simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

Remove private binary cache

Browse source 
I don’t actually use it and it adds complexity to installing new
machines.
This commit is contained in:
Simon Bruder 2022-06-09 23:33:21 +02:00
parent 25785ebd58
commit 67b30a52af
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
5 changed files with 6 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
machines/fuuko/configuration.nix
View file

@ -5,7 +5,6 @@
../../modules ../../modules
../../users/simon ../../users/simon
./services/binary-cache.nix
./services/dnsmasq.nix ./services/dnsmasq.nix
./services/fritzbox-exporter.nix ./services/fritzbox-exporter.nix
./services/media-backup.nix ./services/media-backup.nix

7
machines/fuuko/secrets.yaml
View file

@ -1,4 +1,3 @@
nix-binary-cache-htpasswd: ENC[AES256_GCM,data:IktPHrrvExeZlCPmP82W9AovC59ILPbMQExVDO7U2S9lJ9cQKP14mQPuYwA+yKTycIdA01MwRDbt/SxhVleZ+aKkyOPwx/iG5B0cQX6cVqQWVTNVmxlW2sjupnnwwibcdikU21CIw6YsDKs7pMqRAfC/U2OJ3POo2qH5GgFY,iv:ofzEQ143HQQGZIEVkdWCrcENz0i6JPljLDGmG0A7aJ8=,tag:a557cdgRD25jWHhZeT+CnQ==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str] wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
sops: sops:
@ -7,8 +6,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-03-25T20:50:42Z" lastmodified: "2022-06-09T21:32:26Z"
mac: ENC[AES256_GCM,data:623fh+8fAZnRTiCsrUsiwLB/tW/36Z8P6/rOSzUS4eF3byoHxI6W1481dnnWq5mriAdzUPIF7+XzjwPTpnQArckdSHIcNZyF4bvFI2vb2V+1GKUpvPlQS6SkbrkhCPCVaR5ZRfdh0wuEh2YHTvpkdxxLg3SFjTi5fsW/wK/nJqc=,iv:b11FNjIp42A2dO5Sey50kAYPWdNjPmN0f5VOJYWSC7I=,tag:nDfew0H783gyY6h55D8lBw==,type:str] mac: ENC[AES256_GCM,data:96T1CeXtmu98I0pHrg3tZ7LNOk2O9NkIzGXm0HfbPa2D0JJa5oNpkaW3pxY9mF+CNz3zBb8RaDLoeFPhcJ7i5eGtGwL/yqAKJsoZZ2VmBUbgjKhYQMP2A4vxk2NCKjgeicAUjXzkbyhPQP411hGNuZWjjcQtUZRa8ErSXZ4LHEw=,iv:SJLSvQCnIMiPJh4ysUOQLv1O0cySFcT2Z+vfrq2E3C4=,tag:wT4t23H7UG2qZR//j3biOQ==,type:str]
pgp: pgp:
- created_at: "2021-04-06T11:27:21Z" - created_at: "2021-04-06T11:27:21Z"
enc: | enc: |
@ -51,4 +50,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.1 version: 3.7.3

76
machines/fuuko/services/binary-cache.nix
View file

@ -1,76 +0,0 @@
# This serves a local binary cache. If the request comes from my home network,
# it will set its priority higher than cache.nixos.org (which has a priority of
# 40), so local devices get a faster binary cache. If the request coes from
# outside my home network, it will set its priority lower, only store paths
# exclusive to this cache will be substituted.
# This only works well when a host does not change its “location”, since nix
# caches binary caches locally (per-user, also for root!) in
# ${XDG_CACHE_HOME:-$HOME/.cache}/.cache/nix/binary-cache-v6.sqlite and does
# not re-check or invalidate them. Devices that often are not at home should
# ensure that the cached priority is 50 to avoid slow substitutions.
{ config, lib, pkgs, ... }:
let
binaryCachePath = "/data/cache/nix-binary-cache";
in
{
sops.secrets.nix-binary-cache-htpasswd = {
owner = "nginx";
sopsFile = ../secrets.yaml;
};
services.nginx = {
appendHttpConfig = ''
geo $nix_binary_cache_priority {
default 50;
192.168.100.0/24 30;
2001:470:1f0b:abc::/64 30;
}
'';
virtualHosts."nix-cache.sbruder.de" = rec {
enableACME = true;
forceSSL = true;
root = binaryCachePath;
locations = {
"/nix-cache-info" = {
return = "200 \"StoreDir: /nix/store\\nPriority: $nix_binary_cache_priority\\n\"";
};
"/".extraConfig = ''
log_not_found off;
client_max_body_size 5G;
# WebDAV (for uploading)
dav_methods PUT DELETE;
create_full_put_path on; # nar/ does not exist by default
dav_access user:rw group:r all:r;
# same filesystem for temporary files
client_body_temp_path ${root}/.upload-tmp;
limit_except GET {
auth_basic "restricted upload";
auth_basic_user_file ${config.sops.secrets.nix-binary-cache-htpasswd.path};
}
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
${lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig))}
add_header Access-Control-Allow-Origin https://hydra.sbruder.de;
'';
"/nix/store/".proxyPass = "http://localhost:${toString config.services.nar-serve.port}";
};
};
};
systemd.services.nginx.serviceConfig.ReadWritePaths = lib.singleton binaryCachePath;
services.nar-serve = {
enable = true;
cacheURL = "file://${binaryCachePath}";
};
# nar-serve logs multiple lines on every request
systemd.services.nar-serve.serviceConfig.StandardOutput = "null";
}

