Serve Nix store from builder

ethnt · Dec 30, 2023 · 5d5e8c1 · 5d5e8c1
1 parent 6659151
commit 5d5e8c1
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 3 deletions.
diff --git a/flake.nix b/flake.nix
@@ -6,12 +6,14 @@
       "https://nix-community.cachix.org"
       "https://e10.cachix.org"
       "https://numtide.cachix.org"
+      "https://cache.builder.e10.camp"
     ];
 
     extra-trusted-public-keys = [
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "e10.cachix.org-1:/++Tmo/ghEqnLwsQJdXn04c262agRCK5PaPYz8NcVfo="
       "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+      "cache.builder.e10.camp:lvUGwBcrxIyO5+KGymLJTqEWKJZ0wuaXPNexPENrQwA="
     ];
   };
 

diff --git a/hosts/builder/configuration.nix b/hosts/builder/configuration.nix
@@ -1,6 +1,7 @@
 { suites, profiles, ... }: {
   imports = with suites;
-    core ++ homelab ++ proxmox-vm ++ [ profiles.remote-builder.builder ]
+    core ++ homelab ++ proxmox-vm
+    ++ [ profiles.remote-builder.builder profiles.remote-builder.substituter ]
     ++ [ ./hardware-configuration.nix ./disk-config.nix ];
 
   boot.loader.grub.devices =

diff --git a/hosts/controller/configuration.nix b/hosts/controller/configuration.nix
@@ -16,7 +16,7 @@
       profiles.power.apc
       profiles.telemetry.prometheus-nut-exporter
       profiles.telemetry.prometheus-smokeping-exporter
-      profiles.nix.remote-builders.builder
+      profiles.nix.remote-builders.e10-builder
     ] ++ [ ./disk-config.nix ./hardware-configuration.nix ];
 
   e10 = {

diff --git a/hosts/gateway/configuration.nix b/hosts/gateway/configuration.nix
@@ -78,6 +78,11 @@
       port = hosts.htpc.config.services.tautulli.port;
     };
 
+    "cache.builder.e10.camp" = mkVirtualHost {
+      host = hosts.builder;
+      port = hosts.builder.config.services.nix-serve.port;
+    };
+
     "e10.video" = mkVirtualHost {
       host = hosts.htpc;
       port = hosts.htpc.config.services.plex.port;

