From 5c944626b0143359d6e324e90a10818bcbf3fe93 Mon Sep 17 00:00:00 2001 From: Marko Lindqvist Date: Thu, 12 Dec 2024 09:40:58 +0200 Subject: [PATCH] Revert "Cleanup: hosts/binarycache configuration" This reverts commit 47ab96bd42caabf6f2615d48091b3176c80f4b64. Signed-off-by: Marko Lindqvist --- hosts/binarycache/configuration.nix | 38 ++++++++++++++++++++++++++++- services/binary-cache/default.nix | 12 +++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 services/binary-cache/default.nix diff --git a/hosts/binarycache/configuration.nix b/hosts/binarycache/configuration.nix index 1da1c66f..db8693fc 100644 --- a/hosts/binarycache/configuration.nix +++ b/hosts/binarycache/configuration.nix @@ -5,10 +5,12 @@ self, inputs, lib, + config, ... }: { sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.cache-sig-key.owner = "root"; imports = [ @@ -18,8 +20,11 @@ ] ++ (with self.nixosModules; [ common + qemu-common ficolo-common service-openssh + service-binary-cache + service-nginx user-jrautiola user-cazfi user-hrosten @@ -27,11 +32,42 @@ user-avnik ]); + nix.settings = { + # we don't want the cache to be a substitutor for itself + substituters = lib.mkForce [ "https://cache.nixos.org/" ]; + }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - networking.hostName = "binarycache"; + + networking = { + hostName = "binarycache"; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "trash@unikie.com"; + }; services.monitoring = { metrics.enable = true; logs.enable = true; }; + + services.nginx = { + recommendedZstdSettings = true; + virtualHosts = { + "cache.vedenemo.dev" = { + enableACME = true; + forceSSL = true; + default = true; + locations."/" = { + proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + extraConfig = '' + zstd on; + zstd_types application/x-nix-archive; + ''; + }; + }; + }; + }; } 
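Review bot: In the last hunk of hosts/binarycache/configuration.nix, `proxyPass` is built from `config.services.nix-serve.bindAddress` and `config.services.nix-serve.port`, but the `service-binary-cache` module imported in the second hunk enables `services.harmonia`, not nix-serve. The proxy target therefore comes from the option defaults of a service that is not enabled on this host; it presumably works only because both daemons default to port 5000, and a change to either default would break the cache or point nginx at a different listener without any evaluation error. I would pin the upstream to the address harmonia is actually bound to, for example `proxyPass = "http://127.0.0.1:5000";`, with harmonia's bind setting fixed to the same loopback address so the two cannot drift.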
diff --git a/services/binary-cache/default.nix b/services/binary-cache/default.nix
new file mode 100644
index 00000000..80993d92
--- /dev/null
+++ b/services/binary-cache/default.nix
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ config, ... }:
+{
+ services = {
+ harmonia = {
+ enable = true;
+ signKeyPath = config.sops.secrets.cache-sig-key.path;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 5000 ];
+}
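Review bot: `networking.firewall.allowedTCPPorts = [ 5000 ];` exposes the harmonia listener directly over plain HTTP, next to the nginx virtual host that hosts/binarycache/configuration.nix sets up with `forceSSL = true`. Clients that reach port 5000 bypass TLS and any nginx-side logging or access control; narinfo signatures still cover store-path integrity, but only for clients that enforce trusted keys. If nothing needs the direct port, I would drop the firewall line and bind harmonia to loopback, e.g. `services.harmonia.settings.bind = "127.0.0.1:5000";`. If internal builders do depend on it, a comment saying so, plus an interface-scoped firewall rule, would make the exposure deliberate. The port number is also hard-coded here rather than taken from harmonia's configuration, so the two can drift apart.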