19
modules/nix.nix
View file

@ -20,14 +20,6 @@ let
}; };
in in
{ {
sops.secrets = lib.mkIf config.sbruder.trusted {
binary-cache-secret-key = { };
nix-netrc = {
group = "wheel";
mode = "0440";
};
};
nix = { nix = {
# nix with flake support # nix with flake support
package = pkgs.nixFlakes; package = pkgs.nixFlakes;
@ -44,21 +36,10 @@ in
# Make sudoers trusted nix users # Make sudoers trusted nix users
trustedUsers = [ "@wheel" ]; trustedUsers = [ "@wheel" ];
binaryCaches = [
"https://nix-cache.sbruder.de/"
];
binaryCachePublicKeys = [
"nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
];
# On-the-fly optimisation of nix store # On-the-fly optimisation of nix store
autoOptimiseStore = true; autoOptimiseStore = true;
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
'' + lib.optionalString config.sbruder.trusted ''
# Binary cache upload
secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
netrc-file = ${config.sops.secrets.nix-netrc.path}
'' + lib.optionalString config.sbruder.full '' '' + lib.optionalString config.sbruder.full ''
# Keep output of derivations with gc root # Keep output of derivations with gc root
keep-outputs = true keep-outputs = true

8
secrets.yaml
View file

@ -1,5 +1,3 @@
binary-cache-secret-key: ENC[AES256_GCM,data:EHBLyOPY0WYrJLfdML3c1ZqXLknWTKmx1nmxpSzOeyR2vKOlu50Xjldnoyff/BwIAB1E16rJuuHtMb5PRXfL57AvLBAprg5RzqIzJqnCKl/EIk2bJ3NoD9t2aw48M9R4nk3ixXGYJztdoIz+G0/gnQ==,iv:jwwTaktWMPWFnCN3Ur84cgUm1kNZqzEEbyfZ7dIysWA=,tag:ky4fYddxwVpB4+8NzlmLWg==,type:str]
nix-netrc: ENC[AES256_GCM,data:F0vHeSsDDcaE5qAt7mNV0Az7NBdGjXfvn3v82R43bHhUJIH5lbbCUWQSyhDgA9aQ+NYACAhJCPAh7aWBzoimyfTSqZlSVglgZ3mkUT41BSanJYWTTyI6bW4YUsF+J4netFljsE15cn3+twZmNgtkTuzTEg==,iv:sISKlZx+pMU7LnaT1ZC6tZo8ITYXpgLwYPpkoG51zks=,tag:ZP7YN7Q2wVYpdV0huO+qeA==,type:str]
media-proxy-auth: ENC[AES256_GCM,data:OcmYZq/tyzMB61NfyYZ8gAlEE+8w2IhlPlZ+dfedtfqVlPHk3iJsd9mvsXHf5ODTtuy00ll0MF4KYNePZkz7TeuaIdBgGlshFyE4gwsJdPXZNYnhcg==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:14DT86PQdEuK9zyZzcAohA==,type:str] media-proxy-auth: ENC[AES256_GCM,data:OcmYZq/tyzMB61NfyYZ8gAlEE+8w2IhlPlZ+dfedtfqVlPHk3iJsd9mvsXHf5ODTtuy00ll0MF4KYNePZkz7TeuaIdBgGlshFyE4gwsJdPXZNYnhcg==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:14DT86PQdEuK9zyZzcAohA==,type:str]
