zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Push derivations built during nix flake check to binary cache
Some checks failed
Check Flake / check-flake (push) Failing after 1m17s
Details

Browse Source
This commit is contained in:
Zuckerberg 2023-10-15 18:00:28 -06:00
parent 0446d18712
commit 52ed25f1b9
4 changed files with 33 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
.gitea/workflows/check-flake.yaml
View File

@ -4,35 +4,38 @@ on: [push]
env: env:
DEBIAN_FRONTEND: noninteractive DEBIAN_FRONTEND: noninteractive
PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin SSH_AUTH_SOCK: /tmp/ssh_agent.sock
# defaults:
# run:
# shell: nix shell nixpkgs#nodejs-18_x
jobs: jobs:
check-flake: check-flake:
runs-on: nixos runs-on: ubuntu-latest
steps: steps:
# - run: node --version - name: Install Nix
# - name: Install basic dependencies uses: https://github.com/cachix/install-nix-action@v23
# run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils with:
github_access_token: ${{ secrets.__GITHUB_TOKEN }}
# - name: Install Nix extra_nix_config: |
# uses: https://github.com/cachix/install-nix-action@v20 trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
# with: substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
# github_access_token: ${{ secrets.__GITHUB_TOKEN }}
- name: Install dependencies
run: nix profile install nixpkgs#nodejs-18_x
- name: Checkout the repository - name: Checkout the repository
uses: actions/checkout@v3 uses: actions/checkout@v3
with: with:
fetch-depth: 0 fetch-depth: 0
# - name: Get ENV var names
# run: printenv | cut -d'=' -f1
- name: Check Flake - name: Check Flake
run: nix flake check --show-trace run: nix flake check --show-trace
- name: Setup SSH For Pushing to Binary Cache
run: |
# Set up push key with ssh-agent
echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
chmod 600 ./.id_ed25519
eval $(ssh-agent -a $SSH_AUTH_SOCK)
ssh-add ./.id_ed25519
# Add Binary Cache as known host
mkdir -p ~/.ssh
echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
- name: Copy all built derivations to remote cache
run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*

7
machines/storage/s0/default.nix
View File

@ -32,6 +32,13 @@
secretKeyFile = "/run/agenix/binary-cache-private-key"; secretKeyFile = "/run/agenix/binary-cache-private-key";
}; };
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age; age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
};
nix.settings = {
trusted-users = [ "cache-push" ];
};
services.iperf3.enable = true; services.iperf3.enable = true;
services.iperf3.openFirewall = true; services.iperf3.openFirewall = true;

BIN
secrets/binary-cache-push-sshkey.age Normal file
View File

Binary file not shown.

2
secrets/secrets.nix
View File

@ -22,6 +22,8 @@ with roles;
# nix binary cache # nix binary cache
# public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
"binary-cache-private-key.age".publicKeys = binary-cache; "binary-cache-private-key.age".publicKeys = binary-cache;
# public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
"binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
# vpn # vpn
"iodine.age".publicKeys = iodine; "iodine.age".publicKeys = iodine;