Basic binary cache

2023-04-29 19:52:31 -06:00 · 2023-04-29 19:52:31 -06:00 · 96de109d62
commit 96de109d62
parent 0efcf8f3fc
6 changed files with 41 additions and 0 deletions
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+{
+  nix = {
+    settings = {
+      substituters = [
+        "http://s0.koi-bebop.ts.net:5000"
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+  };
+}
--- a/common/default.nix
+++ b/common/default.nix
@ -3,6 +3,7 @@
 {
  imports = [
    ./backups.nix
+    ./binary-cache.nix
    ./flakes.nix
    ./auto-update.nix
    ./shell.nix
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@ -14,6 +14,14 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache

+  # binary cache
+  services.nix-serve = {
+    enable = true;
+    openFirewall = true;
+    secretKeyFile = "/run/agenix/binary-cache-private-key";
+  };
+  age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
+
  services.iperf3.enable = true;
  services.iperf3.openFirewall = true;

--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@ -9,6 +9,7 @@
    "storage"
    "server"
    "pia"
+    "binary-cache"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
--- a/secrets/binary-cache-private-key.age
+++ b/secrets/binary-cache-private-key.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw 4fyRGsaEo25EOj/VwPsF0tayghF0URctont4/re6OmY
+rs09DCSb2bd/v45a7ABxfLo+Sz3OPLkRzfnP5Tmgi0g
+-> ssh-ed25519 dMQYog seRjdySBF1GISaSUWqZNvoW4INDUCxvBKJOgvGeyX1Q
+fe6JE5f9A48ujVtuc0QZ7e7pWW+Tu0yyQEyexTvQWAQ
+-> Uqf![<-grease O}' _h*Y~ .@=$H,~W
+jDlO5MEGPDjJ44cAWuJaTeADbG+wz5PTqq9Pw75QV3Exrsb8/PNGOrUZKuSTCCl3
+g/z3ZHelBBqHp16ZTc+LSxDYgvnEfWMPZKo4mxgu
+--- GTBCzHJYUKbpcgq7+0HzBpqvo0F7TNSPjFKqdRDUYDk
+ÈÚú¡T+ñ—êtµ(×¤ÉF	ÆS<C386>/R±+¢¼Š¯‘âLÃÝcÁ‰·‹1
â<>
ÕwÝøº.iFd#TJ±clbâH€5(öï6)®y¯"
Ãà¼Î¿ž<C2BF>±~Ëº7!Õñ?(Qb
“]x(åÛ°Å1ÿðÃZsaôï<15>ûþåTÁ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,6 +19,10 @@ with roles;
  "hashed-robots-email-pw.age".publicKeys = email-server;
  "robots-email-pw.age".publicKeys = gitea;

+  # nix binary cache
+  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+  "binary-cache-private-key.age".publicKeys = binary-cache;
+
  # vpn
  "iodine.age".publicKeys = iodine;
  "pia-login.age".publicKeys = pia;