From 92cfe9d05f63d9bcd800f7b0cb7c25f3a0c877a5 Mon Sep 17 00:00:00 2001
From: Gerg-L
Date: Sat, 29 Jun 2024 16:01:53 -0400
Subject: [PATCH] builder substituter setup rework

---
 hosts/gerg-desktop/main.nix | 1 -
 hosts/gerg-desktop/secrets.yaml | 6 +-
 hosts/gerg-desktop/services/nginx.nix | 6 ++
 hosts/gerg-desktop/services/nix-serve.nix | 78 +++++++++++++++++++++++
 modules/builders.nix | 66 ++----------------
 5 files changed, 94 insertions(+), 63 deletions(-)
 create mode 100644 hosts/gerg-desktop/services/nix-serve.nix

diff --git a/hosts/gerg-desktop/main.nix b/hosts/gerg-desktop/main.nix
index ee217ba..43cb68a 100644
--- a/hosts/gerg-desktop/main.nix
+++ b/hosts/gerg-desktop/main.nix
@@ -8,7 +8,6 @@
 }:
 {
 local = {
- remoteBuild.isBuilder = true;
 DE.dwm.enable = true;
 DM = {
 lightdm.enable = true;
diff --git a/hosts/gerg-desktop/secrets.yaml b/hosts/gerg-desktop/secrets.yaml
index ed1cc91..45cb548 100644
--- a/hosts/gerg-desktop/secrets.yaml
+++ b/hosts/gerg-desktop/secrets.yaml
@@ -3,7 +3,7 @@ discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQt
 searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
 minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
 gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
-store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str]
+store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str]
 nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str]
 github_token: ENC[AES256_GCM,data:nIWnOvoO8jcoPvKIF4TDdMZxO5H+mAEjLOfQpPmIh0gUSHjadFCwdI0FpMN3D/+8zUXVuAWd2FfCdzKIxGApGqlXAn3aajkUeBK8rYF554COuxa4B43SjRlfvanCZyfsbxzFxoO1RDlzHUMUSzYgFE8wdvj804luIA==,iv:OcRPCZP3KIKv+OuS28jIEp5zQyFw/41gMMdPBVj5N9w=,tag:t+oJDxqwyFU92kDh0ot+6w==,type:str]
 gerg_ssl_key: ENC[AES256_GCM,data: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,iv:aE4/hxhfju3jJXjwK0TrfI/cbLsFgDEDspg2zTgqo4M=,tag:LAmit77WTZnpoCX1iuhkbQ==,type:str]
@@ -25,8 +25,8 @@ sops:
 dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
 MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-21T19:08:47Z"
- mac: ENC[AES256_GCM,data:/oeiVvzik1o3T0T6HlaNq16ZnZ2Fb0YhNDZ8pT2G/SHtpfz3ELjS/1yj8tfZjt2YOBlM1TrYN4+Yr0yJr7vhekWtpCZvN4I+FHrrnlyWGohg7quScArdXjVD+zWcahG41Q2Qu8ffmSARKf+aR3WpjcWnO6ueD5hXO4xm5es9wl0=,iv:gCLxoO13p/5da0VwP5LSlaL6vcMNaYzML5T5ejutf30=,tag:zHVoAS0FUJxFLhChjnfBpQ==,type:str]
+ lastmodified: "2024-06-29T16:39:17Z"
+ mac: ENC[AES256_GCM,data:bLgrdArl7eSHIAyyBeYH5riD81VschZ4bdrq1ppQ3Ru7EucA4SqDNGXVkny0JA/U+3A8W1llRmAWH/BDCg11vSwIQ9YhmVVs1MSkmCBKQRSmX6t4UaWzPTNG6+HbIuSGcpvZvPO3iYg9u43kYRSz3zOjTVll7w1nzvlcpM7AOD8=,iv:mVj0SprdijAfsojC4fvAJjMY6Jp/K00JG5SRbVDpX84=,tag:6nfJmY5UEMCHuZ0GOvw0Kw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/hosts/gerg-desktop/services/nginx.nix b/hosts/gerg-desktop/services/nginx.nix
index 9b9d590..49c4ce4 100644
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@@ -58,6 +58,12 @@
 sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
 locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
 };
+ "cache.gerg-L.com" = {
+ forceSSL = true;
+ sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+ sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+ locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+ };
 };
 };
 networking.firewall.allowedTCPPorts = [
diff --git a/hosts/gerg-desktop/services/nix-serve.nix b/hosts/gerg-desktop/services/nix-serve.nix
new file mode 100644
index 0000000..cd56f17
--- /dev/null
+++ b/hosts/gerg-desktop/services/nix-serve.nix
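Review bot: The new `cache.gerg-L.com` vhost makes nix-serve reachable by anyone who can reach nginx, and nix-serve hands out the narinfo/NAR of any store path it is asked for, so this swaps the key-authenticated `ssh-ng://` substituter removed in modules/builders.nix for an unauthenticated read path into `/nix/store`, including any derivation output that happens to embed a secret. If only the hosts that set `local.remoteBuild` need the cache, add `allow`/`deny` rules (or client-certificate auth) under `locations."/"`, or at least record the decision with a comment like `# public, unauthenticated binary cache: any store path is readable here`. The host name is spelled `cache.gerg-L.com` here but `https://cache.gerg-l.com` and `cache.gerg-l.com:` in modules/builders.nix; nginx matches server names case-insensitively so it works, but one spelling avoids a mismatch with the signing-key name. `/run/nix-serve/nix-serve.sock` is also a literal duplicated from nix-serve.nix; referencing one shared value for the socket path would keep the two in step. The enclosing `services.nginx.virtualHosts` attrset begins outside this hunk.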
@@ -0,0 +1,78 @@
+{ config, pkgs }:
+{
+ sops.secrets.store_key.owner = "nix-serve";
+
+ users = {
+ groups = {
+ builder = { };
+ nix-serve = { };
+ };
+ users = {
+
+ ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
+ builder = {
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+ group = "builder";
+ };
+ nix-serve = {
+ isSystemUser = true;
+ group = "nix-serve";
+ };
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match User builder
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ Match All
+ '';
+
+ nix.settings = {
+ trusted-users = [
+ "builder"
+ "nix-ssh"
+ ];
+ allowed-users = [ "nix-serve" ];
+ keep-outputs = true;
+ keep-derivations = true;
+ secret-key-files = config.sops.secrets.store_key.path;
+ };
+
+ systemd.services.nix-serve = {
+ description = "nix-serve binary cache server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = [
+ config.nix.package
+ pkgs.bzip2
+ pkgs.nix-serve-ng
+ ];
+
+ environment = {
+ NIX_REMOTE = "daemon";
+ NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
+ };
+
+ script = ''
+ nix-serve --socket /run/nix-serve/nix-serve.sock &
+ PID=$!
+ sleep 1
+ chmod 660 /run/nix-serve/nix-serve.sock
+ wait "$PID"
+ '';
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "5s";
+ User = "nix-serve";
+ Group = "nix-serve";
+ };
+ };
+ systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ];
+}
diff --git a/modules/builders.nix b/modules/builders.nix
index 10a4351..f28ace1 100644
--- a/modules/builders.nix
+++ b/modules/builders.nix
@@ -1,9 +1,7 @@
 { config, lib }:
 {
- options.local.remoteBuild = {
- enable = lib.mkEnableOption "";
- isBuilder = lib.mkEnableOption "";
- };
+ options.local.remoteBuild.enable = lib.mkEnableOption "";
+
 config = lib.mkMerge [
 (lib.mkIf config.local.remoteBuild.enable {
 nix = {
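Review bot: The `builder` account in `users.users` drops the `useDefaultShell = true;` that the removed block in modules/builders.nix had, and a NixOS `isSystemUser` account otherwise defaults to a `nologin` shell, so `ssh builder@… nix-store --serve` from media-laptop would be refused before Nix even starts; put `useDefaultShell = true;` back in the `builder` attrset unless a shell is set elsewhere. `trusted-users` still lists `"nix-ssh"`, but the `nix.sshServe` block that created that user is deleted in the same commit, so the entry is stale and should be dropped. The socket setup in `script` (`sleep 1` then `chmod 660`) is racy: a bind slower than one second makes the chmod fail and the unit restart, and until it runs the socket keeps whatever mode the umask produced; set the mask up front instead, `umask 0117` followed by `exec nix-serve --socket /run/nix-serve/nix-serve.sock`, which also removes the background/`wait` pair. `allowed-users = [ "nix-serve" ]` is new and denies daemon access to every non-trusted local account, which may be intended but deserves a comment such as `# only nix-serve (plus trusted-users) may talk to the daemon`. Nothing in the diff imports this new file, so confirm that hosts/gerg-desktop/services/*.nix is picked up automatically.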
@@ -12,8 +10,8 @@ keep-derivations = false; builders-use-substitutes = true; max-jobs = 0; - substituters = [ "ssh-ng://nix-ssh@gerg-desktop" ]; - trusted-public-keys = [ "gerg-desktop:6p1+h6jQnb1MOt3ra3PlQpfgEEF4zRrQWiEuAqcjBj8=" ]; + substituters = [ "https://cache.gerg-l.com" ]; + trusted-public-keys = [ "cache.gerg-l.com:6p1+h6jQnb1MOt3ra3PlQpfgEEF4zRrQWiEuAqcjBj8=" ]; }; distributedBuilds = true; buildMachines = [ @@ -37,60 +35,10 @@ } ]; }; - programs.ssh.knownHosts = { - gerg-desktop = { - extraHostNames = [ "gerg-desktop.lan" ]; - publicKey = config.local.keys.root_gerg-desktop; - }; + programs.ssh.knownHosts.gerg-desktop = { + extraHostNames = [ "gerg-desktop.lan" ]; + publicKey = config.local.keys.root_gerg-desktop; }; }) - - ( - let - keys = [ config.local.keys.root_media-laptop ]; - in - lib.mkIf config.local.remoteBuild.isBuilder { - sops.secrets.store_key = { }; - users = { - groups.builder = { }; - users.builder = { - createHome = false; - isSystemUser = true; - openssh.authorizedKeys = { - inherit keys; - }; - useDefaultShell = true; - group = "builder"; - }; - }; - services.openssh.extraConfig = '' - Match User builder - AllowAgentForwarding no - AllowTcpForwarding no - PermitTTY no - PermitTunnel no - X11Forwarding no - Match All - ''; - - nix = { - settings = { - trusted-users = [ - "builder" - "nix-ssh" - ]; - keep-outputs = true; - keep-derivations = true; - secret-key-files = config.sops.secrets.store_key.path; - }; - sshServe = { - enable = true; - write = true; - inherit keys; - protocol = "ssh-ng"; - }; - }; - } - ) ]; }
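Review bot: The renamed `trusted-public-keys` entry keeps the exact key material of the old `gerg-desktop:` entry and only changes the name to `cache.gerg-l.com`; Nix accepts a narinfo signature only when its name prefix matches a trusted key, so this works only if the re-encrypted `store_key` secret carries the same `cache.gerg-l.com:` prefix, which the diff cannot show, and a comment such as `# name must equal the prefix inside the sops store_key secret` next to the entry would record that coupling. The same key pair now signs a publicly reachable cache, so rotating it rather than renaming it is worth considering if it was ever copied around while the SSH substituter was in use. In the second hunk, with `isBuilder` gone the `config = lib.mkMerge [ … ]` opened outside this hunk wraps a single element; `config = lib.mkIf config.local.remoteBuild.enable { … };` would read simpler.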