builder substituter setup rework

2025-12-10 00:43:56 -05:00 · 2024-06-29 16:01:53 -04:00 · 2024-06-29 16:01:53 -04:00 · 92cfe9d05f
commit 92cfe9d05f
parent c0bf5b79de
5 changed files with 94 additions and 63 deletions
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@ -58,6 +58,12 @@
        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
        locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
      };
+      "cache.gerg-L.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+      };
    };
  };
  networking.firewall.allowedTCPPorts = [
--- a/hosts/gerg-desktop/services/nix-serve.nix
+++ b/hosts/gerg-desktop/services/nix-serve.nix
@ -0,0 +1,78 @@
+{ config, pkgs }:
+{
+  sops.secrets.store_key.owner = "nix-serve";
+
+  users = {
+    groups = {
+      builder = { };
+      nix-serve = { };
+    };
+    users = {
+
+      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
+      builder = {
+        isSystemUser = true;
+        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+        group = "builder";
+      };
+      nix-serve = {
+        isSystemUser = true;
+        group = "nix-serve";
+      };
+    };
+  };
+
+  services.openssh.extraConfig = ''
+    Match User builder
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      PermitTTY no
+      PermitTunnel no
+      X11Forwarding no
+    Match All
+  '';
+
+  nix.settings = {
+    trusted-users = [
+      "builder"
+      "nix-ssh"
+    ];
+    allowed-users = [ "nix-serve" ];
+    keep-outputs = true;
+    keep-derivations = true;
+    secret-key-files = config.sops.secrets.store_key.path;
+  };
+
+  systemd.services.nix-serve = {
+    description = "nix-serve binary cache server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    path = [
+      config.nix.package
+      pkgs.bzip2
+      pkgs.nix-serve-ng
+    ];
+
+    environment = {
+      NIX_REMOTE = "daemon";
+      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
+    };
+
+    script = ''
+      nix-serve --socket /run/nix-serve/nix-serve.sock &
+      PID=$!
+      sleep 1
+      chmod 660 /run/nix-serve/nix-serve.sock
+      wait "$PID"
+    '';
+
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "5s";
+      User = "nix-serve";
+      Group = "nix-serve";
+    };
+  };
+  systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ];
+}