feat(ops/machines): add temporary VolgaSprint cache machine r/8580

Change-Id: I5b5bb98f591e7bf3b1f16673f7f670b758444066
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12327
Reviewed-by: mrflos <mrflos@yeswiki.pro>
Tested-by: BuildkiteCI

2 files changed, 149 insertions, 0 deletions

diff --git a/ops/machines/volgasprint-cache/default.nix b/ops/machines/volgasprint-cache/default.nix
new file mode 100644
index 000000000000..536a7f6ce265
--- /dev/null
+++ b/ops/machines/volgasprint-cache/default.nix
@@ -0,0 +1,148 @@
+# temporary machine for local binary cache proxy during VolgaSprint
+
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+  imports = [
+    (mod "tvl-users.nix")
+  ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    "/var/public-nix-cache" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+  };
+
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 8098 ];
+    };
+
+    hostName = "cache";
+    domain = "volgasprint.org";
+
+    wireless = {
+      enable = true;
+      networks.VolgaSprint.psk = "nixos-unstable";
+      interfaces = [ "wlan0" ];
+    };
+
+    wg-quick.interfaces = {
+      wg0 = {
+        address = [ "10.10.10.2/24" "fd42::1/128" ];
+        dns = [ "1.1.1.1" ];
+        privateKeyFile = "/etc/wireguard_private_key";
+
+        peers = [
+          {
+            publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
+            presharedKeyFile = "/etc/wireguard_preshared_key";
+            allowedIPs = [ "0.0.0.0/0" "::/0" ];
+            endpoint = "195.201.63.240:8098";
+            persistentKeepalive = 15;
+          }
+        ];
+      };
+    };
+  };
+
+  services.openssh.enable = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    appendHttpConfig = ''
+      proxy_cache_path /tmp/pkgcache levels=1:2 keys_zone=cachecache:100m max_size=20g inactive=365d use_temp_path=off;
+
+      # Cache only success status codes; in particular we don't want to cache 404s.
+      # See https://serverfault.com/a/690258/128321
+      map $status $cache_header {
+      200     "public";
+      302     "public";
+      default "no-cache";
+      }
+      access_log /var/log/nginx/access.log;
+    '';
+
+    virtualHosts."cache.volgasprint.org" = {
+      sslCertificate = "/etc/ssl/cache.volgasprint.org/key.pem";
+      sslCertificateKey = "/etc/ssl/cache.volgasprint.org/key.pem";
+      sslTrustedCertificate = "/etc/ssl/cache.volgasprint.org/chain.pem";
+
+      locations."/" = {
+        root = "/var/public-nix-cache";
+        extraConfig = ''
+          expires max;
+          add_header Cache-Control $cache_header always;
+          # Ask the upstream server if a file isn't available locally
+          error_page 404 = @fallback;
+        '';
+      };
+
+      extraConfig = ''
+        # Using a variable for the upstream endpoint to ensure that it is
+        # resolved at runtime as opposed to once when the config file is loaded
+        # and then cached forever (we don't want that):
+        # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+        # This fixes errors like
+        #   nginx: [emerg] host not found in upstream "upstream.example.com"
+        # when the upstream host is not reachable for a short time when
+        # nginx is started.
+        resolver 80.67.169.12; # fdn dns
+        set $upstream_endpoint http://cache.nixos.org;
+      '';
+
+      locations."@fallback" = {
+        proxyPass = "$upstream_endpoint";
+        extraConfig = ''
+          proxy_cache cachecache;
+          proxy_cache_valid  200 302  60d;
+          expires max;
+          add_header Cache-Control $cache_header always;
+        '';
+      };
+
+      # We always want to copy cache.nixos.org's nix-cache-info file,
+      # and ignore our own, because `nix-push` by default generates one
+      # without `Priority` field, and thus that file by default has priority
+      # 50 (compared to cache.nixos.org's `Priority: 40`), which will make
+      # download clients prefer `cache.nixos.org` over our binary cache.
+      locations."= /nix-cache-info" = {
+        # Note: This is duplicated with the `@fallback` above,
+        # would be nicer if we could redirect to the @fallback instead.
+        proxyPass = "$upstream_endpoint";
+        extraConfig = ''
+          proxy_cache cachecache;
+          proxy_cache_valid  200 302  60d;
+          expires max;
+          add_header Cache-Control $cache_header always;
+        '';
+      };
+    };
+  };
+
+  hardware.enableRedistributableFirmware = true;
+  system.stateVersion = "23.11";
+}
diff --git a/ops/nixos.nix b/ops/nixos.nix
index 1442d89b30c1..c0410046c626 100644
--- a/ops/nixos.nix
+++ b/ops/nixos.nix
@@ -63,5 +63,6 @@ in rec {
   whitbySystem = (nixosFor depot.ops.machines.whitby).system;
   sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
   nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system;
+  volgaSprintCacheSystem = (nixosFor depot.ops.machines.volgasprint-cache).system;
   meta.ci.targets = [ "sandunySystem" "whitbySystem" "nixeryDev01System" ];
 }