Staging: let nodes use each other as Nix caches (only inside same site)

cluster/staging/cluster.nix

@@ -72,36 +72,74 @@
   # For Garage ipv6 communication
   networking.firewall.allowedTCPPorts = [ 3991 ];
 
-  ## -----
+  ## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
 
-  ## EXPERIMENTAL ON STAGING: NIX NOMAD JOBS
+  # We're doing lots of experiments so GC periodically is usefull.
-  services.nomad.dropPrivileges = false;
+  nix.gc.automatic = true;
 
-  # ----- nomad-driver-nix & nomad-driver-nix2 -----
+  imports = [
-  services.nomad.extraSettingsPlugins = [
+    ## ---- Nix Nomad jobs using nomad-driver-nix2 ----
-    (import ./nomad-driver-nix2.nix { inherit pkgs; })
+    ({ pkgs, ... }: {
-  ];
+      services.nomad.dropPrivileges = false;
-  services.nomad.extraPackages = [
+      services.nomad.extraSettingsPlugins = [
-    pkgs.nix
+        (import ./nomad-driver-nix2.nix { inherit pkgs; })
-    pkgs.git
+      ];
-  ];
+      services.nomad.extraPackages = [
-  # default config for the nix2 driver
+        pkgs.nix
-  services.nomad.settings.plugin = [
+        pkgs.git
-    {
+      ];
-      "nix2-driver" = [
+      services.nomad.settings.plugin = [
         {
-          config = [
+          "nix2-driver" = [
             {
-              # default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
+              config = [
+                {
+                  default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
+                }
+              ];
             }
           ];
         }
       ];
-    }
+    })
+    ## ---- Nix cache: use our cache on Garage (prod cluster) ----
+    # Use our cache as additionnal substituer (this acts the same way for
+    # our Nix packages than the Docker hub acts for our Docker images)
+    ({ pkgs, ... }: {
+      nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
+      nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
+    })
+    ## ---- Nix mutual cache ----
+    # Let nodes in a same site/zone copy from each other's Nix stores
+    # Note that nodes will only copy from one another packages that are
+    # signed by one of the trusted public keys, i.e. packages comming
+    # from cache.nixos.org and nix.web.deuxfleurs.fr.
+    # This is good as it kind of mitigates supply-chain attacks where
+    # one node's cache would become poisonned, although arguably when
+    # an attacker has gained root access on one node, it can easily
+    # become root on all the others through Nomad. Downsides include
+    # missed opportunities for not rebuilding stuff between machines
+    # (e.g. derivations that are built in the process of doing
+    # nixos-rebuild), and warnings appearing in the logs whenever such
+    # an opportunity was not taken due to missing signatures.
+    ({ pkgs, config, ... }:
+      let substituter_port = 1728;
+      in
+      {
+        services.nix-serve = {
+          enable = true;
+          port = substituter_port;
+          openFirewall = false;
+          bindAddress = config.deuxfleurs.cluster_ip;
+          package = pkgs.haskellPackages.nix-serve-ng;
+        };
+        nix.settings.substituters = map
+            ({ IP, ... }: "http://${IP}:${builtins.toString substituter_port}")
+            (builtins.filter
+              ({ site_name, IP, ...}:
+                (IP != config.deuxfleurs.cluster_ip
+                && site_name == config.deuxfleurs.site_name))
+              config.deuxfleurs.cluster_nodes);
+      })
   ];
-
-  # use our cache as additionnal substituer (we put precompiled packages there,
-  # like we used to do on the docker hub)
-  nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
-  nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
 }