tweedledum&tweedledee: add Nginx and ssh user

Signed-off-by: Magic_RB <magic_rb@redalder.org>

nix/systems/oci-nixos.nix

@@ -29,19 +29,88 @@ inputs: {
           flakes.enable = true;
         };
 
+        users.groups.nix-cache =
+          { gid = 1500; };
+        users.users.nix-cache =
+          { shell = "${pkgs.coreutils}/bin/nologin";
+            group = "nix-cache";
+            isSystemUser = true;
+            home = "/var/nix-cache";
+            description = "User for uploading things to the cache.";
+
+            uid = 1500;
+            openssh.authorizedKeys.keys =
+              [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)" ];
+          };
+
+        environment.systemPackages =
+          [ pkgs.git ];
+
         services.openssh = {
           enable = true;
           passwordAuthentication = true;
           permitRootLogin = "no";
+
+          extraConfig = ''
+            Match User nix-cache
+              ChrootDirectory /var/nix-cache
+              ForceCommand internal-sftp -d /cache
+              AllowTcpForwarding no
+          '';
+        };
+
+        services.nginx = {
+          enable = true;
+
+          config = (inputs.nixng.lib "${pkgs.stdenv.system}").generators.toNginx
+            [
+              {
+                daemon = "off";
+                worker_processes = 2;
+
+                events."" = {
+                  use = "epoll";
+                  worker_connections = 128;
+                };
+
+                error_log = [ "/dev/stderr" "warn" ];
+
+                pid = "/run/nginx/nginx.pid";
+
+                http."" = {
+                  server_tokens = "off";
+
+                  include = [
+                    [ "${pkgs.nginx}/conf/mime.types" ]
+                  ];
+                  charset = "utf-8";
+                  access_log = [ "/dev/stdout" "combined" ];
+
+                  server."" = {
+                    listen = [ "80" "default_server" ];
+                    server_name = [
+                      "${hostName}.redalder.org"
+                    ];
+
+                    location."/" = {
+                      return = "404";
+                    };
+
+                    location."/cache" = {
+                      root = "/var/nix-cache";
+                    };
+                  };
+                };
+              }
+            ];
         };
 
         networking = {
           firewall = {
-            allowedTCPPorts = [ 22 ];
+            allowedTCPPorts = [ 22 80 ];
           };
 
-          useDHCP = true;
-          # interfaces.enp3s0.useDHCP = true;
+          interfaces.ens3.useDHCP = true;
 
           firewall.enable = true;
           inherit hostName;