mirror: add Nix binary cache mirroring support

Add support for a Nix binary cache mirroring infrastructure for
enterprise environments to reduce latencies and public bandwidth
consumption for CIs. This dramatically reduces NixOS package download
times from hundreds of packages to local cache hits.

Key features:
- nginx-based proxy caching for Nix binary cache
- Automatic mirror detection for client-side configuration
- systemd service and timer for cache synchronization
- Integration with existing defconfig-mirror infrastructure
- Client auto-configuration when local mirrors are available

Components:
- playbooks/roles/nix-cache-mirror/: Complete Ansible role
- scripts/check_nix_mirror.sh: Mirror detection and URL discovery
- kconfigs/Kconfig.mirror: Mirror configuration options
- Integration with defconfig-mirror for one-time setup

The mirror setup follows existing kdevops mirror patterns and
integrates with the git mirror infrastructure already in place.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <[email protected]>

Author: mcgrof

defconfigs/mirror

@@ -2,3 +2,4 @@ CONFIG_SKIP_BRINGUP=y
 CONFIG_WORKFLOWS=n
 CONFIG_INSTALL_LOCAL_LINUX_MIRROR=y
 CONFIG_LINUX_MIRROR_NFS=y
+CONFIG_INSTALL_NIX_CACHE_MIRROR=y

kconfigs/Kconfig.mirror

@@ -379,15 +379,15 @@ choice
 config MIRROR_STABLE_RC_HTTPS
 	bool "HTTPS (kernel.org)"
 	help
-	  If you enable this option then the mirror will use HTTPS to access 
+	  If you enable this option then the mirror will use HTTPS to access
 	  the linux-stable-rc repository on git.kernel.org. The full URL is:
 
 	  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git"
 
 config MIRROR_STABLE_RC_HTTPS_GOOGLE
 	bool "HTTPS (Google)"
 	help
-	  If you enable this option then the mirror will use HTTPS to access 
+	  If you enable this option then the mirror will use HTTPS to access
 	  the linux-stable-rc repository on kernel.googlesource.com The full
 	  URL is:
 
@@ -676,5 +676,69 @@ config MIRROR_MMTESTS_URL
 	string
 	default DEFAULT_MMTESTS_GITHUB_HTTPS_URL if MIRROR_MMTESTS_HTTPS_GITHUB
 
+config INSTALL_NIX_CACHE_MIRROR
+	bool "Install Nix binary cache mirror"
+	output yaml
+	depends on INSTALL_LOCAL_LINUX_MIRROR
+	help
+	  Enable this to set up a local Nix binary cache mirror for all guests.
+	  This will significantly speed up NixOS VM builds by caching downloaded
+	  packages locally.
+
+	  When enabled, this creates:
+	  - A local Nix binary cache at /mirror/nix-cache/
+	  - An nginx-based cache server on port 8080
+	  - Automatic synchronization from cache.nixos.org
+
+	  This saves bandwidth and speeds up NixOS builds dramatically as the
+	  initial build requires downloading ~679 packages (685MB).
+
+	  The cache will be available to all VMs and systems in your network
+	  at: http://mirror-host:8080/
+
+choice
+	prompt "Nix cache mirror source"
+	default MIRROR_NIX_CACHE_NIXOS_ORG
+	depends on INSTALL_NIX_CACHE_MIRROR
+
+config MIRROR_NIX_CACHE_NIXOS_ORG
+	bool "cache.nixos.org (official)"
+	help
+	  Use the official Nix binary cache at cache.nixos.org as the upstream
+	  source for the mirror.
+
+config MIRROR_NIX_CACHE_NIXOS_ORG_FALLBACK
+	bool "cache.nixos.org with fastly CDN fallback"
+	help
+	  Use cache.nixos.org with additional fastly CDN endpoints as fallbacks
+	  for better reliability and performance.
+
+endchoice
+
+config MIRROR_NIX_CACHE_UPSTREAM_URL
+	string
+	output yaml
+	default "https://cache.nixos.org" if MIRROR_NIX_CACHE_NIXOS_ORG
+	default "https://cache.nixos.org https://nixos.cachix.org" if MIRROR_NIX_CACHE_NIXOS_ORG_FALLBACK
+
+config NIX_CACHE_MIRROR_PORT
+	int "Nix cache mirror nginx port"
+	output yaml
+	default 8080
+	depends on INSTALL_NIX_CACHE_MIRROR
+	help
+	  The port for the local nginx server that will serve the Nix binary cache.
+	  Default is 8080. Ensure this port is available and not blocked by firewall.
+
+config NIX_CACHE_MIRROR_PATH
+	string "Nix cache mirror storage path"
+	output yaml
+	default "/mirror/nix-cache"
+	depends on INSTALL_NIX_CACHE_MIRROR
+	help
+	  Local filesystem path where the Nix binary cache will be stored.
+	  This should be on a filesystem with sufficient space as the cache
+	  can grow to several GB over time.
+
 endif # ENABLE_LOCAL_LINUX_MIRROR
 endif # TERRAFORM

