feat(ops/modules): configure builderball cache setup

Configures an experimental setup for a builderball-based public cache. This cache only includes the two build machines (whitby & nevsky), for the time period where both of them exist simultaneously. The idea is this: All participating hosts run a harmonia binary cache locally (whitby already does). They then run builderball instances pointing at each other's harmonia caches (through dedicated public hostnames). When a request comes in, the first matching cache address is returned and Nix will substitute from there. Change-Id: Ia7d5357fd5e04f77b460205544fa24e82b100230 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12975 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
2025-01-12 16:44:11 +03:00 · 2025-01-12 16:44:11 +03:00 · c948a26d7d
commit c948a26d7d
parent 6733b26ba5
9 changed files with 214 additions and 11 deletions
--- a/ops/machines/nevsky/default.nix
+++ b/ops/machines/nevsky/default.nix
@ -6,8 +6,13 @@ let
 in
 {
  imports = [
+    (mod "builderball.nix")
+    (mod "harmonia.nix")
    (mod "known-hosts.nix")
    (mod "tvl-users.nix")
+    (mod "www/cache.tvl.fyi.nix")
+    (mod "www/self-cache.tvl.fyi.nix")
+    (mod "www/self-redirect.nix")
    (depot.third_party.agenix.src + "/modules/age.nix")
  ];

@ -85,9 +90,25 @@ in
    };
  };

-  age.secrets = {
-    wg-privkey.file = depot.ops.secrets."wg-nevsky.age";
-  };
+  age.secrets =
+    let
+      secretFile = name: depot.ops.secrets."${name}.age";
+    in
+    {
+      wg-privkey.file = depot.ops.secrets."wg-nevsky.age";
+
+      nix-cache-priv = {
+        file = secretFile "nix-cache-priv";
+        mode = "0440";
+        group = "harmonia";
+      };
+
+      # Not actually a secret
+      nix-cache-pub = {
+        file = secretFile "nix-cache-pub";
+        mode = "0444";
+      };
+    };

  networking = {
    hostName = "nevsky";
@ -175,12 +196,22 @@ in
    useRoutingFeatures = "both";
  };

-  security.sudo.extraRules = [
-    {
-      groups = [ "wheel" ];
-      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
-    }
-  ];
+  # Run a Harmonia binary cache.
+  #
+  # TODO(tazjin): switch to upstream module after fix for Nix 2.3
+  services.depot.harmonia = {
+    enable = true;
+    signKeyPaths = [ (config.age.secretsDir + "/nix-cache-priv") ];
+    settings.bind = "127.0.0.1:6443";
+    settings.priority = 50;
+  };
+
+  services.depot.builderball.enable = true;
+
+  security.sudo.extraRules = [{
+    groups = [ "wheel" ];
+    commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+  }];

  zramSwap.enable = true;

--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@ -10,6 +10,7 @@ in
 {
  imports = [
    (mod "atward.nix")
+    (mod "builderball.nix")
    (mod "cgit.nix")
    (mod "cheddar.nix")
    (mod "clbot.nix")
@ -33,11 +34,13 @@ in
    (mod "www/atward.tvl.fyi.nix")
    (mod "www/auth.tvl.fyi.nix")
    (mod "www/b.tvl.fyi.nix")
+    (mod "www/cache.tvl.fyi.nix")
    (mod "www/cache.tvl.su.nix")
    (mod "www/cl.tvl.fyi.nix")
    (mod "www/code.tvl.fyi.nix")
    (mod "www/cs.tvl.fyi.nix")
    (mod "www/deploys.tvl.fyi.nix")
+    (mod "www/self-cache.tvl.fyi.nix")
    (mod "www/self-redirect.nix")
    (mod "www/signup.tvl.fyi.nix")
    (mod "www/static.tvl.fyi.nix")
@ -386,6 +389,9 @@ in
    # Run a livegrep code search instance
    livegrep.enable = true;

+    # Run Nix cache proxy
+    builderball.enable = true;
+
    # Run the Panettone issue tracker
    panettone = {
      enable = true;