mirror of
https://github.com/Gerg-L/nixos.git
synced 2025-12-10 00:43:56 -05:00
builder substituter setup rework
This commit is contained in:
parent
c0bf5b79de
commit
92cfe9d05f
SSH key fingerprint:
SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
5 changed files with 94 additions and 63 deletions
|
|
@ -8,7 +8,6 @@
|
|||
}:
|
||||
{
|
||||
local = {
|
||||
remoteBuild.isBuilder = true;
|
||||
DE.dwm.enable = true;
|
||||
DM = {
|
||||
lightdm.enable = true;
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQt
|
|||
searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
|
||||
minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
|
||||
gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
|
||||
store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str]
|
||||
store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str]
|
||||
github_token: ENC[AES256_GCM,data:nIWnOvoO8jcoPvKIF4TDdMZxO5H+mAEjLOfQpPmIh0gUSHjadFCwdI0FpMN3D/+8zUXVuAWd2FfCdzKIxGApGqlXAn3aajkUeBK8rYF554COuxa4B43SjRlfvanCZyfsbxzFxoO1RDlzHUMUSzYgFE8wdvj804luIA==,iv:OcRPCZP3KIKv+OuS28jIEp5zQyFw/41gMMdPBVj5N9w=,tag:t+oJDxqwyFU92kDh0ot+6w==,type:str]
|
||||
gerg_ssl_key: ENC[AES256_GCM,data:F51mBHbLzfgJ8SdFQwxRIHOfG/iYi35EwOzQ/PlWkI6VzAGoFn3K/Team1dMAS62CxIq96WByqctLhfgNl/sI63LT9KoGAKV/8sLKXav9FtVJlrsqWCCswMRV95ia6vUj6yiqCdX2qgawq+sYO1ztUu5pTfvG2DEO+2r+SXCFPBARJ5CQl39i+clnyjVSsZLHlRwdqSG5uzfNyjMand/0jgQ6yxFExaqahSiyf20H7liK0G8vnv4R4X1Gs+6Cqm2nMRy89rSLVndoX+IH7tvfjxMB+oHJkjdYqcznfUuIDeRMTxeQq6RiQuSmBYgPfYBWenMgMgt0IiuTRxfCdShjveDGXJr1lO8ZkmxPV6VUgL7stbRUs+UkWgpct7cUbgwcsbdgUvo3SiHRDHikqAJgWihV3V8jOUBsJrNbCyam999cZtyTCHRxnpHYR+zEfqA4823c9tW6KYQRr+FW8mHYxGCPLyDgXzCsNYf3bOzkKx6UIw5iNjRfQIPVlQinJtTfcYY20CXn25k+V15wRWMvs2QrOWj7qdssIyPgDalb70mj0lrLbdceHWW6JTmHiSQAjFK1pYEmXIEa9G1jES3Zq3G9Ty0/XUmt3yGUJr2TBQxhDbryr5Kd6PLfIrHBh/msw1QlSbdSv4a4BeGos1qD0HJgXrE/xqHPCUX07wCYpXVeEHR5OXF0SVgc6dCWo+s5iE7AggS4j3dKqZoDV2l0rZGI7RQvf8BoEAl+RwsCgrgY2zo7qeSb12NVP8Kb/wA0hIWT3IFrj4wLyk93vjsHwdbt9QJWf7yAFqIkB3y2MwPGQdn0s88FzZTeZCqDo+Q2vH0+GhzNozg1NV6XorV8kRO5t0hTM8fw8PGFdt7cUm1PGg60Fg5lBOs3t/y9OFDZcfsgEuxnOwZeslzkPmnLHf3DBPizdc2XCXuYmEKGiBiiFSC+zJF6+3S9W9/6uHvHEffJrIRSPxC4ElDfyvpxxY4kA5BMCXALpkYDaDCRPQSpu1EF1bi0mBSONHl6in+aYr1leVG185n+AOR3SsaY8jftN/rU4VxV2W5zszx2KZk/LzAjoDAZbBHgBVgY7KsD8Zs2+TBJppnxg35S4s0+PRQM/0t7mFfSNGv75ih98UX9jzvIpb/evR5vD8ImUJy1BzO1nVyzKHQiILETixxz6kRMDUlvP6OpsBXcAWR0w0AKX4irAXT6xVyaSYfIBIJuwzE/mN68kNhPT62eaFnTUTV7KLf7yM/3+blXHcELtEVO2z1WcC3QJZNTA9WVTli+YTeJ//2M5gyBKOAQ3bfYeNz8mubxJQh0XpZaVdUu6TGVG3bIjbj0ixnnuAt6IVlZQK74h/Ah542oSuqLclrXlmNYn5vU5OdxjRgThZZKhZFoqiY+W79OulXDzSbhlMvI5tiGGjiIc31iFSKS0JYyISt1jdiwogv/b8/d7whQCwh9IvG7loKFsPBP2NgW6hYlixqcdaSpP9S7hrG54BPZe2o2S0Ci3BMasits2WFr6u7Qsx1AvuWyJ/rO+llmuvWVl64WNQxi8EYKiMJx0QI3Pr1Od66wVir/LtAlR04vsNHAvzM6gjuQYefWV9X2cXlklbGJYrE/9DCWr8fvUzmh659/81d2+CCkd7jxxFh8BHTR7oFHhM/H21BEUzOSu35vrMTPwy8y4mLhywNqmbLdOiOIGgkw4g+q5r4v9Byf15PqGcR02K+TmpQpF3HIpnv/3UH3lD4TtjIzWocTIdlKuriHsZcIIlHDxoWj/2mlo6+QxOiiTyR0jhQA372T2tlEo5/v3VFDuWikrBhgnmVe5zngkTqUUghrucbxJDDsehlwzSbrcczvYGwSNYu+DdS+57WDUGoLTJ7oOWovz5XCbV11LOQUNP8TYP597YzeV/eVguYvjUoSqSmo0m6kHGkhLZWbWyZrl7e2F7cOf+S6cdheREkp2Q/Eet8/B9fVWxRBBTXTLnOCC2q/Y1A9Ls+lpW4OXYO7QJjQAx9SKXfrjGgujrXH7oLMxQZfORwjnZzT1LQU7T0wNhQvZLHmUoA0VRZdSxSqEWlEjSF0eJjx/SNoKOacinHTCiT3r0P0cKmIypENef9czRURKgiunmlvSgQ5jOeu2C69KmF9Qau5YnRt6rXjkJzu+lji5ArVfkDxDG+mx5dtVSxwovbdAh065JDHo52ROaXLCb3nfFWKWSgoemYXrsbH9lT4/Ro3P2JC+iDeJFwz4r9OjTvPDWh9YTfzOlhfvg7m+2lg9vV74gmXd+IgSKh,iv:aE4/hxhfju3jJXjwK0TrfI/cbLsFgDEDspg2zTgqo4M=,tag:LAmit77WTZnpoCX1iuhkbQ==,type:str]
