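{ domain, ... }:
{ pkgs, lib, config, hostName, ... }:
# nix-serve binary cache for this host, fronted by nginx.
#
# Four virtual hosts share one location set (vhostConfig below):
#   - nix-extracache.<domain> / nix-localcache.<domain>       : public, TLS via ACME
#   - nix-extracache.<host>.wg / nix-localcache.<host>.wg     : WireGuard-only, plain HTTP
# "extracache" and "localcache" serve the same store; they differ only in the
# Priority advertised in /nix-cache-info (Nix tries lower numbers first).
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx nix-serve;
  inherit (config.users) users groups;
  srv = "nix-serve";
  # Binary-cache priorities as seen by Nix clients (lower wins).
  # cache.nixos.org advertises 40: localcache is preferred over it,
  # extracache is only consulted after it.
  localCachePriority = 30;
  extraCachePriority = 60;
in
{
  # NOTE(review): a trusted user can bypass nix-daemon restrictions (e.g.
  # arbitrary substituters, unsigned paths). Serving a cache only needs read
  # access to the store — confirm this is still required and drop it if not.
  nix.trustedUsers = [ users."nix-serve".name ];
  users.users."nix-serve".isSystemUser = true;
  # "keys" group: read access to the decrypted secrets.
  users.users."nix-serve".extraGroups = [ groups."keys".name ];
  # The cache signing key is decrypted for the nix-serve user and ordered
  # before nix-serve.service, so secretKeyFile below exists when it starts.
  security.gnupg.secrets."nix/binary-cache-key/1" = {
    user = users."nix-serve".name;
    systemdConfig = {
      before = [ "nix-serve.service" ];
      wantedBy = [ "nix-serve.service" ];
    };
  };
  services.nix-serve = {
    enable = true;
    secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
    # Loopback only: every client has to come through nginx.
    bindAddress = "127.0.0.1";
  };
  services.nginx = let
    # Common vhost body; `priority` is the value advertised in /nix-cache-info.
    vhostConfig = priority: {
      # Logging is deliberately disabled for this vhost (the commented-out
      # lines are the previous setup).
      # NOTE(review): this also removes the audit trail for the public cache
      # endpoints; re-enable the access log if that trail is wanted.
      extraConfig = ''
        #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
        #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
        access_log off;
        error_log /dev/null crit;
      '';
      # Static cache descriptor; nginx answers it without touching nix-serve.
      locations."/nix-cache-info" = {
        return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
        # add_header inside a location replaces the server-level add_header
        # set, hence the common headers are re-emitted here.
        # `return` derives Content-Type from default_type; add_header would
        # append a second, duplicate Content-Type header instead.
        extraConfig = ''
          ${nginx.configs.https_add_headers}
          default_type text/plain;
        '';
      };
      # Everything else (narinfo/nar) is proxied to nix-serve on the exact
      # address it is bound to above, rather than relying on how "localhost"
      # resolves (::1 vs 127.0.0.1).
      locations."/".extraConfig = ''
        proxy_pass http://${nix-serve.bindAddress}:${toString nix-serve.port};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      '';
    };
  in {
    # Public endpoints: TLS certificate shared with the rest of ${domain}.
    virtualHosts."nix-extracache.${domain}" = vhostConfig extraCachePriority // {
      serverAliases = [ "${srv}.${domain}" ];
      forceSSL = true;
      useACMEHost = domain;
    };
    virtualHosts."nix-localcache.${domain}" = vhostConfig localCachePriority // {
      forceSSL = true;
      useACMEHost = domain;
    };
    # WireGuard endpoints: plain HTTP is acceptable only because the tunnel
    # provides transport encryption; listenAddresses is resolved at nginx
    # start and is presumably this host's WireGuard address — verify it is not
    # also bound on a public interface.
    # cache.nixos.org has priority over extracache
    virtualHosts."nix-extracache.${hostName}.wg" = vhostConfig extraCachePriority // {
      listenAddresses = [ "nix-extracache.${hostName}.wg" ];
      forceSSL = false;
    };
    # localcache has priority over cache.nixos.org
    virtualHosts."nix-localcache.${hostName}.wg" = vhostConfig localCachePriority // {
      listenAddresses = [ "nix-localcache.${hostName}.wg" ];
      forceSSL = false;
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      # NOTE(review): mkForce discards every other LogsDirectory entry for
      # nginx set elsewhere in the configuration, and the directory is created
      # even though logging for this vhost is off above.
      LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
    };
  };
}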