From 6a07f4259ad0d685f4bbc7c2392098b8b81a748d Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Sat, 20 Jul 2024 13:56:03 +0200 Subject: [PATCH] working on using new created cache --- .forgejo/workflows/build.yaml | 6 +-- components/network/sshd/default.nix | 2 +- components/network/wireguard.nix | 6 +++ flake.nix | 11 +++++- machines/orbi/configuration.nix | 1 + machines/orbi/facts/nix-serve.pub | 1 + machines/orbi/service-forgejo-runner.nix | 4 +- machines/orbi/service-nix-cache.nix | 47 ++++++++++++++++++++++++ 8 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 machines/orbi/facts/nix-serve.pub create mode 100644 machines/orbi/service-nix-cache.nix diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml index b1e0f69..d1d2304 100644 --- a/.forgejo/workflows/build.yaml +++ b/.forgejo/workflows/build.yaml @@ -11,16 +11,16 @@ jobs: ${{ secrets.SSH_KEY }} EOF chmod 600 .id_rsa - + eval $(ssh-agent) ssh-add .id_rsa - + cat < "$GITHUB_ENV" SSH_AUTH_SOCK="$SSH_AUTH_SOCK" SSH_AGENT_PID=$SSH_AGENT_PID EOF -# - run: nix flake update + # - run: nix flake update - run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel - run: nix build .#nixosConfigurations.cream.config.system.build.toplevel - run: nix build .#nixosConfigurations.cherry.config.system.build.toplevel diff --git a/components/network/sshd/default.nix b/components/network/sshd/default.nix index 0eb8395..8498d89 100644 --- a/components/network/sshd/default.nix +++ b/components/network/sshd/default.nix @@ -61,7 +61,7 @@ in # We might want to remove this once, openssh is fixed everywhere: # Workaround for CVE-2024-6387 and CVE-2024-6409 # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128 - settings.LoginGraceTime = 0; + # settings.LoginGraceTime = 0; }; users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles; 
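Review bot: Commenting out `settings.LoginGraceTime = 0;` in components/network/sshd/default.nix drops the CVE-2024-6387 / CVE-2024-6409 workaround, yet the commit subject is about the binary cache and nothing in the patch shows the nixpkgs pin moving to an openssh that carries the fix. Either confirm the pinned openssh is fixed (the linked nixpkgs PR 323753 is the reference point) before removing the line, or leave it active until then. The three comment lines above it still describe an active workaround; if the removal stands, replace them with a note such as `# LoginGraceTime workaround removed after confirming the pinned openssh is fixed for CVE-2024-6387/6409`, so the next reader does not re-add it or wonder why it vanished. The enclosing attribute set that holds `settings` starts outside the hunk.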
diff --git a/components/network/wireguard.nix b/components/network/wireguard.nix index 77f2680..52a232f 100644 --- a/components/network/wireguard.nix +++ b/components/network/wireguard.nix @@ -22,6 +22,12 @@ with lib; # }; #}; + config = { + networking.extraHosts = '' + 10.100.0.1 cache.orbi.wg0 + ''; + }; + } diff --git a/flake.nix b/flake.nix index b384187..400e7e4 100644 --- a/flake.nix +++ b/flake.nix @@ -179,6 +179,7 @@ assets = ./assets; factsGenerator = clan-fact-generators.lib { inherit pkgs; }; clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; }; + zerotierDeviceName = "ztbn67ogn2"; }; }; @@ -251,9 +252,15 @@ ]; }) # configure nix - ({ pkgs, lib, ... }: + ({ pkgs, lib, clanLib, ... }: { - nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.substituters = [ + "https://cache.nixos.org/" + "http://cache.orbi.wg0/" + ]; + nix.settings.trusted-public-keys = [ + (clanLib.readFact "nix-serve.pub" "orbi") + ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.max-jobs = 1; # no channesl needed this way diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix index f781c19..d8b61d7 100644 --- a/machines/orbi/configuration.nix +++ b/machines/orbi/configuration.nix @@ -16,6 +16,7 @@ ./service-vaultwarden.nix #./service-surrealdb.nix # not really needed at the moment ./service-vikunja.nix + ./service-nix-cache.nix ./nginx-ingolf-wagner-de.nix ./nginx-wkd.nix diff --git a/machines/orbi/facts/nix-serve.pub b/machines/orbi/facts/nix-serve.pub new file mode 100644 index 0000000..648e5dd --- /dev/null +++ b/machines/orbi/facts/nix-serve.pub @@ -0,0 +1 @@ +cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ= \ No newline at end of file diff --git a/machines/orbi/service-forgejo-runner.nix b/machines/orbi/service-forgejo-runner.nix index 87cca39..db3c9f6 100644 --- a/machines/orbi/service-forgejo-runner.nix +++ b/machines/orbi/service-forgejo-runner.nix 
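Review bot: The new `config = { networking.extraHosts = … }` block in components/network/wireguard.nix hard-codes `10.100.0.1` for `cache.orbi.wg0`, while the rest of the patch addresses wg0 through module options (service-nix-cache.nix reads `config.wireguard.wg0.subnet`); if this component already models orbi's wg0 address as an option, deriving the hosts entry from it keeps the two from drifting apart. Introducing a top-level `config = { … }` also requires every other top-level attribute of the module to live under `options`/`config`; only commented-out lines and the closing brace are visible here, so whether that already holds cannot be judged from the hunk. A short comment would record the intent, e.g. `# static /etc/hosts entry so substitution from the wg0 cache does not depend on DNS`, if that is the reason for pinning the name.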
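Review bot: The new `trusted-public-keys` entry in flake.nix makes every machine built from this flake accept any store path signed with orbi's nix-serve key, and nix-serve signs whatever is present in orbi's store at request time; orbi also hosts the Forgejo runner (service-forgejo-runner.nix in this same patch), so if CI jobs build through the host nix daemon, their outputs become fleet-wide trusted artifacts. That relationship deserves a comment beside the key, e.g. `# orbi's nix-serve key: any path in orbi's store is accepted by every machine, so orbi's builders must stay trusted`. The substituter is plain `http://`, which is acceptable here only because path signatures are verified and the name resolves to the WireGuard address, so that reasoning is worth a one-line comment too. If wg0 is down on a client, substitution will stall on the unreachable cache; `nix.settings.connect-timeout` is the knob to bound that. The module function `({ pkgs, lib, clanLib, ... }: { … })` continues past the end of the hunk.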
@@ -17,7 +17,7 @@ in }; users.groups.gitea-runner = { }; - clanCore.facts.services.gitea-runner = { + clan.core.facts.services.gitea-runner = { secret."gitea-runner.token" = { }; generator = { prompt = "please enter your gitea-runner password"; @@ -51,7 +51,7 @@ in pkgs.openssh ]; url = "https://git.ingolf-wagner.de"; - tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path; + tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path; name = "fick_deine_mudda"; labels = [ # provide a debian base with nodejs for actions diff --git a/machines/orbi/service-nix-cache.nix b/machines/orbi/service-nix-cache.nix new file mode 100644 index 0000000..c0d8e91 --- /dev/null +++ b/machines/orbi/service-nix-cache.nix 
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+{
+
+ # nixpkgs.config.packageOverrides = p: {
+ # nix-serve = p.haskellPackages.nix-serve-ng;
+ # };
+
+ # generate private key with:
+ # nix-store --generate-binary-cache-key my-secret-key my-public-key
+ clan.core.facts.services."nix-serve" = {
+ secret."nix-serve.key" = { };
+ public."nix-serve.pub" = { };
+ generator.path = with pkgs; [ coreutils nix ];
+ generator.script = ''
+ nix-store --generate-binary-cache-key "cache.${config.networking.hostName}.wg0" nix-serve.key nix-serve.pub
+ mv nix-serve.key "$secrets"/nix-serve.key
+ mv nix-serve.pub "$facts"/nix-serve.pub
+ '';
+ };
+
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = config.clan.core.facts.services.nix-serve.secret."nix-serve.key".path;
+ port = 5005;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."cache.${config.networking.hostName}.wg0" = {
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ allow ${config.wireguard.wg0.subnet};
+ deny all;
+ '';
+ locations."= /nix-cache-info".extraConfig = ''
+ alias ${pkgs.writeText "cache-info" ''
+ StoreDir: /nix/store
+ WantMassQuery: 1
+ Priority: 42
+ ''};
+ allow ${config.wireguard.wg0.subnet};
+ deny all;
+ '';
+ };
+ };
+}
+
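Review bot: `services.nix-serve` is configured with only `enable`, `secretKeyFile` and `port = 5005`, so it keeps the NixOS default `bindAddress` of `0.0.0.0`, and the `allow ${config.wireguard.wg0.subnet}; deny all;` ACL is enforced only on requests that pass through nginx; any peer the host firewall lets reach TCP 5005 talks to the backend directly. Since the proxy targets `localhost`, add `bindAddress = "127.0.0.1";` next to `port` so the cache is reachable only through the ACL'd vhost. The served `nix-cache-info` advertises `Priority: 42`, which ranks below cache.nixos.org's 40, so clients will still query upstream first; lower the number if this cache is meant to be preferred. A header comment stating the trust model would help maintainers, e.g. `# Signs and serves this host's whole store to wg0 peers; every machine trusts this key via flake.nix trusted-public-keys`.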