CI with attic cache

.gitea/workflows/ci.yaml

@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
+      - name: Install jq
+        run: apt-get update -y && apt-get install -y jq
       - uses: cachix/install-nix-action@v23
         with:
           # Gitea will supply a token in GITHUB_TOKEN, which this action will
@@ -18,16 +20,19 @@ jobs:
           extra_nix_config: |
             # Make sure we're using sandbox
             sandbox-fallback = false
-      - name: Fix Nix path
-        run: ln -s $(which nix) /usr/local/bin/nix
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-        env:
-          # Arch is amd64 in Gitea actions, this forms the download path for the cache
-          RUNNER_ARCH: X64
+      - name: Set up attic
+        run: |
+          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
+            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
+          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- use main
 
       - name: Write agenix secrets key to file
         env:
           KEY: ${{ secrets.AGENIX_SECRETS_KEY }}
         run: printf "$KEY" > .keys/ci.key
-      - name: Check flake
-        run: nix flake check
+      # - name: Check flake
+      #   run: nix flake check
+      - name: Push to cache
+        run: |
+          path=$(nix build --no-link .#nixosConfigurations.middleman.config.system.build.toplevel --json | jq -r .[0].outputs.out)
+          attic push main $path

devshell/default.nix

@@ -27,5 +27,6 @@ in
     rage
     deploy-rs.deploy-rs
     home-manager
+    attic-client
   ];
 }

flake.nix

@@ -95,6 +95,7 @@
             inputs.ragenix.overlays.default
             inputs.deploy-rs.overlay
             (flakePackageOverlay inputs.home-manager-unstable system)
+            inputs.attic.overlays.default
           ];
         }))
         pkgsFlakes;

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -440,14 +440,10 @@ in
       };
 
       "nix-cache.${pubDomain}" = {
-        extraConfig = ''
-          ${extraConfig}
-          proxy_set_header Host "nix-cache.s3.nul.ie";
-        '';
         locations = {
-          "/".proxyPass = s3Upstream;
+          "/".proxyPass = "http://${host}:8069";
           "~ ${nixCacheableRegex}" = {
-            proxyPass = s3Upstream;
+            proxyPass = "http://${host}:8069";
             extraConfig = nixCacheHeaders;
           };
         };

nixos/boxes/colony/vms/shill/containers/object.nix

@@ -1,6 +1,7 @@
 { lib, ... }:
 let
   inherit (lib.my) net;
+  inherit (lib.my.c) pubDomain;
   inherit (lib.my.c.colony) domain prefixes;
 in
 {
@@ -23,7 +24,7 @@ in
 
     configuration = { lib, pkgs, config, assignments, ... }:
     let
-      inherit (lib) mkMerge mkIf;
+      inherit (lib) mkMerge mkIf mkForce;
       inherit (config.my.user.homeConfig.lib.file) mkOutOfStoreSymlink;
       inherit (lib.my) networkdAssignment systemdAwaitPostgres;
     in
@@ -46,11 +47,12 @@ in
                   owner = config.my.user.config.name;
                   group = config.my.user.config.group;
                 };
+                "object/atticd.env" = {};
               };
             };
 
             firewall = {
-              tcp.allowed = [ 9000 9001 config.services.sharry.config.bind.port ];
+              tcp.allowed = [ 9000 9001 config.services.sharry.config.bind.port 8069 ];
             };
 
             user.homeConfig = {
@@ -147,6 +149,29 @@ in
                 };
               };
             };
+
+            atticd = {
+              enable = true;
+              credentialsFile = config.age.secrets."object/atticd.env".path;
+              settings = {
+                listen = "[::]:8069";
+                allowed-hosts = [ "nix-cache.${pubDomain}" ];
+                api-endpoint = "https://nix-cache.${pubDomain}/";
+                database = mkForce {}; # blank to pull from env
+                storage = {
+                  type = "s3";
+                  region = "eu-central-1";
+                  bucket = "nix-attic";
+                  endpoint = "http://localhost:9000";
+                };
+                chunking = {
+                  nar-size-threshold = 65536;
+                  min-size = 16384;
+                  avg-size = 65536;
+                  max-size = 262144;
+                };
+              };
+            };
           };
         }
         (mkIf config.my.build.isDevVM {

secrets/object/atticd.env.age

@@ -0,0 +1,19 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBFZGRt
+cjlNMnY4eDJ6enMzbjRrYk9rdk5aUlpjUFhWUXhrL0N1RFhOVnp3CmJWNzJXV3RW
+RGEzRTJxT01nZlIyTE84Y1poblUwa3VUUkxvK2ZUdHVFWlUKLT4gWDI1NTE5IEJn
+NFVUNk9mZXpUUCtRc1E2WjFhY2k1K1RpTFBLSTZpZzkrRjZEMC9nRzgKRXQvR1ZY
+d2gwOENSN283TlpBQlU3K2pndk5vZldqUmxQczloTEhFZFlFNAotPiBYMjU1MTkg
+cURjVytMNU1xUFdWcVVVL2pweXE3VUFHdkZvcVk1eUFpcEVWQkk4NkFYbwpUZkJv
+QnlXRFZmMi8wMUFOVHhIRVUxOG9VaENrbGwwUHI5YTBzbE5oMnVJCi0+IHMtZ3Jl
+YXNlClp4NmpRSTlOUjF2MnZnZVFaYUltNVdEZmdxSFpYK1NDVUY4TGFXRTB6KzlW
+dzBHVEs2TVdyNEpZTVU5ZktoMSsKNEtjUyttSVA5VTJoazg0ay9BCi0tLSBQbGx4
+T3BVUmo2KzNzdFd2MmlVWHM3OUtvRTV5dm9Hc1ZtdW9KT1UrYmNRCleCUn5rMaT3
+1eZtb7kLC2CATBgghXRv/ao9RAal9IrqEUiaeFk6H2IS5VL2ew97Chz2Rq48NQFG
+WpVxdM/Uhc2mVHXhHA7tUcMkICPwRSZ/B++1CvYBfzpGq+B2rPmMKAGeIk+yGFgt
+hWpssoaSMnaI58wBfT1SpNDPMm5ukQqcqb5LON/UZ4ExajNeTVEXZUJE6+cEfgrG
+/1n4Jp86A0jI45/IF+kxzP8MMgQs6aZ4/iiynMubJE8D7dB51QhTfx8RMQ4zOPyT
+Ak46cl7tZB+4sww7DE5sz5VXWMoEHig6qlLu0j/AonQCOMqoQj3dRiU0gfRJacu9
+4TMeDiY3GS0AjIIO6ENgnsk6gCn8tZ8HOZ85a9EbOT+LVjnL3EVVSup81uquGoJf
+Q6/0JkjFOWZuVJIaI2s6NFbfyA3vC1ig
+-----END AGE ENCRYPTED FILE-----