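{ domain, ... }:
{ pkgs, lib, config, inputs, hostName, ... }:
# Publishes this host's Nix store as an HTTP binary cache.
#
#   * nix-serve signs and serves store paths on IPv4 loopback only;
#   * nginx fronts it on two `.wg` vhosts (localcache / extracache) that
#     differ only in the Priority they advertise in /nix-cache-info;
#   * nix-ssh-serve additionally exposes the store over SSH to julm's keys.
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx nix-serve;
  inherit (config.users) users groups;
  srv = "nix-serve";
  # nix-serve listens on the literal address configured below, so proxy to
  # that same address rather than to "localhost": the latter may also
  # resolve to ::1, which nothing listens on, and nginx would then retry
  # between the two upstream addresses.
  nixServeUpstream = "http://${nix-serve.bindAddress}:${toString nix-serve.port}";
in
{
  # NOTE(review): a trusted user can add unsigned paths to the store and
  # override sandbox/substituter settings, which is close to root.  A path
  # injected through a compromised nix-serve would then be served to every
  # client signed with the cache key.  nix-serve appears to only read the
  # store, so check whether this entry can be dropped.
  nix.settings.trusted-users = [ users."nix-serve".name ];
  users.users."nix-serve" = {
    isSystemUser = true;
    group = groups."nix-serve".name;
    # Membership in "keys" is what gives read access to the decrypted secret.
    extraGroups = [ groups."keys".name ];
  };
  users.groups."nix-serve" = {};
  # Private signing key of the binary cache: decrypted for the nix-serve
  # user and ordered before nix-serve.service so the key exists at start-up.
  security.gnupg.secrets."nix/binary-cache-key/1" = {
    user = users."nix-serve".name;
    systemdConfig = {
      before = [ "nix-serve.service" ];
      wantedBy = [ "nix-serve.service" ];
    };
  };
  services.nix-serve = {
    enable = true;
    secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
    # Loopback only: the nginx vhosts below are the sole way in.
    bindAddress = "127.0.0.1";
  };

  # NOTE(review): this definition replaces the NixOS default ("*") unless
  # another module on the host also defines allowed-users; make sure the
  # interactive users that should talk to the daemon are listed somewhere.
  nix.settings.allowed-users = [ users."nix-ssh".name ];
  # Serve the store over SSH (nix-ssh-serve) to whoever holds julm's keys.
  nix.sshServe = {
    enable = true;
    keys = users."julm".openssh.authorizedKeys.keys;
  };

  services.nginx = let
    # One vhost body, parameterised by the Priority advertised to clients
    # (lower wins; cache.nixos.org is 40).
    virtualHost = priority: {
      # Logging is disabled for these vhosts (the commented lines are the
      # debugging alternative).  Be aware that this leaves no audit trail
      # of which peer fetched which store path.
      extraConfig = ''
        #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
        #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
        access_log off;
        error_log /dev/null crit;
      '';
      # Answered by nginx itself rather than proxied, so the priority can
      # differ per vhost while nix-serve stays unaware of it.
      locations."/nix-cache-info" = {
        return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
        extraConfig = ''
          ${nginx.configs.https_add_headers}
          # default_type is what "return" uses for Content-Type; add_header
          # would append a second Content-Type next to the default one.
          default_type text/plain;
        '';
      };
      locations."/".extraConfig = ''
        proxy_pass ${nixServeUpstream};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      '';
    };
  in {
    # Plain HTTP is accepted here because the `.wg` listen names are
    # presumably on the WireGuard network (see the wireguard-wg-intra
    # ordering below), which already authenticates and encrypts peers, and
    # store paths are signed with the cache key.  Every wg peer can fetch
    # any store path, though: nothing secret may ever be written to
    # /nix/store.
    # cache.nixos.org has priority over extracache
    virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // {
      listenAddresses = [ "nix-extracache.${hostName}.wg" ];
      forceSSL = false;
    };
    # localcache has priority over cache.nixos.org
    virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // {
      listenAddresses = [ "nix-localcache.${hostName}.wg" ];
      forceSSL = false;
    };
  };
  systemd.services.nginx = {
    # Ordering only (no Requires/Wants): the vhosts listen on wg-intra
    # names, and binding them before the interface is up would presumably
    # fail.
    after = [ "wireguard-wg-intra.service" ];
    serviceConfig = {
      # NOTE(review): mkForce discards the module's default "nginx" entry;
      # every other vhost module on this host has to force its own
      # directory at the same priority or its logs directory disappears.
      LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
    };
  };
}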