port magic

2025-12-10 00:43:56 -05:00 · 2025-03-02 22:49:05 -05:00 · 2025-03-02 22:49:05 -05:00 · c7c87ec8b2
commit c7c87ec8b2
parent 7dad855bd8
8 changed files with 144 additions and 73 deletions
--- a/nixosConfigurations/gerg-desktop/services/nix-serve.nix
+++ b/nixosConfigurations/gerg-desktop/services/nix-serve.nix
@ -1,28 +1,22 @@
 {
  config,
  pkgs,
-  lib,
 }:
+let
+  link = config.local.links.nix-serve;
+in
 {
-  sops.secrets.store_key.owner = "nix-serve";
+  local.links.nix-serve = { };
+
+  sops.secrets.store_key = { };

  users = {
-    groups = {
-      builder = { };
-      nix-serve = { };
-    };
-    users = {
-      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
-      builder = {
-        isSystemUser = true;
-        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
-        group = "builder";
-        shell = pkgs.bashInteractive;
-      };
-      nix-serve = {
-        isSystemUser = true;
-        group = "nix-serve";
-      };
+    groups.builder = { };
+    users.builder = {
+      isSystemUser = true;
+      openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+      group = "builder";
+      shell = pkgs.bashInteractive;
    };
  };

@ -38,37 +32,18 @@

  nix.settings = {
    trusted-users = [ "builder" ];
-    allowed-users = [ "nix-serve" ];
    keep-outputs = true;
    keep-derivations = true;
    secret-key-files = config.sops.secrets.store_key.path;
  };

-  systemd.services.nix-serve = {
-    description = "nix-serve binary cache server";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    path = [
-      config.nix.package
-      pkgs.bzip2
-    ];
-
-    serviceConfig = {
-      ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock";
-      Restart = "always";
-      RestartSec = "5s";
-      User = "nix-serve";
-      Group = "nix-serve";
-      RuntimeDirectory = "nix-serve";
-      UMask = "0117";
-    };
-
-    environment = {
-      NIX_REMOTE = "daemon";
-      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
-    };
-
+  services.nix-serve = {
+    enable = true;
+    inherit (link) port;
+    package = pkgs.nix-serve-ng;
+    bindAddress = link.ipv4;
+    secretKeyFile = config.sops.secrets.store_key.path;
  };
-  local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock";
+
+  local.nginx.proxyVhosts."cache.gerg-l.com" = link.url;
 }