Use harmonia instead of attic for binary cache

2024-07-20 16:46:10 +01:00
parent 1ea172e690
commit 3005933aa5
7 changed files with 97 additions and 15 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -23,19 +23,17 @@ jobs:

            extra-substituters = https://nix-cache.nul.ie/main
            extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
-      - name: Set up attic
-        run: |
-          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
-            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"

      - name: Check flake
-        run: nix flake check
+        run: nix flake check --no-build
      - name: Build the world
        id: build
        run: |
          path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
          echo "path=$path" >> "$GITHUB_OUTPUT"
+
      - name: Push to cache
+        env:
+          HARMONIA_SSH_KEY: ${{ secrets.HARMONIA_SSH_KEY }}
        run: |
-          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
-            push main ${{ steps.build.outputs.path }}
+          ci/push-to-cache.sh "${{ steps.build.outputs.path }}"
--- a/.keys/harmonia.pub
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia
--- a/ci/known_hosts
+++ b/ci/known_hosts
@@ -0,0 +1 @@
+object-ctr.ams1.int.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8
--- a/ci/push-to-cache.sh
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+REMOTE_STORE=/var/lib/harmonia
+SSH_HOST="harmonia@object-ctr.ams1.int.nul.ie"
+SSH_KEY=/tmp/harmonia.key
+STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
+
+remote_cmd() {
+  ssh -i "$SSH_KEY" "$SSH_HOST" env HOME=/run/harmonia NIX_REMOTE="$REMOTE_STORE" "$@"
+}
+
+umask_old=$(umask)
+umask 0066
+echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
+umask $umask_old
+
+mkdir -p ~/.ssh
+cp ci/known_hosts ~/.ssh/
+path="$1"
+
+echo "Pushing $path to cache..."
+nix copy --to "$STORE_URI" "$path"
+
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -102,6 +102,7 @@ rec {
      ];
      keys = [
        "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
+        "nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4="
      ];
      conf = ''
        extra-substituters = ${concatStringsSep " " substituters}
@@ -359,6 +360,7 @@ rec {
    deploy = ../.keys/deploy.pub;
    rsyncNet = ../.keys/zh2855.rsync.net.pub;
    mailcowAcme = ../.keys/mailcow-acme.pub;
+    harmonia = ../.keys/harmonia.pub;
  };
  sshHostKeys = {
    mail-vm = ../.keys/mail-vm-host.pub;
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -31,6 +31,13 @@ in
    {
      config = mkMerge [
        {
+          fileSystems = {
+            "/var/lib/harmonia" = {
+              device = "/mnt/atticd/harmonia";
+              options = [ "bind" ];
+            };
+          };
+
          my = {
            deploy.enable = false;
            server.enable = true;
@@ -48,6 +55,7 @@ in
                  group = config.my.user.config.group;
                };
                "object/atticd.env" = {};
+                "nix-cache.key" = {};
                "object/hedgedoc.env" = {};
                "object/wastebin.env" = {};
              };
@@ -68,14 +76,26 @@ in
            };
          };

-          users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in {
-            users."${user}" = {
-              isSystemUser = true;
-              uid = uids.atticd;
-              group = group;
-            };
-            groups."${user}".gid = gids.atticd;
-          };
+          users = with lib.my.c.ids; mkMerge [
+            (let inherit (config.services.atticd) user group; in {
+              users."${user}" = {
+                isSystemUser = true;
+                uid = uids.atticd;
+                group = group;
+              };
+              groups."${user}".gid = gids.atticd;
+            })
+            {
+              users = {
+                harmonia = {
+                  shell = pkgs.bashInteractive;
+                  openssh.authorizedKeys.keyFiles = [
+                    lib.my.c.sshKeyFiles.harmonia
+                  ];
+                };
+              };
+            }
+          ];

          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
@@ -93,7 +113,9 @@ in
                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
                };
              };
+
              sharry = awaitPostgres;
+
              atticd = mkMerge [
                awaitPostgres
                {
@@ -104,6 +126,15 @@ in
                  };
                }
              ];
+              harmonia = {
+                environment.NIX_REMOTE = "/var/lib/harmonia";
+                preStart = ''
+                  ${config.nix.package}/bin/nix store ping
+                '';
+                serviceConfig = {
+                  StateDirectory = "harmonia";
+                };
+              };
            };
          };

@@ -203,6 +234,14 @@ in
              };
            };

+            harmonia = {
+              enable = true;
+              signKeyPath = config.age.secrets."nix-cache.key".path;
+              settings = {
+                priority = 30;
+              };
+            };
+
            hedgedoc = {
              enable = true;
              environmentFile = config.age.secrets."object/hedgedoc.env".path;
--- a/secrets/nix-cache.key.age
+++ b/secrets/nix-cache.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBpdExl
+TlRVTE44RlA1NVhHWGZoQWc0bWpCOHFySytnVmJsZlE4SXFQVnp3CjRoSXE4WWhr
+N1djTEtqNDFZdTJUcFVOc3RKUlpndHFBMFNQMnFBdVBpbzQKLT4gWDI1NTE5IEFV
+eHlMUTJlL3Bad1gxTFpJaTFONEkrc2dNUk55dVJqYmNubXNUcGtDRTQKRzRmWTVp
+L3FuaTg2UXpQbVdzTzk5R09VZzVTZzJHM010MUpadEZzU2d6SQotPiAuOlBBNGEt
+Z3JlYXNlIEI3VmMzNCQKUzFLS2NBeVloTnNvMTE2QgotLS0gY1ZuZFdnTmMzOUc0
+TzQyU3RSREE1a3RXZkJ1dXFmc0FqT0dKNVNoUklEUQoXL7+OqcAg1iXZUO1Hhh9T
+BD7Yk9PKVyq7KGDeXMo4HtYll8sWig14PmR7+XOr9Al/1w1WYOD5AAtIkk3G7veq
+TtWlJ76Lu9GZpaNR/47d/z0AzFbBBmu9F+WVWBiZqFEx7m4ZlvyiKgZK6E9IyioK
+8lT5QYaw8WhXcHPoE8a+DOnd9mY93D8MV0ob
+-----END AGE ENCRYPTED FILE-----
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia`
				`@@ -0,0 +1 @@`
				`object-ctr.ams1.int.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8`