allow consuming attic cache from ci runner

2025-07-04 19:23:41 +02:00 · 2025-07-04 19:23:41 +02:00 · a5ec137b4f
commit a5ec137b4f
parent 16e1f9a6a3
5 changed files with 52 additions and 1 deletions
--- a/default.nix
+++ b/default.nix
@ -65,6 +65,7 @@ in
        pkgs.httpie
        pkgs.jq
        pkgs.nix-unit
+        pkgs.attic-client
        test-loop
        nixops4.packages.${system}.default
      ];
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -24,6 +24,14 @@ in
    experimental-features = nix-command flakes
  '';

+  nix.settings = {
+    substituters = [
+      "https://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -6,9 +6,9 @@
 }:
 let
  system = builtins.currentSystem;
+  sources = import ../../../npins;
  packages =
    let
-      sources = import ../../../npins;
      inherit (import sources.flake-inputs) import-flake;
      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
    in
@ -42,6 +42,47 @@ in
 {
  _class = "nixos";

+  imports = with sources; [
+    "${home-manager}/nixos"
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  vars.settings.on-machine.enable = true;
+  vars.generators."templates" = rec {
+    dependencies = [ "attic" ];
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.gnused
+    ];
+    script = lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (template: _: ''
+        cp "$templates/${template}" "$out/${template}"
+        echo "filling placeholders in template ${template}..."
+        sed -i "s/${placeholder}/$(cat "${config.age.secrets.wiki-password.path}")/g" "$out/${template}"
+      '') files
+    );
+
+    files."attic.toml" = {
+      secret = true;
+      template = pkgs.writeText "attic.toml" ''
+        default-server = "fediversity"
+
+        [servers.fediversity]
+        endpoint = "http://localhost:8080"
+        token = "${config.vars.generators.attic.files.token.placeholder}"
+      '';
+    };
+  };
+
+  home-manager = {
+    users.gitea-runner.home = {
+      stateVersion = "25.05";
+      file.".config/attic/config.toml".source =
+        config.vars.generators."templates".files."attic.toml".path;
+    };
+  };
+
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
--- a/secrets/attic-ci-token.age
+++ b/secrets/attic-ci-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -25,6 +25,7 @@ concatMapAttrs
    ## are able to decrypt them.

    {
+      attic-ci-token = [ forgejo-ci ];
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ forgejo-ci ];