Configure nix remote / distributed build

Make srv1.local (bforsman.name) the server, and configure the clients
(media, mini and whitetip (only keys tracked in git)) to use it as
remote builder.

Author: bjornfor

cfg/base-small.nix

@@ -166,6 +166,8 @@
       passwordAuthentication = false;
       extraConfig = ''
         AllowUsers backup git bf
+        # For nix remote / distributed builds
+        AllowUsers nix-remote-build
 
         # Doesn't work on NixOS: https://github.com/NixOS/nixpkgs/issues/18503
         ## Allow password authentication (only) from local network

cfg/nix-remote-build-client.nix

@@ -0,0 +1,28 @@
+{
+  nix.buildMachines = [
+    { hostName = "bforsman.name";
+      systems = [ "x86_64-linux" ];
+      # TODO: I belive maxJobs = "auto" is documented somewhere, but nix-2.2.2
+      # and 2.3 fail with unhelpful "error: stoull".
+      maxJobs = 4;
+      speedFactor = 10;
+      supportedFeatures = [
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+      mandatoryFeatures = [ ];
+      # The server side user to login with
+      sshUser = "nix-remote-build";
+      # The client side private key for login as sshUser
+      sshKey = "/root/.ssh/id_ed25519_nix_remote_build";
+    }
+  ];
+  nix.distributedBuilds = true;
+
+  # optional, useful when the builder has a faster internet connection than yours
+  nix.extraOptions = ''
+    builders-use-substitutes = true
+  '';
+}

cfg/nix-remote-build-server.nix

@@ -0,0 +1,23 @@
+# TODO: There is a nix.sshServe NixOS option, but it doesn't (yet) allow the
+# configuration of the nix-store --write flag.
+
+let
+  user = "nix-remote-build";
+in
+{
+  # must be trusted to be allowed to build derivations
+  nix.trustedUsers = [ user ];
+
+  users.users.nix-remote-build = {
+    group = user;
+    isSystemUser = true;
+    useDefaultShell = true;
+    openssh.authorizedKeys.keys = with import ../misc/ssh-keys.nix; [
+      (''command="nix-store --serve --write",restrict '' + media.root.nix_remote_build)
+      (''command="nix-store --serve --write",restrict '' + mini.root.nix_remote_build)
+      (''command="nix-store --serve --write",restrict '' + whitetip.root.nix_remote_build)
+    ];
+  };
+
+  users.groups."${user}" = { };
+}

machines/media/configuration.nix

@@ -6,6 +6,7 @@
     ../../cfg/base-medium.nix
     ../../cfg/disable-suspend.nix
     ../../cfg/bcache.nix
+    ../../cfg/nix-remote-build-client.nix
   ];
 
   # Use the systemd-boot EFI boot loader.

machines/mini/configuration.nix

@@ -6,6 +6,7 @@
     ../../cfg/base-big.nix
     ../../cfg/clamav.nix
     ../../cfg/disable-suspend.nix
+    ../../cfg/nix-remote-build-client.nix
     ../../cfg/smart-daemon.nix
   ];
 

machines/srv1/configuration.nix

@@ -19,6 +19,7 @@ in
     ../../cfg/cgit.nix
     ../../cfg/git-daemon.nix
     ../../cfg/gitolite.nix
+    ../../cfg/nix-remote-build-server.nix
     ../../cfg/postfix.nix
     ../../cfg/smart-daemon.nix
     ../../cfg/swraid.nix

misc/ssh-keys.nix

@@ -6,12 +6,15 @@
 
 {
   media.root.backup = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLLEZxPtdFQJVqG8zOuBZTUYHhhh026F2BDsHXJXPW root@media (for backup automation)'';
+  media.root.nix_remote_build = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoDrnvYjSPBWVLgwmuVaOUTnNF1ASaO7Y+oej+6WRBm root@media (nix remote build)'';
 
