aboutsummaryrefslogtreecommitdiff
path: root/cluster
diff options
context:
space:
mode:
Diffstat (limited to 'cluster')
-rw-r--r--cluster/staging/cluster.nix33
1 files changed, 0 insertions, 33 deletions
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 3f7c941..78081d5 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -133,38 +133,5 @@
nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
})
- ## ---- Nix mutual cache ----
- # Let nodes in a same site/zone copy from each other's Nix stores
- # Note that nodes will only copy from one another packages that are
- # signed by one of the trusted public keys, i.e. packages comming
- # from cache.nixos.org and nix.web.deuxfleurs.fr.
- # This is good as it kind of mitigates supply-chain attacks where
- # one node's cache would become poisonned, although arguably when
- # an attacker has gained root access on one node, it can easily
- # become root on all the others through Nomad. Downsides include
- # missed opportunities for not rebuilding stuff between machines
- # (e.g. derivations that are built in the process of doing
- # nixos-rebuild), and warnings appearing in the logs whenever such
- # an opportunity was not taken due to missing signatures.
- ({ pkgs, config, ... }:
- let substituter_port = 1728;
- in
- {
- services.nix-serve = {
- enable = true;
- port = substituter_port;
- openFirewall = false;
- bindAddress = "0.0.0.0";
- #package = pkgs.haskellPackages.nix-serve-ng;
- #package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
- };
- nix.settings.substituters = map
- ({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
- (builtins.attrValues (pkgs.lib.filterAttrs
- (hostname: { siteName, ...}:
- (hostname != config.deuxfleurs.hostName
- && siteName == config.deuxfleurs.siteName))
- config.deuxfleurs.clusterNodes));
- })
];
}