diff --git a/.sops.yaml b/.sops.yaml
index 1ec27cd..14ebb91 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -49,3 +49,8 @@ creation_rules:
 - age:
 - *admin_torjus
 - *server_ca
+ - path_regex: secrets/nix-cache01/.+
+ key_groups:
+ - age:
+ - *admin_torjus
+ - *server_nix-cache01
diff --git a/secrets/nix-cache01/cache-secret b/secrets/nix-cache01/cache-secret
new file mode 100644
index 0000000..6ba2717
--- /dev/null
+++ b/secrets/nix-cache01/cache-secret
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ0dGckxKMmZsM1JER3Qx\nYkRhb282OFlFSmRrNmU3c0dIYitmbHE1bHlFCnhpK0pCRlhlTlpBTHl6aU53blBP\nNGFuejRjOFhPWnhvUURPMzY1V1A5ZnMKLS0tIGhMSWhxVWtCbXd0Vnh6N1J1STBT\nVDRzWURscjNYT21kMzRYVnZDQlkreVkKMkRqbGfHd2/bRf8on8eqoJpFI8i9vMDK\ni0Lrw7Zpw0D1Arzq6rA8YGyAqboV4ixQVUjlrL8cJv9n3/8geCfOAQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUt5VHBWY3NiR2U4MXVX\nREpLZXIxaDNSc2FmdEZkclNEeHdkSzBEdDI4CjNiS0xMV1hjMmxVd1QwekFXT29k\nMXIrQ2VIMTR2ejJWaGd2S00zQWVKVHcKLS0tIER1azhRRHVRZzJuQU5xL3hZb1lR\nZlN3NGV2a1c2M1AwSW1JeldOTkhRMjAKGDk5neEcVzSPtauiiqxkOaqaCj/+jzUk\nEE8g9XQuK5xAIxFlvqPilgo59VOL335VjUJZqGgFxfc7TvhZQTSAaQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-01-24T12:19:16Z", + "mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.3" + } +} \ No newline at end of file diff --git a/services/nix-cache/build-flakes.nix b/services/nix-cache/build-flakes.nix index 155bc35..808749d 100644 --- a/services/nix-cache/build-flakes.nix 
+++ b/services/nix-cache/build-flakes.nix
@@ -28,7 +28,7 @@ in
 {
 systemd.services."build-flakes" = {
 serviceConfig = {
- Type = "oneshot";
+ Type = "exec";
 ExecStart = "${build-flake-script}/bin/build-flake-script";
 };
 };
@@ -36,7 +36,7 @@ in
 enable = true;
 wantedBy = [ "timers.target" ];
 timerConfig = {
- OnCalendar = "Sun 06:00:00";
+ OnCalendar = "*-*-* *:30:00";
 };
 };
 }
diff --git a/services/nix-cache/default.nix b/services/nix-cache/default.nix
index ea56849..5f6e1c4 100644
--- a/services/nix-cache/default.nix
+++ b/services/nix-cache/default.nix
@@ -2,5 +2,7 @@
 {
 imports = [
 ./build-flakes.nix
+ ./nix-serve.nix
+ ./proxy.nix
 ];
 }
diff --git a/services/nix-cache/nix-serve.nix b/services/nix-cache/nix-serve.nix
new file mode 100644
index 0000000..e1771e9
--- /dev/null
+++ b/services/nix-cache/nix-serve.nix
@@ -0,0 +1,12 @@
+{ pkgs, config, ... }:
+{
+ sops.secrets."cache-secret" = {
+ sopsFile = ../../secrets/nix-cache01/cache-secret;
+ format = "binary";
+ };
+ services.nix-serve = {
+ enable = true;
+ package = pkgs.nix-serve-ng;
+ secretKeyFile = config.sops.secrets.cache-secret.path;
+ };
+}
diff --git a/services/nix-cache/proxy.nix b/services/nix-cache/proxy.nix
new file mode 100644
index 0000000..b392ac1
--- /dev/null
+++ b/services/nix-cache/proxy.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ services.caddy = {
+ enable = true;
+ configFile = pkgs.writeText "Caddyfile" ''
+ {
+ acme_ca https://ca.home.2rjus.net/acme/acme/directory
+ }
+
+ nix-cache.home.2rjus.net {
+ log {
+ output file /var/log/caddy/nzbget.log
+ }
+ reverse_proxy http://localhost:5000
+ }
+ '';
+ };
+}
diff --git a/services/ns/zones-home-2rjus-net.conf b/services/ns/zones-home-2rjus-net.conf
index 0468b58..d13909f 100644
--- a/services/ns/zones-home-2rjus-net.conf
+++ b/services/ns/zones-home-2rjus-net.conf
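Review bot: The switch from `Type = "oneshot"` to `Type = "exec"` in the first hunk is unexplained, and it changes what a timer activation means: the unit counts as started as soon as the script has been exec'd, so a failing build surfaces only afterwards in the unit's final state rather than at activation, and `oneshot` is the type systemd documents for timer-driven batch jobs. If the intent is to stop `systemctl start build-flakes` from blocking for the whole build, record that next to the line: `Type = "exec"; # don't block the starter for the length of a build; a non-zero exit still leaves the unit failed`. Now that the timer fires every hour rather than weekly, a run that overlaps the next `:30` is simply skipped while the unit is active, which is probably fine but worth a comment too. Both hunks sit inside an attribute set whose `let … in` opens before the first hunk.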
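Review bot: `services.nix-serve` keeps the module's default bind address (0.0.0.0 in nixpkgs), so the plaintext HTTP listener on port 5000 that Caddy proxies to is also reachable directly on every interface unless the host firewall happens to block it; pin it to loopback next to `enable = true;` with `bindAddress = "127.0.0.1";` so the TLS vhost in proxy.nix is the only way in. The sops secret is created with sops-nix's defaults (root-owned, mode 0400); recent NixOS nix-serve modules hand the key to the daemon through `LoadCredential`, which copes with that, but if the nixpkgs revision in use runs nix-serve as an unprivileged user and opens `secretKeyFile` itself, the secret needs `owner`/`mode` set for that user — confirm against the deployed module. A one-line comment on `secretKeyFile` saying this is the private half of the `nix-cache.home.2rjus.net-1` key pinned fleet-wide would also help the next reader.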
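Review bot: The access log for the `nix-cache.home.2rjus.net` site is written to `/var/log/caddy/nzbget.log`, which looks copied from another vhost and will either interleave this cache's requests with nzbget's or be mistaken for them when someone investigates; rename it to `output file /var/log/caddy/nix-cache.log`. The `acme_ca` directory on the internal CA only works if Caddy trusts that CA's root for the ACME handshake, presumably via the `root-ca.nix` imported from `system/default.nix`; a short comment pointing at that dependency would save a debugging session when a fresh host fails to obtain a certificate.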
@@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
 @ IN SOA ns1.home.2rjus.net. admin.test.2rjus.net. (
- 2046 ; serial number
+ 2047 ; serial number
 3600 ; refresh
 900 ; retry
 1209600 ; expire
@@ -57,6 +57,7 @@ ca IN A 10.69.13.12
 monitoring01 IN A 10.69.13.13
 jelly01 IN A 10.69.13.14
 nix-cache01 IN A 10.69.13.15
+nix-cache IN CNAME nix-cache01
 
 ; http-proxy cnames
 nzbget IN CNAME http-proxy
diff --git a/system/default.nix b/system/default.nix
index 353f251..97e95c7 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./monitoring
 ./packages.nix
+ ./nix.nix
 ./root-user.nix
 ./root-ca.nix
 ./sops.nix
diff --git a/system/nix.nix b/system/nix.nix
new file mode 100644
index 0000000..640ce32
--- /dev/null
+++ b/system/nix.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+
+ nix.settings.trusted-substituters = [
+ "https://nix-cache.home.2rjus.net"
+ "https://cache.nixos.org"
+ "https://cuda-maintainers.cachix.org"
+ ];
+ nix.settings.substituters = [
+ "https://nix-cache.home.2rjus.net"
+ "https://cache.nixos.org"
+ "https://cuda-maintainers.cachix.org"
+ ];
+ nix.settings.trusted-public-keys = [
+ "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+ ];
+}
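Review bot: Every host importing this module now accepts any store path signed with `nix-cache.home.2rjus.net-1`, and nix-serve signs whatever is in nix-cache01's store at serve time, so fleet integrity rests on what can reach that store — the flake inputs pulled by the hourly `build-flakes` job included — not only on the sops-protected key, and none of that is written down here. Add a comment above the key: `# nix-cache01 signing key; private half is secrets/nix-cache01/cache-secret (sops). nix-serve signs anything in nix-cache01's store, so every host trusts whatever lands there.` The `cuda-maintainers.cachix.org` entry pins a community-run cache's key on every host as well; if only some machines need those paths, keep it to those hosts. `trusted-substituters` duplicating `substituters` is harmless but only matters for unprivileged users passing `--substituters`; a one-line comment saying so stops the next reader from "deduplicating" it.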