diff --git a/README.md b/README.md
index 119a26d..186ad0b 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,23 @@ You're expected to read this document before commiting to the repo.
 
 Some documentation for the development tools are provided in the aforementioned file.
 
+# Using the binary cache
+
+Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
+```
+{ lib, ... }:
+let
+  dgnum-infra = PINNED_PATH_TO_INFRA;
+in {
+  nix.settings = (import dgnum-infra).mkCacheSettings {
+    caches = [
+      "infra"
+    ];
+  };
+}
+```
+
+
 # Adding a new machine
 
 The first step is to create a minimal viable NixOS host, using tha means necessary.
diff --git a/default.nix b/default.nix
index 093a7fb..7913471 100644
--- a/default.nix
+++ b/default.nix
@@ -76,6 +76,8 @@ in
 
   dns = import ./meta/dns.nix;
 
+  mkCacheSettings = import ./machines/storage01/tvix-store/cache-settings.nix;
+
   shells = {
     default = pkgs.mkShell {
       name = "dgnum-infra";
diff --git a/machines/storage01/tvix-cache/cache-settings.nix b/machines/storage01/tvix-cache/cache-settings.nix
new file mode 100644
index 0000000..90d7945
--- /dev/null
+++ b/machines/storage01/tvix-cache/cache-settings.nix
@@ -0,0 +1,14 @@
+let
+  cache-info = {
+    infra = {
+      public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
+      url = "https://tvix-store.dgnum.eu/infra";
+    };
+  };
+in
+
+{ caches }:
+{
+  trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
+  trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
+}
diff --git a/machines/storage01/tvix-cache/default.nix b/machines/storage01/tvix-cache/default.nix
index d46af4e..97447c2 100644
--- a/machines/storage01/tvix-cache/default.nix
+++ b/machines/storage01/tvix-cache/default.nix
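Review bot: The import path on the added `mkCacheSettings` line points at `machines/storage01/tvix-store/cache-settings.nix`, but the file this commit adds lives under `tvix-cache/` (see the `+++ b/machines/storage01/tvix-cache/cache-settings.nix` header), so evaluating `mkCacheSettings` will fail with a missing-path error. Change it to `mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;`. The enclosing attribute set starts and ends outside the hunk.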
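Review bot: The attrset returned at the end of the new file only sets `trusted-substituters`, which whitelists the URL for unprivileged `--option substituters` use but does not make the daemon consult the cache by default, so a user following the README would still fetch nothing from it; add `substituters = builtins.map (cache: cache-info.${cache}.url) caches;` alongside the two existing attributes (keeping `trusted-substituters` is harmless). An unknown name in `caches` currently dies with a bare "attribute missing" error from `cache-info.${cache}`; a guard such as `{ caches }: assert builtins.all (c: cache-info ? ${c}) caches;` before the result would make the mistake obvious. Pinning the signing key in this file rather than fetching it from the cache host is the right trust anchor, since a compromised server could otherwise serve its own key alongside forged narinfos, and that deserves a comment so nobody "simplifies" it later, e.g. `# Keys are pinned here on purpose: a key fetched from the cache itself proves nothing.`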
@@ -1,9 +1,13 @@
 { pkgs, config, ... }:
 let
-  settingsFormat = pkgs.formats.toml { };
-
-  dataDir = "/data/slow/tvix-store";
+  # How to add a cache:
+  # - Add the relevant services (likely only a pathinfoservice) to the
+  #   composition config (store-config.composition).
+  # - Add an endpoint (store-config.endpoints).
+  # - Append a proxy configuration to nginx in order to make the store
+  #   accessible.
+  # - Update cache-info.nix so users can add the cache to their configuration
 
   store-config = {
     composition = {
       blobservices.default = {
@@ -54,6 +58,13 @@ let
       };
     };
   };
+
+  settingsFormat = pkgs.formats.toml { };
+
+  webHost = "tvix-store.dgnum.eu";
+
+  dataDir = "/data/slow/tvix-store";
+
   systemdHardening = {
     PrivateDevices = true;
     PrivateTmp = true;
@@ -70,10 +81,12 @@ let
     RuntimeDirectoryMode = "0750";
     StateDirectoryMode = "0750";
   };
+
   toml = {
     composition = settingsFormat.generate "composition.toml" store-config.composition;
     endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
   };
+
   package = pkgs.callPackage ./package { };
 in
 {
@@ -83,7 +96,7 @@ in
     "nginx"
   ];
 
-  services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
+  services.nginx.virtualHosts.${webHost} = {
     enableACME = true;
     forceSSL = true;
     locations = {
@@ -105,14 +118,12 @@ in
           auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
         '';
       };
-      "/.well-known/nix-signing-keys/" = {
-        alias = "${./pubkeys}/";
-        extraConfig = "autoindex on;";
-      };
     };
   };
+
   # TODO add tvix-store cli here
   # environment.systemPackages = [ ];
+
   users.users.tvix-store = {
     isSystemUser = true;
     group = "tvix-store";
diff --git a/machines/storage01/tvix-cache/pubkeys/infra b/machines/storage01/tvix-cache/pubkeys/infra
deleted file mode 100644
index fdadccf..0000000
--- a/machines/storage01/tvix-cache/pubkeys/infra
+++ /dev/null
@@ -1 +0,0 @@
-infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=
\ No newline at end of file
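Review bot: The new how-to comment ends with `# - Update cache-info.nix so users can add the cache to their configuration`, but the file added in this commit is `cache-settings.nix` (`cache-info` is the attribute inside it), so the pointer sends the next maintainer to a file that does not exist. It also omits the one step that matters for trust: the cache's signing public key has to be added there too, since the `/.well-known/nix-signing-keys/` endpoint is removed by this commit. Suggest `# - Add the cache's URL and signing public key to cache-info in` / `#   cache-settings.nix so users can opt in via mkCacheSettings.` The surrounding `let` block continues past the hunk.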