in
{
nix.trustedUsers = [ users."nix-serve".name ];
-users.users."nix-serve".extraGroups = [ groups."keys".name ];
+users.users."nix-serve" = {
+ isSystemUser = true;
+ group = groups."nix-serve".name;
+ extraGroups = [ groups."keys".name ];
+};
+users.groups."nix-serve" = {};
security.gnupg.secrets."nix/binary-cache-key/1" = {
user = users."nix-serve".name;
systemdConfig = {
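Review bot: The new explicit `users.users."nix-serve"` definition keeps `extraGroups = [ groups."keys".name ]` without saying what the membership is for, and the context line above it also lists the same account in `nix.trustedUsers`. Presumably the group is only needed to reach the `nix/binary-cache-key/1` secret declared just below, which is already owned by this user. A comment such as `# keys: needed to read the binary-cache signing key, nothing else` would record that. If the account only signs and serves store paths, it is worth confirming that it needs trusted-user rights on the daemon at all, since this is the account behind the HTTP-facing cache.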
};
services.nginx = let vhostConfig = priority:
{
- #onlySSL = true;
- #addSSL = true;
- forceSSL = true;
- useACMEHost = domain;
extraConfig = ''
- #access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
+ #access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
#error_log /var/log/nginx/${domain}/${srv}/error.log warn;
access_log off;
error_log /dev/null crit;
'';
};
in {
- virtualHosts."nix-localcache.${domain}" = vhostConfig 30;
virtualHosts."nix-extracache.${domain}" = vhostConfig 60 // {
serverAliases = [ "${srv}.${domain}" ];
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ virtualHosts."nix-localcache.${domain}" = vhostConfig 30 // {
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ # cache.nixos.org has priority over extracache
+ virtualHosts."nix-extracache.${hostName}.wg" = vhostConfig 60 // {
+ listenAddresses = [ "nix-extracache.${hostName}.wg" ];
+ forceSSL = false;
+ };
+ # localcache has priority over cache.nixos.org
+ virtualHosts."nix-localcache.${hostName}.wg" = vhostConfig 30 // {
+ listenAddresses = [ "nix-localcache.${hostName}.wg" ];
+ forceSSL = false;
};
};
systemd.services.nginx = {
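Review bot: The two new `.wg` vhosts (`nix-extracache.${hostName}.wg` and `nix-localcache.${hostName}.wg`) serve the cache over plain HTTP with `forceSSL = false`, and nothing in the hunk says why that is acceptable. If the intent is that WireGuard already protects the transport and clients verify store-path signatures against the cache key, state it above the first of them, e.g. `# plain HTTP on purpose: only reachable over WireGuard; clients must keep signature checking enabled for this cache`. `listenAddresses` is given a host name rather than an address, so nginx has to resolve it at start-up. Presumably the name comes from a static hosts entry; otherwise a literal address would be more predictable and would rule out binding to an unintended interface. These vhosts also inherit `access_log off` and `error_log /dev/null crit` from `vhostConfig`, so requests on the unencrypted endpoints leave no record; the `systemd.services.nginx` block continues outside the hunk.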