nixos-conf/modules/services/nix-cache-server.nix

{ config, lib, ... }:
let
  cfg = config.custom.services.nixCacheServer;
  cacheDomain = "cache.sinerva.eu";
in
{
  options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";

  config = lib.mkIf cfg.enable {
    sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;

    services = {
      nix-serve = {
        enable = true;
        bindAddress = "127.0.0.2";
        port = 8081;
        secretKeyFile = config.sops.secrets.priv-cache-key.path;
      };

      nginx.virtualHosts = {
        ${cacheDomain}.locations."/" = {
          proxyPass = "http://127.0.0.2:8081";
        };
      };
    };

    nix = {
      extraOptions = ''
        secret-key-files = ${config.sops.secrets.priv-cache-key.path}
      '';

      sshServe = {
        enable = true;
        trusted = true;
        write = true;
        keys =
          let
            keys = config.custom.sshKeys;
          in
          [
            keys.borg
            keys.cert-store
            keys.forgejo
            keys.gaming
            keys.helium
            keys.idacloud
            keys.lithium
            keys.nextcloud
            keys.vaultwarden
          ];
      };
    };

    # Added because we are opening up SSH to the world
    services.fail2ban = {
      enable = true;
      maxretry = 10;
      bantime = "10m";
      bantime-increment = {
        enable = true;
        maxtime = "1d";
      };
      jails = {
        DEFAULT.settings = {
          findtime = 3600;
        };
      };
    };
  };
}
Change to SSH store + remote builders to reduce resource usage on other hosts 2025-07-14 00:56:49 +03:00			`{ config, lib, ... }:`
			`let`
			`cfg = config.custom.services.nixCacheServer;`
Move cache back to HTTPS 2025-07-14 03:03:22 +03:00			`cacheDomain = "cache.sinerva.eu";`
Change to SSH store + remote builders to reduce resource usage on other hosts 2025-07-14 00:56:49 +03:00			`in`
			`{`
			`options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";`

			`config = lib.mkIf cfg.enable {`
			`sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;`

Move cache back to HTTPS 2025-07-14 03:03:22 +03:00			`services = {`
			`nix-serve = {`
			`enable = true;`
			`bindAddress = "127.0.0.2";`
			`port = 8081;`
			`secretKeyFile = config.sops.secrets.priv-cache-key.path;`
			`};`

			`nginx.virtualHosts = {`
			`${cacheDomain}.locations."/" = {`
			`proxyPass = "http://127.0.0.2:8081";`
			`};`
			`};`
			`};`

Change to SSH store + remote builders to reduce resource usage on other hosts 2025-07-14 00:56:49 +03:00			`nix = {`
			`extraOptions = ''`
			`secret-key-files = ${config.sops.secrets.priv-cache-key.path}`
			`'';`

			`sshServe = {`
			`enable = true;`
Fix nix ssh settings 2025-07-14 01:51:32 +03:00			`trusted = true;`
Change to SSH store + remote builders to reduce resource usage on other hosts 2025-07-14 00:56:49 +03:00			`write = true;`
Centralize listing of SSH public keys 2025-07-18 18:55:17 +03:00			`keys =`
			`let`
			`keys = config.custom.sshKeys;`
			`in`
			`[`
Add borg to allowed machines for remote builder 2025-07-28 22:59:26 +03:00			`keys.borg`
Centralize listing of SSH public keys 2025-07-18 18:55:17 +03:00			`keys.cert-store`
			`keys.forgejo`
			`keys.gaming`
Re-organize SSH keys 2025-07-19 12:38:25 +03:00			`keys.helium`
Centralize listing of SSH public keys 2025-07-18 18:55:17 +03:00			`keys.idacloud`
			`keys.lithium`
			`keys.nextcloud`
			`keys.vaultwarden`
			`];`
Change to SSH store + remote builders to reduce resource usage on other hosts 2025-07-14 00:56:49 +03:00			`};`
			`};`

			`# Added because we are opening up SSH to the world`
			`services.fail2ban = {`
			`enable = true;`
			`maxretry = 10;`
			`bantime = "10m";`
			`bantime-increment = {`
			`enable = true;`
			`maxtime = "1d";`
			`};`
			`jails = {`
			`DEFAULT.settings = {`
			`findtime = 3600;`
			`};`
			`};`
			`};`
			`};`
			`}`