feat(servers): add self-hosted bin cache

2023-12-26 00:48:43 -05:00 · 2023-12-26 00:48:43 -05:00 · f969c050cf
parent 035bd58eb2
commit f969c050cf
7 changed files with 64 additions and 52 deletions
--- a/.forgejo/workflows/cachix.yml
+++ b/.forgejo/workflows/cachix.yml
@ -1,42 +0,0 @@
-name: Binary Cache
-
-on: [push, pull_request, workflow_dispatch]
-
-jobs:
-  nix:
-    name: "Build"
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: https://github.com/actions/checkout@v3
-      with:
-        submodules: recursive
-
-    - name: Setup-Nix
-      uses: https://github.com/cachix/install-nix-action@v24
-      with:
-        github_access_token: ${{ secrets.TOKEN_GH }}
-
-    - name: Install-nixci
-      uses: https://github.com/yaxitech/nix-install-pkgs-action@v3
-      with:
-        packages: "nixpkgs#nixci, dig"
-
-    - name: Setup-cachix
-      uses: https://github.com/cachix/cachix-action@v12
-      with:
-        name: archives
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-
-    - name: Install SSH key
-      run: |
-        install -m 600 -D /dev/null ~/.ssh/id_rsa
-        echo "${{ secrets.PRIVATE_SSH_KEY }}" > ~/.ssh/id_rsa
-        host='git.nelim.org'
-        hosts="$(dig +short "$host" | grep -v '\.$' | sed -z 's|\n|,|g')$host"
-        ssh-keyscan -H "$hosts" > ~/.ssh/known_hosts
-
-    - name: Build-configs
-      run: |
-        nix flake update
-        nixci
--- a/common/modules/cachix.nix
+++ b/common/modules/cachix.nix
@ -15,7 +15,7 @@
        # Caddy
        "https://caddycf.cachix.org"
        # Personal config cache
-        "https://archives.cachix.org"
+        "https://cache.nelim.org"
      ];
      trusted-public-keys = [
        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
@ -30,7 +30,7 @@
        # Caddy
        "caddycf.cachix.org-1:6vbQaeiec/zKv9XfEwi9yWVCe7opbeJMu6w81UEXugY="
        # Personal config cache
-        "archives.cachix.org-1:6fvCc0qfKnnYVUmNw0TeT4qH/ZNAGLOzw7SlgWN5bV0="
+        "cache.nelim.org:JmFqkUdH11EA9EZOFAGVHuRYp7EbsdJDHvTQzG2pPyY="
      ];
    };
  };
--- a/devices/oksys/modules/caddy.nix
+++ b/devices/oksys/modules/caddy.nix
@ -28,6 +28,7 @@ in {
    virtualHosts = let
      dockerIP = "10.0.0.122";
      jellyIP = "10.0.0.123";
+      servivi = "10.0.0.249";
    in {
      "nelim.org" = {
        serverAliases = ["*.nelim.org"];
@ -68,6 +69,11 @@ in {
            reverseProxy = "${dockerIP}:3000";
          };

+          nix-binary-cache = {
+            subDomainName = "cache";
+            reverseProxy = "${servivi}:5000";
+          };
+
          calibre = {
            subDomainName = "books";
            reverseProxy = "${dockerIP}:8083";
--- a/devices/servivi/default.nix
+++ b/devices/servivi/default.nix
@ -4,6 +4,8 @@

    ../../modules/kmscon.nix
    ../../modules/tailscale.nix
+
+    ./modules/binary-cache.nix
  ];

  vars = {
--- a/devices/servivi/modules/binary-cache.nix
+++ b/devices/servivi/modules/binary-cache.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  nixpkgs,
+  ...
+}: let
+  secrets = config.sops.secrets;
+  vars = config.vars;
+in {
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = secrets.binary-cache-key.path;
+  };
+
+  systemd = {
+    services.buildAll = {
+      serviceConfig = {
+        Type = "oneshot";
+        User = vars.user;
+        Group = config.users.users.${vars.user}.group;
+      };
+      script = ''
+        cd /tmp
+        ${pkgs.nix}/bin/nix-shell \
+          -I "nixpkgs=${nixpkgs}" \
+          -p openssh nix git nixci --run \
+        "${builtins.concatStringsSep "; " [
+          "git clone https://git.nelim.org/matt1432/nixos-configs.git nix-clone"
+          "cd nix-clone"
+          "nix flake update"
+          "nixci ."
+          "cd .."
+          "rm -r nix-clone"
+        ]}"
+      '';
+    };
+    timers.buildAll = {
+      wantedBy = ["timers.target"];
+      partOf = ["buildAll.service"];
+      timerConfig.OnCalendar = ["*-*-* 0:00:00"];
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -878,11 +878,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1703558681,
-        "narHash": "sha256-nMkDgZbKOxq6Nscj86U5uzxmDu6nfLSm/GNNqQx7j4E=",
+        "lastModified": 1703562846,
+        "narHash": "sha256-ZMoJ8o+ey78WUN4CVXWOD+XacH+uRuoZIFJFmB+mTug=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "b3967cffef433fe025ef03ebca93a56376fbcb88",
+        "rev": "a40c29c5c7beb812885ef39f0682457655dc6017",
        "type": "github"
      },
      "original": {
@ -940,11 +940,11 @@
        "sops-nix": "sops-nix"
      },
      "locked": {
-        "lastModified": 1703364898,
-        "narHash": "sha256-sU02sZfhdxHlMMqSKdlPE9upZ5RXKVzgfW1GSAuf30U=",
+        "lastModified": 1703563864,
+        "narHash": "sha256-sP2Hool59oPdB3pORlEYMg5Fhb+GSzGwSzeYl2+hBXQ=",
        "ref": "refs/heads/main",
-        "rev": "04081fc81d9df533d0f81f89b1730eb15bdbc6a8",
-        "revCount": 6,
+        "rev": "810545ee6ef90fa41f8c0a28e5de45aa646f411c",
+        "revCount": 14,
        "type": "git",
        "url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
      },
--- a/flake.nix
+++ b/flake.nix
@ -33,7 +33,10 @@
      wim = mkNixOS [./devices/wim];
      binto = mkNixOS [./devices/binto];

-      servivi = mkNixOS [./devices/servivi];
+      servivi = mkNixOS [
+        ./devices/servivi
+        secrets.nixosModules.servivi
+      ];
      oksys = mkNixOS [
        ./devices/oksys
        secrets.nixosModules.oksys