Fix pure eval and harden nix script bootstrap

modules/nix/cache-client.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  nix.settings = {
+    substituters = [
+      "http://nix-cache"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [
+      "cache.local-1:usoWYanY3Kpq2+kDIS2nhWoLZiRxanmdysdzqCFBHW4="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+    auto-optimise-store = true;
+  };
+}

modules/nix/cache-server.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+{
+  # Generate the binary cache key pair on the nix-cache host:
+  #   sudo install -d -m 0700 /etc/nix
+  #   sudo nix-store --generate-binary-cache-key nix-cache-1 \
+  #     /etc/nix/cache-priv.pem \
+  #     /etc/nix/cache-pub.pem
+  #   sudo chmod 0600 /etc/nix/cache-priv.pem
+  #   sudo chmod 0644 /etc/nix/cache-pub.pem
+  #   cat /etc/nix/cache-pub.pem
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = "/etc/nix/cache-priv.pem";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."nix-cache" = {
+      locations."/" = {
+        proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  users.groups.nixremote = {};
+
+  users.users.nixremote = {
+    isSystemUser = true;
+    group = "nixremote";
+    createHome = true;
+    home = "/var/lib/nixremote";
+    shell = pkgs.bashInteractive;
+    # Provide remote builder public keys here (safe to commit public keys only):
+    # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
+    #
+    # Avoid absolute keyFiles paths here because they break pure flake evaluation.
+    openssh.authorizedKeys.keys = [ ];
+  };
+
+  services.openssh.enable = true;
+
+  nix.settings = {
+    trusted-users = [ "root" "nixremote" ];
+    experimental-features = [ "nix-command" "flakes" ];
+    auto-optimise-store = true;
+    builders-use-substitutes = true;
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+}

modules/nix/remote-builder-client.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+
+{
+  # Install the remote builder key on each client host (do not commit private keys):
+  #   sudo install -d -m 0700 /root/.ssh
+  #   sudo install -m 0600 ./nixremote /root/.ssh/nixremote
+  #   sudo ssh -i /root/.ssh/nixremote nixremote@nix-cache nix-store --version
+  nix.distributedBuilds = true;
+
+  nix.buildMachines = [
+    {
+      hostName = "nix-cache";
+      sshUser = "nixremote";
+      sshKey = "/root/.ssh/nixremote";
+      system = pkgs.stdenv.hostPlatform.system;
+      maxJobs = 4;
+      speedFactor = 2;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    }
+  ];
+
+  nix.settings = {
+    builders-use-substitutes = true;
+    max-jobs = "auto";
+  };
+}