From 1969741a257e8d26d03e3a852c7aa8411362ca34 Mon Sep 17 00:00:00 2001
From: Andre
Date: Sat, 25 May 2024 11:07:10 -0400
Subject: [PATCH] Disabling cache due to possible security risk
---
 flake.lock | 8 ++++----
 flake.nix | 6 +++---
 hosts/Haven/default.nix | 2 +-
 modules/base/nix.nix | 6 +----
 modules/services/cache.nix | 37 ++++++++++++++++++++++++++++++++++++-
 5 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/flake.lock b/flake.lock
index cd63397..0202730 100644
--- a/flake.lock
+++ b/flake.lock
@@ -312,16 +312,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1716330097,
- "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
+ "lastModified": 1716542732,
+ "narHash": "sha256-0Y9fRr0CUqWT4KgBITmaGwlnNIGMYuydu2L8iLTfHU4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
+ "rev": "d12251ef6e8e6a46e05689eeccd595bdbd3c9e60",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-24.05",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 1aafa00..8df4570 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,8 +4,8 @@
 description = "Aires' system Flake";
 inputs = {
- # Track base packages against unstable
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ # Track base packagese
+ nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.05";
 # Replace Nix with Lix: https://lix.systems/
 lix = {
@@ -67,7 +67,7 @@
 defaultModules = [
 {
 _module.args = {
- inherit inputs;
+ inherit inputs self;
 };
 }
 ./modules/autoimport.nix
diff --git a/hosts/Haven/default.nix b/hosts/Haven/default.nix
index c27517b..1b9e004 100644
--- a/hosts/Haven/default.nix
+++ b/hosts/Haven/default.nix
@@ -53,7 +53,7 @@ in
 };
 boinc.enable = true;
 cache = {
- enable = true;
+ enable = false; # Disable for now
 secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem";
 };
 duplicacy-web = {
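Review bot: The replacement comment above the nixpkgs input in flake.nix reads `# Track base packagese`, which has a typo and drops the one fact the old comment carried (which branch is tracked); suggest `# Track base packages against the nixos-24.05 release branch`. The URL itself is fine: `github:NixOS/nixpkgs?ref=nixos-24.05` resolves the same as the path form, and it agrees with the flake.lock bump in this patch. The `inputs` attribute set continues outside the hunk.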
diff --git a/modules/base/nix.nix b/modules/base/nix.nix
index e42b7fb..0ad285f 100644
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@@ -16,13 +16,9 @@
 ];
 # Use Lix instead of Nix
- extra-substituters = [
- "https://cache.lix.systems"
- config.secrets.services.cache.url
- ];
+ extra-substituters = [ "https://cache.lix.systems" ];
 trusted-public-keys = [
 "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
- "${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
 ];
 # Only allow these users to use Nix
diff --git a/modules/services/cache.nix b/modules/services/cache.nix
index a41d341..d38f374 100644
--- a/modules/services/cache.nix
+++ b/modules/services/cache.nix
@@ -1,5 +1,10 @@
 # Serves a binary cache for Nix packages
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ self,
+ ...
+}:
 let
 cfg = config.host.services.cache;
@@ -17,6 +22,7 @@ in
 };
 config = lib.mkIf cfg.enable {
+ # Enable cache service
 services = {
 nix-serve = {
 enable = true;
@@ -32,5 +38,34 @@ in
 };
 };
 };
+
+ nix.settings = {
+ extra-substituters = [ "ssh://${config.secrets.services.cache.url}" ];
+ trusted-public-keys = [
+ "${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
+ ];
+ };
+
+ # Run nightly builds for certain targets
+ systemd.timers."nix-distributed-build-timer" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = "true";
+ Unit = "nix-distributed-build.service";
+ };
+ };
+
+ systemd.services."nix-distributed-build" = {
+ # Add target names below as a new line
+ script = ''
+ set -eu
+ nh os build --update --hostname Khanda
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = config.users.users.aires.name;
+ };
+ };
 };
 }
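Review bot: The `trusted-public-keys` entry added to `nix.settings` in modules/services/cache.nix ends in `=%` after the base64 key material; `%` is not part of a Nix signing key (`name:base64`), so it reads like a copied terminal prompt, and with it present no signature from that substituter will verify — the cache fails closed rather than being trusted. The line was carried over verbatim from the entry removed in modules/base/nix.nix, so the defect predates this commit but survives it; the fix is `"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls="`. Separately, the `nix-distributed-build` unit runs `nh os build --update --hostname Khanda` without setting the unit's `path`, so unless `nh` is on the system-wide PATH the service inherits, the script will fail at that line — worth confirming on the target host. Note also that `--update` bumps every flake input unattended each night before building, so a bad upstream revision is fetched and built with no review step; leaving input updates to an interactive run and having the timer only build the pinned lock would keep the nightly job reproducible.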