Hevana: add authentication to binary cache

2024-12-02 16:26:29 +00:00 · 2024-12-02 16:26:29 +00:00 · 837f9ade96
parent 3057997004
commit 837f9ade96
5 changed files with 150 additions and 119 deletions
--- a/flake.lock
+++ b/flake.lock
@ -268,11 +268,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733066523,
-        "narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=",
+        "lastModified": 1733139194,
+        "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "fe01780d356d70fd119a19277bff71d3e78dad00",
+        "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88",
        "type": "github"
      },
      "original": {
@ -316,11 +316,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1732837521,
-        "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
+        "lastModified": 1733015953,
+        "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
+        "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff",
        "type": "github"
      },
      "original": {
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@ -120,12 +120,14 @@ in
        onCalendar = "daily";
        user = config.users.users.aires.name;
      };
-      # FIXME: Find a way to require user authentication before enabling the cache again
      binary-cache = {
-        enable = false;
-        home = "${services-root}/nixos-binary-cache";
+        enable = true;
        secretKeyFile = "${services-root}/nixos-binary-cache/certs/cache-priv-key.pem";
        url = config.secrets.services.binary-cache.url;
+        auth = {
+          user = config.secrets.services.binary-cache.auth.username;
+          password = config.secrets.services.binary-cache.auth.password;
+        };
      };
      boinc = {
        enable = false;
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -1,105 +1,108 @@
-U2FsdGVkX1/cSpFu+Shxo2hjjU+rjYuOce2GRe2r+T8IFOg2Hf66ahIHqDK4SvCC
-n+XzBQX4KFo2s+hpYu+8ik6EisJxEqNRiheQyQRgNitfQQ4hmHJxNrXP3APxSz8t
-jsMMYjINs9wgsAe/YukNTeV0GDjjEn76D3ykFbQr0LJIDm2Nh+WYDJjHAdTZanMq
-9DqWXh/wFM2PskIfSfrgizumLHgDlxSyRpTHoIXghHd9E1O49mQeXZdE+gdnfhnw
-pinEf3GkvCmXJd6MbFUTL/hzWKjk69OghN4siPUg2fqm8uTfapGu9lxh3e0iljEY
-lCtkYKoe5Oj857RZDqHB5CB53PI16B9Mdw0GSlqVuU1oR0Z1nPCCteJsz9FOylxQ
-JVp8uhfXUWu/NeVpArv5TB0zIpeNzuIscGFcmFzgFAFOkmIvovo386kOyf5wMHEn
-9FaFtEV0u82DN6VFcptgoJ1SQECl2cHC9mYnRVcr9Ab7jZVssm7Kqg3XGfJBME5Q
-pe3dD2I2/+4jFGSHuU0+FWhPyeCpZ5aLmFTVkh/LfH7EiV8540hl22K7K4zy7m0a
-X9LyC5GIiWU/rkHDDouANRRhvaMUGIPg4fWOEcx2qwt4EwU7rZreom4Hjp0VIRgR
-PboE04k35kR/m/fFo8sp271mbUm2Mrl2r4JW1vT9gLmCpma4tZC9RsUNPTr13uzb
-481jvphquAL6jYgPhH48sSLJ6WnHxMDBcwckey1LtoDxcIS1LTRx24BWfe6b2kT7
-gFH0x14JTMQB1DAn0FjcBVx8rXlqlb3Jpxh3Wdhg8ic4F3v6sonuCmaW9eCNGrkm
-tqciHoFz8f4uzssRWDydz3zvLF5dfiAR8MWshDucS4H4Urbuw3br5utxH/21guG2
