staging: remove nix mutual cache
This commit is contained in:
parent
3ff35c5527
commit
6db49e0059
1 changed files with 0 additions and 33 deletions
|
@ -133,38 +133,5 @@
|
|||
nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
|
||||
nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
|
||||
})
|
||||
## ---- Nix mutual cache ----
|
||||
# Let nodes in a same site/zone copy from each other's Nix stores
|
||||
# Note that nodes will only copy from one another packages that are
|
||||
# signed by one of the trusted public keys, i.e. packages comming
|
||||
# from cache.nixos.org and nix.web.deuxfleurs.fr.
|
||||
# This is good as it kind of mitigates supply-chain attacks where
|
||||
# one node's cache would become poisonned, although arguably when
|
||||
# an attacker has gained root access on one node, it can easily
|
||||
# become root on all the others through Nomad. Downsides include
|
||||
# missed opportunities for not rebuilding stuff between machines
|
||||
# (e.g. derivations that are built in the process of doing
|
||||
# nixos-rebuild), and warnings appearing in the logs whenever such
|
||||
# an opportunity was not taken due to missing signatures.
|
||||
({ pkgs, config, ... }:
|
||||
let substituter_port = 1728;
|
||||
in
|
||||
{
|
||||
services.nix-serve = {
|
||||
enable = true;
|
||||
port = substituter_port;
|
||||
openFirewall = false;
|
||||
bindAddress = "0.0.0.0";
|
||||
#package = pkgs.haskellPackages.nix-serve-ng;
|
||||
#package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
|
||||
};
|
||||
nix.settings.substituters = map
|
||||
({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
|
||||
(builtins.attrValues (pkgs.lib.filterAttrs
|
||||
(hostname: { siteName, ...}:
|
||||
(hostname != config.deuxfleurs.hostName
|
||||
&& siteName == config.deuxfleurs.siteName))
|
||||
config.deuxfleurs.clusterNodes));
|
||||
})
|
||||
];
|
||||
}
|
||||