Push derivations built during nix flake check to binary cache

.gitea/workflows/check-flake.yaml

@@ -4,39 +4,38 @@ on: [push]
 
 env:
   DEBIAN_FRONTEND: noninteractive
-  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
+  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-
-# defaults:
-#   run:
-#     shell: nix shell nixpkgs#nodejs-18_x
 
 jobs:
   check-flake:
     runs-on: ubuntu-latest
     steps:
-      # - run: node --version
-      - name: Install basic dependencies
-        run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
-
       - name: Install Nix
-        uses: https://github.com/cachix/install-nix-action@v20
+        uses: https://github.com/cachix/install-nix-action@v23
         with:
           github_access_token: ${{ secrets.__GITHUB_TOKEN }}
-
+          extra_nix_config: |
-      # - name: Install dependencies
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
-      #   run: nix profile install nixpkgs#nodejs-18_x
+            substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
 
       - name: Checkout the repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: Get ENV var names
-        run: printenv | cut -d'=' -f1
-
-      - name: List files in the repository
-        run: |
-          ls ${{ gitea.workspace }}
-
       - name: Check Flake
         run: nix flake check --show-trace
+
+      - name: Setup SSH For Pushing to Binary Cache
+        run: |
+          # Set up push key with ssh-agent
+          echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
+          chmod 600 ./.id_ed25519
+          eval $(ssh-agent -a $SSH_AUTH_SOCK)
+          ssh-add ./.id_ed25519
+          # Add Binary Cache as known host
+          mkdir -p ~/.ssh
+          echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
+
+      - name: Copy all built derivations to remote cache
+        run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*

machines/phil/default.nix

@@ -13,12 +13,8 @@
     url = "https://git.neet.dev/";
     tokenFile = "/run/agenix/gitea-actions-runner-token";
     labels = [
-      # provide a debian base with nodejs for actions
+      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "debian-latest:docker://node:18-bullseye"
+      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-      # fake the ubuntu name, because node provides no ubuntu builds
-      "ubuntu-latest:docker://node:18-bullseye"
-      # provide native execution on the host
-      #"native:host"
     ];
   };
   virtualisation.docker.enable = true;

machines/storage/s0/default.nix

@@ -16,15 +16,11 @@
     url = "https://git.neet.dev/";
     tokenFile = "/run/agenix/gitea-actions-runner-token";
     labels = [
-      # provide a debian base with nodejs for actions
+      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "debian-latest:docker://node:18-bullseye"
+      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-      # fake the ubuntu name, because node provides no ubuntu builds
-      "ubuntu-latest:docker://node:18-bullseye"
-      # provide native execution on the host
-      #"native:host"
     ];
   };
-  virtualisation.docker.enable = true;
+  virtualisation.podman.enable = true;
   age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
   nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
@@ -36,6 +32,13 @@
     secretKeyFile = "/run/agenix/binary-cache-private-key";
   };
   age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
+  users.users.cache-push = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
+  };
+  nix.settings = {
+    trusted-users = [ "cache-push" ];
+  };
 
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;

secrets/gitea-actions-runner-token.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw H88561/4YspJuLV0lOA7mfeHjwL291W/N3HWmiq8E0M
+-> ssh-ed25519 WBT1Hw ucC+p6pRevUWJIVqG5DfXSO4W0PjR2lUW7tY924FVHA
-mqLeaNk2B2OUZo4NEDLicpSN9Qw1NAsLOSCb3Ar+iXA
+te6rrH/nsn/Pn4mySjQ0mv2M3ZTCOwbglCcnH2ZiUJQ
--> ssh-ed25519 dMQYog CUuZSrofDHbBLtxgc4kg2h3Qgs99c3oudBGGV0iP/24
+-> ssh-ed25519 hPp1nw 1nmzowG+nzD8ixyqTU+duUxV3g4yWo7RqKJ+dDlf0g8
-9D/ZjZqJh8XeUo/UFA6ojcJIlwUqYSg+Itx2vREXdas
+ln3CyhUYuZ71EdyqIPBdeRP98dun4cs9uZnxAGadDG0
--> p-grease #!rAT w\]efbQ
+-> ssh-ed25519 dMQYog pHRtIaJr39QqD7xqX2ovUf8QfUPwDl58TmqHa1xhSDQ
-/WNOqhMfFrl1holyeok7pf/joMso1LtjbB00BeUGecVdkDhj71TxLgc+5tor/3D/
+dr8tYQ3oFrQehq2326jimOCRDX6Zrsq/epQbVA8+UPw
-FC65ymMPL2t1j/G+qcow19X6bjWkytY
+-> I)m(V&-grease i5{
---- XDThYXsCIJLrOEBXbKwpnRSzvcBuVp+NiQ2Uung74fk
+lYnHQc5cQahDoah2rPlIlGOLc49nTDp+aHPB
-—L93%g\šqcÃÂZÏ÷ÆH\ 7ß—Ü<E28094>€Liµ¹W u¶â]¶ÇT=ÒHjl%—HÁfW=ðjþí£³Î“Ë­ÂáJ’–1a<31>Kéþ
+--- AdMW2y8Z9XmbxzmvSAP9NKqgj2JGgkimXJqcXIFPdtI
+]°m]pmòžY.ؽ¢âÞzÀhÑ<68>Sß!fI~Åpô³ˆ]¦KÅ‹Còü\KHgÎí_ÇÌ»§6ÌÑðÜ–Üj”)ü«@á‹[¿

secrets/secrets.nix

@@ -22,6 +22,8 @@ with roles;
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
   "binary-cache-private-key.age".publicKeys = binary-cache;
+  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
+  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
 
   # vpn
   "iodine.age".publicKeys = iodine;