Set up a Nix binary cache with attic

.sops.yaml

@@ -8,6 +8,7 @@ keys:
   - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
   - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
   - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
+  - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
   - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
   - &k3s-1 age1gsjy4em8u668tnx77jr7kk345m4hzmmt3seclzvsd25ldgwd45pq6zu7cv
   - &k3s-2 age1ghda0mj5wc2vpksjuvaf3t0xklpcgnykvepzu9k5csf482ngpans9h05pp
@@ -58,6 +59,12 @@ creation_rules:
           - *erwin
           - *erwin_horus
           - *minio
+  - path_regex: machines/nix-cache/[^/]+\.yaml$
+    key_groups:
+      - age:
+        - *erwin
+        - *erwin_horus
+        - *nix-cache
   - path_regex: machines/proxy/[^/]+\.ya?ml$
     key_groups:
       - age:

flake.nix

@@ -91,6 +91,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    attic = {
+      url = "github:zhaofengli/attic";
+      # inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     caddy-with-plugins = {
       url = "github:eboskma/caddy-with-plugins";
       inputs = {

machines/loki/configuration.nix

@@ -1,4 +1,4 @@
-{ nixos-hardware, nix-ld-rs, ... }:
+{ nixos-hardware, nix-ld-rs, attic, ... }:
 { pkgs, config, ... }:
 {
   imports = [
@@ -441,6 +441,19 @@
     ];
   };
 
+  nix.settings.post-build-hook =
+    let
+      inherit (attic.packages.${pkgs.system}) attic-client;
+    in
+    pkgs.writeScript "upload-to-cache" ''
+      set -eu
+      set -f
+      export IFS=' '
+
+      echo "Uploading paths to cache " ''${OUT_PATHS}
+      exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
+    '';
+
   sops.defaultSopsFile = ./secrets.yaml;
   sops.secrets = {
     ha_now_playing_token = {

machines/nix-cache/configuration.nix

@@ -0,0 +1,157 @@
+{ self, attic, caddy-with-plugins, ... }:
+{ pkgs, modulesPath, lib, config, ... }: {
+  imports = [
+    (modulesPath + "/virtualisation/lxc-container.nix")
+    attic.nixosModules.atticd
+    ../../users/root
+    ../../users/erwin
+  ];
+
+  eboskma = {
+    users.erwin = {
+      enable = true;
+      server = true;
+    };
+    nix-common = {
+      enable = true;
+      remote-builders = true;
+    };
+    tailscale.enable = true;
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+  system.configurationRevision = lib.mkIf (self ? rev) self.rev;
+
+  networking = {
+    hostName = "nix-cache";
+    useDHCP = false;
+    useHostResolvConf = false;
+    networkmanager.enable = false;
+    useNetworkd = true;
+
+    firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowPing = true;
+
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  systemd = {
+    network = {
+      enable = true;
+
+      networks = {
+        "40-eth0" = {
+          matchConfig = {
+            Name = "eth0";
+          };
+
+          networkConfig = {
+            Address = "10.0.0.209/24";
+            Gateway = "10.0.0.1";
+            DNS = "10.0.0.206";
+            DHCP = "no";
+          };
+        };
+      };
+    };
+
+    services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
+  };
+
+  security = {
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+    sudo.enable = false;
+  };
+
+  services = {
+    atticd = {
+      enable = true;
+
+      credentialsFile = config.sops.secrets.attic-credentials.path;
+      settings = {
+        listen = "127.0.0.1:8080";
+
+        garbage-collection = {
+          default-retention-period = "3 months";
+        };
+
+        storage = {
+          type = "s3";
+          bucket = "nix-cache";
+          endpoint = "https://minio.datarift.nl";
+          region = "local";
+        };
+
+        # Data chunking
+        #
+        # Warning: If you change any of the values here, it will be
+        # difficult to reuse existing chunks for newly-uploaded NARs
+        # since the cutpoints will be different. As a result, the
+        # deduplication ratio will suffer for a while after the change.
+        chunking = {
+          # The minimum NAR size to trigger chunking
+          #
+          # If 0, chunking is disabled entirely for newly-uploaded NARs.
+          # If 1, all NARs are chunked.
+          nar-size-threshold = 64 * 1024; # 64 KiB
+
+          # The preferred minimum size of a chunk, in bytes
+          min-size = 16 * 1024; # 16 KiB
+
+          # The preferred average size of a chunk, in bytes
+          avg-size = 64 * 1024; # 64 KiB
+
+          # The preferred maximum size of a chunk, in bytes
+          max-size = 256 * 1024; # 256 KiB
+        };
+      };
+    };
+
+    caddy = {
+      enable = true;
+      package = caddy-with-plugins.lib.caddyWithPackages {
+        inherit (pkgs) caddy buildGoModule;
+        plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
+        vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
+      };
+
+      email = "erwin@datarift.nl";
+
+      virtualHosts = {
+        "nix-cache.datarift.nl" = {
+          extraConfig = ''
+            @local_or_ts {
+              remote_ip 10.0.0.0/24 100.64.0.0/10
+            }
+
+            handle @local_or_ts {
+              reverse_proxy 127.0.0.1:8080
+            }
+            handle {
+              error "Nope." 401
+            }
+
+            tls {
+              dns cloudflare {env.CF_API_TOKEN}
+            }
+          '';
+        };
+      };
+    };
+  };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    attic-credentials = { };
+    caddy-env = { };
+  };
+
+  system.stateVersion = "24.05";
+
+}

