From 94088b300863b6d0c1628ab5d6af418de2e77bc9 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan <jackos1998@gmail.com>
Date: Sat, 20 Jul 2024 16:46:10 +0100
Subject: [PATCH] Use harmonia instead of attic for binary cache

---
 .gitea/workflows/ci.yaml                      | 15 ++---
 .keys/harmonia.pub                            |  1 +
 ci/push-to-cache.sh                           | 22 ++++++++
 lib/constants.nix                             |  2 +
 .../colony/vms/shill/containers/object.nix    | 55 ++++++++++++++++---
 secrets/nix-cache.key.age                     | 12 ++++
 6 files changed, 90 insertions(+), 17 deletions(-)
 create mode 100644 .keys/harmonia.pub
 create mode 100755 ci/push-to-cache.sh
 create mode 100644 secrets/nix-cache.key.age

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 91ad07e..8ec1133 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -23,19 +23,16 @@ jobs:
 
             extra-substituters = https://nix-cache.nul.ie/main
             extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
-      - name: Set up attic
-        run: |
-          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
-            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
 
-      - name: Check flake
-        run: nix flake check
+      # - name: Check flake
+      #   run: nix flake check --no-build
       - name: Build the world
         id: build
         run: |
-          path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
+          # path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
+          path=$(nix build --no-link .#chocolate-doom2xx --json | jq -r .[0].outputs.out)
           echo "path=$path" >> "$GITHUB_OUTPUT"
+
       - name: Push to cache
         run: |
-          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
-            push main ${{ steps.build.outputs.path }}
+          ci/push-to-cache.sh "${{ steps.build.outputs.path }}"
diff --git a/.keys/harmonia.pub b/.keys/harmonia.pub
new file mode 100644
index 0000000..a32c056
--- /dev/null
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia
diff --git a/ci/push-to-cache.sh b/ci/push-to-cache.sh
new file mode 100755
index 0000000..e17b720
--- /dev/null
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+REMOTE_STORE=/var/lib/harmonia
+SSH_HOST="harmonia@object-ctr.ams1.int.nul.ie"
+SSH_KEY=/tmp/harmonia.key
+STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
+
+remote_cmd() {
+  ssh -i "$SSH_KEY" "$SSH_HOST" env NIX_REMOTE="$REMOTE_STORE" "$@"
+}
+
+echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
+path="$1"
+
+echo "Pushing $path to cache..."
+nix copy --to "$STORE_URI" "$path"
+
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d
diff --git a/lib/constants.nix b/lib/constants.nix
index 35eb3b0..5459886 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -102,6 +102,7 @@ rec {
       ];
       keys = [
         "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
+        "nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4="
       ];
       conf = ''
         extra-substituters = ${concatStringsSep " " substituters}
@@ -359,6 +360,7 @@ rec {
     deploy = ../.keys/deploy.pub;
     rsyncNet = ../.keys/zh2855.rsync.net.pub;
     mailcowAcme = ../.keys/mailcow-acme.pub;
+    harmonia = ../.keys/harmonia.pub;
   };
   sshHostKeys = {
     mail-vm = ../.keys/mail-vm-host.pub;
diff --git a/nixos/boxes/colony/vms/shill/containers/object.nix b/nixos/boxes/colony/vms/shill/containers/object.nix
index 019fc1c..0240e06 100644
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -31,6 +31,13 @@ in
     {
       config = mkMerge [
         {
+          fileSystems = {
+            "/var/lib/harmonia" = {
+              device = "/mnt/atticd/harmonia";
+              options = [ "bind" ];
+            };
+          };
+
           my = {
             deploy.enable = false;
             server.enable = true;
@@ -48,6 +55,7 @@ in
                   group = config.my.user.config.group;
                 };
                 "object/atticd.env" = {};
+                "nix-cache.key" = {};
                 "object/hedgedoc.env" = {};
                 "object/wastebin.env" = {};
               };
@@ -68,14 +76,26 @@ in
             };
           };
 
-          users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in {
-            users."${user}" = {
-              isSystemUser = true;
-              uid = uids.atticd;
-              group = group;
-            };
-            groups."${user}".gid = gids.atticd;
-          };
+          users = with lib.my.c.ids; mkMerge [
+            (let inherit (config.services.atticd) user group; in {
+              users."${user}" = {
+                isSystemUser = true;
+                uid = uids.atticd;
+                group = group;
+              };
+              groups."${user}".gid = gids.atticd;
+            })
+            {
+              users = {
+                harmonia = {
+                  shell = pkgs.bashInteractive;
+                  openssh.authorizedKeys.keyFiles = [
+                    lib.my.c.sshKeyFiles.harmonia
+                  ];
+                };
+              };
+            }
+          ];
 
           systemd = {
             network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
@@ -93,7 +113,9 @@ in
                   MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
                 };
               };
+
               sharry = awaitPostgres;
+
               atticd = mkMerge [
                 awaitPostgres
                 {
@@ -104,6 +126,15 @@ in
                   };
                 }
               ];
+              harmonia = {
+                environment.NIX_REMOTE = "/var/lib/harmonia";
+                preStart = ''
+                  ${config.nix.package}/bin/nix store ping
+                '';
+                serviceConfig = {
+                  StateDirectory = "harmonia";
+                };
+              };
             };
           };
 
@@ -203,6 +234,14 @@ in
               };
             };
 
+            harmonia = {
+              enable = true;
+              signKeyPath = config.age.secrets."nix-cache.key".path;
+              settings = {
+                priority = 30;
+              };
+            };
+
             hedgedoc = {
               enable = true;
               environmentFile = config.age.secrets."object/hedgedoc.env".path;
diff --git a/secrets/nix-cache.key.age b/secrets/nix-cache.key.age
new file mode 100644
index 0000000..570ab23
--- /dev/null
+++ b/secrets/nix-cache.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBpdExl
+TlRVTE44RlA1NVhHWGZoQWc0bWpCOHFySytnVmJsZlE4SXFQVnp3CjRoSXE4WWhr
+N1djTEtqNDFZdTJUcFVOc3RKUlpndHFBMFNQMnFBdVBpbzQKLT4gWDI1NTE5IEFV
+eHlMUTJlL3Bad1gxTFpJaTFONEkrc2dNUk55dVJqYmNubXNUcGtDRTQKRzRmWTVp
+L3FuaTg2UXpQbVdzTzk5R09VZzVTZzJHM010MUpadEZzU2d6SQotPiAuOlBBNGEt
+Z3JlYXNlIEI3VmMzNCQKUzFLS2NBeVloTnNvMTE2QgotLS0gY1ZuZFdnTmMzOUc0
+TzQyU3RSREE1a3RXZkJ1dXFmc0FqT0dKNVNoUklEUQoXL7+OqcAg1iXZUO1Hhh9T
+BD7Yk9PKVyq7KGDeXMo4HtYll8sWig14PmR7+XOr9Al/1w1WYOD5AAtIkk3G7veq
+TtWlJ76Lu9GZpaNR/47d/z0AzFbBBmu9F+WVWBiZqFEx7m4ZlvyiKgZK6E9IyioK
+8lT5QYaw8WhXcHPoE8a+DOnd9mY93D8MV0ob
+-----END AGE ENCRYPTED FILE-----