2 { pkgs, lib, config, inputs, hostName, ... }:
4 inherit (config) networking;
5 inherit (config.security) gnupg;
6 inherit (config.services) nginx nix-serve;
7 inherit (config.users) users groups;
11 nix.trustedUsers = [ users."nix-serve".name ];
12 users.users."nix-serve" = {
14 group = groups."nix-serve".name;
15 extraGroups = [ groups."keys".name ];
17 users.groups."nix-serve" = {};
18 security.gnupg.secrets."nix/binary-cache-key/1" = {
19 user = users."nix-serve".name;
21 before = [ "nix-serve.service" ];
22 wantedBy = [ "nix-serve.service" ];
25 services.nix-serve = {
27 secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
28 bindAddress = "127.0.0.1";
30 nix.allowedUsers = [ users."nix-ssh".name ];
33 keys = map lib.readFile [
34 (inputs.secrets + "/members/ssh/julm-losurdo.pub")
35 (inputs.secrets + "/members/ssh/julm-oignon.pub")
36 (inputs.secrets + "/members/ssh/sevy-patate.pub")
40 services.nginx = let virtualHost = priority:
43 #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
44 #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
46 error_log /dev/null crit;
48 locations."/nix-cache-info" = {
49 # cache.nixos.org has priority 40
50 return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
52 ${nginx.configs.https_add_headers}
53 add_header Content-Type text/plain;
56 locations."/".extraConfig = ''
57 proxy_pass http://localhost:${toString nix-serve.port};
58 proxy_set_header Host $host;
59 proxy_set_header X-Real-IP $remote_addr;
60 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
64 # cache.nixos.org (priority 40) takes precedence over extracache (priority 60): the lower value wins
65 virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // {
66 listenAddresses = [ "nix-extracache.${hostName}.wg" ];
69 # localcache (priority 30) takes precedence over cache.nixos.org (priority 40): the lower value wins
70 virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // {
71 listenAddresses = [ "nix-localcache.${hostName}.wg" ];
75 systemd.services.nginx = {
77 LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];