feat(snix-cache): Use snix-cache module

2025-04-19 11:06:22 +02:00 · 2025-04-19 11:06:22 +02:00 · e7b76d1579
commit e7b76d1579
parent 361572d013
19 changed files with 153 additions and 4768 deletions
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@ -13,7 +13,7 @@ lib.extra.mkConfig {

  enabledServices = [
    # List of services to enable
-    "tvix-cache"
+    "snix-cache"
    "forgejo"
    "forgejo-runners"
    "garage"
--- a/machines/nixos/storage01/secrets/nginx-tvix-store-password
+++ b/machines/nixos/storage01/secrets/nginx-tvix-store-password
--- a/machines/nixos/storage01/secrets/nginx-snix_cache_infra.signing
+++ b/machines/nixos/storage01/secrets/nginx-snix_cache_infra.signing
--- a/machines/nixos/storage01/secrets/secrets.nix
+++ b/machines/nixos/storage01/secrets/secrets.nix
@ -16,11 +16,11 @@
    "netbird-data_store_encryption_key_file"
    "netbird-relay_environment_file"
    "netbird-relay_secret_file"
-    "nginx-tvix-store-password"
-    "nginx-tvix-store-password-ci"
+    "nginx-snix_cache_infra"
+    "nginx-snix_cache_infra.signing"
    "peertube-secrets_file"
    "peertube-service_environment_file"
    "peertube-smtp_password_file"
+    "snix-cache-infra_signing_key"
    "vmagent-garage_api"
-    "tvix-store-infra-signing-key"
  ]
--- a/machines/nixos/storage01/secrets/snix-cache-infra_signing_key
+++ b/machines/nixos/storage01/secrets/snix-cache-infra_signing_key
--- a/machines/nixos/storage01/snix-cache/cache-settings.nix
+++ b/machines/nixos/storage01/snix-cache/cache-settings.nix
@ -5,8 +5,8 @@
 let
  cache-info = {
    infra = {
-      public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
-      url = "https://tvix-store.dgnum.eu/infra";
+      public-key = "infra.snix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
+      url = "https://snix-store.dgnum.eu/infra";
    };
  };
 in
--- a/machines/nixos/storage01/snix-cache/default.nix
+++ b/machines/nixos/storage01/snix-cache/default.nix
@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, sources, ... }:
+let
+  dataDir = "/data/slow/tvix-store";
+in
+{
+
+  imports = [
+
+    "${sources.snix-cache}/nix/module.nix"
+  ];
+  nixpkgs.overlays = [
+
+    (import "${sources.snix-cache}/nix/overlay.nix")
+  ];
+  age-secrets.autoMatch = [
+    "snix-store"
+    "nginx"
+  ];
+
+  services = {
+    nginx.virtualHosts."snix-store.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+      serverAliases = [ "tvix-store.dgnum.eu" ];
+    };
+    snix-cache = {
+      enable = true;
+      storeComposition = {
+        blobservices.default = {
+          type = "objectstore";
+          object_store_url = "file://${dataDir}/blob.objectstore";
+          object_store_options = { };
+        };
+        directoryservices = {
+          redb = {
+            type = "redb";
+            is_temporary = false;
+            path = "${dataDir}/directory.redb";
+          };
+        };
+        pathinfoservices = {
+          infra = {
+            type = "redb";
+            is_temporary = false;
+            path = "${dataDir}/pathinfo.redb";
+          };
+        };
+      };
+      host = "snix-store.dgnum.eu";
+      caches = {
+        infra = {
+          maxBodySize = "50G";
+
+          directoryService = "redb";
+          blobService = "default";
+          uploadPasswordFile = config.age.secrets."nginx-snix_cache_infra".path;
+          signing = {
+            passwordFile = config.age.secrets."nginx-snix_cache_infra.signing".path;
+            keyFile = config.age.secrets."snix-cache-infra_signing_key".path;
+            publicKey = "infra.snix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.snix-cache.serviceConfig.ReadWritePaths = [ dataDir ];
+}
--- a/machines/nixos/storage01/tvix-cache/default.nix
+++ b/machines/nixos/storage01/tvix-cache/default.nix
@ -1,159 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-{ pkgs, config, ... }:
-let
-
-  # How to add a cache:
-  #  - Add the relevant services (likely only a pathinfoservice) to the
-  #    composition config (store-config.composition).
-  #  - Add an endpoint (store-config.endpoints).
-  #  - Append a proxy configuration to nginx in order to make the store
-  #    accessible.
