]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/nginx/sourcephile.fr/nix-serve.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add 1 git-crypt collaborator
[sourcephile-nix.git] / hosts / losurdo / nginx / sourcephile.fr / nix-serve.nix
1 { domain, ... }:
2 { pkgs, lib, config, inputs, hostName, ... }:
3 let
4 inherit (config) networking;
5 inherit (config.security) gnupg;
6 inherit (config.services) nginx nix-serve;
7 inherit (config.users) users groups;
8 srv = "nix-serve";
9 in
10 {
11 nix.settings.trusted-users = [ users."nix-serve".name ];
12 users.users."nix-serve" = {
13 isSystemUser = true;
14 group = groups."nix-serve".name;
15 extraGroups = [ groups."keys".name ];
16 };
17 users.groups."nix-serve" = {};
18 security.gnupg.secrets."nix/binary-cache-key/1" = {
19 user = users."nix-serve".name;
20 systemdConfig = {
21 before = [ "nix-serve.service" ];
22 wantedBy = [ "nix-serve.service" ];
23 };
24 };
25 services.nix-serve = {
26 enable = true;
27 secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
28 bindAddress = "127.0.0.1";
29 };
30 nix.settings.allowed-users = [ users."nix-ssh".name ];
31 nix.sshServe = {
32 enable = true;
33 keys = map lib.readFile [
34 (inputs.secrets + "/members/ssh/julm-losurdo.pub")
35 (inputs.secrets + "/members/ssh/julm-oignon.pub")
36 (inputs.secrets + "/members/ssh/sevy-patate.pub")
37 ];
38 };
39
40 systemd.services.nginx.after = ["wireguard-wg-intra.service"];
41 services.nginx = let virtualHost = priority:
42 {
43 extraConfig = ''
44 #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
45 #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
46 access_log off;
47 error_log /dev/null crit;
48 '';
49 locations."/nix-cache-info" = {
50 # cache.nixos.org has priority 40
51 return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
52 extraConfig = ''
53 ${nginx.configs.https_add_headers}
54 add_header Content-Type text/plain;
55 '';
56 };
57 locations."/".extraConfig = ''
58 proxy_pass http://localhost:${toString nix-serve.port};
59 proxy_set_header Host $host;
60 proxy_set_header X-Real-IP $remote_addr;
61 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
62 '';
63 };
64 in {
65 # cache.nixos.org has priority over extracache
66 virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // {
67 listenAddresses = [ "nix-extracache.${hostName}.wg" ];
68 forceSSL = false;
69 };
70 # localcache has priority over cache.nixos.org
71 virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // {
72 listenAddresses = [ "nix-localcache.${hostName}.wg" ];
73 forceSSL = false;
74 };
75 };
76 systemd.services.nginx = {
77 serviceConfig = {
78 LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
79 };
80 };
81 }
NixOS configurations for Sourcephile's infrastructure