71 lines
1.5 KiB
Nix
71 lines
1.5 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.custom.services.nixCacheServer;
|
|
cacheDomain = "cache.sinerva.eu";
|
|
in
|
|
{
|
|
options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;
|
|
|
|
services = {
|
|
nix-serve = {
|
|
enable = true;
|
|
bindAddress = "127.0.0.2";
|
|
port = 8081;
|
|
secretKeyFile = config.sops.secrets.priv-cache-key.path;
|
|
};
|
|
|
|
nginx.virtualHosts = {
|
|
${cacheDomain}.locations."/" = {
|
|
proxyPass = "http://127.0.0.2:8081";
|
|
};
|
|
};
|
|
};
|
|
|
|
nix = {
|
|
extraOptions = ''
|
|
secret-key-files = ${config.sops.secrets.priv-cache-key.path}
|
|
'';
|
|
|
|
sshServe = {
|
|
enable = true;
|
|
trusted = true;
|
|
write = true;
|
|
keys =
|
|
let
|
|
keys = config.custom.sshKeys;
|
|
in
|
|
[
|
|
keys.cert-store
|
|
keys.forgejo
|
|
keys.gaming
|
|
# TODO Helium
|
|
keys.idacloud
|
|
keys.lithium
|
|
keys.nextcloud
|
|
keys.syncthing
|
|
keys.vaultwarden
|
|
keys.zfs-backup
|
|
];
|
|
};
|
|
};
|
|
|
|
# Added because we are opening up SSH to the world
|
|
services.fail2ban = {
|
|
enable = true;
|
|
maxretry = 10;
|
|
bantime = "10m";
|
|
bantime-increment = {
|
|
enable = true;
|
|
maxtime = "1d";
|
|
};
|
|
jails = {
|
|
DEFAULT.settings = {
|
|
findtime = 3600;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|