2025-07-14 00:56:49 +03:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.custom.services.nixCacheServer;
|
2025-07-14 03:03:22 +03:00
|
|
|
cacheDomain = "cache.sinerva.eu";
|
2025-07-14 00:56:49 +03:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";
|
|
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
|
sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;
|
|
|
|
|
|
2025-07-14 03:03:22 +03:00
|
|
|
services = {
|
|
|
|
|
nix-serve = {
|
|
|
|
|
enable = true;
|
|
|
|
|
bindAddress = "127.0.0.2";
|
|
|
|
|
port = 8081;
|
|
|
|
|
secretKeyFile = config.sops.secrets.priv-cache-key.path;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
nginx.virtualHosts = {
|
|
|
|
|
${cacheDomain}.locations."/" = {
|
|
|
|
|
proxyPass = "http://127.0.0.2:8081";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2025-07-14 00:56:49 +03:00
|
|
|
nix = {
|
|
|
|
|
extraOptions = ''
|
|
|
|
|
secret-key-files = ${config.sops.secrets.priv-cache-key.path}
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
sshServe = {
|
|
|
|
|
enable = true;
|
2025-07-14 01:51:32 +03:00
|
|
|
trusted = true;
|
2025-07-14 00:56:49 +03:00
|
|
|
write = true;
|
|
|
|
|
keys = [
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd root@cert-store"
|
2025-07-14 01:38:37 +03:00
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE root@forgejo"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq root@gaming"
|
|
|
|
|
# TODO Helium
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K root@idacloud"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J root@lithium"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV root@nextcloud"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6 root@siit-dc"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD root@syncthing"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz root@vaultwarden"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8 root@zfs-backup"
|
2025-07-14 00:56:49 +03:00
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Added because we are opening up SSH to the world
|
|
|
|
|
services.fail2ban = {
|
|
|
|
|
enable = true;
|
|
|
|
|
maxretry = 10;
|
|
|
|
|
bantime = "10m";
|
|
|
|
|
bantime-increment = {
|
|
|
|
|
enable = true;
|
|
|
|
|
maxtime = "1d";
|
|
|
|
|
};
|
|
|
|
|
jails = {
|
|
|
|
|
DEFAULT.settings = {
|
|
|
|
|
findtime = 3600;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
