update nix ssh cache

2025-06-03 12:56:29 -03:00 · 2025-06-03 12:56:29 -03:00 · 72e4e38fe9
commit 72e4e38fe9
parent 868496d2b9
4 changed files with 43 additions and 43 deletions
--- a/system/gitlab-runner.nix
+++ b/system/gitlab-runner.nix
@ -34,21 +34,11 @@ let

      ${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
        NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
+        NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
+        nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
        . ${./gitlab-runner/nix-cache-start}
      ''}
    '';
-
-  pushStoreContents =
-    {
-      authenticationTokenConfigFile,
-      nixCacheSshPrivateKeyPath ? null,
-      ...
-    }:
-    pkgs.writeScriptBin "push-to-cache" ''
-      ${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
-        . ${./gitlab-runner/nix-cache-end}
-      ''}
-    '';
 in
 rec {
  mkNixRunnerFull =
@ -72,13 +62,13 @@ rec {
          "/tmp:/tmp"
          "/var/run/docker.sock:/var/run/docker.sock"
          "/var/lib/docker/containers:/var/lib/docker/containers"
+          "/cache"
        ]
        ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
          "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
        ];
-      dockerDisableCache = true;
+      # dockerDisableCache = true;
      preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
-      postBuildScript = "\". ${lib.getExe (pushStoreContents args)}\"";
      environmentVariables = {
        ENV = "/etc/profile";
        USER = "root";
--- a/system/gitlab-runner/nix-cache-end
+++ b/system/gitlab-runner/nix-cache-end
@ -1,21 +0,0 @@
-#!/bin/sh
-
-echo "nix-cache: Storing new store items"
-NEW_NIX_STORE_CONTENTS_FILE=$(mktemp)
-find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE
-
-sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE
-sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE
-
-echo "nix-cache: Comparing store paths"
-FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp)
-comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE
-echo "nix-cache: New store paths:"
-cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/    /g'
-
-if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then
-    echo "nix-cache: Sending new paths to cache"
-    nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true
-else
-    echo "nix-cache: Nothing to send"
-fi
--- a/system/gitlab-runner/nix-cache-start
+++ b/system/gitlab-runner/nix-cache-start
@ -1,18 +1,49 @@
 #!/bin/sh

-echo "nix-cache: Setting up ssh key and host"
-STORE_HOST_PUB_KEY="IyBuaXgtY2FjaGUud29wdXMuZGV2OjIyIFNTSC0yLjAtT3BlblNTSF8xMC4wCm5peC1jYWNoZS53b3B1cy5kZXYgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5VNzFONVF4ZENtTTdOMjVTbk9nNnUrWUxtdjkyem5wZURjeUlEYW1sZEkK"
+echo "nix-cache: Setting up ssh key and host" >&2
+STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
 STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
-echo STORE_URL="$STORE_URL"
+echo STORE_URL="$STORE_URL" >&2

 NIX_EXTRA_CONFIG_FILE=$(mktemp)
 cat > "$NIX_EXTRA_CONFIG_FILE" <<EOF
  extra-substituters = $STORE_URL
 EOF

-echo "nix-cache: Adding remote cache as substituter"
+echo "nix-cache: Adding remote cache as substituter" >&2
 export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES"

-echo "nix-cache: Storing existing store items"
-OLD_NIX_STORE_CONTENTS_FILE=$(mktemp)
-find /nix/store/ -maxdepth 1 > $OLD_NIX_STORE_CONTENTS_FILE
+echo "nix-cache: Setting up nix hook" >&2
+nix() {
+    echo "nix-cache: executing nix hook" >&2
+    command nix "$@"
+    local STATUS="$?"
+
+    local BUILD=no
+    if test "$STATUS" = "0"; then
+        for arg in "$@"; do
+            echo "nix-cache: evaluating arg '$arg'" >&2
+            case "$arg" in
+                build)
+                    echo "nix-cache: enablig upload" >&2
+                    BUILD=yes
+                ;;
+                -*)
+                    echo "nix-cache: ignoring argument '$arg'" >&2
+                ;;
+                *)
+                    if test "$BUILD" = yes; then
+                        echo "nix-cache: Sending path $arg" >&2
+                        command nix copy --to "$STORE_URL" "$arg" || true
+                    else
+                        echo "nix-cache: not building, ignoring argument '$arg'" >&2
+                    fi
+                ;;
+            esac
+        done
+    else
+        echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2
+    fi
+
+    return "$STATUS"
+}
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@ -11,7 +11,7 @@ in
  virtualisation.docker.enable = true;
  services.gitlab-runner = {
    enable = true;
-    settings.concurrent = 12;
+    settings.concurrent = 6;
    services = {
      # runner for building in docker via host's nix-daemon
      # nix store will be readable in runner, might be insecure