From df5287dd4133549dd7b13ea762f4c60fb2280a21 Mon Sep 17 00:00:00 2001 From: "quentin@aristote.fr" Date: Sat, 30 Nov 2024 16:45:22 +0100 Subject: add remote builder --- config/default.nix | 2 +- config/networking/default.nix | 25 ++++++++++++++++++++- config/networking/services/firewall/ruleset.nix | 12 +++++++++- config/nix.nix | 17 --------------- config/nix/default.nix | 19 ++++++++++++++++ config/nix/remote-builds.nix | 29 +++++++++++++++++++++++++ flake.lock | 19 +++++++++++++++- flake.nix | 4 +++- 8 files changed, 105 insertions(+), 22 deletions(-) delete mode 100644 config/nix.nix create mode 100644 config/nix/default.nix create mode 100644 config/nix/remote-builds.nix
diff --git a/config/default.nix b/config/default.nix
index 81e202a..5af99ea 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -5,7 +5,7 @@
 ./environment.nix
 ./hardware
 ./networking
- ./nix.nix
+ ./nix
 ./users.nix
 ];
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 409ce3b..fb8dafe 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -78,7 +78,13 @@ in {
 prefix = "192.168.2";
 prefixLength = 24;
 };
- machines.self.ip = "192.168.2.1";
+ machines = {
+ self.ip = "192.168.2.1";
+ hephaistos = {
+ ip = "192.168.2.2";
+ mac = "f4:a4:75:a1:a2:93";
+ };
+ };
 };
 iot = {
 interfaces = ["wlp1s0-iot"];
@@ -131,6 +137,23 @@ in {
 address = ifaces.all."${interface}".machines.livebox.ip;
 };
+ hosts = let
+ withMachines =
+ # [{machines: AttrSet, ...}]
+ lib.collect (value: builtins.isAttrs value.machines or false)
+ config.personal.networking.interfaces.all;
+ machineToHost =
+ # String -> {ip: String, ...} -> { name: String, value: String }
+ name: {ip, ...}: lib.nameValuePair ip "${name}.local";
+ pruneMachines =
+ # AttrSet -> {{ip: String, ...}}
+ lib.filterAttrs (name: value: name != "self" && (builtins.isString value.ip or false));
+ hosts =
+ # [{machines: AttrSet, ...}] -> [{String}]
+ lib.forEach withMachines ({machines, ...}: lib.mapAttrs' machineToHost (pruneMachines machines));
+ in
+ lib.zipAttrs hosts;
+
 useDHCP = false;
 dhcpcd.enable = false;
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index 3418ef8..ba9b39d 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
@@ -5,6 +5,10 @@
 sonos-play1
 sonos-move
 ;
+ inherit
+ (interfaces.all.wan.machines)
+ hephaistos
+ ;
 };
 makeTable = args: {
@@ -195,7 +199,13 @@ in {
 + ssdp
 + sonos.player-controller
 + sonos.controller-player;
- wan_wan.rules = with rulesCommon; syncthing + kdeconnect;
+ wan_wan.rules = with rulesCommon;
+ syncthing
+ + kdeconnect
+ + ''
+ ip daddr ${machines.hephaistos.ip} \
+ ${ssh}
+ '';
 forward = makeBaseChain "filter" "forward" {
 rules = with rulesCommon;
 conntrack
diff --git a/config/nix.nix b/config/nix.nix
deleted file mode 100644
index 182aa1b..0000000
--- a/config/nix.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{lib, ...}: {
- personal.nix = {
- enable = true;
- autoUpgrade.enable = true;
- gc.enable = true;
- flake = "git+file:///etc/nixos/";
- };
- nix.settings.max-jobs = lib.mkDefault 1;
- nixpkgs.flake = {
- setNixPath = true;
- setFlakeRegistry = true;
- };
- system.autoUpgrade.flags = [
- # for reading secrets from a file
- "--impure"
- ];
-}
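Review bot: The type comments on `pruneMachines` and `hosts` use a notation that does not match the other two and obscures the value shapes: `# AttrSet -> {{ip: String, ...}}` should read `# {name: {ip: String, ...}} -> {name: {ip: String, ...}}` and `# [{machines: AttrSet, ...}] -> [{String}]` should read `# [{machines: AttrSet, ...}] -> [{ip: String}]`, since each element maps an address to a `"<name>.local"` string. The generated names end in `.local`, which is also the mDNS domain; the `programs.ssh.knownHosts` entry added later in this commit pins a host key to `hephaistos.local`, so the static `/etc/hosts` mapping is what ties that pin to a fixed address, and if an mDNS resolver is enabled on this host the nsswitch order must keep `files` ahead of it — whether one is enabled cannot be seen from this hunk. A one-line comment above `hosts = let` such as `# Publish every known machine as <name>.local so services (e.g. the remote builder) can address it by a stable name` would record that intent. The enclosing `networking` set starts and ends outside the hunk.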
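Review bot: The new rule appended to `wan_wan.rules` in the second `ruleset.nix` hunk matches only on destination (`ip daddr ${machines.hephaistos.ip}`) plus whatever `${ssh}` expands to, and `ssh` is defined outside the hunk, so it is not visible whether the match is narrowed beyond the port; as written, any traffic this chain sees may reach the builder's SSH service, not just the nix daemon's connections. If the chain's hook allows it, a source or owner match appropriate to that hook would scope the opening to the builder client; otherwise a comment should state that the wider reach is intended. Either way the rule deserves a one-line comment, e.g. `# SSH to the remote builder declared in config/nix/remote-builds.nix`, because nothing in this file links it to that configuration. `rulesCommon` and the enclosing `in {` attribute set start outside the hunk.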
diff --git a/config/nix/default.nix b/config/nix/default.nix
new file mode 100644
index 0000000..a9d79cc
--- /dev/null
+++ b/config/nix/default.nix
@@ -0,0 +1,19 @@
+{lib, ...}: {
+ imports = [./remote-builds.nix];
+
+ personal.nix = {
+ enable = true;
+ autoUpgrade.enable = true;
+ gc.enable = true;
+ flake = "git+file:///etc/nixos/";
+ };
+ nix.settings.max-jobs = lib.mkDefault 1;
+ nixpkgs.flake = {
+ setNixPath = true;
+ setFlakeRegistry = true;
+ };
+ system.autoUpgrade.flags = [
+ # for reading secrets from a file
+ "--impure"
+ ];
+}
diff --git a/config/nix/remote-builds.nix b/config/nix/remote-builds.nix
new file mode 100644
index 0000000..2bca883
--- /dev/null
+++ b/config/nix/remote-builds.nix
@@ -0,0 +1,29 @@
+{...}: {
+ programs.ssh = {
+ extraConfig = ''
+ Host hephaistos.local
+ # Prevent using ssh-agent or another keyfile, useful for testing
+ IdentitiesOnly yes
+ IdentityFile /root/.ssh/nixremote
+ # The weakly privileged user on the remote builder – if not set, 'root' is used – which will hopefully fail
+ User nixremote
+ '';
+ knownHosts."hephaistos.local".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMlRcOB8142XkF8uFCLbyYhcqp4LioChXKAM3EGqSa";
+ };
+
+ nix = {
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "hephaistos.local";
+ system = "x86_64-linux";
+ # Nix custom ssh-variant that avoids lots of "trusted-users" settings pain
+ protocol = "ssh-ng";
+ maxJobs = 4;
+ speedFactor = 4;
+ supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+ mandatoryFeatures = [];
+ }
+ ];
+ };
+}
diff --git a/flake.lock b/flake.lock
index 954b0e7..65782ef 100644
--- a/flake.lock
+++ b/flake.lock
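Review bot: The `Host hephaistos.local` stanza in `remote-builds.nix` goes through `programs.ssh.extraConfig`, which is the system-wide `ssh_config`, so `User nixremote` and `IdentityFile /root/.ssh/nixremote` apply to every local user's ssh invocation to that host rather than only to the nix daemon; the `nix.buildMachines` entry can carry `sshUser = "nixremote";` and `sshKey = "/root/.ssh/nixremote";` instead, which scopes both settings to the builder connection and leaves the global client config untouched. The comment above `IdentitiesOnly yes` misdescribes it as a testing aid; offering only the dedicated builder key (never agent or default keys) is desirable permanently, so `# Offer only the dedicated builder key, never agent or default identities` states the actual purpose. The key at `/root/.ssh/nixremote` is not declared anywhere in this commit, so a short comment recording how it is provisioned (presumably the same secrets mechanism the `--impure` flag in `default.nix` exists for) would spare the next maintainer a search. Pinning the host key through `knownHosts` and using `ssh-ng` are both the right calls and need no change.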
@@ -65,6 +65,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-beta": {
+ "locked": {
+ "lastModified": 1732981179,
+ "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-lib": {
 "locked": {
 "lastModified": 1722555339,
@@ -111,7 +127,8 @@
 "inputs": {
 "my-nixpkgs": "my-nixpkgs",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-beta": "nixpkgs-beta"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 1c95cbc..e94b74f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,10 +2,12 @@
 inputs = {
 my-nixpkgs.url = "github:qaristote/my-nixpkgs";
 nixpkgs.url = "github:NixOS/nixpkgs/release-24.05";
+ nixpkgs-beta.url = "github:NixOS/nixpkgs/release-24.11";
 };
 outputs = {
 nixpkgs,
+ nixpkgs-beta,
 my-nixpkgs,
 nixos-hardware,
 ...
@@ -14,7 +16,7 @@
 system = "x86_64-linux";
 commonModules = [
 my-nixpkgs.nixosModules.personal
- ({...}: {nixpkgs.overlays = [my-nixpkgs.overlays.personal];})
+ ({...}: {nixpkgs.overlays = [my-nixpkgs.overlays.personal (_: _: {inherit (nixpkgs-beta.legacyPackages."${system}") nixos-rebuild;})];})
 ];
 in {
 kerberos = nixpkgs.lib.nixosSystem {
-- 
cgit v1.2.3
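Review bot: The second `flake.nix` hunk pulls `nixos-rebuild` from the `release-24.11` input into a `release-24.05` system without saying why, and the overlay is squeezed onto the one `commonModules` line where it is easy to miss that a second package source is now in play. Splitting the overlay onto its own lines and adding `# nixos-rebuild from release-24.11 — TODO(author): record which fix/feature the 24.05 build lacks` keeps the reason next to the cross-channel pull; the `flake.lock` hunk already pins `nixpkgs-beta` to a fixed `rev`, so the pull is reproducible, which is worth stating in the same comment. The quoting in `legacyPackages."${system}"` is unnecessary — `legacyPackages.${system}` is the usual form. The `let` block that defines `system` and `commonModules` starts outside the hunk.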