From a62a69c7ceeef3246f0daa14e611df9343709b0b Mon Sep 17 00:00:00 2001 From: Nathan Date: Sat, 23 Aug 2025 09:49:02 -0500 Subject: [PATCH] test remote builds --- .sops.yaml | 5 +++ home-manager/nathan/default.nix | 41 +++++++++++------- home-manager/programs/hyprpanel/default.nix | 15 +++++++ .../configuration/homebox/default.nix | 17 +++++++- .../configuration/laptop/default.nix | 2 +- .../configuration/laptop/secrets.yaml | 5 ++- system-config/default.nix | 42 +++++++++++++------ system-config/secrets.yaml | 26 ++++++++++++ 8 files changed, 121 insertions(+), 32 deletions(-) create mode 100644 home-manager/programs/hyprpanel/default.nix create mode 100644 system-config/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index df2b354..73bdd6f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,3 +15,8 @@ creation_rules: - age: - *laptop - *homebox + - path_regex: system-config/secrets.yaml$ + key_groups: + - age: + - *laptop + - *homebox diff --git a/home-manager/nathan/default.nix b/home-manager/nathan/default.nix index f4076c0..452daac 100644 --- a/home-manager/nathan/default.nix +++ b/home-manager/nathan/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: { +{ config, lib, pkgs, inputs, ... }: { imports = [ ./programs @@ -7,18 +7,6 @@ ./dotfiles ]; - options.homeconfig = { - host = lib.options.mkOption { - type = lib.types.str; - default = null; - }; - - home-manager.enable = lib.options.mkOption { - type = lib.types.bool; - default = false; - }; - }; - config = { home.stateVersion = "23.11"; 
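Review bot: `inputs` is added to the module's argument set, but its only use in this patch is `nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]` inside a block that is commented out further down the file, so the new parameter is dead and should go with that block. Deleting the `homeconfig.host` and `homeconfig.home-manager.enable` declarations also removes options that other home-manager modules may still read — any remaining `config.homeconfig.host` reference becomes an evaluation error — which cannot be confirmed from this hunk; the `config = {` body it ends in continues beyond it.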
@@ -48,11 +36,34 @@ defaultSopsFormat = "yaml"; }; + /*nix = { + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + settings = { + experimental-features = [ "nix-command" "flakes" ]; + builders = ''''; + builders-use-substitutes = true; + }; + + distributedBuilds = config.sysconfig.remoteBuildClient; + buildMachines = lib.mkIf config.sysconfig.remoteBuildClient [ + { + hostName = "blunkall.us"; + sshUser = "remote-builder"; + sshKey = config.sops.secrets."remoteBuildSSHKey".path; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; + systems = [ "x86_64-linux" "aarch64-linux" ]; + } + ]; + };*/ + services.mpris-proxy.enable = true; programs.ssh.enable = true; - programs.home-manager.enable = config.homeconfig.home-manager.enable; - }; } diff --git a/home-manager/programs/hyprpanel/default.nix b/home-manager/programs/hyprpanel/default.nix new file mode 100644 index 0000000..aaf06de --- /dev/null +++ b/home-manager/programs/hyprpanel/default.nix @@ -0,0 +1,15 @@ +{ config, lib, ... }: { + + options.homeconfig.hyprpanel.enable = lib.mkOption { + type = with types; bool; + default = false; + }; + + config = lib.mkIf config.homeconfig.hyprpanel.enable { + + programs.hyprpanel = { + enable = true; + + }; + }; +} diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 51e81cb..a4941a2 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix 
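Review bot: The `/*nix = { ... }*/` block is dead code that should be deleted rather than parked in a comment: it duplicates the client-side remote-builder configuration this same patch keeps in system-config/default.nix, and it reads `config.sysconfig.remoteBuildClient` through the home-manager `config`, where that NixOS option does not exist, while naming a secret (`remoteBuildSSHKey`) the patch renames to `remoteBuildKey` — it could not be uncommented as written. Removing `programs.home-manager.enable = config.homeconfig.home-manager.enable` leaves that option at its default of false, which is fine when home-manager runs as a NixOS module but drops the `home-manager` CLI from the profile if this configuration is also used standalone; a one-line comment such as `# home-manager is driven by the NixOS module; the CLI is intentionally not installed` would record which mode is intended.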
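Review bot: `type = with types; bool;` refers to `types`, which is not bound anywhere in this module — the arguments are `{ config, lib, ... }` and nothing brings `lib.types` into scope — so the option declaration fails with an undefined-variable error as soon as the file is imported and its options are evaluated; write `type = lib.types.bool;`. Whether ./programs/default.nix actually imports this file is not visible here. The `programs.hyprpanel` attribute set also carries a stray blank line and nothing beyond `enable = true;`; if no settings are intended, `programs.hyprpanel.enable = true;` says the same in one line.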
@@ -21,6 +21,21 @@ systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; + binfmt.emulatedSystems = lib.mkIf config.sysconfig.remoteBuildHost [ "aarch64-linux" ]; + }; + + nix.settings.trusted-users = lib.mkIf config.sysconfig.remoteBuildHost [ "remote-builder" ]; + + users.users."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost { + isNormalUser = true; + createHome = false; + /*openssh.authorizedKeys.keyFiles = [ + config.sops.secrets."remoteBuildClientKeys/laptop".path + ];*/ + openssh.authorizedKeys.keyFiles = (builtins.partition + (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) + (builtins.attrNames config.sops.secrets) + ).right; }; hardware = { @@ -102,7 +117,7 @@ }; sysconfig = { - #remoteBuildHost = true; + remoteBuildHost = true; host = "homebox"; graphical = true; users = { diff --git a/system-config/configuration/laptop/default.nix b/system-config/configuration/laptop/default.nix index b6b1f14..8ee98e5 100644 --- a/system-config/configuration/laptop/default.nix +++ b/system-config/configuration/laptop/default.nix @@ -63,7 +63,7 @@ ]; sysconfig = { - #remoteBuildClient = true; + remoteBuildClient = true; host = "laptop"; graphical = true; users = { diff --git a/system-config/configuration/laptop/secrets.yaml b/system-config/configuration/laptop/secrets.yaml index 5e28b02..fa2e25d 100644 --- a/system-config/configuration/laptop/secrets.yaml +++ b/system-config/configuration/laptop/secrets.yaml 
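Review bot: `openssh.authorizedKeys.keyFiles` is pointed at sops-nix secret paths, but NixOS reads `keyFiles` with `readFile` at evaluation time and bakes the contents into `/etc/ssh/authorized_keys.d/remote-builder`, whereas `/run/secrets/remoteBuildClientKeys/*` only exists after activation on the target host — under pure flake evaluation the read is refused, and an impure one would read whatever the evaluating machine has at that path, not the host being configured. Authorized keys are public keys, so sops adds a failure mode without protecting anything; keep them as literals in `openssh.authorizedKeys.keys`, where access can also be narrowed. That matters because `nix.settings.trusted-users` now includes `remote-builder`, which nix's own option documentation describes as essentially equivalent to root on the daemon's host, so every key accepted for that user is root on a publicly named machine; at minimum restrict each entry, e.g. `openssh.authorizedKeys.keys = [ "restrict,command=\"nix-store --serve --write\" ssh-ed25519 AAAA… root@laptop" ];` (the forced command matches the default `ssh://` transport of the client's `buildMachines` entry; use `nix-daemon --stdio` for `ssh-ng://`), which blocks interactive shells and forwarding. `sysconfig.remoteBuildHost`, which gates this block, is declared outside the hunk.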
@@ -1,5 +1,6 @@
 nathan:
   pass: ENC[AES256_GCM,data:H/duNPyclGoCF/Z90TQcqaUymowHOLRDmcfDxSubNGdmijknsCq+UH5PaWUmXGZ7uZqcpYWBcsVbYfQO/98OHH/kbwAFD/Hgkw==,iv:74M2PQqVzAgMXA8Z4RVLJKawt0Lzh94IKbn8YCTx3tY=,tag:B/xgA4mrhWEccaXQ+qvjCA==,type:str]
+remoteBuildKey: ENC[AES256_GCM,data:CN7AyOCV4iYzYrwVh2Af5YB0nwR4raXfj5FbbeIZg5Bfha0sUPnLAG+oqVUyzVQA3yftFhfwPGaALOyb6VlT13pTifG+uEoyiq1dQP6dimlmk/p/6kVtg4aiETJ/61EUeQF/HTVTZ3F7akgQRsKNFQYbF2srcurPQSY0Q2gjlkkFA3A3aLoN2LrkFPJvtnNP6SJzXDFHVOTPmbc/DvF9UbMiYu0viIlfiPqeBs26lAqcOWhrYlOxKqEL2IoP3kADDncedxT42c1rCPB/2kGvKg+mXSlaIH3a0Hb8hrnjVUB0edyqYnNCurVhPF8mg2yoqrtyaxRkZKvUsa5LBZwS+iL9bYQdU/4hxT9c7wRC+ZtWkwF4l/gy8Ggc+VuB+YT9JUCJY96o8f2wKFup0BS+oiYLGJKpcOLMFrPJLEtOMrqPN/Z6+gZ9LVbhlSliIV/yUTJAa26el0w6tP9Ebs6tHiFakpkMahsBbRxmHBmqkHW5zfa5YpvD5Ii/EC+F8Vb/Efn6LkBZBwSB6K33NSOy,iv:4i0bGQe7wiDSvmygY2VNSEhuYfYIi9YY1g7qLgDTcMo=,tag:MJqOovOcZ97COsVjxZus8w==,type:str]
 sops:
   age:
     - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
@@ -11,7 +12,7 @@ sops:
         Y2ZpR25VNGVoMi9ibW8wbW5rYTQ3R00Ka6/KLXSSRP9WJDV0RBHHS5nALfd/3xDu
         y+QS+Ueh56kQT2zbYpYBRIPDgI3LZgwlTifQCDJ9ZPq0LGgu4XbEqQ==
         -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-19T03:46:09Z"
-    mac: ENC[AES256_GCM,data:oDQaS7PdVa2U8mJtv5lwj6DKO25dxyzAfhDuI+fBeAeKlq7RlILpxCsT3iXcltblMhz8Jk2QronMtAy53r/aCIEhmIeEKGqGWr/sPV5DRWmIcIvZU2EDAEqbcbrxOV8BQFmEvRvJ7RhpG90ffK51SdaczzTcod9PGMst7LHTeMw=,iv:4/MeKQ2j0CLXHwusfsyOzUVSz78j3q1aipw1ugWtW8Y=,tag:Tkn9Zx9vk93Ka28tBpcjWQ==,type:str]
+    lastmodified: "2025-08-23T03:46:50Z"
+    mac: ENC[AES256_GCM,data:QJLMqnmkrgtTqqmLN9NCfV8PPm5N/F0gtGw/XlX+nnfbesGVeYubSjtHmYWmY7ha41jEvLYu8rmIXaxDepfogyOf4wzuRPLkJxO7Wu0UVdr5uZlHNrcxZh4Ex6YGgg8Lbcjs0iVCev66lWfuhuxuvPOKsGLZvoNTq0V1hLpo/Fw=,iv:VFrL0L6tC1JvWM3BOJP4Dh+q1xSMBecCtPnNcY/loAU=,tag:p5VmBaGPTxyTmm1Ha9Le3Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2
diff --git a/system-config/default.nix b/system-config/default.nix
index ac208de..5911b1b 100644
--- a/system-config/default.nix
+++ b/system-config/default.nix @@ -28,7 +28,33 @@ config = { - sops.secrets."remoteBuildSSHKey" = lib.mkIf config.sysconfig.remoteBuildClient {}; + sops.secrets = (if config.sysconfig.remoteBuildHost then ( + builtins.listToAttrs + (builtins.map + (y: { + name = "remoteBuildClientKeys/${y}"; + value = { + format = "yaml"; + sopsFile = ./secrets.yaml; + }; + }) + (builtins.partition + (z: let + cfg = if + ((builtins.readDir ./configuration).${z} == "directory") + then (import ./configuration/${z}).config + else null; + test = if cfg == null then false + else if !(cfg ? sysconfig) then false + else if !(cfg.sysconfig ? remoteBuildClient) then false + else cfg.sysconfig.remoteBuildClient; + in test) + (builtins.readDir ./configuration) + ).right + ) + ) else {}) // { + "remoteBuildKey" = lib.mkIf config.sysconfig.remoteBuildClient {}; + }; networking.hostName = lib.mkDefault config.sysconfig.host; @@ -39,7 +65,7 @@ channel.enable = false; settings = { experimental-features = [ "nix-command" "flakes" ]; - trusted-users = lib.mkIf config.sysconfig.remoteBuildHost [ "remote-builder" ]; + builders-use-substitutes = lib.mkIf config.sysconfig.remoteBuildClient true; }; distributedBuilds = config.sysconfig.remoteBuildClient; @@ -47,7 +73,7 @@ { hostName = "blunkall.us"; sshUser = "remote-builder"; - sshKey = config.sops.secrets."remoteBuildSSHKey".path; + sshKey = config.sops.secrets."remoteBuildKey".path; supportedFeatures = [ "nixos-test" "benchmark" @@ -59,16 +85,6 @@ ]; }; - boot.binfmt.emulatedSystems = lib.mkIf config.sysconfig.remoteBuildHost [ "aarch64-linux" ]; - - users.users."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost { - isNormalUser = true; - createHome = false; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7wpZD7mpHHpfHBSBV28x3ify+dtoLRDXO91mJ/WhUj root@laptop" - ]; - }; - time.timeZone = lib.mkDefault "America/Chicago"; i18n = lib.mkDefault { 
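Review bot: `builtins.partition` in the new `sops.secrets` expression is applied to `builtins.readDir ./configuration`, which is an attribute set, while `partition` takes a list — evaluation fails with a type error before any secret is declared; the predicate already indexes `(builtins.readDir ./configuration).${z}`, so the intended input is the name list, and `builtins.filter (z: …) (builtins.attrNames (builtins.readDir ./configuration))` expresses the selection without the `.right` projection. `(import ./configuration/${z}).config` further assumes each host module is a plain attribute set; if those files are functions of `{ config, lib, pkgs, ... }` like home-manager/nathan/default.nix in this same patch, `import` returns a function and `.config` fails as well. Discovering clients by importing sibling host directories at evaluation time is fragile; an explicit option on the host, e.g. `sysconfig.remoteBuildClients = [ "laptop" ];`, would name the same secrets without evaluating other hosts' modules. The `config = {` set this hunk edits continues beyond it.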
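Review bot: The `buildMachines` entry authenticates the client to `blunkall.us` with `sshKey`, but nothing in it authenticates the builder: no `publicHostKey` is set, so nix's non-interactive ssh relies on the client root user's known_hosts already holding that host, and otherwise the connection is refused (nix may then try to build locally, which cannot satisfy the `aarch64-linux` system in this entry). Every output the builder returns becomes a trusted store path on the client, so pinning the builder's identity is a supply-chain control; add `publicHostKey = "<base64 -w0 of the builder's ssh_host_ed25519_key.pub>";` to the entry so the connection does not depend on a prior trust-on-first-use. The entry's `systems` list and closing lines are outside this hunk.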
diff --git a/system-config/secrets.yaml b/system-config/secrets.yaml
new file mode 100644
index 0000000..f23aa8c
--- /dev/null
+++ b/system-config/secrets.yaml
@@ -0,0 +1,26 @@
+remoteBuildClientKeys:
+  laptop: ENC[AES256_GCM,data:SZRAZ36nSueWVLcdvpgZpltp/aORqAObFWhgqtIrTYccoK/3F7l0J+VJzF51FASa6spbGJL2BSbzOygyal609pvJc9Hb9bIN85GMzV1P4lha62iC8dkuVLXezPU=,iv:veQJxL4QTxFg2UKm2+I3RQXyuwW2rXEV/gXIQ7nBtlY=,tag:9C9Ltzwz823yY029p9K41A==,type:str]
+sops:
+  age:
+    - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZlgyTEl5ZUxFcHU0eFQ0
+        NEc1Y05heUpLSmFzb2xrVVZZbzVUV2E0N1FjCjd0R0NrNktmMFlPWlpmRG9Qd0Zi
+        aGhRR3VodVVUNElKTzRIWGNUS01qaG8KLS0tIHBBdHdlVkx3STVLQ1ZNa2xCNjJU
+        aGhUWHhYQ21kRENhZkMxcS9KQWk1NW8KH/gDEIG7hPjHmWtAqU6o5tcE0Y6y68XV
+        0cW84xSazHMO4PEGuvvvi3YE8Q2tR2XJR9+CJFBEDqvx1zaFroUptA==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUGFIZDk4azdsSFhBUHho
+        cnUxWkVIdVg1ZUdqTVRTMTRZeTRyejBYendZCkF3WDN2QUh6MjZzSDNrdS9ZNVpW
+        b2ZHVnJYN2xsMVhWM3dDWGhXWkQzWDQKLS0tIGNoWFBNWkFjNFNjWDM4MkN2RUFC
+        S2UxVDJXd2J6NkJYUDVGMnR3VDhqRzQKCj/uuR0vRNjhDpr6D0nRhyxOkBRm6Ruq
+        0HOgp2xkNH+q/KEhB1s/hRSae7lNKKi0T35xFPb46DMPkJSFUNdpPw==
+        -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-23T03:42:30Z"
+    mac: ENC[AES256_GCM,data:+q0EeH0W+1Suu6/DDD4Br83RZ4wzWtsh+1BJrrQ1GBdFV55hjQoKigUVqPZMgjIZ2PIYOnKt9IjZhOdA/m5MY7N1Qdj/cPjzLRKM6JxjJEfaSW5EAp2cSC8vVp2zISsSEUh04zvv4Tiwjmzx2urdLHzOd/SK1upvDKNgAQfcDqQ=,iv:cJRH8JaHPex1I+ar9MC6PSwifRITPTr9+Ka7DCOHcaI=,tag:jpyC55iOI2KVHlnGzEpFNg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2