Disabling cache due to possible security risk
parent
41fc33fcfc
commit
1969741a25
|
@ -312,16 +312,16 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1716330097,
|
||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
||||
"lastModified": 1716542732,
|
||||
"narHash": "sha256-0Y9fRr0CUqWT4KgBITmaGwlnNIGMYuydu2L8iLTfHU4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
||||
"rev": "d12251ef6e8e6a46e05689eeccd595bdbd3c9e60",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
description = "Aires' system Flake";
|
||||
|
||||
inputs = {
|
||||
# Track base packages against unstable
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
# Track base packagese
|
||||
nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.05";
|
||||
|
||||
# Replace Nix with Lix: https://lix.systems/
|
||||
lix = {
|
||||
|
@ -67,7 +67,7 @@
|
|||
defaultModules = [
|
||||
{
|
||||
_module.args = {
|
||||
inherit inputs;
|
||||
inherit inputs self;
|
||||
};
|
||||
}
|
||||
./modules/autoimport.nix
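Review bot: The rewritten comment above `nixpkgs.url` in the inputs hunk has a typo and no longer names the channel being tracked: `# Track base packagese`. Something like `# Track base packages against the nixos-24.05 stable channel` keeps the comment in step with the new `?ref=nixos-24.05` URL. The move from `nixos-unstable` to a release branch is also not mentioned in the commit title, so a line in the commit description would help anyone bisecting a package regression later.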
|
||||
|
|
|
@ -53,7 +53,7 @@ in
|
|||
};
|
||||
boinc.enable = true;
|
||||
cache = {
|
||||
enable = true;
|
||||
enable = false; # Disable for now
|
||||
secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem";
|
||||
};
|
||||
duplicacy-web = {
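Review bot: The inline comment on `enable = false; # Disable for now` does not say why the cache is off, so the commit title is the only place the reason is recorded. A comment such as `enable = false; # Disabled: possible security risk, see commit message` keeps the reason next to the switch. `secretKeyFile` still points at `/storage/services/nix-cache/cache-priv-key.pem`, so the signing key stays in place; if the suspected risk touches that key, it would need rotating, and the matching `trusted-public-keys` entry updating, before the cache is re-enabled. The enclosing attribute set starts and ends outside the hunk.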
|
||||
|
|
|
@ -16,13 +16,9 @@
|
|||
];
|
||||
|
||||
# Use Lix instead of Nix
|
||||
extra-substituters = [
|
||||
"https://cache.lix.systems"
|
||||
config.secrets.services.cache.url
|
||||
];
|
||||
extra-substituters = [ "https://cache.lix.systems" ];
|
||||
trusted-public-keys = [
|
||||
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
|
||||
"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
|
||||
];
|
||||
|
||||
# Only allow these users to use Nix
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
# Serves a binary cache for Nix packages
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.host.services.cache;
|
||||
|
@ -17,6 +22,7 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Enable cache service
|
||||
services = {
|
||||
nix-serve = {
|
||||
enable = true;
|
||||
|
@ -32,5 +38,34 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
nix.settings = {
|
||||
extra-substituters = [ "ssh://${config.secrets.services.cache.url}" ];
|
||||
trusted-public-keys = [
|
||||
"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
|
||||
];
|
||||
};
|
||||
|
||||
# Run nightly builds for certain targets
|
||||
systemd.timers."nix-distributed-build-timer" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = "true";
|
||||
Unit = "nix-distributed-build.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."nix-distributed-build" = {
|
||||
# Add target names below as a new line
|
||||
script = ''
|
||||
set -eu
|
||||
nh os build --update --hostname Khanda
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = config.users.users.aires.name;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
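Review bot: The `trusted-public-keys` entry added under `nix.settings` in the last hunk ends in `=%`, and `%` is not a base64 character; it looks like the marker some shells print after output that lacks a trailing newline, pasted along with the key. Nix expects `name:base64`, so the entry should probably read `"${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls="`, checked against the actual public key file. The substituter is now `"ssh://${config.secrets.services.cache.url}"`, while the line removed from the common Nix settings used that same value bare as a substituter; if the secret already carries a scheme, this produces a doubled one, so it is worth confirming what the value holds. Both settings sit inside `lib.mkIf cfg.enable`, so they apply only on the host that serves the cache, and a short comment saying whether that is intended would help.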
|
||||
|
|