imp: add local host builder

johnalotoski · johnalotoski · commit 42af336c5a79 · 2022-12-22T19:48:15.000-06:00
diff --git a/nix/metal/bitteProfile/default.nix b/nix/metal/bitteProfile/default.nix
@@ -85,7 +85,8 @@ in {
                   path = "/nix";
                   read_only = false;
                 };
-              });
+              })
+              ++ lib.optional (node_class == "test") ./local-builder.nix;
           }
           extraConfig;
         # -------------------------
diff --git a/nix/metal/bitteProfile/encrypted/darwin-builder-key b/nix/metal/bitteProfile/encrypted/darwin-builder-key
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:UKgpYfSqP8o/ZDN+2tZHpneV2nGkbfiqGE/mERPdYtVymsO+NJ8HFSbFIkCp93QL8FuaZsma+ZWHreqr9hJ3xzbRxBtBjojKKl/T4gA15pqMYs1nbUQOjITWsGShjv2deyhYiEslOSvb8n/bDw5RN/U7/4Y1K7eFIMN88q4/cJqYDDqmdFI/IAjVIXdc72813kZgWARTYd91yTk6GP4sHTZlwSf9M0SGzz/hBN9NTP+tAP6K4BAkfIIlM3vcxE+WvgcPeiRQemy06s7/gYyIlSuaxL1gCfh0DatY00xLGIGCfhiM6zMegFJJ7DbB2XThV+oRDzyNAvgku/Jjrur5K1YFS05VR5IaHAUkK9DdvvEXYizLvOsLzI/FDlGCQFAd3hdgiO7nChO7vardYzQ753m84XgQxGXj4qDfZ2UkrjPAXtzXS8smRZIBtgxnRooE4hgPXXv+oLl1zRnolu29J9Eza0pvIDwHqEPaCXNDkHvnc+mQtZTgqgX2jEbbA9MPxUhSErGkioVDubahiNpaRcMejhFiSJddw8GjpyDnWQpuae37725IxxnnH/f/9tzGjq8lnr9NwoCa0bwJjLrjS3Ry4aN3lcspTxVorhTvtazsqj8pyUJneTShIg14Nd7nphRDYXRg+oN9O6nLunmhzax6NikeWn7XVz7S6e4wUkU3zsPCCAcLDiw4MUDG3LI45bZLi1UHISBEGprXjY128mPBNAZ33L9stva9LCwZeEGsZIxA/MUpGs7bMI1IFN1kGXANIvdPxt+dK4RqKN7nyv7tmjK2gOFKHU0uNoP2wjKUasacKl/JQpCYIVmZIBqWgNFzijHcJzeR0FLuDSFPDoUeKP95nu7oh3RloC6mUrzf4DbUSGGsVGdAbrhbCjgJUb4/NVTbnOH8Z1JRSkrE+h5cJjEbooj7CMU1Va8UDyoEXIrJ72X5hqS+TcplKL45C1quzXfsxyZ+qH4bCL7f+SVNakWbjP0OUbW8x/VUJbdi2+jERvcYw3+DKZHAeDj/l1O+k+r7rYS2pOyPF2h60I59M0nUsEAlFIoKxm46C6gCQdTvCjsi8FGIvmP6GMfJsZ6ZkfOCfxR272+uLlmaPkGdTC9QEe9ajyl7fdmd5HX1ZfpzOwRvmnv6+qENm79HH07wE6YQDQ0Z7mSehY0JZ40L7fcHaCGr0HRQcKHXIXMi2gBKxisNmJSASevLo/9L9R3LtzXksIH3S9HJ1Nbfd/NpIK0nu2dZ6ZVmL6sQoQQBV1x2JCZbMoFUzpiuu9OWGfoIWUbo7pbZ6Zolura14JRXzUiZ+6JE6CWixnT3LQgyjP/MwHuKgqXby0pcZaCDn1sV2j/5Cg5XNhtWGpUimbi2JzKrgB9BGllJF2TYS9ArjCb/EfchadgVfAQwueaaTv1vA72eOzjxYSwIc1QW5D/OFe9X6L2IXJB5Z20jotRgv6FYKc4S7zmrOh3eFX7QwKhVewQwq7B1AtOZnVKENpkuug1/csVGziAA6RpWYJWENYp/S9TLbwgqRNAaVFmii2e+6Z22hOnOBGFdOpw1jLwpWjqhSYDkADtOJwf7RGNBXXxfAmYSqkGw2O9+YalmeP6v1dyE+GVKS4WQwPfaSfyTUFfy+gJM8lMczQKlxazGdO1Cu6nCr2GkaFrUj5nQtxDcGygG6HuKQQOD58Y/CIk1gbkJB6x8up1ml9QPB/b++BGMXgcUo26Grmqy+xeJ7ttieEe8Un4q7ZzqgzBdX3OBjL9Pi6fv/v7XseEpEp5ZiP0v2s1UhVKk4R4/xZKIYirr5hRaW2GHgFoJQmU1UwcfLUi31dMNMDXPDiw/KdpvhetvhSGJ+9joq6G+aJ8mLbeOiSLBcsT+/7qFSO/5sasRRNP+1u1hUTU03XetAI0MXXdHyFyILDlaisJ1jJDaiv2cRpUpVAHlJCyYLHZ3KUT5wqLTsvXlK04eky0xdKMpaFQUoHu3pvvYlj9bufnKGGHUwXaBM/IrJ6fbQWcR2ANP/xaqjr+ad1qnbzyGzmTfgLdJX6TNuPWoRWZ01qURAiZ7DWE8fy9mKqJw+WTzlHB7uBOTAprgpR6sMISKbAj0dC+lKGAoAPL9RSnb7q89w+mexkdtJrqmSOILza7BC/uWq+fPUik1h5YPC/5y3QX4+b7Bg0AWdG1r0JOIabxJKJPMtwnrcvt2OiHZcc/5UbTkXpigMitRMPr/zlxWW57ooX1szoRoMVGTCjAeEAM=,iv:ATdkh020l3ShINzlBggMUFEvb3CATzU4kzmaE6NzTXw=,tag:jRpl20QAz/BfVNF9p0pISw==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:eu-central-1:074718059002:key/5bb7cc1b-151c-4841-bcb3-622bc8df4b5a",
