update nix ssh cache

This commit is contained in:
Leonardo Eugênio 2025-06-03 12:56:29 -03:00
parent 868496d2b9
commit 72e4e38fe9
No known key found for this signature in database
GPG key ID: 2F8F21CE8721456B
4 changed files with 43 additions and 43 deletions


@ -34,21 +34,11 @@ let
${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' ${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
. ${./gitlab-runner/nix-cache-start} . ${./gitlab-runner/nix-cache-start}
''} ''}
''; '';
pushStoreContents =
{
authenticationTokenConfigFile,
nixCacheSshPrivateKeyPath ? null,
...
}:
pkgs.writeScriptBin "push-to-cache" ''
${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
. ${./gitlab-runner/nix-cache-end}
''}
'';
in in
rec { rec {
mkNixRunnerFull = mkNixRunnerFull =
@ -72,13 +62,13 @@ rec {
"/tmp:/tmp" "/tmp:/tmp"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/docker/containers:/var/lib/docker/containers" "/var/lib/docker/containers:/var/lib/docker/containers"
"/cache"
] ]
++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
]; ];
dockerDisableCache = true; # dockerDisableCache = true;
preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
postBuildScript = "\". ${lib.getExe (pushStoreContents args)}\"";
environmentVariables = { environmentVariables = {
ENV = "/etc/profile"; ENV = "/etc/profile";
USER = "root"; USER = "root";
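Review bot: The SSH host key for nix-cache.wopus.dev is now a literal inside the generated shell script (the `NIX_CACHE_SSH_PUBLIC_KEY=` assignment in the first hunk), while the matching private key path is a module argument; lifting it to an argument such as `nixCacheSshPublicHostKey ? null` next to `nixCacheSshPrivateKeyPath` would let the pinned key be rotated without editing the builder and keep both halves of the cache configuration in one place. The value also begins with the `# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0` line that ssh-keyscan emits; a comment saying that the whole known_hosts-style block, comment line included, is what gets base64-encoded at runtime would stop the next reader from trimming it. In the second hunk `dockerDisableCache = true;` appears to be commented out on the new side with no explanation, so a one-line comment on why the cache volume is now wanted would help. The enclosing `let` binding starts before the first hunk.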


@ -1,21 +0,0 @@
#!/bin/sh
echo "nix-cache: Storing new store items"
NEW_NIX_STORE_CONTENTS_FILE=$(mktemp)
find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE
sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE
sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE
echo "nix-cache: Comparing store paths"
FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp)
comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE
echo "nix-cache: New store paths:"
cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/ /g'
if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then
echo "nix-cache: Sending new paths to cache"
nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true
else
echo "nix-cache: Nothing to send"
fi


@ -1,18 +1,49 @@
#!/bin/sh #!/bin/sh
echo "nix-cache: Setting up ssh key and host" echo "nix-cache: Setting up ssh key and host" >&2
STORE_HOST_PUB_KEY="IyBuaXgtY2FjaGUud29wdXMuZGV2OjIyIFNTSC0yLjAtT3BlblNTSF8xMC4wCm5peC1jYWNoZS53b3B1cy5kZXYgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5VNzFONVF4ZENtTTdOMjVTbk9nNnUrWUxtdjkyem5wZURjeUlEYW1sZEkK" STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY" STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
echo STORE_URL="$STORE_URL" echo STORE_URL="$STORE_URL" >&2
NIX_EXTRA_CONFIG_FILE=$(mktemp) NIX_EXTRA_CONFIG_FILE=$(mktemp)
cat > "$NIX_EXTRA_CONFIG_FILE" <<EOF cat > "$NIX_EXTRA_CONFIG_FILE" <<EOF
extra-substituters = $STORE_URL extra-substituters = $STORE_URL
EOF EOF
echo "nix-cache: Adding remote cache as substituter" echo "nix-cache: Adding remote cache as substituter" >&2
export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES" export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES"
echo "nix-cache: Storing existing store items" echo "nix-cache: Setting up nix hook" >&2
OLD_NIX_STORE_CONTENTS_FILE=$(mktemp) nix() {
find /nix/store/ -maxdepth 1 > $OLD_NIX_STORE_CONTENTS_FILE echo "nix-cache: executing nix hook" >&2
command nix "$@"
local STATUS="$?"
local BUILD=no
if test "$STATUS" = "0"; then
for arg in "$@"; do
echo "nix-cache: evaluating arg '$arg'" >&2
case "$arg" in
build)
echo "nix-cache: enablig upload" >&2
BUILD=yes
;;
-*)
echo "nix-cache: ignoring argument '$arg'" >&2
;;
*)
if test "$BUILD" = yes; then
echo "nix-cache: Sending path $arg" >&2
command nix copy --to "$STORE_URL" "$arg" || true
else
echo "nix-cache: not building, ignoring argument '$arg'" >&2
fi
;;
esac
done
else
echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2
fi
return "$STATUS"
}
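Review bot: The argument scan in the new `nix` wrapper treats every non-dash word that follows `build` as an installable to copy, so the values of value-taking options such as `-o result`, `--out-link result`, `-f default.nix` or `--expr '...'` are handed to `nix copy` as paths; because the copy is guarded by `|| true` these misfires only show up as stderr noise, and a real upload failure is hidden the same way. Skipping the word after an option known to take a separate value keeps the copy list to real installables (the `--opt=value` form is already caught by the `-*` arm), and logging when `nix copy` fails would make the masked status visible. Note also that a bare `nix build` (installable defaulting to `.`) uploads nothing, `local` is not POSIX although the file is `#!/bin/sh` (dash and bash accept it, worth a comment), and the `build)` arm's message reads `enablig`.
```shell
  local SKIP_NEXT=no
  for arg in "$@"; do
    if test "$SKIP_NEXT" = yes; then
      SKIP_NEXT=no
      continue
    fi
    case "$arg" in
      build)
        # … unchanged: BUILD=yes …
        ;;
      -o|--out-link|-f|--file|--expr|-j|--max-jobs|-I|--include)
        # option whose value is the next word: drop that word too (extend as needed)
        SKIP_NEXT=yes
        ;;
      -*)
        echo "nix-cache: ignoring argument '$arg'" >&2
        ;;
      *)
        if test "$BUILD" = yes; then
          echo "nix-cache: Sending path $arg" >&2
          command nix copy --to "$STORE_URL" "$arg" \
            || echo "nix-cache: copy of '$arg' failed, continuing" >&2
        fi
        ;;
    esac
  done
```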


@ -11,7 +11,7 @@ in
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
settings.concurrent = 12; settings.concurrent = 6;
services = { services = {
# runner for building in docker via host's nix-daemon # runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure # nix store will be readable in runner, might be insecure