diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 3f7c941..78081d5 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -133,38 +133,5 @@
nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
})
- ## ---- Nix mutual cache ----
- # Let nodes in a same site/zone copy from each other's Nix stores
- # Note that nodes will only copy from one another packages that are
- # signed by one of the trusted public keys, i.e. packages comming
- # from cache.nixos.org and nix.web.deuxfleurs.fr.
- # This is good as it kind of mitigates supply-chain attacks where
- # one node's cache would become poisonned, although arguably when
- # an attacker has gained root access on one node, it can easily
- # become root on all the others through Nomad. Downsides include
- # missed opportunities for not rebuilding stuff between machines
- # (e.g. derivations that are built in the process of doing
- # nixos-rebuild), and warnings appearing in the logs whenever such
- # an opportunity was not taken due to missing signatures.
- ({ pkgs, config, ... }:
- let substituter_port = 1728;
- in
- {
- services.nix-serve = {
- enable = true;
- port = substituter_port;
- openFirewall = false;
- bindAddress = "0.0.0.0";
- #package = pkgs.haskellPackages.nix-serve-ng;
- #package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
- };
- nix.settings.substituters = map
- ({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
- (builtins.attrValues (pkgs.lib.filterAttrs
- (hostname: { siteName, ...}:
- (hostname != config.deuxfleurs.hostName
- && siteName == config.deuxfleurs.siteName))
- config.deuxfleurs.clusterNodes));
- })
];
}