working on using new created cache

This commit is contained in:
Ingolf Wagner 2024-07-20 13:56:03 +02:00
parent 886535f95d
commit 6a07f4259a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
8 changed files with 70 additions and 8 deletions


@ -11,16 +11,16 @@ jobs:
${{ secrets.SSH_KEY }}
EOF
chmod 600 .id_rsa
eval $(ssh-agent)
ssh-add .id_rsa
cat <<EOF > "$GITHUB_ENV"
SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
SSH_AGENT_PID=$SSH_AGENT_PID
EOF
# - run: nix flake update
# - run: nix flake update
- run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel
- run: nix build .#nixosConfigurations.cream.config.system.build.toplevel
- run: nix build .#nixosConfigurations.cherry.config.system.build.toplevel
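Review bot: The deploy key written to `.id_rsa` inside the checkout on the lines above is never removed and the agent keeps running, so every later step (and any artifact or cache upload) can read the private key from the working tree. Feed the key to the agent without touching disk, `ssh-add - <<< "${{ secrets.SSH_KEY }}"`, or at least `rm -f .id_rsa` straight after `ssh-add .id_rsa`. The `run:` block that opens this heredoc starts above the hunk. Separately, the two `# - run: nix flake update` lines render identically, so whichever side is the removal, a one-line comment giving the reason updates are disabled here (e.g. `# flake update disabled on CI: build exactly the pinned inputs`) would save the next reader from guessing.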


@ -61,7 +61,7 @@ in
# We might want to remove this once, openssh is fixed everywhere:
# Workaround for CVE-2024-6387 and CVE-2024-6409
# https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
settings.LoginGraceTime = 0;
# settings.LoginGraceTime = 0;
};
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
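Review bot: Commenting out `settings.LoginGraceTime = 0;` drops the CVE-2024-6387 / CVE-2024-6409 mitigation while the three comment lines above it still describe the workaround as active, so a later reader cannot tell whether the fix landed or the line was disabled by accident. Either delete the comment together with the setting, or replace it with the reason: `# CVE-2024-6387/6409: LoginGraceTime=0 workaround dropped, pinned nixpkgs ships patched openssh (>= 9.8p1)`. Nothing in this commit shows the flake inputs being bumped (the workflow's `nix flake update` is commented out in the same commit), so confirm the pinned nixpkgs actually carries the fixed openssh before merging; if it does not, the setting should stay. The enclosing `services.openssh` attribute set starts outside the hunk.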


@ -22,6 +22,12 @@ with lib;
# };
#};
config = {
networking.extraHosts = ''
10.100.0.1 cache.orbi.wg0
'';
};
}
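Review bot: `cache.orbi.wg0` is pinned to the literal `10.100.0.1` here while the cache's nginx vhost added in the same commit gates on `config.wireguard.wg0.subnet`, so orbi's tunnel address is now maintained in two places and can drift. If the wireguard module exposes the peer's address, derive the entry from it instead of hard-coding it (`networking.extraHosts = "${orbiWgAddress} cache.orbi.wg0";`). Because the substituter is plain http, this hosts entry is what keeps cache traffic inside the tunnel; say so: `# must resolve to orbi's wg0 address only: the cache is plain http and reachable just inside the tunnel`.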


@ -179,6 +179,7 @@
assets = ./assets;
factsGenerator = clan-fact-generators.lib { inherit pkgs; };
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
zerotierDeviceName = "ztbn67ogn2";
};
};
@ -251,9 +252,15 @@
];
})
# configure nix
({ pkgs, lib, ... }:
({ pkgs, lib, clanLib, ... }:
{
nix.settings.substituters = [ "https://cache.nixos.org/" ];
nix.settings.substituters = [
"https://cache.nixos.org/"
"http://cache.orbi.wg0/"
];
nix.settings.trusted-public-keys = [
(clanLib.readFact "nix-serve.pub" "orbi")
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.max-jobs = 1;
# no channesl needed this way
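Review bot: `http://cache.orbi.wg0/` is a plaintext substituter with no comment on why that is acceptable, and a reader should not have to find the nginx allow-list to know; add above the list: `# orbi's cache is plain http: it resolves and answers only inside wg0, and every path is still signature-checked against trusted-public-keys below`. The `trusted-public-keys` list now names only orbi's key; the NixOS module normally merges cache.nixos.org's key into this list option, but verify with `nix config show | grep trusted-public-keys` on a rebuilt host, because without it every cache.nixos.org path is rejected as unsigned. `clanLib.readFact` presumably reads the fact file at evaluation time, so evaluating any machine now depends on `nix-serve.pub` being present in the checkout (it is added in this commit, but a regenerated or missing fact breaks evaluation of all hosts, not just orbi). The module continues past the hunk.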


@ -16,6 +16,7 @@
./service-vaultwarden.nix
#./service-surrealdb.nix # not really needed at the moment
./service-vikunja.nix
./service-nix-cache.nix
./nginx-ingolf-wagner-de.nix
./nginx-wkd.nix


@ -0,0 +1 @@
cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ=


@ -17,7 +17,7 @@ in
};
users.groups.gitea-runner = { };
clanCore.facts.services.gitea-runner = {
clan.core.facts.services.gitea-runner = {
secret."gitea-runner.token" = { };
generator = {
prompt = "please enter your gitea-runner password";
@ -51,7 +51,7 @@ in
pkgs.openssh
];
url = "https://git.ingolf-wagner.de";
tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path;
tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
name = "fick_deine_mudda";
labels = [
# provide a debian base with nodejs for actions


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
{
# nixpkgs.config.packageOverrides = p: {
# nix-serve = p.haskellPackages.nix-serve-ng;
# };
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
clan.core.facts.services."nix-serve" = {
secret."nix-serve.key" = { };
public."nix-serve.pub" = { };
generator.path = with pkgs; [ coreutils nix ];
generator.script = ''
nix-store --generate-binary-cache-key "cache.${config.networking.hostName}.wg0" nix-serve.key nix-serve.pub
mv nix-serve.key "$secrets"/nix-serve.key
mv nix-serve.pub "$facts"/nix-serve.pub
'';
};
services.nix-serve = {
enable = true;
secretKeyFile = config.clan.core.facts.services.nix-serve.secret."nix-serve.key".path;
port = 5005;
};
services.nginx = {
enable = true;
virtualHosts."cache.${config.networking.hostName}.wg0" = {
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
allow ${config.wireguard.wg0.subnet};
deny all;
'';
locations."= /nix-cache-info".extraConfig = ''
alias ${pkgs.writeText "cache-info" ''
StoreDir: /nix/store
WantMassQuery: 1
Priority: 42
''};
allow ${config.wireguard.wg0.subnet};
deny all;
'';
};
};
}
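Review bot: `services.nix-serve` is left on its default bind address, which as far as I recall the module is `0.0.0.0`, so port 5005 answers on every interface and the `allow`/`deny` rules in nginx only guard the proxied path, not the backend itself; since `proxy_pass` already targets `localhost`, bind the backend to loopback: `bindAddress = "127.0.0.1";` next to `port = 5005;`. The same `allow ${config.wireguard.wg0.subnet}; deny all;` pair is repeated in both locations; hoisting it into the virtual host's `extraConfig` keeps the two from drifting apart. Whether port 80 on orbi is open only towards wg0 is not visible here; if the firewall admits it on other interfaces, restricting the vhost with `listenAddresses` to the wg0 address gives a second layer beyond source-IP filtering. A one-line comment on the vhost stating that plain http is intentional because clients verify signatures against `nix-serve.pub` would document the trust model for the next maintainer.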