{ domain, ... }:
-{ pkgs, lib, config, inputs, hostName, ... }:
+{ lib, config, hostName, ... }:
let
- inherit (config) networking;
inherit (config.security) gnupg;
inherit (config.services) nginx nix-serve;
inherit (config.users) users groups;
srv = "nix-serve";
in
{
-nix.settings.trusted-users = [ users."nix-serve".name ];
-users.users."nix-serve" = {
- isSystemUser = true;
- group = groups."nix-serve".name;
- extraGroups = [ groups."keys".name ];
-};
-users.groups."nix-serve" = {};
-security.gnupg.secrets."nix/binary-cache-key/1" = {
- user = users."nix-serve".name;
- systemdConfig = {
- before = [ "nix-serve.service" ];
- wantedBy = [ "nix-serve.service" ];
+ nix.settings.trusted-users = [ users."nix-serve".name ];
+ users.users."nix-serve" = {
+ isSystemUser = true;
+ group = groups."nix-serve".name;
+ extraGroups = [ groups."keys".name ];
};
-};
-services.nix-serve = {
- enable = true;
- secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
- bindAddress = "127.0.0.1";
-};
-nix.settings.allowed-users = [ users."nix-ssh".name ];
-nix.sshServe = {
- enable = true;
- keys = users."julm".openssh.authorizedKeys.keys;
-};
-
-systemd.services.nginx.after = ["wireguard-wg-intra.service"];
-services.nginx = let virtualHost = priority:
- {
- extraConfig = ''
- #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
- #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
- access_log off;
- error_log /dev/null crit;
- '';
- locations."/nix-cache-info" = {
- # cache.nixos.org has priority 40
- return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
- extraConfig = ''
- ${nginx.configs.https_add_headers}
- add_header Content-Type text/plain;
- '';
+ users.groups."nix-serve" = { };
+ security.gnupg.secrets."nix/binary-cache-key/1" = {
+ user = users."nix-serve".name;
+ systemdConfig = {
+ before = [ "nix-serve.service" ];
+ wantedBy = [ "nix-serve.service" ];
};
- locations."/".extraConfig = ''
- proxy_pass http://localhost:${toString nix-serve.port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- '';
};
- in {
- # cache.nixos.org has priority over extracache
- virtualHosts."nix-extracache.${hostName}.wg" = virtualHost 60 // {
- listenAddresses = [ "nix-extracache.${hostName}.wg" ];
- forceSSL = false;
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
+ bindAddress = "127.0.0.1";
};
- # localcache has priority over cache.nixos.org
- virtualHosts."nix-localcache.${hostName}.wg" = virtualHost 30 // {
- listenAddresses = [ "nix-localcache.${hostName}.wg" ];
- forceSSL = false;
+ nix.settings.allowed-users = [ users."nix-ssh".name ];
+ nix.sshServe = {
+ enable = true;
+ keys = users."julm".openssh.authorizedKeys.keys;
};
-};
-systemd.services.nginx = {
- serviceConfig = {
- LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+
+ systemd.services.nginx.after = [ "wireguard-wg-intra.service" ];
+ services.nginx =
+ let
+ virtualHost = priority:
+ {
+ extraConfig = ''
+ #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
+ #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
+ access_log off;
+ error_log /dev/null crit;
+ '';
+ locations."/nix-cache-info" = {
+ # cache.nixos.org has priority 40
+ return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
+ extraConfig = ''
+ ${nginx.configs.https_add_headers}
+ add_header Content-Type text/plain;
+ '';
+ };
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString nix-serve.port};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ in
+ {
+ # cache.nixos.org has priority over extracache
+ virtualHosts."nix-extracache.${hostName}.sp" = virtualHost 60 // {
+ listenAddresses = [ "nix-extracache.${hostName}.sp" ];
+ forceSSL = false;
+ };
+ # localcache has priority over cache.nixos.org
+ virtualHosts."nix-localcache.${hostName}.sp" = virtualHost 30 // {
+ listenAddresses = [ "nix-localcache.${hostName}.sp" ];
+ forceSSL = false;
+ };
+ };
+ systemd.services.nginx = {
+ serviceConfig = {
+ LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
+ };
};
-};
}
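Review bot: The rename of the virtual hosts and their `listenAddresses` from `nix-extracache.${hostName}.wg` / `nix-localcache.${hostName}.wg` to the `.sp` suffix is not matched by the ordering dependency, which still reads `systemd.services.nginx.after = [ "wireguard-wg-intra.service" ];`. nginx binds to those names at startup, so if the `.sp` addresses are no longer provided by the wg-intra WireGuard interface this `after` is stale and nginx can race the interface that actually carries them and fail to bind; if they are still on wg-intra, a one-line comment such as `# .sp names resolve to wg-intra addresses; nginx must not bind before the tunnel is up` would make the coupling explicit. While touching this block, it is worth revisiting `nix.settings.trusted-users = [ users."nix-serve".name ];` together with `extraGroups = [ groups."keys".name ];`: trusted-users lets that account override daemon settings (substituters, sandbox) as if root, and the keys group exposes every `/run/keys` secret rather than only `nix/binary-cache-key/1`, which the `security.gnupg.secrets` entry already scopes to the user — I cannot see from here whether nix-serve needs either grant, so this is a suggestion to confirm and, if not, to drop them. The cache vhosts keep `forceSSL = false`, which is acceptable only because clients verify the narinfo signatures made with the key from `secretKeyFile`; a comment stating that plain HTTP is intentional for that reason would save the next reader from "fixing" it.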