
Disabling cache due to possible security risk

This commit is contained in:
Aires 2024-05-25 11:07:10 -04:00
parent 41fc33fcfc
commit 1969741a25
5 changed files with 45 additions and 14 deletions


@ -312,16 +312,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1716330097, "lastModified": 1716542732,
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=", "narHash": "sha256-0Y9fRr0CUqWT4KgBITmaGwlnNIGMYuydu2L8iLTfHU4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2", "rev": "d12251ef6e8e6a46e05689eeccd595bdbd3c9e60",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }


@ -4,8 +4,8 @@
description = "Aires' system Flake"; description = "Aires' system Flake";
inputs = { inputs = {
# Track base packages against unstable # Track base packagese
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.05";
# Replace Nix with Lix: https://lix.systems/ # Replace Nix with Lix: https://lix.systems/
lix = { lix = {
@ -67,7 +67,7 @@
defaultModules = [ defaultModules = [
{ {
_module.args = { _module.args = {
inherit inputs; inherit inputs self;
}; };
} }
./modules/autoimport.nix ./modules/autoimport.nix
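Review bot: The comment on the nixpkgs input now reads `# Track base packagese`, which is a typo and, unlike the old comment, no longer says which branch is tracked now that the URL moved from nixos-unstable to nixos-24.05; suggest `# Track base packages against the nixos-24.05 stable release`. The second hunk adds `self` to `_module.args`, which is harmless, though nothing visible in this hunk uses it and the `defaultModules` list continues past the hunk, so where it is consumed cannot be confirmed from here.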


@ -53,7 +53,7 @@ in
}; };
boinc.enable = true; boinc.enable = true;
cache = { cache = {
enable = true; enable = false; # Disable for now
secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem"; secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem";
}; };
duplicacy-web = { duplicacy-web = {
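Review bot: Setting `enable = false` leaves `secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem"` in place, so the signing key is still referenced (and presumably still on disk) while the commit title cites a possible security risk; if that risk touches the cache host or its key, the key should be rotated and the old public key removed from every `trusted-public-keys` list before the cache is re-enabled, because a compromised signing key lets an attacker sign store paths that every client will trust. The `# Disable for now` comment should record the reason and the precondition for re-enabling, e.g. `enable = false; # Disabled pending security review; rotate cache-priv-key.pem and update trusted-public-keys before re-enabling`. The enclosing attribute set starts outside the hunk.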


@ -16,13 +16,9 @@
]; ];
# Use Lix instead of Nix # Use Lix instead of Nix
extra-substituters = [ extra-substituters = [ "https://cache.lix.systems" ];
"https://cache.lix.systems"
config.secrets.services.cache.url
];
trusted-public-keys = [ trusted-public-keys = [
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
]; ];
# Only allow these users to use Nix # Only allow these users to use Nix


@ -1,5 +1,10 @@
# Serves a binary cache for Nix packages # Serves a binary cache for Nix packages
{ config, lib, ... }: {
config,
lib,
self,
...
}:
let let
cfg = config.host.services.cache; cfg = config.host.services.cache;
@ -17,6 +22,7 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Enable cache service
services = { services = {
nix-serve = { nix-serve = {
enable = true; enable = true;
@ -32,5 +38,34 @@ in
}; };
}; };
}; };
nix.settings = {
extra-substituters = [ "ssh://${config.secrets.services.cache.url}" ];
trusted-public-keys = [
"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
];
};
# Run nightly builds for certain targets
systemd.timers."nix-distributed-build-timer" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = "true";
Unit = "nix-distributed-build.service";
};
};
systemd.services."nix-distributed-build" = {
# Add target names below as a new line
script = ''
set -eu
nh os build --update --hostname Khanda
'';
serviceConfig = {
Type = "oneshot";
User = config.users.users.aires.name;
};
};
}; };
} }
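Review bot: The public key added to `trusted-public-keys` ends in `...swls=%`, and that trailing `%` is not a base64 character (it looks like a shell-prompt artifact pasted along with the key), so Nix should reject it as a public key and signature checks against this cache cannot succeed; it should read `"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls="`. The nightly `nix-distributed-build` unit runs `nh os build --update`, which updates the flake inputs before building, so each run pulls the latest upstream revisions into the lock unattended — exactly the review gate the rest of this commit (pinning nixpkgs to a release branch) seems to want; consider dropping `--update` from the timer and updating inputs in a reviewed commit instead. The service also sets no environment, so unless `NH_FLAKE`/`FLAKE` is provided elsewhere `nh` has no flake to build; a comment on the script such as `# Relies on NH_FLAKE being set system-wide` would make that dependency explicit. Since the whole block sits under `lib.mkIf cfg.enable` and the host hunk sets `enable = false`, none of this is active yet, which is the right moment to fix the key.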