diff --git a/nix/systems/oci-nixos.nix b/nix/systems/oci-nixos.nix index 164671a..a0868b5 100644 --- a/nix/systems/oci-nixos.nix +++ b/nix/systems/oci-nixos.nix @@ -29,19 +29,88 @@ inputs: { flakes.enable = true; }; + users.groups.nix-cache = + { gid = 1500; }; + users.users.nix-cache = + { shell = "${pkgs.coreutils}/bin/nologin"; + group = "nix-cache"; + isSystemUser = true; + home = "/var/nix-cache"; + description = "User for uploading things to the cache."; + + uid = 1500; + openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)" ]; + }; + + environment.systemPackages = + [ pkgs.git ]; + services.openssh = { enable = true; passwordAuthentication = true; permitRootLogin = "no"; + + extraConfig = '' + Match User nix-cache + ChrootDirectory /var/nix-cache + ForceCommand internal-sftp -d /cache + AllowTcpForwarding no + ''; + }; + + services.nginx = { + enable = true; + + config = (inputs.nixng.lib "${pkgs.stdenv.system}").generators.toNginx + [ + { + daemon = "off"; + worker_processes = 2; + + events."" = { + use = "epoll"; + worker_connections = 128; + }; + + error_log = [ "/dev/stderr" "warn" ]; + + pid = "/run/nginx/nginx.pid"; + + http."" = { + server_tokens = "off"; + + include = [ + [ "${pkgs.nginx}/conf/mime.types" ] + ]; + charset = "utf-8"; + access_log = [ "/dev/stdout" "combined" ]; + + server."" = { + listen = [ "80" "default_server" ]; + server_name = [ + "${hostName}.redalder.org" + ]; + + location."/" = { + return = "404"; + }; + + location."/cache" = { + root = "/var/nix-cache"; + }; + }; + }; + } + ]; }; networking = { firewall = { - allowedTCPPorts = [ 22 ]; + allowedTCPPorts = [ 22 80 ]; }; - useDHCP = true; - # interfaces.enp3s0.useDHCP = true; + interfaces.ens3.useDHCP = true; firewall.enable = true; inherit hostName;