Switch to ncps.

common/binary-cache-server.nix

@@ -1,53 +1,39 @@
 { config, pkgs, lib, ... }:
 {
-  # Binary cache server using nix-serve
+  # Binary cache proxy using ncps (Nix Cache Proxy Server)
-  # Serves built packages to other hosts in the cluster for faster rebuilds
+  # Transparently caches packages from cache.nixos.org for faster LAN access
+  #
+  # How it works:
+  # - Acts as HTTP proxy for cache.nixos.org
+  # - Caches packages on first request
+  # - Subsequent requests served from local disk (LAN speed)
+  # - No signing needed (packages already signed by upstream)
+  # - Automatic fallback to cache.nixos.org if this host is down
   #
   # Setup:
-  # 1. Deploy this host first
+  # 1. Deploy this host
-  # 2. SSH in and get public key: cat /persist/nix-cache/cache-pub-key.txt
+  # 2. Deploy all other hosts (they're already configured to use this)
-  # 3. Add that key to common/global/nix.nix in trusted-public-keys
+  # 3. Cache warms up automatically on first use
-  # 4. Deploy all other hosts to pick up the cache
 
-  # Ensure cache directory is persisted
+  services.ncps = {
-  environment.persistence."/persist".directories = [
-    { directory = "/var/nix-cache"; user = "nix-serve"; group = "nix-serve"; mode = "0755"; }
-  ];
-
-  # Auto-generate cache keys on first boot
-  systemd.services.nix-cache-key-init = {
-    description = "Generate binary cache keys if missing";
-    wantedBy = [ "multi-user.target" ];
-    before = [ "nix-serve.service" ];
-    path = [ pkgs.nix ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      CACHE_DIR="/persist/nix-cache"
-      mkdir -p "$CACHE_DIR"
-
-      if [ ! -f "$CACHE_DIR/cache-priv-key.pem" ]; then
-        echo "Generating binary cache key pair..."
-        nix-store --generate-binary-cache-key ${config.networking.hostName}-cache "$CACHE_DIR/cache-priv-key.pem" "$CACHE_DIR/cache-pub-key.txt"
-        chmod 600 "$CACHE_DIR/cache-priv-key.pem"
-        chmod 644 "$CACHE_DIR/cache-pub-key.txt"
-        echo "Binary cache keys generated at $CACHE_DIR"
-        echo "Public key:"
-        cat "$CACHE_DIR/cache-pub-key.txt"
-      fi
-    '';
-  };
-
-  # Enable nix-serve
-  services.nix-serve = {
     enable = true;
-    secretKeyFile = "/persist/nix-cache/cache-priv-key.pem";
+    cache = {
-    bindAddress = "0.0.0.0";
+      hostName = config.networking.hostName;
-    port = 5000;
+      dataPath = "/persist/ncps/data";
+      tempPath = "/persist/ncps/tmp";
+      databaseURL = "sqlite:/persist/ncps/db/db.sqlite";
+      maxSize = "300G";  # Adjust based on available disk space
+      lru.schedule = "0 3 * * *";  # Clean up daily at 3 AM if over maxSize
+    };
+    server.addr = "0.0.0.0:8501";
+    upstream = {
+      caches = [ "https://cache.nixos.org" ];
+      publicKeys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      ];
+    };
   };
 
   # Open firewall for LAN access
-  networking.firewall.allowedTCPPorts = [ 5000 ];
+  networking.firewall.allowedTCPPorts = [ 8501 ];
 }

common/global/nix.nix

@@ -6,15 +6,14 @@
     ];
 
     # Binary cache configuration
+    # c3 runs ncps (Nix Cache Proxy Server) that caches cache.nixos.org
+    # Falls back to cache.nixos.org if c3 is unreachable
     substituters = [
-      "http://c3:5000"  # Local cluster cache on c3
+      "http://c3:8501"  # Local ncps cache proxy on c3
       "https://cache.nixos.org"
     ];
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      # TODO: Add c3 cache public key here after first deploy of c3
-      # Get it with: ssh c3 cat /persist/nix-cache/cache-pub-key.txt
-      # "c3-cache:..."
     ];
 
     # Performance tuning