Use harmonia instead of attic for binary cache
	
		
			
	
		
	
	
		
	
		
		@@ -23,19 +23,18 @@ jobs:
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
            extra-substituters = https://nix-cache.nul.ie/main
 | 
					            extra-substituters = https://nix-cache.nul.ie/main
 | 
				
			||||||
            extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
 | 
					            extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
 | 
				
			||||||
      - name: Set up attic
 | 
					 | 
				
			||||||
        run: |
 | 
					 | 
				
			||||||
          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
 | 
					 | 
				
			||||||
            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
      - name: Check flake
 | 
					      # - name: Check flake
 | 
				
			||||||
        run: nix flake check
 | 
					      #   run: nix flake check --no-build
 | 
				
			||||||
      - name: Build the world
 | 
					      - name: Build the world
 | 
				
			||||||
        id: build
 | 
					        id: build
 | 
				
			||||||
        run: |
 | 
					        run: |
 | 
				
			||||||
          path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
 | 
					          # path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
 | 
				
			||||||
 | 
					          # nix build --no-link .#windowtolayer --json
 | 
				
			||||||
 | 
					          path=$(nix build --no-link .#windowtolayer --json | jq -r .[0].outputs.out)
 | 
				
			||||||
          echo "path=$path" >> "$GITHUB_OUTPUT"
 | 
					          echo "path=$path" >> "$GITHUB_OUTPUT"
 | 
				
			||||||
 | 
					          # cat "$GITHUB_OUTPUT"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
      - name: Push to cache
 | 
					      - name: Push to cache
 | 
				
			||||||
        run: |
 | 
					        run: |
 | 
				
			||||||
          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
 | 
					          ci/push-to-cache.sh "${{ steps.build.outputs.path }}"
 | 
				
			||||||
            push main ${{ steps.build.outputs.path }}
 | 
					 | 
				
			||||||
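Review bot: The `Check flake` step is commented out and `Build the world` now builds only `.#windowtolayer`, with the old `.#ci.x86_64-linux` line and a `cat "$GITHUB_OUTPUT"` left behind as comments, so this looks like debugging state rather than the pipeline meant to feed a cache that other machines trust. Restore `run: nix flake check` and the `.#ci.x86_64-linux` build before merging, or state in the commit message why they are off. In `Push to cache`, `${{ steps.build.outputs.path }}` is expanded into the script text before the shell runs; passing it through `env:` (for example `BUILD_PATH: ${{ steps.build.outputs.path }}` and then `ci/push-to-cache.sh "$BUILD_PATH"`) keeps the value out of the script source. The unchanged `extra-substituters` and `extra-trusted-public-keys` lines still name the `/main` cache and the `main:` key, so CI itself may not yet be reading from harmonia; worth confirming whether that is intended while atticd stays up.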
 
 | 
				
			|||||||
							
								
								
									
										1
									
								
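--- a/.keys/harmonia.pub
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia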
							
								
								
									
										26
									
								
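--- a/ci/push-to-cache.sh
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+REMOTE_STORE=/var/lib/harmonia
+HOST="object-ctr.ams1.int.nul.ie"
+SSH_HOST="harmonia@$HOST"
+SSH_KEY=/tmp/harmonia.key
+STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
+
+remote_cmd() {
+  ssh -i "$SSH_KEY" "$SSH_HOST" env NIX_REMOTE="$REMOTE_STORE" "$@"
+}
+
+echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
+mkdir -p ~/.ssh
+awk "{ print \"$HOST \" \$1 \" \" \$2 }" < .keys/harmonia.pub >> ~/.ssh/known_hosts
+path="$1"
+
+echo "Pushing $path to cache..."
+nix copy --to "$STORE_URI" "$path"
+
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d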
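Review bot: The decoded private key is written to the fixed path `/tmp/harmonia.key` with whatever umask the runner has, and it is never removed. Under the usual 022 umask the file ends up world-readable, which exposes the key to other users of the runner and also makes OpenSSH reject it as too open. Set `umask 077` before the `base64 -d` line, prefer a `mktemp` path assigned before `STORE_URI` is built, and add `trap 'rm -f "$SSH_KEY"' EXIT` so the key does not outlive the job. `$HARMONIA_SSH_KEY` is also used unchecked, so an unset secret produces an empty key file instead of an early, clear failure.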
@@ -102,6 +102,7 @@ rec {
 | 
				
			|||||||
      ];
 | 
					      ];
 | 
				
			||||||
      keys = [
 | 
					      keys = [
 | 
				
			||||||
        "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
 | 
					        "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
 | 
				
			||||||
 | 
					        "nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4="
 | 
				
			||||||
      ];
 | 
					      ];
 | 
				
			||||||
      conf = ''
 | 
					      conf = ''
 | 
				
			||||||
        extra-substituters = ${concatStringsSep " " substituters}
 | 
					        extra-substituters = ${concatStringsSep " " substituters}
 | 
				
			||||||
@@ -359,6 +360,7 @@ rec {
 | 
				
			|||||||
    deploy = ../.keys/deploy.pub;
 | 
					    deploy = ../.keys/deploy.pub;
 | 
				
			||||||
    rsyncNet = ../.keys/zh2855.rsync.net.pub;
 | 
					    rsyncNet = ../.keys/zh2855.rsync.net.pub;
 | 
				
			||||||
    mailcowAcme = ../.keys/mailcow-acme.pub;
 | 
					    mailcowAcme = ../.keys/mailcow-acme.pub;
 | 
				
			||||||
 | 
					    harmonia = ../.keys/harmonia.pub;
 | 
				
			||||||
  };
 | 
					  };
 | 
				
			||||||
  sshHostKeys = {
 | 
					  sshHostKeys = {
 | 
				
			||||||
    mail-vm = ../.keys/mail-vm-host.pub;
 | 
					    mail-vm = ../.keys/mail-vm-host.pub;
 | 
				
			||||||
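Review bot: `harmonia = ../.keys/harmonia.pub;` registers this file as a client key, and elsewhere in this commit it is fed to the `harmonia` user's `openssh.authorizedKeys.keyFiles`, yet `ci/push-to-cache.sh` writes the same file into `known_hosts` as the host key for `object-ctr.ams1.int.nul.ie`. Both uses can only hold if the CI secret is the server's own host private key; otherwise host verification either fails or pins a key that is not the host's. Add the container's real host public key under `sshHostKeys` (its opening is visible at the end of this hunk) and have the script build the `known_hosts` line from that file. The attribute set receiving `harmonia` opens outside the hunk; the name `sshKeyFiles` is taken from its use as `lib.my.c.sshKeyFiles.harmonia`.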
 
 | 
				
			|||||||
@@ -31,6 +31,13 @@ in
 | 
				
			|||||||
    {
 | 
					    {
 | 
				
			||||||
      config = mkMerge [
 | 
					      config = mkMerge [
 | 
				
			||||||
        {
 | 
					        {
 | 
				
			||||||
 | 
					          fileSystems = {
 | 
				
			||||||
 | 
					            "/var/lib/harmonia" = {
 | 
				
			||||||
 | 
					              device = "/mnt/atticd/harmonia";
 | 
				
			||||||
 | 
					              options = [ "bind" ];
 | 
				
			||||||
 | 
					            };
 | 
				
			||||||
 | 
					          };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
          my = {
 | 
					          my = {
 | 
				
			||||||
            deploy.enable = false;
 | 
					            deploy.enable = false;
 | 
				
			||||||
            server.enable = true;
 | 
					            server.enable = true;
 | 
				
			||||||
@@ -48,6 +55,7 @@ in
 | 
				
			|||||||
                  group = config.my.user.config.group;
 | 
					                  group = config.my.user.config.group;
 | 
				
			||||||
                };
 | 
					                };
 | 
				
			||||||
                "object/atticd.env" = {};
 | 
					                "object/atticd.env" = {};
 | 
				
			||||||
 | 
					                "nix-cache.key" = {};
 | 
				
			||||||
                "object/hedgedoc.env" = {};
 | 
					                "object/hedgedoc.env" = {};
 | 
				
			||||||
                "object/wastebin.env" = {};
 | 
					                "object/wastebin.env" = {};
 | 
				
			||||||
              };
 | 
					              };
 | 
				
			||||||
@@ -68,14 +76,26 @@ in
 | 
				
			|||||||
            };
 | 
					            };
 | 
				
			||||||
          };
 | 
					          };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
          users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in {
 | 
					          users = with lib.my.c.ids; mkMerge [
 | 
				
			||||||
 | 
					            (let inherit (config.services.atticd) user group; in {
 | 
				
			||||||
              users."${user}" = {
 | 
					              users."${user}" = {
 | 
				
			||||||
                isSystemUser = true;
 | 
					                isSystemUser = true;
 | 
				
			||||||
                uid = uids.atticd;
 | 
					                uid = uids.atticd;
 | 
				
			||||||
                group = group;
 | 
					                group = group;
 | 
				
			||||||
              };
 | 
					              };
 | 
				
			||||||
              groups."${user}".gid = gids.atticd;
 | 
					              groups."${user}".gid = gids.atticd;
 | 
				
			||||||
 | 
					            })
 | 
				
			||||||
 | 
					            {
 | 
				
			||||||
 | 
					              users = {
 | 
				
			||||||
 | 
					                harmonia = {
 | 
				
			||||||
 | 
					                  shell = pkgs.bashInteractive;
 | 
				
			||||||
 | 
					                  openssh.authorizedKeys.keyFiles = [
 | 
				
			||||||
 | 
					                    lib.my.c.sshKeyFiles.harmonia
 | 
				
			||||||
 | 
					                  ];
 | 
				
			||||||
                };
 | 
					                };
 | 
				
			||||||
 | 
					              };
 | 
				
			||||||
 | 
					            }
 | 
				
			||||||
 | 
					          ];
 | 
				
			||||||
 | 
					
 | 
				
			||||||
          systemd = {
 | 
					          systemd = {
 | 
				
			||||||
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
 | 
					            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
 | 
				
			||||||
@@ -93,7 +113,9 @@ in
 | 
				
			|||||||
                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
 | 
					                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
 | 
				
			||||||
                };
 | 
					                };
 | 
				
			||||||
              };
 | 
					              };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
              sharry = awaitPostgres;
 | 
					              sharry = awaitPostgres;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
              atticd = mkMerge [
 | 
					              atticd = mkMerge [
 | 
				
			||||||
                awaitPostgres
 | 
					                awaitPostgres
 | 
				
			||||||
                {
 | 
					                {
 | 
				
			||||||
@@ -104,6 +126,15 @@ in
 | 
				
			|||||||
                  };
 | 
					                  };
 | 
				
			||||||
                }
 | 
					                }
 | 
				
			||||||
              ];
 | 
					              ];
 | 
				
			||||||
 | 
					              harmonia = {
 | 
				
			||||||
 | 
					                environment.NIX_REMOTE = "/var/lib/harmonia";
 | 
				
			||||||
 | 
					                preStart = ''
 | 
				
			||||||
 | 
					                  ${config.nix.package}/bin/nix store ping
 | 
				
			||||||
 | 
					                '';
 | 
				
			||||||
 | 
					                serviceConfig = {
 | 
				
			||||||
 | 
					                  StateDirectory = "harmonia";
 | 
				
			||||||
 | 
					                };
 | 
				
			||||||
 | 
					              };
 | 
				
			||||||
            };
 | 
					            };
 | 
				
			||||||
          };
 | 
					          };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -203,6 +234,14 @@ in
 | 
				
			|||||||
              };
 | 
					              };
 | 
				
			||||||
            };
 | 
					            };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					            harmonia = {
 | 
				
			||||||
 | 
					              enable = true;
 | 
				
			||||||
 | 
					              signKeyPath = config.age.secrets."nix-cache.key".path;
 | 
				
			||||||
 | 
					              settings = {
 | 
				
			||||||
 | 
					                priority = 30;
 | 
				
			||||||
 | 
					              };
 | 
				
			||||||
 | 
					            };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            hedgedoc = {
 | 
					            hedgedoc = {
 | 
				
			||||||
              enable = true;
 | 
					              enable = true;
 | 
				
			||||||
              environmentFile = config.age.secrets."object/hedgedoc.env".path;
 | 
					              environmentFile = config.age.secrets."object/hedgedoc.env".path;
 | 
				
			||||||
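Review bot: The new `harmonia` user gets `pkgs.bashInteractive` and an unrestricted entry in `openssh.authorizedKeys.keyFiles`, so whoever holds the CI key can run any command as that account and place any path in `/var/lib/harmonia`. Because `services.harmonia` serves that store with `signKeyPath` set to `nix-cache.key`, and the `nix-cache.nul.ie-1` key is added to the trusted keys in this commit, the CI SSH key becomes equivalent in trust to the signing key for every machine using the cache. Consider listing the key through `openssh.authorizedKeys.keys` with the `restrict` option in front, plus a forced command that permits only the store daemon, `nix-env --set` on the one profile and `nix-collect-garbage`. A comment next to the user stating this trust relationship would help the next reader. The user block sets neither `isSystemUser` nor a group here; presumably the harmonia module supplies them, which is worth confirming.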
 
 | 
				
			|||||||
							
								
								
									
										12
									
								
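--- a/secrets/nix-cache.key.age
+++ b/secrets/nix-cache.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBpdExl
+TlRVTE44RlA1NVhHWGZoQWc0bWpCOHFySytnVmJsZlE4SXFQVnp3CjRoSXE4WWhr
+N1djTEtqNDFZdTJUcFVOc3RKUlpndHFBMFNQMnFBdVBpbzQKLT4gWDI1NTE5IEFV
+eHlMUTJlL3Bad1gxTFpJaTFONEkrc2dNUk55dVJqYmNubXNUcGtDRTQKRzRmWTVp
+L3FuaTg2UXpQbVdzTzk5R09VZzVTZzJHM010MUpadEZzU2d6SQotPiAuOlBBNGEt
+Z3JlYXNlIEI3VmMzNCQKUzFLS2NBeVloTnNvMTE2QgotLS0gY1ZuZFdnTmMzOUc0
+TzQyU3RSREE1a3RXZkJ1dXFmc0FqT0dKNVNoUklEUQoXL7+OqcAg1iXZUO1Hhh9T
+BD7Yk9PKVyq7KGDeXMo4HtYll8sWig14PmR7+XOr9Al/1w1WYOD5AAtIkk3G7veq
+TtWlJ76Lu9GZpaNR/47d/z0AzFbBBmu9F+WVWBiZqFEx7m4ZlvyiKgZK6E9IyioK
+8lT5QYaw8WhXcHPoE8a+DOnd9mY93D8MV0ob
+-----END AGE ENCRYPTED FILE-----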