{ config, pkgs, ... }:

let
  # Upstream that nginx forwards cache requests to. nix-serve listens on the
  # bindAddress/port taken from its own module options, so the proxy target
  # follows those options automatically.
  nixServeUpstream =
    "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
in
{
  # Generate the binary cache key pair on the nix-cache host:
  #   sudo install -d -m 0700 /etc/nix
  #   sudo nix-store --generate-binary-cache-key nix-cache-1 \
  #     /etc/nix/cache-priv.pem \
  #     /etc/nix/cache-pub.pem
  #   sudo chmod 0600 /etc/nix/cache-priv.pem
  #   sudo chmod 0644 /etc/nix/cache-pub.pem
  #   cat /etc/nix/cache-pub.pem
  # Only cache-pub.pem is handed to clients (for their trusted-public-keys);
  # cache-priv.pem is what nix-serve signs with, so it stays root-only and is
  # referenced by path rather than copied into the Nix store.
  services = {
    # Binary cache backend, signing served paths with the key file below.
    nix-serve = {
      enable = true;
      secretKeyFile = "/etc/nix/cache-priv.pem";
    };

    # Reverse proxy in front of nix-serve. No TLS is configured here, so the
    # cache is served over plain HTTP on port 80; clients still verify each
    # path's signature against the cache public key, so integrity does not
    # rest on the transport, but confidentiality of what is fetched does.
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts."nix-cache".locations."/".proxyPass = nixServeUpstream;
    };

    # Remote-build clients reach the nixremote account over SSH.
    openssh.enable = true;
  };

  # Only the HTTP cache port is opened explicitly; the SSH port is handled by
  # the openssh module's own firewall default.
  networking.firewall.allowedTCPPorts = [ 80 ];

  # Dedicated account that remote-build clients log in as.
  users = {
    groups.nixremote = { };
    users.nixremote = {
      isSystemUser = true;
      group = "nixremote";
      createHome = true;
      home = "/var/lib/nixremote";
      shell = pkgs.bashInteractive;
      # Provide remote builder public keys here (safe to commit public keys only):
      #   openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
      #
      # Avoid absolute keyFiles paths here because they break pure flake evaluation.
      #
      # Every key in this list gets a login as nixremote, and nixremote is a
      # trusted-user below, so additions to the list deserve the same review
      # as granting root on the builder.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKzoEPl/ZW9KBRHBcp6/ThOngGpwMv5EhkTlgC4aDf root@nixos"
      ];
    };
  };

  nix = {
    settings = {
      # The Nix manual describes trusted-users as effectively root-equivalent:
      # they may override daemon settings (sandbox, substituters, ...) and
      # import unsigned store paths. nixremote is listed so the clients above
      # can push build inputs to this machine.
      trusted-users = [ "root" "nixremote" ];
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
      # NOTE(review): presumably set so that builders fetch dependencies from
      # their own substituters instead of receiving them from the client —
      # confirm against the Nix manual entry for builders-use-substitutes.
      builders-use-substitutes = true;
    };

    # Weekly collection of store paths older than 30 days.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };
}