Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ada9db79424e1d9244e80e6b90afe62de01c40cd
nixos/utils/modules/attic-cache/default.nix
Dominik Polakovics 67906cbf16 fix: attic cache
2025-10-15 10:09:26 +02:00

121 lines
3.4 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cacheUrl = "https://attic.cloonar.com";
cacheName = "cloonar-nixos";
publicKey = "cloonar-nixos:u0S8Q3CShMkXeBk/eo8iooqrcSBTwNGBxQDS9HfkseE=";
authTokenFile = config.sops.secrets.attic_auth_token.path;
# Post-build hook script that pushes to Attic
atticPushHook = pkgs.writeShellScript "attic-push-hook" ''
#!${pkgs.bash}/bin/bash
set -euo pipefail
# Load configuration from sops secrets at runtime
ATTIC_CACHE="${cacheName}"
ATTIC_URL="${cacheUrl}"
# Check if we have the required configuration
if [[ -z "$ATTIC_CACHE" ]] || [[ -z "$ATTIC_URL" ]]; then
echo "Attic cache not configured, skipping push" >&2
exit 0
fi
# Read the auth token from sops if available
export ATTIC_AUTH_TOKEN
ATTIC_AUTH_TOKEN=$(cat "${authTokenFile}")
# Login to Attic cache
echo "Logging in to Attic cache at $ATTIC_URL..." >&2
if ! ${pkgs.attic-client}/bin/attic login "$ATTIC_CACHE" "$ATTIC_URL" "$ATTIC_AUTH_TOKEN"; then
echo "Failed to login to Attic cache, skipping push" >&2
exit 0
fi
echo "Successfully logged in to Attic cache" >&2
# Function to check if a path exists in cache
path_in_cache() {
local path="$1"
${pkgs.attic-client}/bin/attic cache info "$ATTIC_CACHE" "$path" &>/dev/null
}
# Function to push a path to cache
push_to_cache() {
local path="$1"
echo "Pushing $path to Attic cache..." >&2
if ${pkgs.attic-client}/bin/attic push "$ATTIC_CACHE" "$path"; then
echo "Successfully pushed $path" >&2
else
echo "Failed to push $path (non-fatal)" >&2
fi
}
# Read paths from OUT_PATHS environment variable (provided by Nix post-build-hook)
echo "Reading paths from OUT_PATHS..." >&2
echo "DRV_PATH: $DRV_PATH" >&2
echo "OUT_PATHS: $OUT_PATHS" >&2
if [[ -z "$OUT_PATHS" ]]; then
echo "No output paths provided, skipping push" >&2
exit 0
fi
path_count=0
# Split OUT_PATHS by space and process each path
for path in $OUT_PATHS; do
path_count=$((path_count + 1))
echo "Processing path #$path_count: $path" >&2
if [[ -e "$path" ]]; then
# Check if already in cache before pushing
if ! path_in_cache "$path"; then
push_to_cache "$path"
else
echo "Path $path already in cache, skipping" >&2
fi
else
echo "Path $path does not exist, skipping" >&2
fi
done
echo "Attic cache push completed (processed $path_count paths)" >&2
'';
in {
sops.secrets.attic_auth_token = {
sopsFile = ./secrets.yaml;
};
# Create netrc file for authenticated cache access
sops.secrets.attic_netrc = {
sopsFile = ./secrets.yaml;
mode = "0440";
group = "nixbld";
};
# Install attic client
environment.systemPackages = with pkgs; [
attic-client
];
# Configure Nix settings
nix.settings = {
substituters = [ cacheUrl ];
trusted-public-keys = [ publicKey ];
post-build-hook = atticPushHook;
netrc-file = config.sops.secrets.attic_netrc.path;
};
# Create a systemd service for manual cache operations
systemd.services.attic-push-closure = {
description = "Push a closure to Attic cache";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.attic-client}/bin/attic push ${cacheName} $CLOSURE_PATH'";
EnvironmentFile = authTokenFile;
};
};
}
Reference in New Issue View Git Blame Copy Permalink