mirror: add Nix binary cache mirroring support

Add support for a Nix binary cache mirroring infrastructure for
enterprise environments to reduce latencies and public bandwidth
consumption for CIs. This dramatically reduces NixOS package download
times from hundreds of packages to local cache hits.

Key features:
- nginx-based proxy caching for Nix binary cache
- Automatic mirror detection for client-side configuration
- systemd service and timer for cache synchronization
- Integration with existing defconfig-mirror infrastructure
- Client auto-configuration when local mirrors are available

Components:
- playbooks/roles/nix-cache-mirror/: Complete Ansible role
- scripts/check_nix_mirror.sh: Mirror detection and URL discovery
- kconfigs/Kconfig.mirror: Mirror configuration options
- Integration with defconfig-mirror for one-time setup

The mirror setup follows existing kdevops mirror patterns and
integrates with the git mirror infrastructure already in place.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <[email protected]>

Author: mcgrof

defconfigs/mirror

@@ -2,3 +2,4 @@ CONFIG_SKIP_BRINGUP=y
 CONFIG_WORKFLOWS=n
 CONFIG_INSTALL_LOCAL_LINUX_MIRROR=y
 CONFIG_LINUX_MIRROR_NFS=y
+CONFIG_INSTALL_NIX_CACHE_MIRROR=y

kconfigs/Kconfig.mirror

@@ -379,15 +379,15 @@ choice
 config MIRROR_STABLE_RC_HTTPS
 	bool "HTTPS (kernel.org)"
 	help
-	  If you enable this option then the mirror will use HTTPS to access 
+	  If you enable this option then the mirror will use HTTPS to access
 	  the linux-stable-rc repository on git.kernel.org. The full URL is:
 
 	  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git"
 
 config MIRROR_STABLE_RC_HTTPS_GOOGLE
 	bool "HTTPS (Google)"
 	help
-	  If you enable this option then the mirror will use HTTPS to access 
+	  If you enable this option then the mirror will use HTTPS to access
 	  the linux-stable-rc repository on kernel.googlesource.com The full
 	  URL is:
 
@@ -676,5 +676,69 @@ config MIRROR_MMTESTS_URL
 	string
 	default DEFAULT_MMTESTS_GITHUB_HTTPS_URL if MIRROR_MMTESTS_HTTPS_GITHUB
 
+config INSTALL_NIX_CACHE_MIRROR
+	bool "Install Nix binary cache mirror"
+	output yaml
+	depends on INSTALL_LOCAL_LINUX_MIRROR
+	help
+	  Enable this to set up a local Nix binary cache mirror for all guests.
+	  This will significantly speed up NixOS VM builds by caching downloaded
+	  packages locally.
+
+	  When enabled, this creates:
+	  - A local Nix binary cache at /mirror/nix-cache/
+	  - An nginx-based cache server on port 8080
+	  - Automatic synchronization from cache.nixos.org
+
+	  This saves bandwidth and speeds up NixOS builds dramatically as the
+	  initial build requires downloading ~679 packages (685MB).
+
+	  The cache will be available to all VMs and systems in your network
+	  at: http://mirror-host:8080/
+
+choice
+	prompt "Nix cache mirror source"
+	default MIRROR_NIX_CACHE_NIXOS_ORG
+	depends on INSTALL_NIX_CACHE_MIRROR
+
+config MIRROR_NIX_CACHE_NIXOS_ORG
+	bool "cache.nixos.org (official)"
+	help
+	  Use the official Nix binary cache at cache.nixos.org as the upstream
+	  source for the mirror.
+
+config MIRROR_NIX_CACHE_NIXOS_ORG_FALLBACK
+	bool "cache.nixos.org with fastly CDN fallback"
+	help
+	  Use cache.nixos.org with additional fastly CDN endpoints as fallbacks
+	  for better reliability and performance.
+
+endchoice
+
+config MIRROR_NIX_CACHE_UPSTREAM_URL
+	string
+	output yaml
+	default "https://cache.nixos.org" if MIRROR_NIX_CACHE_NIXOS_ORG
+	default "https://cache.nixos.org https://nixos.cachix.org" if MIRROR_NIX_CACHE_NIXOS_ORG_FALLBACK
+
+config NIX_CACHE_MIRROR_PORT
+	int "Nix cache mirror nginx port"
+	output yaml
+	default 8080
+	depends on INSTALL_NIX_CACHE_MIRROR
+	help
+	  The port for the local nginx server that will serve the Nix binary cache.
+	  Default is 8080. Ensure this port is available and not blocked by firewall.
+
+config NIX_CACHE_MIRROR_PATH
+	string "Nix cache mirror storage path"
+	output yaml
+	default "/mirror/nix-cache"
+	depends on INSTALL_NIX_CACHE_MIRROR
+	help
+	  Local filesystem path where the Nix binary cache will be stored.
+	  This should be on a filesystem with sufficient space as the cache
+	  can grow to several GB over time.
+
 endif # ENABLE_LOCAL_LINUX_MIRROR
 endif # TERRAFORM

kconfigs/Kconfig.nixos

@@ -91,6 +91,31 @@ config NIXOS_SSH_PORT
 	help
 	  SSH port to use for connecting to NixOS VMs.
 
