add remote builder

2 files changed, 48 insertions, 0 deletions

diff --git a/config/nix/default.nix b/config/nix/default.nix
new file mode 100644
index 0000000..a9d79cc
--- /dev/null
+++ b/config/nix/default.nix
@@ -0,0 +1,19 @@
+{lib, ...}: {
+  imports = [./remote-builds.nix];
+
+  personal.nix = {
+    enable = true;
+    autoUpgrade.enable = true;
+    gc.enable = true;
+    flake = "git+file:///etc/nixos/";
+  };
+  nix.settings.max-jobs = lib.mkDefault 1;
+  nixpkgs.flake = {
+    setNixPath = true;
+    setFlakeRegistry = true;
+  };
+  system.autoUpgrade.flags = [
+    # for reading secrets from a file
+    "--impure"
+  ];
+}
diff --git a/config/nix/remote-builds.nix b/config/nix/remote-builds.nix
new file mode 100644
index 0000000..2bca883
--- /dev/null
+++ b/config/nix/remote-builds.nix
@@ -0,0 +1,29 @@
+{...}: {
+  programs.ssh = {
+    extraConfig = ''
+      Host hephaistos.local
+        # Prevent using ssh-agent or another keyfile, useful for testing
+        IdentitiesOnly yes
+        IdentityFile /root/.ssh/nixremote
+        # The weakly privileged user on the remote builder – if not set, 'root' is used – which will hopefully fail
+        User nixremote
+    '';
+    knownHosts."hephaistos.local".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMlRcOB8142XkF8uFCLbyYhcqp4LioChXKAM3EGqSa";
+  };
+
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "hephaistos.local";
+        system = "x86_64-linux";
+        # Nix custom ssh-variant that avoids lots of "trusted-users" settings pain
+        protocol = "ssh-ng";
+        maxJobs = 4;
+        speedFactor = 4;
+        supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+        mandatoryFeatures = [];
+      }
+    ];
+  };
+}