Factor out cache server in its own module

2025-12-26 15:04:59 +08:00 · 2022-12-23 15:18:31 -05:00 · 2022-12-23 15:18:31 -05:00 · e62e4775dd
commit e62e4775dd
parent 6326d27460
6 changed files with 39 additions and 26 deletions
--- a/flake.nix
+++ b/flake.nix
@ -74,6 +74,11 @@
              ./nixos/hercules.nix
              # I share my Hetzner server with other people who need it.
              self.nixosModules.guests
+              # I host a Nix cache
+              (import ./nixos/cache-server.nix {
+                keyName = "cache-priv-key";
+                domain = "cache.srid.ca";
+              })
            ];
          };
        };
--- a/nixos/cache-server.nix
+++ b/nixos/cache-server.nix
@ -0,0 +1,26 @@
+{ keyName, domain }:
+
+{ pkgs, lib, config, inputs, ... }:
+{
+  imports = [
+    inputs.nix-serve-ng.nixosModules.default
+  ];
+
+  age.secrets.${keyName}.file = ../secrets/${keyName}.age;
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.age.secrets.${keyName}.path;
+  };
+  services.nginx = {
+    virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".extraConfig = ''
+        proxy_pass http://localhost:${toString config.services.nix-serve.port};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      '';
+    };
+  };
+}
--- a/nixos/caches/oss.nix
+++ b/nixos/caches/oss.nix
@ -1,6 +1,6 @@
 { pkgs, ... }: {
  nix.settings.trusted-public-keys = [
-    "cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo="
+    (builtins.readFile ../../secrets/cache-pub-key)
    # "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    # "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
  ];
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -24,6 +24,7 @@ in
      default.imports = [
        self.nixosModules.home-manager
        self.nixosModules.myself
+        inputs.agenix.nixosModule
        ./caches
        ./self-ide.nix
        ./takemessh
--- a/secrets/cache-pub-key
+++ b/secrets/cache-pub-key
@ -0,0 +1 @@
+cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo=
--- a/systems/hetzner/ax41.nix
+++ b/systems/hetzner/ax41.nix
@ -4,8 +4,6 @@
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
-      inputs.agenix.nixosModule
-      inputs.nix-serve-ng.nixosModules.default
    ];

  boot.initrd.availableKernelModules = [ "nvme" "ahci" "usbhid" ];
@ -13,11 +11,10 @@
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/bede3321-d976-475a-ace3-33c8977a590a";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/bede3321-d976-475a-ace3-33c8977a590a";
+    fsType = "ext4";
+  };

  swapDevices = [ ];

@ -113,24 +110,7 @@
  services.openssh.enable = true;
  services.tailscale.enable = true;

-  age.secrets.cache-priv-key.file = ../../secrets/cache-priv-key.age;
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = config.age.secrets.cache-priv-key.path;
-  };
-  services.nginx = {
-    enable = true;
-    virtualHosts."cache.srid.ca" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".extraConfig = ''
-        proxy_pass http://localhost:${toString config.services.nix-serve.port};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      '';
-    };
-  };
+  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "srid@srid.ca";
				`@ -0,0 +1 @@`
				`cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo=`