`with` Support for appending to `/etc/nix/machines`

[Profpatsch]

It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines. That way it becomes trivial to set up a build server instead of stealing minutes from the Github builders.

For example in my nixos config I have:

nix.buildMachines = [
      # access to the nix-community aarch64 build box
      {
        hostName = "aarch64.nixos.community";
        maxJobs = 64;
        sshKey = "/root/aarch64-build-box/ssh-key";
        sshUser = "Profpatsch";
        system = "aarch64-linux";
        supportedFeatures = [ "big-parallel" ];
      }

which creates the following line in /etc/nix/machines:

Profpatsch@aarch64.nixos.community aarch64-linux /root/aarch64-build-box/ssh-key 64 1 big-parallel

And now nix will use the nixos community aarch builder for my "aarch64-linux" derivations.

We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning, that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

[domenkozar]

It would be cool if there was some support (maybe even a structured attrset like in nixos?) to add a builder to /etc/nix/machines.

Agreed :) Could you propose how it would work?

That way it becomes trivial to set up a build server instead of stealing minutes from the Github builders.

It would still take minutes from GHA, but it would be a lot faster?

We of course also need a way to specify the private ssh key for logging into the builder. And maybe a security warning, that running nix on a builder might be a remote execution vector (nix sandboxes it, but exploits are not unheard of, so you might only want to enable it in private repos and/or on PRs by trusted contributors).

👍

[Profpatsch]

Agreed :) Could you propose how it would work?

Ideally something like

with:
  builders:
    - hostName: "aarch64.nixos.community"
      maxJobs: 64
      sshKey: "/root/aarch64-build-box/ssh-key"
      sshUser: "Profpatsch"
      system: "aarch64-linux"
      supportedFeatures: [ "big-parallel" ]
   - …

To translate the example from above.

[Profpatsch]

It would still take minutes from GHA, but it would be a lot faster?

Definitely, it also frees us up to use any cheap hosting offer, e.g. with 128 cores which can be helpful for fast CI times with nix builds that e.g. bump nixpkgs.