From 8d9e3af21158847eca886e83b4a23a196c2d469a Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Thu, 8 Apr 2021 16:19:57 +0200
Subject: [PATCH] Add binary cache hosted on fuuko

See machines/fuuko/services/binary-cache.nix for limitations.
---
 machines/fuuko/configuration.nix | 1 +
 machines/fuuko/secrets.yaml | 5 +-
 machines/fuuko/services/binary-cache.nix | 60 ++++++++++++++++++++++++
 modules/default.nix | 18 ++++++-
 secrets.yaml | 6 ++-
 5 files changed, 84 insertions(+), 6 deletions(-)
 create mode 100644 machines/fuuko/services/binary-cache.nix

diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index 6c2438d..b8a3c46 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -6,6 +6,7 @@ ../../users/simon ./services/ankisyncd.nix + ./services/binary-cache.nix ./services/dnsmasq.nix ./services/drone ./services/gitea.nix
diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml
index 6b95961..2130444 100644
--- a/machines/fuuko/secrets.yaml
+++ b/machines/fuuko/secrets.yaml
@@ -1,6 +1,7 @@
 drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
 drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
 gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
+nix-binary-cache-htpasswd: ENC[AES256_GCM,data:IktPHrrvExeZlCPmP82W9AovC59ILPbMQExVDO7U2S9lJ9cQKP14mQPuYwA+yKTycIdA01MwRDbt/SxhVleZ+aKkyOPwx/iG5B0cQX6cVqQWVTNVmxlW2sjupnnwwibcdikU21CIw6YsDKs7pMqRAfC/U2OJ3POo2qH5GgFY,iv:ofzEQ143HQQGZIEVkdWCrcENz0i6JPljLDGmG0A7aJ8=,tag:a557cdgRD25jWHhZeT+CnQ==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str]
 restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str]
 restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str]
@@ -13,8 +14,8 @@ sops:
 gcp_kms: []
 azure_kv: []
 hc_vault: []
- lastmodified: '2021-04-07T10:20:03Z'
- mac: ENC[AES256_GCM,data:OzXpColS5Di4qRXSdkV5Ue2FqysF/GYzX9kQcEiAOZaDb9uUoKBs8EakZ4pOfcgug2/v1BIQ0aQ/Xf2uCERJzvj3rC+2Gdng0p9AC1aelEIm3vxo4hliKEG1eo5KlIrroTaQlxb1wXGKDabuy+8P57reVbLNQuM9ioQ5teuSWLk=,iv:VksbYHEVP/5zvGCgFg9e3pegDrxljkosVretlvaa6w0=,tag:mafF7XQFchHrSA2n9mE0BQ==,type:str]
+ lastmodified: '2021-04-08T11:39:09Z'
+ mac: ENC[AES256_GCM,data:4Z7Gvr2wi0rIwS8iBlwEfap4aAP1BPMlKX2WwCYPxt6BTnK1LLoZvZq4Wk6R2tm/6PchtJt8YDx5abS+hq4xMS7EmJuvBMFNe1pWGo5xqvzQi+CuBJ7+oTWEURP+vsgYypMgzHh1NjpLXJOZr+F60ZzdeIVRu9qiETDY18o2h08=,iv:Qe/b0lOs0FQr68Ga2rSoh1xYa6V6vWPJOXXNxtJEZNI=,tag:kkJldwps/dC4ozpQ7HQaUw==,type:str]
 pgp:
 - created_at: '2021-04-06T11:27:21Z'
 enc: |
diff --git a/machines/fuuko/services/binary-cache.nix b/machines/fuuko/services/binary-cache.nix
new file mode 100644
index 0000000..b724b7f
--- /dev/null
+++ b/machines/fuuko/services/binary-cache.nix
@@ -0,0 +1,60 @@
+# This serves a local binary cache. If the request comes from my home network,
+# it will set its priority higher than cache.nixos.org (which has a priority of
+# 40), so local devices get a faster binary cache. If the request coes from
+# outside my home network, it will set its priority lower, only store paths
+# exclusive to this cache will be substituted.
+# This only works well when a host does not change its “location”, since nix
+# caches binary caches locally (per-user, also for root!) in
+# ${XDG_CACHE_HOME:-$HOME/.cache}/.cache/nix/binary-cache-v6.sqlite and does
+# not re-check or invalidate them. Devices that often are not at home should
+# ensure that the cached priority is 50 to avoid slow substitutions.
+{ config, lib, ... }:
+let
+ binaryCachePath = "/data/cache/nix-binary-cache";
+in
+{
+ sops.secrets.nix-binary-cache-htpasswd = {
+ owner = "nginx";
+ sopsFile = ../secrets.yaml;
+ };
+
+ services.nginx = {
+ appendHttpConfig = ''
+ geo $nix_binary_cache_priority {
+ default 50;
+
+ 192.168.100.0/24 30;
+ 2001:470:1f0b:abc::/64 30;
+ }
+ '';
+ virtualHosts."nix-cache.sbruder.de" = rec {
+ enableACME = true;
+ forceSSL = true;
+ root = binaryCachePath;
+ locations = {
+ "/nix-cache-info" = {
+ return = "200 \"StoreDir: /nix/store\\nPriority: $nix_binary_cache_priority\\n\"";
+ };
+ "/".extraConfig = ''
+ log_not_found off;
+
+ client_max_body_size 5G;
+
+ # WebDAV (for uploading)
+ dav_methods PUT DELETE;
+ create_full_put_path on; # nar/ does not exist by default
+ dav_access user:rw group:r all:r;
+ # same filesystem for temporary files
+ client_body_temp_path ${root}/.upload-tmp;
+
+ limit_except GET {
+ auth_basic "restricted upload";
+ auth_basic_user_file ${config.sops.secrets.nix-binary-cache-htpasswd.path};
+ }
+ '';
+ };
+ };
+ };
+
+ systemd.services.nginx.serviceConfig.ReadWritePaths = lib.singleton binaryCachePath;
+}
diff --git a/modules/default.nix b/modules/default.nix
index 36a3a28..f93a627 100644
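Review bot: `client_body_temp_path ${root}/.upload-tmp` places nginx's in-flight request bodies inside the directory that `root = binaryCachePath` serves, so a partially written PUT should be retrievable anonymously under `/.upload-tmp/` until the upload finishes, because `limit_except GET` only guards non-GET methods and no location hides that dot-directory. A sibling of the `"/nix-cache-info"` location, `"/.upload-tmp/" = { return = "404"; };`, closes that while keeping the temporary files on the same filesystem as the comment requires. The header comment should also say that the server never inspects uploaded narinfo or nar files: integrity rests entirely on the htpasswd credential and on clients verifying signatures against `binaryCachePublicKeys`, so whoever holds the upload credential can publish any path. Minor: `coes` in the header comment should read `comes`.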
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -105,6 +108,9 @@ in
 allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
 };
 
+ sops.secrets.binary-cache-secret-key = { };
+ sops.secrets.nix-netrc = { };
+
 nix = {
 nixPath = [
 "/var/src" # pinned nixpkgs and configuration
@@ -114,10 +117,21 @@ in
 # Make sudoers trusted nix users
 trustedUsers = [ "@wheel" ];
 
+ binaryCaches = [
+ "https://nix-cache.sbruder.de/"
+ ];
+ binaryCachePublicKeys = [
+ "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
+ ];
+
 # On-the-fly optimisation of nix store
 autoOptimiseStore = true;
- # Keep output of derivations with gc root
- extraOptions = lib.optionalString config.sbruder.full ''
+ extraOptions = ''
+ # Binary cache upload
+ secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
+ netrc-file = ${config.sops.secrets.nix-netrc.path}
+ '' + lib.optionalString config.sbruder.full ''
+ # Keep output of derivations with gc root
 keep-outputs = true
 keep-derivations = true
 '';
diff --git a/secrets.yaml b/secrets.yaml
index 1df4ae7..c4c7a4d 100644
--- a/secrets.yaml
+++ b/secrets.yaml
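Review bot: `sops.secrets.binary-cache-secret-key` and `sops.secrets.nix-netrc` in the first hunk, together with `secret-key-files` and `netrc-file` in the second, live in `modules/default.nix`, which from its name and the host-wide settings around it (`trustedUsers`, `binaryCaches`) appears to be imported by every machine, so the cache's signing private key and the upload credential would be provisioned on every host rather than only on the ones that push; since every host also trusts that key via `binaryCachePublicKeys`, one compromised device is then enough to publish store paths that all the others substitute without objection. It would be safer to hold the key and netrc only where they are used, gating them the same way `keep-outputs` is gated on `config.sbruder.full`: `sops.secrets.binary-cache-secret-key = lib.mkIf config.sbruder.binaryCacheUpload { };`, `sops.secrets.nix-netrc = lib.mkIf config.sbruder.binaryCacheUpload { };` and `extraOptions = lib.optionalString config.sbruder.binaryCacheUpload ''` for the upload block (the option name is a placeholder that still needs declaring; `lib.optionalString` leaves the `.path` references unevaluated when it is off). The module attrset these hunks belong to begins before the first hunk and ends after the second.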
@@ -1,3 +1,5 @@
+binary-cache-secret-key: ENC[AES256_GCM,data:HIx+SJzTeWIOD89xXGHDgVerDLFO0t6/S8E+QTVPtet5SUxiJLs8X+6/FZfm5WiILU6utecSV6+vpDap/yKcuin63OhXeUWbpD3pnOMtIElfs3tR1EUkJ3tiOJFVsThqi9JDNySGlq36ch2MTSfPdQ==,iv:jwwTaktWMPWFnCN3Ur84cgUm1kNZqzEEbyfZ7dIysWA=,tag:qDDpMJDYM8WUTqlJWOzaVg==,type:str]
+nix-netrc: ENC[AES256_GCM,data:vOcauP7BpcWriA6Q+UO8apdc+zfJej8OQswnaDEfIf2Gi3IbrNaeusGVwtzvRC5DI/Mqdjzmg0+SYvket0X7HSLzAFbML3YDl28btutzby1jpkTKWnJL0Gq3GDG0DgOqzbemQGJDtejI7pTPo6NLtMlmvA==,iv:sISKlZx+pMU7LnaT1ZC6tZo8ITYXpgLwYPpkoG51zks=,tag:u0h9l85CxEi6awwRdFXkog==,type:str]
 media-proxy-auth: ENC[AES256_GCM,data:KaYd8TCMVlHbgoj1QQfRwTXAK2hJUDr0UJqhTXvILylyR+mdJy7smn5EtFdNNFWZk6eJituvGG7naT2/UiNoYne4ljlJhu/IuObTLY5AI9ELDtYBDQ==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:SND1zp2Cd2gqQdOVWw2eWw==,type:str]
 torrent-proxy-auth: ENC[AES256_GCM,data:9XuDRdUjOClPuZFvI7VwYQdbegzg400zfmFmE3qt5kTo6bD7m74V9F3b73aUueqMQ+80PxBc1KusTTlPYy2LAf6mT4PQ2TpqSu0kBXAezfL4e5fxdQ==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:5FtjmtIY1gSixu/9UZhBVA==,type:str]
 restic-s3: ENC[AES256_GCM,data:lRcwoChzSX+ICXyafAtBGjkBTBdzL5v/imUL2yHtApMOe+MkP5CjXr47WoWGt17tdLPVRQ9v7/6jcagTKIk3IfjmhRhMip3CMyPkio62uDxArlaKpi9GoZNQOCt+XHWlpiBJ609H,iv:yrp2QZLXJypWh5XjsAHcpiXEPUcYF8A+mQZ+W2w7zpU=,tag:Xis3NQ2KNQqG+Rmgzpy3Tg==,type:str]
@@ -7,8 +9,8 @@ sops:
 gcp_kms: []
 azure_kv: []
 hc_vault: []
- lastmodified: '2021-04-06T11:12:39Z'
- mac: ENC[AES256_GCM,data:guWWnJb9153SmSFwvDEqru0GGYUgQCmCtDb/bmKCehUvQ2ecVDulYYKAQ5jq2v3Eo5pfKmdrtIMV/jf6TOwNyEqBuWxU5aUODMheSqYgDNKAcFSvwpdldyVATspt7XT0s0waUbFBPjMOmQC0TEp5rtZXS7PlRT8DgohUlyy6jhI=,iv:Eh3Uwctaw0hrI6Ux2q0WUixZiLF5Fdj3/AVG8PluCHc=,tag:Jo3bzKNQzH7tsatfLphagQ==,type:str]
+ lastmodified: '2021-04-08T14:05:22Z'
+ mac: ENC[AES256_GCM,data:jCe1m/OqWyAWBYXSqk2oHmNkVuMTGVzjBzzD6o2fbo2YmoloUqsYDuGbpThlTxKIl9nL/5UJjKVJ2QMHFrB3+vvg0KH4LxoR9aFtCXFtIbeJcv77x1MT9s+8mrib75B4JulqMhSmnzqQ6bXA8l7tIUhg2ezaGZsT4Q/V1E72aJQ=,iv:hdB4MmgBGUN7HwUMv2Wn7qZ6C5HlBlOjRniJ9qV420s=,tag:dP0FAOf1A9u1H/l0L1ejcA==,type:str]
 pgp:
 - created_at: '2021-04-06T11:13:25Z'
 enc: |