test building optimized packages

2025-02-11 11:46:39 +01:00
parent 72b94b1d4b
commit a020611d49
7 changed files with 45 additions and 3 deletions
--- a/home-manager/firefox/config/privacy.nix
+++ b/home-manager/firefox/config/privacy.nix
@@ -57,14 +57,14 @@
  # Load the pages displayed on the new tab page in a private container when
  # creating thumbnails.
  "privacy.usercontext.about_newtab_segregation.enabled" = true;
-  # Disable WebGL
+  # Disable WebGL (override: enabled, to make those websites work.)
  # Disables the WebGL function, to prevent (ab)use the full power of the graphics
  # card (http://www.uniquemachine.org/">fingerprinting with WebGL</a>. Another
  # issue is, that websites can <a
  # href="https://isc.sans.edu/forums/diary/Time+to+disable+WebGL/10867). WebGL is
  # part of some fingerprinting scripts used in the wild. Some interactive websites
  # will not work, which are mostly games.
-  "webgl.disabled" = true;
+  "webgl.disabled" = false;
  # Override graphics card vendor and model strings in the WebGL API
  # Websites can read the graphics card vendor and model using a WebGL API. This
  # setting overrides both with " " without disabling WebGL.
--- a/modules/nix/settings.nix
+++ b/modules/nix/settings.nix
@@ -1,6 +1,8 @@
 { lib, inputs, config, pkgsVersion, ... }:
 with lib;
-let cfg = config.custom.nix.settings;
+let
+  cfg = config.custom.nix.settings;
+  cache = "https://cache.nixos.org";
 in {
  options.custom.nix.settings = {
    enable = mkEnableOption "Enables various nix settings";
@@ -18,6 +20,11 @@ in {
    nix = {
      optimise.automatic = cfg.optimise;
      settings.experimental-features = [ "nix-command" "flakes" ];
+      settings.substituters =
+        lib.mkIf (config.networking.hostName == "kop-pc")
+        [ "http://192.168.0.20:5000" ];
+      settings.trusted-public-keys =
+        [ "amd-server:r5S7vv/3sZ0knhMvpUzRHXFlBHgov2tLhtoKqLXYf28=" ];
      registry.nixpkgs.flake = pkgsVersion;
      gc = {
        automatic = true;
--- a/modules/services/nix-cache.nix
+++ b/modules/services/nix-cache.nix
@@ -0,0 +1,18 @@
+{ config, ... }: {
+
+  age.secrets.binary-cache = {
+    file = ../../secrets/binary-cache.age;
+  };
+  nix.sshServe = {
+    enable = true;
+    keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2 kopatz"
+    ];
+  };
+  services.nix-serve = {
+    enable = true;
+    openFirewall = true;
+    port = 5000;
+    secretKeyFile = config.age.secrets.binary-cache.path;
+  };
+}
--- a/secrets/binary-cache.age
+++ b/secrets/binary-cache.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 DCzi1A LrkyZ8axOcdIB+uaATOmn785EzMzTvhujhcSxmBx8kE
+E57IVdAOTIt1TWeyBYsHembim1YPKRxJYDQTNiPhIGI
+-> ssh-ed25519 lNJElA Y1jcFIXsCN0/s6xiLCLhQQhrc0N5Acpmv5K9xIYu42k
+WrhmfkCpLL4e+QhFwFICeH5BZDUQOOk4WyFoYnGbcVU
+--- LIVAI67ZG/+WLYki2A3HEmf6HMaLMZiAiDhgQYoWxdA
+>”cÛìTª{cR~‡©±‚\þ<>Üß<C39F>.ûík;$9m…–Ì-s7²÷>éZ ]žÛ<C5BE>êIŸ62‘æãÞÀÌ	§Š¿—ÑñBÔ±ï~0.-—0}¾j¸ú÷˜×ÝŠ0æ<30>J£eIa……œHë(òÚÑw˜ÆªjG4ÿ>FM.tÙó	b®SÃ†
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,4 +35,5 @@ in
  "plausible-keybase.age".publicKeys = [ adam-site kop ];
  "adminarea.age".publicKeys = [ adam-site kop ];
  "radicale.age".publicKeys = [ mini-pc mini-pc-proxmox kop ];
+  "binary-cache.age".publicKeys = [ kop amd-server ];
 }
--- a/systems/amd-server/configuration.nix
+++ b/systems/amd-server/configuration.nix
@@ -9,6 +9,7 @@
    ./hardware-configuration.nix
    ../../modules/kernel.nix
    ../../modules/services/ssh.nix
+    ../../modules/services/nix-cache.nix
  ];

  custom = {
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
@@ -134,6 +134,14 @@
    #}
  ];

+  # https://github.com/NixOS/nixpkgs/blob/master/lib/systems/architectures.nix
+  nix.settings.system-features = ["znver3" "gccarch-znver3" ];
+  nixpkgs.hostPlatform = {
+    gcc.arch = "znver3";
+    gcc.tune = "znver3";
+    system = "x86_64-linux";
+  };
+
  # fix index
  services.xserver.extraConfig = ''
    Section "Monitor"