   mini.root.backup = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCwtdqwE2WLolrNQmf5M/DmzaKjG29yq0lr4WgUa2z7 root@mini (for backup automation)'';
+  mini.root.nix_remote_build = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE62OwZK96RYNiHbVWpQR+aD98wJn9TFmjKTnCV9pv5k root@mini (nix remote build)'';
 
   mini.bf.default = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTl8tsKUmHqO5eJoPvAVSu5vm7Ibml9rYxAblTUU/dl+zip7RNfl178qaX4nwUHkI3qsITJ8yQr42iIanvIPpCvM5V4rYjDmD7R4R8wSvzsrxegipG+kXfItlgsmCIuNsYZNCPtxESsLMW6tuJBfFy8L0IGmwYXLNNj7NIsrI4ElOhmWHz+VppZU1R74IghC+ZWJkkqoc9Ayt17ezLfBPYYuoan60H2/KOBtJX5qjfdxGXF5H7Oa7SBE/0zZ5Eaq8MudM/7CClc2nA787xadp8O6aQoF/ZB27dwr3mK2IugYc7w2rDlT67iQHLT27LKMU74CY//xSqkGUZOyGDAN7B bf@mini'';
 
   whitetip.bf.default = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfy7XFi35G277tbjGzFeFdbtz8c3b9dQcBpE9KlcVVKMG9mMzVQeLJkehqi/NGyzV7DcJgvFW0vFJaRbQbOVuIlnC3rCwO+NUJW+48aarnna1Izv6ihHp5vprYhZT9AANfUUsaCy5ZBVljlJ34S8gJNvmq7oogh9ioi9hE3LvdZMC0M6k2WZG5+lPlDWbNjuWlYF9e9XVJlopU+xfNy98u0djyBo2urkqtNT8vXu49JarKpxgi3tMDv2pZFNNICukWsg8EEH6YIhJjsiO0RdnanzO/yQK2/SQtq0GjnzEaRilAgiUnGHC7f7iOBeNhc+hUcKltBlWmPsF9ZV5txZDT bf@whitetip'';
+  whitetip.root.nix_remote_build = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOgHOn3+Sr8WUZQiEVN3NZ6nXOL1NPUSo2Sen+63G6j root@whitetip (nix remote build)'';
   whitetip.root.backup = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMnppoIYKUmeW09hw2nEofL3aDL12T/P8P81HMnwPpE root@whitetip (for backup automation)'';
 
   my_phone.user.default = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZ63+kGCJbSI8P8LThqXJHZdiGWHpR7K/NUkimWn+3r4y22JhuRLpUHnHRfvPm16HIbrVwrHbZ6vxqvxx7hP9UGRTdRT9HjOvVoOQGIYjRtjrRiMHE/DmrBxdQ5FtQVeARKcNCWYIlubtuxg1c6ZD0fScs5yWrlumblsQxJgqS5K6csyh9yZL8rtBC0VqkroynMoYONqTTAAnx6lg9X6t2FZ3SFqCZ5VYk9DkwLZNIrwwEF87tQSuCSTX8pKw9THP0H07pafR0hWwKHuhPqbK7qlE1ZXzVtbujg/GndLbjFFV7Lpkc5h5B+fC4VBAiaKG9DQSV5LNRjrolprQkijNiFNqojnsCSJVDHSercDSTLNsN2wNPKXUlzkNyWEnefvPFrW1vPBoTF8YrPICNOi8mGLkX+ygP0ROycuKupSqkfAjXqdabAnuHNZHI1gY9j4/qlK5YhgbOu1pWVe9xVKCEfR0MG/iTi83ExiDlkzGgOcFkiDoUaKF6HMM2w6u+pgwDSsP8jmHrUuGqib3mMm3M7VMoGvxQE+T8bQ53G1/z/FI3xITpnNUs61DtUxf6uSCYJFDE5vRYSAnPW9L7/dLo5klJbDbyGyHgneFeGb5gdQEqhUZHXHXwCPyH5fn2XLA6DErMGWAvEqNVs6p2XO54UY/HuKnjr1W8eMqLVMpvVw== My phone'';