From 52ed25f1b9391d16826d8f7ce0c263c588b0e5a8 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 15 Oct 2023 18:00:28 -0600
Subject: [PATCH] Push derivations built during `nix flake check` to binary cache
---
 .gitea/workflows/check-flake.yaml | 45 ++++++++++++++-------------
 machines/storage/s0/default.nix | 7 +++++
 secrets/binary-cache-push-sshkey.age | Bin 0 -> 763 bytes
 secrets/secrets.nix | 2 ++
 4 files changed, 33 insertions(+), 21 deletions(-)
 create mode 100644 secrets/binary-cache-push-sshkey.age
diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 95f84c1..6a2f53e 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -4,35 +4,38 @@ on: [push]
 env:
 DEBIAN_FRONTEND: noninteractive
- PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
-
-# defaults:
-# run:
-# shell: nix shell nixpkgs#nodejs-18_x
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
 jobs:
 check-flake:
- runs-on: nixos
+ runs-on: ubuntu-latest
 steps:
- # - run: node --version
- # - name: Install basic dependencies
- # run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
-
- # - name: Install Nix
- # uses: https://github.com/cachix/install-nix-action@v20
- # with:
- # github_access_token: ${{ secrets.__GITHUB_TOKEN }}
-
- - name: Install dependencies
- run: nix profile install nixpkgs#nodejs-18_x
+ - name: Install Nix
+ uses: https://github.com/cachix/install-nix-action@v23
+ with:
+ github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+ extra_nix_config: |
+ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+ substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
 - name: Checkout the repository
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
- # - name: Get ENV var names
- # run: printenv | cut -d'=' -f1
-
 - name: Check Flake
- run: nix flake check --show-trace
\ No newline at end of file
+ run: nix flake check --show-trace
+
+ - name: Setup SSH For Pushing to Binary Cache
+ run: |
+ # Set up push key with ssh-agent
+ echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
+ chmod 600 ./.id_ed25519
+ eval $(ssh-agent -a $SSH_AUTH_SOCK)
+ ssh-add ./.id_ed25519
+ # Add Binary Cache as known host
+ mkdir -p ~/.ssh
+ echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
+
+ - name: Copy all built derivations to remote cache
+ run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*
\ No newline at end of file
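Review bot: The final step copies `/nix/store/*` as the trusted `cache-push` user, so every unsigned path present on the runner — whatever install-nix-action pulled in and whatever any branch that triggered `on: [push]` happened to build, not only the outputs of `nix flake check` — ends up in a cache that other hosts trust through the `s0.koi-bebop.ts.net:…` entry in `trusted-public-keys`. Consider limiting the trigger to protected refs, e.g. `on:` / `  push:` / `    branches: [main]`, and copying only the paths the check produced (build the flake's checks with `--print-out-paths` and pass that list to `nix copy`) rather than the whole store; the shell glob also expands to every store entry, so `nix copy` may reject entries that are not valid store paths, which a computed list avoids as well. The private key is decoded into `./.id_ed25519` inside the checkout and never removed; writing it to a temporary path outside the workspace, or deleting it in a final always-run step, keeps it out of any later step or runner that retains the working tree.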
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index efa6afb..0afc8c7 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -32,6 +32,13 @@
 secretKeyFile = "/run/agenix/binary-cache-private-key";
 };
 age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
+ users.users.cache-push = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
+ };
+ nix.settings = {
+ trusted-users = [ "cache-push" ];
+ };
 services.iperf3.enable = true;
 services.iperf3.openFirewall = true;
diff --git a/secrets/binary-cache-push-sshkey.age b/secrets/binary-cache-push-sshkey.age
new file mode 100644
index 0000000000000000000000000000000000000000..5ae14844e836e022ca16be1baae2b2d0143fe37e
GIT binary patch
literal 763
zcmV8QDI|RS~E6eSZ`KpQ7{U6PEJd7bxUby zctu)rFHdwbR%B2#HBC!nYE4#oVpDo?bwYSgWO7qCa5xGrJ|K52SyW~}UU)5Ma%Ew2 zWgtIzXDUfVAT3;ZX(u2~H6TiEdNB$#MrUYrGH-fAM@&|ALQh#yGj()LOmHhwL3L+O zVNgdpRd-Z(H8ELsa&$~{a7K4nFF|w)Y*R^5I7%;7a%D6`Of@f5 zb#O0dZERyNH8eJ)2gvWF}u7El}9xcAHhi7Lv({>Jn_OUb`$IwvJk1{ptFC4 zms9cVB!kT;VA-hPf+5H{?^`TM^ar>(BZ)7L|LRt^bd(@mulwFj!BCaYu3v!TdfC)H zsHVsA)A|?Q`CLtG!K|NzR@L+CroYaYSbI$ z8{ukhvw4+&j@m24o;e;|`^Wk~2=)fJtvYzmmLWzY9;s@0-7H@OiZ~S^2ITHwPoKwQ z_1`*s!PSeZ4dB$iXv2jMZ0gT
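Review bot: `trusted-users = [ "cache-push" ];` grants the push account far more than the ability to receive store paths: a trusted user can override daemon settings such as substituters and sandboxing, which the Nix manual describes as effectively root-equivalent, and the matching private key now lives in CI. If the account only needs to accept pushes, restrict the entry in `openssh.authorizedKeys.keys` to the store protocol, e.g. prefix it with `restrict,command="nix-store --serve --write"` (the command `nix copy --to ssh://` runs on the remote), so a leaked key cannot open a shell or run other commands. Alternatively, sign the paths in CI and add that signing public key to this host's `trusted-public-keys`, which removes the need for a trusted user altogether. The enclosing module body starts before this hunk, so whether `nix.settings` is already assigned in this attribute set — which would make the new literal a duplicate definition — cannot be checked here.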