From c9baa840d917e50607f75c3c4f45e43a7959978b Mon Sep 17 00:00:00 2001
From: TheGeneralist <180094941+thegeneralist01@users.noreply.github.com>
Date: Tue, 1 Jul 2025 17:30:24 +0200
Subject: [PATCH] feat: distributed builds

---
 hosts/thegeneralist-central/cache/key.age     | 12 +++----
 hosts/thegeneralist-central/configuration.nix | 33 ++++++++++++++-----
 hosts/thegeneralist-central/password.age      |  5 +++
 modules/common/nix.nix                        | 28 +++++++++++++---
 secrets.nix                                   |  1 +
 5 files changed, 59 insertions(+), 20 deletions(-)
 create mode 100644 hosts/thegeneralist-central/password.age

diff --git a/hosts/thegeneralist-central/cache/key.age b/hosts/thegeneralist-central/cache/key.age
index 402c191..ccf5c44 100644
--- a/hosts/thegeneralist-central/cache/key.age
+++ b/hosts/thegeneralist-central/cache/key.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pp9qdQ 7QBh40bF+3U+uQaQiZNMVsIWX2ZX162OKbuzgNwIR3A
-Fj2ACjgfeswbIt+ril51zlNaacqgMzkl8p3CQpiUGFo
---- yVZxFaEnzft0ovxvy0CbdIZso0qVMyFPGocBRiONTQM
-b²Q^4öø4ƒy!Rq9+AE6î²ÓòÅåW&ÃÇÃt[Ñç.ƒ…â/ª„ª™J¼#Bu„zwIïêÖ/ÊGCo¼xÕn©™0Ö1·J¡ckJv/¸p¤qwÿûz B/ßíëÖy$,¥;I–À3©wˆYÙ»üòSÔ
-ë³ÑP2‡
-_ƒÀ”Á_µõDPž
\ No newline at end of file
+-> ssh-ed25519 pp9qdQ hxgD5olkewZpdkhEmVaGYypGzM403Xa7INBRzt78+kU
+LTj/042NIvyLcDA3VpWO6M+pdl2fhzjyXzA3jWP+III
+--- E7wuA8Hb4tpfvqQtPxexcGGK9ng/NVhI16XcErKVAFE
+-þŒüá8'ß|Údù²ùÊ#j9•(æ
+MAF+‹[¼û’eNk_Ñ2\ËÆº#d"øÅð§‹Òµw<PPU-­	»M¶G.Ôõ«G/?™¾(qØ#{_C}IìJÚT…Ï»
+NHQãm¨ †^H¶´É¶ž­ òY±{aÈÙgfŽs“S›šø.À
\ No newline at end of file
diff --git a/hosts/thegeneralist-central/configuration.nix b/hosts/thegeneralist-central/configuration.nix
index f62fb37..fa29b9c 100644
--- a/hosts/thegeneralist-central/configuration.nix
+++ b/hosts/thegeneralist-central/configuration.nix
@@ -7,15 +7,30 @@
 {
   imports = [ ./hardware-configuration.nix ./site.nix ./cache ];
 
-  users.users.thegeneralist = {
-    isNormalUser = true;
-    description = "thegeneralist";
-    extraGroups = [ "wheel" "audio" "video" "input" "scanner" ];
-    shell = pkgs.zsh;
-    home = "/home/thegeneralist";
-    openssh.authorizedKeys.keys = let
-      inherit (import ../../keys.nix) thegeneralist;
-    in [ thegeneralist ];
+  age.secrets.password.file = ./password.age;
+  users.users = {
+    thegeneralist = {
+      isNormalUser = true;
+      description = "thegeneralist";
+      extraGroups = [ "wheel" "audio" "video" "input" "scanner" ];
+      shell = pkgs.zsh;
+      home = "/home/thegeneralist";
+      hashedPasswordFile = config.age.secrets.password.path;
+      openssh.authorizedKeys.keys = let
+        inherit (import ../../keys.nix) thegeneralist;
+      in [ thegeneralist ];
+    };
+
+    build = {
+      isNormalUser = true;
+      description = "for distributed builds";
+      extraGroups = [ "build" ];
+      shell = pkgs.zsh;
+      hashedPasswordFile = config.age.secrets.password.path;
+      openssh.authorizedKeys.keys = let
+        inherit (import ../../keys.nix) thegeneralist;
+      in [ thegeneralist ];
+    };
   };
 
   home-manager = {
diff --git a/hosts/thegeneralist-central/password.age b/hosts/thegeneralist-central/password.age
new file mode 100644
index 0000000..a040bbe
--- /dev/null
+++ b/hosts/thegeneralist-central/password.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ hAL4bshCsrk6ICT4G3eH9SUNmrjHxNZyMce0dhvr7S0
+TUFsXZVHHRAfV0O4TFcGw/jgAuG0o+kswWyWft1PdxY
+--- oBWT2yMt7VN1Oz94ThsyKmhYfB0C3niB4NfTBW+66x0
+"»??EGßskÊ„UYAµÊØí½ðDéœˆEõ©’òóÞ“¨”lJÛH9ò
\ No newline at end of file
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index a60ad6f..c48a56c 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, ...}: {
+{ config, pkgs, lib, ...}: let
+  subs = [
+    "https://cache.thegeneralist01.com/"
+    "https://cache.nixos.org/"
+  ];
+in {
   # todo: gc
   environment.systemPackages = with pkgs; [
     nh
@@ -11,15 +16,28 @@
       "pipe-operators"
     ];
 
-    extra-substituters = [
-      "https://cache.thegeneralist01.com/"
-    ];
+    extra-substituters = subs;
+    trusted-substituters = subs;
 
     extra-trusted-public-keys = [
-      "etc.thegeneralist01.com:BIhIf7HJ5xjFX+2e0WrGDQ4LdHeEEyQrtWBB1li2Ve8="
+      "cache.thegeneralist01.com:jkKcenR877r7fQuWq6cr0JKv2piqBWmYLAYsYsSJnT4="
     ];
+
+    trusted-users = [ "root" "@build" "@wheel" ];
+
+    builders-use-substitutes = true;
   };
 
+  nix.distributedBuilds = true;
+  nix.buildMachines     = if (config.networking.hostName != "thegeneralist-central") then [{
+    hostName            = "thegeneralist-central";
+    maxJobs             = 20;
+    protocol            = "ssh-ng";
+    sshUser             = "build";
+    supportedFeatures   = [ "benchmark" "big-parallel" "kvm" "nixos-test" ];
+    system              = "aarch64-linux";
+  }] else [];
+
   home-manager.sharedModules  = [{
     programs.nh = {
       enable = true;
diff --git a/secrets.nix b/secrets.nix
index 290df64..ad9a0d8 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,6 +8,7 @@ in {
   "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
 
   "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ];
 }