-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat(cache): add klarkc builder * feat(cache): upgrade keys * feat: change nix cache * feat(cache): add github * feat(cache): remove cachix and add builder user * feat(cache): readd builder, remove other keys * fix(cache): add builder as trusted user * ci(test): add nix cache * ci(test): add nix version * fix(cache): missing config * ci(test): add debug * ci(test): change to manual ssh key * ci(test): disable check * ci(test): move key add * ci(test): readd agent * ci(test): add example * ci(test): tryout with ng * ci(test): try out derivation and all * ci(test): remove derivation * ci(test): change nix installer * ci(test): add from and flags * ci(test): change to closure * ci(test): change to xargs * ci(test): return to nix copy simplified * ci(test): return to cachix install * ci(test): reenable check * ci(test): try with store * ci(test): remove store and dervir, add def * ci(test): add verbose, subst
- Loading branch information
Showing
6 changed files
with
30 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,11 +11,17 @@ jobs: | |
| - uses: actions/checkout@v3 | ||
| - uses: cachix/install-nix-action@v20 | ||
| with: | ||
| install_url: https://releases.nixos.org/nix/nix-2.19.1/install | ||
| extra_nix_config: | | ||
| accept-flake-config = true | ||
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | ||
| - uses: cachix/cachix-action@v12 | ||
| - uses: webfactory/[email protected] | ||
| with: | ||
| name: klarkc | ||
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | ||
| - run: nix flake check | ||
| ssh-private-key: ${{ secrets.BUILDER_TOKEN }} | ||
| - uses: gacts/run-and-post-run@v1 | ||
| with: | ||
| run: nix -v flake check -L --show-trace | ||
| post: | | ||
| mkdir -p ~/.ssh/ && touch ~/.ssh/known_hosts | ||
| ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts | ||
| nix -v copy -s --all --to ssh://[email protected] | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPSuuFCsXXHk6JYXZ+hIrZGjb3d4wwRPoks0mrMmidk klarkc@ssdinarch |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,9 +8,6 @@ let | |
| domain = "cache.tcp4.me"; | ||
| home = "/home/klarkc"; | ||
| email = "[email protected]"; | ||
| authorizedKeys.keys = [ | ||
| (builtins.readFile ../../secrets/klarkc.pub) | ||
| ]; | ||
| cache-module = { disks ? [ "/dev/vda" ], config, ... }: | ||
| { | ||
| imports = [ | ||
|
|
@@ -19,9 +16,9 @@ let | |
| disko | ||
| ]; | ||
| # cd secrets | ||
| # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.skey | ||
| # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub | ||
| # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.pub | ||
| # scp ssh://[email protected]:/etc/ssh/ssh_host_ed25519_key.pub cache-vultr.pub | ||
| # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub | ||
| age.secrets.cache.file = "${secrets}/cache.age"; | ||
| system.stateVersion = config.system.nixos.version; | ||
| boot.loader.systemd-boot.enable = true; | ||
|
|
@@ -30,6 +27,15 @@ let | |
| 22 | ||
| config.services.nix-serve.port | ||
| ]; | ||
| # builders | ||
| nix.settings.trusted-users = [ "builder" ]; | ||
| users.users.builder = { | ||
| home = "/home/builder"; | ||
| isNormalUser = true; | ||
| openssh. authorizedKeys.keys = [ | ||
| (builtins.readFile ../../secrets/builder.pub) | ||
| ]; | ||
| }; | ||
| # cache service | ||
| services.nix-serve = { | ||
| enable = true; | ||
|
|
@@ -41,7 +47,9 @@ let | |
| ''; | ||
| # SSH | ||
| services.sshd.enable = true; | ||
| users.users.root.openssh = { inherit authorizedKeys; }; | ||
| users.users.root.openssh.authorizedKeys.keys = [ | ||
| (builtins.readFile ../../secrets/klarkc.pub) | ||
| ]; | ||
| # beesd | ||
| services.beesd.filesystems = { | ||
| root = { | ||
|
|
||