builder substituter setup rework

hosts/gerg-desktop/main.nix

@@ -8,7 +8,6 @@
 }:
 {
   local = {
-    remoteBuild.isBuilder = true;
     DE.dwm.enable = true;
     DM = {
       lightdm.enable = true;

hosts/gerg-desktop/secrets.yaml

@@ -3,7 +3,7 @@ discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQt
 searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
 minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
 gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
-store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str]
+store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str]
 nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str]
 github_token: ENC[AES256_GCM,data:nIWnOvoO8jcoPvKIF4TDdMZxO5H+mAEjLOfQpPmIh0gUSHjadFCwdI0FpMN3D/+8zUXVuAWd2FfCdzKIxGApGqlXAn3aajkUeBK8rYF554COuxa4B43SjRlfvanCZyfsbxzFxoO1RDlzHUMUSzYgFE8wdvj804luIA==,iv:OcRPCZP3KIKv+OuS28jIEp5zQyFw/41gMMdPBVj5N9w=,tag:t+oJDxqwyFU92kDh0ot+6w==,type:str]
 gerg_ssl_key: ENC[AES256_GCM,data:F51mBHbLzfgJ8SdFQwxRIHOfG/iYi35EwOzQ/PlWkI6VzAGoFn3K/Team1dMAS62CxIq96WByqctLhfgNl/sI63LT9KoGAKV/8sLKXav9FtVJlrsqWCCswMRV95ia6vUj6yiqCdX2qgawq+sYO1ztUu5pTfvG2DEO+2r+SXCFPBARJ5CQl39i+clnyjVSsZLHlRwdqSG5uzfNyjMand/0jgQ6yxFExaqahSiyf20H7liK0G8vnv4R4X1Gs+6Cqm2nMRy89rSLVndoX+IH7tvfjxMB+oHJkjdYqcznfUuIDeRMTxeQq6RiQuSmBYgPfYBWenMgMgt0IiuTRxfCdShjveDGXJr1lO8ZkmxPV6VUgL7stbRUs+UkWgpct7cUbgwcsbdgUvo3SiHRDHikqAJgWihV3V8jOUBsJrNbCyam999cZtyTCHRxnpHYR+zEfqA4823c9tW6KYQRr+FW8mHYxGCPLyDgXzCsNYf3bOzkKx6UIw5iNjRfQIPVlQinJtTfcYY20CXn25k+V15wRWMvs2QrOWj7qdssIyPgDalb70mj0lrLbdceHWW6JTmHiSQAjFK1pYEmXIEa9G1jES3Zq3G9Ty0/XUmt3yGUJr2TBQxhDbryr5Kd6PLfIrHBh/msw1QlSbdSv4a4BeGos1qD0HJgXrE/xqHPCUX07wCYpXVeEHR5OXF0SVgc6dCWo+s5iE7AggS4j3dKqZoDV2l0rZGI7RQvf8BoEAl+RwsCgrgY2zo7qeSb12NVP8Kb/wA0hIWT3IFrj4wLyk93vjsHwdbt9QJWf7yAFqIkB3y2MwPGQdn0s88FzZTeZCqDo+Q2vH0+GhzNozg1NV6XorV8kRO5t0hTM8fw8PGFdt7cUm1PGg60Fg5lBOs3t/y9OFDZcfsgEuxnOwZeslzkPmnLHf3DBPizdc2XCXuYmEKGiBiiFSC+zJF6+3S9W9/6uHvHEffJrIRSPxC4ElDfyvpxxY4kA5BMCXALpkYDaDCRPQSpu1EF1bi0mBSONHl6in+aYr1leVG185n+AOR3SsaY8jftN/rU4VxV2W5zszx2KZk/LzAjoDAZbBHgBVgY7KsD8Zs2+TBJppnxg35S4s0+PRQM/0t7