Set up a Nix binary cache with attic

Erwin Boskma 2024-01-17 09:29:16 +01:00
parent a828dbed0d
commit 9494fd52d0
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
6 changed files with 224 additions and 1 deletions


@ -8,6 +8,7 @@ keys:
- &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
- &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
- &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
- &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
- &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
- &k3s-1 age1gsjy4em8u668tnx77jr7kk345m4hzmmt3seclzvsd25ldgwd45pq6zu7cv
- &k3s-2 age1ghda0mj5wc2vpksjuvaf3t0xklpcgnykvepzu9k5csf482ngpans9h05pp
@ -58,6 +59,12 @@ creation_rules:
- *erwin
- *erwin_horus
- *minio
- path_regex: machines/nix-cache/[^/]+\.yaml$
key_groups:
- age:
- *erwin
- *erwin_horus
- *nix-cache
- path_regex: machines/proxy/[^/]+\.ya?ml$
key_groups:
- age:
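Review bot: The new creation rule's `path_regex: machines/nix-cache/[^/]+\.yaml$` only matches a `.yaml` suffix, while the proxy rule directly below it uses `\.ya?ml$`; a `secrets.yml` placed under machines/nix-cache would not pick up this key group and sops would either apply a later rule or refuse to encrypt, depending on what follows. Unless the narrower pattern is intentional, `path_regex: machines/nix-cache/[^/]+\.ya?ml$` keeps the rules consistent. The recipient list itself (erwin, erwin_horus, nix-cache) matches the three age recipients in the new secrets file, which looks right.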


@ -91,6 +91,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
attic = {
url = "github:zhaofengli/attic";
# inputs.nixpkgs.follows = "nixpkgs";
};
caddy-with-plugins = {
url = "github:eboskma/caddy-with-plugins";
inputs = {
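Review bot: The commented-out `# inputs.nixpkgs.follows = "nixpkgs";` in the new `attic` input carries no explanation, and it is the one input in view that does not follow the flake's nixpkgs, so the lock file and closure presumably pick up a second nixpkgs checkout. A one-line reason next to it would save the next reader from re-trying the follow: `# deliberately not following our nixpkgs: <reason, e.g. attic's packages need its pinned nixpkgs> — TODO confirm and revisit`. The enclosing `inputs` attrset starts and ends outside the hunk.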


@ -1,4 +1,4 @@
{ nixos-hardware, nix-ld-rs, ... }:
{ nixos-hardware, nix-ld-rs, attic, ... }:
{ pkgs, config, ... }:
{
imports = [
@ -441,6 +441,19 @@
];
};
nix.settings.post-build-hook =
let
inherit (attic.packages.${pkgs.system}) attic-client;
in
pkgs.writeScript "upload-to-cache" ''
set -eu
set -f
export IFS=' '
echo "Uploading paths to cache " ''${OUT_PATHS}
exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
'';
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
ha_now_playing_token = {
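Review bot: `exec ${attic-client}/bin/attic push main ''${OUT_PATHS}` makes the push's exit status the hook's, and as documented for `post-build-hook` a failing hook does not fail the build that triggered it but stops further builds in that invocation, so an unreachable cache, a wrong cache name or an expired token turns into a stalled local build rather than a missed upload. If uploads are meant to be best-effort, `${attic-client}/bin/attic push main ''${OUT_PATHS} || echo "attic push failed" >&2` in place of the `exec` line keeps the build going; if they are meant to be mandatory, a comment saying so would help. The hook also runs as the daemon's user, so the client's server token has to be provisioned for root; a note such as `# attic-client reads its token from root's attic client config — TODO document how it is provisioned` above `nix.settings.post-build-hook` would make that dependency visible. The enclosing module attrset starts and ends outside the hunk.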


@ -0,0 +1,157 @@
{ self, attic, caddy-with-plugins, ... }:
{ pkgs, modulesPath, lib, config, ... }: {
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
attic.nixosModules.atticd
../../users/root
../../users/erwin
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "nix-cache";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
firewall = {
trustedInterfaces = [ "tailscale0" ];
allowPing = true;
allowedTCPPorts = [ 80 443 ];
};
};
systemd = {
network = {
enable = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.209/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
services = {
atticd = {
enable = true;
credentialsFile = config.sops.secrets.attic-credentials.path;
settings = {
listen = "127.0.0.1:8080";
garbage-collection = {
default-retention-period = "3 months";
};
storage = {
type = "s3";
bucket = "nix-cache";
endpoint = "https://minio.datarift.nl";
region = "local";
};
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
caddy = {
enable = true;
package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
};
email = "erwin@datarift.nl";
virtualHosts = {
"nix-cache.datarift.nl" = {
extraConfig = ''
@local_or_ts {
remote_ip 10.0.0.0/24 100.64.0.0/10
}
handle @local_or_ts {
reverse_proxy 127.0.0.1:8080
}
handle {
error "Nope." 401
}
tls {
dns cloudflare {env.CF_API_TOKEN}
}
'';
};
};
};
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
attic-credentials = { };
caddy-env = { };
};
system.stateVersion = "24.05";
}
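Review bot: `credentialsFile = config.sops.secrets.attic-credentials.path;` and `caddy-env = { };` say nothing about what each secret must contain, and nothing else in the file documents it, so the next person rotating these secrets has to reverse-engineer both. I would add `# EnvironmentFile for atticd: must set ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64, plus the access keys for the minio bucket below — TODO confirm variable names` above the `credentialsFile` line, and `# provides CF_API_TOKEN for the cloudflare DNS challenge in the caddy vhost` on the `caddy-env` secret. The `@local_or_ts` matcher is the only access control in front of atticd, since it binds to `127.0.0.1:8080` and ports 80/443 are open on every interface, so a comment on the `handle @local_or_ts` block stating that only the LAN and Tailscale ranges reach the cache and everything else gets the `401` would record that this is deliberate. The hunk header announces 157 added lines but only 131 are shown here, which looks like dropped blank lines rather than missing content.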


@ -0,0 +1,40 @@
attic-credentials: ENC[AES256_GCM,data:etoZnGbOvf9Bdi9WnQn22zwVl0MIiEy4w8RqFjAEURfknYMsdEe7PVn2P7rFIgDveFEFSdjkAeMLQayVlWTnMgxiDLudChqo9yHIM7iX/Atprp88hVqyCD4jzMdUigEdRDeeQArvTdqt5ggHf+3n4Z8tUUocT8RhKnV/72tyluNqxZhIHazM8vmd29w1bZ00zQZ5oznW67oEs1mamJ64Qif9UzxaiHNuH0lq1ZfNKOp/sr+zUeNYMtPVtqhCr1rAtTnmjPQtucMS0f7LG+3YOk3wuqVXqLmP6f/b3HT4FKZrCayIhVDCyjfd9Yw1v1pajSjcuxqfwseh,iv:wwMXAm2tfriVOUcdf32JS1VJJOXpH1zw6p3qRSXOkPw=,tag:sF2DFSQBrYe/GIzY24lU0A==,type:str]
caddy-env: ENC[AES256_GCM,data:ijlseM95t8VKfnGqLqwbcQtTC/RQO9FUsA+xKmuvnyx7NhSjeiRt28MPTFC+r88TQgIAn6Rb,iv:j7zPkwu50rbH68L9+5IVSLti5LYg5UXTtlfB/X0dYE4=,tag:tTenmoTOZhrqUP1cX5UOjQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeHVsbzI1Qy9rRHRDZHJp
U3RNRjA4dHh4WEU3c3FnRVVidDdNRGt2OUZRClhONmZMLzNBSlVocXczNnJQVzMw
N254MzVzOUlBSE0yRDdTZ2JuL0RhbmcKLS0tIEF1T3REaDlNckxWOFpxamxRUmFQ
S1hjb2k2ZWF6Z2VuclMwTWNMZnFJYXMKZbnomnD+ldSjuFgz5oBEx4K5zur7ije7
EqTxD4jkzhObETbBWuRp06Y+Chyg7OUWGyVcqtrGzPuWGO1IuqaJ4w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UXhxTXYwL1FqZ0xtNUw5
dHFzMjhwdDZKbDA2ZkFQc3ZHUDJtZ1IyWVRrClVoWnQ0VFNJQTBpbVBnb2VMWkow
VWZXODgzeThGUm5JeGRZdnlhdHNackEKLS0tIGhSWVZtZzJTK3E4aWt4Y3VlbjRU
b1ROUGlZVXc1aVl1ZGExM1lwVllwTWsKU44QxI1hotMyuegwluGZfAh6HuEJqyEt
TMqNzfszzEZgfEygvGdOvlw0XYBhXm2l8o7HB6gGRveNKvtKaBlnYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRzI2THYwbFpldU9rVXli
Z2FiZURYdEU0cWZUYTdzalhjVk5iRWNRL21VCjNmN1M1MnRwWFpMMDVGbHlFNXVC
amRQRkxUMjc1bTR2empqeDVRZzVraUEKLS0tIDlscm4vTk9XRUlIU0d3MnFrS05B
ZzFUMnMxMmloaUpxWlRubUM2bHhOTFkKIRtS3xGjED+0cH7Kj9q/milF1J2C2Nwq
+RB4wcVOrlA2Ak6pVZhdQ6yIbIt206GhqRaJT7Mss3jyuUrV7REizQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-14T16:42:16Z"
mac: ENC[AES256_GCM,data:0T230+KRS9BJhS2VJC/n01VezyH8f5I+FK+ZAqlIGYSU0d5CsAkFzP2fZCsfBMELCXaqNLriVMTF3nwJXG+V+HysjS6RFWoxd77T8j6FSri0LDo6ftT5Zy88/HOlIM/2Tng2YGHhXyeW3hDz++Xzw+ZY+dLSHzINFty7ORD8loA=,iv:o6w/FzyVwXIcAoYur8742r6VRsfNWgtocajKL1LdgdE=,tag:OaHhsaQbZs/AJbQg1gcxBA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -162,6 +162,7 @@ in
[
ardour
atool
inputs.attic.packages.${pkgs.system}.attic-client
bitwarden
blink1-tool
bottom