Finish nix-cache

2025-01-24 15:48:03 +01:00 · 2025-01-24 15:48:03 +01:00 · 006d0b9213
commit 006d0b9213
parent e70e892ab2
9 changed files with 85 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -49,3 +49,8 @@ creation_rules:
      - age:
        - *admin_torjus
        - *server_ca
+  - path_regex: secrets/nix-cache01/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_nix-cache01
--- a/secrets/nix-cache01/cache-secret
+++ b/secrets/nix-cache01/cache-secret
@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ0dGckxKMmZsM1JER3Qx\nYkRhb282OFlFSmRrNmU3c0dIYitmbHE1bHlFCnhpK0pCRlhlTlpBTHl6aU53blBP\nNGFuejRjOFhPWnhvUURPMzY1V1A5ZnMKLS0tIGhMSWhxVWtCbXd0Vnh6N1J1STBT\nVDRzWURscjNYT21kMzRYVnZDQlkreVkKMkRqbGfHd2/bRf8on8eqoJpFI8i9vMDK\ni0Lrw7Zpw0D1Arzq6rA8YGyAqboV4ixQVUjlrL8cJv9n3/8geCfOAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUt5VHBWY3NiR2U4MXVX\nREpLZXIxaDNSc2FmdEZkclNEeHdkSzBEdDI4CjNiS0xMV1hjMmxVd1QwekFXT29k\nMXIrQ2VIMTR2ejJWaGd2S00zQWVKVHcKLS0tIER1azhRRHVRZzJuQU5xL3hZb1lR\nZlN3NGV2a1c2M1AwSW1JeldOTkhRMjAKGDk5neEcVzSPtauiiqxkOaqaCj/+jzUk\nEE8g9XQuK5xAIxFlvqPilgo59VOL335VjUJZqGgFxfc7TvhZQTSAaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-24T12:19:16Z",
+		"mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.3"
+	}
+}
--- a/services/nix-cache/build-flakes.nix
+++ b/services/nix-cache/build-flakes.nix
@ -28,7 +28,7 @@ in
 {
  systemd.services."build-flakes" = {
    serviceConfig = {
-      Type = "oneshot";
+      Type = "exec";
      ExecStart = "${build-flake-script}/bin/build-flake-script";
    };
  };
@ -36,7 +36,7 @@ in
    enable = true;
    wantedBy = [ "timers.target" ];
    timerConfig = {
-      OnCalendar = "Sun 06:00:00";
+      OnCalendar = "*-*-* *:30:00";
    };
  };
 }
--- a/services/nix-cache/default.nix
+++ b/services/nix-cache/default.nix
@ -2,5 +2,7 @@
 {
  imports = [
    ./build-flakes.nix
+    ./nix-serve.nix
+    ./proxy.nix
  ];
 }
--- a/services/nix-cache/nix-serve.nix
+++ b/services/nix-cache/nix-serve.nix
@ -0,0 +1,12 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."cache-secret" = {
+    sopsFile = ../../secrets/nix-cache01/cache-secret;
+    format = "binary";
+  };
+  services.nix-serve = {
+    enable = true;
+    package = pkgs.nix-serve-ng;
+    secretKeyFile = config.sops.secrets.cache-secret.path;
+  };
+}
--- a/services/nix-cache/proxy.nix
+++ b/services/nix-cache/proxy.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  services.caddy = {
+    enable = true;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        acme_ca https://ca.home.2rjus.net/acme/acme/directory
+      }
+
+      nix-cache.home.2rjus.net {
+        log {
+          output file /var/log/caddy/nzbget.log
+        }
+        reverse_proxy http://localhost:5000
+      }
+    '';
+  };
+}
--- a/services/ns/zones-home-2rjus-net.conf
+++ b/services/ns/zones-home-2rjus-net.conf
@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
@       IN      SOA     ns1.home.2rjus.net.      admin.test.2rjus.net. (
-                        2046                    ; serial number
+                        2047                    ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
@ -57,6 +57,7 @@ ca                  IN      A       10.69.13.12
 monitoring01        IN      A       10.69.13.13
 jelly01             IN      A       10.69.13.14
 nix-cache01         IN      A       10.69.13.15
+nix-cache           IN      CNAME   nix-cache01

 ; http-proxy cnames
 nzbget              IN      CNAME   http-proxy
--- a/system/default.nix
+++ b/system/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./monitoring
    ./packages.nix
+    ./nix.nix
    ./root-user.nix
    ./root-ca.nix
    ./sops.nix
--- a/system/nix.nix
+++ b/system/nix.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+
+  nix.settings.trusted-substituters = [
+    "https://nix-cache.home.2rjus.net"
+    "https://cache.nixos.org"
+    "https://cuda-maintainers.cachix.org"
+  ];
+  nix.settings.substituters = [
+    "https://nix-cache.home.2rjus.net"
+    "https://cache.nixos.org"
+    "https://cuda-maintainers.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
+    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+  ];
+}