mFfSNGv75ih98UX9jzvIpb/evR5vD8ImUJy1BzO1nVyzKHQiILETixxz6kRMDUlvP6OpsBXcAWR0w0AKX4irAXT6xVyaSYfIBIJuwzE/mN68kNhPT62eaFnTUTV7KLf7yM/3+blXHcELtEVO2z1WcC3QJZNTA9WVTli+YTeJ//2M5gyBKOAQ3bfYeNz8mubxJQh0XpZaVdUu6TGVG3bIjbj0ixnnuAt6IVlZQK74h/Ah542oSuqLclrXlmNYn5vU5OdxjRgThZZKhZFoqiY+W79OulXDzSbhlMvI5tiGGjiIc31iFSKS0JYyISt1jdiwogv/b8/d7whQCwh9IvG7loKFsPBP2NgW6hYlixqcdaSpP9S7hrG54BPZe2o2S0Ci3BMasits2WFr6u7Qsx1AvuWyJ/rO+llmuvWVl64WNQxi8EYKiMJx0QI3Pr1Od66wVir/LtAlR04vsNHAvzM6gjuQYefWV9X2cXlklbGJYrE/9DCWr8fvUzmh659/81d2+CCkd7jxxFh8BHTR7oFHhM/H21BEUzOSu35vrMTPwy8y4mLhywNqmbLdOiOIGgkw4g+q5r4v9Byf15PqGcR02K+TmpQpF3HIpnv/3UH3lD4TtjIzWocTIdlKuriHsZcIIlHDxoWj/2mlo6+QxOiiTyR0jhQA372T2tlEo5/v3VFDuWikrBhgnmVe5zngkTqUUghrucbxJDDsehlwzSbrcczvYGwSNYu+DdS+57WDUGoLTJ7oOWovz5XCbV11LOQUNP8TYP597YzeV/eVguYvjUoSqSmo0m6kHGkhLZWbWyZrl7e2F7cOf+S6cdheREkp2Q/Eet8/B9fVWxRBBTXTLnOCC2q/Y1A9Ls+lpW4OXYO7QJjQAx9SKXfrjGgujrXH7oLMxQZfORwjnZzT1LQU7T0wNhQvZLHmUoA0VRZdSxSqEWlEjSF0eJjx/SNoKOacinHTCiT3r0P0cKmIypENef9czRURKgiunmlvSgQ5jOeu2C69KmF9Qau5YnRt6rXjkJzu+lji5ArVfkDxDG+mx5dtVSxwovbdAh065JDHo52ROaXLCb3nfFWKWSgoemYXrsbH9lT4/Ro3P2JC+iDeJFwz4r9OjTvPDWh9YTfzOlhfvg7m+2lg9vV74gmXd+IgSKh,iv:aE4/hxhfju3jJXjwK0TrfI/cbLsFgDEDspg2zTgqo4M=,tag:LAmit77WTZnpoCX1iuhkbQ==,type:str]
@@ -25,8 +25,8 @@ sops:
             dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
             MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-21T19:08:47Z"
+    lastmodified: "2024-06-29T16:39:17Z"
-    mac: ENC[AES256_GCM,data:/oeiVvzik1o3T0T6HlaNq16ZnZ2Fb0YhNDZ8pT2G/SHtpfz3ELjS/1yj8tfZjt2YOBlM1TrYN4+Yr0yJr7vhekWtpCZvN4I+FHrrnlyWGohg7quScArdXjVD+zWcahG41Q2Qu8ffmSARKf+aR3WpjcWnO6ueD5hXO4xm5es9wl0=,iv:gCLxoO13p/5da0VwP5LSlaL6vcMNaYzML5T5ejutf30=,tag:zHVoAS0FUJxFLhChjnfBpQ==,type:str]
+    mac: ENC[AES256_GCM,data:bLgrdArl7eSHIAyyBeYH5riD81VschZ4bdrq1ppQ3Ru7EucA4SqDNGXVkny0JA/U+3A8W1llRmAWH/BDCg11vSwIQ9YhmVVs1MSkmCBKQRSmX6t4UaWzPTNG6+HbIuSGcpvZvPO3iYg9u43kYRSz3zOjTVll7w1nzvlcpM7AOD8=,iv:mVj0SprdijAfsojC4fvAJjMY6Jp/K00JG5SRbVDpX84=,tag:6nfJmY5UEMCHuZ0GOvw0Kw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/gerg-desktop/services/nginx.nix

