nixos-config/machines/nix-cache/configuration.nix

173 lines
3.7 KiB
Nix

{
self,
attic,
caddy-with-plugins,
...
}:
{
pkgs,
modulesPath,
lib,
config,
...
}:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
attic.nixosModules.atticd
../../users/root
../../users/erwin
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "nix-cache";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
firewall = {
trustedInterfaces = [ "tailscale0" ];
allowPing = true;
allowedTCPPorts = [
80
443
];
};
};
systemd = {
network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.209/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
services = {
atticd = {
enable = true;
credentialsFile = config.sops.secrets.attic-credentials.path;
settings = {
listen = "127.0.0.1:8080";
garbage-collection = {
default-retention-period = "6 weeks";
};
storage = {
type = "s3";
bucket = "nix-cache";
endpoint = "https://minio.datarift.nl";
region = "local";
};
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 256 * 1024; # 256 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 128 * 1024; # 128 KiB
# The preferred average size of a chunk, in bytes
avg-size = 256 * 1024; # 256 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 1024 * 1024; # 1024 KiB
};
};
};
caddy = {
enable = true;
package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorHash = "sha256-UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
};
email = "erwin@datarift.nl";
virtualHosts = {
"nix-cache.datarift.nl" = {
extraConfig = ''
@local_or_ts {
remote_ip 10.0.0.0/24 100.64.0.0/10
}
handle @local_or_ts {
reverse_proxy 127.0.0.1:8080
}
handle {
error "Nope." 401
}
tls {
dns cloudflare {env.CF_API_TOKEN}
}
'';
};
};
};
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
attic-credentials = { };
caddy-env = { };
};
system.stateVersion = "24.05";
}