+config NIXOS_USE_LOCAL_MIRROR
+	bool "Use local Nix binary cache mirror"
+	output yaml
+	default $(shell, scripts/check_nix_mirror.sh USE_NIX_CACHE_MIRROR)
+	help
+	  Enable this to use a local Nix binary cache mirror if available.
+	  This dramatically speeds up NixOS builds by avoiding repeated
+	  downloads of packages from cache.nixos.org.
+
+	  When enabled, kdevops will automatically detect and configure
+	  VMs to use the local mirror if available at /mirror/nix-cache
+	  or via HTTP on port 8080.
+
+	  This requires that you have set up a mirror server using the
+	  defconfig-mirror configuration.
+
+config NIXOS_MIRROR_URL
+	string "Nix binary cache mirror URL"
+	output yaml
+	default ""
+	depends on NIXOS_USE_LOCAL_MIRROR
+	help
+	  The URL of the local Nix binary cache mirror. This will be
+	  automatically detected at runtime when available.
+
 config NIXOS_DEBUG_MODE
 	bool "Enable debug mode for NixOS provisioning"
 	default n

playbooks/linux-mirror.yml

@@ -1,5 +1,18 @@
 ---
 - name: Install Git mirrors using systemd.timer
   hosts: localhost
+  pre_tasks:
+    - name: Check if Nix mirror directory exists
+      ansible.builtin.stat:
+        path: /mirror/nix-cache
+      register: nix_mirror_dir_check
+      when: install_nix_cache_mirror | default(false) | bool
+
+    - name: Set nix mirror available fact
+      ansible.builtin.set_fact:
+        nix_mirror_available: "{{ install_nix_cache_mirror | default(false) | bool and nix_mirror_dir_check.stat.exists | default(false) }}"
+
   roles:
     - role: linux-mirror
+    - role: nix-cache-mirror
+      when: nix_mirror_available | default(false) | bool

playbooks/roles/nix-cache-mirror/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# Default variables for nix-cache-mirror role
+nix_cache_mirror_path: "/mirror/nix-cache"
+nix_cache_mirror_port: 8080
+nix_cache_upstream_url: "https://cache.nixos.org"
+nix_cache_mirror_nginx_conf_path: "/etc/nginx/sites-available/nix-cache-mirror"
+nix_cache_mirror_nginx_enabled_path: "/etc/nginx/sites-enabled/nix-cache-mirror"

playbooks/roles/nix-cache-mirror/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Reload nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
+
+- name: Reload systemd
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true

