feat(macos-remote-bulder): authorize buildbot-nix-0 and enable remote building #163

Merged
merged 4 commits into from
Oct 8, 2024
2 changes: 1 addition & 1 deletion .github/workflows/pr.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [macos-latest, macos-13]
os: [ ]
name: OS
runs-on: ${{ matrix.os }}
permissions:
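Review bot: `os: [ ]` leaves the `os` matrix axis with no values; if that is the new side (the 1/1 counts alone do not say which of the two `os:` lines is added), GitHub Actions, as far as I recall, rejects an empty matrix vector with an error rather than skipping the job, so the `OS` job would fail when the workflow is loaded. If the intent is to stop using hosted macOS runners now that darwin builds happen remotely, removing the `strategy`/`matrix` block together with the job, or listing the runners that remain, is the clearer change. The `jobs:` block this hunk belongs to continues outside the hunk.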
37 changes: 37 additions & 0 deletions modules/flake-parts/apps.ssh-/default.nix
Expand Up @@ -31,9 +31,46 @@
config.apps =
let
configurations = (self.darwinConfigurations // self.nixosConfigurations);

individual = lib.mapAttrs' mkSshApp configurations;

distributers = {
inherit (self.nixosConfigurations) linux-builder-01 buildbot-nix-0;
};
mkBuilderPingCommand =
distributorConfig:
builtins.concatStringsSep ''&& '' (
builtins.map (buildMachineAttrs: ''
(timeout 10s ssh -No StrictHostKeyChecking=accept-new ${buildMachineAttrs.sshUser}@${buildMachineAttrs.hostName} || true) && nix store info --store 'ssh-ng://${buildMachineAttrs.sshUser}@${buildMachineAttrs.hostName}'
'') distributorConfig.config.nix.buildMachines
);

/*
adds one command for every host that has the nix-build-distributor module imported.
this command will accept the host keys of all the configured buildMachines and check whether nix can successfully establish a remote connection.
note that execution takes 10 seconds per buildMachine, because the the key acceptance command hangs indefinitely in the success case.

run for example: `nix run .\#ssh-buildbot-nix-0-ping-builders
*/
distributerNixPingBuilders = lib.mapAttrs' (
attrName: config:
lib.nameValuePair "${prefix}${attrName}-ping-builders" {
type = "app";
program = builtins.toString (
pkgs.writeShellScript "${prefix}${attrName}-ping-builders" ''
exec ${
mkSsh {
inherit attrName;
inherit (config.config) hostName deployUser;
}
} bash -c "${lib.strings.escapeShellArg (mkBuilderPingCommand config)}"
''
);
}
) distributers;
in
individual
// distributerNixPingBuilders
// {
"${prefix}all" = {
type = "app";
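Review bot: The ping command built in `mkBuilderPingCommand` runs ssh with `StrictHostKeyChecking=accept-new`, so whatever host key a build machine presents on first contact is trusted and recorded without any check; for machines whose `nix.buildMachines.*.publicHostKey` is set, the script could seed a known_hosts file from that value and keep strict checking, using `accept-new` only for entries that have no pinned key. `${buildMachineAttrs.sshUser}` is interpolated unconditionally, and as far as I can tell a buildMachine that leaves `sshUser` at its null default would abort evaluation with a coercion error; `${lib.optionalString (buildMachineAttrs.sshUser != null) "${buildMachineAttrs.sshUser}@"}` avoids that. The block comment has a doubled "the the" and the `nix run` example is missing its closing backtick. The `config.apps` let-expression this hunk extends continues past the end of the hunk.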
Expand Up @@ -204,8 +204,8 @@
buildSystems = [
"x86_64-linux"
# "aarch64-linux"
# "x86_64-darwin"
# "aarch64-darwin"
"x86_64-darwin"
"aarch64-darwin"
];
domain = config.passthru.buildbot-nix.appFqdn;
outputsPath = "/var/www/buildbot/nix-outputs/";
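Review bot: `"x86_64-darwin"` and `"aarch64-darwin"` are enabled in `buildSystems` without a comment saying which machine serves them; if these are now built through the remote macOS builder, a one-line comment next to the two entries such as `# built on the remote macOS builder, see modules/nixos/macos-remote-builder.nix` would tell a reader where to look when darwin builds stall. The file header for this section was lost on the page, so the file name is not visible here, and the attribute set the hunk belongs to continues outside it.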
2 changes: 1 addition & 1 deletion modules/nixos/macos-remote-builder.nix
Expand Up @@ -26,7 +26,7 @@
# setup ssh credentials for remote builds
mkdir -p /Users/builder/.ssh/
echo "command=\"${pkgs.flock}/bin/flock -s /nix/var/nix/gc.lock nix-daemon --stdio\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1K1ZYBnf3UqQbln5Z8DLYsXyJo6pRAFISPQ7lJZpoO root@linux-builder-01" > /Users/builder/.ssh/authorized_keys
echo "command=\"${pkgs.flock}/bin/flock -s /nix/var/nix/gc.lock nix-daemon --stdio\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6c6N8EnOvMt2GyS3Gp4akujyCIRKi1cXohf8+cXmKc root@linux-builder-02" >> /Users/builder/.ssh/authorized_keys
echo "command=\"${pkgs.flock}/bin/flock -s /nix/var/nix/gc.lock nix-daemon --stdio\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqhOu9oMwDlfQFRTBKAdCe4IZmcGrrbDABP576Q+BYW root@buildbot-nix-0" >> /Users/builder/.ssh/authorized_keys
chown -R builder:staff /Users/builder/.ssh/
chmod 700 /Users/builder/.ssh/
chmod 400 /Users/builder/.ssh/authorized_keys
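Review bot: The `command=` option on each authorized_keys entry forces the session through `flock … nix-daemon --stdio`, but on its own it still leaves port forwarding, agent forwarding and pty allocation available to that key; prefixing each entry with `restrict,` (`restrict,command=\"…nix-daemon --stdio\" ssh-ed25519 …`) turns those off and should be compatible with nix-daemon, which only needs stdin/stdout. The three `echo` lines differ only in the key and its comment, so rendering them from a list with `lib.concatMapStringsSep "\n" …` would make authorizing or revoking a builder a one-entry change and make it obvious which hosts remain authorized, since one of the two `>>` lines is removed by this commit and the counts alone do not show which. The activation script this hunk sits in continues outside the hunk.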