modules/nixos/traits/mac-builder.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

{
  config,
  lib,
  secretsDir,
  ...
}:
let
  cfg = config.traits.mac-builder;
in
{
  options.traits.mac-builder = {
    enable = lib.mkEnableOption "macOS remote builders";
    manageSecrets = lib.mkEnableOption "managing SSH keys for builders" // {
      default = true;
    };
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        nix = {
          buildMachines = [
            (lib.mkMerge [
              {
                hostName = "mini.scrumplex.net";
                maxJobs = 8;
                publicHostKey = "IyBtaW5pLnNjcnVtcGxleC5uZXQ6MjIgU1NILTIuMC1PcGVuU1NIXzkuOAptaW5pLnNjcnVtcGxleC5uZXQgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9DV1lXL29TbW5GYU1sOGQ0eHNjaGhxNkNKZkdjQ1M4djhLYkErb0dmQ3IK";
                sshUser = "bob-the-builder";
                supportedFeatures = [
                  "nixos-test"
                  "benchmark"
                  "big-parallel"
                  "apple-virt"
                ];
                systems = [
                  "aarch64-darwin"
                  "x86_64-darwin"
                ];
              }

              (lib.mkIf cfg.manageSecrets {
                sshKey = config.age.secrets.macstadium.path;
              })
            ])
          ];

          distributedBuilds = true;

          settings = {
            builders-use-substitutes = true;
          };
        };
      }

      (lib.mkIf cfg.manageSecrets {
        age.secrets = {
          macstadium = {
            file = secretsDir + "/macstadium.age";
            mode = "600";
          };
        };
      })
    ]
  );
}