diff --git a/common/binary-cache-server.nix b/common/binary-cache-server.nix
index 52d83cd..02c9d59 100644
--- a/common/binary-cache-server.nix
+++ b/common/binary-cache-server.nix
@@ -1,53 +1,39 @@
 { config, pkgs, lib, ... }: {
- # Binary cache server using nix-serve
- # Serves built packages to other hosts in the cluster for faster rebuilds
+ # Binary cache proxy using ncps (Nix Cache Proxy Server)
+ # Transparently caches packages from cache.nixos.org for faster LAN access
+ #
+ # How it works:
+ # - Acts as HTTP proxy for cache.nixos.org
+ # - Caches packages on first request
+ # - Subsequent requests served from local disk (LAN speed)
+ # - No signing needed (packages already signed by upstream)
+ # - Automatic fallback to cache.nixos.org if this host is down
 #
 # Setup:
- # 1. Deploy this host first
- # 2. SSH in and get public key: cat /persist/nix-cache/cache-pub-key.txt
- # 3. Add that key to common/global/nix.nix in trusted-public-keys
- # 4. Deploy all other hosts to pick up the cache
+ # 1. Deploy this host
+ # 2. Deploy all other hosts (they're already configured to use this)
+ # 3. Cache warms up automatically on first use
 
- # Ensure cache directory is persisted
- environment.persistence."/persist".directories = [
- { directory = "/var/nix-cache"; user = "nix-serve"; group = "nix-serve"; mode = "0755"; }
- ];
-
- # Auto-generate cache keys on first boot
- systemd.services.nix-cache-key-init = {
- description = "Generate binary cache keys if missing";
- wantedBy = [ "multi-user.target" ];
- before = [ "nix-serve.service" ];
- path = [ pkgs.nix ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- CACHE_DIR="/persist/nix-cache"
- mkdir -p "$CACHE_DIR"
-
- if [ ! -f "$CACHE_DIR/cache-priv-key.pem" ]; then
- echo "Generating binary cache key pair..."
- nix-store --generate-binary-cache-key ${config.networking.hostName}-cache "$CACHE_DIR/cache-priv-key.pem" "$CACHE_DIR/cache-pub-key.txt"
- chmod 600 "$CACHE_DIR/cache-priv-key.pem"
- chmod 644 "$CACHE_DIR/cache-pub-key.txt"
- echo "Binary cache keys generated at $CACHE_DIR"
- echo "Public key:"
- cat "$CACHE_DIR/cache-pub-key.txt"
- fi
- '';
- };
-
- # Enable nix-serve
- services.nix-serve = {
+ services.ncps = {
 enable = true;
- secretKeyFile = "/persist/nix-cache/cache-priv-key.pem";
- bindAddress = "0.0.0.0";
- port = 5000;
+ cache = {
+ hostName = config.networking.hostName;
+ dataPath = "/persist/ncps/data";
+ tempPath = "/persist/ncps/tmp";
+ databaseURL = "sqlite:/persist/ncps/db/db.sqlite";
+ maxSize = "300G"; # Adjust based on available disk space
+ lru.schedule = "0 3 * * *"; # Clean up daily at 3 AM if over maxSize
+ };
+ server.addr = "0.0.0.0:8501";
+ upstream = {
+ caches = [ "https://cache.nixos.org" ];
+ publicKeys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ };
 };
 
 # Open firewall for LAN access
- networking.firewall.allowedTCPPorts = [ 5000 ];
+ networking.firewall.allowedTCPPorts = [ 8501 ];
 }
diff --git a/common/global/nix.nix b/common/global/nix.nix
index 730f393..46aa57f 100644
--- a/common/global/nix.nix
+++ b/common/global/nix.nix
@@ -6,15 +6,14 @@
 ];
 
 # Binary cache configuration
+ # c3 runs ncps (Nix Cache Proxy Server) that caches cache.nixos.org
+ # Falls back to cache.nixos.org if c3 is unreachable
 substituters = [
- "http://c3:5000" # Local cluster cache on c3
+ "http://c3:8501" # Local ncps cache proxy on c3
 "https://cache.nixos.org"
 ];
 trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- # TODO: Add c3 cache public key here after first deploy of c3
- # Get it with: ssh c3 cat /persist/nix-cache/cache-pub-key.txt
- # "c3-cache:..."
 ];
 
 # Performance tuning
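Review bot: `networking.firewall.allowedTCPPorts = [ 8501 ];` combined with `server.addr = "0.0.0.0:8501";` exposes the proxy, which has no authentication configured here, on every interface of the host, while the comment directly above says the intent is LAN access; if the host has any non-LAN interface, scoping the rule as `networking.firewall.interfaces.<LAN_IFACE>.allowedTCPPorts = [ 8501 ];` (interface name to be filled in) matches the stated intent. The new header comment asserts "No signing needed", but the `cache.hostName` option suggests ncps carries a host-specific signing identity; if ncps signs narinfo with its own key instead of passing through the upstream signature, clients whose `trusted-public-keys` list only `cache.nixos.org-1` (common/global/nix.nix in this same commit) will reject its responses, so this is worth confirming against the ncps documentation before relying on the comment. The removed revision persisted the cache directory with an explicit owner and mode, whereas nothing visible here creates `/persist/ncps/data`, `/persist/ncps/tmp` or `/persist/ncps/db` with ownership the ncps service can write to — TODO confirm the module handles this, or add a `systemd.tmpfiles` rule.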
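Review bot: The added comment `# Falls back to cache.nixos.org if c3 is unreachable` only holds once Nix has given up on `http://c3:8501`, and with the default `connect-timeout` (0, no limit) an unreachable c3 that drops packets rather than refusing connections can stall each substituter query for over a minute before the fallback is tried; consider adding `connect-timeout = 5;` to the same settings block so a down c3 degrades quickly, and extending the comment with `# connect-timeout keeps a down c3 from stalling every query`. The enclosing attribute set starts outside the hunk.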