Update nix-darwin for latest github-runner; refactor, following a fresh install (#51)

flake.lock

@@ -930,11 +930,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1708737761,
-        "narHash": "sha256-sR/1cYjpgr71ZSrt6Kp5Dg4Ul3mo6pZIG400tuzYks8=",
+        "lastModified": 1710717205,
+        "narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "bbde06bed1b72eddff063fa42f18644e90a0121e",
+        "rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
         "type": "github"
       },
       "original": {

flake.nix

@@ -72,9 +72,9 @@
             ./systems/darwin.nix;
 
         # Configuration for a NixOS VM (running on my Mac)
-        nixosConfigurations.linux-builder =
+        nixosConfigurations.parallels-linux-builder =
           self.nixos-flake.lib.mkLinuxSystem
-            ./systems/linux-builder;
+            ./systems/parallels-vm/linux-builder;
       };
 
       perSystem = { self', system, pkgs, lib, config, inputs', ... }: {

justfile

@@ -5,14 +5,14 @@ fmt:
     treefmt
 
 # Remote deploy to a host
-remote-deploy host='linux-builder':
+remote-deploy host='parallels-linux-builder':
     nixos-rebuild switch --fast --use-remote-sudo \
         --flake .#{{host}} \
         --target-host $USER@{{host}} \
         --build-host $USER@{{host}}
 
 # First install on a remote machine
-remote-install host='linux-builder':
+remote-install host='parallels-linux-builder':
     nix run github:nix-community/nixos-anywhere \
         -- \
         --build-on-remote \

nix-darwin/ci/README.md

@@ -0,0 +1,49 @@
+
+# Self-Hosted CI on Macbook Pro
+
+**WARNING: WIP Notes**. Expect final version in nixos.asia as a blog post.
+
+## `github-runner.nix`
+
+Create a classic token, and store it impurely:
+
+```sh
+sudo sh -c "echo 'ghp_...' > /run/github-token-ci"
+```
+
+Setup github-runner.nix for first time, and then:
+
+```sh
+sudo chown _github-runner:_github-runner /run/github-token-ci
+```
+
+## Linux Builder
+
+The author has observed the official "linux-builder" to be slow, in comparison to a Parallels VM. Prefer setting up a Parallels VM if you can.
+
+### Via Parallels
+
+- Create new VM, installing NixOS: https://nixos.asia/en/nixos-install-disko
+    - Name it parallels-linux-builder`
+    - CPU: 6; RAM 16GB; Disk 1TB; Use Rosetta
+    - Post install
+        - `sudo nano /etc/nixos/configuration.nix` and `services.openssh.enable = true;` and `sudo nixos-rebuild switch`
+        - If you are not using disko, you must copy over `hardware-configuration.nix`
+- `ssh-copy-id` your keys to both parallels@ and root@
+    - `ssh-copy-id -o PubkeyAuthentication=no -o PreferredAuthentications=password  parallels@parallels-linux-builder`
+    - `ssh parallels@parallels-linux-builder` and `sudo sh -c 'cp /home/parallels/.ssh/authorized_keys /root/.ssh'`
+    - Verify `ssh root@parallels-linux-builder` works.
+        - `service gdm stop` (we don't need)
+- Adjust the mac host keys
+
+```
+j remote-install
+```
+
+As root, run `ssh -i /etc/ssh/ssh_host_ed25519_key srid@parallels-linux-builder ` to access it as known host.
+
+
+
+### Via linux-builder
+
+See `nix-darwin/linux-builder`. Follow the instructions.

nix-darwin/ci/github-runner.nix

@@ -1,6 +1,12 @@
 { flake, pkgs, lib, ... }:
 
 {
+  # Choose one or the other.
+  imports = [
+    ../../systems/parallels-vm/nix-darwin/use.nix
+    # ./linux-builder.nix
+  ];
+
   # TODO: Refactor this into a module, like easy-github-runners.nix
   services.github-runners =
     let
@@ -14,7 +20,7 @@
           # > admin:org scope to use this endpoint. If the repository is private, 
           # > the repo scope is also required.
           # https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#list-self-hosted-runners-for-an-organization
-          tokenFile = "/run/mykeys/gh-token-runner";
+          tokenFile = "/run/github-token-ci";
           extraPackages = with pkgs; [
             # Standard nix tools
             nixci
@@ -44,14 +50,19 @@
             url = "https://github.com/srid/ema";
             num = 3;
           };
-          nixci = {
-            url = "https://github.com/srid/nixci";
+          dioxus-desktop-template = {
+            url = "https://github.com/srid/dioxus-desktop-template";
             num = 2;
           };
           nixos-config = {
             url = "https://github.com/srid/nixos-config";
             num = 2;
           };
+          /*
+          nixci = {
+            url = "https://github.com/srid/nixci";
+            num = 2;
+          };
           nixos-flake = {
             url = "https://github.com/srid/nixos-flake";
             num = 3;
@@ -68,6 +79,7 @@
             url = "https://github.com/srid/unionmount";
             num = 2;
           };
+          */
         };
       };
     in
@@ -82,43 +94,4 @@
           in
           lib.nameValuePair name value)
       )));
-  users.knownGroups = [ "github-runner" ];
-  users.knownUsers = [ "github-runner" ];
-
-  # If not using linux-builder, use a VM
-  nix.distributedBuilds = true;
-  nix.buildMachines = [{
-    hostName = "linux-builder";
-    systems = [ "aarch64-linux" "x86_64-linux" ];
-    supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
-    maxJobs = 6; # 6 cores
-    protocol = "ssh-ng";
-    sshUser = flake.config.people.myself;
-    sshKey = "/etc/ssh/ssh_host_ed25519_key";
-  }];
-
-  # To build Linux derivations whilst on macOS.
-  # 
-  # NOTES:
-  # - To SSH, `sudo su -` and then `ssh -i /etc/nix/builder_ed25519  builder@linux-builder`.
-  #   Unfortunately, a simple `ssh linux-builder` will not work (Too many authentication failures).
-  # - To update virtualisation configuration, you have to disable, delete
-  #   /private/var/lib/darwin-builder/ and re-enable.
-  nix.linux-builder = {
-    enable = false;
-    systems = [
-      "x86_64-linux"
-      "aarch64-linux"
-    ];
-    config = { pkgs, lib, ... }: {
-      boot.binfmt.emulatedSystems = [ "x86_64-linux" ];
-      nix.settings.experimental-features = "nix-command flakes repl-flake";
-      virtualisation = {
-        # Larger linux-builder cores, ram, and disk.
-        cores = 6;
-        memorySize = lib.mkForce (1024 * 16);
-        diskSize = lib.mkForce (1024 * 1024 * 1); # In MB.
-      };
-    };
-  };
 }

