nixos-configs/README.md

# nixos-configuration

Personal NixOS configuration for all machines. Devices are declared in `devices.nix`, per-device configs live in `nixosConfigurations/<name>/`, and shared modules in `nixosModules/`.

## Distributed builds

Machines are configured to act as build servers / binary caches for each other in devices.nix.

### Onboarding a device as a build client

1. Generate a key pair on the device:

   ```sh
   sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" && sudo cat /etc/nix/distributed-build-key.pub
   ```

2. Add the public key to the device entry in `devices.nix`:

   ```nix
   distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
   ```

3. Rebuild all build machines so they pick up the new authorized key.

### Adding a build server

1. Add to its entry in `devices.nix`:

   ```nix
   distributedBuilds.isBuilder = true;
   distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 "$(hostname)"
   ```

2. Generate a store signing key on the builder:

   ```sh
   sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
   ```

3. Add the printed public key to `devices.nix`:

   ```nix
   distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
   ```

4. Rebuild all machines so they trust the new signing key.
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			`# nixos-configuration`

			Personal NixOS configuration for all machines. Devices are declared in `devices.nix`, per-device configs live in `nixosConfigurations/<name>/`, and shared modules in `nixosModules/`.

			`## Distributed builds`

			`Machines are configured to act as build servers / binary caches for each other in devices.nix.`

			`### Onboarding a device as a build client`

			`1. Generate a key pair on the device:`
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
			```sh
			`sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" && sudo cat /etc/nix/distributed-build-key.pub`
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			```
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			2. Add the public key to the device entry in `devices.nix`:
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			```nix
			`distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";`
			```
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			`3. Rebuild all build machines so they pick up the new authorized key.`

			`### Adding a build server`

			1. Add to its entry in `devices.nix`:
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			```nix
			`distributedBuilds.isBuilder = true;`
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00			`distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 "$(hostname)"`
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			```
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			`2. Generate a store signing key on the builder:`
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
			```sh
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			`sudo nix key generate-secret --key-name "$(hostname)" \| sudo tee /etc/nix/signing-key.sec \| sudo nix key convert-secret-to-public`
			```
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			3. Add the printed public key to `devices.nix`:
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			```nix
			`distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";`
			```
ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out 2026-05-02 11:37:32 +02:00
distributed builds: use builders as binary caches 2026-05-02 00:03:09 +02:00			`4. Rebuild all machines so they trust the new signing key.`