install-nix-action

`with` Support for appending to `/etc/nix/machines`

Open Profpatsch opened this issue 4 years ago • 3 comments

It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines. That way it becomes trivial to set up a build server instead of stealing minutes from the Github builders.

For example in my nixos config I have:

```nix
nix.buildMachines = [
  # access to the nix-community aarch64 build box
  {
    hostName = "aarch64.nixos.community";
    maxJobs = 64;
    sshKey = "/root/aarch64-build-box/ssh-key";
    sshUser = "Profpatsch";
    system = "aarch64-linux";
    supportedFeatures = [ "big-parallel" ];
  }
];
```

which creates the following line in /etc/nix/machines:

```text
Profpatsch@aarch64.nixos.community aarch64-linux /root/aarch64-build-box/ssh-key 64 1 big-parallel
```

And now nix will use the nixos community aarch builder for my "aarch64-linux" derivations.

We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning, that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

Profpatsch avatar Jun 01 '21 08:06 Profpatsch

> It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines.

Agreed :) Could you propose how it would work?

> That way it becomes trivial to set up a build server instead of stealing minutes from the Github builders.

It would still take minutes from GHA, but it would be a lot faster?

> We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning, that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

:+1:

domenkozar avatar Jun 01 '21 09:06 domenkozar

> Agreed :) Could you propose how it would work?

Ideally something like

```yaml
with:
  builders:
    - hostName: "aarch64.nixos.community"
      maxJobs: 64
      sshKey: "/root/aarch64-build-box/ssh-key"
      sshUser: "Profpatsch"
      system: "aarch64-linux"
      supportedFeatures: [ "big-parallel" ]
    - …
```

To translate the example from above.

Profpatsch avatar Jun 01 '21 09:06 Profpatsch
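The translation that both the NixOS config earlier in the thread and the proposed `with: builders:` list describe (structured builder attributes to one whitespace-separated `/etc/nix/machines` line), as an added example; this is not code from the thread or from install-nix-action. It uses the `nix.buildMachines` attribute names, writes empty trailing columns as `-` (which Nix reads as unset, where the NixOS module leaves them blank), and rejects any field containing whitespace, because the machines file is split on whitespace and a stray space or newline in a host name or feature would be read as extra columns or an extra builder entry. The function names and the `SAMPLE_BUILDERS` input are constructed for this example.

```python
"""Render /etc/nix/machines lines from a structured builder list.

Added example for this thread, not part of install-nix-action. Input uses the
nix.buildMachines attribute names (hostName, sshUser, system/systems, sshKey,
maxJobs, speedFactor, supportedFeatures, mandatoryFeatures, publicHostKey).
"""
from __future__ import annotations

from typing import Any


def _field(value: str, name: str) -> str:
    # Nix splits each machines line on whitespace, so a value containing a
    # space would become extra columns and a newline would start a second
    # machine entry. Refuse such values instead of writing a different config.
    if not value:
        return "-"  # "-" means "unset" to Nix for every column
    if any(ch.isspace() for ch in value):
        raise ValueError(f"{name} must not contain whitespace: {value!r}")
    return value


def render_machine(builder: dict[str, Any]) -> str:
    """Translate one structured builder into one /etc/nix/machines line.

    Column order (fixed by Nix): uri systems sshKey maxJobs speedFactor
    supportedFeatures mandatoryFeatures publicHostKey.
    """
    host = _field(builder["hostName"], "hostName")
    user = builder.get("sshUser")
    uri = f"{_field(user, 'sshUser')}@{host}" if user else host

    systems = builder.get("systems") or [builder["system"]]
    max_jobs = int(builder.get("maxJobs", 1))
    speed = int(builder.get("speedFactor", 1))
    if max_jobs < 1 or speed < 1:
        raise ValueError("maxJobs and speedFactor must be positive")

    def joined(key: str) -> str:
        # Comma-separated list column; every item is validated on its own.
        items = builder.get(key) or []
        return _field(",".join(_field(item, key) for item in items), key)

    return " ".join([
        uri,
        _field(",".join(_field(s, "system") for s in systems), "systems"),
        _field(builder.get("sshKey", ""), "sshKey"),
        str(max_jobs),
        str(speed),
        joined("supportedFeatures"),
        joined("mandatoryFeatures"),
        _field(builder.get("publicHostKey", ""), "publicHostKey"),
    ])


def render_machines(builders: list[dict[str, Any]]) -> str:
    """Whole file content: one line per builder, each newline-terminated."""
    return "".join(render_machine(b) + "\n" for b in builders)


def is_valid_builder(builder: dict[str, Any]) -> bool:
    """True when the builder renders to a well-formed machines line."""
    try:
        render_machine(builder)
    except (ValueError, KeyError):
        return False
    return True


# Constructed sample input: the builder from the thread, as the proposed
# `with: builders:` list would look after YAML parsing.
SAMPLE_BUILDERS = [
    {
        "hostName": "aarch64.nixos.community",
        "maxJobs": 64,
        "sshKey": "/root/aarch64-build-box/ssh-key",
        "sshUser": "Profpatsch",
        "system": "aarch64-linux",
        "supportedFeatures": ["big-parallel"],
    },
]

if __name__ == "__main__":
    print(render_machines(SAMPLE_BUILDERS), end="")
```

Run directly, it prints the file content for the sample builder. On a CI runner that output would still have to be appended to `/etc/nix/machines` (root-owned), and the private key referenced by `sshKey` placed on disk separately, which is the second input the thread asks for.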

> It would still take minutes from GHA, but it would be a lot faster?

Definitely, it also frees us up to use any cheap hosting offer, e.g. with 128 cores which can be helpful for fast CI times with nix builds that e.g. bump nixpkgs.

Profpatsch avatar Jun 01 '21 09:06 Profpatsch