From 5e3cd0566749121cd6b795c2b75f09c11b19c5c9 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sun, 6 Oct 2024 13:18:04 +1000
Subject: [PATCH] add shared nix-remote-builder
---
 darwin/roles/nix-remote-builder.nix | 1 +
 nixos/roles/nix-remote-builder.nix | 50 +----------------------------
 shared/roles/nix-remote-builder.nix | 27 ++++++++++++++++
 3 files changed, 29 insertions(+), 49 deletions(-)
 create mode 100644 darwin/roles/nix-remote-builder.nix
 create mode 100644 shared/roles/nix-remote-builder.nix
diff --git a/darwin/roles/nix-remote-builder.nix b/darwin/roles/nix-remote-builder.nix
new file mode 100644
index 00000000..ffcd4415
--- /dev/null
+++ b/darwin/roles/nix-remote-builder.nix
@@ -0,0 +1 @@
+{ }
diff --git a/nixos/roles/nix-remote-builder.nix b/nixos/roles/nix-remote-builder.nix
index fb761dfe..ffcd4415 100644
--- a/nixos/roles/nix-remote-builder.nix
+++ b/nixos/roles/nix-remote-builder.nix
@@ -1,49 +1 @@
-{
- lib,
- config,
- pkgs,
- ...
-}:
-let
- cfg = config.roles.nix-remote-builder;
-in
-{
-
- options.roles.nix-remote-builder = {
- schedulerPublicKeys = lib.mkOption {
- description = "SSH public keys of the central build scheduler";
- type = lib.types.listOf lib.types.str;
- };
- };
-
- config = {
- # Garbage-collect often
- nix.gc.automatic = true;
- nix.gc.dates = "*:45";
- nix.gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
-
- # Randomize GC to avoid thundering herd effects.
- nix.gc.randomizedDelaySec = "1800";
-
- # Allow more open files for non-root users to run NixOS VM tests.
- security.pam.loginLimits = [
- {
- domain = "*";
- item = "nofile";
- type = "-";
- value = "20480";
- }
- ];
-
- # Give restricted SSH access to the build scheduler
- users.users.nix-remote-builder.openssh.authorizedKeys.keys = map (
- key: ''restrict,command="nix-daemon --stdio" ${key}''
- ) cfg.schedulerPublicKeys;
- users.users.nix-remote-builder.isNormalUser = true;
- users.users.nix-remote-builder.group = "nogroup";
- nix.settings.trusted-users = [ "nix-remote-builder" ];
-
- # Allow more nix-daemon sessions to connect at the same time.
- services.openssh.settings.MaxStartups = 100;
- };
-}
+{ }
diff --git a/shared/roles/nix-remote-builder.nix b/shared/roles/nix-remote-builder.nix
new file mode 100644
index 00000000..7398be28
--- /dev/null
+++ b/shared/roles/nix-remote-builder.nix
@@ -0,0 +1,27 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.roles.nix-remote-builder;
+in
+{
+
+ options.roles.nix-remote-builder = {
+ schedulerPublicKeys = lib.mkOption {
+ description = "SSH public keys of the central build scheduler";
+ type = lib.types.listOf lib.types.str;
+ };
+ };
+
+ config = {
+ # Give restricted SSH access to the build scheduler
+ users.users.nix-remote-builder.openssh.authorizedKeys.keys = map (
+ key: ''restrict,command="nix-daemon --stdio" ${key}''
+ ) cfg.schedulerPublicKeys;
+
+ nix.settings.trusted-users = [ "nix-remote-builder" ];
+ };
+}
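Review bot: The shared module installs SSH keys for `nix-remote-builder` via `users.users.nix-remote-builder.openssh.authorizedKeys.keys` and adds it to `nix.settings.trusted-users`, but never declares the account itself, while the nixos hunk in this same commit deletes the `users.users.nix-remote-builder.isNormalUser = true;` and `users.users.nix-remote-builder.group = "nogroup";` lines that used to do so and leaves that role as `{ }`. Unless the user is defined in a module not shown here, NixOS evaluation should reject a `users.users` entry that sets neither `isNormalUser` nor `isSystemUser`, so those two lines belong back in `nixos/roles/nix-remote-builder.nix` (next to whatever imports the shared role) or in a form the shared module can express for both platforms. The same nixos hunk also drops the GC tuning, `security.pam.loginLimits` and `services.openssh.settings.MaxStartups` without relocating them anywhere in this patch; if that is intentional the commit message should say so, otherwise they should stay in the NixOS role since the darwin side cannot use them. The `restrict,command="nix-daemon --stdio"` prefix on every scheduler key is correctly carried over to the new side, and `pkgs` is now an unused module argument in the shared file.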