feat: enable always-allow-substitutes on nix config

This mainly prevents servers from building trivial derivations that they can just fetch from the cache (and often include pulling other dependencies as well just for the build). Also sets this on CI to prevent builds of hosts that have not changed.
diogotcorreia · Nov 23, 2024 · cc1a8cf · cc1a8cf
1 parent c284008
commit cc1a8cf
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -82,15 +82,27 @@ jobs:
             extra-platforms = i686-linux aarch64-linux
             substituters = https://nix-cache.diogotc.com/dtc?priority=43 https://cache.nixos.org/
             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U=
+            always-allow-substitutes = true
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
+      # We check if this system actually has anything to be built or if we're just going
+      # to be fetching from cache
+      - name: Check if build needed
+        id: build-needed
+        run: |
+          nix build .#nixosConfigurations.${{ matrix.machine.host }}.config.system.build.toplevel --dry-run 2> dry-run-output
+          echo "needs-build=$(cat dry-run-output | grep 'will be built' &> /dev/null && echo 1 || echo 0)" >> $GITHUB_OUTPUT
+        shell: bash
+
       # We build each system in a separate job, targeting the configuration using matrix.machine.host
       - name: Build system
+        if: steps.build-needed.outputs.needs-build == '1'
         run: |
           nix build .#nixosConfigurations.${{ matrix.machine.host }}.config.system.build.toplevel
 
       # Once built, we login to Attic and push the built system to our cache!
       - name: Push system
+        if: steps.build-needed.outputs.needs-build == '1'
         run: |
           nix run .#attic login phobos https://nix-cache.diogotc.com ${{ secrets.ATTIC_TOKEN }}
           nix run .#attic push dtc result -j 2
@@ -123,6 +135,7 @@ jobs:
             extra-platforms = i686-linux aarch64-linux
             substituters = https://nix-cache.diogotc.com/dtc?priority=43 https://cache.nixos.org/
             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U=
+            always-allow-substitutes = true
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
       # We check if this package actually has anything to be built or if we're just going

diff --git a/modules/system.nix b/modules/system.nix
@@ -24,6 +24,9 @@
 
       # https://jackson.dev/post/nix-reasonable-defaults/
       fallback = true; # skip offline binary-caches (can end up building from source)
+
+      # Use substituters even for trivial derivations
+      always-allow-substitutes = true;
     };
 
     # Lock flake registry to keep it synced with the inputs