From 2b6edc0d73bac2d771e2ac02d4bbe1b36d384c0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Tue, 3 Jun 2025 01:15:57 -0300 Subject: [PATCH 1/7] monolith: enable nix cache over ssh --- secrets/monolith/default.yaml | 5 +- system/gitlab-runner.nix | 138 +++++++++++++++++---------- system/gitlab-runner/nix-cache-end | 21 ++++ system/gitlab-runner/nix-cache-start | 18 ++++ system/monolith-gitlab-runner.nix | 10 +- 5 files changed, 139 insertions(+), 53 deletions(-) create mode 100755 system/gitlab-runner/nix-cache-end create mode 100755 system/gitlab-runner/nix-cache-start diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml index 0dbc4ae..f2e12a9 100644 --- a/secrets/monolith/default.yaml +++ b/secrets/monolith/default.yaml @@ -5,6 +5,7 @@ gitlab-runners: thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str] docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str] + wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data: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,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -25,8 +26,8 @@ sops: aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-24T11:51:22Z" - mac: ENC[AES256_GCM,data:onyjWlFsH/9YGSi2nGsPmZjhE4nFVQ5Jiwfi4s9KC7NetKD7Reyz2JY6i3YuZspBn3Jvbq8nOKVPGzttMAG+IrqQEv6+MxrCOEnJZXZcqocDNg7dACOXmJB5iwpFVdKscesTH2SScf7Pl/q6l9KOFjFuaZeBB7dlxHVA5zzCVOU=,iv:lEbxg2HfxU6ikgWSpUNAGIfgaz7DnZjXnLWcmsvt0A4=,tag:/Ag37QuJj9Xy/u20Nhy05Q==,type:str] + lastmodified: "2025-07-16T15:08:21Z" + mac: ENC[AES256_GCM,data:jGS7FqZqEeACNIoeSLokZFa8NdD4ItagH0MXDK/71VODxAHXyYx1YC1rjQoHtJ94wBJV+PAJBvsVXFLRpp9OrmSmHdEAxDAfk0/yQsbqpTyruYRC+bkf5V+Ul8DhtXLFlCQ0LVL+Ku9jTUGCUbV0MHLAN5OBfPglk2vICOoV8Qk=,iv:1HAG5eAoAscctpkYQ1BNUFfQAodb0KbMqgQMw9W6G3o=,tag:rpxbvG5l7eMvCTKYQeRtEw==,type:str] pgp: - created_at: "2025-03-07T22:49:16Z" enc: |- diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix index 5650a52..602f3df 100644 --- a/system/gitlab-runner.nix +++ b/system/gitlab-runner.nix 
@@ -1,56 +1,96 @@ { pkgs, lib, ... }: let - installNixScript = pkgs.writeScriptBin "install-nix" '' - mkdir -p -m 0755 /nix/var/log/nix/drvs - mkdir -p -m 0755 /nix/var/nix/gcroots - mkdir -p -m 0755 /nix/var/nix/profiles - mkdir -p -m 0755 /nix/var/nix/temproots - mkdir -p -m 0755 /nix/var/nix/userpool - mkdir -p -m 1777 /nix/var/nix/gcroots/per-user - mkdir -p -m 1777 /nix/var/nix/profiles/per-user - mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root - mkdir -p -m 0700 "$HOME/.nix-defexpr" + installNixScript = + { + authenticationTokenConfigFile, + nixCacheSshPrivateKeyPath ? null, + ... + }: + pkgs.writeScriptBin "install-nix" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" - . ${pkgs.nix}/etc/profile.d/nix.sh + . ${pkgs.nix}/etc/profile.d/nix.sh - ${pkgs.nix}/bin/nix-env -i ${ - lib.concatStringsSep " " ( - with pkgs; - [ - nix - cacert - git - openssh - docker - ] - ) - } - ''; + ${pkgs.nix}/bin/nix-env -i ${ + lib.concatStringsSep " " ( + with pkgs; + [ + nix + cacert + git + openssh + docker + ] + ) + } + + ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' + NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" + . ${./gitlab-runner/nix-cache-start} + ''} + ''; + + pushStoreContents = + { + authenticationTokenConfigFile, + nixCacheSshPrivateKeyPath ? null, + ... + }: + pkgs.writeScriptBin "push-to-cache" '' + ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' + . 
${./gitlab-runner/nix-cache-end} + ''} + ''; in -{ - mkNixRunner = authenticationTokenConfigFile: { - # File should contain at least these two variables: - # `CI_SERVER_URL` - # `REGISTRATION_TOKEN` - inherit authenticationTokenConfigFile; # 2 - dockerImage = "alpine:3.18.2"; - dockerPullPolicy = "if-not-present"; - dockerVolumes = [ - "/etc/nix/nix.conf:/etc/nix/nix.conf:ro" - "/nix/store:/nix/store:ro" - "/nix/var/nix/db:/nix/var/nix/db:ro" - "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" - "/tmp:/tmp" - "/var/run/docker.sock:/var/run/docker.sock" - "/var/lib/docker/containers:/var/lib/docker/containers" - ]; - dockerDisableCache = true; - preBuildScript = "\". ${lib.getExe installNixScript}\""; - environmentVariables = { - ENV = "/etc/profile"; - USER = "root"; - NIX_REMOTE = "daemon"; - NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; +rec { + mkNixRunnerFull = + { + authenticationTokenConfigFile, + nixCacheSshPrivateKeyPath ? null, + ... + }@args: + { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `REGISTRATION_TOKEN` + inherit authenticationTokenConfigFile; # 2 + dockerImage = "alpine:3.18.2"; + dockerPullPolicy = "if-not-present"; + dockerVolumes = + [ + "/etc/nix/nix.conf:/etc/nix/nix.conf:ro" + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + "/tmp:/tmp" + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/containers:/var/lib/docker/containers" + ] + ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ + "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" + ]; + dockerDisableCache = true; + preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; + postBuildScript = "\". 
${lib.getExe (pushStoreContents args)}\""; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; + }; + }; + + mkNixRunner = + authenticationTokenConfigFile: + mkNixRunnerFull { + inherit authenticationTokenConfigFile; }; - }; } diff --git a/system/gitlab-runner/nix-cache-end b/system/gitlab-runner/nix-cache-end new file mode 100755 index 0000000..5275fc3 --- /dev/null +++ b/system/gitlab-runner/nix-cache-end @@ -0,0 +1,21 @@ +#!/bin/sh + +echo "nix-cache: Storing new store items" +NEW_NIX_STORE_CONTENTS_FILE=$(mktemp) +find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE + +sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE +sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE + +echo "nix-cache: Comparing store paths" +FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp) +comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE +echo "nix-cache: New store paths:" +cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/ /g' + +if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then + echo "nix-cache: Sending new paths to cache" + nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true +else + echo "nix-cache: Nothing to send" +fi diff --git a/system/gitlab-runner/nix-cache-start b/system/gitlab-runner/nix-cache-start new file mode 100755 index 0000000..38797d2 --- /dev/null +++ b/system/gitlab-runner/nix-cache-start 
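Review bot: The new volume entry `"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"` in `mkNixRunnerFull` hands the cache's SSH private key, writable, to every job this runner executes, and those jobs run as `USER = "root"`, so any pipeline the runner picks up can read the key and `nix copy` whatever it likes to `nix-cache.wopus.dev` (the URL built in `nix-cache-start` asserts `trusted=true`, which presumably lets unsigned paths in) — a direct cache-poisoning path for every machine that later substitutes from that cache. At minimum append `:ro` like the `/nix/store` mounts above it; better, keep the key out of the job container altogether by running the upload on the host after the job, or by signing outputs with a `secret-key-files` key and having the cache require signatures, and restrict this runner to protected branches. Separately, `authenticationTokenConfigFile` is destructured but unused in both `installNixScript` and `pushStoreContents`, and `pushStoreContents` produces a script with an empty body when no key is configured, which is harmless but deserves a comment such as `# no-op unless a cache key is configured`.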
@@ -0,0 +1,18 @@ +#!/bin/sh + +echo "nix-cache: Setting up ssh key and host" +STORE_HOST_PUB_KEY="IyBuaXgtY2FjaGUud29wdXMuZGV2OjIyIFNTSC0yLjAtT3BlblNTSF8xMC4wCm5peC1jYWNoZS53b3B1cy5kZXYgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5VNzFONVF4ZENtTTdOMjVTbk9nNnUrWUxtdjkyem5wZURjeUlEYW1sZEkK" +STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY" +echo STORE_URL="$STORE_URL" + +NIX_EXTRA_CONFIG_FILE=$(mktemp) +cat > "$NIX_EXTRA_CONFIG_FILE" < $OLD_NIX_STORE_CONTENTS_FILE diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix index 023dc66..db493fb 100644 --- a/system/monolith-gitlab-runner.nix +++ b/system/monolith-gitlab-runner.nix @@ -4,7 +4,7 @@ ... }: let - inherit (pkgs.callPackage ./gitlab-runner.nix { }) mkNixRunner; + inherit (pkgs.callPackage ./gitlab-runner.nix { }) mkNixRunner mkNixRunnerFull; in { boot.kernel.sysctl."net.ipv4.ip_forward" = true; @@ -18,7 +18,10 @@ in thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path; thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path; - wopus-gitlab-nix = mkNixRunner config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path; + wopus-gitlab-nix = mkNixRunnerFull { + authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path; + nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path; + }; default = { # File should contain at least these two variables: @@ -45,5 +48,8 @@ in "gitlab-runners/wopus-gitlab-nix" = { sopsFile = ../secrets/monolith/default.yaml; }; + "gitlab-runners/wopus-ssh-nix-cache-pk" = { + sopsFile = ../secrets/monolith/default.yaml; + }; }; } From 734a94fa8d0937453dd8e31be5de46db5f554099 Mon Sep 17 00:00:00 2001 
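Review bot: `STORE_HOST_PUB_KEY` is the base64 of two lines of `ssh-keyscan` output (a `# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0` banner plus `nix-cache.wopus.dev ssh-ed25519 …`), whereas `base64-ssh-public-host-key` is documented as the public key alone; as far as I recall Nix writes `<host> <decoded>` into a temporary known_hosts file, so the hostname and banner end up inside the key field and verification only works because ssh skips the malformed first line. Encode just the key: `STORE_HOST_PUB_KEY="$(printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI' | base64 | tr -d '\n')"`. The heredoc that fills `$NIX_EXTRA_CONFIG_FILE` is missing from this view (everything between `<` and the next `>` was lost), so the nix.conf settings it adds could not be reviewed; a one-line comment above it naming what it configures would help the next reader regardless.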
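Review bot: `wopus-ssh-nix-cache-pk` holds the SSH private key, but `pk` conventionally reads as "public key", which will mislead whoever rotates it; name it for what it is, e.g. `gitlab-runners/wopus-ssh-nix-cache-private-key`, and document it at the secret declaration with `# ssh private key for nix-ssh@nix-cache.wopus.dev; bind-mounted into every job of this runner by mkNixRunnerFull`. sops-nix secrets are, I believe, created root-owned with mode 0400 by default, which is what this setup needs since the runner bind-mounts the path as root — worth stating in the same comment so nobody loosens it later.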
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Tue, 3 Jun 2025 12:56:29 -0300 Subject: [PATCH 2/7] update nix ssh cache --- system/gitlab-runner.nix | 18 +++-------- system/gitlab-runner/nix-cache-end | 21 ------------- system/gitlab-runner/nix-cache-start | 45 +++++++++++++++++++++++----- 3 files changed, 42 insertions(+), 42 deletions(-) delete mode 100755 system/gitlab-runner/nix-cache-end diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix index 602f3df..543071b 100644 --- a/system/gitlab-runner.nix +++ b/system/gitlab-runner.nix @@ -34,21 +34,11 @@ let ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" + NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0 + nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI" . ${./gitlab-runner/nix-cache-start} ''} ''; - - pushStoreContents = - { - authenticationTokenConfigFile, - nixCacheSshPrivateKeyPath ? null, - ... - }: - pkgs.writeScriptBin "push-to-cache" '' - ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' - . ${./gitlab-runner/nix-cache-end} - ''} - ''; in rec { mkNixRunnerFull = @@ -73,13 +63,13 @@ rec { "/tmp:/tmp" "/var/run/docker.sock:/var/run/docker.sock" "/var/lib/docker/containers:/var/lib/docker/containers" + "/cache" ] ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" ]; - dockerDisableCache = true; + # dockerDisableCache = true; preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; - postBuildScript = "\". ${lib.getExe (pushStoreContents args)}\""; environmentVariables = { ENV = "/etc/profile"; USER = "root"; diff --git a/system/gitlab-runner/nix-cache-end b/system/gitlab-runner/nix-cache-end deleted file mode 100755 index 5275fc3..0000000 --- a/system/gitlab-runner/nix-cache-end +++ /dev/null 
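Review bot: Commenting out `dockerDisableCache = true;` while adding the `"/cache"` volume re-enables the docker executor's per-runner cache volume, which persists across jobs of every project this runner serves; since jobs run as root, anything one pipeline drops in `/cache` is readable and writable by the next, and nothing in the visible scripts references `/cache`, so presumably this is for GitLab's `cache:` keyword — say so. Either restore `dockerDisableCache = true;` or add a comment explaining why the shared volume is needed, and delete the dead `# dockerDisableCache = true;` line rather than leaving it behind. The inline `NIX_CACHE_SSH_PUBLIC_KEY` still carries the `# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0` keyscan banner, which is not part of the key.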
@@ -1,21 +0,0 @@ -#!/bin/sh - -echo "nix-cache: Storing new store items" -NEW_NIX_STORE_CONTENTS_FILE=$(mktemp) -find /nix/store/ -maxdepth 1 > $NEW_NIX_STORE_CONTENTS_FILE - -sort $OLD_NIX_STORE_CONTENTS_FILE -o $OLD_NIX_STORE_CONTENTS_FILE -sort $NEW_NIX_STORE_CONTENTS_FILE -o $NEW_NIX_STORE_CONTENTS_FILE - -echo "nix-cache: Comparing store paths" -FILTERED_NIX_STORE_CONTENTS_FILE=$(mktemp) -comm -13 $OLD_NIX_STORE_CONTENTS_FILE $NEW_NIX_STORE_CONTENTS_FILE > $FILTERED_NIX_STORE_CONTENTS_FILE -echo "nix-cache: New store paths:" -cat $FILTERED_NIX_STORE_CONTENTS_FILE | sed 's/^/ /g' - -if test -n "$(head -n1 $FILTERED_NIX_STORE_CONTENTS_FILE)"; then - echo "nix-cache: Sending new paths to cache" - nix copy --to "$STORE_URL" $(cat $FILTERED_NIX_STORE_CONTENTS_FILE) || true -else - echo "nix-cache: Nothing to send" -fi diff --git a/system/gitlab-runner/nix-cache-start b/system/gitlab-runner/nix-cache-start index 38797d2..0fe9d4f 100755 --- a/system/gitlab-runner/nix-cache-start +++ b/system/gitlab-runner/nix-cache-start 
@@ -1,18 +1,49 @@
 #!/bin/sh
-echo "nix-cache: Setting up ssh key and host"
+echo "nix-cache: Setting up ssh key and host" >&2
+STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
 STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
-echo STORE_URL="$STORE_URL"
+echo STORE_URL="$STORE_URL" >&2
 NIX_EXTRA_CONFIG_FILE=$(mktemp)
 cat > "$NIX_EXTRA_CONFIG_FILE" <&2 export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES"
-echo "nix-cache: Storing existing store items"
-OLD_NIX_STORE_CONTENTS_FILE=$(mktemp)
-find /nix/store/ -maxdepth 1 > $OLD_NIX_STORE_CONTENTS_FILE
+echo "nix-cache: Setting up nix hook" >&2
+nix() {
+ echo "nix-cache: executing nix hook" >&2
+ command nix "$@"
+ local STATUS="$?"
+
+ local BUILD=no
+ if test "$STATUS" = "0"; then
+ for arg in "$@"; do
+ echo "nix-cache: evaluating arg '$arg'" >&2
+ case "$arg" in
+ build)
+ echo "nix-cache: enablig upload" >&2
+ BUILD=yes
+ ;;
+ -*)
+ echo "nix-cache: ignoring argument '$arg'" >&2
+ ;;
+ *)
+ if test "$BUILD" = yes; then
+ echo "nix-cache: Sending path $arg" >&2
+ command nix copy --to "$STORE_URL" "$arg" || true
+ else
+ echo "nix-cache: not building, ignoring argument '$arg'" >&2
+ fi
+ ;;
+ esac
+ done
+ else
+ echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2
+ fi
+
+ return "$STATUS"
+}
From b3e0af1da6e7a1f49916246b7060038b7217cb8f Mon Sep 17 00:00:00 2001
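Review bot: The `*)` branch of the `nix()` hook treats every non-dash argument after `build` as something to upload, so option values (`-o result`, `--out-link result`, `-j 4`) are handed to `command nix copy` as installables, the failure is swallowed by `|| true`, and the real outputs of a `nix build .#foo -o result` may never be pushed while the log says nothing; the hook also fires only for the `build` subcommand and only in the job shell, not for `nix` invoked from `make` or a nested script. Rather than guessing paths from the argument list, replay the same build with `--no-link --print-out-paths` once it has succeeded (an already-built derivation is not rebuilt, so this costs an evaluation) and copy exactly those paths, logging copy failures instead of discarding them; `--print-out-paths` needs a reasonably recent Nix, so confirm the version in the `alpine` image first. `local` is not POSIX `sh`, but since this file is sourced into the job shell it will most likely run under busybox ash or bash — a comment saying so would save the next reader a check. The heredoc writing `$NIX_EXTRA_CONFIG_FILE` is lost in this view, so the nix.conf lines it adds could not be reviewed.
```shell
nix() {
  echo "nix-cache: executing nix hook" >&2
  command nix "$@"
  local STATUS="$?"
  # … unchanged: return early unless STATUS is 0 and the subcommand is `build` …
  # Ask nix for the output paths of the build that just succeeded instead of
  # inferring them from "$@" (option values such as `-o result` are not paths).
  local OUT_PATHS
  OUT_PATHS="$(command nix build "$@" --no-link --print-out-paths 2>/dev/null)" || OUT_PATHS=""
  for p in $OUT_PATHS; do
    echo "nix-cache: Sending path $p" >&2
    command nix copy --to "$STORE_URL" "$p" || echo "nix-cache: upload of $p failed" >&2
  done
  return "$STATUS"
}
```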
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sat, 19 Jul 2025 16:53:59 -0300 Subject: [PATCH 3/7] gitlab-runner: get nix ssh cache as pub key --- secrets/monolith/default.yaml | 5 +++-- system/gitlab-runner.nix | 10 +++++++--- system/gitlab-runner/nix-cache-start | 2 +- system/monolith-gitlab-runner.nix | 4 ++++ 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml index f2e12a9..0e1bd4d 100644 --- a/secrets/monolith/default.yaml +++ b/secrets/monolith/default.yaml 
@@ -6,6 +6,7 @@ gitlab-runners: docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str] wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:MtYDK6P7nwBzr6p+lRX/dkosBfeDUAj/slf/a5SgVXNIbQlkEk7gvfW5iL+C2HgMwowqWx4F+3q2W+kGweqEYzEYAoZ9pR08a7Jci3Szyy49hkamxJXF+Qwhb5VQKxDppESne7DARCF0iYeUjgeXxCYyuWlGpisnkN3HCWrIYCqbk0LS+yqgkNhDxtxMaThGYztfPnLMEV/P5vuge9sRKu3Xi3iX2uDKtx4FTBsX30Lmd8kngOVnP/GaEHDa5ECO+/yW6ZRg3fIaqJ4RV+Vz79ovFUuZV/VE8eY3JOdK5tKIBWb31YUOjP7ccBes7mMhFLO3ceNeh+a6KAJbQ4pCojJwf/cLz663FKr5f/uWDicOBbL64l3+zV5zvSDzFls0ImXMNL6Fe3SaKP7ZcC5rVrRD8P+UN/OSFmbN5LM7uYY8nNsLxTH7MYsRHgTBUmTsFEhLGJIUjtf6J3/NWIlxjBq1MmpgxN0bD6gwVAxDPP489v918tsZtKdG8SJhLUPE4LWKsU7LHpgUBroKlbGE,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str] + wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:F+QHv9wwgyQYobKwyG13tS2OKCZuBPKLe7RLkhxsqYmVEtkCnli9jG+unMp7MC5L0i3puNqfoXP2IC6g4ESHq1yE0ksUpUCHzps4oMZBQK9b5JcqXQs+c//hskTQ/sFmTfGPpdnQ7wAifnQf5Mx2E4RwiRznMgJGQ3RDDjg9xfWUyvw6PlslZH65aGrq3P/iURvj,iv:u34+rXKLcZjBlVJmdbf60I82Fb621lUjOBmR4CTJWGk=,tag:ToPtBIz3bgzAUKc6hh4Oxg==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -26,8 +27,8 @@ sops: aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-16T15:08:21Z" - mac: ENC[AES256_GCM,data:jGS7FqZqEeACNIoeSLokZFa8NdD4ItagH0MXDK/71VODxAHXyYx1YC1rjQoHtJ94wBJV+PAJBvsVXFLRpp9OrmSmHdEAxDAfk0/yQsbqpTyruYRC+bkf5V+Ul8DhtXLFlCQ0LVL+Ku9jTUGCUbV0MHLAN5OBfPglk2vICOoV8Qk=,iv:1HAG5eAoAscctpkYQ1BNUFfQAodb0KbMqgQMw9W6G3o=,tag:rpxbvG5l7eMvCTKYQeRtEw==,type:str] + lastmodified: "2025-07-16T15:17:16Z" + mac: ENC[AES256_GCM,data:UKIJFzABE0vr7vSYL85iZdTvd0y3dN/MaBUoKf6OpcDtRphM8/yY5J0Xq6XM5f28WFN1GlSKUekQz+DkA6aR6aCI2SICVOJpFb/eXKQ3Y7Td+PGcBr07hFOGCSu2vAzgYB1ZnajfI659FcWmdOoJSYgHUz3G7iRTHHCRVcoaVVk=,iv:jmKwn9bkqvPa0dGge4FFW2uT4Oa1LlFpFMUlnqUgkAA=,tag:CL+0+frQMt2TmgYv9yZeuw==,type:str] pgp: - created_at: "2025-03-07T22:49:16Z" enc: |- diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix index 543071b..2a715ab 100644 --- a/system/gitlab-runner.nix +++ b/system/gitlab-runner.nix @@ -4,6 +4,7 @@ let { authenticationTokenConfigFile, nixCacheSshPrivateKeyPath ? null, + nixCacheSshPublicKeyPath ? null, ... }: pkgs.writeScriptBin "install-nix" '' @@ -32,10 +33,9 @@ let ) } - ${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' + ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) '' NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" - NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0 - nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI" + NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}" . ${./gitlab-runner/nix-cache-start} ''} ''; @@ -45,6 +45,7 @@ rec { { authenticationTokenConfigFile, nixCacheSshPrivateKeyPath ? null, + nixCacheSshPublicKeyPath ? null, ... }@args: { 
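Review bot: The gate `nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null` in `installNixScript` disagrees with the volume list, which mounts each key under its own `lib.optionals`, so a caller that sets only the private key path gets the secret bind-mounted into every job while the cache is never configured — the worst of both outcomes. Compute it once and use it everywhere, `let cacheEnabled = nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null; in` at the top of the file, or fail at evaluation time with `assert (nixCacheSshPrivateKeyPath == null) == (nixCacheSshPublicKeyPath == null);`. The `let` block that declares `installNixScript` starts before this hunk.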
@@ -67,6 +68,9 @@ rec { ] ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" + ] + ++ lib.optionals (nixCacheSshPublicKeyPath != null) [ + "${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}" ]; # dockerDisableCache = true; preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; diff --git a/system/gitlab-runner/nix-cache-start b/system/gitlab-runner/nix-cache-start index 0fe9d4f..7cd1734 100755 --- a/system/gitlab-runner/nix-cache-start +++ b/system/gitlab-runner/nix-cache-start @@ -1,7 +1,7 @@ #!/bin/sh echo "nix-cache: Setting up ssh key and host" >&2 -STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')" +STORE_HOST_PUB_KEY="$(cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n')" STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY" echo STORE_URL="$STORE_URL" >&2 diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix index db493fb..85a5ffe 100644 --- a/system/monolith-gitlab-runner.nix +++ b/system/monolith-gitlab-runner.nix @@ -21,6 +21,7 @@ in wopus-gitlab-nix = mkNixRunnerFull { authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path; nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path; + nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path; }; default = { @@ -51,5 +52,8 @@ in "gitlab-runners/wopus-ssh-nix-cache-pk" = { sopsFile = ../secrets/monolith/default.yaml; }; + "gitlab-runners/wopus-ssh-nix-cache-pub" = { + sopsFile = ../secrets/monolith/default.yaml; + }; }; } From 58085e592c81d35bfafa2cbcbcd80b73fbc5cd5d Mon Sep 17 00:00:00 2001 
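Review bot: The new mount `"${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"`, like the private-key mount above it, lacks `:ro`, and the file it mounts is the server's public host key, which is not a secret: keeping it in the encrypted sops file means reviewers only ever see an opaque `wopus-ssh-nix-cache-pub` blob instead of the key actually being pinned, and every rotation requires re-encrypting. Store it in plain text in the repo (or pass it as a Nix string through `NIX_CACHE_SSH_PUBLIC_KEY`, as patch 2 did) and mount the private key read-only, `"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}:ro"`. In `nix-cache-start`, `cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n'` can be `base64 < "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | tr -d '\n'`, and because it encodes the file verbatim the file must contain only `ssh-ed25519 AAAA…` — no keyscan banner and, as far as I recall Nix prepends the hostname itself, no `nix-cache.wopus.dev` prefix — which is worth a comment at the `wopus-ssh-nix-cache-pub` declaration.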
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Fri, 25 Jul 2025 10:22:39 -0300 Subject: [PATCH 4/7] lsfg: remove default 2x multiplier --- user/lsfg-vk/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/user/lsfg-vk/default.nix b/user/lsfg-vk/default.nix index 4967147..8493db6 100644 --- a/user/lsfg-vk/default.nix +++ b/user/lsfg-vk/default.nix @@ -11,7 +11,6 @@ in home.sessionVariables = { # ENABLE_LSFG = 1; # Don't enable session wide, to avoid bugs - LSFG_MULTIPLIER = 2; LSFG_DLL_PATH = LosslessDllPath; }; From 2d04cee148fcb6b5c0592069072671e52ad978cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Fri, 25 Jul 2025 10:23:19 -0300 Subject: [PATCH 5/7] update --- flake.lock | 44 +++++++++++++------------------------------- 1 file changed, 13 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index dd99371..464da18 100644 --- a/flake.lock +++ b/flake.lock @@ -519,15 +519,13 @@ } }, "lsfg-vk-flake": { - "inputs": { - "nixpkgs": "nixpkgs_4" - }, + "flake": false, "locked": { - "lastModified": 1752427857, - "narHash": "sha256-gF09uaUCp/uykgMfk3HE3fWxwm5sl5bTnJerKfKfX5w=", + "lastModified": 1752953626, + "narHash": "sha256-7lSTABdlvusWpeyNn/EWW0FajTwDTTMevKY0JodfhhA=", "owner": "pabloaul", "repo": "lsfg-vk-flake", - "rev": "f24d8fe3714cabc69073568efece5e9e5c153fe7", + "rev": "f6d9f067780d9ba56549831599c23c0df2cdece1", "type": "github" }, "original": { @@ -540,7 +538,7 @@ "inputs": { "crane": "crane_2", "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1728159958, 
@@ -695,22 +693,6 @@ } }, "nixpkgs_4": { - "locked": { - "lastModified": 1751984180, - "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { "locked": { "lastModified": 1719010183, "narHash": "sha256-8HMWaqpyjbVeEsmy/A2H6VFtW/Wr71vkPLnpTiAXu+8=", @@ -726,7 +708,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1751582995, "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=", @@ -741,7 +723,7 @@ "type": "indirect" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1747958103, "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=", @@ -757,7 +739,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1719010183, "narHash": "sha256-8HMWaqpyjbVeEsmy/A2H6VFtW/Wr71vkPLnpTiAXu+8=", @@ -773,7 +755,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1714091391, "narHash": "sha256-68n3GBvlm1MIeJXadPzQ3v8Y9sIW3zmv8gI5w5sliC8=", @@ -836,7 +818,7 @@ "made-you-look": "made-you-look", "nix-index-database": "nix-index-database", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_5", "nixpkgs-pre-broken-waybar": "nixpkgs-pre-broken-waybar", "nixpkgs-unstable": "nixpkgs-unstable", "plymouth-themes": "plymouth-themes", @@ -1059,7 +1041,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1750931469, @@ -1094,7 +1076,7 @@ "inputs": { "crane": "crane_3", "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1719076817, 
@@ -1113,7 +1095,7 @@ "wl-crosshair": { "inputs": { "flake-utils": "flake-utils_7", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1715216838, From 9f4328a73a98c87398b9032896f97b7f91be6891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Fri, 1 Aug 2025 23:22:37 -0300 Subject: [PATCH 6/7] update lsfg-vk --- flake.lock | 12 ++++++++---- flake.nix | 2 +- overlays/default.nix | 3 ++- user/lsfg-vk/default.nix | 5 +++++ 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 464da18..8aa761b 100644 --- a/flake.lock +++ b/flake.lock @@ -519,13 +519,17 @@ } }, "lsfg-vk-flake": { - "flake": false, + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1752953626, - "narHash": "sha256-7lSTABdlvusWpeyNn/EWW0FajTwDTTMevKY0JodfhhA=", + "lastModified": 1753938292, + "narHash": "sha256-akeUWgvIIi163s/femzvTOuqqOiOB/8US5ioHsNqhYY=", "owner": "pabloaul", "repo": "lsfg-vk-flake", - "rev": "f6d9f067780d9ba56549831599c23c0df2cdece1", + "rev": "081cd66b1369188777ea146a759d35e99ea6b031", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8dc0799..71b31b3 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,7 @@ lsfg-vk-flake = { url = "github:pabloaul/lsfg-vk-flake"; - flake = false; + inputs.nixpkgs.follows = "nixpkgs"; }; disko = { diff --git a/overlays/default.nix b/overlays/default.nix index 3896e66..1c27ce0 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -35,7 +35,8 @@ rec { final: prev: packages // { - lsfg-vk = final.callPackage inputs.lsfg-vk-flake { }; + lsfg-vk = inputs.lsfg-vk-flake.packages.${prev.system}.lsfg-vk; + lsfg-vk-ui = inputs.lsfg-vk-flake.packages.${prev.system}.lsfg-vk-ui; dhist = inputs.dhist.packages.${prev.system}.dhist; demoji = inputs.demoji.packages.${prev.system}.default; tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher; 
diff --git a/user/lsfg-vk/default.nix b/user/lsfg-vk/default.nix index 8493db6..bd3053c 100644 --- a/user/lsfg-vk/default.nix +++ b/user/lsfg-vk/default.nix @@ -14,6 +14,11 @@ in LSFG_DLL_PATH = LosslessDllPath; }; + home.packages = with pkgs; [ + lsfg-vk + lsfg-vk-ui + ]; + # Put the dll in a reachable location for steam games # Secrets normally are a symlink to /run/user/1000/secrets.d/ # Every time sops-nix.service runs, we copy the dll From cc6110dcacf8f285a296af606a7272f920c49036 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Tue, 17 Jun 2025 13:04:57 -0300 Subject: [PATCH 7/7] sway: use caffeinated instead of disabling swayidle --- pkgs/caffeinated/default.nix | 51 ++++++++++++++++++++++++++++++++++++ pkgs/default.nix | 1 + scripts/_sway_idle_toggle | 11 -------- scripts/default.nix | 1 - user/sway/default.nix | 1 + user/sway/sway-binds.nix | 4 +-- user/waybar/default.nix | 6 ++--- 7 files changed, 57 insertions(+), 18 deletions(-) create mode 100644 pkgs/caffeinated/default.nix delete mode 100755 scripts/_sway_idle_toggle diff --git a/pkgs/caffeinated/default.nix b/pkgs/caffeinated/default.nix new file mode 100644 index 0000000..2545a5c --- /dev/null +++ b/pkgs/caffeinated/default.nix 
@@ -0,0 +1,51 @@
+{
+ stdenv,
+ lib,
+ fetchFromGitHub,
+
+ pkgconf,
+ pkg-config,
+ wayland-scanner,
+
+ systemd,
+ libbsd,
+ wayland,
+ wayland-protocols,
+}:
+
+stdenv.mkDerivation {
+ pname = "caffeinated";
+ version = "2022-12-08";
+
+ src = fetchFromGitHub {
+ owner = "electrickite";
+ repo = "caffeinated";
+ rev = "5a8eff054bdce225a19cf3ab785dc1bbc9bd3265";
+ hash = "sha256-X1w/YWljcwb5ZH8Nt92CDhPU/yqBLH3lBS7yVJUeyzY=";
+ };
+
+ nativeBuildInputs = [
+ pkgconf
+ pkg-config
+ wayland-scanner
+ ];
+
+ buildInputs = [
+ systemd
+ libbsd
+ wayland
+ wayland-protocols
+ ];
+
+ makeFlags = [ "WAYLAND=1" ];
+
+ installFlags = [ "PREFIX=$(out)" ];
+
+ meta = {
+ description = "Utility to prevent the system from entering an idle state";
+ homepage = "https://github.com/electrickite/caffeinated";
+ license = lib.licenses.mit;
+ platforms = lib.platforms.linux;
+ maintainers = with lib.maintainers; [ lelgenio ];
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index b702886..abb2bb5 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -3,6 +3,7 @@ { pkgs, inputs }: rec {
+ caffeinated = pkgs.callPackage ./caffeinated { };
 cargo-checkmate = pkgs.callPackage ./cargo-checkmate.nix { };
 lipsum = pkgs.callPackage ./lipsum.nix { };
 emmet-cli = pkgs.callPackage ./emmet-cli.nix { };
diff --git a/scripts/_sway_idle_toggle b/scripts/_sway_idle_toggle
deleted file mode 100755
index e77952c..0000000
--- a/scripts/_sway_idle_toggle
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-swayidlectl() {
- systemctl --user $1 swayidle.service
-}
-
-if swayidlectl status > /dev/null; then
- swayidlectl stop
-else
- swayidlectl start
-fi
diff --git a/scripts/default.nix b/scripts/default.nix
index 9b0b728..3003685 100644
--- a/scripts/default.nix
+++ b/scripts/default.nix
@@ -44,7 +44,6 @@ ]; _diffr = [ diffr ]; _thunar-terminal = [ terminal ];
- _sway_idle_toggle = [ swayidle ];
 kak-pager = [
 fish
 _diffr
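Review bot: `nativeBuildInputs` lists both `pkgconf` and `pkg-config`; in nixpkgs `pkg-config` is the wrapper that already provides `pkgconf`, so the bare `pkgconf` entry is redundant — drop it. Since `sway-binds.nix` and the waybar module invoke the program by bare name, set `meta.mainProgram = "caffeinated";` so callers can use `lib.getExe pkgs.caffeinated` instead of relying on PATH. The source is an unreleased commit, so nixpkgs convention would be `version = "0-unstable-2022-12-08";`, and `maintainers = with lib.maintainers; [ lelgenio ]` only evaluates if that handle exists in nixpkgs' maintainer list (presumably it does, but a repo-local package can simply omit the field).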
diff --git a/user/sway/default.nix b/user/sway/default.nix index 5fbd379..bc53b36 100644 --- a/user/sway/default.nix +++ b/user/sway/default.nix @@ -154,6 +154,7 @@ in wl-clipboard wtype wl-crosshair + caffeinated grim satty diff --git a/user/sway/sway-binds.nix b/user/sway/sway-binds.nix index ae71cf4..3d61b4e 100644 --- a/user/sway/sway-binds.nix +++ b/user/sway/sway-binds.nix @@ -19,7 +19,7 @@ let ''; _suspend = pkgs.writeShellScriptBin "_suspend" '' ${pkgs.sway}/bin/swaymsg mode default - systemctl --user start swayidle.service + pkill caffeinated || true systemctl suspend ''; @@ -143,7 +143,7 @@ let system_binds = { "--locked Ctrl+${mod}+z" = "exec ${_suspend}/bin/_suspend"; - "${mod}+Alt+c" = "exec ${pkgs._sway_idle_toggle}/bin/_sway_idle_toggle"; + "${mod}+Alt+c" = "exec pkill caffeinated || exec caffeinated"; }; screenshot_binds = { diff --git a/user/waybar/default.nix b/user/waybar/default.nix index 5af72bc..696f062 100644 --- a/user/waybar/default.nix +++ b/user/waybar/default.nix @@ -3,12 +3,10 @@ osConfig, pkgs, lib, - font, ... }: let inherit (config.my) - key theme accent font @@ -170,8 +168,8 @@ in }; "custom/caffeine" = { format = "{}"; - exec = "systemctl --user status swayidle > /dev/null && echo 󰒲 || echo 󰒳"; - on-click = "${pkgs._sway_idle_toggle}/bin/_sway_idle_toggle"; + exec = "pgrep caffeinated > /dev/null && echo '󰒳' || echo '󰒲' "; + on-click = "pkill caffeinated || exec caffeinated"; interval = 1; tooltip = false; };
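Review bot: `pkill caffeinated || exec caffeinated` matches the pattern as a regex against the names of every process the user may signal, so a process called e.g. `caffeinated-helper` would be killed in its place and the real daemon left running; use an exact match, `pkill -x caffeinated || exec caffeinated`, and apply the same to `pkill caffeinated || true` in `_suspend` above. The bare `caffeinated` also relies on the binary reaching sway's PATH through `user/sway/default.nix`; `${pkgs.caffeinated}/bin/caffeinated` would make the dependency explicit, as this file already does with `${pkgs.sway}/bin/swaymsg`.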
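Review bot: `pgrep caffeinated > /dev/null` in the `custom/caffeine` module is a regex match on process names, so it is also true for any process whose name merely contains `caffeinated` and the indicator would claim the daemon is running when it is not; use `pgrep -x caffeinated`. The `on-click` command has the same issue with `pkill`, and `pkill -x caffeinated || exec caffeinated` keeps this module consistent with the keybinding in `sway-binds.nix`.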