hydra: revive nix-serve.hq.c3d2.de binary cache

2022-01-09 01:46:11 +01:00 · 2022-01-09 01:46:11 +01:00 · 37c3082fea
parent 944d227d17
commit 37c3082fea
6 changed files with 28 additions and 5 deletions
--- a/flake.lock
+++ b/flake.lock
@ -351,11 +351,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1641664373,
-        "narHash": "sha256-/F17oCX99lBf1IyypncSPL2dCH1qZ5ddgCiYXbjf+Tg=",
+        "lastModified": 1641685255,
+        "narHash": "sha256-x/uImmv13RVSeyviavHNuSrMbNgrAEUytIMMBku0bzc=",
        "ref": "master",
-        "rev": "4d3e2f68d22fa73effc45a32f675fbe125775ab4",
-        "revCount": 118,
+        "rev": "108355b99088b53eae238c1cee2d5922c1f1d2ac",
+        "revCount": 119,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -377,6 +377,9 @@
          modules = [
            ./lib/lxc-container.nix
            ./hosts/containers/hydra
+            {
+              sops.defaultSopsFile = "${secrets}/hosts/hydra/secrets.yaml";
+            }
          ];
          system = "x86_64-linux";
        };
--- a/hosts/containers/hydra/cache-pub.key
+++ b/hosts/containers/hydra/cache-pub.key
@ -0,0 +1 @@
+nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
--- a/hosts/containers/hydra/cache.nix
+++ b/hosts/containers/hydra/cache.nix
@ -1,11 +1,17 @@
 { config, pkgs, ... }:

 {
+  sops.secrets."nix-serve/secretKey".mode = "0444";
+  # Nix binary cache
  services.nix-serve = {
    enable = true;
-    secretKeyFile = "/var/cache-priv-key.pem";
+    # secretKeyFile = config.sops.secrets."nix-serve/secretKey".path;
  };
+  # nix-serve requires a $HOME.
+  # also, systemd's LoadCredential mechanism doesn't work here.
+  systemd.services.nix-serve.serviceConfig.Environment = "HOME=%S NIX_SECRET_KEY_FILE=${config.sops.secrets."nix-serve/secretKey".path}";

+  # Nix binary cache thru reverse proxy for HTTPS
  services.nginx.virtualHosts."nix-serve.hq.c3d2.de" = {
    forceSSL = true;
    enableACME = true;
@ -17,6 +23,7 @@
    '';
  };

+  # TODO: what is this?
  services.nginx.virtualHosts."depot.hq.c3d2.de" = {
    forceSSL = true;
    enableACME = true;
--- a/lib/cache.nix
+++ b/lib/cache.nix
@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+  nix = lib.mkIf (config.networking.hostName != "hydra") {
+    binaryCaches = [
+      "https://nix-serve.hq.c3d2.de"
+    ];
+    binaryCachePublicKeys = [
+      (builtins.readFile ../hosts/containers/hydra/cache-pub.key)
+    ];
+  };
+}
--- a/lib/default.nix
+++ b/lib/default.nix
@ -33,6 +33,7 @@ in {
    ./audio-server
    ./pi-sensors.nix
    ./ceph-storage.nix
+    ./cache.nix
  ];

  options.c3d2 = with lib;
				`@ -0,0 +1 @@`
				`nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=`