diff --git a/modules/nixos/services/binary-cache/default.nix b/modules/nixos/services/binary-cache/default.nix
new file mode 100644
index 0000000..88c3ac8
--- /dev/null
+++ b/modules/nixos/services/binary-cache/default.nix
@@ -0,0 +1,36 @@
+{ inputs, config, lib, pkgs, ... }:
+let
+ cfg = config.services.binary-cache;
+in
+{
+ imports = [
+ ];
+
+ options.services.binary-cache = {
+ enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = false;
+ description = "Enable minecraft server";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = "/var/secrets/cache-games01-private-key.pem";
+ bindAddress = "cache.game01.kb-one.de";
+ };
+
+ # Configure Reverse-Proxy
+ services.traefik-proxy.enable = true;
+ services.traefik.staticConfigOptions = {
+ http.routers.nix-cache.entrypoints = "websecure";
+ http.routers.nix-cache.tls.certresolver = "letsencrypt";
+ http.routers.nix-cache.rule = "Host(`${config.services.nix-serve.bindAddress}`)";
+ http.routers.nix-cache.service = "nix-cache";
+ services.nix-cache.loadBalancer.servers = [ { url = "http://localhost:${toString config.services.nix-serve.port}/"; } ];
+ };
+
+ };
+}
+
diff --git a/modules/nixos/services/traefik-proxy/default.nix b/modules/nixos/services/traefik-proxy/default.nix
new file mode 100644
index 0000000..5a91905
--- /dev/null
+++ b/modules/nixos/services/traefik-proxy/default.nix
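Review bot: `bindAddress = "cache.game01.kb-one.de"` makes nix-serve listen on that name's address while the Traefik service a few lines down dials `http://localhost:${toString config.services.nix-serve.port}/`, so the proxy only reaches the daemon if that name happens to resolve to loopback, and a plaintext listener is bound on the public interface where it becomes reachable the moment the firewall opens its port. Binding to loopback and putting the public name directly in the router rule keeps both consistent: `bindAddress = "127.0.0.1";` together with a rule that names `cache.game01.kb-one.de` literally instead of reading `config.services.nix-serve.bindAddress`. Separately, `http.routers` and `http.services` are Traefik dynamic configuration; placed under `services.traefik.staticConfigOptions` they will, as far as I can tell, be rejected at startup rather than define the route, so they likely belong under `services.traefik.dynamicConfigOptions` (the same applies to the dashboard router in the traefik-proxy hunk). The option description `"Enable minecraft server"` is a copy-paste leftover and should read `"Enable the nix-serve binary cache behind Traefik"`.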
@@ -0,0 +1,50 @@
+{ inputs, config, lib, pkgs, ... }:
+let
+ cfg = config.services.traefik-proxy;
+in
+{
+ imports = [
+ ];
+
+ options.services.traefik-proxy = {
+ enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = false;
+ description = "Enable Pre-Configured Traefik Proxy";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ entryPoints.web.address = ":80";
+ entryPoints.websecure.address = ":443";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # Enable Secure Dashboard
+ services.traefik.staticConfigOptions.api = {};
+ services.traefik.staticConfigOptions = {
+ http.routers.dashboard.entrypoints = "websecure";
+ http.routers.dashboard.tls.certResolver = "letsencrypt";
+ http.routers.dashboard.rule = "Host(`game01.kb-one.de`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
+ http.routers.dashboard.service = "api@internal";
+ # TODO: Set Basicauth via SOPS
+ # http.routers.dashboard.middlewares = "auth";
+ # http.middlewares.auth.basicauth.users = "master:\$\$2y\$\$05\$\$JwzsNHz7CMJh0RU1eMe3AOfY5H30Qr1Q/glS1r/qEHCNpo5LvWnRW";
+ };
+
+ # Configure Letsencrypt
+ services.traefik.staticConfigOptions = {
+ certificatesResolvers.letsencrypt.acme = {
+ email = "kb01@kb-one.de";
+ tlsChallenge = {};
+ storage = "/var/secrets/traefik/acme.json";
+ };
+ };
+
+ };
+}
+
diff --git a/systems/x86_64-linux/LoyAdjo/default.nix b/systems/x86_64-linux/LoyAdjo/default.nix
index e9e80f5..b2f6043 100644
--- a/systems/x86_64-linux/LoyAdjo/default.nix
+++ b/systems/x86_64-linux/LoyAdjo/default.nix
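Review bot: The router at `http.routers.dashboard.service = "api@internal"` is published on the public `websecure` entrypoint with no middleware attached, because the `middlewares = "auth"` line right below it is commented out, so together with `api = {}` this exposes the Traefik API and dashboard on game01.kb-one.de to anyone who can reach port 443 — the comment "Enable Secure Dashboard" does not hold yet. Until the SOPS-backed basicauth from the TODO exists, `api = {}` and the dashboard router should be removed together (or the router restricted to an IP allow-list middleware), rather than shipped open. The commented line `# http.middlewares.auth.basicauth.users = "master:$$2y$$05$$…"` also commits a real-looking bcrypt hash for a privileged account to the repository; a password hash is offline-crackable material, so it should be dropped from this file and the credential rotated if it was ever in use, not kept as a template. The `http.*` entries here are dynamic configuration and belong under `services.traefik.dynamicConfigOptions`, as noted on the binary-cache hunk.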
@@ -8,7 +8,13 @@ # Configure Nix nix.package = pkgs.lix; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + substituters = [ "https://cache.games01.kb-one.de" ]; + trusted-public-keys = [ + "cache.game01.kb-one.de:JF++7CgrasYciQeB5jlziqT5BTjaknEk9cMeh4lQf30=" + ]; + }; nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" diff --git a/systems/x86_64-linux/kb-games-01/default.nix b/systems/x86_64-linux/kb-games-01/default.nix index e4d3d7d..6df58af 100644 --- a/systems/x86_64-linux/kb-games-01/default.nix +++ b/systems/x86_64-linux/kb-games-01/default.nix @@ -79,10 +79,8 @@ # Forgejo Runner services.forgejo-runner.enable = true; - services.nix-serve = { - enable = true; - secretKeyFile = "/var/cache-kb-games-01-priv-key.pem"; - }; + # Binary Cache + # services.binary-cache.enable = true; # Do NOT change this value system.stateVersion = "24.05"; # Did you read the comment?
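Review bot: The substituter URL `https://cache.games01.kb-one.de` and the key label in `trusted-public-keys` (`cache.game01.kb-one.de:…`) spell the host differently (`games01` vs `game01`), and the module that serves the cache binds and routes `cache.game01.kb-one.de`, so this client will query a host that, as far as the diff shows, nothing answers; the line should read `substituters = [ "https://cache.game01.kb-one.de" ];`. Setting `nix.settings.substituters` outright also replaces Nix's built-in default of cache.nixos.org instead of adding to it, unless that default is restored elsewhere; `extra-substituters` and `extra-trusted-public-keys` (or listing cache.nixos.org and its key explicitly) keep the upstream cache available. The enclosing configuration set starts before this hunk.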
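Review bot: The replacement for the removed `services.nix-serve` block is the commented-out line `# services.binary-cache.enable = true;`, so after this commit the host serves no cache at all while LoyAdjo is switched in the same commit to fetch from it; if the module is not ready to be enabled, the client-side substituter change should wait for it. When it is enabled, the new module reads its key from `/var/secrets/cache-games01-private-key.pem` whereas the removed block pointed at `/var/cache-kb-games-01-priv-key.pem`, so the key file has to be moved (or the module given a `secretKeyFile` option) before `services.binary-cache.enable = true;` is uncommented, otherwise nix-serve will fail to start. The enclosing attribute set starts and ends outside this hunk.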