ci: re-enable cache push step (named-volume bind for relative path)
@@ -46,7 +46,39 @@ Self-hosted Gitea Actions runner that validates package PRs.
GITEA_RUNNER_LABELS=self-hosted
```
4. **Start the runner**:
4. **Generate the binary-cache signing key** + cache directory. The
workflow's "push to binary cache" step writes here; nginx (or
anything you point at it) serves it back over HTTPS to consumers.
```sh
mkdir -p cache/store
nix-store --generate-binary-cache-key \
cache.cargoxx.<your-domain> \
cache/cache.sec cache/cache.pub
chmod 600 cache/cache.sec
```
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it:
```nginx
# /etc/nginx/sites-available/cargoxx-cache
server {
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
and `trusted-public-keys = <contents of cache.pub>` in their nix
config (bake this into the cargoxx wrapper once ready).
6. **Start the runner**:
```sh
docker compose up -d
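Review bot: the new step 4 puts `cache.sec` in the same `cache/` directory that the `${PWD}/cache/...` volume binds mount into the runner, and the hunk's context line describes that runner as one that validates package PRs, so the section should say which events the "push to binary cache" step runs on (trusted refs after merge, not workflows triggered by untrusted PRs), or mount only `cache/store` and `cache.pub` into jobs that do not push; otherwise anything the runner executes can read the signing key that consumers are told to place in `trusted-public-keys`. Separately, the nginx example in step 5 declares `listen 443 ssl;` without `ssl_certificate` / `ssl_certificate_key`, so `nginx -t` rejects the file as written; add those two directives or note that they come from an included snippet. Using `cache/store` rather than `cache/` as `root` is correct, since it keeps both key files outside the document root; a short comment saying so would stop a later edit from widening it.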