From 8afcf249d6322603cd87790c1858c20af6c2008a Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 18 Jul 2024 12:18:02 +0200
Subject: [PATCH] buildbot: upgrade to local machine specifications

Signed-off-by: Raito Bezarius
---
 flake.lock | 8 +++----
 services/buildbot/default.nix | 39 +++++++++++++++--------------------
 2 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/flake.lock b/flake.lock
index 38d1859..ad99b6c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -64,11 +64,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1721229951,
- "narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
+ "lastModified": 1721297738,
+ "narHash": "sha256-xkNu7G/ejwrz7P4NNu7cF2L1pQqh+XZMeUaKvF/tZKY=",
 "ref": "refs/heads/refactor",
- "rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
- "revCount": 262,
+ "rev": "4ad5459da867bba670c5e9cb89e159820663dc07",
+ "revCount": 265,
 "type": "git",
 "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
 },
diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix
index 5b3187f..1eb7543 100644
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
@@ -76,16 +76,33 @@ in tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token"; }; + # TODO(raito): this is not really necessary, we never have remote buildbot workers. + # we can replace all of this with automatic localworker generation on buildbot-nix side. workersFile = config.age.secrets.buildbot-workers.path; allowedOrigins = [ "*.forkos.org" ]; + # TODO(raito): is that really necessary when we can just collect buildMachines' systems? buildSystems = [ "x86_64-linux" ]; + buildMachines = map (n: { + hostName = nodes.${n}.config.networking.fqdn; + protocol = "ssh-ng"; + # Follows Hydra. + maxJobs = 8; + sshKey = config.age.secrets.buildbot-remote-builder-key.path; + sshUser = "buildbot"; + systems = [ "x86_64-linux" ]; + supportedFeatures = nodes.${n}.config.nix.settings.system-features; + # Contrary to how Nix works, here we can specify non-base64 public host keys. + publicHostKey = ssh-keys.machines.${n}; + } + ) cfg.builders; + gerrit = { domain = cfgGerrit.canonicalDomain; # Manually managed account… @@ -106,28 +123,6 @@ in signingKeyFile = config.age.secrets.buildbot-signing-key.path; }; - nix.distributedBuilds = true; - nix.buildMachines = map (n: { - hostName = nodes.${n}.config.networking.fqdn; - protocol = "ssh-ng"; - # Follows Hydra. - maxJobs = 8; - sshKey = config.age.secrets.buildbot-remote-builder-key.path; - sshUser = "buildbot"; - systems = [ "x86_64-linux" ]; - supportedFeatures = nodes.${n}.config.nix.settings.system-features; - # TODO: fix it, see the Hydra file about it. - # IFD already exist in NixOS, so it's fine, I guess. - publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" { - buildInputs = [ - pkgs.coreutils - ]; - } '' - echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out - ''); - } - ) cfg.builders; - nix.settings.keep-derivations = true; nix.gc = { automatic = true;
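Review bot: The comment above `publicHostKey = ssh-keys.machines.${n};` in the first hunk says a non-base64 key is accepted, but not which form is expected or where the encoding happens, and this value is what pins the SSH host identity of each remote builder. The `nix.buildMachines` definition removed in the second hunk base64-encoded the same value itself, so the conversion is now presumably done inside buildbot-nix, which flake.lock follows on `refs/heads/refactor`. I would spell the contract out, e.g. `# Raw (non-base64) key from ssh-keys.machines; buildbot-nix is expected to encode it for Nix — re-check on lock bumps.`, so a change in the module's handling is caught at review time. It is also worth confirming that `buildbot-remote-builder-key` is readable by whichever user now opens the `ssh-ng` connection, since the secret's owner and mode are not visible here. The attribute set holding `buildMachines` starts and ends outside this hunk.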