working on using new created cache
This commit is contained in:
parent
886535f95d
commit
6a07f4259a
8 changed files with 70 additions and 8 deletions
|
@ -11,16 +11,16 @@ jobs:
|
|||
${{ secrets.SSH_KEY }}
|
||||
EOF
|
||||
chmod 600 .id_rsa
|
||||
|
||||
|
||||
eval $(ssh-agent)
|
||||
ssh-add .id_rsa
|
||||
|
||||
|
||||
cat <<EOF > "$GITHUB_ENV"
|
||||
SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
|
||||
SSH_AGENT_PID=$SSH_AGENT_PID
|
||||
EOF
|
||||
|
||||
# - run: nix flake update
|
||||
# - run: nix flake update
|
||||
- run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel
|
||||
- run: nix build .#nixosConfigurations.cream.config.system.build.toplevel
|
||||
- run: nix build .#nixosConfigurations.cherry.config.system.build.toplevel
|
||||
|
|
|
@ -61,7 +61,7 @@ in
|
|||
# We might want to remove this once, openssh is fixed everywhere:
|
||||
# Workaround for CVE-2024-6387 and CVE-2024-6409
|
||||
# https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
|
||||
settings.LoginGraceTime = 0;
|
||||
# settings.LoginGraceTime = 0;
|
||||
};
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
|
||||
|
|
|
@ -22,6 +22,12 @@ with lib;
|
|||
# };
|
||||
#};
|
||||
|
||||
config = {
|
||||
networking.extraHosts = ''
|
||||
10.100.0.1 cache.orbi.wg0
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
|
11
flake.nix
11
flake.nix
|
@ -179,6 +179,7 @@
|
|||
assets = ./assets;
|
||||
factsGenerator = clan-fact-generators.lib { inherit pkgs; };
|
||||
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
|
||||
zerotierDeviceName = "ztbn67ogn2";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -251,9 +252,15 @@
|
|||
];
|
||||
})
|
||||
# configure nix
|
||||
({ pkgs, lib, ... }:
|
||||
({ pkgs, lib, clanLib, ... }:
|
||||
{
|
||||
nix.settings.substituters = [ "https://cache.nixos.org/" ];
|
||||
nix.settings.substituters = [
|
||||
"https://cache.nixos.org/"
|
||||
"http://cache.orbi.wg0/"
|
||||
];
|
||||
nix.settings.trusted-public-keys = [
|
||||
(clanLib.readFact "nix-serve.pub" "orbi")
|
||||
];
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
nix.settings.max-jobs = 1;
|
||||
# no channesl needed this way
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
./service-vaultwarden.nix
|
||||
#./service-surrealdb.nix # not really needed at the moment
|
||||
./service-vikunja.nix
|
||||
./service-nix-cache.nix
|
||||
|
||||
./nginx-ingolf-wagner-de.nix
|
||||
./nginx-wkd.nix
|
||||
|
|
1
machines/orbi/facts/nix-serve.pub
Normal file
1
machines/orbi/facts/nix-serve.pub
Normal file
|
@ -0,0 +1 @@
|
|||
cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ=
|
|
@ -17,7 +17,7 @@ in
|
|||
};
|
||||
users.groups.gitea-runner = { };
|
||||
|
||||
clanCore.facts.services.gitea-runner = {
|
||||
clan.core.facts.services.gitea-runner = {
|
||||
secret."gitea-runner.token" = { };
|
||||
generator = {
|
||||
prompt = "please enter your gitea-runner password";
|
||||
|
@ -51,7 +51,7 @@ in
|
|||
pkgs.openssh
|
||||
];
|
||||
url = "https://git.ingolf-wagner.de";
|
||||
tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path;
|
||||
tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
|
||||
name = "fick_deine_mudda";
|
||||
labels = [
|
||||
# provide a debian base with nodejs for actions
|
||||
|
|
47
machines/orbi/service-nix-cache.nix
Normal file
47
machines/orbi/service-nix-cache.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
|
||||
# nixpkgs.config.packageOverrides = p: {
|
||||
# nix-serve = p.haskellPackages.nix-serve-ng;
|
||||
# };
|
||||
|
||||
# generate private key with:
|
||||
# nix-store --generate-binary-cache-key my-secret-key my-public-key
|
||||
clan.core.facts.services."nix-serve" = {
|
||||
secret."nix-serve.key" = { };
|
||||
public."nix-serve.pub" = { };
|
||||
generator.path = with pkgs; [ coreutils nix ];
|
||||
generator.script = ''
|
||||
nix-store --generate-binary-cache-key "cache.${config.networking.hostName}.wg0" nix-serve.key nix-serve.pub
|
||||
mv nix-serve.key "$secrets"/nix-serve.key
|
||||
mv nix-serve.pub "$facts"/nix-serve.pub
|
||||
'';
|
||||
};
|
||||
|
||||
services.nix-serve = {
|
||||
enable = true;
|
||||
secretKeyFile = config.clan.core.facts.services.nix-serve.secret."nix-serve.key".path;
|
||||
port = 5005;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."cache.${config.networking.hostName}.wg0" = {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||
allow ${config.wireguard.wg0.subnet};
|
||||
deny all;
|
||||
'';
|
||||
locations."= /nix-cache-info".extraConfig = ''
|
||||
alias ${pkgs.writeText "cache-info" ''
|
||||
StoreDir: /nix/store
|
||||
WantMassQuery: 1
|
||||
Priority: 42
|
||||
''};
|
||||
allow ${config.wireguard.wg0.subnet};
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in a new issue