From 7c4d2d53f2bb6c0d056cc0faabf90117e8a20808 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 16 Jun 2024 20:39:11 -0600
Subject: [PATCH] Use attic as nixos binary cache and update CI accordingly
---
.gitea/workflows/check-flake.yaml | 7 ++++
common/binary-cache.nix | 4 +--
common/default.nix | 1 +
common/server/atticd.nix | 37 +++++++++++++++++++
common/server/default.nix | 1 +
flake.lock | 52 +++++++++++++++++++++++++++
flake.nix | 12 +++++++
machines/storage/s0/default.nix | 19 ++--------
secrets/atticd-credentials.age | 8 +++++
secrets/binary-cache-private-key.age | Bin 541 -> 0 bytes
secrets/binary-cache-push-sshkey.age | Bin 721 -> 0 bytes
secrets/secrets.nix | 5 +--
12 files changed, 123 insertions(+), 23 deletions(-)
create mode 100644 common/server/atticd.nix
create mode 100644 secrets/atticd-credentials.age
delete mode 100644 secrets/binary-cache-private-key.age
delete mode 100644 secrets/binary-cache-push-sshkey.age
diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index a073f32..80b8cc7 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -15,5 +15,12 @@ jobs:
with:
fetch-depth: 0
+ - name: Setup Attic Cache
+ uses: https://github.com/ryanccn/attic-action@v0
+ with:
+ endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+ cache: ${{ secrets.ATTIC_CACHE }}
+ token: ${{ secrets.ATTIC_TOKEN }}
+
- name: Check Flake
run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
\ No newline at end of file
diff --git a/common/binary-cache.nix b/common/binary-cache.nix
index 531c386..5f75b80 100644
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
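Review bot: `uses: https://github.com/ryanccn/attic-action@v0` pins the third-party action only to a mutable major tag, and the same step is handed `secrets.ATTIC_TOKEN`, so whoever can move that tag can run code with push access to the cache inside this workflow. Pin it to a full commit hash and keep the tag as a comment, `uses: https://github.com/ryanccn/attic-action@<commit-sha-placeholder> # v0`, and review the action before bumping it. It is also worth a comment stating that ATTIC_TOKEN should be a token scoped to pull/push on the one cache named in ATTIC_CACHE rather than a server-wide one, since that token is all a leaked runner log or a compromised action needs to publish paths that every machine trusting this cache will substitute.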
@@ -6,11 +6,11 @@
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
- "http://s0.koi-bebop.ts.net:5000"
+ "http://s0.koi-bebop.ts.net:28338/nixos"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+ "nixos:IDhKojUaMz+UIiri1/DQk9EpqDokih8dwxmp41uJnls="
];
};
};
diff --git a/common/default.nix b/common/default.nix
index f2bbb1b..663c6d9 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -63,6 +63,7 @@
lf
gnumake
tree
+ attic
];
nixpkgs.config.allowUnfree = true;
diff --git a/common/server/atticd.nix b/common/server/atticd.nix
new file mode 100644
index 0000000..17a641a
--- /dev/null
+++ b/common/server/atticd.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.atticd;
+in
+{
+ config = lib.mkIf cfg.enable {
+ services.atticd = {
+ credentialsFile = "/run/agenix/atticd-credentials";
+
+ settings = {
+ listen = "[::]:28338";
+
+ chunking = {
+ # Disable chunking for performance (I have plenty of space)
+ nar-size-threshold = 0;
+
+ # Chunking is disabled due to poor performance so these values don't matter but are required anyway.
+ # One day, when I move away from ZFS maybe this will perform well enough.
+ # nar-size-threshold = 64 * 1024; # 64 KiB
+ min-size = 16 * 1024; # 16 KiB
+ avg-size = 64 * 1024; # 64 KiB
+ max-size = 256 * 1024; # 256 KiB
+ };
+
+ # Disable compression for performance (I have plenty of space)
+ compression.type = "none";
+
+ garbage-collection = {
+ default-retention-period = "6 months";
+ };
+ };
+ };
+
+ age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
+ };
+}
diff --git a/common/server/default.nix b/common/server/default.nix
index af9df2c..d07af5d 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -22,5 +22,6 @@
./dashy.nix
./librechat.nix
./actualbudget.nix
+ ./atticd.nix
];
}
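Review bot: `listen = "[::]:28338";` in common/server/atticd.nix binds atticd on every address, and nothing in this module restricts the bind or opens the firewall, while common/binary-cache.nix reaches it by its tailnet name over plain http. If s0's NixOS firewall is enabled the cache is unreachable on 28338 (the nix-serve config removed in machines/storage/s0/default.nix had `openFirewall = true`); if it is disabled, the cache API is reachable on all interfaces rather than only over the tailnet. Either bind to the tailnet address or open the port on that interface only, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 28338 ];`, where the interface name is the Tailscale default and should be confirmed for s0. A short comment on `credentialsFile` noting that agenix secrets default to root:0400, so this only works if the atticd unit loads the file as root (presumably via systemd), would save the next reader a check.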
diff --git a/flake.lock b/flake.lock index b9b6e01..59e4399 100644 --- a/flake.lock +++ b/flake.lock @@ -25,6 +25,36 @@ "type": "github" } }, + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": [ + "flake-compat" + ], + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717279440, + "narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "717cc95983cdc357bc347d70be20ced21f935843", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -41,6 +71,27 @@ "type": "gitlab" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717025063, + "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=", + "owner": "ipetkov", + "repo": "crane", + "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "dailybuild_modules": { "inputs": { "flake-utils": [ @@ -281,6 +332,7 @@ "root": { "inputs": { "agenix": "agenix", + "attic": "attic", "dailybuild_modules": "dailybuild_modules", "deploy-rs": "deploy-rs", "flake-compat": "flake-compat", diff --git a/flake.nix b/flake.nix index 2bb0233..d8fa527 100644 --- a/flake.nix +++ b/flake.nix @@ -75,6 +75,17 @@ url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # Attic + attic = { + url = "github:zhaofengli/attic"; + inputs = { + nixpkgs.follows = "nixpkgs"; + nixpkgs-stable.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + flake-compat.follows = "flake-compat"; + }; + }; }; outputs = { self, nixpkgs, ... }@inputs: 
@@ -94,6 +105,7 @@
agenix.nixosModules.default
dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index
+ attic.nixosModules.atticd
self.nixosModules.kernel-modules
({ lib, ... }: {
config = {
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index 2599ca6..7850aa7 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -10,23 +10,6 @@
# system.autoUpgrade.enable = true;
- nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
-
- # binary cache
- services.nix-serve = {
- enable = true;
- openFirewall = true;
- secretKeyFile = "/run/agenix/binary-cache-private-key";
- };
- age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
- users.users.cache-push = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
- };
- nix.settings = {
- trusted-users = [ "cache-push" ];
- };
-
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
@@ -235,4 +218,6 @@
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
+
+ services.atticd.enable = true;
}
diff --git a/secrets/atticd-credentials.age b/secrets/atticd-credentials.age
new file mode 100644
index 0000000..95ab704
--- /dev/null
+++ b/secrets/atticd-credentials.age
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPp1nw tMy5kLAcQD62yAfEVJ4LQZjs0kkEEQOfM4HN9yj3hBY +JvlklGTxxfAZbP+alm3nxLxqhmcu2mTKwRU5WaapL9w +-> ssh-ed25519 w3nu8g ZGzufldXq7kmIpqFecbkpDxiykWZ207k0+09I2dmxEM +SK25e5HBe4b5reGXXfCjIFbFGzfu32RFjY++/yteRVc +--- xZOe1syYAcVRDhiNRv+CsfFgoQbiANA6vNCon+5NExc +-1,C-.M?Y|u+ + ؏ҡmf]=rAgS:8SLis9J<>H) z@+fdK@F`2oFwVA!$|yB6&nb?I2q^YUj0`k&3M;qt^fdFVu;7Z)PA>>I&5g)Pi!v;5 z&o=XNugEIT&oT}Ra8C*{jWl+R$kQ*#$j=H5DMz=h+&Hh)B3&WSCELg)F)+Cx%C#g_ zyR;yvurN8dyeJ|u#L>(rF}FO;#WcLY(a9n#(2*;n%)~D%t1#; zq^!)zC(pgYG$JA+Dz!Kz(%C8BA{*Vd6yLze{B#A!tRmz5OOMAIFNE9D@i0%g8jp)RIuk^u)r%(2}ww z{VdOl(y~y4P-EwUh>zWq{NhyqaKA{iv>=lLN5{nQuw>JS^r}$b^6;uc zznm&lCvR=fB1bOvQhQ~|$^WjeEwHW(J*&cE9C(tW&eQ%;kN0Aq(yu$N7fkN)x_3MK z!dIO=;*wf-o_^eO{LGy4!WYa!g8y7@Z@m)@cz7>USW7o|Xi0T8FiK%rYFJNBaW8363N0-yAb2%&Vs|S~ zPgZSdPB3g(c2P=Vc{OchPD*lmW_E6CFiuWbHA-PaMPoy23LQkK{Q5o;SaxFO9+|IX z%W)`*5~q(+It&Vr5ZMK4(pNZ*)RBGeabv2rabyNx(4U|MssAH+PT$0p!&n59ZC842 zY#Pk0P?gRA0=W4bD3H2A=jlDtt+)+R2IRH{^TaR%^m)??BwYo@>%5G8Yf~XjPvoEpH*s>(WLfc5JVZaf51kol zXF*E^3~%PwEsKl#hzp_>&l(Xl%)w?G!&Y&<`29uSyJ)N3AB<`Y0J$b{oX{Jq){8{Y DBJeCv diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4c119e1..8185d87 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,10 +20,7 @@ with roles; "robots-email-pw.age".publicKeys = gitea; # nix binary cache - # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= - "binary-cache-private-key.age".publicKeys = binary-cache; - # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB - "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea + "atticd-credentials.age".publicKeys = binary-cache; # vpn "iodine.age".publicKeys = iodine;
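Review bot: `"atticd-credentials.age".publicKeys = binary-cache;` in secrets/secrets.nix drops the two comment lines that recorded the cache's public key and the push key, and leaves no note that the CI side now depends on Gitea repository secrets (ATTIC_ENDPOINT, ATTIC_CACHE and ATTIC_TOKEN in check-flake.yaml) that are tracked nowhere in this repo. Add a comment such as `# atticd server credentials (presumably the token-signing secret); the CI push token lives in gitea secrets (ATTIC_TOKEN) and must be reissued if this file is rotated`. Since this file now guards token minting rather than a NAR signing key, also confirm that the `binary-cache` role (defined above this hunk) still lists only s0's host key. The deleted private key and push key remain decryptable from git history by their old recipients, which is acceptable only because this same commit removes the old public key from trusted-public-keys and deletes the cache-push user.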