nix-darwin/ci/linux-builder.nix

@@ -0,0 +1,33 @@
+{ lib, ... }:
+
+{
+  # To build Linux derivations whilst on macOS.
+  # 
+  # NOTES:
+  # - For first `nix run`, comment out all but the `enable` option, so binary cache is used. You may have to `sudo pkill nix-daemon` first.
+  #   - After this, uncomment the configuration and `nix run`; this time, it will use the remote builder.
+  # - To SSH, `sudo su -` and then `ssh -i /etc/nix/builder_ed25519  builder@linux-builder`.
+  #   Unfortunately, a simple `ssh linux-builder` will not work (Too many authentication failures).
+  # - To update virtualisation configuration, you have to disable; delete
+  #   /private/var/lib/darwin-builder/ and re-enable.
+  nix.linux-builder = {
+    enable = true;
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+    ];
+    config = { pkgs, lib, ... }: {
+      boot.binfmt.emulatedSystems = [ "x86_64-linux" ];
+      nix.settings.experimental-features = "nix-command flakes repl-flake";
+      environment.systemPackages = with pkgs; [
+        htop
+      ];
+      virtualisation = {
+        # Larger linux-builder cores, ram, and disk.
+        cores = 6;
+        memorySize = lib.mkForce (1024 * 16);
+        diskSize = lib.mkForce (1024 * 1024 * 1); # In MB.
+      };
+    };
+  };
+}

systems/darwin.nix

@@ -4,7 +4,7 @@
 {
   imports = [
     flake.inputs.self.darwinModules.default
-    # ../nix-darwin/ci.nix
+    ../nix-darwin/ci/github-runner.nix
     ../nix-darwin/zsh-completion-fix.nix
   ];
 

systems/parallels-vm/linux-builder/default.nix

@@ -10,13 +10,13 @@
 { flake, modulesPath, ... }: {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
-    flake.inputs.disko.nixosModules.disko
-    ../../nixos/self/primary-as-admin.nix
-    ../../nixos/server/harden/basics.nix
-    ../../nixos/current-location.nix
+    ./hardware-configuration.nix
+    ../../../nixos/self/primary-as-admin.nix
+    ../../../nixos/server/harden/basics.nix
+    ../../../nixos/current-location.nix
     ./parallels-vm.nix
     # Dev
-    ./dev.nix
+    # ./dev.nix
   ];
 
   # Basics
@@ -30,10 +30,8 @@
       MAILADDR srid@srid.ca
     '';
   };
-  disko.devices = import ../../nixos/disko/trivial.nix { device = "/dev/sda"; };
   networking = {
-    hostName = "linux-builder";
-    networkmanager.enable = true;
+    hostName = "parallels-linux-builder";
   };
 
   # Distributed Builder
@@ -42,6 +40,6 @@
   services.openssh.enable = true;
   users.users.${flake.config.people.myself}.openssh.authorizedKeys.keys = [
     # macos /etc/ssh/ssh_host_ed25519_key.pub
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPGfskkyhM0wefy0Sex2t5GENEHTIZAWrb9LzRN0R9x"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICra+ZidiwrHGjcGnyqPvHcZDvnGivbLMayDyecPYDh0"
   ];
 }

systems/parallels-vm/linux-builder/dev.nix

@@ -3,8 +3,8 @@
   imports = [
     flake.inputs.self.nixosModules.home-manager
     flake.inputs.self.nixosModules.my-home
-    ../../nixos/nix.nix
-    ../../nixos/docker.nix
+    ../../../nixos/nix.nix
+    ../../../nixos/docker.nix
   ];
 
   programs.nix-ld.enable = true; # For vscode-server

systems/parallels-vm/linux-builder/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/eb7e394a-1c20-4996-a392-efa3b69665ed";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/423B-8BF8";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  hardware.parallels.enable = true;
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "prl-tools" ];
+}

systems/parallels-vm/nix-darwin/use.nix

@@ -0,0 +1,15 @@
+{ flake, ... }:
+
+{
+  # If not using linux-builder, use a VM
+  nix.distributedBuilds = true;
+  nix.buildMachines = [{
+    hostName = "parallels-linux-builder";
+    systems = [ "aarch64-linux" "x86_64-linux" ];
+    supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
+    maxJobs = 6; # 6 cores
+    protocol = "ssh-ng";
+    sshUser = flake.config.people.myself;
+    sshKey = "/etc/ssh/ssh_host_ed25519_key";
+  }];
+}