62 lines
1.9 KiB
Nix
62 lines
1.9 KiB
Nix
{ config, lib, pkgs, sane-lib, ... }:
|
|
|
|
let
|
|
inherit (lib) mkIf mkMerge mkOption types;
|
|
cfg = config.sane.roles.build-machine;
|
|
in
|
|
{
|
|
options.sane.roles.build-machine = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
};
|
|
};
|
|
|
|
config = mkMerge [
|
|
(mkIf cfg.enable {
|
|
# enable opt-in emulation of any package at runtime.
|
|
# i.e. `nix build '.#hostPkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
|
|
sane.programs.qemu.enableFor.user.colin = true;
|
|
|
|
# act as a remote builder
|
|
nix.settings.trusted-users = [ "nixremote" ];
|
|
users.users.nixremote = {
|
|
isNormalUser = true;
|
|
home = "/home/nixremote";
|
|
# remove write permissions everywhere in the home dir.
|
|
# combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
|
|
# (in which case, i'm not actually sure why nixremote needs a home)
|
|
homeMode = "550";
|
|
group = "nixremote";
|
|
subUidRanges = [
|
|
{ startUid=300000; count=1; }
|
|
];
|
|
initialPassword = "";
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
|
|
];
|
|
};
|
|
|
|
users.groups.nixremote = {};
|
|
|
|
sane.users.nixremote = {
|
|
fs."/".dir.acl = {
|
|
# don't allow the user to write anywhere
|
|
user = "root";
|
|
group = "nixremote";
|
|
};
|
|
};
|
|
|
|
# each concurrent derivation realization uses a different nix build user.
|
|
# default is 32 build users, limiting us to that many concurrent jobs.
|
|
# it's nice to not be limited in that way, so increase this a bit.
|
|
nix.nrBuildUsers = 64;
|
|
|
|
nix.settings.system-features = [ "big-parallel" ];
|
|
|
|
# corresponds to env var: NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
|
|
# nixpkgs.config.allowUnsupportedSystem = true;
|
|
})
|
|
];
|
|
}
|