working on using new created cache

2024-07-20 13:56:03 +02:00 · 2024-07-20 13:56:03 +02:00 · 6a07f4259a
parent 886535f95d
commit 6a07f4259a
8 changed files with 70 additions and 8 deletions
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -11,16 +11,16 @@ jobs:
          ${{ secrets.SSH_KEY }}
          EOF
          chmod 600 .id_rsa
-          
+
          eval $(ssh-agent)
          ssh-add .id_rsa
-          
+
          cat <<EOF > "$GITHUB_ENV"
          SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
          SSH_AGENT_PID=$SSH_AGENT_PID
          EOF

-#      - run: nix flake update
+      #      - run: nix flake update
      - run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel
      - run: nix build .#nixosConfigurations.cream.config.system.build.toplevel
      - run: nix build .#nixosConfigurations.cherry.config.system.build.toplevel
--- a/components/network/sshd/default.nix
+++ b/components/network/sshd/default.nix
@ -61,7 +61,7 @@ in
        # We might want to remove this once, openssh is fixed everywhere:
        # Workaround for CVE-2024-6387 and CVE-2024-6409
        # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
-        settings.LoginGraceTime = 0;
+        # settings.LoginGraceTime = 0;
      };

      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
--- a/components/network/wireguard.nix
+++ b/components/network/wireguard.nix
@ -22,6 +22,12 @@ with lib;
  #  };
  #};

+  config = {
+    networking.extraHosts = ''
+      10.100.0.1 cache.orbi.wg0
+    '';
+  };
+

 }

--- a/flake.nix
+++ b/flake.nix
@ -179,6 +179,7 @@
          assets = ./assets;
          factsGenerator = clan-fact-generators.lib { inherit pkgs; };
          clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
+          zerotierDeviceName = "ztbn67ogn2";
        };
      };

@ -251,9 +252,15 @@
          ];
        })
        # configure nix
-        ({ pkgs, lib, ... }:
+        ({ pkgs, lib, clanLib, ... }:
          {
-            nix.settings.substituters = [ "https://cache.nixos.org/" ];
+            nix.settings.substituters = [
+              "https://cache.nixos.org/"
+              "http://cache.orbi.wg0/"
+            ];
+            nix.settings.trusted-public-keys = [
+              (clanLib.readFact "nix-serve.pub" "orbi")
+            ];
            nix.settings.experimental-features = [ "nix-command" "flakes" ];
            nix.settings.max-jobs = 1;
            # no channesl needed this way
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@ -16,6 +16,7 @@
    ./service-vaultwarden.nix
    #./service-surrealdb.nix # not really needed at the moment
    ./service-vikunja.nix
+    ./service-nix-cache.nix

    ./nginx-ingolf-wagner-de.nix
    ./nginx-wkd.nix
--- a/machines/orbi/facts/nix-serve.pub
+++ b/machines/orbi/facts/nix-serve.pub
@ -0,0 +1 @@
+cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ=
--- a/machines/orbi/service-forgejo-runner.nix
+++ b/machines/orbi/service-forgejo-runner.nix
@ -17,7 +17,7 @@ in
  };
  users.groups.gitea-runner = { };

-  clanCore.facts.services.gitea-runner = {
+  clan.core.facts.services.gitea-runner = {
    secret."gitea-runner.token" = { };
    generator = {
      prompt = "please enter your gitea-runner password";
@ -51,7 +51,7 @@ in
        pkgs.openssh
      ];
      url = "https://git.ingolf-wagner.de";
-      tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path;
+      tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
      name = "fick_deine_mudda";
      labels = [
        # provide a debian base with nodejs for actions
--- a/machines/orbi/service-nix-cache.nix
+++ b/machines/orbi/service-nix-cache.nix
@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+{
+
+  # nixpkgs.config.packageOverrides = p: {
+  #   nix-serve = p.haskellPackages.nix-serve-ng;
+  # };
+
+  # generate private key with:
+  # nix-store --generate-binary-cache-key my-secret-key my-public-key
+  clan.core.facts.services."nix-serve" = {
+    secret."nix-serve.key" = { };
+    public."nix-serve.pub" = { };
+    generator.path = with pkgs; [ coreutils nix ];
+    generator.script = ''
+      nix-store --generate-binary-cache-key "cache.${config.networking.hostName}.wg0" nix-serve.key nix-serve.pub
+      mv nix-serve.key "$secrets"/nix-serve.key
+      mv nix-serve.pub "$facts"/nix-serve.pub
+    '';
+  };
+
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.clan.core.facts.services.nix-serve.secret."nix-serve.key".path;
+    port = 5005;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."cache.${config.networking.hostName}.wg0" = {
+      locations."/".extraConfig = ''
+        proxy_pass http://localhost:${toString config.services.nix-serve.port};
+        allow ${config.wireguard.wg0.subnet};
+        deny all;
+      '';
+      locations."= /nix-cache-info".extraConfig = ''
+        alias ${pkgs.writeText "cache-info" ''
+          StoreDir: /nix/store
+          WantMassQuery: 1
+          Priority: 42
+        ''};
+        allow ${config.wireguard.wg0.subnet};
+        deny all;
+      '';
+    };
+  };
+}
+
				`@ -0,0 +1 @@`
				`cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ=`