diff --git a/.sops.yaml b/.sops.yaml
index 5a45e0c..6283150 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -72,6 +72,14 @@ creation_rules:
 - *zimbatm
 - *zowoq
 - *adisbladis
+ - path_regex: hosts/darwin.+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *ryantm
+ - *zimbatm
+ - *zowoq
+ - *adisbladis
 - path_regex: modules/darwin/.+\.yaml$
 key_groups:
 - age:
diff --git a/hosts/darwin01/builders.nix b/hosts/darwin01/builders.nix
new file mode 100644
index 0000000..f9d64d3
--- /dev/null
+++ b/hosts/darwin01/builders.nix
@@ -0,0 +1,17 @@
+{ inputs, ... }:
+{
+ # builder ssh key is installed manually from ./secrets.yaml
+
+ nix.distributedBuilds = true;
+ nix.buildMachines = [
+ {
+ hostName = "darwin03.nix-community.org";
+ maxJobs = 8;
+ protocol = "ssh-ng";
+ sshKey = "/etc/nix/darwin-community-builder.key";
+ sshUser = "nix";
+ systems = [ "aarch64-darwin" "x86_64-darwin" ];
+ supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin03.config.nix.settings.system-features;
+ }
+ ];
+}
diff --git a/hosts/darwin01/configuration.nix b/hosts/darwin01/configuration.nix
index 523f091..3379dac 100644
--- a/hosts/darwin01/configuration.nix
+++ b/hosts/darwin01/configuration.nix
@@ -5,6 +5,7 @@
 inputs.self.darwinModules.common
 inputs.self.darwinModules.builder
 inputs.self.darwinModules.community-builder
+ ./builders.nix
 ];
 
 nix.settings.sandbox = "relaxed";
diff --git a/hosts/darwin01/secrets.yaml b/hosts/darwin01/secrets.yaml
new file mode 100644
index 0000000..faa3852
--- /dev/null
+++ b/hosts/darwin01/secrets.yaml
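Review bot: The new `hosts/darwin.+\.yaml$` rule has no comment recording why it is placed ahead of `modules/darwin/.+\.yaml$`; sops takes the first creation rule whose path_regex matches, so the position decides which recipients a new darwin host secret is encrypted to and a later reorder would change that silently. A one-line comment above the rule, `# first matching rule wins: keep host-specific rules ahead of broader ones`, would make the ordering load-bearing on purpose. The five-key group also repeats the members visible in the rule directly above it (`*zimbatm`, `*zowoq`, `*adisbladis`); if the two groups are meant to stay identical, a shared YAML anchor for the key list would keep them from drifting apart — the preceding rule starts outside the hunk, so whether it has the same five members is inferred.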
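Review bot: The build machine entry declares the client key (`sshKey`) but nothing about darwin03's SSH host key, so the ssh-ng connection made by the daemon trusts whatever is already in its known_hosts, and because derivation inputs and build outputs travel over this channel, the identity of the remote end is the thing worth pinning in the repo. If the nix-darwin `nix.buildMachines` module exposes `publicHostKey` as the NixOS one does, add `publicHostKey = "<base64 host key of darwin03 — placeholder>";` next to `sshKey`. The comment on the third line says the private key is installed manually; it should also state who is expected to own it and with what mode, e.g. `# builder ssh key is installed manually from ./secrets.yaml (owned by the user the nix daemon runs as, mode 0600 — confirm)`. Separately, `hostName` hard-codes `darwin03.nix-community.org` while `supportedFeatures` reads `darwinConfigurations.darwin03`; deriving both from one binding would keep the two from disagreeing if the builder is ever swapped.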
@@ -0,0 +1,57 @@ +darwin-community-builder: ENC[AES256_GCM,data:j+R9EQaxYOqSTsAsFqd4sC8y1NToffun+W7Yer0OyQQh1gCZiuZ+9sQ9Zk21NMw4K1O5yVQ++nug/ifCoitQndNItaTIHt7kOpw1E2SixH3QFL1NXIkd9Z9fT1X9+tFvoupAp9+i724gy3xEnRhTk3CGxDDeBdlzwJD/nmKv6kzxlz+VFUJgZs3cXR9dicF78Aj75s8zZGFNCJQ5XbGB7B9KDpKbE5NYR+Si03HHyUtIcMJwYow0nsBG3hDzd0vmXQBAp9aAeyoVKfhDLjlxA9FtfROA12G7k4JGPyIRb79kaf9rCo+BZ7kTezSB6n01mEE1EYmqqjzC9jDqz2rT8FQFYQAl+guL6ucSePg1J6dR6h5AVy6Y7vtkqeqQAvZxuEI69/WiBLKDRHpKF4kWI+uP0VmGG/ymk9mZv6r0C3C38SYKnYX5lP81/DVeNqRc9a6a6VopmRo1bDSdwjrfKVsJRYVQxZE+LLc71gAPwM76vn4pp+7NfDMwigz8Vf9o2erG7EoL++LMVs9eQDONnmBJkbOMAUX128utfWjWwXks8GU=,iv:CF+9kcvtq5Ds/t1ix64JvEWYS1ZOeUgwkjH/1iPQ9uU=,tag:ijMRjNo//DbkejR3EaCIIg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMGtJeXpScXc3NDNWTUZt + VUVFTGJrSEJiNmx6T1V4UnYrSU03cC8rdlJZClYrekNTM1RINmdTK3lXR2VDR01p + MVJLakdzcExQTGJneGlmUkpFMUxSM0EKLS0tIDlyUkppZzAwUmpOdFYxSE9jeExO + M0gxcUdFQUU5QlFrWG1hdXg1Ymd6ZlEKXCNYJlSOxCCiEpF0rRsaEqrBWIUUkbXp + uJtw0HyDkqGpQqfECeXFrYQaLwda4zE1jdyKAeAErCzBRWcNIiRxww== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK005YnpUVW1WS0F5cVpn + T3c2QkZFWDBnZGFVeE9vZkhmKzEvUWZxSVhvCkozcWhabm9YVFJHWVZrREtPTi9G + d1FRa09iVUtRYXhrUWMyM0pmeUUwcEUKLS0tIGlXZGl2TlVjZE5zNVo4cVZwbTBu + M2gxMit6R0NVcEVndURhbUIrNUZ3Y3cKlgf3SLmXIGqB2QfHKl3diYIoea1PgTRi + KJxF1yemnTt1SONIQ1KGe0k/ZwF26nxFpulQgIUu5d/sxJsmcAOdkw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cEd4WFpVUGNYQnZWbFBN + 
WDcyOFQxMGs1WEdvNHU4dm1veFM3WjdMRUFJCjUxTGtRVlRpN1ErUVM2NWFZcFZn + RVNrdEp4RVpCRzBMRGZuREFldm91V2sKLS0tIEJ1VVlJTlNVVGd4Um1nZFN2RFAz + c3JzRmRNK2RsV1haT1h4SWNGcjQ1VVUKa+2fnLAyIfis4r1BiozVQLJh3SalBaxi + tCnKC/UQJdkYIUU9vJb6ppUjJkorAAo5mZrAe/eRduBxfpJUUb8eWw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbFJEMWhKNXV2b0xyYUlz + cXBteHFZMmpjVmZaVXZGRTF5SWRPSW9MSjJjCk9Zakw1NG9Mb0Zza3ZzQng0c1A0 + WlQwcHVQMXZGL0t1d3NnOVVjMTBVU2cKLS0tIEFQMWQwNVFmZGpXLzI2RENUelRa + elhCR2FUQUJQN29kK3o2K0JLTFlqQmcKazwVMLcYu3I+8hAtrV+YQtygxgQ6dQVM + yQP5dTgZsYBkfaitOAP4l8itUZonrh6f7UdVzKUgYRPMOwIYhtzo6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YVNHRjA4MHNFVTExR1k0 + QThuNkZYUWJoSkJjejhTcXNnamd5dlUzdERrCkhyTUdkbEJtOUFZeDVFRzVJWFB1 + N0lFTVN1cXB6U016QVRYc2d3dDFHOUUKLS0tIGU0Tm5qSWdxVjNDZDdxMjZscHgv + S1pxdllKb3RCaHNCbnA2emhUVDNuUmcKthSb56JvFU42z4JNv/iAvFBVKBMHnDPN + V6/ksTj/3fFApzCEuX+Q8CaisI8X7ZK+7bwl+2zxZBvaKvKFX5Teug== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-09T03:02:23Z" + mac: ENC[AES256_GCM,data:emWjXIHph8qRJ+fhTmpkuIIHgO3WMMUTPwIDZMVuFTOj+Q9aWux5k70k1xKs+ykPftWCgSoJvMYHiP62uJ9hjNXvYL1mg7KgbSUDf8xoFHwDWhBNKtq4KFUmCXnLprPkps/2sQmIeAnvjRNJnlrGqTWN6pQU/ErLqIvuZFIGbUs=,iv:ujYC++qyNfEzrAlcsIMRcpIkRRRgJP4H5gSaOlYJ5lk=,tag:lXWPh1bLWJMhDvLXBFK/Pg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/darwin03/configuration.nix b/hosts/darwin03/configuration.nix index d6463cc..ba797cf 100644 --- a/hosts/darwin03/configuration.nix +++ b/hosts/darwin03/configuration.nix 
@@ -4,8 +4,12 @@
 imports = [
 inputs.self.darwinModules.common
 inputs.self.darwinModules.builder
+ inputs.self.darwinModules.remote-builder
 ];
+ # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
+ nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKq4Jo8KcZEo3dcSBxFyaZA9Y8qWBLbOA/6aF6oqNYDS darwin-community-builder";
+
 nix.settings.sandbox = "relaxed";
 nix.settings.extra-platforms = [ "x86_64-darwin" ];