From 792e04f82631a03b110527340e5f4a943354d716 Mon Sep 17 00:00:00 2001 From: Andre Date: Fri, 24 May 2024 17:33:37 -0400 Subject: [PATCH] Enable binary cache on Haven --- flake.lock | 16 ++++++++-------- flake.nix | 2 +- hosts/Haven/default.nix | 5 +++++ modules/base/nix.nix | 10 ++++++++-- modules/services/cache.nix | 36 ++++++++++++++++++++++++++++++++++++ nix-secrets | 2 +- 6 files changed, 59 insertions(+), 12 deletions(-) create mode 100644 modules/services/cache.nix diff --git a/flake.lock b/flake.lock index fa9bc05..bee420e 100644 --- a/flake.lock +++ b/flake.lock @@ -249,11 +249,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716565755, - "narHash": "sha256-J5TSspiAn+bA2LXSwVGKvzdEentj0w4qFqSwpHRbDsA=", + "lastModified": 1716585945, + "narHash": "sha256-OxYcOt2ZshJ+VYXSrYb7Wc36cvWd7YjwSFzaDWNqkMU=", "ref": "refs/heads/main", - "rev": "d926175d96d4eec4e564727a6b4fad6d79be4db5", - "revCount": 38, + "rev": "6c78f91590beb0f486a024b277d8e732f797d29c", + "revCount": 39, "type": "git", "url": "file:///home/aires/Development/nix-configuration/nix-secrets" }, @@ -264,16 +264,16 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1716522390, - "narHash": "sha256-m7PeeSOk/Lov702wXTmImwrK/YZXb7ymYgkeoBLvsJg=", + "lastModified": 1716214200, + "narHash": "sha256-ivQlBlSxC1mrBepFc3CeqUqFcsoQelpgxseA7YYtyAw=", "owner": "8bitbuddhist", "repo": "nixos-hardware", - "rev": "98564f268e74658d3620bd8eac09d8a0cd211671", + "rev": "704f05a3c8f8beb1d08837f43670c44946faad66", "type": "github" }, "original": { "owner": "8bitbuddhist", - "ref": "lenovo-16ARHA7-remove-speaker-fix", + "ref": "surface-pro-9-disable-psr", "repo": "nixos-hardware", "type": "github" } diff --git a/flake.nix b/flake.nix index d38c173..ec267c1 100644 --- a/flake.nix +++ b/flake.nix 
@@ -25,7 +25,7 @@ nix-flatpak.url = "github:gmodena/nix-flatpak/v0.4.1"; # Hardware configurations - nixos-hardware.url = "github:8bitbuddhist/nixos-hardware/lenovo-16ARHA7-remove-speaker-fix"; + nixos-hardware.url = "github:8bitbuddhist/nixos-hardware/surface-pro-9-disable-psr"; # Home-manager home-manager = { diff --git a/hosts/Haven/default.nix b/hosts/Haven/default.nix index deb7c7c..c27517b 100644 --- a/hosts/Haven/default.nix +++ b/hosts/Haven/default.nix @@ -10,6 +10,7 @@ let subdomains = [ config.secrets.services.airsonic.url + config.secrets.services.cache.url config.secrets.services.forgejo.url config.secrets.services.gremlin-lab.url ]; @@ -51,6 +52,10 @@ in home = "/storage/services/airsonic-advanced"; }; boinc.enable = true; + cache = { + enable = true; + secretKeyFile = "/storage/services/nix-cache/cache-priv-key.pem"; + }; duplicacy-web = { enable = true; autostart = false; diff --git a/modules/base/nix.nix b/modules/base/nix.nix index 8034ce1..e42b7fb 100644 --- a/modules/base/nix.nix +++ b/modules/base/nix.nix @@ -16,8 +16,14 @@ ]; # Use Lix instead of Nix - extra-substituters = [ "https://cache.lix.systems" ]; - trusted-public-keys = [ "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" ]; + extra-substituters = [ + "https://cache.lix.systems" + config.secrets.services.cache.url + ]; + trusted-public-keys = [ + "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" + "${config.secrets.services.cache.url}:mTYvveYNhoXttGOxJj2uP0MQ/ZPJce5hY+xSvOxswls=%" + ]; # Only allow these users to use Nix allowed-users = [ diff --git a/modules/services/cache.nix b/modules/services/cache.nix new file mode 100644 index 0000000..f122b7c --- /dev/null +++ b/modules/services/cache.nix 
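Review bot: The `secretKeyFile` line in the new `cache` block names the key that signs everything this cache serves, and nothing here records how that file must be protected. The same commit adds the matching public key to `trusted-public-keys` in `modules/base/nix.nix`, so anyone who can read `/storage/services/nix-cache/cache-priv-key.pem` can presumably sign store paths that the hosts using that module will accept. I would add a comment above the line, for example `# Signing key: owner-only, readable just by the nix-serve service user; never commit it or copy it into the Nix store`, and confirm the file's mode and owner on Haven. The enclosing services attribute set starts and ends outside the hunk.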
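Review bot: The new `trusted-public-keys` entry ends in `=%`, and `%` is not a base64 character; it looks like a shell's missing-newline marker pasted along with the key, though that is a guess. With it the key will most likely fail to parse or never match the cache's signatures, so paths from the new cache would be rejected; drop it so the entry ends `...xSvOxswls="`. Separately, `config.secrets.services.cache.url` is added to `extra-substituters` bare, while `modules/services/cache.nix` uses the same value as an nginx virtual host name, which suggests it is a hostname without a scheme; if so the substituter should read `"https://${config.secrets.services.cache.url}"`. The key-name prefix also has to equal the name the key was generated with, which this diff does not show.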
@@ -0,0 +1,36 @@
+# Serves a binary cache for Nix packages
+{ config, lib, ... }:
+
+let
+ cfg = config.host.services.cache;
+in
+{
+ options = {
+ host.services.cache = {
+ enable = lib.mkEnableOption (lib.mdDoc "Enables binary cache hosting.");
+ secretKeyFile = lib.mkOption {
+ default = "/var/cache-priv-key.pem";
+ type = lib.types.str;
+ description = "Where the signing key lives.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services = {
+ nix-serve = {
+ enable = true;
+ secretKeyFile = cfg.privateKeyFile;
+ };
+
+ nginx.virtualHosts."${config.secrets.services.cache.url}" = {
+ useACMEHost = config.secrets.networking.primaryDomain;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ extraConfig = "proxy_ssl_server_name on;";
+ };
+ };
+ };
+ };
+}
diff --git a/nix-secrets b/nix-secrets
index d926175..6c78f91 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit d926175d96d4eec4e564727a6b4fad6d79be4db5
+Subproject commit 6c78f91590beb0f486a024b277d8e732f797d29c
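Review bot: `secretKeyFile = cfg.privateKeyFile;` in the `nix-serve` block reads an option this module never declares; the option defined above is `secretKeyFile`, so evaluation should fail with a missing attribute as soon as `host.services.cache.enable` is true. Change the line to `secretKeyFile = cfg.secretKeyFile;`. Keeping the option a string rather than a Nix path literal is worth preserving, since path literals can end up copied into the world-readable store, and the description could say what is expected, e.g. `"Path to the cache signing key; must exist on the host and be readable only by the nix-serve user."`. `proxy_ssl_server_name on;` only affects TLS upstreams and `proxyPass` here is plain `http://`, so that line can be dropped.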