
Operating a Builder

Graham Christensen edited this page Dec 27, 2017 · 16 revisions

Standard Setup

$ nix-shell ./shell.nix
$ cd ofborg
$ cargo build

or:

$ nix-build . -A ofborg.rs

Then copy example.config.json to config.json and edit its variables. Set nix.remote to an empty string if you're not using the daemon.

If you used cargo build, run:

./target/debug/builder ./config.json

If you used nix-build, run:

./result/bin/builder ./config.json

Service

This is a service I use:

{ pkgs, ... }:

let
  # Path to a checkout of the ofborg repository; .ofborg.rs is the Rust build
  # (the same attribute as `nix-build . -A ofborg.rs` above).
  grahamcofborg = (import ./ofborg/default.nix).ofborg.rs;
in {
  # Dedicated unprivileged account so the builder never runs as a real user.
  users.users.gc-of-borg = {
    description = "GC Of Borg Workers";
    home = "/var/lib/gc-of-borg";
    createHome = true;
    group = "gc-of-borg";
    uid = 402;
  };
  users.groups.gc-of-borg.gid = 402;

  systemd.services.grahamcofborg-builder = {
    enable = true;
    after = [ "network.target" "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    # Tools the builder shells out to; having nix here is what keeps
    # nix-build resolvable on PATH without hardcoding its location.
    path = with pkgs; [
      nix
      git
      curl
      bash
    ];
    serviceConfig = {
      User = "gc-of-borg";
      Group = "gc-of-borg";
      PrivateTmp = true;
      WorkingDirectory = "/var/lib/gc-of-borg";
      Restart = "always";
    };

    preStart = ''
      mkdir -p ./nix-test
    '';
    script = ''
      # The build root lives under the service account's home, not an operator's.
      export HOME=/var/lib/gc-of-borg
      # Use the multi-user build daemon rather than building as this user.
      export NIX_REMOTE=daemon
      git config --global user.email "graham+cofborg@example.com"
      git config --global user.name "GrahamCOfBorg"
      export RUST_BACKTRACE=1
      # Note: ''${./myconfig.json} copies the config into the world-readable
      # /nix/store, so any credentials it holds are readable by every local user.
      ${grahamcofborg}/bin/builder ${./myconfig.json}
    '';
  };
}

Debugging

If you get:

Protocol("Unexpected method frame: connection.close, expected: connection.open-ok")

it means your credentials don't have enough permissions.

If you get:

thread 'main' panicked at 'Running "nix-build": Error { repr: Os { code: 2, message: "No such file or directory" } }'

it means nix-build isn't executable, and if you're on a Mac you might need this annoying patch:

diff --git a/ofborg/src/nix.rs b/ofborg/src/nix.rs
index dbb21c2..ceb2381 100644
--- a/ofborg/src/nix.rs
+++ b/ofborg/src/nix.rs
@@ -40,7 +40,7 @@ impl Nix {
             attrargs.push(attr);
         }
 
-        return self.safely("nix-build", nixpkgs, attrargs, true);
+        return self.safely("/nix/var/nix/profiles/default/bin/nix-build", nixpkgs, attrargs, true);
     }
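Review bot: the replacement `self.safely("/nix/var/nix/profiles/default/bin/nix-build", ...)` hardcodes one install layout (the default profile of a single-user macOS install) and will fail just as silently on any host where Nix lives elsewhere; the failure this works around is a PATH problem, and the less brittle fix is to put nix's bin directory on the builder's PATH (the systemd unit above does exactly that with `path = with pkgs; [ nix ... ]`) or to read the nix-build location from config.json instead of a literal. If the patch is kept as a local workaround, a comment next to the `self.safely(...)` call should say it is macOS-only so it is not committed by accident.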

Best Practices

  • Only run a builder on a host which is "multi-user", i.e. one that uses the build daemon
  • Ensure you have sandboxing enabled
  • On macOS, as of 2017-12-25, ONLY run it if you either:
    • are using Nix 1.12 from master with the fancy sandboxing code, or
    • are aware of the problems of not using the sandbox and have judged that to not be a problem for you.
    If you don't fit these two, subscribe to https://github.com/grahamc/ofborg/issues/7 and I'll update / close that when I have good documentation on setting up sandboxing.

Security and Privacy of your builder

Running a builder will inherently expose some information about your system publicly in GitHub comments. Efforts are taken to minimize the risk and exposure, but it cannot be perfect. Please evaluate the risks for yourself when deciding to run a builder.

Builder Identity

The builder's identity is considered public information, and efforts are not taken to hide it.

Home Directory Leakage

For example, one operator was unhappy that the builder exposed their home directory in an error log:

error: while evaluating the attribute ‘args’ of the derivation ‘hello-1.12.0’ at /Users/theiruser/.nix-test-rs/repo/commit-hash/builder/their-builder-identity/pkgs/stdenv/generic/make-derivation.nix:98:11:
couldn't change to directory of ‘/nix/var/nix/daemon-socket/socket’: No such file or directory

If you'd rather your home directory / user account information not be exposed, ensure the build root is outside of your home directory.
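The following pre-flight script is an added example and is not part of the ofborg wiki or the ofborg project. It checks the three operator concerns from this page before a builder is started: that the host is a multi-user install (daemon socket present), that sandboxing is turned on in nix.conf, and that the build root sits outside the operator's home directory so evaluation errors echoed into GitHub comments do not reveal the account name. The socket path is the one from the error message above; the nix.conf location, the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): builder host pre-flight checks.
# Assumed defaults: the daemon socket path quoted in the error log above and
# the usual system-wide /etc/nix/nix.conf. Override both via arguments.

# Returns 0 when PATH equals DIR or lies below it (pure string comparison).
path_within() {
  dir="${1%/}"
  path="${2%/}"
  case "$path" in
    "$dir"|"$dir"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# A multi-user Nix install exposes a daemon socket; the builder should talk
# to it (NIX_REMOTE=daemon) instead of building as the invoking user.
daemon_available() {
  [ -S "${1:-/nix/var/nix/daemon-socket/socket}" ]
}

# Returns 0 if the given nix.conf enables sandboxing. Both spellings are
# accepted: build-use-sandbox (older Nix) and sandbox (Nix 1.12 master / 2.x).
sandbox_enabled() {
  conf="${1:-/etc/nix/nix.conf}"
  [ -r "$conf" ] || return 1
  grep -Eq '^[[:space:]]*(build-use-sandbox|sandbox)[[:space:]]*=[[:space:]]*true' "$conf"
}

# A build root under the operator's home leaks the account name into
# evaluation errors (see the /Users/theiruser/... example above).
build_root_outside_home() {
  home_dir="$1"
  build_root="$2"
  ! path_within "$home_dir" "$build_root"
}

# preflight HOME_DIR BUILD_ROOT [NIX_CONF] [DAEMON_SOCKET]
# Prints one line per check and returns the number of failed checks.
preflight() {
  failures=0
  if daemon_available "$4"; then
    echo "ok:   daemon socket present (multi-user install)"
  else
    echo "FAIL: no daemon socket; only run a builder on a multi-user host"
    failures=$((failures + 1))
  fi
  if sandbox_enabled "$3"; then
    echo "ok:   sandboxing enabled in nix.conf"
  else
    echo "FAIL: sandboxing is not enabled in nix.conf"
    failures=$((failures + 1))
  fi
  if build_root_outside_home "$1" "$2"; then
    echo "ok:   build root $2 is outside $1"
  else
    echo "FAIL: build root $2 is inside $1 and will show up in public error logs"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Usage on a real host (the service above keeps its build root under
# /var/lib/gc-of-borg, which passes the last check):
#   preflight "$HOME" /var/lib/gc-of-borg/nix-test
```

The checks are deliberately file- and string-based rather than invoking nix itself, so the script can be run as the unprivileged service account before the builder has any credentials loaded; a non-zero return is the count of failed checks, which makes it easy to gate a service start on it.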
