Skip to content

Getting Started

Register

Registering for nixbuild.net is simple, and every account includes 50 free CPU hours of build time, so you can try out the service on your own terms, without committing to anything.

Before filling out the registration form, you need to generate a new SSH key for authenticating with the service. Once registered, you can add and remove SSH keys as you like.

The SSH key must be of type Ed25519. With OpenSSH, you can generate the key in the following way:

ssh-keygen -t ed25519 -C my-key-comment -f my-nixbuild-key

If you're using nix-daemon to run nix builds (which is usually the case), you shouldn't set a password on the SSH key. The key comment provided with the -C option will help you distinguish keys within nixbuild.net, if you add multiple SSH keys to your account, but is not used in any other way.

Now you can fill out the registration form, providing the public part of your SSH key. The public key should have this syntax:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzLYWrTuAlSWsdTHkTwLGoIaXOq6vrifbBt/X060KwL my-key-comment

When you've submitted the registration form, an activation link is emailed to you. After you've activated the account, follow the rest of this guide in order to setup your system for using nixbuild.net.

If you run into any troubles when going through the guide, or during your future use of nixbuild.net, just ask [email protected] for help.

You are also welcome to submit issue reports, questions or any other feedback here.

SSH Configuration

If you use nix-daemon to run builds on your local machine you need to make the private SSH key available (with permissions 0600) to the user that nix-daemon runs as (root). The easiest way to do this is to add the following entry to your system wide (or root user) SSH client config:

Host eu.nixbuild.net
  PubkeyAcceptedKeyTypes ssh-ed25519
  IdentityFile /path/to/your/private/key

The PubkeyAcceptedKeyTypes ssh-ed25519 entry above is important, since it will keep SSH from using key types that nixbuild.net can't handle.

Then, you need to add the public host key of eu.nixbuild.net to the known hosts file of the root user (/root/.ssh/known_hosts). Alternatively, you can add it to the global known hosts file (/etc/ssh/ssh_known_hosts). The reason you have to add the public host key manually is that when Nix sets up an SSH connection, it can't ask you to confirm the host key.

You should add the following line to the known hosts file:

eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM

Verifying Shell Access

You should now verify that you can connect to the nixbuild.net shell, which is used to administer your account.

Run the following command (using the root user via sudo, to emulate how nix-daemon works):

sudo ssh eu.nixbuild.net shell

You should be greeted by a screen looking similar to this:

••••••••••••••••••••••••••••
••••••• nixbuild.net •••••••
••••••••••••••••••••••••••••

Welcome to nixbuild.net!

This shell allows you to administer your account
and retrieve information about your nix builds.

Account name: bob
Free build time left: 49:59:59

Available shell commands:

  help       Show help
  get        Show all account settings
  set        Set an account settings
  unset      Revert an account setting to default
  list       List entities
  show       Show details about entities
  usage      Show resource usage
  ssh-keys   Manage your public SSH keys

Run 'help COMMAND' for help on individual shell commands.
For help on subcommands run 'COMMAND SUBCOMMAND --help'.
For more documentation, see:
https://docs.nixbuild.net/nixbuild-shell

Adding an SSH Key

For convenience, you probably want to generate another SSH key and add it to your nixbuild.net account now. This way, you can have one key owned by the root user, used by nix-daemon, and one key owned by your normal user, for accessing the nixbuild.net shell.

Your user key can have a password or be managed by an SSH agent, since it will be used interactively. It must be of type Ed25519, and you need to have the PubkeyAcceptedKeyTypes ssh-ed25519 configured as above.

Each key associated with your account must have a unique key name (sometimes referred to as key comment) for identifying the key.

To add a new SSH key, use the ssh-keys add command, like this:

nixbuild.net> ssh-keys add --help
ssh-keys add - Add a public SSH key to your account

Usage: ssh-keys add KEY_TYPE KEY KEY_NAME
  Add a key

Available options:
  KEY_TYPE                 Type of SSH key (must be 'ssh-ed25519')
  KEY                      The base64-encoded key byte sequence
  KEY_NAME                 A key name (comment), for identifying keys
  -h,--help                Show this help text

Example usage:
  ssh-keys add ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDrqgdPd6EB9YOUPy5CRNc+3dDvkc5jc2ZXfBNusi3LF laptop

The options match the format of OpenSSH public keys.
Only SSH keys of type 'ssh-ed25519' are supported.
Each key in your account must have a unique key name.
The same key cannot be associated with more than one account.


