ci: re-enable cache push step (named-volume bind for relative path)

This commit is contained in:
2026-05-18 19:17:21 +00:00
parent abbc16cdc0
commit 202f6389bc
5 changed files with 78 additions and 5 deletions

runner/.gitignore vendored

@@ -1,3 +1,8 @@
.env
data/
result
# Binary cache state + signing keys. The cache.sec must never be
# committed; the public key is regenerated per deployment too
# (`nix-store --generate-binary-cache-key`).
cache/
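Review bot: the comment says the public key is regenerated per deployment, but consumers pin it via `trusted-public-keys` (README step 5), so every regeneration invalidates everything previously signed for them until they update their config; worth saying in the comment that rotating the pair is a consumer-visible change, not a routine redeploy step. Also, `cache/` ignores the whole tree, so a fresh clone has neither `cache/store` nor `cache/keys` until the README steps are run, which matters because compose.yml bind-mounts both.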

View File

@@ -46,7 +46,39 @@ Self-hosted Gitea Actions runner that validates package PRs.
GITEA_RUNNER_LABELS=self-hosted
```
4. **Start the runner**:
4. **Generate the binary-cache signing key** + cache directory. The
workflow's "push to binary cache" step writes here; nginx (or
anything you point at it) serves it back over HTTPS to consumers.
```sh
mkdir -p cache/store
nix-store --generate-binary-cache-key \
cache.cargoxx.<your-domain> \
cache/cache.sec cache/cache.pub
chmod 600 cache/cache.sec
```
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it:
```nginx
# /etc/nginx/sites-available/cargoxx-cache
server {
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
and `trusted-public-keys = <contents of cache.pub>` in their nix
config (bake this into the cargoxx wrapper once ready).
6. **Start the runner**:
```sh
docker compose up -d
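Review bot: the key paths here do not line up with compose.yml: step 4 writes `cache/cache.sec` and `cache/cache.pub` and only creates `cache/store`, while the `cargoxx-cache-keys` volume is bound to `${PWD}/cache/keys`, so the mounted keys directory is either missing (the local driver's `o: bind` needs the host path to exist, so `docker compose up` fails) or empty. Suggest `mkdir -p cache/store cache/keys`, generating into `cache/keys/cache.sec cache/keys/cache.pub` (with the `chmod 600` on that path), and wording step 5 to read the public key from `cache/keys/cache.pub`. The nginx block also has `listen 443 ssl;` without `ssl_certificate` / `ssl_certificate_key`, so nginx will refuse the config as written; add those two directives or a note on where the certificate comes from. Finally, Nix clients fetch `/nix-cache-info` from the substituter root, so whatever the push step uses must write it into `cache/store` (or nginx must serve one), otherwise consumers get the "does not appear to be a binary cache" warning.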

View File

@@ -18,3 +18,24 @@ services:
- ./config.yaml:/config.yaml:ro
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
# archives here. Named volumes (defined below) make the same
# storage reachable from both this runner container AND every
# job container act_runner spawns. nginx (on the host) serves
# ./cache/store over HTTPS for consumers' substituter config.
- cargoxx-cache-store:/srv/cargoxx-cache/store
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
volumes:
cargoxx-cache-store:
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/store"
cargoxx-cache-keys:
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/keys"
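Review bot: `device: "${PWD}/cache/store"` relies on the invoking shell exporting `PWD`; Compose reads interpolation variables from the environment and `.env`, so under systemd, cron or a non-interactive shell `PWD` is unset, Compose only warns, and the volume silently binds `/cache/store`. Prefer a variable that fails loudly when missing, for example `device: "${CARGOXX_RUNNER_DIR:?set CARGOXX_RUNNER_DIR in .env}/cache/store"` (the name is a suggestion), and the same for the keys volume. Two more things: with `type: none` / `o: bind` the host directories must already exist, and the README currently only creates `cache/store`, not `cache/keys`; and the device path is fixed when the named volume is first created, so an existing volume keeps the directory it was created with until it is removed and recreated.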

View File

@@ -18,7 +18,12 @@ cache:
container:
network: bridge
privileged: false
options: ""
# Bind the binary cache into every job container by referencing the
# named volumes defined in compose.yml — those, in turn, are bound
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
# deployment-relative, not absolute.
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
workdir_parent: /workspace
valid_volumes: []
docker_host: "unix:///var/run/docker.sock"
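Review bot: mounting `cargoxx-cache-keys` into every job container puts the cache signing key (`cache.sec`) inside containers that run code from the PRs this runner validates, and gives those jobs write access to the store, so any PR can read the key and push or overwrite signed NARs; that defeats the point of signing. Suggest keeping the key (and the push step) out of PR job containers: mount only the store, read-only, for validation jobs, and do the signing and push from a trusted job that runs only for merged or protected-branch refs (or from the runner container itself). Two smaller points: the comment says the volumes bind `./cache/{store,cache.sec}`, but compose.yml binds `cache/store` and `cache/keys`; and please confirm these `-v` options survive `valid_volumes: []`, since act_runner checks bind sources in container options against that list and, with an empty list, drops the binds rather than mounting them. If that is the case, `valid_volumes` needs `cargoxx-cache-store` and `cargoxx-cache-keys`.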