kconfigs/Kconfig.nixos

@@ -91,6 +91,35 @@ config NIXOS_SSH_PORT
 	help
 	  SSH port to use for connecting to NixOS VMs.
 
+config NIXOS_USE_LOCAL_MIRROR
+	bool "Use local Nix binary cache mirror"
+	output yaml
+	default $(shell, scripts/check_nix_mirror.sh USE_NIX_CACHE_MIRROR)
+	help
+	  Enable this to use a local Nix binary cache mirror if available.
+	  This dramatically speeds up NixOS builds by avoiding repeated
+	  downloads of packages from cache.nixos.org.
+
+	  When enabled, kdevops will automatically detect and configure
+	  VMs to use the local mirror if available at /mirror/nix-cache
+	  or via HTTP on port 8080.
+
+	  This requires that you have set up a mirror server using the
+	  defconfig-mirror configuration.
+
+config NIXOS_MIRROR_URL
+	string "Nix binary cache mirror URL"
+	output yaml
+	default $(shell, scripts/check_nix_mirror.sh NIX_CACHE_MIRROR_URL)
+	depends on NIXOS_USE_LOCAL_MIRROR
+	help
+	  The URL of the local Nix binary cache mirror. This is
+	  automatically detected based on available mirrors:
+	  - HTTP mirror if running on port 8080
+	  - File-based mirror at /mirror/nix-cache (for NFS mounts)
+
+	  Leave empty to auto-detect at runtime.
+
 config NIXOS_DEBUG_MODE
 	bool "Enable debug mode for NixOS provisioning"
 	default n

playbooks/linux-mirror.yml

@@ -3,3 +3,5 @@
   hosts: localhost
   roles:
     - role: linux-mirror
+    - role: nix-cache-mirror
+      when: install_nix_cache_mirror | default(false) | bool

playbooks/nixos.yml

@@ -95,6 +95,21 @@
           ansible.builtin.set_fact:
             nixos_ssh_authorized_key: "{{ ssh_public_key['content'] | b64decode | trim }}"
 
+    - name: Detect local Nix cache mirror URL if enabled
+      ansible.builtin.shell: |
+        bash {{ playbook_dir }}/../scripts/check_nix_mirror.sh NIX_CACHE_MIRROR_URL
+      register: detected_mirror_url
+      when: nixos_use_local_mirror | default(false) | bool and (nixos_mirror_url is not defined or nixos_mirror_url == "")
+      changed_when: false
+
+    - name: Set detected mirror URL
+      ansible.builtin.set_fact:
+        nixos_mirror_url: "{{ detected_mirror_url.stdout | trim }}"
+      when:
+        - detected_mirror_url is defined
+        - detected_mirror_url.stdout is defined
+        - detected_mirror_url.stdout | trim != ""
+
     - name: Template base NixOS configuration
       ansible.builtin.template:
         src: nixos/configuration.nix.j2
@@ -176,9 +191,18 @@
         fi
 
