nixos-config/machines/nix-cache/configuration.nix

{ self, attic, caddy-with-plugins, ... }:
{ pkgs, modulesPath, lib, config, ... }: {
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")
    attic.nixosModules.atticd
    ../../users/root
    ../../users/erwin
  ];

  eboskma = {
    users.erwin = {
      enable = true;
      server = true;
    };
    nix-common = {
      enable = true;
      remote-builders = true;
    };
    tailscale.enable = true;
  };

  time.timeZone = "Europe/Amsterdam";
  system.configurationRevision = lib.mkIf (self ? rev) self.rev;

  networking = {
    hostName = "nix-cache";
    useDHCP = false;
    useHostResolvConf = false;
    networkmanager.enable = false;
    useNetworkd = true;

    firewall = {
      trustedInterfaces = [ "tailscale0" ];
      allowPing = true;

      allowedTCPPorts = [ 80 443 ];
    };
  };

  systemd = {
    network = {
      enable = true;

      networks = {
        "40-eth0" = {
          matchConfig = {
            Name = "eth0";
          };

          networkConfig = {
            Address = "10.0.0.209/24";
            Gateway = "10.0.0.1";
            DNS = "10.0.0.206";
            DHCP = "no";
          };
        };
      };
    };

    services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
  };

  security = {
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
      wheelNeedsPassword = false;
    };
    sudo.enable = false;
  };

  services = {
    atticd = {
      enable = true;

      credentialsFile = config.sops.secrets.attic-credentials.path;
      settings = {
        listen = "127.0.0.1:8080";

        garbage-collection = {
          default-retention-period = "3 months";
        };

        storage = {
          type = "s3";
          bucket = "nix-cache";
          endpoint = "https://minio.datarift.nl";
          region = "local";
        };

        # Data chunking
        #
        # Warning: If you change any of the values here, it will be
        # difficult to reuse existing chunks for newly-uploaded NARs
        # since the cutpoints will be different. As a result, the
        # deduplication ratio will suffer for a while after the change.
        chunking = {
          # The minimum NAR size to trigger chunking
          #
          # If 0, chunking is disabled entirely for newly-uploaded NARs.
          # If 1, all NARs are chunked.
          nar-size-threshold = 64 * 1024; # 64 KiB

          # The preferred minimum size of a chunk, in bytes
          min-size = 16 * 1024; # 16 KiB

          # The preferred average size of a chunk, in bytes
          avg-size = 64 * 1024; # 64 KiB

          # The preferred maximum size of a chunk, in bytes
          max-size = 256 * 1024; # 256 KiB
        };
      };
    };

    caddy = {
      enable = true;
      package = caddy-with-plugins.lib.caddyWithPackages {
        inherit (pkgs) caddy buildGoModule;
        plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
        vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
      };

      email = "erwin@datarift.nl";

      virtualHosts = {
        "nix-cache.datarift.nl" = {
          extraConfig = ''
            @local_or_ts {
              remote_ip 10.0.0.0/24 100.64.0.0/10
            }

            handle @local_or_ts {
              reverse_proxy 127.0.0.1:8080
            }
            handle {
              error "Nope." 401
            }

            tls {
              dns cloudflare {env.CF_API_TOKEN}
            }
          '';
        };
      };
    };
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    attic-credentials = { };
    caddy-env = { };
  };

  system.stateVersion = "24.05";

}
Set up a Nix binary cache with attic 2024-01-17 09:29:16 +01:00			`{ self, attic, caddy-with-plugins, ... }:`
			`{ pkgs, modulesPath, lib, config, ... }: {`
			`imports = [`
			`(modulesPath + "/virtualisation/lxc-container.nix")`
			`attic.nixosModules.atticd`
			`../../users/root`
			`../../users/erwin`
			`];`

			`eboskma = {`
			`users.erwin = {`
			`enable = true;`
			`server = true;`
			`};`
			`nix-common = {`
			`enable = true;`
			`remote-builders = true;`
			`};`
			`tailscale.enable = true;`
			`};`

			`time.timeZone = "Europe/Amsterdam";`
			`system.configurationRevision = lib.mkIf (self ? rev) self.rev;`

			`networking = {`
			`hostName = "nix-cache";`
			`useDHCP = false;`
			`useHostResolvConf = false;`
			`networkmanager.enable = false;`
			`useNetworkd = true;`

			`firewall = {`
			`trustedInterfaces = [ "tailscale0" ];`
			`allowPing = true;`

			`allowedTCPPorts = [ 80 443 ];`
			`};`
			`};`

			`systemd = {`
			`network = {`
			`enable = true;`

			`networks = {`
			`"40-eth0" = {`
			`matchConfig = {`
			`Name = "eth0";`
			`};`

			`networkConfig = {`
			`Address = "10.0.0.209/24";`
			`Gateway = "10.0.0.1";`
			`DNS = "10.0.0.206";`
			`DHCP = "no";`
			`};`
			`};`
			`};`
			`};`

			`services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];`
			`};`

			`security = {`
			`sudo-rs = {`
			`enable = true;`
			`execWheelOnly = true;`
			`wheelNeedsPassword = false;`
			`};`
			`sudo.enable = false;`
			`};`

			`services = {`
			`atticd = {`
			`enable = true;`

			`credentialsFile = config.sops.secrets.attic-credentials.path;`
			`settings = {`
			`listen = "127.0.0.1:8080";`

			`garbage-collection = {`
			`default-retention-period = "3 months";`
			`};`

			`storage = {`
			`type = "s3";`
			`bucket = "nix-cache";`
			`endpoint = "https://minio.datarift.nl";`
			`region = "local";`
			`};`

			`# Data chunking`
			`#`
			`# Warning: If you change any of the values here, it will be`
			`# difficult to reuse existing chunks for newly-uploaded NARs`
			`# since the cutpoints will be different. As a result, the`
			`# deduplication ratio will suffer for a while after the change.`
			`chunking = {`
			`# The minimum NAR size to trigger chunking`
			`#`
			`# If 0, chunking is disabled entirely for newly-uploaded NARs.`
			`# If 1, all NARs are chunked.`
			`nar-size-threshold = 64 * 1024; # 64 KiB`

			`# The preferred minimum size of a chunk, in bytes`
			`min-size = 16 * 1024; # 16 KiB`

			`# The preferred average size of a chunk, in bytes`
			`avg-size = 64 * 1024; # 64 KiB`

			`# The preferred maximum size of a chunk, in bytes`
			`max-size = 256 * 1024; # 256 KiB`
			`};`
			`};`
			`};`

			`caddy = {`
			`enable = true;`
			`package = caddy-with-plugins.lib.caddyWithPackages {`
			`inherit (pkgs) caddy buildGoModule;`
			`plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];`
			`vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";`
			`};`

			`email = "erwin@datarift.nl";`

			`virtualHosts = {`
			`"nix-cache.datarift.nl" = {`
			`extraConfig = ''`
			`@local_or_ts {`
			`remote_ip 10.0.0.0/24 100.64.0.0/10`
			`}`

			`handle @local_or_ts {`
			`reverse_proxy 127.0.0.1:8080`
			`}`
			`handle {`
			`error "Nope." 401`
			`}`

			`tls {`
			`dns cloudflare {env.CF_API_TOKEN}`
			`}`
			`'';`
			`};`
			`};`
			`};`
			`};`

			`sops.defaultSopsFile = ./secrets.yaml;`
			`sops.secrets = {`
			`attic-credentials = { };`
			`caddy-env = { };`
			`};`

			`system.stateVersion = "24.05";`

			`}`