machines/nix-cache/secrets.yaml

@@ -0,0 +1,40 @@
+attic-credentials: ENC[AES256_GCM,data:etoZnGbOvf9Bdi9WnQn22zwVl0MIiEy4w8RqFjAEURfknYMsdEe7PVn2P7rFIgDveFEFSdjkAeMLQayVlWTnMgxiDLudChqo9yHIM7iX/Atprp88hVqyCD4jzMdUigEdRDeeQArvTdqt5ggHf+3n4Z8tUUocT8RhKnV/72tyluNqxZhIHazM8vmd29w1bZ00zQZ5oznW67oEs1mamJ64Qif9UzxaiHNuH0lq1ZfNKOp/sr+zUeNYMtPVtqhCr1rAtTnmjPQtucMS0f7LG+3YOk3wuqVXqLmP6f/b3HT4FKZrCayIhVDCyjfd9Yw1v1pajSjcuxqfwseh,iv:wwMXAm2tfriVOUcdf32JS1VJJOXpH1zw6p3qRSXOkPw=,tag:sF2DFSQBrYe/GIzY24lU0A==,type:str]
+caddy-env: ENC[AES256_GCM,data:ijlseM95t8VKfnGqLqwbcQtTC/RQO9FUsA+xKmuvnyx7NhSjeiRt28MPTFC+r88TQgIAn6Rb,iv:j7zPkwu50rbH68L9+5IVSLti5LYg5UXTtlfB/X0dYE4=,tag:tTenmoTOZhrqUP1cX5UOjQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeHVsbzI1Qy9rRHRDZHJp
+            U3RNRjA4dHh4WEU3c3FnRVVidDdNRGt2OUZRClhONmZMLzNBSlVocXczNnJQVzMw
+            N254MzVzOUlBSE0yRDdTZ2JuL0RhbmcKLS0tIEF1T3REaDlNckxWOFpxamxRUmFQ
+            S1hjb2k2ZWF6Z2VuclMwTWNMZnFJYXMKZbnomnD+ldSjuFgz5oBEx4K5zur7ije7
+            EqTxD4jkzhObETbBWuRp06Y+Chyg7OUWGyVcqtrGzPuWGO1IuqaJ4w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UXhxTXYwL1FqZ0xtNUw5
+            dHFzMjhwdDZKbDA2ZkFQc3ZHUDJtZ1IyWVRrClVoWnQ0VFNJQTBpbVBnb2VMWkow
+            VWZXODgzeThGUm5JeGRZdnlhdHNackEKLS0tIGhSWVZtZzJTK3E4aWt4Y3VlbjRU
+            b1ROUGlZVXc1aVl1ZGExM1lwVllwTWsKU44QxI1hotMyuegwluGZfAh6HuEJqyEt
+            TMqNzfszzEZgfEygvGdOvlw0XYBhXm2l8o7HB6gGRveNKvtKaBlnYg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRzI2THYwbFpldU9rVXli
+            Z2FiZURYdEU0cWZUYTdzalhjVk5iRWNRL21VCjNmN1M1MnRwWFpMMDVGbHlFNXVC
+            amRQRkxUMjc1bTR2empqeDVRZzVraUEKLS0tIDlscm4vTk9XRUlIU0d3MnFrS05B
+            ZzFUMnMxMmloaUpxWlRubUM2bHhOTFkKIRtS3xGjED+0cH7Kj9q/milF1J2C2Nwq
+            +RB4wcVOrlA2Ak6pVZhdQ6yIbIt206GhqRaJT7Mss3jyuUrV7REizQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-14T16:42:16Z"
+    mac: ENC[AES256_GCM,data:0T230+KRS9BJhS2VJC/n01VezyH8f5I+FK+ZAqlIGYSU0d5CsAkFzP2fZCsfBMELCXaqNLriVMTF3nwJXG+V+HysjS6RFWoxd77T8j6FSri0LDo6ftT5Zy88/HOlIM/2Tng2YGHhXyeW3hDz++Xzw+ZY+dLSHzINFty7ORD8loA=,iv:o6w/FzyVwXIcAoYur8742r6VRsfNWgtocajKL1LdgdE=,tag:OaHhsaQbZs/AJbQg1gcxBA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

users/erwin/home.nix

@@ -162,6 +162,7 @@ in
             [
               ardour
               atool
+              inputs.attic.packages.${pkgs.system}.attic-client
               bitwarden
               blink1-tool
               bottom