authorMel <mel@rnrd.eu>2025-02-14 01:21:56 +0100
committerMel <mel@rnrd.eu>2025-02-14 01:21:56 +0100
commitea98b5d508d40f06e42fb905d6c26e39b9e0d498 (patch)
treea3d1e0f1de713b33ccf1e4759eba3c5344875021
parent0db876e1688da709ad2ed62a2fb96b274615f2c4 (diff)
Serve a binary cache (harmonia) on renard
Signed-off-by: Mel <mel@rnrd.eu>
-rw-r--r--machines/renard/default.nix3
-rw-r--r--modules/binary-cache.nix48
-rw-r--r--secrets/binary-cache-key.agebin0 -> 647 bytes
-rw-r--r--secrets/secrets.nix4
4 files changed, 54 insertions, 1 deletions
diff --git a/machines/renard/default.nix b/machines/renard/default.nix
index 0188340..f56c2f5 100644
--- a/machines/renard/default.nix
+++ b/machines/renard/default.nix
@@ -8,6 +8,7 @@
     ./devices.nix
 
     ../../modules/www
+    ../../modules/binary-cache.nix
     ../../modules/git.nix
     ../../modules/syncthing.nix
 
@@ -26,7 +27,7 @@
       }) machines;
     };
 
-    services = [ "base" "tailnet" "git" "mel" "shorest" ];
+    services = [ "base" "tailnet" "cache" "git" "mel" "shorest" ];
   };
 
   services.nginx.virtualHosts = {
diff --git a/modules/binary-cache.nix b/modules/binary-cache.nix
new file mode 100644
index 0000000..d0e0a72
--- /dev/null
+++ b/modules/binary-cache.nix
@@ -0,0 +1,48 @@
+# the public key for the current iteration of this cache is:
+# cache.rnrd.eu-1:6Q2MPTZ6ycAzWcc0VzXR+pKRlJ+6kfdQfj6iRsN5s1I=
+
+{ config, unstablePkgs, ... }:
+
+let
+  inherit (config.age) secrets;
+
+  cachePort = 3138;
+in
+{
+  age.secrets.binary-cache-key = {
+    file = ../secrets/binary-cache-key.age;
+  };
+
+  services = {
+    harmonia = {
+      enable = true;
+      # 24.11 does not include built-in zstd compression for harmonia yet.
+      package = unstablePkgs.harmonia;
+      signKeyPaths = [ secrets.binary-cache-key.path ];
+
+      settings = {
+        bind = "127.0.0.1:${toString cachePort}";
+        workers = 6;
+      };
+    };
+
+    nginx.virtualHosts."cache.rnrd.eu" = {
+      useACMEHost = "rnrd.eu";
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cachePort}";
+        # i'm not sure whether harmonia actually does anything
+        # with websockets, but their example includes nginx settings
+        # that can be toggled on with this setting.
+        # see: https://github.com/nix-community/harmonia#configuration-for-public-binary-cache-on-nixos
+        proxyWebsockets = true;
+      };
+
+      extraConfig = ''
+        proxy_redirect http:// https://;
+        access_log /var/log/nginx/cache.access.log json_combined;
+      '';
+    };
+  };
+}
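Review bot: The public key quoted in the header comment of the new file is a hand-copied value that nothing ties to `secrets/binary-cache-key.age`; if the key is ever rotated, the `-1` name and the comment go stale silently while clients keep the old value in `nix.settings.trusted-public-keys`. I would extend the comment to record how it is derived and when to change it, e.g. `# derived from the age secret on renard with: nix key convert-secret-to-public < <decrypted-key-file>` and `# bump the -N suffix on every rotation so clients can tell old and new keys apart`. `age.secrets.binary-cache-key` sets no `owner`/`mode`, so the decrypted key is root-only; that is the right default only if the NixOS harmonia module hands the file to the service as a systemd credential rather than opening it as the service user — presumably it does, but a one-line comment stating that assumption would help whoever next touches `signKeyPaths`. Two smaller points: `workers = 6` deserves a why-comment (what it is sized for), and `access_log ... json_combined` depends on a `log_format json_combined` being defined elsewhere in the nginx config (likely modules/www), so a cross-reference comment would keep this module from breaking silently if it is imported on a machine without that definition.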
diff --git a/secrets/binary-cache-key.age b/secrets/binary-cache-key.age
new file mode 100644
index 0000000..f14c399
--- /dev/null
+++ b/secrets/binary-cache-key.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8571672..1b768d4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,6 +5,10 @@ let
   inherit (keys.system) renard lapin corsac;
 in
 {
+  "binary-cache-key.age".publicKeys = [
+    renard
+  ] ++ allAdmins;
+
   "cloudflare-dns.age".publicKeys = allSystems ++ allAdmins;
 
   "pds-secrets.age".publicKeys = [
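Review bot: The new `binary-cache-key.age` entry encrypts the signing key to `renard` plus `allAdmins` only, whereas the neighbouring `cloudflare-dns.age` uses `allSystems`; the narrower scope is the right choice for a signing key, but nothing in the file says it is deliberate. A one-line comment above the entry, `# signing key: only the host running harmonia needs to decrypt this, keep it off allSystems`, would stop a later edit from "fixing" it to match the other entries. The enclosing attribute set continues outside the hunk.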