media-ssh-key: ENC[AES256_GCM,data:cT5Jp5asgF2GZL4nn0rS4+tmli5adZjDa/G6WD/QXbOLtAjquytX63LKrLYUoTjOa7rNAjxDBIYEi90uvubKxOI0QbXACj0MSt6WbkxmosYResnFl9/WefpROctpGcDvn60fzer0K75IRBAtpAogVU7VynOkOuPa0xhTyAU8ZPOmij456UjpbtIgSg4yKVDn14jj/OZ1Oz+qd3bHC8FSQvp0jSKD9xfIizc2kb6ca3LRdR7VtJtTnJOOADRKaLC+rBywVyTOlCQBLiZ6LE9i6SmgFOdI+l6z9jE1Vi3vZ3BAe8Q/wWQ6Kjts+3+RkjPbgdjdWzxyHly/dr8lU1HcwtMHgKBV84asJBghCm6B1o48AEqd4oF9W039rCRQkR/VMb/ser0ifEjwnpDnDskrFYxWzidMKsfHGOtZxm7rzvOxSRA+Rcx9vxwa90gRsU4mBdx7QG0y3f/AbxRvVCuLLZW/y0JpCtE2B/mcObRvjsZP3RXQIS4vGAeTerd18RwsrsWO,iv:+ASa0hhWXmQ2hgJ9UuRFjnf/fA65kxWXiC+rDI6Lnx8=,tag:LDYSsN0DXAFiW0w+YBcopA==,type:str] media-ssh-key: ENC[AES256_GCM,data:cT5Jp5asgF2GZL4nn0rS4+tmli5adZjDa/G6WD/QXbOLtAjquytX63LKrLYUoTjOa7rNAjxDBIYEi90uvubKxOI0QbXACj0MSt6WbkxmosYResnFl9/WefpROctpGcDvn60fzer0K75IRBAtpAogVU7VynOkOuPa0xhTyAU8ZPOmij456UjpbtIgSg4yKVDn14jj/OZ1Oz+qd3bHC8FSQvp0jSKD9xfIizc2kb6ca3LRdR7VtJtTnJOOADRKaLC+rBywVyTOlCQBLiZ6LE9i6SmgFOdI+l6z9jE1Vi3vZ3BAe8Q/wWQ6Kjts+3+RkjPbgdjdWzxyHly/dr8lU1HcwtMHgKBV84asJBghCm6B1o48AEqd4oF9W039rCRQkR/VMb/ser0ifEjwnpDnDskrFYxWzidMKsfHGOtZxm7rzvOxSRA+Rcx9vxwa90gRsU4mBdx7QG0y3f/AbxRvVCuLLZW/y0JpCtE2B/mcObRvjsZP3RXQIS4vGAeTerd18RwsrsWO,iv:+ASa0hhWXmQ2hgJ9UuRFjnf/fA65kxWXiC+rDI6Lnx8=,tag:LDYSsN0DXAFiW0w+YBcopA==,type:str]
torrent-proxy-auth: ENC[AES256_GCM,data:4oi4uZCgslTvmso1SCedu3gKsOTCtYIAf3g1mBS6/ta3d/hd6GJ0Ns+/9w51WrhcyJQRLSR7jLlzxRzKFp6JvKXlNAeflXDqOKNfk0LXY1GKTZynOA==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:e8fO5Xpu7wpDiSC4CBsaaQ==,type:str] torrent-proxy-auth: ENC[AES256_GCM,data:4oi4uZCgslTvmso1SCedu3gKsOTCtYIAf3g1mBS6/ta3d/hd6GJ0Ns+/9w51WrhcyJQRLSR7jLlzxRzKFp6JvKXlNAeflXDqOKNfk0LXY1GKTZynOA==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:e8fO5Xpu7wpDiSC4CBsaaQ==,type:str]
@ -11,8 +9,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-05-14T14:52:12Z" lastmodified: "2022-06-09T21:33:06Z"
mac: ENC[AES256_GCM,data:EX4EUdhx1i9gdWmq+U3AAIGef2OLwsmwedR2K3jqz3Kf0fpF6rWdc5Rl1xZjW329lCwiTure5akyzU+y3bgDPPlxYUK+rBLasLzmeWQds49h0lBoibKJ6svfwt6rVguJMkpCnlLd8o/ROR3F8/UTm/+VBYL1cQyZI36fmJKR6Jk=,iv:87riv7ubEC2T4XKLpQ65J/yNrnyiyRzMWQkxgYff72o=,tag:Agol878GjW7iHJN6j+Mnyg==,type:str] mac: ENC[AES256_GCM,data:fIxn3nnbgF/IcQTGiFXPdzElupUw4mc8ri7GTwkE6uv9fw3AaoReVNIRIpoxjhoUE0ZkJs3wOElfmGJ8wFtkXQTF+PkeeI5RQB1+xofkQQnuHjBGbgYwD9mEHU36FkmSIkKzkkozvZBhGNZSrcKwKL83QpIOlxBTnRFIUmDm4n0=,iv:BLeAzU+mXJ00uxsMN/y8VzXU14O5reNKB3Kl5zRU3TY=,tag:5f83PCjyklB5g9rsxQQt+A==,type:str]
pgp: pgp:
- created_at: "2022-06-09T21:22:41Z" - created_at: "2022-06-09T21:22:41Z"
enc: | enc: |
@ -171,4 +169,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: FD4E1FB15DD0F36A77790229826C04C0BE319FA2 fp: FD4E1FB15DD0F36A77790229826C04C0BE319FA2
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.2 version: 3.7.3