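# temporary machine for local binary cache proxy during VolgaSprint
#
# Serves the store paths pushed to /var/public-nix-cache directly and
# forwards misses to cache.nixos.org through an nginx proxy cache.
{ depot, lib, pkgs, ... }: # readTree options
{ config, ... }: # passed by module system
let
  mod = name: depot.path.origSrc + ("/ops/modules/" + name);

  # Shared "proxy to upstream and cache the answer" location. It is used
  # both as the 404 fallback for "/" and for the exact "/nix-cache-info"
  # path (which must always come from upstream, see the comment on that
  # location), so it is defined once to keep the two from drifting apart.
  upstreamProxyLocation = {
    proxyPass = "$upstream_endpoint";
    extraConfig = ''
      proxy_cache cachecache;
      proxy_cache_valid 200 302 60d;
      expires max;
      add_header Cache-Control $cache_header always;
    '';
  };
in
{
  imports = [
    (mod "tvl-users.nix")
  ];

  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
    loader = {
      grub.enable = false;
      generic-extlinux-compatible.enable = true;
    };
  };

  depot.auto-deploy = {
    enable = true;
    interval = "hourly";
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    # External disk holding the locally pushed store paths that nginx serves.
    "/var/public-nix-cache" = {
      device = "/dev/sda1";
      fsType = "ext4";
    };
  };

  networking = {
    firewall = {
      enable = true;
      # NOTE(review): 8098 matches the WireGuard peer's *endpoint* port below,
      # but WireGuard is UDP and this host sets no listenPort, so a local TCP
      # rule for it does nothing useful unless some other service listens
      # there — confirm, and drop it otherwise.
      allowedTCPPorts = [ 80 443 8098 ];
    };
    hostName = "volgacache";
    domain = "volgasprint.org";
    wireless = {
      enable = true;
      # NOTE(review): a literal psk here is copied into the world-readable Nix
      # store and into the generated wpa_supplicant.conf; if that matters for
      # this network, networking.wireless.environmentFile with an "@VAR@"
      # placeholder keeps the secret out of the store.
      networks.VolgaSprint.psk = "nixos-unstable";
      interfaces = [ "wlan0" ];
    };
    wg-quick.interfaces = {
      wg0 = {
        address = [ "10.10.10.2/24" "fd42::1/128" ];
        dns = [ "1.1.1.1" ];
        # Key material lives outside the store; both files must exist on the
        # host before the interface can come up.
        privateKeyFile = "/etc/wireguard_private_key";
        peers = [
          {
            publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
            presharedKeyFile = "/etc/wireguard_preshared_key";
            # Full tunnel: all IPv4 and IPv6 traffic is routed via the peer.
            allowedIPs = [ "0.0.0.0/0" "::/0" ];
            endpoint = "195.201.63.240:8098";
            persistentKeepalive = 15;
          }
        ];
      };
    };
  };

  services.openssh.enable = true;

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # NOTE(review): the proxy cache lives under /tmp, which may be subject to
    # tmpfiles ageing (and is tmpfs when boot.tmp.useTmpfs is set), so a
    # 20g / 365d cache there can be pruned behind nginx's back; a path under
    # /var/cache/nginx would be more durable — confirm before moving it.
    appendHttpConfig = ''
      proxy_cache_path /tmp/pkgcache levels=1:2 keys_zone=cachecache:100m max_size=20g inactive=365d use_temp_path=off;
      # Cache only success status codes; in particular we don't want to cache 404s.
      # See https://serverfault.com/a/690258/128321
      map $status $cache_header {
        200 "public";
        302 "public";
        default "no-cache";
      }
      access_log /var/log/nginx/access.log;
    '';

    virtualHosts."cache.volgasprint.org" = {
      # NOTE(review): none of addSSL/forceSSL/onlySSL is set, so the NixOS
      # nginx module emits neither a 443 listener nor ssl_* directives for
      # this vhost: the three ssl* paths below are currently inert and the
      # cache is served over plain HTTP only. Also, sslCertificate points at
      # key.pem — the same file as sslCertificateKey — so confirm the intended
      # certificate file before enabling TLS, or nginx will refuse to start.
      sslCertificate = "/etc/ssl/cache.volgasprint.org/key.pem";
      sslCertificateKey = "/etc/ssl/cache.volgasprint.org/key.pem";
      sslTrustedCertificate = "/etc/ssl/cache.volgasprint.org/chain.pem";

      # Serve locally pushed paths first; anything missing goes upstream.
      locations."/" = {
        root = "/var/public-nix-cache";
        extraConfig = ''
          expires max;
          add_header Cache-Control $cache_header always;
          # Ask the upstream server if a file isn't available locally
          error_page 404 = @fallback;
        '';
      };

      # NOTE(review): upstream is fetched over plain HTTP. Nix clients verify
      # narinfo signatures by default, but https://cache.nixos.org (with
      # `proxy_ssl_server_name on;`) would additionally protect the copies
      # this mirror caches from in-transit tampering.
      extraConfig = ''
        # Using a variable for the upstream endpoint to ensure that it is
        # resolved at runtime as opposed to once when the config file is loaded
        # and then cached forever (we don't want that):
        # see https://tenzer.dk/nginx-with-dynamic-upstreams/
        # This fixes errors like
        # nginx: [emerg] host not found in upstream "upstream.example.com"
        # when the upstream host is not reachable for a short time when
        # nginx is started.
        resolver 80.67.169.12; # fdn dns
        set $upstream_endpoint http://cache.nixos.org;
      '';

      locations."@fallback" = upstreamProxyLocation;

      # We always want to copy cache.nixos.org's nix-cache-info file,
      # and ignore our own, because `nix-push` by default generates one
      # without `Priority` field, and thus that file by default has priority
      # 50 (compared to cache.nixos.org's `Priority: 40`), which will make
      # download clients prefer `cache.nixos.org` over our binary cache.
      locations."= /nix-cache-info" = upstreamProxyLocation;
    };
  };

  hardware.enableRedistributableFirmware = true;
  system.stateVersion = "23.11";
}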