diff --git a/modules/profiles/nix/remote-builders/common.nix b/modules/profiles/nix/remote-builders/common.nix
@@ -1 +1,6 @@
-{ nix.distributedBuilds = true; }
+{
+  nix = {
+    distributedBuilds = true;
+    settings.builders-use-substitutes = true;
+  };
+}
diff --git a/.../profiles/nix/remote-builders/builder.nix → ...files/nix/remote-builders/e10-builder.nix b/.../profiles/nix/remote-builders/builder.nix → ...files/nix/remote-builders/e10-builder.nix
diff --git a/modules/profiles/remote-builder/secrets.yml b/modules/profiles/remote-builder/secrets.yml
@@ -0,0 +1,94 @@
+nix_serve_private_key: ENC[AES256_GCM,data:gu2xJ6PfD8bfz/oOjWURzvzQ1VD5ha5tuHa9N1Ml+PBLRvpLsosOFGMHR1ymOfSq1hIQqVs9ilZTXux+Z8YH0y3DZa0W8PnaOvtoPWxjo5dQtMRfFAheIyQKkRJm2aXXa9P28Q1swOJbutsxgEUy,iv:9CRJ+azDbdBsskLKb2G/QSfAntw01FQ/QoKhnj91NVs=,tag:0mMoJskXKoKuPTX3R1fK+A==,type:str]
+nix_serve_public_key: ENC[AES256_GCM,data:nIFhNyDlkXzwqyztgMUCmuU7uoZqlursDcMlOC6crv5S9dJBk5i1ZnMOmbNOAaD8cp48uY1c7sGDiF80BTa29twJVw==,iv:UwgiiEk260sLPpeoS44EYSU1Gl1t3ShmpE0cThczKD8=,tag:ovAj6KjMMJJNvmc7jcYVDw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Q0RrMXp5dHNhc3FXYU1m
+            cjRxcHY0MmI5VThnTVJHZGh1aytRSFRGbUJjClBqVWt3MkdjMmtJYlpaSGJXS2pK
+            TlpyMFVtUTJkS1J1U0NraWpsbmo4QjQKLS0tIE5WMXJMY2VUQzJMdUtQazBSbEs4
+            NGxSV3FIVkpUQmIzYjM2cjRlZkk1U1kK+l/70ZILjjO3TUD28Hb2c36kDPwm/2UA
+            DmiEgRqg7uEHpcxf/cTPYaaXdBwld0QxvNPG5gOoZQq+r/R2//C9ug==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xgvn6f36rkzmq2kfqx0g2xg90qrpar4hpu6fr8xc3s2kqw6dzqcssnslsv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMnhqMVIrb01DZDRjbEFo
+            UkNSOU1DUlBPa0tPNFZVOEFMNExHVnZNRmtrCmZOelhOVjRGZyt0M2luNDc0VEhi
+            c3N6ZUFOQkc2anVvYytKZk0zMUNLMTAKLS0tIHhpVFBWZjBKNTJ4UzR2Q2ExUDZC
+            MVBQNUtFaU9lSVJ5K0wxeUFDVXdJRkEKr0+5aixUir3EtElBeahAYbzPQojVJRxk
+            R5JfTbBCC8zlsNHgrWP5jdOnYQQUwGkuRMFaRX7UZdk3H/KN8ecqWA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ex9c847ra3fkwv9qwk85a8ukt9f5jny6rusc3pn967dvkwlpwass56jrfd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2V1o5YTNNUG9PSHl5Sk5T
+            TU42NXlwaW8wcFZkMmthZjZQaHpJa0EyZTBJCncvNDhnbW9BazF2cGJVZWZoNXVV
+            NW1ta3Q2RVNLU0pMdHZnQStpQ0pQb1kKLS0tIFBQM1lDbWk2MGl0bkVLa2VpVU1k
+            V1hlclhHbDlkUlUrNG9nTkpGUFNUUWMKPeeWBtI6GqWBWj380SB+denTlubl/PSm
+            5n8vnw2ZkETfAAzc/1xRlLTJ+igtmtX1LGbZQh8KdELWXH6vqgseaA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13ztzxk2f2cklrecwqztmwznvj2qdrjlrpcu6xmc698yfex8puvdqsryrcj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYVlyb0dzVEhFWFJtbGZX
+            TWNHaEFQYzhRckl2dCt5MkdNY3hFRzZDbXdFClo4blcyRzM2TE56YWJvNmlpdTFq
+            V1Z4MnZ1MTUvbi9tK1pLQVhFSTR0YncKLS0tIFZqdTNEak1GYWw5cDdpZXl2QkNG
+            MVVvK05YSXJTVSt3OFdrUTlVMllEaGMKzFi6geNNrwgmCpv3dp9HUzSlcl8Ik7Kj
+            RkHiu79qlTscUAWIO6k8JU+s5SqgAvNnL/7nSrmblyoHmbA7znNjYQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWUk0ajBpSlhxRzBCNjZi
+            Vm1JbkZqNmNneFVLc0FUc0dJdmZxSHYxT3c0CnJNZTR0WkZNUE1LM2MwaUdwbDJL
+            RnNzOTZrbEk2QTZpNkhsVkRPZkxBSUUKLS0tIHNIMk12UDNPdm96SzIvdmQrdEcv
+            U3UvY0JvMzB4eUR3cUhEZ2dtR0huNkkKTYAOmpXnfpnH48nP7NRJ6rnr/AxPvW9z
+            oQQRYOHu5aTDuttAKvaqfp/8vfmTjAi/6AqxdTjsuS+Xusgb9szk2A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeG13b25PYjd2SE9uMExW
+            dlhHS3hqa2JBSlFFbFhPeWgrKytaZzdwMUFZClByK2tlV1ZYaFpHWFliM3ltUjhq
+            eHNmM2RTdjVMYVhjdXpoMk1Bcll1Y1UKLS0tIGNmQ2lrN043S3NaNVJkSWNRSzBJ
+            TlcwVmg0T2IxbG1pb3c0Y1ZrTmNiOXcKZVskly8ksHVLlNi8kRA9oyACMyw2wn1G
+            6DS+GXw92bSjMM1FTXGLnpR4M6Vs4pUy7YDzQlv322tbcPxtqWtq7A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWXZuTTh1czJNNC84UzZE
+            K2NqRGdyRWhiOG9MSmVyNFNGWklDSkNNeVNzCjMwaTJrejNYZ3JkVWRnZ0dRempJ
+            ek15UDl6cHJRR0VoRVNnR2YzalZwSlkKLS0tIFhOQjBlS1FUUEtCbkNqdVpISU1R
+            S1gzVXVHQlpxQjhLc2tUV2I0SnJuZVkKaTm6Bd85rNykgB4MJt2vUgAunBQpeQbR
+            5n1UYep9Gx/duU0hBDRTX7vP630mmj8oZ+2/VQWqNNyi2wnsEXZ1vg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vdrdnzqjy9uj34slwkpk9tfnfnn7s7z20m48tel7ezh0svgruf3sjwfsy2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFdpRXA3WWVCY2dBZ0Jj
+            L2lMWThNbEp0bks4cVdMV1BqNE9aS2tLRlRVCkJ6RzVxVW45M045MG5QVGJQN3pp
+            S2dZMFc1NDd6WWFkakVmT1B5eGtLNkEKLS0tIGRaNlROMHo2NDltZkFUelZ1Qi9a
+            aUwzTFQ5RGhQdlhuUEJSNEIwbFkrZ2sKjZDWviwM7tPp/Un+K1WzQOl+0EYE0DB+
+            6hIfKH/tSTGGUYpoT8XbIwe+juyyYhtU8+Od+62RFNW6EwmgZtnS0A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kqzvvxxmlv7gudllrsnle8q2hct8vx7pl3ehswkn2gaqkuxhxpcqplglyk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3YXg2OFdxYWJwL1Q2R1BY
+            ckFYTmR0blkvN1FuSEtDZGhmNndHS3QwbTB3Cjl5ekpWakVmSW5EcytyOTZ5N2xP
+            WFlMbWtxRkFiVDN5OXlROXlBUGFXZEEKLS0tIFA1YVlHaTV4VG1NZDVHRWI2VXNL
+            Zlp5Z2JIZTQwR1c2bjQ4aVFZekRENUkKzXomnmZT7oHu5KQDGM+FjprR18vXhIAm
+            fwKesjuyt+na5dDcPtXfUVq/CCpTPkJU21yuzcOrEsMyF+xddFXgKg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-30T18:10:50Z"
+    mac: ENC[AES256_GCM,data:TrQ6N5qQTArJBUDpvxURsq6YOezHTmAnJqlgEbHcKwTjg4Xc7FQnrkmFdrZq9IFotWdLDuZGI7dXktCmMWihpDdXljHndQBBECLmKhiz3WN8TzbkNo7LuEz4hmWsdyFFI0RUbAPXvs61fbk2/aLuH86MVPfYglWMP33Cq0JgfyU=,iv:OkxiF+dVEg52KgQxZWCyjbTJic8Vcy0FBgTAeg52s70=,tag:FmTwunFHzmbtbiuqzXsgSQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/modules/profiles/remote-builder/substituter.nix b/modules/profiles/remote-builder/substituter.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+  sops.secrets = {
+    nix_serve_private_key = {
+      format = "yaml";
+      sopsFile = ./secrets.yml;
+      mode = "0600";
+    };
+  };
+
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.sops.secrets.nix_serve_private_key.path;
+    openFirewall = true;
+  };
+}