diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix index 8e53c81..17baea3 100644 --- a/nix/os/devices/sj-bm-hostkey0/configuration.nix +++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix @@ -18,9 +18,18 @@ in { imports = [ nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder + { + roles.nix-remote-builder.schedulerPublicKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" + + # TODO: make this a reference to the private key's secret + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" + ]; + } + ../../profiles/common/user.nix ../../snippets/nix-settings.nix ../../snippets/nix-settings-holo-chain.nix @@ -66,11 +75,6 @@ in { } ]; - roles.nix-remote-builder.schedulerPublicKeys = [ - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 585c02e..de52133 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -81,6 +81,26 @@ enable = true; enableNonRoot = true; }; + + sops.secrets.builder-private-key = {}; + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "sj-bm-hostkey0.dev.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "big-parallel" + "kvm" + ]; + maxJobs = 32; + } + ]; } # TODO: create syncthing os snippet diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml index 26663f9..b69d6fa 100644 --- a/secrets/steveej-x13s/secrets.yaml +++ b/secrets/steveej-x13s/secrets.yaml @@ -1,4 +1,4 @@ -hello: ENC[AES256_GCM,data:9dO0Gd4YDDxWHHBYtdomfK8BJnBZC+SQYfUvTAkCq9sOO/ZH/bFhN0Fl/NvLzQ==,iv:m1TZ9PGjsoMo7NA9EHrLb0tCtIl98E3OEN1bkpZZxXY=,tag:Gup/pACLIXGXu8KEyzmfWg==,type:str] +builder-private-key: ENC[AES256_GCM,data:KG5V86SDVM5LfFPZI5rjKGvYwqLZInEqpwdIJPAiF7fMdG3rTq3JgNJCQr0eOhfmLwT3KEN2Fv0mHZS4smMGdh0WCkza8CzRn/KFY8gqEWxxdff1Wqj7+2/5lSI8I7Qp2EW+eaAgU53PPOh/M3Cgm/Rraw2ARmIJNIgtuJC8ZeZlsh3sl0tacF9rgSrP8p4xAH3C/QUs1HW+10eL9F3STtAV+ZBruU68lNmCdiyqKjg3O3qdRFsjdGWAwHNHL42cEm3il4PofyS5fDDF4otQktZa5n8832ukF5Aj6RNgJwubrsxB9+1M9s7hD1UQyKo6oQKJr1GXNK+IPyXAvdxckZ8INhsxP4c4v8GzR0zJK4MfESx0r67ciGLOcYulNBDOMSbD57oW+wRvCI2eZlpB3ugBcUm/rsQbgFVEX8q6jD8WipJ+Q3hz1zWq45s66XooFmnwc2nBhT6cRmtGzTJCcDpiovgj5tKXSXrWfwYO7tWr7lYg8T4zhfplZBtQOaqTUrAOhW7IRT5Lo/310cMRcp1h44TSnpWXZN7l,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +14,8 @@ sops: dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-23T09:41:31Z" - mac: ENC[AES256_GCM,data:xGspZnqqcwoxM0otV3m6RJdwp4laYC+b6DSOEhzbQDeS6hslD6BddQ2g+tS7l3QTtItOjmB6pLb1JJkyhaG3PDWaDu89GNlvUyTyTUxfZWzTfiB6LWJS7eDTwb6OvzDklzCRltoH+8bWTjedWkeWIOtYbjJPo6zwUAiXgiKOj2s=,iv:MSgm5HXlb/NtvqHvVmDdwzX5ebipf7UJnmPNFUV9Nzs=,tag:XT4Evu+Sn+t/+EPb+dZ61Q==,type:str] + lastmodified: "2024-05-01T16:50:35Z" + mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] pgp: - created_at: "2024-04-04T18:26:01Z" enc: |- @@ -33,4 +33,4 @@ sops: -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1