From 72e4e38fe93dabe448f2c0e050daf6082eca0629 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Tue, 3 Jun 2025 12:56:29 -0300 Subject: [PATCH] update nix ssh cache --- system/gitlab-runner.nix | 18 +++-------- system/gitlab-runner/nix-cache-end | 21 ------------- system/gitlab-runner/nix-cache-start | 45 +++++++++++++++++++++++----- system/monolith-gitlab-runner.nix | 2 +- 4 files changed, 43 insertions(+), 43 deletions(-) delete mode 100755 system/gitlab-runner/nix-cache-end diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix index 1836419..bb803a4 100644 --- a/system/gitlab-runner.nix +++ b/system/gitlab-runner.nix @@ -34,21 +34,11 @@ let ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" + NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0 + nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI" . ${./gitlab-runner/nix-cache-start} ''} ''; - - pushStoreContents = - { - authenticationTokenConfigFile, - nixCacheSshPrivateKeyPath ? null, - ... - }: - pkgs.writeScriptBin "push-to-cache" '' - ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' - . ${./gitlab-runner/nix-cache-end} - ''} - ''; in rec { mkNixRunnerFull = @@ -72,13 +62,13 @@ rec { "/tmp:/tmp" "/var/run/docker.sock:/var/run/docker.sock" "/var/lib/docker/containers:/var/lib/docker/containers" + "/cache" ] ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" ]; - dockerDisableCache = true; + # dockerDisableCache = true; preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; - postBuildScript = "\". ${lib.getExe (pushStoreContents args)}\""; environmentVariables = { ENV = "/etc/profile"; USER = "root"; diff --git a/system/gitlab-runner/nix-cache-end b/system/gitlab-runner/nix-cache-end deleted file mode 100755 index 5275fc3..0000000 
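Review bot: The new `NIX_CACHE_SSH_PUBLIC_KEY` value is raw `ssh-keyscan` output — the `# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0` banner line plus a hostname prefix — yet `nix-cache-start` base64-encodes it verbatim into `base64-ssh-public-host-key`, whose documented content is the key itself (type and blob); Nix is understood to prepend the hostname when it writes its temporary known_hosts file, so the first decoded line becomes a malformed entry and verification only succeeds because ssh skips it and matches the second. Trim the value to the key alone, `NIX_CACHE_SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"` (the same key the removed base64 blob decodes to), and add a comment recording how it was captured and that it must be updated if the cache host's key is rotated. The hostname `nix-cache.wopus.dev` is now hard-coded here and again in `nix-cache-start`, while the private key path is a parameter; consider threading the host through the same way so the two cannot drift apart. The enclosing `let` binding begins before this hunk.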
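Review bot: `# dockerDisableCache = true;` is dead configuration left beside the new `"/cache"` volume; delete the line or replace it with a comment stating intent, e.g. `# local Docker cache volumes re-enabled so /cache persists between jobs`. With caches persisting and the private key path still bind-mounted into every job container (the context line below), any job on this runner can read that key and push to a store that `nix-cache-start` opens with `trusted=true`; if the runner serves more than one project or untrusted merge requests, confirm how GitLab scopes the `/cache` volume before relying on it. Removing `postBuildScript` also means uploads now depend entirely on the shell hook sourced by `preBuildScript`, so a job that never invokes the `nix` command word in that shell uploads nothing and nothing reports it. `mkNixRunnerFull` continues outside the hunk.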
--- a/system/gitlab-runner/nix-cache-end +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -echo "nix-cache: Storing new store items" -NEW_NIX_STORE_CONTENTS_FILE=$(mktemp) -find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE - -sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE -sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE - -echo "nix-cache: Comparing store paths" -FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp) -comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE -echo "nix-cache: New store paths:" -cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/ /g' - -if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then - echo "nix-cache: Sending new paths to cache" - nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true -else - echo "nix-cache: Nothing to send" -fi diff --git a/system/gitlab-runner/nix-cache-start b/system/gitlab-runner/nix-cache-start index 38797d2..0fe9d4f 100755 --- a/system/gitlab-runner/nix-cache-start +++ b/system/gitlab-runner/nix-cache-start 
@@ -1,18 +1,49 @@ #!/bin/sh -echo "nix-cache: Setting up ssh key and host" -STORE_HOST_PUB_KEY="IyBuaXgtY2FjaGUud29wdXMuZGV2OjIyIFNTSC0yLjAtT3BlblNTSF8xMC4wCm5peC1jYWNoZS53b3B1cy5kZXYgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5VNzFONVF4ZENtTTdOMjVTbk9nNnUrWUxtdjkyem5wZURjeUlEYW1sZEkK" +echo "nix-cache: Setting up ssh key and host" >&2 +STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')" STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY" -echo STORE_URL="$STORE_URL" +echo STORE_URL="$STORE_URL" >&2 NIX_EXTRA_CONFIG_FILE=$(mktemp) cat > "$NIX_EXTRA_CONFIG_FILE" <&2 export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES" -echo "nix-cache: Storing existing store items" -OLD_NIX_STORE_CONTENTS_FILE=$(mktemp) -find /nix/store/ -maxdepth 1 > $OLD_NIX_STORE_CONTENTS_FILE +echo "nix-cache: Setting up nix hook" >&2 +nix() { + echo "nix-cache: executing nix hook" >&2 + command nix "$@" + local STATUS="$?" + + local BUILD=no + if test "$STATUS" = "0"; then + for arg in "$@"; do + echo "nix-cache: evaluating arg '$arg'" >&2 + case "$arg" in + build) + echo "nix-cache: enablig upload" >&2 + BUILD=yes + ;; + -*) + echo "nix-cache: ignoring argument '$arg'" >&2 + ;; + *) + if test "$BUILD" = yes; then + echo "nix-cache: Sending path $arg" >&2 + command nix copy --to "$STORE_URL" "$arg" || true + else + echo "nix-cache: not building, ignoring argument '$arg'" >&2 + fi + ;; + esac + done + else + echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2 + fi + + return "$STATUS" +} diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix index d22f90e..9571dbf 100644 --- a/system/monolith-gitlab-runner.nix +++ b/system/monolith-gitlab-runner.nix 
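Review bot: The upload heuristic in the new `nix()` hook treats every argument after `build` that does not begin with `-` as an installable, so option values such as `-o result`, `-j 4` or `--file default.nix attr` are handed to `nix copy`, and the trailing `|| true` hides the resulting failure from the job log. At minimum surface it and fix the `enablig` log typo: `command nix copy --to "$STORE_URL" "$arg" || echo "nix-cache: upload of $arg failed" >&2`. A sturdier design stops parsing the command line and asks Nix what was built — capture `nix build --print-out-paths`, or set `post-build-hook` in the `NIX_EXTRA_CONFIG_FILE` this script already writes so Nix passes `$OUT_PATHS` after each build (the latter runs daemon-side, so confirm the daemon can reach the key path and store URL given the host-daemon setup described in `monolith-gitlab-runner.nix`). `STORE_HOST_PUB_KEY` is computed without checking that `NIX_CACHE_SSH_PUBLIC_KEY` is set; an empty value yields the base64 of a bare newline and a confusing ssh host-key failure instead of a clear error, which `: "${NIX_CACHE_SSH_PUBLIC_KEY:?nix-cache: NIX_CACHE_SSH_PUBLIC_KEY is not set}"` at the top would fix. The heredoc at `cat > "$NIX_EXTRA_CONFIG_FILE"` appears garbled in this listing so its body could not be reviewed, and `local` is not POSIX `sh` — fine under dash or bash, but worth a comment or a bash shebang.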
@@ -11,7 +11,7 @@ in
 virtualisation.docker.enable = true;
 services.gitlab-runner = {
 enable = true;
- settings.concurrent = 12;
+ settings.concurrent = 6;
 services = {
 # runner for building in docker via host's nix-daemon
 # nix store will be readable in runner, might be insecure