From 67906cbf16e33a2ee052e94182d668b442908cb5 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Wed, 15 Oct 2025 10:09:26 +0200 Subject: [PATCH] fix: attic cache --- utils/modules/attic-cache/default.nix | 39 ++++++++++++++++++++++++-- utils/modules/attic-cache/secrets.yaml | 5 ++-- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/utils/modules/attic-cache/default.nix b/utils/modules/attic-cache/default.nix index 1b65bbc..34bf3d2 100644 --- a/utils/modules/attic-cache/default.nix +++ b/utils/modules/attic-cache/default.nix @@ -24,8 +24,17 @@ let fi # Read the auth token from sops if available + export ATTIC_AUTH_TOKEN ATTIC_AUTH_TOKEN=$(cat "${authTokenFile}") + # Login to Attic cache + echo "Logging in to Attic cache at $ATTIC_URL..." >&2 + if ! ${pkgs.attic-client}/bin/attic login "$ATTIC_CACHE" "$ATTIC_URL" "$ATTIC_AUTH_TOKEN"; then + echo "Failed to login to Attic cache, skipping push" >&2 + exit 0 + fi + echo "Successfully logged in to Attic cache" >&2 + # Function to check if a path exists in cache path_in_cache() { local path="$1" @@ -43,8 +52,22 @@ let fi } - # Read paths from stdin (provided by Nix post-build-hook) - while IFS= read -r path; do + # Read paths from OUT_PATHS environment variable (provided by Nix post-build-hook) + echo "Reading paths from OUT_PATHS..." >&2 + echo "DRV_PATH: $DRV_PATH" >&2 + echo "OUT_PATHS: $OUT_PATHS" >&2 + + if [[ -z "$OUT_PATHS" ]]; then + echo "No output paths provided, skipping push" >&2 + exit 0 + fi + + path_count=0 + # Split OUT_PATHS by space and process each path + for path in $OUT_PATHS; do + path_count=$((path_count + 1)) + echo "Processing path #$path_count: $path" >&2 + if [[ -e "$path" ]]; then # Check if already in cache before pushing if ! path_in_cache "$path"; then 
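Review bot: The token is passed to `attic login` as a command-line argument, so other local users can read it from the process list while the call runs, and the added `export ATTIC_AUTH_TOKEN` also puts it in the environment of every child process the hook starts. As far as I know, `attic login` also writes the token into the client configuration of whichever user runs the hook, so on every build a second copy is created outside the sops-managed file. If nothing later in the script reads the variable from the environment, drop the `export` line, and consider doing the login once outside the post-build hook instead of per build. The comment `# Read the auth token from sops if available` no longer matches the code, because the `cat` is unconditional; whether a missing file aborts the hook depends on shell options set outside this hunk.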
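Review bot: `for path in $OUT_PATHS` relies on an unquoted expansion, which splits on whitespace as intended but also applies pathname expansion to each word. Putting `set -f` before the loop keeps the split without the glob step. The added debug lines `echo "DRV_PATH: $DRV_PATH"` and `echo "OUT_PATHS: $OUT_PATHS"` run on every build and would abort the hook under `set -u` if either variable is unset; whether that option is active cannot be seen here, because the script starts outside the hunk. The loop body also continues past the end of the hunk.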
@@ -52,10 +75,12 @@ let else echo "Path $path already in cache, skipping" >&2 fi + else + echo "Path $path does not exist, skipping" >&2 fi done - echo "Attic cache push completed" >&2 + echo "Attic cache push completed (processed $path_count paths)" >&2 ''; in { @@ -63,6 +88,13 @@ in { sopsFile = ./secrets.yaml; }; + # Create netrc file for authenticated cache access + sops.secrets.attic_netrc = { + sopsFile = ./secrets.yaml; + mode = "0440"; + group = "nixbld"; + }; + # Install attic client environment.systemPackages = with pkgs; [ attic-client @@ -73,6 +105,7 @@ in { substituters = [ cacheUrl ]; trusted-public-keys = [ publicKey ]; post-build-hook = atticPushHook; + netrc-file = config.sops.secrets.attic_netrc.path; }; # Create a systemd service for manual cache operations diff --git a/utils/modules/attic-cache/secrets.yaml b/utils/modules/attic-cache/secrets.yaml index 8a41058..12d79e7 100644 --- a/utils/modules/attic-cache/secrets.yaml +++ b/utils/modules/attic-cache/secrets.yaml @@ -1,4 +1,5 @@ attic_auth_token: ENC[AES256_GCM,data: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,iv:X6xSygAtem7ekQruSZirdW/LKwf0kw+/Iq35wAcNyyQ=,tag:gRuPBxM5VeoJHimC6sbSow==,type:str] +attic_netrc: ENC[AES256_GCM,data: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,iv:K5ysCVEvCa0199iu22gANPjq4CRWlYPKq+8jlM5t9e4=,tag:U17SdmXGL+5NbJ4g9MZZEw==,type:str] sops: age: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 
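Review bot: In the `sops.secrets.attic_netrc` block, `group = "nixbld"` with `mode = "0440"` makes the decrypted netrc readable by every build user, so the cache credential is exposed to any build that is not fully sandboxed. `netrc-file` is normally read by the Nix daemon itself when it fetches from substituters, which suggests the group read bit may not be needed. If that holds for this setup, `mode = "0400";` without the `group` line would be tighter. If group access is required, a comment above the block naming the process that needs it would help, for example `# nixbld needs read access because …`. The attribute set around this block starts and ends outside the hunk.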
@@ -28,7 +29,7 @@ sops: UzVENGtNSnZVcDQvR1hDR2oyZDh5KzAKhg+AQNdiJM/RvCdMNLH5er25U+yvcnM2 4Z0rOkkYsT6TerZHLllbm5AAyOLnKUn4PhZFMvKvGhVbc1Xg9t2XDg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-14T20:22:06Z" - mac: ENC[AES256_GCM,data:dt+rZ7GTlooTFhQOxRQvVpqKJksEJC5I5vsjSQ6GWPsi4EewGl2NY2gyjF6bVjYj6DHWuw/Kp79KGzJajmlYtQFdL54ydjaJUz4oMhoKO3xR4TxshW9XYEfOWavlMVqHHZQ6mPR1pyWQkonzwyni9ug8XmOJ0cN2OmZmKwdWzZQ=,iv:6AJocLlXZcNGG3nuXLc+ycfm6OA/oZOUFqFw4OoBetU=,tag:Qpa1RKS1/nqbDiAL5Jrb7w==,type:str] + lastmodified: "2025-10-14T21:33:39Z" + mac: ENC[AES256_GCM,data:uKJe6/T0TGNm466dsF6DVdhCDjhCswGKAmyx/3xcIcce2VmVEOKk/zEpO9KmD5aydHfH/3s88huImIRRCGp6xFwDReRC4zx7kLI8mtjupix984/61aXy2TbOiN80mIVShMleQs09ESU2y0YtvqT771uNgaNa8bGBPQaAqpz0v68=,iv:9hBPQ7Ad8li0bu6Sy+CFGh/SUXo15hL/X3TQaS5B8ZE=,tag:XEK7DPZaNzNNTFA3oPAGBw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0