hydra: migrate domain nix-cache -> hydra.hq.c3d2.de

Sandro - 2024-05-21 23:03:33 +02:00
parent 3ef0ac0666
commit e51a6f4e3c
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
11 changed files with 38 additions and 18 deletions


@ -68,8 +68,8 @@ For every host that has a `nixosConfiguration` in our Flake, there are two scrip
To use the cache from hydra set the following nix options similar to enabling flakes:
```
trusted-public-keys = nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
trusted-substituters = https://nix-cache.hq.c3d2.de
trusted-public-keys = hydra.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
trusted-substituters = https://hydra.hq.c3d2.de
```
This can also be set with the `c3d2.addBinaryCache` option from the [c3d2-user-module](https://gitea.c3d2.de/c3d2/nix-user-module).


@ -157,12 +157,12 @@
# if a download from hydra fails, we want to stop and retry it, instead of building it
fallback = false;
trusted-public-keys = [
"nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
"hydra.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
stalled-download-timeout = 30; # in case hydra is not reachable fail faster
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-cache.hq.c3d2.de" ]
lib.mkBefore [ "https://hydra.hq.c3d2.de" ]
);
};
};
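Review bot: Nix matches a narinfo signature to a trusted key by the name in front of the colon, so replacing the only `trusted-public-keys` entry `nix-cache.hq.c3d2.de:…` with `hydra.hq.c3d2.de:…` makes any path still signed under the old name untrusted on hosts built from this config. Whether such signatures remain depends on how the server signs, which this hunk does not show; the re-encrypted `signing-key` entries in the secrets file suggest the key was renamed in the same commit. The key material is identical under both names, so keeping the old entry next to the new one adds no trust and gives an overlap window, for example `"nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" # TODO: drop together with the old vhost`. The enclosing attribute set starts outside the hunk.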


@ -2,8 +2,8 @@
description = "C3D2 NixOS configurations";
nixConfig = {
extra-substituters = [ "https://nix-cache.hq.c3d2.de" ];
extra-trusted-public-keys = [ "nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" ];
extra-substituters = [ "https://hydra.hq.c3d2.de" ];
extra-trusted-public-keys = [ "hydra.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" ];
};
inputs = {


@ -174,11 +174,31 @@
default = true;
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
locations = let
harmonia = {
proxyPass = "http://127.0.0.1:${toString config.services.harmonia.port}";
# harmonia serves already compressed content and we want to preserve Content-Length
extraConfig = /* nginx */ ''
proxy_buffering off;
brotli off;
gzip off;
zstd off;
'';
};
in {
"/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
"/static/".alias = "${config.services.hydra.package}/libexec/hydra/root/static/";
"~ /.*\\.ls$" = harmonia;
"~ /.*\\.narinfo$" = harmonia;
"~ /nar/.*\\.nar$" = harmonia;
"= /version" = harmonia;
"= /nix-cache-info" = harmonia;
};
serverAliases = [
"hydra.serv.zentralwerk.org"
];
};
# TODO: deprecate
"nix-cache.hq.c3d2.de" = {
forceSSL = true;
enableACME = true;
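Review bot: The three regex locations are not anchored at the start of the path, so `~ /.*\\.ls$`, `~ /.*\\.narinfo$` and `~ /nar/.*\\.nar$` match any request that merely ends that way, at any depth, and route it to harmonia instead of Hydra on this shared vhost. Assuming harmonia serves these objects only at the top level and under `/nar/`, anchor and narrow them: `"~ ^/[^/]+\\.ls$"`, `"~ ^/[^/]+\\.narinfo$"`, `"~ ^/nar/[^/]+\\.nar$"`. A short comment above the `harmonia` binding saying which paths belong to the cache and which to Hydra would also make the split easier to audit. The virtual-host attribute set continues outside the hunk.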


@ -2,8 +2,8 @@ machine-id: ENC[AES256_GCM,data:/DmTA1InXn2MWnqmhkHYWaI504qnT0dFoQj2gganMqA=,iv:
nix:
access-tokens: ENC[AES256_GCM,data:6qYsInpdUwkWCFroA9AMUIHfu2/XoKfHPtwLRyaIffrcAa9KaHfgO7fKAvsySkaQ7mc9yImZxC5/AurN6zDMTOe1YQ4tVxcsDcBOtjEF+EBJjY2gS5LmxkreIr5+I8TYHSO0Bj7CZQAZOdtQW7mZ6CQ=,iv:NW4moujf3yCEbmLIW5lp+Zc0IMAy1W8xsVXgaCIpNUY=,tag:GkQNy8IarFWPkCTIxbn1gw==,type:str]
signing-key:
publicKey: ENC[AES256_GCM,data:uCu93uTpOjgu0y41mduuP+wthq21Ywren0fwps2KF/7dnuOBbZ7N47khgemZV0mLzk0UTWqdcceRP1V12olpCRM=,iv:m+5kJdcGG+F+Wk2vjmNk/BAka8al6VVsjnP7eqq9VJI=,tag:hID2IX5WU+iRiQnHS9IW1w==,type:str]
secretKey: ENC[AES256_GCM,data:o9GEuqRQff4G7sv8f8OVr1tuvMQK97w3+l6MxHGy6ZAzklRQfrGmGCsKi5LVqpRXcc39VPp4kQZ7Iqlv4ZeaAM9p3FneXyPdyWyumsZVjPV8ChY9myQypXhngK/RD1+c+Wuzqlf8t5UnHY3F4Q==,iv:RBjPusXr46YQvuq2P/EenTcQJOutvCUheGya+zEnPHA=,tag:bXKzk4yRIktpZ1/w+6qsug==,type:str]
publicKey: ENC[AES256_GCM,data:xDx0iEJ83PYghXAm9veWyDbIbHqov3gqP90o+2GtwtmJeh/yeTnk+HRSQ0KRsHXIx+E1X9LX6OltuIjhGA==,iv:Fq1eoZXjRo65YazKoRBLV2RZ95W89oVaLIesE9+XlwM=,tag:TYiuAE58KGzaGL2uvJ9z/Q==,type:str]
secretKey: ENC[AES256_GCM,data:+Vee95OLrU2KsNY9O7OZcWpPFRBjaByNi7K5KXNuheBX+QGPZes7ITTsIGizScSd0QErJqGqJxU8iT/y42TYxKn02xKwYjhwDN/Lddu/uz8dBVjEVt40EO32Dsca7VaOwy+zVRQaLhx/,iv:lBjSGD+2ONWwL18xtoar4UqejWmnNYuRL78VQo+HNJ0=,tag:4zPnmGEpebxaW3kTdvO6FA==,type:str]
ldap:
search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
ssh-keys:
@ -44,8 +44,8 @@ sops:
Mk8wME9Uc3hhVkk1bVFRaWJ3cW1hWVEKym1kyQ+Z/rgT5jLMI7l1qdm+N+FpM+XT
tKq3ZrJdI6/yhBjMOD8aR6YL3lLo1ZSGse4PqszN/2QKjUz8cJezEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T22:44:07Z"
mac: ENC[AES256_GCM,data:7MFxpAJo/7rlW4bTvVGVYT+TvjB/U7lXXusz5vjr5xTI4f+bAKOEV2YyINrEWTle43aivUr0HMCn/cM77dne189ojejZJayH6ICrtjM28nvQxEP4OahXkcUpK2q0Wq6+O/g0u+ApwmILx7EeIoGNYTJ+XJEBM3hfSc5p7BVfTuQ=,iv:vaYRoPK6vQvEYC7loExUbUtsLA0BSI8KLCkJieT80Ok=,tag:1q6GqBX9Tm9rO1lWh6pkXA==,type:str]
lastmodified: "2024-05-21T18:06:29Z"
mac: ENC[AES256_GCM,data:yeTzbQ0IoCg8DqmaRU1OMTe0saVnpm1LmeW9YJszKFajtue1jzDVHOrCxoMELPR8zQgF8fbdRtG8C/w1HUFoq6+PpF3QyH5v8HDEhtaMiEqaG9f4HOkHXIJ4xLCa50o/PiUbuN7ApsjCRJxMEWNt/LC3CGRd9elaV8WGnRAEpWg=,iv:RQdxFiPS2kMJjhp5Dwmb809lHGyuZHWfUk+RJoy4FjI=,tag:OFPQt7W1Hje1RPR57Luryw==,type:str]
pgp:
- created_at: "2023-08-08T22:43:36Z"
enc: |


@ -17,7 +17,7 @@ let
)
${lib.getExe config.nix.package} --extra-experimental-features nix-command \
copy \
--from https://nix-cache.hq.c3d2.de \
--from https://hydra.hq.c3d2.de \
--to /var/lib/nfsroot/dacbert \
--no-check-sigs \
$SYSTEM $BOOT
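Review bot: The `nix copy` into `/var/lib/nfsroot/dacbert` still passes `--no-check-sigs`, so after the switch to `https://hydra.hq.c3d2.de` the integrity of the netboot closure rests only on TLS and name resolution for the new host, not on the cache signing key. If the flag was only needed because the destination store did not know the cache key, it may now be removable, since the key is trusted system-wide under the new name; otherwise add a comment stating why it is required, e.g. `# --no-check-sigs: <reason>; paths are not verified against trusted-public-keys here`. The script body starts before the hunk and continues after it.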


@ -82,7 +82,7 @@
} {
hostNames = [
"hydra.hq.c3d2.de"
"nix-cache.hq.c3d2.de"
"nix-cache.hq.c3d2.de" # TODO: deprecate
];
proxyTo.host = hostRegistry.hydra.ip4;
# TODO: enable in hydra


@ -38,7 +38,7 @@
if [ "$OLD" != "$NEW" ]; then
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
# this should fetch the new system from the binary cache
nix copy --from https://nix-cache.hq.c3d2.de "$NEW"
nix copy --from https://hydra.hq.c3d2.de "$NEW"
if [ -e "$NEW/etc/systemd/system/autoupdate.timer" ]; then
echo "Switch to the new system..."
nix-env -p /nix/var/nix/profiles/system --set $NEW
@ -85,7 +85,7 @@
if [ "$OLD" != "$NEW" ]; then
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
# this should fetch the new system from the binary cache
nix copy --from https://nix-cache.hq.c3d2.de "$NEW"
nix copy --from https://hydra.hq.c3d2.de "$NEW"
echo "Switch to the new system..."
nix-env -p /nix/var/nix/profiles/system --set $NEW
"$NEW/bin/switch-to-configuration" switch


@ -73,7 +73,7 @@
# just assume there are ssd's everywhere
fstrim.enable = true;
resolved.extraConfig = /* systemd */ ''
# don't cache NXDOMAIN which often happened for nix-cache.hq.c3d2.de after a restart
# don't cache NXDOMAIN which often happened for hydra.hq.c3d2.de after a restart
Cache=no-negative
'';
smartd.enable = true;


@ -94,7 +94,7 @@
cd /var/lib/microvms/$NAME
if [ "$(cat flake)" = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update" ]; then
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/$NAME/latest | ${pkgs.jq}/bin/jq -er .buildoutputs.out.path)
nix copy --from https://nix-cache.hq.c3d2.de $NEW
nix copy --from https://hydra.hq.c3d2.de $NEW
if [ -e booted ]; then
nix store diff-closures $(readlink booted) $NEW
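Review bot: `$NEW` is taken from an HTTP response via `curl … | jq -er .buildoutputs.out.path` and then expanded unquoted in `nix copy --from https://hydra.hq.c3d2.de $NEW` and in `nix store diff-closures`, so an empty or unexpected value is word-split into the command line instead of being rejected. Quote it and check its shape before use: `case "$NEW" in /nix/store/*) ;; *) exit 1 ;; esac` followed by `nix copy --from https://hydra.hq.c3d2.de "$NEW"`. Whether the script runs under `set -e` or `pipefail` is not visible here, so a failed `curl` may not stop it on its own. The surrounding `if` blocks open and close outside the hunk.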


@ -151,7 +151,7 @@ lib.attrsets.mapAttrs
ssh ${target} -- bash -e <<EOF
[[ \$(cat /etc/hostname) == ${name} ]]
echo Copying data from Hydra to ${name}
nix copy --from https://nix-cache.hq.c3d2.de \
nix copy --from https://hydra.hq.c3d2.de \
$TOPLEVEL
echo Activation on ${name}: "$@"