feat: add attic cache

2025-10-14 22:30:20 +02:00
parent 7fd35b79c4
commit 09e381ecc4
4 changed files with 126 additions and 3 deletions
--- a/utils/modules/attic-cache/default.nix
+++ b/utils/modules/attic-cache/default.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cacheUrl = "https://attic.cloonar.com";
+  cacheName = "cloonar-nixos";
+  publicKey = "cloonar-nixos:u0S8Q3CShMkXeBk/eo8iooqrcSBTwNGBxQDS9HfkseE=";
+  authTokenFile = config.sops.secrets.attic_auth_token.path;
+
+  # Post-build hook script that pushes to Attic
+  atticPushHook = pkgs.writeShellScript "attic-push-hook" ''
+    #!${pkgs.bash}/bin/bash
+    set -euo pipefail
+
+    # Load configuration from sops secrets at runtime
+    ATTIC_CACHE="${cacheName}"
+    ATTIC_URL="${cacheUrl}"
+
+    # Check if we have the required configuration
+    if [[ -z "$ATTIC_CACHE" ]] || [[ -z "$ATTIC_URL" ]]; then
+      echo "Attic cache not configured, skipping push" >&2
+      exit 0
+    fi
+
+    # Read the auth token from sops if available
+    ATTIC_AUTH_TOKEN=$(cat "${authTokenFile}")
+
+    # Function to check if a path exists in cache
+    path_in_cache() {
+      local path="$1"
+      ${pkgs.attic-client}/bin/attic cache info "$ATTIC_CACHE" "$path" &>/dev/null
+    }
+
+    # Function to push a path to cache
+    push_to_cache() {
+      local path="$1"
+      echo "Pushing $path to Attic cache..." >&2
+      if ${pkgs.attic-client}/bin/attic push "$ATTIC_CACHE" "$path"; then
+        echo "Successfully pushed $path" >&2
+      else
+        echo "Failed to push $path (non-fatal)" >&2
+      fi
+    }
+
+    # Read paths from stdin (provided by Nix post-build-hook)
+    while IFS= read -r path; do
+      if [[ -e "$path" ]]; then
+        # Check if already in cache before pushing
+        if ! path_in_cache "$path"; then
+          push_to_cache "$path"
+        else
+          echo "Path $path already in cache, skipping" >&2
+        fi
+      fi
+    done
+
+    echo "Attic cache push completed" >&2
+  '';
+
+in {
+  sops.secrets.attic_auth_token = {
+    sopsFile = ./secrets.yaml;
+  };
+
+  # Install attic client
+  environment.systemPackages = with pkgs; [
+    attic-client
+  ];
+
+  # Configure Nix settings
+  nix.settings = {
+    substituters = [ cacheUrl ];
+    trusted-public-keys = [ publicKey ];
+    post-build-hook = atticPushHook;
+  };
+
+  # Create a systemd service for manual cache operations
+  systemd.services.attic-push-closure = {
+    description = "Push a closure to Attic cache";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.attic-client}/bin/attic push ${cacheName} $CLOSURE_PATH'";
+      EnvironmentFile = authTokenFile;
+    };
+  };
+}