| author | quentin@aristote.fr <quentin@aristote.fr> | 2025-01-29 17:33:57 +0100 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2025-01-29 17:41:22 +0100 |
| commit | ec7777260d39008d98f9cb925f3d0f4e5756f14c (patch) | |
| tree | 5c3c5515d99a8eb2e2b0b87f7c782af5c137b51e /modules/nixos/personal | |
| parent | b8979ecffefdf18ce8a3cc3459adda8f6dabbd33 (diff) | |
nixos: nix: reformat and add remote builds
Diffstat (limited to 'modules/nixos/personal')
| -rw-r--r-- | modules/nixos/personal/nix.nix | 209 |
1 files changed, 130 insertions, 79 deletions
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix index 94848d9..956e9a3 100644 --- a/modules/nixos/personal/nix.nix +++ b/modules/nixos/personal/nix.nix @@ -5,6 +5,19 @@ ... }: let cfg = config.personal.nix; + hasFlake = cfg.flake != null; + hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != []; + checkNetwork = { + preStart = "${pkgs.host}/bin/host 9.9.9.9 || exit 100"; # Check network connectivity + unitConfig = { + StartLimitIntervalSec = 300; + StartLimitBurst = 5; + }; + serviceConfig = { + RestartForceExitCode = "100"; + RestartSec = "30"; + }; + }; in { options.personal.nix = { enable = lib.mkEnableOption "nix configuration"; 
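Review bot: The comment on the shared `preStart` in the new `checkNetwork` helper overstates what the probe does: `host 9.9.9.9` issues a reverse (PTR) lookup through whatever resolver this host is configured with, so it verifies that name resolution works, not that 9.9.9.9 is reachable, and a local caching resolver could presumably answer it without any upstream traffic. Since this helper now gates both nixos-upgrade and flake-update, the comment should say what is actually being tested, e.g. `# Probe DNS (PTR lookup of 9.9.9.9 via the configured resolver); exit 100 so RestartForceExitCode retries`. The module's argument list and the `let` header begin before the hunk.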
@@ -20,80 +33,58 @@ in { default = null; }; gc.enable = lib.mkEnableOption "garbage collection"; + remoteBuilds = { + enable = lib.mkEnableOption "remote builds"; + machines.hephaistos = { + enable = lib.mkEnableOption "hephaistos remote builder"; + domain = lib.mkOption { + type = lib.types.str; + }; + protocol = lib.mkOption { + type = lib.types.str; + # Nix custom ssh-variant that avoids lots of "trusted-users" settings pain + default = "ssh-ng"; + }; + speedFactor = lib.mkOption { + type = lib.types.int; + default = 4; + }; + }; + }; }; - config = lib.mkIf cfg.enable { - nixpkgs = { - config.allowUnfree = true; - flake = lib.mkDefault { - setNixPath = false; - setFlakeRegistry = false; + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + nixpkgs = { + config.allowUnfree = true; + flake = lib.mkDefault { + setNixPath = false; + setFlakeRegistry = false; + }; }; - }; - nix = { - package = pkgs.lix; - settings = { - auto-optimise-store = true; - experimental-features = ["nix-command" "flakes"]; - substituters = ["https://devenv.cachix.org/" "https://nix-community.cachix.org/"]; - trusted-public-keys = ["devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="]; + nix = { + package = pkgs.lix; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + substituters = ["https://devenv.cachix.org/" "https://nix-community.cachix.org/"]; + trusted-public-keys = ["devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="]; + }; + extraOptions = '' + !include secrets.conf + ''; }; - extraOptions = '' - !include secrets.conf - ''; - gc = lib.mkIf cfg.gc.enable { + } + + (lib.mkIf cfg.gc.enable { + nix.gc = { automatic = true; dates = "daily"; options = "--delete-old"; }; - }; - - system.autoUpgrade = lib.mkIf cfg.autoUpgrade.enable { - enable = true; - flake = cfg.flake; - 
flags = lib.optional (cfg.flake == null) "--upgrade-all"; - }; - systemd.services = lib.mkMerge [ - (lib.mkIf cfg.autoUpgrade.enable { - # upgrading - flake-update = lib.mkIf (cfg.flake != null && cfg.autoUpgrade.autoUpdateInputs != []) { - preStart = "${pkgs.host}/bin/host 9.9.9.9 || exit 100"; # Check network connectivity - unitConfig = { - Description = "Update flake inputs"; - StartLimitIntervalSec = 300; - StartLimitBurst = 5; - }; - serviceConfig = { - ExecStart = "${config.nix.package}/bin/nix flake update --commit-lock-file --flake ${cfg.flake} " + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; - RestartForceExitCode = "100"; - RestartSec = "30"; - Type = "oneshot"; # Ensure that it finishes before starting nixos-upgrade - }; - before = ["nixos-upgrade.service"]; - path = [pkgs.git]; - personal.monitor = true; - }; - nixos-upgrade = { - preStart = "${pkgs.host}/bin/host 9.9.9.9 || exit 100"; # Check network connectivity - unitConfig = { - StartLimitIntervalSec = 300; - StartLimitBurst = 5; - }; - serviceConfig = { - RestartForceExitCode = "100"; - RestartSec = "30"; - }; - after = ["flake-update.service"]; - wants = ["flake-update.service"]; - personal.monitor = true; - }; - }) - { - # cleaning + systemd.services = { nix-gc = { - after = - lib.optional (cfg.autoUpgrade.enable && cfg.gc.enable) - "nixos-upgrade.service"; + after = ["nixos-upgrade.service"]; personal.monitor = true; }; nix-gc-remove-dead-roots = { 
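Review bot: The new `remoteBuilds.machines.hephaistos.protocol` option is declared as `lib.types.str`, but the only values `nix.buildMachines.*.protocol` accepts are `ssh` and `ssh-ng`, so a typo would only surface when the daemon reads /etc/nix/machines rather than at evaluation time; `type = lib.types.enum ["ssh" "ssh-ng"];` keeps the default and rejects anything else. In the same block `domain` has no description, and since it is interpolated into both the builder `hostName` and an ssh `Host` match in the last hunk, a one-line `description` stating that it is the DNS suffix appended to `hephaistos.` would help the next reader. The surrounding `options.personal.nix` attribute set starts before this hunk.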
@@ -101,30 +92,90 @@ in { description = "Remove dead symlinks in /nix/var/nix/gcroots"; serviceConfig.Type = "oneshot"; script = "find /nix/var/nix/gcroots -xtype l -delete"; - before = lib.mkIf config.nix.gc.automatic ["nix-gc.service"]; - wantedBy = lib.mkIf config.nix.gc.automatic ["nix-gc.service"]; + before = ["nix-gc.service"]; + wantedBy = ["nix-gc.service"]; personal.monitor = true; }; nix-gc-remove-old-hm-gens = let user = config.personal.user; in { - enable = cfg.gc.enable && user.enable && user.homeManager.enable; + enable = user.enable && user.homeManager.enable; description = "Remove old Home Manager generations for user ${user.name}"; serviceConfig.Type = "oneshot"; script = "${pkgs.nix}/bin/nix-env --profile /home/${user.name}/.local/state/nix/profiles/home-manager --delete-generations old"; - before = lib.mkIf config.nix.gc.automatic ["nix-gc.service"]; - wantedBy = lib.mkIf config.nix.gc.automatic ["nix-gc.service"]; + before = ["nix-gc.service"]; + wantedBy = ["nix-gc.service"]; personal.monitor = true; }; - } - ]; + }; + }) - programs.git = lib.mkIf (cfg.flake != null && lib.hasPrefix "git+file" cfg.flake) { - enable = true; - config.user = { - name = "Root user of ${config.networking.hostName}"; - email = "root@${config.networking.hostName}"; + (lib.mkIf cfg.autoUpgrade.enable { + system.autoUpgrade = { + enable = true; + flake = cfg.flake; + flags = lib.optional (!hasFlake) "--upgrade-all"; }; - }; - }; + systemd.services.nixos-upgrade = lib.mkMerge [ + checkNetwork + { + personal.monitor = true; + } + ]; + }) + + (lib.mkIf hasFlake { + systemd.services.flake-update = lib.mkIf hasFlakeInputs (lib.mkMerge [ + checkNetwork + { + unitConfig.Description = "Update flake inputs"; + serviceConfig = { + ExecStart = "${config.nix.package}/bin/nix flake update --commit-lock-file --flake ${cfg.flake} " + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; + Type = "oneshot"; # Ensure that it finishes before starting nixos-upgrade + }; + before = 
["nixos-upgrade.service"]; + wantedBy = ["nixos-upgrade.service"]; + path = [pkgs.git]; + personal.monitor = true; + } + ]); + + programs.git = lib.mkIf (lib.hasPrefix "git+file" cfg.flake) { + enable = true; + config.user = lib.mkDefault { + name = "Root user of ${config.networking.hostName}"; + email = "root@${config.networking.hostName}"; + }; + }; + }) + + (lib.mkIf cfg.remoteBuilds.enable { + nix = { + distributedBuilds = true; + settings.builders-use-substitutes = true; + buildMachines = with cfg.remoteBuilds.machines.hephaistos; + lib.optional enable { + inherit protocol speedFactor; + hostName = "hephaistos.${domain}"; + system = "x86_64-linux"; + maxJobs = 4; + supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; + mandatoryFeatures = []; + }; + }; + + programs.ssh = with cfg.remoteBuilds.machines.hephaistos; { + extraConfig = lib.optionalString enable '' + Host hephaistos.${domain} + # Prevent using ssh-agent or another keyfile, useful for testing + IdentitiesOnly yes + IdentityFile /etc/ssh/nixremote + # The weakly privileged user on the remote builder + # If not set, 'root' is used – which will hopefully fail + User nixremote + ''; + knownHosts."hephaistos.${domain}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq"; + }; + }) + ]); } |
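Review bot: The remote-build identity is configured through `programs.ssh.extraConfig` (`IdentityFile /etc/ssh/nixremote`, `User nixremote`), which applies to every ssh session to that host from this machine, not only the nix daemon's, and nothing in this module provisions the key file or checks that it exists and is readable only by root. Since the builder entry already lives in `nix.buildMachines`, the identity can be scoped to it with `sshUser = "nixremote"; sshKey = "/etc/ssh/nixremote";`, which also makes the key path visible in /etc/nix/machines; if the ssh_config block is kept, a comment noting that the key is expected to be provisioned out of band would avoid a confusing first-build failure. Pinning `knownHosts."hephaistos.${domain}".publicKey` is the right call and should stay, as it removes the trust-on-first-use window for root's connection to the builder. Separately, `flake-update` is now gated by `hasFlake`/`hasFlakeInputs` rather than `cfg.autoUpgrade.enable`; it is only pulled in through `wantedBy nixos-upgrade.service`, so this looks harmless, but a short comment saying it is intentionally defined even when auto-upgrade is off would make that explicit.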
