feat(cache): change to nix-serve-ng

klarkc · Dec 20, 2023 · aa9d4f8 · aa9d4f8
1 parent 3dd316c
commit aa9d4f8
Show file tree

Hide file tree

Showing 6 changed files with 99 additions and 125 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,12 +3,12 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     generators.url = "github:nix-community/nixos-generators";
     agenix.url = "github:ryantm/agenix";
-    attic.url = "github:zhaofengli/attic";
+    nix-serve-ng.url = github:aristanetworks/nix-serve-ng;
     everyday.url = "github:klarkc/nixos-everyday";
     # optimizations
     generators.inputs.nixpkgs.follows = "nixpkgs";
-    attic.inputs.nixpkgs.follows = "nixpkgs";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    nix-serve-ng.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, ... }@inputs:

diff --git a/secrets/cache.age b/secrets/cache.age
diff --git a/secrets/env.age b/secrets/env.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -1,4 +1,4 @@
 let klarkc = builtins.readFile ./klarkc.pub; in
 {
-  "env.age".publicKeys = [ klarkc ];
+  "cache.age".publicKeys = [ klarkc ];
 }
diff --git a/setups/cache/default.nix b/setups/cache/default.nix
@@ -2,59 +2,54 @@
 let
   inherit (flake.inputs.generators.nixosModules) vm-nogui;
   inherit (flake.inputs.everyday.nixosModules) logger host-keys;
-  inherit (flake.inputs.attic.nixosModules) atticd;
   inherit (flake.outputs.lib) mkSystem secrets;
   agenix = flake.inputs.agenix.nixosModules.default;
-  domain = "cache.klarkc.is-a.dev";
+  nix-serve = flake.inputs.nix-serve-ng.nixosModules.default;
+  domain = "wcasa.wifizone.org";
   home = "/home/klarkc";
-  port = 8080;
-  cache-module = { config, ... }: {
-    imports = [ logger atticd vm-nogui agenix host-keys ];
-    # cd secrets
-    # echo -n 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="' > env
-    # openssl rand 64 | base64 -w0 >> env
-    # echo -n '"' >> env
-    # cat env | nix run github:ryantm/agenix -- -e env.age -i ~/.ssh/id_ed25519
-    # cp ~/.ssh/id_ed25519.pub klarkc.pub
-    age.secrets.env.file = "${secrets}/env.age";
-    services.atticd.credentialsFile = config.age.secrets.env.path;
-    host-keys.source = "${home}/.ssh";
-    system.stateVersion = config.system.nixos.version;
-    fileSystems."/".device = "none";
-    boot.loader.grub.device = "nodev";
-    services.atticd = {
-      enable = true;
-      settings = {
-        listen = "[::]:8080";
-        chunking = {
-          nar-size-threshold = 64 * 1024; # 64 KiB
-          min-size = 16 * 1024; # 16 KiB
-          avg-size = 64 * 1024; # 64 KiB
-          max-size = 256 * 1024; # 256 KiB
-        };
+  cache-module = { config, ... }:
+    let
+      inherit (config.services.nix-serve) port;
+    in
+    {
+      imports = [ logger nix-serve vm-nogui agenix host-keys ];
+      # cd secrets
+      # nix-store --generate-binary-cache-key wcasa.wifizone.org ./cache ./cache.skey
+      # cat cache | nix run github:ryantm/agenix -- -e cache.age -i ~/.ssh/id_ed25519
+      # cp ~/.ssh/id_ed25519.pub klarkc.pub
+      age.secrets.cache.file = "${secrets}/cache.age";
+      host-keys.source = "${home}/.ssh";
+      system.stateVersion = config.system.nixos.version;
+      fileSystems."/".device = "none";
+      boot.loader.grub.device = "nodev";
+      services.nix-serve = {
+        enable = true;
+        secretKeyFile = config.age.secrets.cache.path;
       };
-    };
-    networking.firewall.allowedTCPPorts = [
-      80
-      port
-    ];
-    virtualisation.forwardPorts = [
-      { from = "host"; host.port = port; guest.port = port; }
-    ];
-    # Web server
-    services.nginx = {
-      virtualHosts.${domain} = {
-        forceSSL = true;
-        enableACME = true;
-        locations."/".extraConfig = ''
-          proxy_pass http://localhost:${port};
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        '';
+      users.users.cache = {
+        password = "cache";
+        isNormalUser = true;
+        home = "/home/cache";
+        extraGroups = [ "wheel" ];
+      };
+      networking.firewall.allowedTCPPorts = [ port ];
+      virtualisation.forwardPorts = [
+        { from = "host"; host.port = port; guest.port = port; }
+      ];
+      # Web server
+      services.nginx = {
+        virtualHosts.${domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".extraConfig = ''
+            proxy_pass http://localhost:${config.services.nix-serve.port};
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          '';
+        };
       };
     };
-  };
 in
 rec {
   modules.cache = cache-module;