nixos-config/machines/nix-cache/configuration.nix

{
  self,
  attic,
  caddy-with-plugins,
  ...
}:
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
{
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")
    attic.nixosModules.atticd
    ../../users/root
    ../../users/erwin
  ];

  eboskma = {
    users.erwin = {
      enable = true;
      server = true;
    };
    nix-common = {
      enable = true;
      remote-builders = true;
    };
    tailscale.enable = true;
  };

  time.timeZone = "Europe/Amsterdam";
  system.configurationRevision = lib.mkIf (self ? rev) self.rev;

  networking = {
    hostName = "nix-cache";
    useDHCP = false;
    useHostResolvConf = false;
    networkmanager.enable = false;
    useNetworkd = true;

    firewall = {
      trustedInterfaces = [ "tailscale0" ];
      allowPing = true;

      allowedTCPPorts = [
        80
        443
      ];
    };
  };

  systemd = {
    network = {
      enable = true;

      wait-online.anyInterface = true;

      networks = {
        "40-eth0" = {
          matchConfig = {
            Name = "eth0";
          };

          networkConfig = {
            Address = "10.0.0.209/24";
            Gateway = "10.0.0.1";
            DNS = "10.0.0.206";
            DHCP = "no";
          };
        };
      };
    };

    services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
  };

  security = {
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
      wheelNeedsPassword = false;
    };
    sudo.enable = false;
  };

  services = {
    atticd = {
      enable = true;

      credentialsFile = config.sops.secrets.attic-credentials.path;
      settings = {
        listen = "127.0.0.1:8080";

        garbage-collection = {
          default-retention-period = "3 months";
        };

        storage = {
          type = "s3";
          bucket = "nix-cache";
          endpoint = "https://minio.datarift.nl";
          region = "local";
        };

        # Data chunking
        #
        # Warning: If you change any of the values here, it will be
        # difficult to reuse existing chunks for newly-uploaded NARs
        # since the cutpoints will be different. As a result, the
        # deduplication ratio will suffer for a while after the change.
        chunking = {
          # The minimum NAR size to trigger chunking
          #
          # If 0, chunking is disabled entirely for newly-uploaded NARs.
          # If 1, all NARs are chunked.
          nar-size-threshold = 64 * 1024; # 64 KiB

          # The preferred minimum size of a chunk, in bytes
          min-size = 16 * 1024; # 16 KiB

          # The preferred average size of a chunk, in bytes
          avg-size = 64 * 1024; # 64 KiB

          # The preferred maximum size of a chunk, in bytes
          max-size = 256 * 1024; # 256 KiB
        };
      };
    };

    caddy = {
      enable = true;
      package = caddy-with-plugins.lib.caddyWithPackages {
        inherit (pkgs) caddy buildGoModule;
        plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
        vendorHash = "sha256-UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
      };

      email = "erwin@datarift.nl";

      virtualHosts = {
        "nix-cache.datarift.nl" = {
          extraConfig = ''
            @local_or_ts {
              remote_ip 10.0.0.0/24 100.64.0.0/10
            }

            handle @local_or_ts {
              reverse_proxy 127.0.0.1:8080
            }
            handle {
              error "Nope." 401
            }

            tls {
              dns cloudflare {env.CF_API_TOKEN}
            }
          '';
        };
      };
    };
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    attic-credentials = { };
    caddy-env = { };
  };

  system.stateVersion = "24.05";
}