cachix / install-nix-action

Installs Nix on GitHub Actions for the supported platforms: Linux and macOS.
Apache License 2.0

`with` Support for appending to `/etc/nix/machines` #81

Open Profpatsch opened 3 years ago

Profpatsch commented 3 years ago

It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines. That way it becomes trivial to set up a build server instead of stealing minutes from the GitHub builders.

For example in my nixos config I have:

nix.buildMachines = [
  # access to the nix-community aarch64 build box
  {
    hostName = "aarch64.nixos.community";
    maxJobs = 64;
    sshKey = "/root/aarch64-build-box/ssh-key";
    sshUser = "Profpatsch";
    system = "aarch64-linux";
    supportedFeatures = [ "big-parallel" ];
  }
];

which creates the following line in /etc/nix/machines:

Profpatsch@aarch64.nixos.community aarch64-linux /root/aarch64-build-box/ssh-key 64 1 big-parallel

And now nix will use the nixos community aarch builder for my "aarch64-linux" derivations.

We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

domenkozar commented 3 years ago

It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines.

Agreed :) Could you propose how it would work?

That way it becomes trivial to set up a build server instead of stealing minutes from the GitHub builders.

It would still take minutes from GHA, but it would be a lot faster?

We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

:+1:

Profpatsch commented 3 years ago

Agreed :) Could you propose how it would work?

Ideally something like

with:
  builders:
    - hostName: "aarch64.nixos.community"
      maxJobs: 64
      sshKey: "/root/aarch64-build-box/ssh-key"
      sshUser: "Profpatsch"
      system: "aarch64-linux"
      supportedFeatures: [ "big-parallel" ]
    - …

To translate the example from above.
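As an added illustration (not code from the issue or from install-nix-action), here is how the proposed structured `builders` input could be rendered into `/etc/nix/machines` lines. Column order follows the machines file format (URI, system, ssh key, max jobs, speed factor, supported features, mandatory features); the check that every value is a single whitespace-free token is my own addition, since a value containing a space or newline would otherwise be parsed as extra columns or as an extra builder.

```python
import re
from typing import Mapping, Sequence

# The machines file is whitespace-separated, so a value containing spaces or a
# newline would be read as extra columns or as an extra builder.  Reject it.
_TOKEN = re.compile(r"^\S+$")


def _field(name: str, value: str) -> str:
    if not _TOKEN.match(value):
        raise ValueError(f"{name} must be one whitespace-free token, got {value!r}")
    return value


def machine_line(builder: Mapping) -> str:
    """One builder (keys as in nix.buildMachines) -> one /etc/nix/machines line.
    Columns: URI system sshKey maxJobs speedFactor supportedFeatures mandatoryFeatures.
    '-' marks an empty column; empty trailing columns are dropped, as in the line quoted above.
    """
    host = _field("hostName", builder["hostName"])
    user = builder.get("sshUser")
    uri = f"{_field('sshUser', user)}@{host}" if user else host

    def features(key: str) -> str:
        return ",".join(_field(key, f) for f in builder.get(key, [])) or "-"

    columns = [
        uri,
        _field("system", builder["system"]),
        _field("sshKey", builder.get("sshKey") or "-"),
        str(int(builder.get("maxJobs", 1))),
        str(int(builder.get("speedFactor", 1))),  # NixOS defaults speedFactor to 1
        features("supportedFeatures"),
        features("mandatoryFeatures"),
    ]
    while columns[-1] == "-":
        columns.pop()
    return " ".join(columns)


def render_machines(builders: Sequence[Mapping]) -> str:
    """File content to append to /etc/nix/machines: one line per builder."""
    return "".join(machine_line(b) + "\n" for b in builders)


# Constructed sample: the builder from the `with:` proposal above.
EXAMPLE_BUILDER = {"hostName": "aarch64.nixos.community", "maxJobs": 64,
                   "sshKey": "/root/aarch64-build-box/ssh-key", "sshUser": "Profpatsch",
                   "system": "aarch64-linux", "supportedFeatures": ["big-parallel"]}
```

`render_machines([EXAMPLE_BUILDER])` reproduces the line quoted from NixOS earlier in the thread.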

Profpatsch commented 3 years ago

It would still take minutes from GHA, but it would be a lot faster?

Definitely, it also frees us up to use any cheap hosting offer, e.g. with 128 cores which can be helpful for fast CI times with nix builds that e.g. bump nixpkgs.