feat: add cache.toph.so Nix binary cache key and substituter

2026-02-18 13:39:06 +01:00 · 2026-02-18 13:39:06 +01:00 · c694915cd5
commit c694915cd5
parent beefd362d4
11 changed files with 95 additions and 4 deletions
--- a/home/by-host/endurance/config/aws.nix
+++ b/home/by-host/endurance/config/aws.nix
@ -0,0 +1,32 @@
 { pkgs, config, lib, ... }: {
  home.packages = [ pkgs.awscli2 ];
  # Derive AWS credentials from the existing nix-cache S3 secret — same
  # credentials, different format. No duplication, no Nomad API access needed.
  age.generators.aws-credentials = { decrypt, deps, ... }: ''
    KEY=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file} \
      | grep AWS_ACCESS_KEY_ID | cut -d= -f2-)
    SECRET=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file} \
      | grep AWS_SECRET_ACCESS_KEY | cut -d= -f2-)
    printf '[t4]\naws_access_key_id     = %s\naws_secret_access_key = %s\n' \
      "$KEY" "$SECRET"
  '';
  bosun.secrets.aws-credentials = {
    rekeyFile = "aws-credentials.age";
    path = "${config.home.homeDirectory}/.aws/credentials";
    mode = "0600";
    generator = {
      script = "aws-credentials";
      dependencies = {
        inherit (config.age.secrets) nix-cache-s3-env;
      };
    };
  };
  home.file.".aws/config".text = ''
    [profile t4]
    endpoint_url = https://s3.toph.so
    region = us-east-1
  '';
 }
--- a/hosts/endurance/default.nix
+++ b/hosts/endurance/default.nix
@ -20,6 +20,25 @@
    #quirks = ["avahi" "docker" "nix-ld"];
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjqieS4GkYAa1WRYZpxjgYsj7VGZ9U+rTFCkX8M0umD";
    secrets = {
      nix-cache-privkey = "nix-cache-privkey.age";
      nix-cache-s3-env = "nix-cache-s3.env.age";
    };
  };
  # Sign builds and push to the S3 binary cache at s3.toph.so/nix-cache.
  nix.settings = {
    secret-key-files = [config.age.secrets.nix-cache-privkey.path];
    post-build-hook = toString (pkgs.writeScript "nix-cache-upload" ''
      #!/bin/sh
      set -uf
      . ${config.age.secrets.nix-cache-s3-env.path}
      ${config.nix.package}/bin/nix copy \
        --to "s3://nix-cache?endpoint=https://s3.toph.so&region=us-east-1" \
        $OUT_PATHS \
        >> /tmp/nix-cache-upload.log 2>&1 &
    '');
  };
  networking = {
--- a/modules/generic/nix.nix
+++ b/modules/generic/nix.nix
@ -30,7 +30,15 @@
      keep-outputs = true;
      trusted-users = ["root" "@wheel"];
-      substituters = ["https://cache.nixos.org/"];
+      substituters = [
        "https://cache.nixos.org/"
        "https://s3.toph.so/nix-cache"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "cache.toph.so:sre7NaMFLUyRGuHY5MoC4Il4wD9lC53Ct0D1A/lwb+A="
        "cache.toph.so-ci:e5n27lZmhhdQvYClj9PZUFJIYwiBfC7eJkEXe8h4PKU="
      ];
    };
  };
--- a/modules/home/common/terminal/shell/fish.nix
+++ b/modules/home/common/terminal/shell/fish.nix
