uninsane: enable nix-cache

note that the other machines can't easily use it unitl i upgrade to nixos-22.05
2022-05-28 03:36:59 -07:00 · 2022-05-28 03:36:59 -07:00 · 6318e66314
commit 6318e66314
parent e9b5ef29c3
5 changed files with 43 additions and 1 deletions
--- a/helpers/universal/nix-cache.nix
+++ b/helpers/universal/nix-cache.nix
@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  # use our own binary cache
+  nix.settings = {
+    substituters = [
+      "https://nixcache.uninsane.org"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}
--- a/machines/uninsane/default.nix
+++ b/machines/uninsane/default.nix
@ -14,6 +14,7 @@
    ./services/jellyfin.nix
    ./services/matrix.nix
    ./services/nginx.nix
+    ./services/nix-serve.nix
    ./services/pleroma.nix
    ./services/postfix.nix
    ./services/postgres.nix
--- a/machines/uninsane/services/nginx.nix
+++ b/machines/uninsane/services/nginx.nix
@ -1,5 +1,5 @@
 # docs: https://nixos.wiki/wiki/Nginx
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:

 {
  services.nginx.enable = true;
@ -220,6 +220,17 @@
    forceSSL = true;
    enableACME = true;
  };
+  services.nginx.virtualHosts."nixcache.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    # serverAliases = [ "nixcache" ];
+    locations."/".extraConfig = ''
+      proxy_pass http://localhost:${toString config.services.nix-serve.port};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    '';
+  };

  security.acme.acceptTerms = true;
  security.acme.email = "acme@uninsane.org";
--- a/machines/uninsane/services/nix-serve.nix
+++ b/machines/uninsane/services/nix-serve.nix
@ -0,0 +1,12 @@
+# docs: https://nixos.wiki/wiki/Binary_Cache
+# to copy something to this machine's nix cache, do:
+#   nix copy --to ssh://nixcache.uninsane.org PACKAGE
+{ secrets, ... }:
+
+{
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;
+    #  "/var/cache-priv-key.pem";
+  };
+}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -29,4 +29,7 @@
  # use nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "my passwd" to generate the password
  dovecot.hashedPasswd.colin = "<REPLACEME>";
  dovecot.hashedPasswd.matrix-synapse = "<REPLACEME>";
+
+  # generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem
+  nix-serve.cache-priv-key = "<REPLACEME>";
 } // import ./local.nix