WARNING! When adding a new public key, any person with access to the
corresponding private key will gain immediate access to this account, and will
be able to run builds and make changes to the account. Look into the settings
'allow-shell' and 'allow-override' to restrict permissions.

As mentioned in the warning printed above, new SSH keys will get full access to your account by default. You can use various settings to restrict the key, see for example allow-shell and allow-override.

You can add as many SSH keys as you like to your account, to set up for example team users or CI builders.

Nix Configuration

You can now go ahead and configure nixbuild.net as a Nix remote build machine. As such, you can add it as an entry in your /etc/nix/machines file:

eu.nixbuild.net x86_64-linux - 100 1 big-parallel,benchmark

or simply use the --builders option of nix-build:

--builders "ssh://eu.nixbuild.net x86_64-linux - 100 1 big-parallel,benchmark"

The big-parallel,benchmark assignment is something that is called system features in Nix. You can use that as a primitive scheduling strategy if you have multiple remote machines. Nix will only submit builds that have been marked as requiring a specific system feature to machines that are assigned that feature.

The number 100 in the file above tells Nix that it is allowed to submit up to 100 simultaneous builds to eu.nixbuild.net. Usually, you use this property to balance builds between remote machines, and to make sure that a machine doesn't run too many builds at the same time. This works OK when you have rather homogeneous builds, and only one single Nix client is using a set of build servers. If multiple Nix clients use the same set of build servers, this simplistic scheduling breaks down, since a given Nix client loses track on how many builds are really running on a server.

However, when you're using nixbuild.net, you can set this number to anything really, since nixbuild.net will take care of the scheduling and scaling on its own, and it will not let multiple Nix clients step on each other's toes.

You probably want to activate the builders-use-substitutes Nix option. This option allows nixbuild.net to download dependencies directly from cache.nixos.org. You can read more about how nixbuild.net uses binary caches here.

Your First Build

Run the following build to verify that your configuration works as expected:

nix-build \
  --max-jobs 0 \
  --builders "ssh://eu.nixbuild.net x86_64-linux - 100 1 big-parallel,benchmark" \
  -I nixpkgs=channel:nixos-20.03 \
  --expr '((import <nixpkgs> {}).runCommand "test${toString builtins.currentTime}" {} "echo Hello nixbuild.net; touch $out")'

The output should look something like this:

these derivations will be built:
  /nix/store/0alhvbxdqq4hakna5sp6l51180q2l1l9-test1598214851.drv
building '/nix/store/0alhvbxdqq4hakna5sp6l51180q2l1l9-test1598214851.drv' on 'ssh://eu.nixbuild.net'...
Hello nixbuild.net
copying 1 paths...
copying path '/nix/store/8zj14ysp2jd3whldi99hk501628a9gaf-test1598214851' from 'ssh://eu.nixbuild.net'...
/nix/store/8zj14ysp2jd3whldi99hk501628a9gaf-test1598214851

That's it, now you can use nixbuild.net!

Running Distributed Builds

Read through the Nix remote build documentation to get an understanding for how Nix performs remote builds. Everything there applies to nixbuild.net, since nixbuild.net just appears as an ordinary remote builder to Nix.

When setting up remote builds it can be helpful to use the --max-jobs 0 Nix option, that explicitly disables local builds. That way, if remote builds are not working for some reason, this will not be obscured by local building.

Nix prefers using remote builders before building locally. If you want to disable remote builds for a specific build session, you can provide nix-build with the option --builders ''.

NixOS configuration

NixOS users can use a configuration similar to the one below to configure both SSH and Nix distributed builds:

programs.ssh.extraConfig = ''
  Host eu.nixbuild.net
    PubkeyAcceptedKeyTypes ssh-ed25519
    IdentityFile /path/to/your/private/key
'';

programs.ssh.knownHosts = {
  nixbuild = {
    hostNames = [ "eu.nixbuild.net" ];
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
  };
};

nix = {
  distributedBuilds = true;
  buildMachines = [
    { hostName = "eu.nixbuild.net";
      system = "x86_64-linux";
      maxJobs = 100;
      supportedFeatures = [ "benchmark" "big-parallel" ];
    }
  ];
};

If you use the above configuration you don't have to set up your known_hosts or .ssh/config files manually. You only need to put your private SSH key in place and assign it correct permissions.