         # Configure Nix to use local mirror if available
-        {% if nixos_use_local_mirror is defined and nixos_use_local_mirror and nixos_mirror_url is defined and nixos_mirror_url != "" %}
+        {% if nixos_use_local_mirror is defined and nixos_use_local_mirror %}
+        # Dynamically detect mirror URL if not provided
+        {% if nixos_mirror_url is not defined or nixos_mirror_url == "" %}
+        DETECTED_MIRROR=$(bash {{ playbook_dir }}/../scripts/check_nix_mirror.sh NIX_CACHE_MIRROR_URL)
+        if [ -n "$DETECTED_MIRROR" ]; then
+          export NIX_CONFIG="substituters = $DETECTED_MIRROR https://cache.nixos.org"
+          echo "Using detected local Nix cache mirror: $DETECTED_MIRROR"
+        fi
+        {% else %}
         export NIX_CONFIG="substituters = {{ nixos_mirror_url }} https://cache.nixos.org"
-        echo "Using local Nix cache mirror: {{ nixos_mirror_url }}"
+        echo "Using configured local Nix cache mirror: {{ nixos_mirror_url }}"
+        {% endif %}
         {% endif %}
 
         cd {{ nixos_generation_dir }}

playbooks/roles/linux-mirror/python/start-mirroring.py

@@ -54,7 +54,8 @@ def mirror_entry(mirror, args):
     cmd = cmd + reference_args
     mirror_target = mirror_path + target
     if os.path.isdir(mirror_target):
-        return
+        sys.stdout.write("Skipping %s - mirror already exists at %s\n" % (short_name, mirror_target))
+        return "skipped"
     sys.stdout.write("Mirroring: %s onto %s\n" % (short_name, mirror_target))
     if args.verbose:
         sys.stdout.write("%s\n" % (cmd))
@@ -74,6 +75,7 @@ def mirror_entry(mirror, args):
         process.wait()
         if process.returncode != 0:
             raise Exception(f"Failed clone with:\n%s" % (" ".join(cmd)))
+        return "cloned"
 
 
 def main():
@@ -134,15 +136,36 @@ def main():
                 % (mirror.get("short_name"), args.yaml_mirror, total)
             )
 
+    # Statistics tracking
+    stats = {"skipped": 0, "cloned": 0, "failed": 0}
     # Mirror trees without a reference first
     for mirror in yaml_vars["mirrors"]:
         if not mirror.get("reference"):
-            mirror_entry(mirror, args)
+            result = mirror_entry(mirror, args)
+            if result == "skipped":
+                stats["skipped"] += 1
+            elif result == "cloned":
+                stats["cloned"] += 1
+            else:
+                stats["failed"] += 1
 
     # Mirror trees which need a reference last
     for mirror in yaml_vars["mirrors"]:
         if mirror.get("reference"):
-            mirror_entry(mirror, args)
+            result = mirror_entry(mirror, args)
+            if result == "skipped":
+                stats["skipped"] += 1
+            elif result == "cloned":
+                stats["cloned"] += 1
+            else:
+                stats["failed"] += 1
+    # Print summary
+    sys.stdout.write("\n=== Mirror Summary ===\n")
+    sys.stdout.write("Total repositories: %d\n" % total)
+    sys.stdout.write("Skipped (already exist): %d\n" % stats["skipped"])
+    sys.stdout.write("Cloned (new): %d\n" % stats["cloned"])
+    if stats["failed"] > 0:
+        sys.stdout.write("Failed: %d\n" % stats["failed"])
 
 
 if __name__ == "__main__":

playbooks/roles/nix-cache-mirror/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# Default variables for nix-cache-mirror role
+nix_cache_mirror_path: "/mirror/nix-cache"
+nix_cache_mirror_port: 8080
+nix_cache_upstream_url: "https://cache.nixos.org"
+nix_cache_mirror_nginx_conf_path: "/etc/nginx/sites-available/nix-cache-mirror"
+nix_cache_mirror_nginx_enabled_path: "/etc/nginx/sites-enabled/nix-cache-mirror"

playbooks/roles/nix-cache-mirror/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
+
+- name: reload systemd
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true