-  #  - Update cache-info.nix so users can add the cache to their configuration
-  store-config = {
-    composition = {
-      blobservices.default = {
-        type = "objectstore";
-        object_store_url = "file://${dataDir}/blob.objectstore";
-        object_store_options = { };
-      };
-      directoryservices = {
-        redb = {
-          type = "redb";
-          is_temporary = false;
-          path = "${dataDir}/directory.redb";
-        };
-      };
-      pathinfoservices = {
-        infra = {
-          type = "redb";
-          is_temporary = false;
-          path = "${dataDir}/pathinfo.redb";
-        };
-        infra-signing = {
-          type = "keyfile-signing";
-          inner = "infra";
-          keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
-        };
-      };
-    };
-
-    endpoints = {
-      "127.0.0.1:8056" = {
-        endpoint_type = "Http";
-        blob_service = "default";
-        directory_service = "redb";
-        path_info_service = "infra";
-      };
-      "127.0.0.1:8058" = {
-        endpoint_type = "Http";
-        blob_service = "default";
-        directory_service = "redb";
-        path_info_service = "infra-signing";
-      };
-      # Add grpc for management and because it is nice
-      "127.0.0.1:8057" = {
-        endpoint_type = "Grpc";
-        blob_service = "default";
-        directory_service = "redb";
-        path_info_service = "infra";
-      };
-    };
-  };
-
-  settingsFormat = pkgs.formats.toml { };
-
-  webHost = "tvix-store.dgnum.eu";
-
-  dataDir = "/data/slow/tvix-store";
-
-  systemdHardening = {
-    PrivateDevices = true;
-    PrivateTmp = true;
-    ProtectControlGroups = true;
-    ProtectKernelTunables = true;
-    RestrictSUIDSGID = true;
-
-    ProtectSystem = "strict";
-    ProtectKernelLogs = true;
-    ProtectProc = "invisible";
-    PrivateUsers = true;
-    ProtectHome = true;
-    UMask = "0077";
-    RuntimeDirectoryMode = "0750";
-    StateDirectoryMode = "0750";
-  };
-
-  toml = {
-    composition = settingsFormat.generate "composition.toml" store-config.composition;
-    endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
-  };
-
-  package = pkgs.callPackage ./package { };
-in
-{
-
-  age-secrets.autoMatch = [
-    "tvix-store"
-    "nginx"
-  ];
-
-  services.nginx.virtualHosts.${webHost} = {
-    enableACME = true;
-    forceSSL = true;
-    locations = {
-      "/infra/" = {
-        proxyPass = "http://127.0.0.1:8056/";
-        extraConfig = ''
-          client_max_body_size 50G;
-          limit_except GET {
-            auth_basic "Password required";
-            auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
-          }
-        '';
-      };
-      "/infra-signing/" = {
-        proxyPass = "http://127.0.0.1:8058/";
-        extraConfig = ''
-          client_max_body_size 50G;
-          auth_basic "Password required";
-          auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
-        '';
-      };
-    };
-  };
-
-  # TODO add tvix-store cli here
-  # environment.systemPackages = [ ];
-
-  users.users.tvix-store = {
-    isSystemUser = true;
-    group = "tvix-store";
-  };
-  users.groups.tvix-store = { };
-
-  systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
-
-  systemd.services."tvix-store" = {
-    wantedBy = [ "multi-user.target" ];
-    environment = {
-      RUST_LOG = "info";
-    };
-    serviceConfig = {
-      UMask = "007";
-      LimitNOFILE = 1048576;
-      ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
-      StateDirectory = "tvix-store";
-      RuntimeDirectory = "tvix-store";
-      User = "tvix-store";
-      Group = "tvix-store";
-      ReadWritePaths = [ dataDir ];
-    } // systemdHardening;
-  };
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-}
--- a/machines/nixos/storage01/tvix-cache/package/Cargo.lock
+++ b/machines/nixos/storage01/tvix-cache/package/Cargo.lock
--- a/machines/nixos/storage01/tvix-cache/package/default.nix
+++ b/machines/nixos/storage01/tvix-cache/package/default.nix
@ -1,50 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-{
-  fetchgit,
-  rustPlatform,
-  protobuf,
-  runCommand,
-}:
-let
-  tvix-hash = "sha256-I4GJD1nbZ9gdYhXWOKBkqUvTdCxEoQe+Y5ZOYVRWi2w=";
-  tvix-src = fetchgit {
-    name = "tvix";
-    url = "https://git.dgnum.eu/mdebray/tvl-depot";
-    rev = "5d3769594ed6eb57dbb06dfb947a8429bdcca4f6";
-    hash = tvix-hash;
-  };
-  protos = runCommand "tvix-protos" { } ''
-    mkdir $out
-    cd ${tvix-src}/tvix #remove tvix maybe
-    find . -name '*.proto' -exec install -D {} $out/{} \;
-  '';
-in
-
-rustPlatform.buildRustPackage {
-  pname = "multitenant-binary-cache";
-  version = "0.1.0";
-
-  src = fetchgit {
-    url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
-    rev = "5f5a54d3d3c1c349b5d67f58b8392467705dbc06";
-    hash = "sha256-FZuvkHKvnFuFu50bC7wMRtEJv9wpo5OfXV0u4eQKrvw=";
-  };
-
-  PROTO_ROOT = protos;
-
-  nativeBuildInputs = [ protobuf ];
-
-  cargoLock = {
-    lockFile = ./Cargo.lock;
-    outputHashes = {
-      "wu-manber-0.1.0" = "sha256-7YIttaQLfFC/32utojh2DyOHVsZiw8ul/z0lvOhAE/4=";
-      "nar-bridge-0.1.0" = tvix-hash;
-    };
-  };
-  cargoHash = "";
-
-  meta = { };
-}