feat: distributed builds

hosts/thegeneralist-central/cache/key.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pp9qdQ 7QBh40bF+3U+uQaQiZNMVsIWX2ZX162OKbuzgNwIR3A
-Fj2ACjgfeswbIt+ril51zlNaacqgMzkl8p3CQpiUGFo
---- yVZxFaEnzft0ovxvy0CbdIZso0qVMyFPGocBRiONTQM
-b²Q^4öø4ƒy!Rq9+AE6î²ÓòÅåW&ÃÇÃt[Ñç.ƒ…â/<2F>ª„ª™J¼<4A>#Bu„zwIïêÖ/ÊGCo¼xÕn©™0Ö1·J¡ckJv/¸p¤qwÿûz B/ßíëÖy<C396>$,¥;I–À3©wˆYÙ»üòSÔ
-ë³ÑP2‡
-_
ƒÀ”Á_µõDPž
+-> ssh-ed25519 pp9qdQ hxgD5olkewZpdkhEmVaGYypGzM403Xa7INBRzt78+kU
+LTj/042NIvyLcDA3VpWO6M+pdl2fhzjyXzA3jWP+III
+--- E7wuA8Hb4tpfvqQtPxexcGGK9ng/NVhI16XcErKVAFE
+-þŒüá8'ß|Ú<>dù²ùÊ#j9•(æ
+MAF+
‹[¼û’eNk_Ñ2\Ëƺ#d"øÅð§‹Òµw<PPU-­	»M¶G.Ôõ«
G/?™¾(qØ#{_C}IìJÚT…Ï»
+NHQãm¨ †^H¶´É¶<C389>ž­ òY±{aÈÙgfŽs“S›šø.À

hosts/thegeneralist-central/configuration.nix

@@ -7,17 +7,32 @@
 {
   imports = [ ./hardware-configuration.nix ./site.nix ./cache ];
 
-  users.users.thegeneralist = {
+  age.secrets.password.file = ./password.age;
+  users.users = {
+    thegeneralist = {
       isNormalUser = true;
       description = "thegeneralist";
       extraGroups = [ "wheel" "audio" "video" "input" "scanner" ];
       shell = pkgs.zsh;
       home = "/home/thegeneralist";
+      hashedPasswordFile = config.age.secrets.password.path;
       openssh.authorizedKeys.keys = let
         inherit (import ../../keys.nix) thegeneralist;
       in [ thegeneralist ];
     };
 
+    build = {
+      isNormalUser = true;
+      description = "for distributed builds";
+      extraGroups = [ "build" ];
+      shell = pkgs.zsh;
+      hashedPasswordFile = config.age.secrets.password.path;
+      openssh.authorizedKeys.keys = let
+        inherit (import ../../keys.nix) thegeneralist;
+      in [ thegeneralist ];
+    };
+  };
+
   home-manager = {
     backupFileExtension = "home.bak";
     extraSpecialArgs = { inherit inputs; };

hosts/thegeneralist-central/password.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ hAL4bshCsrk6ICT4G3eH9SUNmrjHxNZyMce0dhvr7S0
+TUFsXZVHHRAfV0O4TFcGw/jgAuG0o+kswWyWft1PdxY
+--- oBWT2yMt7VN1Oz94ThsyKmhYfB0C3niB4NfTBW+66x0
+"»??EGßskÊ„UYAµÊØí<C398>
½ðD霈Eõ©’òóÞ“¨”lJÛH9ò<39>

modules/common/nix.nix

@@ -1,4 +1,9 @@
-{ pkgs, lib, ...}: {
+{ config, pkgs, lib, ...}: let
+  subs = [
+    "https://cache.thegeneralist01.com/"
+    "https://cache.nixos.org/"
+  ];
+in {
   # todo: gc
   environment.systemPackages = with pkgs; [
     nh
@@ -11,15 +16,28 @@
       "pipe-operators"
     ];
 
-    extra-substituters = [
-      "https://cache.thegeneralist01.com/"
-    ];
+    extra-substituters = subs;
+    trusted-substituters = subs;
 
     extra-trusted-public-keys = [
-      "etc.thegeneralist01.com:BIhIf7HJ5xjFX+2e0WrGDQ4LdHeEEyQrtWBB1li2Ve8="
+      "cache.thegeneralist01.com:jkKcenR877r7fQuWq6cr0JKv2piqBWmYLAYsYsSJnT4="
     ];
+
+    trusted-users = [ "root" "@build" "@wheel" ];
+
+    builders-use-substitutes = true;
   };
 
+  nix.distributedBuilds = true;
+  nix.buildMachines     = if (config.networking.hostName != "thegeneralist-central") then [{
+    hostName            = "thegeneralist-central";
+    maxJobs             = 20;
+    protocol            = "ssh-ng";
+    sshUser             = "build";
+    supportedFeatures   = [ "benchmark" "big-parallel" "kvm" "nixos-test" ];
+    system              = "aarch64-linux";
+  }] else [];
+
   home-manager.sharedModules  = [{
     programs.nh = {
       enable = true;

secrets.nix

@@ -8,6 +8,7 @@ in {
   "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
 
   "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ];
 }