Add Attic binary cache and containerize gitea runner

Replace nix-serve-only setup with Attic for managed binary caching with upstream filtering and GC. Move gitea actions runner from host into an isolated NixOS container with private networking. nix-serve kept alongside Attic during migration.
2026-02-18 19:53:34 -08:00
parent 9154595910
commit fb17d81d49
10 changed files with 130 additions and 112 deletions
--- a/secrets/attic-netrc.age
+++ b/secrets/attic-netrc.age
--- a/secrets/atticd-credentials.age
+++ b/secrets/atticd-credentials.age
--- a/secrets/binary-cache-push-sshkey.age
+++ b/secrets/binary-cache-push-sshkey.age
--- a/secrets/gitea-actions-runner-token.age
+++ b/secrets/gitea-actions-runner-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,6 +7,9 @@ let

  # nobody is using this secret but I still need to be able to r/w it
  nobody = sshKeys.userKeys;
+
+  # For secrets that all machines need to know
+  everyone = roles.personal ++ roles.server;
 in

 with roles;
@@ -22,8 +25,10 @@ with roles;
  # nix binary cache
  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
  "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
+
+  # attic binary cache
+  "atticd-credentials.age".publicKeys = binary-cache;
+  "attic-netrc.age".publicKeys = everyone;

  # vpn
  "pia-login.age".publicKeys = pia;