+				"created_at": "2022-12-22T22:40:39Z",
+				"enc": "AQICAHg3OCn+/PAIR22bdMZmmm7xlk3KpM4n+haJ8Ph2IaYRgwGKikN93Yo9D8a5td4E4sENAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMHotHxAKzVt6+5ib/AgEQgDvkL7ZLqkgHKfdaJCEZl9pzHqfyKhd8I7htfyrWiEICh0yGa/iep8hK+RNNRDaem2RuH7RGfkWHEBIoGg==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-22T22:40:39Z",
+		"mac": "ENC[AES256_GCM,data:JTR431RbhtOB0kQmQorGBGaz2owGD2PUQNEmWyS28JcAkrYnB7Vf695n0zIQUKoAOACUQeGO3C1u+fvpnGuSuDhgmxi63r1pquL+iHyJn2Gqya62QMj43imN7ohUSBIzIETJtC+U1xU9UcIv12Jg2VqLNZVjQaublZoFtQTUenE=,iv:eTWgb/Yq95GuHNrZxCF6aTbTPmloeVjrtRNK7jKSscs=,tag:ox5Ka8Km69Xia53E3ABvXQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
diff --git a/nix/metal/bitteProfile/local-builder.nix b/nix/metal/bitteProfile/local-builder.nix
@@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  profiles.auxiliaries.builder.enable = false;
+
+  nix = {
+    buildMachines = let
+      mkDarwinBuilder = name: mandatoryFeatures: {
+        inherit mandatoryFeatures;
+        hostName = name;
+        maxJobs = 4;
+        speedFactor = 1;
+        sshKey = "/etc/nix/darwin-builder-key";
+        sshUser = "builder";
+        systems = ["x86_64-darwin"];
+        supportedFeatures = ["big-parallel"];
+      };
+    in [
+      (mkDarwinBuilder "mm1-builder" [])
+      (mkDarwinBuilder "mm2-builder" [])
+      (mkDarwinBuilder "mm1-signer" ["signer"])
+      (mkDarwinBuilder "mm2-signer" ["signer"])
+    ];
+
+    distributedBuilds = true;
+
+    trustedUsers = ["root" "builder"];
+
+    extraOptions = ''
+      builders = @/etc/nix/machines
+
+      # Constrain Linux builds to 4 hrs
+      timeout = 14400
+
+      connect-timeout = 10
+    '';
+  };
+
+  programs.ssh.extraConfig = let
+    mkDarwinBuilderSsh = name: ip: ''
+      Host ${name}
+        Hostname ${ip}
+        Port 22
+        PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
+        IdentityFile /etc/nix/darwin-builder-key
+        StrictHostKeyChecking accept-new
+        ControlMaster auto
+        ControlPath ~/.ssh/master-%r@%n:%p
+        ControlPersist 1m
+    '';
+  in
+    builtins.concatStringsSep "\n" [
+      (mkDarwinBuilderSsh "mm1-builder" "10.10.0.1")
+      (mkDarwinBuilderSsh "mm2-builder" "10.10.0.2")
+      (mkDarwinBuilderSsh "mm1-signer" "10.10.0.101")
+      (mkDarwinBuilderSsh "mm2-signer" "10.10.0.102")
+    ];
+
+  secrets.install.darwin-secret-key = {
+    inputType = "binary";
+    outputType = "binary";
+    source = config.secrets.encryptedRoot + "/darwin-builder-key";
+    target = "/etc/nix/darwin-builder-key";
+    script = ''
+      chmod 0600 /etc/nix/darwin-builder-key
+    '';
+  };
+}