@ -20,11 +20,13 @@ in {
    '';
    functions = {
-      nomad-ui = {
+      nomad-auth = {
-        description = "Fetches the Nomad management token from alvin and opens the authenticated UI";
+        description = "Fetches the Nomad management token from alvin. Pass --ui to also open the authenticated UI.";
        body = ''
          set -gx NOMAD_TOKEN (ssh root@alvin cat /var/lib/nomad-acl/management.token)
          if contains -- --ui $argv
            nomad ui -authenticate
          end
        '';
      };
      agx = {
--- a/new-secret-ci.key
+++ b/new-secret-ci.key
--- a/secrets/aws-credentials.age
+++ b/secrets/aws-credentials.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 j9CFK6quTBAviKfxt7nk/sdsTR/5swqEfqLgo7gjmTw
 BSrgJCxZY1nIOtjkzAdx60POzJ98IF5ryF1SLXKMgZk
 -> piv-p256 Kmn3OQ AwqKwTZh40d7YdbU3mMJFhKz75X/NKfXdBCzpKWf75uo
 FIuAwxkVMN12HoV7SN7iq1fOhqakL4Lbz5Wp/PabTO4
 -> F=1e<+J-grease pk rVDW+r/ Zme4
 y52QMNBhnOd9wwF4NauKUGkRCt99O7L+cqGD6od03cDf79bfsCxc0jyY7wW+fe9R
 TgFDwzdeRl4LQCL/3uH4bj+j
 --- zuMUxvMUyLES8iVG6tbdW/oU0bAaTDlRJwN7x+k6kTw
 Ê_Ï5ýZÄB£öÛù~Úi©Ç%<25>B¸3RÕ›ËrÜËôê˜<C3AA>W<| ASƒ•=œ×³Û*IÁ~Þ»Ø¦<C398>y$¦äY´`Óp|F¨Èz?nR	ÄÂâÚ4h7y·Á#‘
/r…Vy«|Ò¢B+~òBfÁƒ;±å|áÇWu¤$Y“E=ËÇIÁU'… ¬
 ¯
--- a/secrets/nix-cache-privkey.age
+++ b/secrets/nix-cache-privkey.age
--- a/secrets/nix-cache-s3.env.age
+++ b/secrets/nix-cache-s3.env.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 pxQqMT3kixRevDw5AOugW61Stxpa54NPwdaMDf5ywBc
 emM75EuTf5bL1eueeWsmFfbEZDT5+27VzBOQgCfGzlw
 -> piv-p256 Kmn3OQ A92Zkli15jy0zZZiW+VYVi5apkhwXi5gZdGsfz4Nzrai
 wP2maNvDOmxxA6PMcj930SJLFnExpQHYOqWVXvh2g3o
 -> ,*$Gmjb-grease `Ob>AA UG\`RJP S @-2
 +HbUwSV+W2xrg8coxxpvSQ+VfPGWfqr0HjtDmX3wCmCO0jpjqKqRCDEAsTj5oTKL
 MUOwTg
 --- Ib2BGSJRp6WTD55zNN072D+RFxRegKZhjXa48sKg3+Q
 ìLŸôÐô~\FþQ$Â€´¬šáûÌFõ²
 i¯ E±EØ®ÔMi[x¿/z ÒþŠ¢·ÿÃ×s‡ÆüÆg®l8· 6tÒìi]ø’¨0Èo6—¿%’ÆúáÜÐc/ïÃ+%Ô¹Œ~ùšHˆpPŽ‘%[úuQ;ÑˆŒ_[p_§²}ªw†È
--- a/secrets/rekeyed/endurance/50db29637a0b7d73f036321af22c8a9c-nix-cache-s3-env.age
+++ b/secrets/rekeyed/endurance/50db29637a0b7d73f036321af22c8a9c-nix-cache-s3-env.age
--- a/secrets/rekeyed/endurance/b26d17749592ba1595d566934c2ea6ba-nix-cache-privkey.age
+++ b/secrets/rekeyed/endurance/b26d17749592ba1595d566934c2ea6ba-nix-cache-privkey.age
--- a/secrets/rekeyed/toph.endurance/0948f172d4f8ec095d92d6d65af01f5e-aws-credentials.age
+++ b/secrets/rekeyed/toph.endurance/0948f172d4f8ec095d92d6d65af01f5e-aws-credentials.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 Sih9FA DiICdXQXdFzjmLaO3TbZmurGr7rRlOyeyT4B6Q2hbgw
 AMltu9LuCxoev0zm5Ihoa0aSYVvs7SAD04NIF4gyMxw
 -> K0!Lf-grease AnUy
 q4vQ1RJdAeh03A
 --- g4sTWmo/FkvfmPBcfalOQE3FUapLvqYKLEfqDUvt2Yw
 *ñUäA†±=¾w1üƒ·&º*d©UÙÎ<C399>s>a4¦s«˜hi<68>g<EFBFBD>€}K	Š»}ÒïàÆ8dÄþp‰¸œˆÔVë†bB¼•†TxéÊ<C3A9>ÈŒ0sˆüdÃ÷Q¿UR+
 nF?æÈÚ ýƒÏP'i¥Xœ²)¥UsÜq¶²EŒ~Êèi¥ûÀˆ=âµ|<7C>P.¥ùÁâ2