{ domain, ... }: { pkgs, lib, config, inputs, hostName, ... }: let inherit (config) networking; inherit (config.security) gnupg; inherit (config.services) nginx nix-serve; inherit (config.users) users groups; srv = "nix-serve"; in { nix.trustedUsers = [ users."nix-serve".name ]; users.users."nix-serve" = { isSystemUser = true; group = groups."nix-serve".name; extraGroups = [ groups."keys".name ]; }; users.groups."nix-serve" = {}; security.gnupg.secrets."nix/binary-cache-key/1" = { user = users."nix-serve".name; systemdConfig = { before = [ "nix-serve.service" ]; wantedBy = [ "nix-serve.service" ]; }; }; services.nix-serve = { enable = true; secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path; bindAddress = "127.0.0.1"; }; nix.allowedUsers = [ users."nix-ssh".name ]; nix.sshServe = { enable = true; keys = map lib.readFile [ (inputs.secrets + "/members/ssh/julm-losurdo.pub") (inputs.secrets + "/members/ssh/julm-oignon.pub") (inputs.secrets + "/members/ssh/sevy-patate.pub") ]; }; services.nginx = let virtualHost = priority: { extraConfig = '' #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k; #error_log /var/log/nginx/${domain}/${srv}/error.log warn; access_log off; error_log /dev/null crit; ''; locations."/nix-cache-info" = { # cache.nixos.org has priority 40 return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"''; extraConfig = '' ${nginx.configs.https_add_headers} add_header Content-Type text/plain; ''; }; locations."/".extraConfig = '' proxy_pass http://localhost:${toString nix-serve.port}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ''; }; in { # cache.nixos.org has priority over extracache virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // { listenAddresses = [ "nix-extracache.${hostName}.wg" ]; forceSSL = false; }; # localcache has priority over cache.nixos.org virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // { listenAddresses = [ "nix-localcache.${hostName}.wg" ]; forceSSL = false; }; }; systemd.services.nginx = { serviceConfig = { LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"]; }; }; }