deploy binary cache

2023-07-05 17:27:07 +02:00 · 2023-07-05 17:27:07 +02:00 · ba3af50dd5
commit ba3af50dd5
parent 84dbe47895
7 changed files with 54 additions and 7 deletions
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,11 @@
 {
  description = "Dependencies to deploy a clan";

+  nixConfig = {
+    extra-substituters = [ "https://cache.clan.lol" ];
+    extra-trusted-public-keys = [ "cache.clan.lol-1:j83TYLUVsrSXZvQdMoY+Ms81Xd/nO8GNuQQHqphzRSg=" ];
+  };
+
  inputs = {
    # https://github.com/NixOS/nixpkgs/pull/241526
    nixpkgs.url = "github:Mic92/nixpkgs/cloud-init";
--- a/modules/web01/default.nix
+++ b/modules/web01/default.nix
@ -3,6 +3,7 @@
    ./homepage.nix
    ./gitea
    ./postfix.nix
+    ./harmonia.nix
    ../zerotier
    ../zerotier/ctrl.nix
  ];
--- a/modules/web01/harmonia.nix
+++ b/modules/web01/harmonia.nix
@ -0,0 +1,24 @@
+{ config, ... }: {
+  services.harmonia.enable = true;
+  # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
+  services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path;
+  sops.secrets.harmonia-key = { };
+
+  services.nginx.virtualHosts."cache.clan.lol" = {
+    useACMEHost = "thalheim.io";
+    forceSSL = true;
+    enableACME = true;
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:5000;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+
+      zstd on;
+      zstd_types application/x-nix-archive;
+    '';
+  };
+}
--- a/targets/web01/configuration.nix
+++ b/targets/web01/configuration.nix
@ -7,6 +7,7 @@ in
    self.nixosModules.web01
    self.nixosModules.hcloud
  ];
+  sops.defaultSopsFile = ./secrets.yaml;
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.05";
 }
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
@ -1,4 +1,5 @@
 ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -32,8 +33,8 @@ sops:
            Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
            KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-05T15:15:11Z"
-    mac: ENC[AES256_GCM,data:oLM6L2SAPSypW2sbGnaE0hmRW8BoFxIT6RfGUAr2I8Q+K0wN4dUW1Cq+q8Ecfa4IJ8eI2iCw/7x8ZwlWiUFnreeaEGXIS2SEMMitwOUzfzB0QCXYIuQUxgH1KCpNwNKm/3cEg0GrWFim0SSSZztVsHQh5++Qa7WDXKYFQJLG+Fc=,iv:P9DUDlL9g5Q7fJyi7OvVDMyPQKbX1OzYKgQ19f+wrfI=,tag:An0m7oXeUACxWDVackxXAQ==,type:str]
+    lastmodified: "2023-07-05T15:22:34Z"
+    mac: ENC[AES256_GCM,data:sSrzzvy97ok92DNRP9rDruu+lPlG2NZEKTL7E7lCLCtSkbRh1ciVAEuavRhnGFBB4jCYNwT43oyLNOq9oVY3G7d2sehalMxG0DNpOkyeSkVcYv5DKQzSwd08rq0sl6MGMcEdJ4wx7lYGtHiN4NoPhzpqi9SyesSCsHcYzJ2uNfM=,iv:6jUTtEDY2zzn/7ZsmymY7gqafBmQ1791iWw6La9VD9A=,tag:46mE6aDPnkdzqcwzyouhXg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/targets/web01/terraform.tfstate
+++ b/targets/web01/terraform.tfstate
--- a/terraform/web01/dns.tf
+++ b/terraform/web01/dns.tf
@ -59,6 +59,20 @@ resource "netlify_dns_record" "mail_aaaa" {
  value    = hcloud_server.server.ipv6_address
 }

+resource "netlify_dns_record" "cache_a" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "cache.${var.domain}"
+  type     = "A"
+  value    = hcloud_server.server.ipv4_address
+}
+
+resource "netlify_dns_record" "cache_aaaa" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "cache.${var.domain}"
+  type     = "AAAA"
+  value    = hcloud_server.server.ipv6_address
+}
+
 # for sending emails
 resource "netlify_dns_record" "spf" {
  zone_id  = netlify_dns_zone.server.id
@ -89,6 +103,7 @@ resource "netlify_dns_record" "dmarc" {
  value    = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100"
 }

+
 resource "hcloud_rdns" "master_a" {
  server_id  = hcloud_server.server.id
  ip_address = hcloud_server.server.ipv4_address