@@ -58,6 +58,12 @@
         sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
         locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
       };
+      "cache.gerg-L.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+      };
     };
   };
   networking.firewall.allowedTCPPorts = [

hosts/gerg-desktop/services/nix-serve.nix

@@ -0,0 +1,78 @@
+{ config, pkgs }:
+{
+  sops.secrets.store_key.owner = "nix-serve";
+
+  users = {
+    groups = {
+      builder = { };
+      nix-serve = { };
+    };
+    users = {
+
+      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
+      builder = {
+        isSystemUser = true;
+        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+        group = "builder";
+      };
+      nix-serve = {
+        isSystemUser = true;
+        group = "nix-serve";
+      };
+    };
+  };
+
+  services.openssh.extraConfig = ''
+    Match User builder
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      PermitTTY no
+      PermitTunnel no
+      X11Forwarding no
+    Match All
+  '';
+
+  nix.settings = {
+    trusted-users = [
+      "builder"
+      "nix-ssh"
+    ];
+    allowed-users = [ "nix-serve" ];
+    keep-outputs = true;
+    keep-derivations = true;
+    secret-key-files = config.sops.secrets.store_key.path;
+  };
+
+  systemd.services.nix-serve = {
+    description = "nix-serve binary cache server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    path = [
+      config.nix.package
+      pkgs.bzip2
+      pkgs.nix-serve-ng
+    ];
+
+    environment = {
+      NIX_REMOTE = "daemon";
+      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
+    };
+
+    script = ''
+      nix-serve --socket /run/nix-serve/nix-serve.sock &
+      PID=$!
+      sleep 1
+      chmod 660 /run/nix-serve/nix-serve.sock
+      wait "$PID"
+    '';
+
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "5s";
+      User = "nix-serve";
+      Group = "nix-serve";
+    };
+  };
+  systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ];
+}

modules/builders.nix

@@ -1,9 +1,7 @@
 { config, lib }:
 {
-  options.local.remoteBuild = {
+  options.local.remoteBuild.enable = lib.mkEnableOption "";
-    enable = lib.mkEnableOption "";
+
-    isBuilder = lib.mkEnableOption "";
-  };
   config = lib.mkMerge [
     (lib.mkIf config.local.remoteBuild.enable {
       nix = {
@@ -12,8 +10,8 @@
           keep-derivations = false;
           builders-use-substitutes = true;
           max-jobs = 0;
-          substituters = [ "ssh-ng://nix-ssh@gerg-desktop" ];
+          substituters = [ "https://cache.gerg-l.com" ];
-          trusted-public-keys = [ "gerg-desktop:6p1+h6jQnb1MOt3ra3PlQpfgEEF4zRrQWiEuAqcjBj8=" ];
+          trusted-public-keys = [ "cache.gerg-l.com:6p1+h6jQnb1MOt3ra3PlQpfgEEF4zRrQWiEuAqcjBj8=" ];
         };
         distributedBuilds = true;
         buildMachines = [
@@ -37,60 +35,10 @@
           }
         ];
       };
-      programs.ssh.knownHosts = {
+      programs.ssh.knownHosts.gerg-desktop = {
-        gerg-desktop = {
+        extraHostNames = [ "gerg-desktop.lan" ];
-          extraHostNames = [ "gerg-desktop.lan" ];
+        publicKey = config.local.keys.root_gerg-desktop;
-          publicKey = config.local.keys.root_gerg-desktop;
-        };
       };
     })
-
-    (
-      let
-        keys = [ config.local.keys.root_media-laptop ];
-      in
-      lib.mkIf config.local.remoteBuild.isBuilder {
-        sops.secrets.store_key = { };
-        users = {
-          groups.builder = { };
-          users.builder = {
-            createHome = false;
-            isSystemUser = true;
-            openssh.authorizedKeys = {
-              inherit keys;
-            };
-            useDefaultShell = true;
-            group = "builder";
-          };
-        };
-        services.openssh.extraConfig = ''
-          Match User builder
-            AllowAgentForwarding no
-            AllowTcpForwarding no
-            PermitTTY no
-            PermitTunnel no
-            X11Forwarding no
-          Match All
-        '';
-
-        nix = {
-          settings = {
-            trusted-users = [
-              "builder"
-              "nix-ssh"
-            ];
-            keep-outputs = true;
-            keep-derivations = true;
-            secret-key-files = config.sops.secrets.store_key.path;
-          };
-          sshServe = {
-            enable = true;
-            write = true;
-            inherit keys;
-            protocol = "ssh-ng";
-          };
-        };
-      }
-    )
   ];
 }