diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 95f84c1..6a2f53e 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -4,35 +4,38 @@ on: [push] env: DEBIAN_FRONTEND: noninteractive - PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin - -# defaults: -# run: -# shell: nix shell nixpkgs#nodejs-18_x + SSH_AUTH_SOCK: /tmp/ssh_agent.sock jobs: check-flake: - runs-on: nixos + runs-on: ubuntu-latest steps: - # - run: node --version - # - name: Install basic dependencies - # run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils - - # - name: Install Nix - # uses: https://github.com/cachix/install-nix-action@v20 - # with: - # github_access_token: ${{ secrets.__GITHUB_TOKEN }} - - - name: Install dependencies - run: nix profile install nixpkgs#nodejs-18_x + - name: Install Nix + uses: https://github.com/cachix/install-nix-action@v23 + with: + github_access_token: ${{ secrets.__GITHUB_TOKEN }} + extra_nix_config: | + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= + substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000 - name: Checkout the repository uses: actions/checkout@v3 with: fetch-depth: 0 - # - name: Get ENV var names - # run: printenv | cut -d'=' -f1 - - name: Check Flake - run: nix flake check --show-trace \ No newline at end of file + run: nix flake check --show-trace + + - name: Setup SSH For Pushing to Binary Cache + run: | + # Set up push key with ssh-agent + echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519 + chmod 600 ./.id_ed25519 + eval $(ssh-agent -a $SSH_AUTH_SOCK) + ssh-add ./.id_ed25519 + # Add Binary Cache as known host + mkdir -p ~/.ssh + echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts + + - name: Copy all built derivations to remote cache + run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/* \ No newline at end of file 
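Review bot: The final step pushes the runner's whole store (`nix copy --to ... /nix/store/*`) to a host where `cache-push` is listed in `trusted-users`, so every path that happens to exist on the runner — not only what `nix flake check` just verified — is accepted unsigned and, given the `secretKeyFile` configured on s0, presumably re-served under the cache's own signature; with `on: [push]` this happens for a push to any branch. Copy only the flake's own outputs instead, e.g. `nix copy --to ssh://cache-push@s0.koi-bebop.ts.net .#checks.x86_64-linux.<check>` for each check worth caching (the exact attribute paths depend on the flake). The private key also stays on disk inside the checkout as `./.id_ed25519` after `ssh-add`; append `rm -f ./.id_ed25519` once the agent holds it. Pinning `install-nix-action@v23` and `checkout@v3` to commit SHAs rather than mutable tags would close the remaining supply-chain gap in this workflow.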
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix index efa6afb..0afc8c7 100644 --- a/machines/storage/s0/default.nix +++ b/machines/storage/s0/default.nix @@ -32,6 +32,13 @@ secretKeyFile = "/run/agenix/binary-cache-private-key"; }; age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age; + users.users.cache-push = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ]; + }; + nix.settings = { + trusted-users = [ "cache-push" ]; + }; services.iperf3.enable = true; services.iperf3.openFirewall = true; diff --git a/secrets/binary-cache-push-sshkey.age b/secrets/binary-cache-push-sshkey.age new file mode 100644 index 0000000..5ae1484 Binary files /dev/null and b/secrets/binary-cache-push-sshkey.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 456fb03..37a15c2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,6 +22,8 @@ with roles; # nix binary cache # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= "binary-cache-private-key.age".publicKeys = binary-cache; + # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB + "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea # vpn "iodine.age".publicKeys = iodine;
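Review bot: The new `cache-push` account combines an unrestricted authorized key, a login shell (`isNormalUser = true`), and membership in `nix.settings.trusted-users`, which the Nix manual describes as effectively root-equivalent on the daemon — so the key kept in Gitea's secret store is now a root-equivalent credential for s0. `nix copy --to ssh://` only needs `nix-store --serve --write` on the remote, so force that command and disable everything else for the key: `openssh.authorizedKeys.keys = [ "command=\"nix-store --serve --write\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];`. If the runner signed its paths with a key listed in s0's `trusted-public-keys` instead, the user would not need to be in `trusted-users` at all. The enclosing module attrset starts outside this hunk.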
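Review bot: `"binary-cache-push-sshkey.age".publicKeys = nobody;` encrypts the committed `.age` file to whatever the `nobody` role holds; if that is an empty recipient list, as the name suggests, no key in this repository can ever decrypt it, the file is unrecoverable dead weight, and the only live copy of the push key is the Gitea secret. Either add an admin recipient so the key can be recovered and rotated from the repo, or drop the file and state where the key lives, e.g. `# held only as the Gitea secret BINARY_CACHE_PUSH_SSH_KEY (base64-encoded); no repo recipient`. `nobody` is defined outside this hunk.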