diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 91ad07e..ba9445b 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -21,12 +21,8 @@ jobs: # Big C++ projects fill up memory... cores = 6 - extra-substituters = https://nix-cache.nul.ie/main - extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8= - - name: Set up attic - run: | - nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \ - login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}" + extra-substituters = https://nix-cache.nul.ie + extra-trusted-public-keys = nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4= - name: Check flake run: nix flake check @@ -35,7 +31,9 @@ jobs: run: | path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out) echo "path=$path" >> "$GITHUB_OUTPUT" + - name: Push to cache + env: + HARMONIA_SSH_KEY: ${{ secrets.HARMONIA_SSH_KEY }} run: | - nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \ - push main ${{ steps.build.outputs.path }} + ci/push-to-cache.sh "${{ steps.build.outputs.path }}" diff --git a/.gitea/workflows/installer.yaml b/.gitea/workflows/installer.yaml index c233a36..1dbdfee 100644 --- a/.gitea/workflows/installer.yaml +++ b/.gitea/workflows/installer.yaml @@ -21,14 +21,8 @@ jobs: # Make sure we're using sandbox sandbox-fallback = false - extra-substituters = https://nix-cache.nul.ie/main - extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8= - - name: Set up attic - id: setup - run: | - nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \ - login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}" - echo "short_rev=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + extra-substituters = https://nix-cache.nul.ie + extra-trusted-public-keys = nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4= - name: Build installer ISO run: | 
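Review bot: The new `Push to cache` step hands the SSH key to the script through `env:` but still splices the store path into the shell line with `ci/push-to-cache.sh "${{ steps.build.outputs.path }}"`; expression interpolation into `run:` is the template-injection pattern, and even though a `/nix/store` path produced by `nix build --json | jq` is unlikely to carry shell metacharacters, the env route costs nothing here. Add `BUILD_PATH: ${{ steps.build.outputs.path }}` under the step's `env:` and call `ci/push-to-cache.sh "$BUILD_PATH"`. The `jobs:` block this step belongs to starts before the hunk.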
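Review bot: The removed `Set up attic` step in installer.yaml was also the step with `id: setup` that wrote `short_rev` to `$GITHUB_OUTPUT`; any later step in this workflow (outside the hunk) that still reads `steps.setup.outputs.short_rev` will now expand it to an empty string rather than fail loudly, so that should be checked before merging. If the value is still used, keep a minimal step such as `- id: setup` / `run: echo "short_rev=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"` ahead of `Build installer ISO`. The `nix-cache.nul.ie-1` trusted key is now written out verbatim in both workflows and again in `lib/constants.nix`; a one-line comment next to `extra-trusted-public-keys` naming the constants file as the source of truth would keep the three copies in step on the next rotation.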
diff --git a/.keys/harmonia.pub b/.keys/harmonia.pub
new file mode 100644
index 0000000..a32c056
--- /dev/null
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia
diff --git a/ci/known_hosts b/ci/known_hosts
new file mode 100644
index 0000000..d284ff2
--- /dev/null
+++ b/ci/known_hosts
@@ -0,0 +1 @@
+object-ctr.ams1.int.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8
diff --git a/ci/push-to-cache.sh b/ci/push-to-cache.sh
new file mode 100755
index 0000000..7cab76d
--- /dev/null
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+REMOTE_STORE=/var/lib/harmonia
+SSH_HOST="harmonia@object-ctr.ams1.int.nul.ie"
+SSH_KEY=/tmp/harmonia.key
+STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
+
+remote_cmd() {
+ ssh -i "$SSH_KEY" "$SSH_HOST" env HOME=/run/harmonia NIX_REMOTE="$REMOTE_STORE" "$@"
+}
+
+umask_old=$(umask)
+umask 0066
+echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
+umask $umask_old
+
+mkdir -p ~/.ssh
+cp ci/known_hosts ~/.ssh/
+path="$1"
+
+echo "Pushing $path to cache..."
+nix copy --no-check-sigs --to "$STORE_URI" "$path"
+
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d
diff --git a/devshell/default.nix b/devshell/default.nix
index c696a5b..a542d93 100644
--- a/devshell/default.nix
+++ b/devshell/default.nix
@@ -28,6 +28,5 @@ in
 exec ${deploy-rs.deploy-rs}/bin/deploy --skip-checks "$@"
 '')
 home-manager
- attic-client
 ];
 }
diff --git a/lib/constants.nix b/lib/constants.nix
index 35eb3b0..1cb357f 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
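Review bot: The decoded private key is written to the fixed path `/tmp/harmonia.key` and never removed, so on a persistent runner it outlives the job, and because of `set -e` any failure after the `base64 -d` line leaves it behind as well; add `trap 'rm -f "$SSH_KEY"' EXIT` before the decode, and consider `SSH_KEY=$(mktemp)` so a pre-existing file or symlink at that path is not followed by the redirect. `mkdir -p ~/.ssh` uses the ambient umask while ssh expects a private directory, so `mkdir -p -m 0700 ~/.ssh` is the safer form. `nix copy --no-check-sigs` intentionally pushes unsigned paths into the store that harmonia later signs; a comment on that line saying so, e.g. `# Unsigned on purpose: harmonia signs paths when serving them`, will stop the next reader from "fixing" it. `path="$1"` is never validated, so an empty argument only surfaces as a confusing nix error; `[ -n "$1" ] || { echo "usage: $0 STORE-PATH" >&2; exit 1; }` gives a clear one.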
@@ -98,10 +98,10 @@ rec { nix = { cache = rec { substituters = [ - "https://nix-cache.${pubDomain}/main" + "https://nix-cache.${pubDomain}" ]; keys = [ - "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=" + "nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4=" ]; conf = '' extra-substituters = ${concatStringsSep " " substituters} @@ -359,6 +359,7 @@ rec { deploy = ../.keys/deploy.pub; rsyncNet = ../.keys/zh2855.rsync.net.pub; mailcowAcme = ../.keys/mailcow-acme.pub; + harmonia = ../.keys/harmonia.pub; }; sshHostKeys = { mail-vm = ../.keys/mail-vm-host.pub; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix index 33e021e..6b7ca23 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix @@ -239,6 +239,8 @@ in ]; recommendedTlsSettings = true; + recommendedBrotliSettings = true; + recommendedZstdSettings = true; clientMaxBodySize = "0"; serverTokens = true; resolver = { diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix index c7f7f46..6f19361 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix @@ -407,10 +407,13 @@ in ignore_invalid_headers off; ''; - nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar\.\S+)$''; + nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar.*|serve\/.+)$''; nixCacheHeaders = '' add_header Cache-Control $nix_cache_control; add_header Expires $nix_expires; + + brotli on; + brotli_types application/x-nix-archive; ''; in { 
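Review bot: `recommendedBrotliSettings` and `recommendedZstdSettings` enable dynamic compression for text types across every TLS vhost this reverse proxy fronts, which is the precondition for BREACH-style compression side channels on any upstream that reflects request data next to a per-session secret (CSRF token, session id) in the same response. The nix cache vhost does not have that problem, but the other vhosts in `vhosts.nix` may; either scope compression to the locations that need it or confirm those applications mask their tokens per request. A short comment next to these two lines recording that trade-off would be worthwhile. The enclosing `services.nginx` attribute set starts before the hunk.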
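Review bot: `brotli on` inside `nixCacheHeaders` recompresses every NAR on the fly at the module's default level on each request, and NAR payloads are large and frequently already-compressed binaries, so the CPU cost lands on `middleman` for every substitution while the bandwidth saving is uncertain; if the upstream on port 5000 can serve pre-compressed NARs, prefer passing those through unchanged, otherwise set an explicit low `brotli_comp_level` here and measure before keeping it. The loosened `nixCacheableRegex` now matches `nar\/\S+\.nar.*`, which accepts trailing whitespace and any suffix where the old `\.nar\.\S+` required an extension; `nar\/\S+\.nar(\.\S+)?` keeps the intent narrower if bare `.nar` is the only new case you need. The `let` binding these lines sit in starts before the hunk.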
@@ -452,9 +455,11 @@ in "nix-cache.${pubDomain}" = { locations = { - "/".proxyPass = "http://${host}:8069"; + "/" = { + proxyPass = "http://${host}:5000"; + }; "~ ${nixCacheableRegex}" = { - proxyPass = "http://${host}:8069"; + proxyPass = "http://${host}:5000"; extraConfig = nixCacheHeaders; }; }; diff --git a/nixos/boxes/colony/vms/shill/containers/object.nix b/nixos/boxes/colony/vms/shill/containers/object.nix index 019fc1c..75b9c5c 100644 --- a/nixos/boxes/colony/vms/shill/containers/object.nix +++ b/nixos/boxes/colony/vms/shill/containers/object.nix @@ -31,6 +31,13 @@ in { config = mkMerge [ { + fileSystems = { + "/var/lib/harmonia" = { + device = "/mnt/atticd/harmonia"; + options = [ "bind" ]; + }; + }; + my = { deploy.enable = false; server.enable = true; @@ -48,6 +55,7 @@ in group = config.my.user.config.group; }; "object/atticd.env" = {}; + "nix-cache.key" = {}; "object/hedgedoc.env" = {}; "object/wastebin.env" = {}; }; @@ -58,6 +66,7 @@ in 9000 9001 config.services.sharry.config.bind.port 8069 + 5000 config.services.hedgedoc.settings.port 8088 ]; @@ -68,14 +77,26 @@ in }; }; - users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in { - users."${user}" = { - isSystemUser = true; - uid = uids.atticd; - group = group; - }; - groups."${user}".gid = gids.atticd; - }; + users = with lib.my.c.ids; mkMerge [ + (let inherit (config.services.atticd) user group; in { + users."${user}" = { + isSystemUser = true; + uid = uids.atticd; + group = group; + }; + groups."${user}".gid = gids.atticd; + }) + { + users = { + harmonia = { + shell = pkgs.bashInteractive; + openssh.authorizedKeys.keyFiles = [ + lib.my.c.sshKeyFiles.harmonia + ]; + }; + }; + } + ]; systemd = { network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; @@ -93,7 +114,9 @@ in MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie"; }; }; + sharry = awaitPostgres; + atticd = mkMerge [ awaitPostgres { 
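Review bot: `"nix-cache.key" = {};` declares the signing key secret with no owner or group, so it is deployed readable by root only while the service that needs it runs as the `harmonia` user; that only works if the harmonia module loads it through a systemd credential rather than opening the path itself, which is worth confirming against the nixpkgs module before relying on it. A comment on this line stating how the key reaches the service, e.g. `# root-owned on purpose: harmonia receives it via systemd credentials`, would document the dependency. The enclosing `age.secrets` attribute set starts before the hunk.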
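Review bot: Port `5000` is added for harmonia but `8069` remains in the allow-list even though `services.atticd.enable` is set to `false` later in this change, so the firewall now advertises a port nothing listens on; drop `8069` in the same hunk. The list these entries belong to starts before the hunk, so it is not visible whether other atticd-era ports remain.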
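Review bot: The CI deploy key is installed for `harmonia` with no authorized_keys options and `shell = pkgs.bashInteractive`, so whoever holds `HARMONIA_SSH_KEY` gets an unrestricted interactive login on object-ctr as the user that owns the cache store. `ci/push-to-cache.sh` only needs non-interactive command execution (`nix copy` over `ssh-ng`, `nix-env`, `nix-collect-garbage`), none of which needs a pty, agent or port forwarding, so install the key with options instead, e.g. `openssh.authorizedKeys.keys = [ "restrict ${lib.fileContents lib.my.c.sshKeyFiles.harmonia}" ];`, and `pkgs.bash` is sufficient as the login shell. Whether the nixpkgs harmonia module already defines this user (so that `isSystemUser` is satisfied by the merge) is not visible here and should be confirmed.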
@@ -104,6 +127,15 @@ in }; } ]; + harmonia = { + environment.NIX_REMOTE = "/var/lib/harmonia"; + preStart = '' + ${config.nix.package}/bin/nix store ping + ''; + serviceConfig = { + StateDirectory = "harmonia"; + }; + }; }; }; @@ -183,7 +215,7 @@ in }; atticd = { - enable = true; + enable = false; credentialsFile = config.age.secrets."object/atticd.env".path; settings = { listen = "[::]:8069"; @@ -203,6 +235,14 @@ in }; }; + harmonia = { + enable = true; + signKeyPath = config.age.secrets."nix-cache.key".path; + settings = { + priority = 30; + }; + }; + hedgedoc = { enable = true; environmentFile = config.age.secrets."object/hedgedoc.env".path; diff --git a/secrets/nix-cache.key.age b/secrets/nix-cache.key.age new file mode 100644 index 0000000..570ab23 --- /dev/null +++ b/secrets/nix-cache.key.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBpdExl +TlRVTE44RlA1NVhHWGZoQWc0bWpCOHFySytnVmJsZlE4SXFQVnp3CjRoSXE4WWhr +N1djTEtqNDFZdTJUcFVOc3RKUlpndHFBMFNQMnFBdVBpbzQKLT4gWDI1NTE5IEFV +eHlMUTJlL3Bad1gxTFpJaTFONEkrc2dNUk55dVJqYmNubXNUcGtDRTQKRzRmWTVp +L3FuaTg2UXpQbVdzTzk5R09VZzVTZzJHM010MUpadEZzU2d6SQotPiAuOlBBNGEt +Z3JlYXNlIEI3VmMzNCQKUzFLS2NBeVloTnNvMTE2QgotLS0gY1ZuZFdnTmMzOUc0 +TzQyU3RSREE1a3RXZkJ1dXFmc0FqT0dKNVNoUklEUQoXL7+OqcAg1iXZUO1Hhh9T +BD7Yk9PKVyq7KGDeXMo4HtYll8sWig14PmR7+XOr9Al/1w1WYOD5AAtIkk3G7veq +TtWlJ76Lu9GZpaNR/47d/z0AzFbBBmu9F+WVWBiZqFEx7m4ZlvyiKgZK6E9IyioK +8lT5QYaw8WhXcHPoE8a+DOnd9mY93D8MV0ob +-----END AGE ENCRYPTED FILE-----
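Review bot: `signKeyPath` makes harmonia sign everything in `/var/lib/harmonia` with the `nix-cache.nul.ie-1` key that every host in `lib/constants.nix` now trusts, and `ci/push-to-cache.sh` fills that store with `nix copy --no-check-sigs`, so the CI secret `HARMONIA_SSH_KEY` is in effect the cache's signing authority; that may well be the intended design, but it deserves a comment here such as `# Paths are signed on serve; anything the CI key can push becomes trusted by every host`. `priority = 30` also ranks this cache ahead of cache.nixos.org (40), so clients will query it first for every path; if that is deliberate, say so in the same comment, otherwise a value above 40 keeps the upstream cache preferred. The `services` attribute set these lines belong to starts before the hunk.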