Disabling cache due to possible security risk

2024-05-25 11:07:10 -04:00 · 2024-05-25 11:07:10 -04:00 · 1969741a25
parent 41fc33fcfc
commit 1969741a25
5 changed files with 45 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -312,16 +312,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1716330097,
-        "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
+        "lastModified": 1716542732,
+        "narHash": "sha256-0Y9fRr0CUqWT4KgBITmaGwlnNIGMYuydu2L8iLTfHU4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
+        "rev": "d12251ef6e8e6a46e05689eeccd595bdbd3c9e60",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -4,8 +4,8 @@
  description = "Aires' system Flake";

  inputs = {
-    # Track base packages against unstable
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # Track base packagese
+    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.05";

    # Replace Nix with Lix: https://lix.systems/
    lix = {
@ -67,7 +67,7 @@
      defaultModules = [
        {
          _module.args = {
-            inherit inputs;
+            inherit inputs self;
          };
        }
        ./modules/autoimport.nix
--- a/hosts/Haven/default.nix
+++ b/hosts/Haven/default.nix
@ -53,7 +53,7 @@ in
      };
      boinc.enable = true;
      cache = {
-        enable = true;
+        enable = false; # Disable for now
        secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem";
      };
      duplicacy-web = {
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@ -16,13 +16,9 @@
      ];

      # Use Lix instead of Nix
-      extra-substituters = [
-        "https://cache.lix.systems"
-        config.secrets.services.cache.url
-      ];
+      extra-substituters = [ "https://cache.lix.systems" ];
      trusted-public-keys = [
        "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
-        "${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
      ];

      # Only allow these users to use Nix
--- a/modules/services/cache.nix
+++ b/modules/services/cache.nix
@ -1,5 +1,10 @@
 # Serves a binary cache for Nix packages
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  self,
+  ...
+}:

 let
  cfg = config.host.services.cache;
@ -17,6 +22,7 @@ in
  };

  config = lib.mkIf cfg.enable {
+    # Enable cache service
    services = {
      nix-serve = {
        enable = true;
@ -32,5 +38,34 @@ in
        };
      };
    };
+
+    nix.settings = {
+      extra-substituters = [ "ssh://${config.secrets.services.cache.url}" ];
+      trusted-public-keys = [
+        "${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%"
+      ];
+    };
+
+    # Run nightly builds for certain targets
+    systemd.timers."nix-distributed-build-timer" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = "true";
+        Unit = "nix-distributed-build.service";
+      };
+    };
+
+    systemd.services."nix-distributed-build" = {
+      # Add target names below as a new line
+      script = ''
+        set -eu
+        nh os build --update --hostname Khanda
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = config.users.users.aires.name;
+      };
+    };
  };
 }