update nix ssh cache

Leonardo Eugênio 2025-06-03 12:56:29 -03:00
parent 868496d2b9
commit 72e4e38fe9
No known key found for this signature in database
GPG key ID: 2F8F21CE8721456B
4 changed files with 43 additions and 43 deletions


@ -34,21 +34,11 @@ let
${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
. ${./gitlab-runner/nix-cache-start}
''}
'';
pushStoreContents =
{
authenticationTokenConfigFile,
nixCacheSshPrivateKeyPath ? null,
...
}:
pkgs.writeScriptBin "push-to-cache" ''
${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
. ${./gitlab-runner/nix-cache-end}
''}
'';
in
rec {
mkNixRunnerFull =
@ -72,13 +62,13 @@ rec {
"/tmp:/tmp"
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/docker/containers:/var/lib/docker/containers"
"/cache"
]
++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
];
dockerDisableCache = true;
# dockerDisableCache = true;
preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
postBuildScript = "\". ${lib.getExe (pushStoreContents args)}\"";
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
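Review bot: The cache push key is bind-mounted into every job container read-write by `"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"` in the extra-volumes list, so any job script can read (and, with a writable mount, alter) the key that `push-to-cache` uses with `trusted=true`; appending `:ro` to that entry, `"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}:ro"`, is the minimal hardening. Whether that line is new or context cannot be told from this rendering, since the +/- markers are lost. In the same hunk `dockerDisableCache = true;` appears both live and commented out; presumably only the commented form is on the new side, and a one-line comment stating why the docker cache is being re-enabled would help, since the nearby `# nix store will be readable in runner, might be insecure` remark suggests the isolation properties of these runners were a concern. The surrounding `mkNixRunnerFull` definition begins and ends outside the hunk.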


@ -1,21 +0,0 @@
#!/bin/sh
echo "nix-cache: Storing new store items"
NEW_NIX_STORE_CONTENTS_FILE=$(mktemp)
find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE
sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE
sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE
echo "nix-cache: Comparing store paths"
FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp)
comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE
echo "nix-cache: New store paths:"
cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/ /g'
if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then
echo "nix-cache: Sending new paths to cache"
nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true
else
echo "nix-cache: Nothing to send"
fi


@ -1,18 +1,49 @@
#!/bin/sh
echo "nix-cache: Setting up ssh key and host"
STORE_HOST_PUB_KEY="IyBuaXgtY2FjaGUud29wdXMuZGV2OjIyIFNTSC0yLjAtT3BlblNTSF8xMC4wCm5peC1jYWNoZS53b3B1cy5kZXYgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5VNzFONVF4ZENtTTdOMjVTbk9nNnUrWUxtdjkyem5wZURjeUlEYW1sZEkK"
echo "nix-cache: Setting up ssh key and host" >&2
STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
echo STORE_URL="$STORE_URL"
echo STORE_URL="$STORE_URL" >&2
NIX_EXTRA_CONFIG_FILE=$(mktemp)
cat > "$NIX_EXTRA_CONFIG_FILE" <<EOF
extra-substituters = $STORE_URL
EOF
echo "nix-cache: Adding remote cache as substituter"
echo "nix-cache: Adding remote cache as substituter" >&2
export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES"
echo "nix-cache: Storing existing store items"
OLD_NIX_STORE_CONTENTS_FILE=$(mktemp)
find /nix/store/ -maxdepth 1 > $OLD_NIX_STORE_CONTENTS_FILE
echo "nix-cache: Setting up nix hook" >&2
nix() {
echo "nix-cache: executing nix hook" >&2
command nix "$@"
local STATUS="$?"
local BUILD=no
if test "$STATUS" = "0"; then
for arg in "$@"; do
echo "nix-cache: evaluating arg '$arg'" >&2
case "$arg" in
build)
echo "nix-cache: enablig upload" >&2
BUILD=yes
;;
-*)
echo "nix-cache: ignoring argument '$arg'" >&2
;;
*)
if test "$BUILD" = yes; then
echo "nix-cache: Sending path $arg" >&2
command nix copy --to "$STORE_URL" "$arg" || true
else
echo "nix-cache: not building, ignoring argument '$arg'" >&2
fi
;;
esac
done
else
echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2
fi
return "$STATUS"
}
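Review bot: In the `*)` case of the new `nix()` hook every non-option argument that follows `build` is handed to `nix copy` as an installable, so option values such as the `result` in `--out-link result` (the `-*)` case only consumes the flag itself) are also sent, and the `|| true` on `command nix copy --to "$STORE_URL" "$arg" || true` hides those failures together with genuine cache errors, so a broken cache or key path goes unnoticed. Logging the failure keeps the best-effort behaviour while making it visible: `command nix copy --to "$STORE_URL" "$arg" || echo "nix-cache: copy of '$arg' failed" >&2`. `BUILD=yes` is also set by a literal `build` at any position, so an invocation like `nix run … build` would trigger uploads; if jobs always call `nix build` directly, checking `"$1" = build` before the loop would be tighter, though that depends on how the jobs invoke nix. The log line `"nix-cache: enablig upload"` has a typo (`enabling`).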


@ -11,7 +11,7 @@ in
virtualisation.docker.enable = true;
services.gitlab-runner = {
enable = true;
settings.concurrent = 12;
settings.concurrent = 6;
services = {
# runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure