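# nix-serve binary cache for this host, published only on the WireGuard
# hostnames nix-extracache.<hostName>.wg and nix-localcache.<hostName>.wg.
#
# Outer argument set: supplied by the per-domain nginx wrapper (`domain`).
# Inner argument set: the usual NixOS module arguments.
{ domain, ... }:
{ lib, config, hostName, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx nix-serve;
  inherit (config.users) users groups;
  # Service label, only used to build the nginx log directory path.
  srv = "nix-serve";
in
{
  # The nix-serve system user is granted Nix daemon trusted-user status.
  nix.settings.trusted-users = [ users."nix-serve".name ];
  users.users."nix-serve" = {
    isSystemUser = true;
    group = groups."nix-serve".name;
    # Membership in "keys" — presumably needed to read the decrypted
    # cache key installed below; confirm against security.gnupg.secrets.
    extraGroups = [ groups."keys".name ];
  };
  users.groups."nix-serve" = { };

  # Signing key of the binary cache, decrypted for the nix-serve user and
  # ordered so it is in place before nix-serve.service starts.
  security.gnupg.secrets."nix/binary-cache-key/1" = {
    user = users."nix-serve".name;
    systemdConfig = {
      before = [ "nix-serve.service" ];
      wantedBy = [ "nix-serve.service" ];
    };
  };

  services.nix-serve = {
    enable = true;
    secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
    # Loopback only: nix-serve is never reached directly, always through
    # the nginx vhosts below.
    bindAddress = "127.0.0.1";
  };

  # SSH substituter: the nix-ssh user may use the Nix daemon and accepts
  # the same authorized keys as the julm account.
  nix.settings.allowed-users = [ users."nix-ssh".name ];
  nix.sshServe = {
    enable = true;
    keys = users."julm".openssh.authorizedKeys.keys;
  };

  # The vhosts bind to WireGuard addresses, so the tunnel must be up first.
  systemd.services.nginx.after = [ "wireguard-wg-intra.service" ];
  services.nginx =
    let
      # Build one cache vhost advertising the given substituter priority
      # (lower number = consulted earlier by Nix clients).
      virtualHost = priority:
        {
          # Logging is deliberately disabled for this vhost; everything below
          # crit (including upstream connect failures) is dropped.
          extraConfig = ''
            #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
            #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
            access_log off;
            error_log /dev/null crit;
          '';
          locations."/nix-cache-info" = {
            # cache.nixos.org has priority 40
            return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
            extraConfig = ''
              ${nginx.configs.https_add_headers}
              add_header Content-Type text/plain;
            '';
          };
          # Pin the upstream to the address nix-serve actually binds rather
          # than `localhost`, which nginx resolves at startup and may expand
          # to ::1 as well; with error_log at crit such failed attempts would
          # never be visible.
          locations."/".extraConfig = ''
            proxy_pass http://${nix-serve.bindAddress}:${toString nix-serve.port};
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
    in
    {
      # Plain HTTP (forceSSL = false): these vhosts only listen on the
      # WireGuard addresses, so confidentiality is left to the tunnel;
      # integrity rests on the narinfo signatures made with the key above,
      # whose public key clients must list in trusted-public-keys.

      # cache.nixos.org has priority over extracache
      virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // {
        listenAddresses = [ "nix-extracache.${hostName}.wg" ];
        forceSSL = false;
      };
      # localcache has priority over cache.nixos.org
      virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // {
        listenAddresses = [ "nix-localcache.${hostName}.wg" ];
        forceSSL = false;
      };
    };

  # Force nginx's systemd LogsDirectory to this single per-domain path,
  # overriding any other module's definition.
  systemd.services.nginx = {
    serviceConfig = {
      LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
    };
  };
}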
79 }