From e62e4775dd0e25eb2e430b1daf88d532c10a3cef Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Fri, 23 Dec 2022 15:18:31 -0500
Subject: [PATCH] Factor out cache server in its own module
---
 flake.nix | 5 +++++
 nixos/cache-server.nix | 26 ++++++++++++++++++++++++++
 nixos/caches/oss.nix | 2 +-
 nixos/default.nix | 1 +
 secrets/cache-pub-key | 1 +
 systems/hetzner/ax41.nix | 30 +++++------------------------
 6 files changed, 39 insertions(+), 26 deletions(-)
 create mode 100644 nixos/cache-server.nix
 create mode 100644 secrets/cache-pub-key
diff --git a/flake.nix b/flake.nix
index cefa617..f694bac 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,6 +74,11 @@
 ./nixos/hercules.nix
 # I share my Hetzner server with other people who need it.
 self.nixosModules.guests
+ # I host a Nix cache
+ (import ./nixos/cache-server.nix {
+ keyName = "cache-priv-key";
+ domain = "cache.srid.ca";
+ })
 ];
 };
 };
diff --git a/nixos/cache-server.nix b/nixos/cache-server.nix
new file mode 100644
index 0000000..e6ddb30
--- /dev/null
+++ b/nixos/cache-server.nix
@@ -0,0 +1,26 @@
+{ keyName, domain }:
+
+{ pkgs, lib, config, inputs, ... }:
+{
+ imports = [
+ inputs.nix-serve-ng.nixosModules.default
+ ];
+
+ age.secrets.${keyName}.file = ../secrets/${keyName}.age;
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = config.age.secrets.${keyName}.path;
+ };
+ services.nginx = {
+ virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+}
diff --git a/nixos/caches/oss.nix b/nixos/caches/oss.nix
index 52f4c4c..1953ec0 100644
--- a/nixos/caches/oss.nix
+++ b/nixos/caches/oss.nix
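Review bot: The module declares `services.nginx.virtualHosts.${domain}` but never sets `services.nginx.enable`, so the cache is only reachable because ax41.nix still enables nginx on its own; on any other host importing this module the vhost would be silently inert while nix-serve keeps running. Add `services.nginx.enable = true;` beside the virtualHost so the module stands alone. The backend bind address is also left at the nix-serve-ng default (upstream nix-serve's is `0.0.0.0`, which this module appears to inherit), so the TLS/ACME front door can be bypassed on any interface where `config.services.nix-serve.port` is reachable — e.g. the tailnet this host joins — unless the firewall closes it; since nginx proxies to localhost anyway, pin `bindAddress = "127.0.0.1";` inside the `services.nix-serve` block. Note as well that the module uses `age.secrets` without importing agenix itself and relies on the host-wide import this commit adds to nixos/default.nix; a one-line comment above `age.secrets.${keyName}.file` saying so would save the next reader a search.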
@@ -1,6 +1,6 @@
 { pkgs, ... }: {
 nix.settings.trusted-public-keys = [
- "cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo="
+ (builtins.readFile ../../secrets/cache-pub-key)
 # "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" # "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
 ];
diff --git a/nixos/default.nix b/nixos/default.nix
index 319ec7a..d3d304b 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -24,6 +24,7 @@ in
 default.imports = [
 self.nixosModules.home-manager
 self.nixosModules.myself
+ inputs.agenix.nixosModule
 ./caches
 ./self-ide.nix
 ./takemessh
diff --git a/secrets/cache-pub-key b/secrets/cache-pub-key
new file mode 100644
index 0000000..3914500
--- /dev/null
+++ b/secrets/cache-pub-key
@@ -0,0 +1 @@
+cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo=
diff --git a/systems/hetzner/ax41.nix b/systems/hetzner/ax41.nix
index 1d3d3ce..81c8ace 100644
--- a/systems/hetzner/ax41.nix
+++ b/systems/hetzner/ax41.nix
@@ -4,8 +4,6 @@
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
- inputs.agenix.nixosModule
- inputs.nix-serve-ng.nixosModules.default
 ];
 boot.initrd.availableKernelModules = [ "nvme" "ahci" "usbhid" ];
@@ -13,11 +11,10 @@
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/bede3321-d976-475a-ace3-33c8977a590a";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/bede3321-d976-475a-ace3-33c8977a590a";
+ fsType = "ext4";
+ };
 swapDevices = [ ];
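Review bot: `builtins.readFile` returns the file contents including the trailing newline, and the diff for secrets/cache-pub-key shows no `\ No newline at end of file` marker, so the trusted-public-keys entry now carries an embedded newline when rendered into nix.conf. With only this key enabled the extra line is blank and harmless, but re-enabling either commented key after it would push that key onto its own line, which Nix's config parser would likely reject as an illegal configuration line. Use `lib.fileContents`, which strips the trailing newline: change the header to `{ pkgs, lib, ... }:` and the entry to `(lib.fileContents ../../secrets/cache-pub-key)`. Naming a public key under secrets/ is also a little misleading for the next reader, though it is not a security problem. The attribute set this hunk edits continues past the hunk.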
@@ -113,24 +110,7 @@
 services.openssh.enable = true;
 services.tailscale.enable = true;
- age.secrets.cache-priv-key.file = ../../secrets/cache-priv-key.age;
- services.nix-serve = {
- enable = true;
- secretKeyFile = config.age.secrets.cache-priv-key.path;
- };
- services.nginx = {
- enable = true;
- virtualHosts."cache.srid.ca" = {
- forceSSL = true;
- enableACME = true;
- locations."/".extraConfig = ''
- proxy_pass http://localhost:${toString config.services.nix-serve.port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- '';
- };
- };
+ services.nginx.enable = true;
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "srid@srid.ca";