├── .github
│   └── FUNDING.yml
├── README.md
├── darwin-configuration.nix
├── keys
│   ├── 0x4A6F
│   ├── artturin
│   ├── dotlambda
│   ├── emilylange
│   ├── fab
│   ├── figsoda
│   ├── hexa
│   ├── julienmalka
│   ├── k900
│   ├── lily
│   ├── ma27
│   ├── phaer
│   ├── raitobezarius
│   ├── stephank
│   ├── toonn
│   ├── winter
│   └── zowoq
└── users.nix

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
open_collective: nix-macos

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Deprecated

The Nix Community organisation now provides a new machine as a Darwin build box, managed in [nix-community/infra](https://github.com/nix-community/infra); see https://nix-community.org/community-builder for details.

Previous README:
# Want access?

1. You must read literally this entire README. It is critically
   important that you do so.
2. Open a PR adding yourself to `users.nix`.

I'll grant access to well-known members of the community, and to people
whom well-known members of the community trust.

## Notes on Security and Safety

***TLDR:*** a trusted but malicious actor could hack your system through
this builder. Do not use this builder for secret builds. Be careful
what you use this system for. Do not trust the results. For a more
nuanced understanding, read on.

For someone to use a server as a remote builder, they must be a
`trusted-user` on the remote builder. `man nix.conf` has this to say
about Trusted Users:

> Users that have additional rights when connecting to the Nix daemon,
> such as the ability to specify additional binary caches, or to
> import unsigned NARs.
>
> Warning: The users listed here have the ability to compromise the
> security of a multi-user Nix store. For instance, they could install
> Trojan horses subsequently executed by other users. So you should
> consider carefully whether to add users to this list.

Nix's model of remote builders requires users to be able to directly
import files into the Nix store (that is, to import unsigned NARs, as
the manual says), and there is no guarantee that what they import
hasn't been maliciously modified. Every user of this box is such a
trusted user, so any of them can place arbitrary store paths on the
builder, and those paths can come back to your machine as build results.

The following is written as me, @winterqt:

I trust everyone who has access, but with limits:

1. ***DO NOT*** trust this builder for systems that contain private
   data or tools.

2. ***DO NOT*** trust this builder to make binary bootstrap tools,
   because we have to trust those bootstrap tools for a long time to
   not be compromised.

3. ***DO NOT*** trust this builder to make tools used to make binary
   bootstrap tools, because we have to trust those bootstrap tools for
   a long time to not be compromised.

IF YOU ARE: making binary bootstrap tools, please only use tools
built by Hydra on a system which has never been exposed to things
built from this server.

# Configuring your computer for remote builds

First, put this in your `configuration.nix`:

```nix
{
  programs.ssh.knownHosts."darwin-build-box.winter.cafe".publicKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0io9E0eXiDIEHvsibXOxOPveSjUPIr1RnNKbUkw3fD";

  nix = {
    distributedBuilds = true;
    buildMachines = [
      {
        hostName = "darwin-build-box.winter.cafe";
        maxJobs = 4;
        sshKey = "/root/a-private-key";
        sshUser = "your-user-name";
        systems = [ "aarch64-darwin" "x86_64-darwin" ];
      }
    ];
  };
}
```

**Note:** Make sure the SSH key specified above does *not* have a
password, otherwise `nix-build` will give an error along the lines of:

> unable to open SSH connection to
> 'ssh://your-user-name@darwin-build-box.winter.cafe': cannot connect to
> 'your-user-name@darwin-build-box.winter.cafe'; trying other available
> machines...

Then run an initial SSH connection as root to set up the trust
fingerprint:

```
$ sudo su
# ssh your-user-name@darwin-build-box.winter.cafe -i /root/a-private-key
```

The host key offered (the one pinned in `knownHosts` above) should always be:

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0io9E0eXiDIEHvsibXOxOPveSjUPIr1RnNKbUkw3fD
```

***If it is not, please open an issue!***

Finally, `nix-build . -A hello --argstr system aarch64-darwin`.

If this doesn't work, reach out and I can help debug.

# Want to support this?

The hosting costs for this machine are paid for by the [Nix 🖤 macOS Collective](https://opencollective.com/nix-macos). If you'd like to support not only this machine but also toonn's work on the SDK bump, consider contributing.

# Acknowledgements

- [Domen Kožar](https://github.com/domenkozar), for running the [Nix 🖤 macOS Collective](https://opencollective.com/nix-macos).
- [Graham Christensen](https://github.com/grahamc), for running the [aarch64 build box](https://github.com/nix-community/aarch64-build-box), from which I took the structure of this README.

--------------------------------------------------------------------------------
/darwin-configuration.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }:

{
  imports = [ ./users.nix ];

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
    git
    vim
  ];

  # Auto upgrade nix package and the daemon service.
  services.nix-daemon.enable = true;

  # "relaxed": builds are sandboxed, except derivations that set __noChroot = true.
  nix.settings.sandbox = "relaxed";
  # Also accept x86_64-darwin jobs on this host (see the README's `systems` list).
  nix.settings.extra-platforms = [ "x86_64-darwin" ];

  # Provision twice as many build users as concurrent jobs.
  nix.nrBuildUsers = config.nix.settings.max-jobs * 2;
  nix.settings.max-jobs = 64;

  # Create /etc/zshrc that loads the nix-darwin environment.
  programs.zsh.enable = true; # default shell on catalina

  # Used for backwards compatibility, please read the changelog before changing.
  # $ darwin-rebuild changelog
  system.stateVersion = 4;
}

--------------------------------------------------------------------------------
/keys/0x4A6F:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuUdiPdq7neZjTSRoc4PuRg8a6M/JBaJ8fjQxPH6uUT 0x4A6F@darwin-build-box

--------------------------------------------------------------------------------
/keys/artturin:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJiUxvklqkkqhqUAsyQy1fnGYB2ICqCrxFZn4pf6G1o

--------------------------------------------------------------------------------
/keys/dotlambda:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLD6C7Tqnesd17VpguCUPv8gbx4T/2xKwm6BmpPOGJ8 root@kurt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID49tEIeBAeMD2zsWWIl0YbepF+KMxs6nWZn0fWDmryT root@georg

--------------------------------------------------------------------------------
/keys/emilylange:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPBk7s6uA+IHDDiXH4NNB1x7W9OIA95uIMp4Jq8MKpy

--------------------------------------------------------------------------------
/keys/fab:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKjD9rcdx5Py8hQdIhRku1MfO6P7WFpZi+VJZspjj/2 Darwin remote builder 1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsRtI+bY95/AJBAaKnWvW/EwG4qs8cFn5bSI+rC78lQ Darwin remote builder 2

--------------------------------------------------------------------------------
/keys/figsoda:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMw76DA8ltc+mvXfckMstJgE7qXplw4IvDV+9B00JxG0

--------------------------------------------------------------------------------
/keys/hexa:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/37GyrbkRJ98Woq6yz7le5kaFcvNHhE9uRbEtn/dRJ hexa@nyx
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHfZrbvLfabJ1aWW2x8/dutV5jlFlVPSD+reRl81Sdp hexa@gaia

--------------------------------------------------------------------------------
/keys/julienmalka:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

--------------------------------------------------------------------------------
/keys/k900:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun

--------------------------------------------------------------------------------
/keys/lily:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKYH3ivyXgnhXL6xgZxZifRclw+2xsxWNdNe1ghjw7A lily@bina

--------------------------------------------------------------------------------
/keys/ma27:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN09FaPqWdKIPHnyC4LXTY15cJerbsrYg0ynReCx1k7V ma27

--------------------------------------------------------------------------------
/keys/phaer:
--------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLopgIL2JS/XtosC8K+qQ1ZwkOe1gFi8w2i1cd13UehWwkxeguU6r26VpcGn8gfh6lVbxf22Z9T2Le8loYAhxANaPghvAOqYQH/PJPRztdimhkj2h7SNjP1/cuwlQYuxr/zEy43j0kK0flieKWirzQwH4kNXWrscHgerHOMVuQtTJ4Ryq4GIIxSg17VVTA89tcywGCL+3Nk4URe5x92fb8T2ZEk8T9p1eSUL+E72m7W7vjExpx1PLHgfSUYIkSGBr8bSWf3O1PW6EuOgwBGidOME4Y7xNgWxSB/vgyHx3/3q5ThH0b8Gb3qsWdN22ZILRAeui2VhtdUZeuf2JYYh8L

--------------------------------------------------------------------------------
/keys/raitobezarius:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Nix remote builder key (Thors)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE Nix remote builder key (Thorkell)

--------------------------------------------------------------------------------
/keys/stephank:
--------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEM89t08F2XADDgHOrq/6tqYgTxvShlu5AozW8J0D5tTNN0wxAPoOUb2VC5Rd2mviQeYvvR+ihH21F4w+/GFgET+UnYvTy8e/jiOhvuIPqvgo4fJt4NDPmClL9jFDkXmlC+uQUT3WtkhOTtPmbaLnKU5rb7q2igJ6UtNOAOFrUvq1/1Sw9M8apOLGlederSzbV6X7RnZDWRmZkKsxh+7b1lQE6PXHV99U1nioiQJoFlINUa2CfWTV/ODGKRbYkhe+FmRQw2lig4QW7MqrI3gWpy3/H0y7Ri5YaxBhLqzmsBiTV79OZkC2URg/c3ybUwhWmfNV8a/z30zDsY3ICpFOf

--------------------------------------------------------------------------------
/keys/toonn:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPGvIn51XMn1DXred/QGQWBFF6/RwE8cG2dgyrOsXqnT toonn@darwin-build-box

--------------------------------------------------------------------------------
/keys/winter:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB48pH8R4ofvGo5dph4I3lZ5CM6He95TRu1h1oURydhf

--------------------------------------------------------------------------------
/keys/zowoq:
--------------------------------------------------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbCYwWByGE46XHH4Q0vZgQ5sOUgbH50M8KO2xhBC4m/

--------------------------------------------------------------------------------
/users.nix:
--------------------------------------------------------------------------------
let
  # To add yourself:
  # 1. Add an entry to this list, using the next UID.
  # 2. Create a file in `keys` named your user name that contains your SSH key(s), separated by newlines.
  users = [
    {
      name = "winter";
      trusted = true;
      uid = 502;
    }
    {
      name = "stephank";
      trusted = true;
      uid = 503;
    }
    {
      name = "hexa";
      trusted = true;
      uid = 504;
    }
    {
      name = "0x4A6F";
      trusted = true;
      uid = 505;
    }
    {
      name = "artturin";
      trusted = true;
      uid = 506;
    }
    {
      name = "figsoda";
      trusted = true;
      uid = 507;
    }
    {
      name = "raitobezarius";
      trusted = true;
      uid = 508;
    }
    {
      name = "zowoq";
      trusted = true;
      uid = 509;
    }
    {
      name = "k900";
      trusted = true;
      uid = 510;
    }
    {
      name = "julienmalka";
      trusted = true;
      uid = 511;
    }
    {
      name = "dotlambda";
      trusted = true;
      uid = 512;
    }
    {
      name = "lily";
      trusted = true;
      uid = 513;
    }
    {
      name = "ma27";
      trusted = true;
      uid = 514;
    }
    {
      name = "fab";
      trusted = true;
      uid = 515;
    }
    {
      name = "phaer";
      trusted = true;
      uid = 516;
    }
    {
      name = "emilylange";
      trusted = true;
      uid = 517;
    }
    {
      name = "toonn";
      trusted = true;
      uid = 542;
    }
  ];
in
{
  users.users = builtins.listToAttrs (builtins.map
    (u: {
      inherit (u) name;
      value = {
        inherit (u) uid;
        home = "/Users/${u.name}";
        createHome = true;
        shell = "/bin/zsh";
      };
    })
    users);

  users.knownUsers = builtins.map (u: u.name) users;

  users.forceRecreate = true;

  # Each user's SSH login keys come from keys/<name>, installed as
  # /etc/ssh/authorized_keys.d/<name>.
  environment.etc = builtins.listToAttrs (builtins.map
    (u: {
      name = "ssh/authorized_keys.d/${u.name}";
      value = { source = ./keys/${u.name}; };
    })
    users);

  # Every entry with `trusted = true` becomes a Nix trusted-user; see the
  # README for what that allows (importing unsigned paths into the store).
  nix.settings.trusted-users = builtins.map (u: u.name) (builtins.filter (u: u.trusted) users);
}

--------------------------------------------------------------------------------
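The README's access procedure (an entry in `users.nix` plus a matching file in `keys/`) and the fact that every entry becomes an SSH login and a Nix trusted-user make the key files worth checking before a PR is merged. The following is an added example, not code from the darwin-build-box repository: a small Python lint that cross-checks a users list against the `keys/` contents and validates each authorized_keys line by decoding the OpenSSH wire-format blob, so a mislabelled, truncated or stray key is caught in review. The function names (`check_key_line`, `lint_access_list`, `trusted_users`, `make_key_line`) and the sample users and key files are constructed for this example; `HOST_KEY` is the builder's host key as printed in the README.

```python
import base64
import struct

# Key types this lint accepts; ed25519 additionally has a fixed raw key length.
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa"}
EXPECTED_RAW_LEN = {"ssh-ed25519": 32}

# Host key of the builder as printed in the README, used here as a known-good line.
HOST_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0io9E0eXiDIEHvsibXOxOPveSjUPIr1RnNKbUkw3fD"


def read_ssh_string(blob, offset):
    """Read one length-prefixed string from an SSH wire-format blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated string body")
    return blob[start:start + length], start + length


def check_key_line(line):
    """Return None if `line` is a well-formed authorized_keys entry, else an error string."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]'"
    declared_type, b64 = parts[0], parts[1]
    if declared_type not in ACCEPTED_TYPES:
        return f"unsupported key type {declared_type!r}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"invalid base64: {exc}"
    try:
        # The first wire string must repeat the declared type; a mismatch means
        # the line was hand-edited or pasted from a different key.
        embedded_type, offset = read_ssh_string(blob, 0)
        if embedded_type != declared_type.encode("ascii"):
            return f"declared type {declared_type!r} does not match embedded type {embedded_type!r}"
        if declared_type in EXPECTED_RAW_LEN:
            raw, offset = read_ssh_string(blob, offset)
            if len(raw) != EXPECTED_RAW_LEN[declared_type]:
                return f"{declared_type} key must be {EXPECTED_RAW_LEN[declared_type]} bytes, got {len(raw)}"
            if offset != len(blob):
                return "trailing data after key"
    except ValueError as exc:
        return f"malformed key blob: {exc}"
    return None


def lint_access_list(users, key_files):
    """Cross-check users.nix entries (name/trusted/uid dicts) against keys/ file texts."""
    problems = []
    names = [u["name"] for u in users]
    if len(set(names)) != len(names):
        problems.append("duplicate user names in users list")
    for name in names:
        if name not in key_files:
            problems.append(f"{name}: listed in users.nix but keys/{name} is missing")
            continue
        lines = [ln.strip() for ln in key_files[name].splitlines() if ln.strip()]
        if not lines:
            problems.append(f"{name}: keys/{name} is empty")
        for n, line in enumerate(lines, 1):
            err = check_key_line(line)
            if err:
                problems.append(f"{name}: keys/{name} line {n}: {err}")
    for name in key_files:
        if name not in names:
            problems.append(f"keys/{name} exists but {name} is not in users.nix")
    return problems


def trusted_users(users):
    """Mirror of the users.nix filter: names that end up in nix.settings.trusted-users."""
    return [u["name"] for u in users if u["trusted"]]


def make_key_line(key_type, raw, comment=""):
    """Build an OpenSSH public key line from a type and raw key bytes (sample data only)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw)) + raw)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed sample data: alice is fine, bob has no key file, carol's key is
# an ed25519 blob mislabelled as ssh-rsa, and keys/dave has no users.nix entry.
SAMPLE_USERS = [
    {"name": "alice", "trusted": True, "uid": 502},
    {"name": "bob", "trusted": True, "uid": 503},
    {"name": "carol", "trusted": False, "uid": 504},
]
GOOD_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "alice@laptop")
SAMPLE_KEY_FILES = {
    "alice": GOOD_KEY + "\n",
    "carol": "ssh-rsa " + GOOD_KEY.split()[1] + "\n",
    "dave": make_key_line("ssh-ed25519", bytes(32)) + "\n",
}
```

Running `lint_access_list(SAMPLE_USERS, SAMPLE_KEY_FILES)` reports three problems (bob's missing file, carol's mislabelled key, the stray `keys/dave`), and `trusted_users(SAMPLE_USERS)` shows which names would reach `nix.settings.trusted-users`. For `ssh-rsa` the lint only checks the embedded type; it does not parse the RSA exponent and modulus.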