|
||||
|
|
@ -25,8 +25,8 @@ sops:
|
|||
dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
|
||||
MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-21T19:08:47Z"
|
||||
mac: ENC[AES256_GCM,data:/oeiVvzik1o3T0T6HlaNq16ZnZ2Fb0YhNDZ8pT2G/SHtpfz3ELjS/1yj8tfZjt2YOBlM1TrYN4+Yr0yJr7vhekWtpCZvN4I+FHrrnlyWGohg7quScArdXjVD+zWcahG41Q2Qu8ffmSARKf+aR3WpjcWnO6ueD5hXO4xm5es9wl0=,iv:gCLxoO13p/5da0VwP5LSlaL6vcMNaYzML5T5ejutf30=,tag:zHVoAS0FUJxFLhChjnfBpQ==,type:str]
|
||||
lastmodified: "2024-06-29T16:39:17Z"
|
||||
mac: ENC[AES256_GCM,data:bLgrdArl7eSHIAyyBeYH5riD81VschZ4bdrq1ppQ3Ru7EucA4SqDNGXVkny0JA/U+3A8W1llRmAWH/BDCg11vSwIQ9YhmVVs1MSkmCBKQRSmX6t4UaWzPTNG6+HbIuSGcpvZvPO3iYg9u43kYRSz3zOjTVll7w1nzvlcpM7AOD8=,iv:mVj0SprdijAfsojC4fvAJjMY6Jp/K00JG5SRbVDpX84=,tag:6nfJmY5UEMCHuZ0GOvw0Kw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
|||
|
|
@ -58,6 +58,12 @@
|
|||
sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
|
||||
locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
|
||||
};
|
||||
"cache.gerg-L.com" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
|
||||
sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
|
||||
locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
|
|
|
|||
78
hosts/gerg-desktop/services/nix-serve.nix
Normal file
78
hosts/gerg-desktop/services/nix-serve.nix
Normal file
|
|
@ -0,0 +1,78 @@
|
|||
{ config, pkgs }:
|
||||
{
|
||||
sops.secrets.store_key.owner = "nix-serve";
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
builder = { };
|
||||
nix-serve = { };
|
||||
};
|
||||
users = {
|
||||
|
||||
${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
|
||||
builder = {
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
|
||||
group = "builder";
|
||||
};
|
||||
nix-serve = {
|
||||
isSystemUser = true;
|
||||
group = "nix-serve";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.extraConfig = ''
|
||||
Match User builder
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
PermitTTY no
|
||||
PermitTunnel no
|
||||
X11Forwarding no
|
||||
Match All
|
||||
'';
|
||||
|
||||
nix.settings = {
|
||||
trusted-users = [
|
||||
"builder"
|
||||
"nix-ssh"
|
||||
];
|
||||
allowed-users = [ "nix-serve" ];
|
||||
keep-outputs = true;
|
||||
keep-derivations = true;
|
||||
secret-key-files = config.sops.secrets.store_key.path;
|
||||
};
|
||||
|
||||
systemd.services.nix-serve = {
|
||||
description = "nix-serve binary cache server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
path = [
|
||||
config.nix.package
|
||||
pkgs.bzip2
|
||||
pkgs.nix-serve-ng
|
||||
];
|
||||
|
||||
environment = {
|
||||
NIX_REMOTE = "daemon";
|
||||
NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
|
||||
};
|
||||
|
||||
script = ''
|
||||
nix-serve --socket /run/nix-serve/nix-serve.sock &
|
||||
PID=$!
|
||||
sleep 1
|
||||
chmod 660 /run/nix-serve/nix-serve.sock
|
||||
wait "$PID"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
RestartSec = "5s";
|
||||
User = "nix-serve";
|
||||
Group = "nix-serve";
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ];
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue