feat: bidirectional remote builders — server <> uConsole

Add reusable remote-builder NixOS module and builder system user.

Server (lazyworkhorse): dispatches aarch64-linux builds to uConsole
uConsole: dispatches x86_64-linux builds to server

The builder user uses the same SSH keypair on both hosts for
symmetric remote building. Generate the key with:
  ssh-keygen -t ed25519 -f /etc/ssh/builder_key -N ""
Add the public key to lib/keys.nix (replace PLACEHOLDER).

flake.nix

@@ -17,7 +17,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixos-raspberrypi = {
-      url = "github:nvmd/nixos-raspberrypi/v1.20260317.0";
+      url = "github:nvmd/nixos-raspberrypi/v1.20260517.0";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     self.submodules = true;
@@ -69,9 +69,11 @@
               ./modules/nixos/services/open_code_server.nix
               ./modules/nixos/services/ollama_init_custom_models.nix
               ./modules/nixos/services/openclaw_node.nix
+              ./modules/nixos/services/remote-builder.nix
               ./modules/nixos/security/ai-worker-restricted.nix
               ./users/gortium.nix
               ./users/ai-worker.nix
+              ./users/builder.nix
             ];
           };
 
@@ -100,7 +102,9 @@
               }
               nixos-raspberrypi.nixosModules.raspberry-pi-5.base
               nixos-uconsole.nixosModules.uconsole-cm5
+              ./modules/nixos/services/remote-builder.nix
               ./hosts/uConsole/configuration.nix
+              ./users/builder.nix
               ./hosts/uConsole/hardware-configuration.nix
             ];
           };

hosts/lazyworkhorse/configuration.nix

@@ -11,6 +11,10 @@
   # Flakesss
   nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
   nix.settings.trusted-users = [ "root" "gortium" ];
+  nix.settings.extra-platforms = [ "aarch64-linux" ];
+
+  # QEMU binfmt for cross-building aarch64 NixOS targets
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   # Garbage collection
   nix.gc = {
@@ -569,5 +573,23 @@
   # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
   system.stateVersion = "25.05"; # Did you read the comment?
 
+
+  # ============================================================
+  # Remote builder — dispatches aarch64-linux builds to uConsole
+  # ============================================================
+  services.remoteBuilder = {
+    enable = true;
+    machines = [
+      {
+        hostName = "192.168.1.120";
+        port = 22;
+        sshUser = "builder";
+        sshKey = "/etc/ssh/builder_key";
+        systems = [ "aarch64-linux" ];
+        maxJobs = 4;
+      }
+    ];
+  };
+
 }
 

hosts/uConsole/configuration.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, paths, self, ... }:
+{ config, lib, pkgs, paths, self, keys, ... }:
 
 {
   # Basic Host Info
@@ -9,15 +9,17 @@
   # System State
   system.stateVersion = "25.05";
 
-  # Boot & Hardware (uconsole-cm5 module handles boot.loader)
+  # Boot & Hardware (migrated to kernel bootloader per nixos-raspberrypi deprecation notice)
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.loader.raspberry-pi.bootloader = "kernel";
+  # kernel managed by nixos-raspberrypi module — don't override, patches are version-specific
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
 
   # Networking
   networking.networkmanager.enable = true;
   services.openssh = {
     enable = true;
-    settings.PermitRootLogin = "prohibit-password";
+    settings.PermitRootLogin = lib.mkForce "prohibit-password";
-    settings.PasswordAuthentication = false;
+    settings.PasswordAuthentication = lib.mkForce false;
   };
 
   # User
@@ -106,6 +108,7 @@
   # ============================================================
   systemd.services.rnsd = {
     description = "Reticulum Network Stack Daemon";
+    wants = [ "network-online.target" ];
     after = [ "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
@@ -123,6 +126,7 @@
   # ============================================================
   systemd.services.kismet = {
     description = "Kismet Wi-Fi Monitor & IDS";
+    wants = [ "network-online.target" ];
     after = [ "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
@@ -164,4 +168,23 @@
   # Reticulum uses its own encryption and doesn't need open ports
   # for basic mesh operations (peer-to-peer discovery).
   # For TCP interfaces, open additional ports as needed.
+
+  # ============================================================
+  # Remote builder — dispatches x86_64-linux builds to server
+  # ============================================================
+  services.remoteBuilder = {
+    enable = true;
+    machines = [
+      {
+        hostName = "lazyworkhorse.net";
+        port = 2424;
+        sshUser = "builder";
+        sshKey = "/etc/ssh/builder_key";
+        systems = [ "x86_64-linux" ];
+        maxJobs = 36;
+        supportedFeatures = [ "benchmark" "big-parallel" "nixos-test" ];
+      }
+    ];
+  };
+
 }

lib/keys.nix

@@ -9,6 +9,13 @@
     ai-worker = {
       main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXeGtPPcsP2IYRQNvII41NVWhJsarEk8c4qxs/a5sXf";
     };
+
+    builder = {
+      # Same key on both hosts for bidirectional remote building.
+      # Generate with: ssh-keygen -t ed25519 -f /etc/ssh/builder_key -N ""
+      # Replace the placeholder below with the public key (builder_key.pub).
+      main = "PLACEHOLDER_ADD_BUILDER_PUBKEY_HERE";
+    };
   };
 
   hosts = {

modules/nixos/services/remote-builder.nix

@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.remoteBuilder;
+in {
+  options.services.remoteBuilder = {
+    enable = lib.mkEnableOption "remote Nix build machine";
+
+    machines = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          hostName = lib.mkOption {
+            type = lib.types.str;
+            description = "Hostname or IP of the remote build machine.";
+          };
+          port = lib.mkOption {
+            type = lib.types.port;
+            default = 22;
+            description = "SSH port.";
+          };
+          sshUser = lib.mkOption {
+            type = lib.types.str;
+            default = "builder";
+            description = "SSH user on the remote build machine.";
+          };
+          sshKey = lib.mkOption {
+            type = lib.types.str;
+            description = "Path to SSH private key for the builder.";
+          };
+          systems = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [ "aarch64-linux" ];
+            description = "System types the remote builder can build for.";
+          };
+          maxJobs = lib.mkOption {
+            type = lib.types.int;
+            default = 4;
+            description = "Max parallel jobs on the remote builder.";
+          };
+          supportedFeatures = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [ "benchmark" "big-parallel" "nixos-test" ];
+            description = "Features the remote builder supports.";
+          };
+        };
+      });
+      default = [];
+      description = "List of remote Nix build machines.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    nix.distributedBuilds = true;
+    nix.buildMachines = map (m: {
+      hostName = m.hostName;
+      sshUser = m.sshUser;
+      sshKey = m.sshKey;
+      systems = m.systems;
+      maxJobs = m.maxJobs;
+      supportedFeatures = m.supportedFeatures;
+    }) cfg.machines;
+
+    # SSH config for port + key (nix.buildMachines has no port option)
+    programs.ssh.extraConfig = lib.concatStringsSep "\n" (map (m: ''
+      Host ${m.hostName}
+        HostName ${m.hostName}
+        Port ${toString m.port}
+        User ${m.sshUser}
+        IdentityFile ${m.sshKey}
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+    '') cfg.machines);
+  };
+}

overlays/reticulum.nix

@@ -5,6 +5,7 @@ in {
   reticulumStack = python3.pkgs.buildPythonApplication rec {
     pname = "reticulum";
     version = "1.2.9";
+    format = "setuptools";
     src = pyPkgs.fetchPypi {
       pname = "rns";
       inherit version;
@@ -24,6 +25,7 @@ in {
   lxmf = python3.pkgs.buildPythonApplication rec {
     pname = "lxmf";
     version = "0.9.8";
+    format = "setuptools";
     src = pyPkgs.fetchPypi {
       inherit pname version;
       sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
@@ -42,6 +44,7 @@ in {
   nomadnet = python3.pkgs.buildPythonApplication rec {
     pname = "nomadnet";
     version = "1.1.1";
+    format = "setuptools";
     src = pyPkgs.fetchPypi {
       inherit pname version;
       sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
@@ -60,6 +63,7 @@ in {
   rnsh = python3.pkgs.buildPythonApplication rec {
     pname = "rnsh";
     version = "0.1.7";
+    format = "setuptools";
     src = pyPkgs.fetchPypi {
       inherit pname version;
       sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";

users/builder.nix

@@ -0,0 +1,13 @@
+{ config, lib, pkgs, keys, ... }: {
+  users.users.builder = {
+    isSystemUser = true;
+    group = "builder";
+    home = "/var/empty";
+    createHome = false;
+    shell = pkgs.nologin;
+    openssh.authorizedKeys.keys = with keys; [
+      users.builder.main
+    ];
+  };
+  users.groups.builder = {};
+}