From 5af29d9004fee262559405cac622fb3077071df0 Mon Sep 17 00:00:00 2001
From: kB01 <kb01@kb-one.de>
Date: Wed, 11 Dec 2024 02:31:30 +0100
Subject: [PATCH] Added Binary-Cache Experimental Implementation (Networking is
 borked)

---
 .../nixos/services/binary-cache/default.nix   | 36 +++++++++++++
 .../nixos/services/traefik-proxy/default.nix  | 50 +++++++++++++++++++
 systems/x86_64-linux/LoyAdjo/default.nix      |  8 ++-
 systems/x86_64-linux/kb-games-01/default.nix  |  6 +--
 4 files changed, 95 insertions(+), 5 deletions(-)
 create mode 100644 modules/nixos/services/binary-cache/default.nix
 create mode 100644 modules/nixos/services/traefik-proxy/default.nix

diff --git a/modules/nixos/services/binary-cache/default.nix b/modules/nixos/services/binary-cache/default.nix
new file mode 100644
index 0000000..88c3ac8
--- /dev/null
+++ b/modules/nixos/services/binary-cache/default.nix
@@ -0,0 +1,36 @@
+{ inputs, config, lib, pkgs, ... }:
+let
+  cfg = config.services.binary-cache;
+in
+{
+  imports = [
+  ];
+
+  options.services.binary-cache = {
+    enable = lib.mkOption {
+      type = with lib.types; uniq bool;
+      default = false;
+      description = "Enable minecraft server";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nix-serve = {
+      enable = true;
+      secretKeyFile = "/var/secrets/cache-games01-private-key.pem";
+      bindAddress = "cache.game01.kb-one.de";
+    };
+
+    # Configure Reverse-Proxy
+    services.traefik-proxy.enable = true;
+    services.traefik.staticConfigOptions = {
+      http.routers.nix-cache.entrypoints = "websecure";
+      http.routers.nix-cache.tls.certresolver = "letsencrypt";
+      http.routers.nix-cache.rule = "Host(`${config.services.nix-serve.bindAddress}`)";
+      http.routers.nix-cache.service = "nix-cache";
+      services.nix-cache.loadBalancer.servers = [ { url = "http://localhost:${toString config.services.nix-serve.port}/"; } ];
+    };
+
+  };
+}
+
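Review bot: `bindAddress = "cache.game01.kb-one.de"` in the nix-serve block is the address nix-serve listens on, not its public name, yet the Traefik server entry on the last config line targets `http://localhost:…`, so the proxied backend is not reachable on loopback — bind nix-serve to `127.0.0.1` and keep the public hostname in the router rule instead, which is likely the "networking is borked" symptom in the commit title. The router and service are also placed under `services.traefik.staticConfigOptions`, but routers and services are Traefik dynamic configuration (`services.traefik.dynamicConfigOptions` in the NixOS module), and the service key lacks its `http.` prefix (`services.nix-cache.loadBalancer…` should be `http.services.nix-cache.loadBalancer…`). The option description is a copy-paste leftover: `description = "Enable minecraft server";` → `description = "Enable the nix-serve binary cache behind Traefik";`. The hunk is the whole new file, so the rewrite below covers the complete `config` block.
```nix
  config = lib.mkIf cfg.enable {
    services.nix-serve = {
      enable = true;
      secretKeyFile = "/var/secrets/cache-games01-private-key.pem";
      bindAddress = "127.0.0.1"; # loopback only; Traefik is the public face
    };

    # Configure Reverse-Proxy (routers/services are Traefik *dynamic* config)
    services.traefik-proxy.enable = true;
    services.traefik.dynamicConfigOptions.http = {
      routers.nix-cache = {
        entrypoints = "websecure";
        tls.certresolver = "letsencrypt";
        rule = "Host(`cache.game01.kb-one.de`)";
        service = "nix-cache";
      };
      services.nix-cache.loadBalancer.servers = [
        { url = "http://127.0.0.1:${toString config.services.nix-serve.port}/"; }
      ];
    };
  };
```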
diff --git a/modules/nixos/services/traefik-proxy/default.nix b/modules/nixos/services/traefik-proxy/default.nix
new file mode 100644
index 0000000..5a91905
--- /dev/null
+++ b/modules/nixos/services/traefik-proxy/default.nix
@@ -0,0 +1,50 @@
+{ inputs, config, lib, pkgs, ... }:
+let
+  cfg = config.services.traefik-proxy;
+in
+{
+  imports = [
+  ];
+
+  options.services.traefik-proxy = {
+    enable = lib.mkOption {
+      type = with lib.types; uniq bool;
+      default = false;
+      description = "Enable Pre-Configured Traefik Proxy";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.traefik = {
+      enable = true;
+      staticConfigOptions = {
+        entryPoints.web.address = ":80";
+        entryPoints.websecure.address = ":443";
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  
+    # Enable Secure Dashboard
+    services.traefik.staticConfigOptions.api = {};
+    services.traefik.staticConfigOptions = {
+      http.routers.dashboard.entrypoints = "websecure";
+      http.routers.dashboard.tls.certResolver = "letsencrypt";
+      http.routers.dashboard.rule = "Host(`game01.kb-one.de`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
+      http.routers.dashboard.service = "api@internal";
+      # TODO: Set Basicauth via SOPS
+      # http.routers.dashboard.middlewares = "auth";
+      # http.middlewares.auth.basicauth.users = "master:\$\$2y\$\$05\$\$JwzsNHz7CMJh0RU1eMe3AOfY5H30Qr1Q/glS1r/qEHCNpo5LvWnRW";
+    };
+
+    # Configure Letsencrypt
+    services.traefik.staticConfigOptions = {
+      certificatesResolvers.letsencrypt.acme = {
+        email = "kb01@kb-one.de";
+        tlsChallenge = {};
+        storage = "/var/secrets/traefik/acme.json";
+      };
+    };
+
+  };
+}
+
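Review bot: `services.traefik.staticConfigOptions = { … }` is assigned as a whole twice in the same attribute set (the dashboard-router block and the `certificatesResolvers` block), in addition to `staticConfigOptions` inside the `services.traefik = { … }` literal and the separate `staticConfigOptions.api = {}` path; Nix rejects repeated definitions of the same attribute path within one set, so this module will not evaluate as written — fold everything into one `staticConfigOptions` literal (or wrap the pieces in `lib.mkMerge`). The dashboard router sends `api@internal` to the public `websecure` entrypoint with its only middleware commented out, so enabling the module publishes the Traefik API and dashboard without authentication; leave the router out until the basicauth middleware exists, and move the commented bcrypt hash into the SOPS secret rather than keeping it in repository history. Routers also belong in `services.traefik.dynamicConfigOptions`, not the static config. The hunk is the whole new file; the rewrite below covers the complete `config` block.
```nix
  config = lib.mkIf cfg.enable {
    services.traefik = {
      enable = true;
      # single literal: repeated `staticConfigOptions = …` assignments do not merge
      staticConfigOptions = {
        entryPoints.web.address = ":80";
        entryPoints.websecure.address = ":443";
        api = {};
        certificatesResolvers.letsencrypt.acme = {
          email = "kb01@kb-one.de";
          tlsChallenge = {};
          storage = "/var/secrets/traefik/acme.json";
        };
      };
      # Dashboard router deliberately absent until the basicauth middleware
      # (users supplied via SOPS) exists; routers go in dynamicConfigOptions.
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
```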
diff --git a/systems/x86_64-linux/LoyAdjo/default.nix b/systems/x86_64-linux/LoyAdjo/default.nix
index e9e80f5..b2f6043 100644
--- a/systems/x86_64-linux/LoyAdjo/default.nix
+++ b/systems/x86_64-linux/LoyAdjo/default.nix
@@ -8,7 +8,13 @@
 
   # Configure Nix
   nix.package = pkgs.lix;
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    substituters = [ "https://cache.games01.kb-one.de" ];
+    trusted-public-keys = [ 
+      "cache.game01.kb-one.de:JF++7CgrasYciQeB5jlziqT5BTjaknEk9cMeh4lQf30="
+    ];
+  };
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "electron-27.3.11"
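Review bot: The substituter URL names `cache.games01.kb-one.de` while the trusted-key label on the next line and the binary-cache module's `bindAddress`/router use `cache.game01.kb-one.de`; one of these is a typo, so the client would fetch from a host the cache is not served on — align them, e.g. `substituters = [ "https://cache.game01.kb-one.de" ];`. Assigning `substituters` and `trusted-public-keys` outright replaces the nix.conf defaults, so this host presumably stops using cache.nixos.org unless it is re-added elsewhere; `extra-substituters` / `extra-trusted-public-keys` keep the defaults. The key label must also match the name embedded in the secret key at the path the server module references, which is not visible here, and the only server-side `services.binary-cache.enable` in this commit is commented out, so the client trusts a cache nothing serves yet. The enclosing attribute set extends beyond the hunk.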
diff --git a/systems/x86_64-linux/kb-games-01/default.nix b/systems/x86_64-linux/kb-games-01/default.nix
index e4d3d7d..6df58af 100644
--- a/systems/x86_64-linux/kb-games-01/default.nix
+++ b/systems/x86_64-linux/kb-games-01/default.nix
@@ -79,10 +79,8 @@
   # Forgejo Runner
   services.forgejo-runner.enable = true;
 
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = "/var/cache-kb-games-01-priv-key.pem";
-  };
+  # Binary Cache 
+  # services.binary-cache.enable = true;
 
   # Do NOT change this value 
   system.stateVersion = "24.05"; # Did you read the comment?