Add production cache

.github/workflows/test.yml

@@ -11,11 +11,17 @@ jobs:
       - uses: actions/checkout@v3
       - uses: cachix/install-nix-action@v20
         with:
+          install_url: https://releases.nixos.org/nix/nix-2.19.1/install
           extra_nix_config: |
             accept-flake-config = true
             access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-      - uses: cachix/cachix-action@v12
+      - uses: webfactory/[email protected]
         with:
-          name: klarkc
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix flake check
+          ssh-private-key: ${{ secrets.BUILDER_TOKEN }}
+      - uses: gacts/run-and-post-run@v1
+        with:
+          run: nix -v flake check -L --show-trace
+          post: |
+            mkdir -p ~/.ssh/ && touch ~/.ssh/known_hosts
+            ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts
+            nix -v copy -s --all --to ssh://[email protected]

flake.nix

@@ -52,7 +52,8 @@
         inherit (setups.cache.machines) cache-vultr;
       };
 
-      packages.${system} = {
+      packages.${system} = rec {
+        default = cache-vm;
         inherit (setups.recover.packages) recover-efi recover-vm;
         inherit (setups.cache.packages) cache-vm;
       };
@@ -65,12 +66,10 @@
     # Nix should ask for permission before using it,
     # but remove it here if you do not want it to.
     extra-substituters = [
-      "https://klarkc.cachix.org?priority=99"
-      "https://cache.nixos.org"
+      "https://cache.tcp4.me"
     ];
     extra-trusted-public-keys = [
-      "klarkc.cachix.org-1:R+z+m4Cq0hMgfZ7AQ42WRpGuHJumLLx3k0XhwpNFq9U="
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew="
     ];
   };
 }

secrets/builder.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPSuuFCsXXHk6JYXZ+hIrZGjb3d4wwRPoks0mrMmidk klarkc@ssdinarch

secrets/cache.pub

@@ -0,0 +1 @@
+cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew=

setups/cache/default.nix

@@ -8,9 +8,6 @@ let
   domain = "cache.tcp4.me";
   home = "/home/klarkc";
   email = "[email protected]";
-  authorizedKeys.keys = [
-    (builtins.readFile ../../secrets/klarkc.pub)
-  ];
   cache-module = { disks ? [ "/dev/vda" ], config, ... }:
     {
       imports = [
@@ -19,9 +16,9 @@ let
         disko
       ];
       # cd secrets
-      # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.skey
-      # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub 
+      # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.pub
       # scp ssh://[email protected]:/etc/ssh/ssh_host_ed25519_key.pub cache-vultr.pub
+      # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub 
       age.secrets.cache.file = "${secrets}/cache.age";
       system.stateVersion = config.system.nixos.version;
       boot.loader.systemd-boot.enable = true;
@@ -30,6 +27,15 @@ let
         22
         config.services.nix-serve.port
       ];
+      # builders
+      nix.settings.trusted-users = [ "builder" ];
+      users.users.builder = {
+        home = "/home/builder";
+        isNormalUser = true;
+        openssh. authorizedKeys.keys = [
+          (builtins.readFile ../../secrets/builder.pub)
+        ];
+      };
       # cache service
       services.nix-serve = {
         enable = true;
@@ -41,7 +47,9 @@ let
       '';
       # SSH
       services.sshd.enable = true;
-      users.users.root.openssh = { inherit authorizedKeys; };
+      users.users.root.openssh.authorizedKeys.keys = [
+        (builtins.readFile ../../secrets/klarkc.pub)
+      ];
       # beesd
       services.beesd.filesystems = {
         root = {