From dbbcad8b9bd90ff5f2785006fe86533edb4edd5c Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sun, 31 Dec 2023 13:28:24 +1100 Subject: linux-builder: remove trusted user requirement If you set up a signing key for the `linux-builder` and add that as trusted public key on your machine, you won't need to be a trusted user at all. --- modules/nix/linux-builder.nix | 8 -------- 1 file changed, 8 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index da8d791..41fec9d 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -80,14 +80,6 @@ in }; config = mkIf cfg.enable { - assertions = [ { - assertion = config.nix.settings.trusted-users != [ "root" ] || (config.nix.settings.extra-trusted-users or [ ]) != [ ]; - message = '' - Your user or group (@admin) needs to be added to `nix.settings.trusted-users` or `nix.settings.extra-trusted-users` - to use the Linux builder. - ''; - } ]; - system.activationScripts.preActivation.text = '' mkdir -p /var/lib/darwin-builder ''; -- cgit v1.2.3 From def1e23be848848400d1d097d4f044e3c401f9dd Mon Sep 17 00:00:00 2001 From: Weijia Wang <9713184+wegank@users.noreply.github.com> Date: Sun, 14 Apr 2024 23:02:32 +0200 Subject: treewide: remove lib.mdDoc --- modules/nix/linux-builder.nix | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index ecaf686..176d69e 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix 
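Review bot: Removing the assertion leaves the module with no eval-time hint about the privilege the builder needs: a user who is neither listed in `nix.settings.trusted-users` nor has set up the signing key described in the commit message will now only learn this when the daemon refuses the unsigned paths coming back from the builder, which is harder to diagnose than the removed message was. Since the intent is that `trusted-users` (which grants daemon-level privileges) should not be required, the `enable` option description in this file could state both alternatives, e.g. `Using the builder requires either your user to be listed in nix.settings.trusted-users, or a signing key on the builder whose public key is listed in nix.settings.trusted-public-keys.` The `config = mkIf cfg.enable` block that held the assertion continues outside the hunk.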
@@ -33,13 +33,13 @@ in ]; options.nix.linux-builder = { - enable = mkEnableOption (lib.mdDoc "Linux builder"); + enable = mkEnableOption "Linux builder"; package = mkOption { type = types.package; default = pkgs.darwin.linux-builder; defaultText = "pkgs.darwin.linux-builder"; - description = lib.mdDoc '' + description = '' This option specifies the Linux builder to use. ''; }; @@ -54,7 +54,7 @@ in environment.systemPackages = [ pkgs.neovim ]; }) ''; - description = lib.mdDoc '' + description = '' This option specifies extra NixOS configuration for the builder. You should first use the Linux builder without changing the builder configuration otherwise you may not be able to build the Linux builder. ''; @@ -65,7 +65,7 @@ in default = []; defaultText = literalExpression ''[]''; example = literalExpression ''[ "big-parallel" ]''; - description = lib.mdDoc '' + description = '' A list of features mandatory for the Linux builder. The builder will be ignored for derivations that don't require all features in this list. All mandatory features are automatically included in @@ -79,7 +79,7 @@ in type = types.ints.positive; default = 1; example = 4; - description = lib.mdDoc '' + description = '' The number of concurrent jobs the Linux builder machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build @@ -94,7 +94,7 @@ in default = "ssh-ng"; defaultText = literalExpression ''"ssh-ng"''; example = literalExpression ''"ssh"''; - description = lib.mdDoc '' + description = '' The protocol used for communicating with the build machine. Use `ssh-ng` if your remote builder and your local Nix version support that improved protocol. 
@@ -108,7 +108,7 @@ in type = types.ints.positive; default = 1; defaultText = literalExpression ''1''; - description = lib.mdDoc '' + description = '' The relative speed of the Linux builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster. @@ -122,7 +122,7 @@ in default = [ "kvm" "benchmark" "big-parallel" ]; defaultText = literalExpression ''[ "kvm" "benchmark" "big-parallel" ]''; example = literalExpression ''[ "kvm" "big-parallel" ]''; - description = lib.mdDoc '' + description = '' A list of features supported by the Linux builder. The builder will be ignored for derivations that require features not in this list. @@ -141,7 +141,7 @@ in "aarch64-linux" ] ''; - description = lib.mdDoc '' + description = '' This option specifies system types the build machine can execute derivations on. This sets the corresponding `nix.buildMachines.*.systems` option. @@ -152,18 +152,18 @@ in workingDirectory = mkOption { type = types.str; default = "/var/lib/darwin-builder"; - description = lib.mdDoc '' + description = '' The working directory of the Linux builder daemon process. ''; }; - ephemeral = mkEnableOption (lib.mdDoc '' + ephemeral = mkEnableOption '' wipe the builder's filesystem on every restart. This is disabled by default as maintaining the builder's Nix Store reduces rebuilds. You can enable this if you don't want your builder to accumulate state. - ''); + ''; }; config = mkIf cfg.enable { -- cgit v1.2.3 From d21ba5a4871f02c50efc2de0ae61b749a6318a10 Mon Sep 17 00:00:00 2001 
From: Nick Novitski Date: Wed, 12 Jun 2024 18:41:49 -0700 Subject: linux-builder: make compatible with cross-arch builder package Before this commit, aarch64 users building the following configuration would end up with an aarch64-linux builder, while after it, they get the x86_64-linux builder they expect: ```nix nix.linux-builder = { enable = true; package = pkgs.darwin.linux-builder-x86_64; }; ``` Before, in order to get an x86_64-linux builder, they would have needed to use this configuration instead: ```nix nix.linux-builder = { enable = true; config.nixpkgs.hostPlatform = "x86_64-linux"; systems = ["x86_64-linux"]; }; ``` The reason for this is that the linux-builder module calls `override` on the package option, and the `linux-builder-x86_64` package is also defined using override: ```nix linux-builder-x86_64 = linux-builder.override { modules = [ { nixpkgs.hostPlatform = "x86_64-linux"; } ]; }; ``` The module was effectively discarding the `nixpkgs.hostPlatform` option. Example issue: https://github.com/NixOS/nixpkgs/issues/313784 --- modules/nix/linux-builder.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 176d69e..b0c3cd6 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -7,9 +7,11 @@ let cfg = config.nix.linux-builder; - builderWithOverrides = cfg.package.override { - modules = [ cfg.config ]; - }; + builderWithOverrides = cfg.package.override (previousArguments: { + # the linux-builder packages require a list `modules` argument, so it's + # always non-null. + modules = previousArguments.modules ++ [ cfg.config ]; + }); # create-builder uses TMPDIR to share files with the builder, notably certs. # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days. 
@@ -133,8 +135,10 @@ in systems = mkOption { type = types.listOf types.str; - default = [ "${stdenv.hostPlatform.uname.processor}-linux" ]; - defaultText = literalExpression ''[ "''${stdenv.hostPlatform.uname.processor}-linux" ]''; + default = [ builderWithOverrides.nixosConfig.nixpkgs.hostPlatform.system ]; + defaultText = '' + The `nixpkgs.hostPlatform.system` of the build machine's final NixOS configuration. + ''; example = literalExpression '' [ "x86_64-linux" -- cgit v1.2.3 From b34d1bee4875ad7dbb2f030c451e07fb27ef67ca Mon Sep 17 00:00:00 2001 From: Thane Gill Date: Tue, 9 Jul 2024 13:13:37 -0700 Subject: Add `User` and already generated `IdentityFile` to ssh_config for `nix.linux-builder` --- modules/nix/linux-builder.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 67284b2..571ce28 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -192,9 +192,11 @@ in environment.etc."ssh/ssh_config.d/100-linux-builder.conf".text = '' Host linux-builder + User builder Hostname localhost HostKeyAlias linux-builder Port 31022 + IdentityFile ${cfg.workingDirectory}/keys/builder_ed25519 ''; nix.distributedBuilds = true; -- cgit v1.2.3 From 395e4d3794465f7d68b588c1bd7f5f357e88d8d2 Mon Sep 17 00:00:00 2001 From: Thane Gill Date: Fri, 12 Jul 2024 09:50:57 -0700 Subject: Update modules/nix/linux-builder.nix Co-authored-by: Michael Hoang --- modules/nix/linux-builder.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 571ce28..9edfed6 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix 
@@ -196,7 +196,7 @@ in Hostname localhost HostKeyAlias linux-builder Port 31022 - IdentityFile ${cfg.workingDirectory}/keys/builder_ed25519 + IdentityFile /etc/nix/builder_ed25519 ''; nix.distributedBuilds = true; -- cgit v1.2.3 From e1b6f307ecfa88e9759646b22c8b9ece580e1b78 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 5 Sep 2024 13:44:17 +1000 Subject: linux-builder: make `package.nixosConfig` accurate --- modules/nix/linux-builder.nix | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 9edfed6..9756fe4 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -3,16 +3,8 @@ with lib; let - inherit (pkgs) stdenv; - cfg = config.nix.linux-builder; - builderWithOverrides = cfg.package.override (previousArguments: { - # the linux-builder packages require a list `modules` argument, so it's - # always non-null. - modules = previousArguments.modules ++ [ cfg.config ]; - }); - # create-builder uses TMPDIR to share files with the builder, notably certs. # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days. # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish. @@ -23,9 +15,9 @@ let mkdir -p $TMPDIR trap "rm -rf $TMPDIR" EXIT ${lib.optionalString cfg.ephemeral '' - rm -f ${cfg.workingDirectory}/${builderWithOverrides.nixosConfig.networking.hostName}.qcow2 + rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2 ''} - ${builderWithOverrides}/bin/create-builder + ${cfg.package}/bin/create-builder ''; in 
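Review bot: The new `IdentityFile /etc/nix/builder_ed25519` is a fixed path tied to no option in this module, and unlike the replaced `${cfg.workingDirectory}/keys/builder_ed25519` form it gives the reader no hint which step places the key there; a comment inside the config text such as `# private key written by the builder setup step (outside this module); keep it readable by root only` would make that traceable, hedged because the step that creates the key is not visible here. Because the file lives under `/etc/ssh/ssh_config.d`, this `Host linux-builder` block applies to every user's ssh invocation, so if the key is presumably root-only, non-root users running `ssh linux-builder` will get an unreadable-identity error rather than a clean failure; worth stating in that comment. The `Host` line and the `User builder` entry of this block sit before the hunk.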
@@ -41,6 +33,11 @@ in type = types.package; default = pkgs.darwin.linux-builder; defaultText = "pkgs.darwin.linux-builder"; + apply = pkg: pkg.override (old: { + # the linux-builder package requires `modules` as an argument, so it's + # always non-null. + modules = old.modules ++ [ cfg.config ]; + }); description = '' This option specifies the Linux builder to use. ''; @@ -135,7 +132,7 @@ in systems = mkOption { type = types.listOf types.str; - default = [ builderWithOverrides.nixosConfig.nixpkgs.hostPlatform.system ]; + default = [ cfg.package.nixosConfig.nixpkgs.hostPlatform.system ]; defaultText = '' The `nixpkgs.hostPlatform.system` of the build machine's final NixOS configuration. ''; -- cgit v1.2.3 From 034c45dd0cac806b527e64c143020676e1070769 Mon Sep 17 00:00:00 2001 
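Review bot: The new `apply` on `package` assumes every value a user assigns has an `override` that accepts a `modules` list; the inline comment records this, but the option description still reads only `This option specifies the Linux builder to use.`, so a package without that argument now fails inside `apply` with an error naming neither the option nor the requirement. The description should state the contract, e.g. `This must be a linux-builder derivation whose override accepts a modules list (pkgs.darwin.linux-builder or a variant of it); nix.linux-builder.config is appended to that list.` It is also worth saying there that every `cfg.package` read elsewhere in this file (the `systems` default in the second hunk, the `create-builder` call in the let binding) now sees the post-apply package, since that is what the commit title means by making `package.nixosConfig` accurate.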
From: will Date: Sat, 31 Aug 2024 18:27:10 +1000 Subject: feat: use wait4path with script launchd option addresses https://github.com/LnL7/nix-darwin/issues/1043 fix: use exec in launchd daemon config fix: dont use a script thats in the nix store fix: remove manual wait4path in linux-builder fix: remove manual wait4path in karabiner elements fix: remove manual wait4path in nix-daemon fix: remove manual wait4path in nix-optimise fix: remove manual wait4path in tailscaled fix: autossh test Revert "fix: remove manual wait4path in nix-daemon" This reverts commit 6aec084fa5d095666e81676e78f7054c83703faa. fix: remove bad exec Reapply "fix: remove manual wait4path in nix-daemon" This reverts commit c8f136ecc555f803124af471324bc6ed1163d6dd. fix: update autossh test to reflect changes in f86e6133d957becb1958da638516b0860fbd7491 fix: services-activate-system-changed-label-prefix test fix: services-buildkite-agent test fix: services-activate-system test fix: escape ampersand fix: services-lorri test fix: services-nix-optimise test fix: services-nix-gc test refactor: use script rather than command in daemon fix: use config.command for clarity style: fix indentation fix: use lib.getExe rather than directly pointing to file revert: a87fc7bbbbdb7c25c5ad6721c93990ea035affdd - mistaken refactor meant that service waited for nix store and not the relevant path --- modules/nix/linux-builder.nix | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 9756fe4..2bcb62e 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix 
@@ -4,21 +4,6 @@ with lib; let cfg = config.nix.linux-builder; - - # create-builder uses TMPDIR to share files with the builder, notably certs. - # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days. - # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish. - # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves. - script = pkgs.writeShellScript "linux-builder-start" '' - export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1 - rm -rf $TMPDIR - mkdir -p $TMPDIR - trap "rm -rf $TMPDIR" EXIT - ${lib.optionalString cfg.ephemeral '' - rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2 - ''} - ${cfg.package}/bin/create-builder - ''; in { @@ -176,11 +161,23 @@ in environment = { inherit (config.environment.variables) NIX_SSL_CERT_FILE; }; + + # create-builder uses TMPDIR to share files with the builder, notably certs. + # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days. + # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish. + # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves. + script = '' + export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1 + rm -rf $TMPDIR + mkdir -p $TMPDIR + trap "rm -rf $TMPDIR" EXIT + ${lib.optionalString cfg.ephemeral '' + rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2 + ''} + ${cfg.package}/bin/create-builder + ''; + serviceConfig = { - ProgramArguments = [ - "/bin/sh" "-c" - "/bin/wait4path /nix/store && exec ${script}" - ]; KeepAlive = true; RunAtLoad = true; WorkingDirectory = cfg.workingDirectory; -- cgit v1.2.3 From 70957ab0c6a37fe72d21e1a2c273189a05c3670c Mon Sep 17 00:00:00 2001 
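Review bot: The `rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2` line in the new `script` is unquoted, so a working directory or host name containing whitespace or glob characters is word-split before `rm` sees it; it should read `rm -f "${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2"`. The same holds for `$TMPDIR` in the `rm -rf`, `mkdir -p` and `trap` lines, though that value is fixed within the script. The removed `ProgramArguments` explicitly ran `/bin/wait4path /nix/store` and `exec`; the new version relies on the `script` option's wrapper for both, which cannot be confirmed from this file, so a one-line comment above `script` stating that the wrapper waits for the Nix store would spare the next reader the same question. The launchd service attribute set that holds `script` begins before the hunk.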
From: Michael Hoang Date: Thu, 28 Nov 2024 14:14:25 +1100 Subject: linux-builder: default `maxJobs` to amount of cores for Linux builder --- modules/nix/linux-builder.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'modules/nix/linux-builder.nix') diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 2bcb62e..ae39547 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -61,9 +61,16 @@ in maxJobs = mkOption { type = types.ints.positive; - default = 1; - example = 4; + default = cfg.package.nixosConfig.virtualisation.cores; + defaultText = '' + The `virtualisation.cores` of the build machine's final NixOS configuration. + ''; + example = 2; description = '' + Instead of setting this directly, you should set + {option}`nix.linux-builder.config.virtualisation.cores` to configure + the amount of cores the Linux builder should have. + The number of concurrent jobs the Linux builder machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build -- cgit v1.2.3
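Review bot: The added paragraph puts the advice (`Instead of setting this directly, ...`) before the sentence that defines the option, so the rendered documentation for `maxJobs` no longer opens with what the option is; keep `The number of concurrent jobs the Linux builder machine supports.` as the first sentence and make the `virtualisation.cores` guidance a second paragraph. Within that guidance, `the amount of cores` should be `the number of cores`. The new default also makes `maxJobs` depend on evaluating `cfg.package.nixosConfig`, as `systems` already does, which is consistent but could be mentioned in the description so users know why evaluation of the builder configuration is triggered by this option.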