Use harmonia instead of attic for binary cache
Some checks failed
CI / Check, build and cache Nix flake (push) Failing after 1m40s
parent
1ea172e690
commit
94088b3008
@ -23,19 +23,16 @@ jobs:
|
||||
|
||||
extra-substituters = https://nix-cache.nul.ie/main
|
||||
extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
|
||||
- name: Set up attic
|
||||
run: |
|
||||
nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
|
||||
login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
|
||||
|
||||
- name: Check flake
|
||||
run: nix flake check
|
||||
# - name: Check flake
|
||||
# run: nix flake check --no-build
|
||||
- name: Build the world
|
||||
id: build
|
||||
run: |
|
||||
path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
|
||||
# path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
|
||||
path=$(nix build --no-link .#chocolate-doom2xx --json | jq -r .[0].outputs.out)
|
||||
echo "path=$path" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Push to cache
|
||||
run: |
|
||||
nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
|
||||
push main ${{ steps.build.outputs.path }}
|
||||
ci/push-to-cache.sh "${{ steps.build.outputs.path }}"
|
||||
|
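Review bot: The "Push to cache" step calls `ci/push-to-cache.sh`, which reads `HARMONIA_SSH_KEY` from its environment, but no `env:` mapping for that secret is visible on the step; unless it is set at job level outside this hunk, the script will decode an empty key. The step also splices `${{ steps.build.outputs.path }}` straight into the shell text, so passing both values through the environment is safer: `env: { HARMONIA_SSH_KEY: "${{ secrets.<SECRET_NAME_PLACEHOLDER> }}", CACHE_PATH: "${{ steps.build.outputs.path }}" }` with `run: ci/push-to-cache.sh "$CACHE_PATH"`. Separately, the commented-out `nix flake check` and the build target switched to `.#chocolate-doom2xx` look like debugging leftovers, and would leave CI neither checking the flake nor caching `.#ci`.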
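--- a/.keys/harmonia.pub
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia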
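--- a/ci/push-to-cache.sh
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+REMOTE_STORE=/var/lib/harmonia
+SSH_HOST="harmonia@object-ctr.ams1.int.nul.ie"
+SSH_KEY=/tmp/harmonia.key
+STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
+
+remote_cmd() {
+ssh -i "$SSH_KEY" "$SSH_HOST" env NIX_REMOTE="$REMOTE_STORE" "$@"
+}
+
+echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
+path="$1"
+
+echo "Pushing $path to cache..."
+nix copy --to "$STORE_URI" "$path"
+
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d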
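Review bot: The decoded private key is written to the fixed path `/tmp/harmonia.key` by a plain redirect. It therefore takes the runner's default umask (typically world-readable, which OpenSSH also rejects as too open), is never deleted, and sits at a predictable name in a shared directory. The script also has no `set -e`, so a failed `nix copy` still goes on to update the profile and run garbage collection on the remote store. I would create the key under `umask 077` in a `mktemp` file, remove it in an exit trap, and fail fast on errors or a missing argument. How the host key of `object-ctr.ams1.int.nul.ie` is verified is not visible here; pinning it with a known_hosts entry is worth doing.

```shell
#!/bin/sh
set -eu
umask 077

# … unchanged: REMOTE_STORE, SSH_HOST …
SSH_KEY=$(mktemp)
trap 'rm -f "$SSH_KEY"' EXIT INT TERM
# … unchanged: STORE_URI, remote_cmd …

printf '%s' "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
path="${1:?usage: push-to-cache.sh STORE_PATH}"
# … unchanged: nix copy, profile update, garbage collection …
```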
@ -102,6 +102,7 @@ rec {
|
||||
];
|
||||
keys = [
|
||||
"main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
|
||||
"nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4="
|
||||
];
|
||||
conf = ''
|
||||
extra-substituters = ${concatStringsSep " " substituters}
|
||||
@ -359,6 +360,7 @@ rec {
|
||||
deploy = ../.keys/deploy.pub;
|
||||
rsyncNet = ../.keys/zh2855.rsync.net.pub;
|
||||
mailcowAcme = ../.keys/mailcow-acme.pub;
|
||||
harmonia = ../.keys/harmonia.pub;
|
||||
};
|
||||
sshHostKeys = {
|
||||
mail-vm = ../.keys/mail-vm-host.pub;
|
||||
|
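Review bot: The `keys` list keeps `main:mMChk…` trusted next to the apparently new `nix-cache.nul.ie-1:` key, and the workflow still sets `extra-trusted-public-keys` to the `main:` key. Clients therefore continue to accept anything signed by the attic key after the switch to harmonia. If that is a deliberate migration window, say so with a comment such as `# attic key, remove once all hosts substitute from harmonia`; otherwise drop the entry, since every trusted key widens what can be substituted into the store. The enclosing `rec { … }` set starts and ends outside the hunk.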
@ -31,6 +31,13 @@ in
|
||||
{
|
||||
config = mkMerge [
|
||||
{
|
||||
fileSystems = {
|
||||
"/var/lib/harmonia" = {
|
||||
device = "/mnt/atticd/harmonia";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
||||
my = {
|
||||
deploy.enable = false;
|
||||
server.enable = true;
|
||||
@ -48,6 +55,7 @@ in
|
||||
group = config.my.user.config.group;
|
||||
};
|
||||
"object/atticd.env" = {};
|
||||
"nix-cache.key" = {};
|
||||
"object/hedgedoc.env" = {};
|
||||
"object/wastebin.env" = {};
|
||||
};
|
||||
@ -68,14 +76,26 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in {
|
||||
users = with lib.my.c.ids; mkMerge [
|
||||
(let inherit (config.services.atticd) user group; in {
|
||||
users."${user}" = {
|
||||
isSystemUser = true;
|
||||
uid = uids.atticd;
|
||||
group = group;
|
||||
};
|
||||
groups."${user}".gid = gids.atticd;
|
||||
})
|
||||
{
|
||||
users = {
|
||||
harmonia = {
|
||||
shell = pkgs.bashInteractive;
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
lib.my.c.sshKeyFiles.harmonia
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
systemd = {
|
||||
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
|
||||
@ -93,7 +113,9 @@ in
|
||||
MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
|
||||
};
|
||||
};
|
||||
|
||||
sharry = awaitPostgres;
|
||||
|
||||
atticd = mkMerge [
|
||||
awaitPostgres
|
||||
{
|
||||
@ -104,6 +126,15 @@ in
|
||||
};
|
||||
}
|
||||
];
|
||||
harmonia = {
|
||||
environment.NIX_REMOTE = "/var/lib/harmonia";
|
||||
preStart = ''
|
||||
${config.nix.package}/bin/nix store ping
|
||||
'';
|
||||
serviceConfig = {
|
||||
StateDirectory = "harmonia";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -203,6 +234,14 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
harmonia = {
|
||||
enable = true;
|
||||
signKeyPath = config.age.secrets."nix-cache.key".path;
|
||||
settings = {
|
||||
priority = 30;
|
||||
};
|
||||
};
|
||||
|
||||
hedgedoc = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets."object/hedgedoc.env".path;
|
||||
|
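Review bot: The new `harmonia` user in the `users` hunk pairs `shell = pkgs.bashInteractive` with an unrestricted authorized key whose private half is held by CI. Whoever obtains that CI secret gets a general shell on this host and write access to the store harmonia serves. If harmonia signs paths at serve time with `signKeyPath` (worth confirming), anything written with that key is then offered under the trusted cache key. At minimum I would add the `restrict` option to the key, e.g. `openssh.authorizedKeys.keys = [ "restrict ${lib.fileContents lib.my.c.sshKeyFiles.harmonia}" ];`, and consider a forced-command wrapper that allows only the store protocol and the two maintenance commands. The enclosing `config` block continues outside the hunk.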
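--- a/secrets/nix-cache.key.age
+++ b/secrets/nix-cache.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBpdExl
+TlRVTE44RlA1NVhHWGZoQWc0bWpCOHFySytnVmJsZlE4SXFQVnp3CjRoSXE4WWhr
+N1djTEtqNDFZdTJUcFVOc3RKUlpndHFBMFNQMnFBdVBpbzQKLT4gWDI1NTE5IEFV
+eHlMUTJlL3Bad1gxTFpJaTFONEkrc2dNUk55dVJqYmNubXNUcGtDRTQKRzRmWTVp
+L3FuaTg2UXpQbVdzTzk5R09VZzVTZzJHM010MUpadEZzU2d6SQotPiAuOlBBNGEt
+Z3JlYXNlIEI3VmMzNCQKUzFLS2NBeVloTnNvMTE2QgotLS0gY1ZuZFdnTmMzOUc0
+TzQyU3RSREE1a3RXZkJ1dXFmc0FqT0dKNVNoUklEUQoXL7+OqcAg1iXZUO1Hhh9T
+BD7Yk9PKVyq7KGDeXMo4HtYll8sWig14PmR7+XOr9Al/1w1WYOD5AAtIkk3G7veq
+TtWlJ76Lu9GZpaNR/47d/z0AzFbBBmu9F+WVWBiZqFEx7m4ZlvyiKgZK6E9IyioK
+8lT5QYaw8WhXcHPoE8a+DOnd9mY93D8MV0ob
+-----END AGE ENCRYPTED FILE-----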