playbooks/roles/nix-cache-mirror/tasks/main.yml

@@ -0,0 +1,133 @@
+---
+- name: Import optional extra_args file
+  ansible.builtin.include_vars: "{{ item }}"
+  ignore_errors: true
+  with_first_found:
+    - files:
+        - "../extra_vars.yml"
+        - "../extra_vars.yaml"
+        - "../extra_vars.json"
+      skip: true
+  tags: vars
+
+- name: Fail if nix cache mirror is enabled but user is not root
+  ansible.builtin.fail:
+    msg: "Nix cache mirror setup requires root privileges. Please run as root."
+  when:
+    - install_nix_cache_mirror | bool
+    - ansible_user_id != 'root'
+  tags: ["nix-cache", "mirror"]
+
+- name: Install nginx for Nix cache mirror
+  become: true
+  ansible.builtin.package:
+    name:
+      - nginx
+      - curl
+    state: present
+  when: install_nix_cache_mirror | bool
+  tags: ["nix-cache", "mirror"]
+
+- name: Create Nix cache mirror directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ nix_cache_mirror_path }}"
+    state: directory
+    mode: "0755"
+    owner: www-data
+    group: www-data
+  when: install_nix_cache_mirror | bool
+  tags: ["nix-cache", "mirror"]
+
+- name: Template nginx configuration for Nix cache mirror
+  become: true
+  ansible.builtin.template:
+    src: nix-cache-mirror.nginx.j2
+    dest: "{{ nix_cache_mirror_nginx_conf_path }}"
+    mode: "0644"
+    owner: root
+    group: root
+  when: install_nix_cache_mirror | bool
+  notify: reload nginx
+  tags: ["nix-cache", "mirror"]
+
+- name: Enable nginx site for Nix cache mirror
+  become: true
+  ansible.builtin.file:
+    src: "{{ nix_cache_mirror_nginx_conf_path }}"
+    dest: "{{ nix_cache_mirror_nginx_enabled_path }}"
+    state: link
+  when: install_nix_cache_mirror | bool
+  notify: reload nginx
+  tags: ["nix-cache", "mirror"]
+
+- name: Remove default nginx site
+  become: true
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  when: install_nix_cache_mirror | bool
+  notify: reload nginx
+  tags: ["nix-cache", "mirror"]
+
+- name: Create systemd service for Nix cache syncer
+  become: true
+  ansible.builtin.template:
+    src: nix-cache-sync.service.j2
+    dest: /etc/systemd/system/nix-cache-sync.service
+    mode: "0644"
+  when: install_nix_cache_mirror | bool
+  notify: reload systemd
+  tags: ["nix-cache", "mirror"]
+
+- name: Create systemd timer for Nix cache syncer
+  become: true
+  ansible.builtin.template:
+    src: nix-cache-sync.timer.j2
+    dest: /etc/systemd/system/nix-cache-sync.timer
+    mode: "0644"
+  when: install_nix_cache_mirror | bool
+  notify: reload systemd
+  tags: ["nix-cache", "mirror"]
+
+- name: Enable and start nginx service
+  become: true
+  ansible.builtin.systemd:
+    name: nginx
+    enabled: true
+    state: started
+    daemon_reload: true
+  when: install_nix_cache_mirror | bool
+  tags: ["nix-cache", "mirror"]
+
+- name: Enable and start nix-cache-sync timer
+  become: true
+  ansible.builtin.systemd:
+    name: nix-cache-sync.timer
+    enabled: true
+    state: started
+    daemon_reload: true
+  when: install_nix_cache_mirror | bool
+  tags: ["nix-cache", "mirror"]
+
+- name: Check if firewalld is running
+  ansible.builtin.command: systemctl is-active firewalld
+  register: firewalld_status
+  ignore_errors: true
+  when:
+    - install_nix_cache_mirror | bool
+    - linux_mirror_nfs | bool
+  tags: ["nix-cache", "mirror"]
+
+- name: Open firewall for Nix cache mirror HTTP traffic
+  become: true
+  ansible.posix.firewalld:
+    port: "{{ nix_cache_mirror_port }}/tcp"
+    permanent: true
+    state: enabled
+    immediate: true
+  when:
+    - install_nix_cache_mirror | bool
+    - linux_mirror_nfs | bool
+    - firewalld_status.rc == 0
+  tags: ["nix-cache", "mirror"]

playbooks/roles/nix-cache-mirror/templates/nix-cache-mirror.nginx.j2

@@ -0,0 +1,77 @@
+server {
+    listen {{ nix_cache_mirror_port }};
+    server_name _;
+
+    # Cache location
+    root {{ nix_cache_mirror_path }};
+
+    # Enable directory listings
+    autoindex on;
+    autoindex_exact_size off;
+    autoindex_localtime on;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Logging
+    access_log /var/log/nginx/nix-cache-mirror.access.log;
+    error_log /var/log/nginx/nix-cache-mirror.error.log;
+
+    # Main location for cached files
+    location / {
+        try_files $uri $uri/ @upstream;
+
+        # Cache headers for clients
+        expires 1d;
+        add_header Cache-Control "public, immutable";
+
+        # Enable range requests for large files
+        location ~* \.(nar|narinfo)$ {
+            add_header Accept-Ranges bytes;
+        }
+    }
+
+    # Upstream fallback for cache misses
+    location @upstream {
+        # Proxy to upstream cache with caching
+        proxy_pass {{ mirror_nix_cache_upstream_url | default('https://cache.nixos.org') }};
+        proxy_set_header Host cache.nixos.org;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Cache configuration
+        proxy_cache_path {{ nix_cache_mirror_path }}/nginx-cache levels=1:2 keys_zone=nixcache:100m max_size=50g inactive=7d use_temp_path=off;
+        proxy_cache nixcache;
+        proxy_cache_valid 200 206 301 302 7d;
+        proxy_cache_valid 404 1m;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_cache_lock on;
+        proxy_cache_lock_timeout 5s;
+
+        # Store successful requests to filesystem
+        proxy_store on;
+        proxy_store_access user:rw group:rw all:r;
+        proxy_temp_path {{ nix_cache_mirror_path }}/tmp;
+
+        # Add headers to indicate cache status
+        add_header X-Cache-Status $upstream_cache_status;
+        add_header X-Cache-Date $upstream_http_date;
+    }
+
+    # Status endpoint
+    location /status {
+        access_log off;
+        return 200 "Nix Cache Mirror OK\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Health check
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+}

playbooks/roles/nix-cache-mirror/templates/nix-cache-sync.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=Nix Binary Cache Sync Service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=www-data
+Group=www-data
+ExecStart=/usr/bin/curl -f -s "{{ mirror_nix_cache_upstream_url | default('https://cache.nixos.org') }}/nix-cache-info" -o "{{ nix_cache_mirror_path }}/nix-cache-info"
+ExecStartPost=/bin/bash -c 'find {{ nix_cache_mirror_path }} -name "*.narinfo" -mtime +7 -delete'
+ExecStartPost=/bin/bash -c 'find {{ nix_cache_mirror_path }} -name "*.nar*" -mtime +7 -delete'
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target