1 files changed, 48 insertions, 49 deletions
diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix
index ecaf686..ae39547 100644
--- a/modules/nix/linux-builder.nix
+++ b/modules/nix/linux-builder.nix
@@ -3,28 +3,7 @@
 with lib;
 
 let
-  inherit (pkgs) stdenv;
-
   cfg = config.nix.linux-builder;
-
-  builderWithOverrides = cfg.package.override {
-    modules = [ cfg.config ];
-  };
-
-  # create-builder uses TMPDIR to share files with the builder, notably certs.
-  # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
-  # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
-  # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves.
-  script = pkgs.writeShellScript "linux-builder-start" ''
-    export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1
-    rm -rf $TMPDIR
-    mkdir -p $TMPDIR
-    trap "rm -rf $TMPDIR" EXIT
-    ${lib.optionalString cfg.ephemeral ''
-      rm -f ${cfg.workingDirectory}/${builderWithOverrides.nixosConfig.networking.hostName}.qcow2
-    ''}
-    ${builderWithOverrides}/bin/create-builder
-  '';
 in
 
 {
@@ -33,13 +12,18 @@ in
   ];
 
   options.nix.linux-builder = {
-    enable = mkEnableOption (lib.mdDoc "Linux builder");
+    enable = mkEnableOption "Linux builder";
 
     package = mkOption {
       type = types.package;
       default = pkgs.darwin.linux-builder;
       defaultText = "pkgs.darwin.linux-builder";
-      description = lib.mdDoc ''
+      apply = pkg: pkg.override (old: {
+        # the linux-builder package requires `modules` as an argument, so it's
+        # always non-null.
+        modules = old.modules ++ [ cfg.config ];
+      });
+      description = ''
         This option specifies the Linux builder to use.
       '';
     };
@@ -54,7 +38,7 @@ in
           environment.systemPackages = [ pkgs.neovim ];
         })
       '';
-      description = lib.mdDoc ''
+      description = ''
         This option specifies extra NixOS configuration for the builder. You should first use the Linux builder
         without changing the builder configuration otherwise you may not be able to build the Linux builder.
       '';
@@ -65,7 +49,7 @@ in
       default = [];
       defaultText = literalExpression ''[]'';
       example = literalExpression ''[ "big-parallel" ]'';
-      description = lib.mdDoc ''
+      description = ''
         A list of features mandatory for the Linux builder. The builder will
         be ignored for derivations that don't require all features in
         this list. All mandatory features are automatically included in
@@ -77,9 +61,16 @@ in
 
     maxJobs = mkOption {
       type = types.ints.positive;
-      default = 1;
-      example = 4;
-      description = lib.mdDoc ''
+      default = cfg.package.nixosConfig.virtualisation.cores;
+      defaultText = ''
+        The `virtualisation.cores` of the build machine's final NixOS configuration.
+      '';
+      example = 2;
+      description = ''
+        Instead of setting this directly, you should set
+        {option}`nix.linux-builder.config.virtualisation.cores` to configure
+        the amount of cores the Linux builder should have.
+
         The number of concurrent jobs the Linux builder machine supports. The
         build machine will enforce its own limits, but this allows hydra
         to schedule better since there is no work-stealing between build
@@ -94,7 +85,7 @@ in
       default = "ssh-ng";
       defaultText = literalExpression ''"ssh-ng"'';
       example = literalExpression ''"ssh"'';
-      description = lib.mdDoc ''
+      description = ''
         The protocol used for communicating with the build machine.  Use
         `ssh-ng` if your remote builder and your local Nix version support that
         improved protocol.
@@ -108,7 +99,7 @@ in
       type = types.ints.positive;
       default = 1;
       defaultText = literalExpression ''1'';
-      description = lib.mdDoc ''
+      description = ''
         The relative speed of the Linux builder. This is an arbitrary integer
         that indicates the speed of this builder, relative to other
         builders. Higher is faster.
@@ -122,7 +113,7 @@ in
       default = [ "kvm" "benchmark" "big-parallel" ];
       defaultText = literalExpression ''[ "kvm" "benchmark" "big-parallel" ]'';
       example = literalExpression ''[ "kvm" "big-parallel" ]'';
-      description = lib.mdDoc ''
+      description = ''
         A list of features supported by the Linux builder. The builder will
         be ignored for derivations that require features not in this
         list.
@@ -133,15 +124,17 @@ in
 
     systems = mkOption {
       type = types.listOf types.str;
-      default = [ "${stdenv.hostPlatform.uname.processor}-linux" ];
-      defaultText = literalExpression ''[ "''${stdenv.hostPlatform.uname.processor}-linux" ]'';
+      default = [ cfg.package.nixosConfig.nixpkgs.hostPlatform.system ];
+      defaultText = ''
+        The `nixpkgs.hostPlatform.system` of the build machine's final NixOS configuration.
+      '';
       example = literalExpression ''
         [
           "x86_64-linux"
           "aarch64-linux"
         ]
       '';
-      description = lib.mdDoc ''
+      description = ''
         This option specifies system types the build machine can execute derivations on.
 
         This sets the corresponding `nix.buildMachines.*.systems` option.
@@ -152,29 +145,21 @@ in
     workingDirectory = mkOption {
       type = types.str;
       default = "/var/lib/darwin-builder";
-      description = lib.mdDoc ''
+      description = ''
         The working directory of the Linux builder daemon process.
       '';
     };
 
-    ephemeral = mkEnableOption (lib.mdDoc ''
+    ephemeral = mkEnableOption ''
       wipe the builder's filesystem on every restart.
 
       This is disabled by default as maintaining the builder's Nix Store reduces
       rebuilds. You can enable this if you don't want your builder to accumulate
       state.
-    '');
+    '';
   };
 
   config = mkIf cfg.enable {
-    assertions = [ {
-      assertion = config.nix.settings.trusted-users != [ "root" ] || (config.nix.settings.extra-trusted-users or [ ]) != [ ];
-      message = ''
-        Your user or group (@admin) needs to be added to `nix.settings.trusted-users` or `nix.settings.extra-trusted-users`
-        to use the Linux builder.
-      '';
-    } ];
-
     system.activationScripts.preActivation.text = ''
       mkdir -p ${cfg.workingDirectory}
     '';
@@ -183,11 +168,23 @@ in
       environment = {
         inherit (config.environment.variables) NIX_SSL_CERT_FILE;
       };
+
+      # create-builder uses TMPDIR to share files with the builder, notably certs.
+      # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
+      # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
+      # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves.
+      script = ''
+        export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1
+        rm -rf $TMPDIR
+        mkdir -p $TMPDIR
+        trap "rm -rf $TMPDIR" EXIT
+        ${lib.optionalString cfg.ephemeral ''
+          rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2
+        ''}
+        ${cfg.package}/bin/create-builder
+      '';
+
       serviceConfig = {
-        ProgramArguments = [
-          "/bin/sh" "-c"
-          "/bin/wait4path /nix/store &amp;&amp; exec ${script}"
-        ];
         KeepAlive = true;
         RunAtLoad = true;
         WorkingDirectory = cfg.workingDirectory;
@@ -196,9 +193,11 @@ in
 
     environment.etc."ssh/ssh_config.d/100-linux-builder.conf".text = ''
       Host linux-builder
+        User builder
         Hostname localhost
         HostKeyAlias linux-builder
         Port 31022
+        IdentityFile /etc/nix/builder_ed25519
     '';
 
     nix.distributedBuilds = true;