Define a Nix Binary Caching Strategy

[vonjackets]

Description

To improve build times and efficiency in CI/CD, we need to define a Nix binary caching strategy. This will involve provisioning a dedicated machine to serve as a Nix binary cache, allowing us to avoid redundant builds and speed up deployments.

Tasks

• Evaluate Caching Options:
  • Use a remote NixOS machine with SSH - This is already mostly implemented aside from I/CaC.
  • Set up an S3-compatible binary cache using garage or minio
• Provision a NixOS Machine for Caching:
  • Select a cloud or on-premise host for running the cache
  • Configure nix-serve or nix-store-gcs for efficient cache distribution
  • Ensure authentication and access control via nix-store --sign
• CI/CD Integration:
  • Modify GitLab CI/CD pipelines to push built artifacts to the cache
  • Configure developers' local environments to pull from the cache
• Security Considerations:
  • Use signed builds to prevent cache poisoning
  • Restrict cache access with authentication
  • Regularly prune unused artifacts to manage storage efficiently

Acceptance Criteria

• A working Nix cache is deployed and accessible by CI/CD and local developers
• CI/CD pipelines are modified to push built artifacts to the cache
• A clear process for managing and securing cached artifacts is documented