From c804397843211dfa87c62598455bb5e177d0c28f Mon Sep 17 00:00:00 2001
From: KlarkC
Date: Fri, 22 Dec 2023 03:56:26 -0300
Subject: [PATCH] Add production cache (#12)
* feat(cache): add klarkc builder
* feat(cache): upgrade keys
* feat: change nix cache
* feat(cache): add github
* feat(cache): remove cachix and add builder user
* feat(cache): readd builder, remove other keys
* fix(cache): add builder as trusted user
* ci(test): add nix cache
* ci(test): add nix version
* fix(cache): missing config
* ci(test): add debug
* ci(test): change to manual ssh key
* ci(test): disable check
* ci(test): move key add
* ci(test): readd agent
* ci(test): add example
* ci(test): tryout with ng
* ci(test): try out derivation and all
* ci(test): remove derivation
* ci(test): change nix installer
* ci(test): add from and flags
* ci(test): change to closure
* ci(test): change to xargs
* ci(test): return to nix copy simplified
* ci(test): return to cachix install
* ci(test): reenable check
* ci(test): try with store
* ci(test): remove store and dervir, add def
* ci(test): add verbose, subst
---
 .github/workflows/test.yml | 14 ++++++++++----
 flake.nix | 9 ++++-----
 secrets/builder.pub | 1 +
 secrets/cache.age | Bin 412 -> 371 bytes
 secrets/cache.pub | 1 +
 setups/cache/default.nix | 20 ++++++++++++++------
 6 files changed, 30 insertions(+), 15 deletions(-)
 create mode 100644 secrets/builder.pub
 create mode 100644 secrets/cache.pub
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5f333b0..b2f208b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,11 +11,17 @@ jobs:
 - uses: actions/checkout@v3
 - uses: cachix/install-nix-action@v20
 with:
+ install_url: https://releases.nixos.org/nix/nix-2.19.1/install
 extra_nix_config: |
 accept-flake-config = true
 access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- - uses: cachix/cachix-action@v12
+ - uses: webfactory/ssh-agent@v0.8.0
 with:
- name: klarkc
- authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- - run: nix flake check
+ ssh-private-key: ${{ secrets.BUILDER_TOKEN }}
+ - uses: gacts/run-and-post-run@v1
+ with:
+ run: nix -v flake check -L --show-trace
+ post: |
+ mkdir -p ~/.ssh/ && touch ~/.ssh/known_hosts
+ ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts
+ nix -v copy -s --all --to ssh://builder@cache.tcp4.me
diff --git a/flake.nix b/flake.nix
index a41c70e..1ee4b00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,7 +52,8 @@
 inherit (setups.cache.machines) cache-vultr;
 };
- packages.${system} = {
+ packages.${system} = rec {
+ default = cache-vm;
 inherit (setups.recover.packages) recover-efi recover-vm;
 inherit (setups.cache.packages) cache-vm;
 };
@@ -65,12 +66,10 @@
 # Nix should ask for permission before using it,
 # but remove it here if you do not want it to.
 extra-substituters = [
- "https://klarkc.cachix.org?priority=99"
- "https://cache.nixos.org"
+ "https://cache.tcp4.me"
 ];
 extra-trusted-public-keys = [
- "klarkc.cachix.org-1:R+z+m4Cq0hMgfZ7AQ42WRpGuHJumLLx3k0XhwpNFq9U="
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew="
 ];
 };
 }
diff --git a/secrets/builder.pub b/secrets/builder.pub
new file mode 100644
index 0000000..4c982b6
--- /dev/null
+++ b/secrets/builder.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPSuuFCsXXHk6JYXZ+hIrZGjb3d4wwRPoks0mrMmidk klarkc@ssdinarch
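Review bot: In `.github/workflows/test.yml`, the `post:` script runs `ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts` on every job, which records whatever key the network returns and so gives no host verification before `nix copy` pushes to that host. Pin the key instead: keep the expected `known_hosts` line in a repository variable and write it with `echo "${{ vars.CACHE_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts` (`CACHE_KNOWN_HOSTS` is a placeholder name). The step that receives `secrets.BUILDER_TOKEN`, `webfactory/ssh-agent@v0.8.0`, and the following `gacts/run-and-post-run@v1` are both referenced by tag; pinning them to full commit SHAs keeps a moved tag from running with the key loaded. `nix copy --all` also uploads every path in the runner's store rather than only what the check built, and since the commit message says `builder` is a trusted user on the cache, copying just the flake's outputs would narrow what CI can place there.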
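Review bot: In the second `flake.nix` hunk, the comment kept above `extra-substituters` still says Nix asks for permission before using the cache, but the workflow in this same commit sets `accept-flake-config = true`, so CI takes `cache.tcp4.me` and its key without any prompt. Anyone who accepts this config will substitute any store path signed by `cache.tcp4.me:cmk2…`, so the comment should say who operates the cache and how paths get there, for example `# cache.tcp4.me is this project's self-hosted cache; CI pushes to it over SSH as the builder user`. Where the signing key lives is presumably defined in `setups/cache/default.nix`, which this hunk does not show, and is worth a pointer in the same comment. The enclosing attribute set starts outside the hunk.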
diff --git a/secrets/cache.age b/secrets/cache.age index ab7db47e1e729f6081678086a22ab7e3ded87f74..07a5da945f93612fb5c73defb6b05fc31c7f1a17 100644 GIT binary patch delta 336 zcmV-W0k8g?1M>oqEPqW-S8z>4ZDLh*PIO^dMpr9OW>-RJcXKOGH*{xmWl~poWKVKY zOfPwAa|&WpT5B>=Vr4>5Fh*8pHdQiAD{fj;P-JyCX)rcZcsWNiX=5}?a7Z;nFbXX` zATlf=UqLNra%Ew2WgupCQ*n8FRv>sqE;U|ecS8zTR$)?iGJj8XPflrMW>rjjSTHtC zQ#n}*EiEk|D{(VRQdLMcVQ*M>a#}QNcT`4VdQ@mKD{5vhOLajrcyuyXcwu%?PU(ZYLdP`wWf&qM(*X01)0wf(EV>aG^|65x^^^pYumNO9%`>(H-mi z5Ym++*Pyp8jY&+zzhC!gP?!5J{sf^et@touJg%zY!B(dH$=E`=q&$Rx?@SPIc8Ezm i0we>Qv;9t;8CN?THajD@z!<3pzth|2o$Z_7Ue*cQm4Pz= delta 377 zcmV-<0fzqb0-OVoEPqBxFH2-JV?irXSa?H8SVm!NL3Kx2K{ax0VMRDGMK5bicx_@@ zFlcf?V+vDaSVuH>bume9a#%74;Zc3N|7Yg08wW;irsVN*G9PEbW~MG7rG zAWCp8K|5%NZD>qbPVtHjvIWTELb!KIANjGA8NjPpxZDenCQcqb@RdZu&3h6DbZB}Fdz_C2n z%ED-Hvt>L~u5yfOkMFoAUc1@@`A^wZxi!xt{Dza%tDcB>*dS(t#cLT?gZ-|tV4IS9 zhhRd{vdkneFEb2`3V9R*is`t3y)(qE_tB)8rSRqj