173 lines
3.7 KiB
Nix
173 lines
3.7 KiB
Nix
{
|
|
self,
|
|
attic,
|
|
caddy-with-plugins,
|
|
...
|
|
}:
|
|
{
|
|
pkgs,
|
|
modulesPath,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
(modulesPath + "/virtualisation/lxc-container.nix")
|
|
attic.nixosModules.atticd
|
|
../../users/root
|
|
../../users/erwin
|
|
];
|
|
|
|
eboskma = {
|
|
users.erwin = {
|
|
enable = true;
|
|
server = true;
|
|
};
|
|
nix-common = {
|
|
enable = true;
|
|
remote-builders = true;
|
|
};
|
|
tailscale.enable = true;
|
|
};
|
|
|
|
time.timeZone = "Europe/Amsterdam";
|
|
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
|
|
|
|
networking = {
|
|
hostName = "nix-cache";
|
|
useDHCP = false;
|
|
useHostResolvConf = false;
|
|
networkmanager.enable = false;
|
|
useNetworkd = true;
|
|
|
|
firewall = {
|
|
trustedInterfaces = [ "tailscale0" ];
|
|
allowPing = true;
|
|
|
|
allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
network = {
|
|
enable = true;
|
|
|
|
wait-online.anyInterface = true;
|
|
|
|
networks = {
|
|
"40-eth0" = {
|
|
matchConfig = {
|
|
Name = "eth0";
|
|
};
|
|
|
|
networkConfig = {
|
|
Address = "10.0.0.209/24";
|
|
Gateway = "10.0.0.1";
|
|
DNS = "10.0.0.206";
|
|
DHCP = "no";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
|
|
};
|
|
|
|
security = {
|
|
sudo-rs = {
|
|
enable = true;
|
|
execWheelOnly = true;
|
|
wheelNeedsPassword = false;
|
|
};
|
|
sudo.enable = false;
|
|
};
|
|
|
|
services = {
|
|
atticd = {
|
|
enable = true;
|
|
|
|
credentialsFile = config.sops.secrets.attic-credentials.path;
|
|
settings = {
|
|
listen = "127.0.0.1:8080";
|
|
|
|
garbage-collection = {
|
|
default-retention-period = "6 weeks";
|
|
};
|
|
|
|
storage = {
|
|
type = "s3";
|
|
bucket = "nix-cache";
|
|
endpoint = "https://minio.datarift.nl";
|
|
region = "local";
|
|
};
|
|
|
|
# Data chunking
|
|
#
|
|
# Warning: If you change any of the values here, it will be
|
|
# difficult to reuse existing chunks for newly-uploaded NARs
|
|
# since the cutpoints will be different. As a result, the
|
|
# deduplication ratio will suffer for a while after the change.
|
|
chunking = {
|
|
# The minimum NAR size to trigger chunking
|
|
#
|
|
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
|
# If 1, all NARs are chunked.
|
|
nar-size-threshold = 256 * 1024; # 256 KiB
|
|
|
|
# The preferred minimum size of a chunk, in bytes
|
|
min-size = 128 * 1024; # 128 KiB
|
|
|
|
# The preferred average size of a chunk, in bytes
|
|
avg-size = 256 * 1024; # 256 KiB
|
|
|
|
# The preferred maximum size of a chunk, in bytes
|
|
max-size = 1024 * 1024; # 1024 KiB
|
|
};
|
|
};
|
|
};
|
|
|
|
caddy = {
|
|
enable = true;
|
|
package = caddy-with-plugins.lib.caddyWithPackages {
|
|
inherit (pkgs) caddy buildGoModule;
|
|
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
|
|
vendorHash = "sha256-UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
|
|
};
|
|
|
|
email = "erwin@datarift.nl";
|
|
|
|
virtualHosts = {
|
|
"nix-cache.datarift.nl" = {
|
|
extraConfig = ''
|
|
@local_or_ts {
|
|
remote_ip 10.0.0.0/24 100.64.0.0/10
|
|
}
|
|
|
|
handle @local_or_ts {
|
|
reverse_proxy 127.0.0.1:8080
|
|
}
|
|
handle {
|
|
error "Nope." 401
|
|
}
|
|
|
|
tls {
|
|
dns cloudflare {env.CF_API_TOKEN}
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
sops.defaultSopsFile = ./secrets.yaml;
|
|
sops.secrets = {
|
|
attic-credentials = { };
|
|
caddy-env = { };
|
|
};
|
|
|
|
system.stateVersion = "24.05";
|
|
}
|