-vWoPVzbpqc4qwxOjCe9XniYkWrNScFUiESePsCZrGBIzHmQjcNXFsooRDzge64tn
-hKa1FRfD3FfDXAL6/GPHuyWs/jidpVWElAVlY0bLpvXwEFF6oUtP26qQhnnfV1pl
-l3vvBZDy7WP0nV2Qwc+gOAzIX9A1rEn85HPIR8yeWRETsE9kyVETwdcv9pVVXB98
-k7E9Kso+sPigJXWGXO2pkJJ63VhnOihBFrW6JSkqSQ55po6hCldtJOKFrFcpIqR6
-eR1y+nuAsYssh0vgzaOAasAu5zS3T3BYKDfQ4v2aqdd9T7JHGHEcVH0nUDd3UEtf
-TleUHzH2YqDRuX8iPc0bMxbbm0he6AyGvReUiFEOfXIbxVenjv84nWtWuW55/iM8
-9DOC5mASYJkMiw2E82CSN2/lcm2ZeJiUoKi5AvMWK9qJ1Gkn1AXgiqJG9LAlUlxQ
-e0HOmkCDatGDEtuRvhBf6YEmPJW+7Yxccat3XFdqItp5UukfipRJJ0oZJwPLEmWX
-zdMT08cMn+/76ExqIcre8Pc4G9i8eWfG2JF5bOTZe7obQgar3gE9Yb6ZfPUkiKJk
-Iy46yv9qJq6zjBbFjOIqH00llwn3l2ArqcmKJvg/jyLuK1/6kWXUpOQytkihE9Py
-/2X2KM2n7lBHE7nuwGh4sy3sXT7byiu8OD003UpGytHsUaJDiZZIOyb3yOSHo34i
-8JaZBpFZfnZnBct+qdoLGwbZhrNY+NVSSyTaLKucfC8lpc1FLoyY6XBHJr6n+c43
-rqFF6SqW4mXw7HWU22zF4RgIa6129ZyF5AzM8XJnvC8scg1jXc/Ywo18gT7eVnZf
-X3sYhFt+BIIKDjsAUtePnhD469kT84sx+nlxwwyXhYoJXPyMy8r9bVqrmIAVUXDT
-wE21vUrUnogoqhgjKSZAHbtZNOAxKIlrdm+JKq/sUiYacN6XuZDn9b9YpIDxCIPQ
-IFi+eHwyGYkkgzeuKb50rhA5OPMiOHk2xhvS9ptyYWv33e+KQEMFFv3XiURz3TWg
-75N55Lw2vrsv4RkesTGnkqD6B/D73Y18GiycCpQUjxqYrVIDZiGvdLUV+tJGOij2
-6Nrj3II1HDWR/pN5/FtOPRUyluITmWWQODGiucqZvMzWGRoUC+wEXdGmLLVQAeS0
-j2tQFpXJMVdaRBH0BcVbifx18tD0BW1pTPGvXVgP+IgKf6Q9x76SAkI8T3o8TorY
-U+jqxGfUPpS888fwDLnQLBC9r8O+RKMBDGYsf/2l2crN9QXPF4tCy4LKs/BjksFE
-BunBa68vc5eAiNhlLZWKfMa76ybeQWjJC1+DyRjCyGgR8R+oACiGbfI9HdV+EikL
-99u5vvlHYWyH9EltqkfeKfVq5/XzkQltUG3kS2N9S1QWYBJN+Q8DeH9UjcMO1JB+
-krcpF3/9gPN6G+Id9H5FlkmmQ7qqLzlRxphnw0l6gB3NPFUil6bUbhDA4lEkkxKl
-1lLjfyf+s6y7TQ+rZRptv2x4IuYVchWX0X8fXxrHoBGJt3yBNalBnG3SIfuvQNaC
-oEy+3U80Ow4ecpTBVOZstjHimlE7qN4kX0+YL3hmDeDI30wIgDOnSISZADMXNGer
-Nngt54H2cy8/0ipN05+H1M+5viD/X6BeXDCN+bQ2NtanhExlpUSfCCMqG6BBJD5F
-p38kux8XXuNwgPccTLedqf9sutjDGtRjyrKOoa6H25pnPKwKCNPcPzfD3+nmfMaf
-Zu4P2CM5MYZQmH/k+ToC0DYR9kgiQeWqmW+Mdz8f2R8XMyFuvOFHPwkF3CFsoACQ
-Dwj+93rjOQiQVJ+ZgoDIOIxrdKzp5XC2ZqaYQnwHvrPihZFkM2PtjZLGGQBarD/r
-gV/WgjpAWRPIWgr284/uCbAyYw2uWPKFOzktSaY+/gPoPB3o2Ram9b3T/icoearO
-hv3GmDPntSe9DcSoKjh9b8ZTrmNhr/fKjK4nd7UD64jwA6ySy3nLl/CNBPZQULiO
-lFQOWKGIcvySLH1vZ9afgoGOh5fAApgMsbVnaF1bEtBxJ6xXV7mkfr1YK8GASUUI
-ILJta7zyJNQc5XSpwScEcnfjJR5cqOXWUO4IyJfsVMhE5CZW3nbZkOnczNREf2Pj
-CSqqEtoJeajuHyPy8V5EKf3GgOG3cJvPFG1Xm/CwtXT4QhH33U+8nOiqgv8V5BeX
-H2hNg/9xeYvu/WZg65R/z5sf7LtSC5HHKqUw9SQN12/SiwzmWBafcrgiRwnH13uq
-o/N1BHcP7ie0ySOdWL1+C0p/vBwKu179kKHtCoc78XxXujioE+blGhN3n+gOSTYH
-a3TeCLiTUcB9arwc0rK6MaABvIyws0+aDwNxYQozsu0U3yayx5Dz3dp9G0UvpRVc
-04WQx3tfePBtM/wz3UHU++Paj565Gj8WRW7ISAmUzTZqZQ85Vg9j+3YotsHdennj
-Nbbf/FIqnzvAUuSKUNgqJfwelPtBB4BExBUt2KQY0Lg1BeVHgeoX1QGUy3Gou3Cn
-guGlkapNZw/WMwaso06yzbsep+VjF603gQv0Freh59CRWss0gqMlCcZPMcxW6mU2
-PbqV4r8TwBxBLTLu7pTY9YUyfL44mDdyvpv/3KHEGYL5KL76u7bNIeBDM8P1P4tZ
-+HnlSIZZYXDhWR9giJiJrqNnAIouargdvU6PLVIi4hGoVq+RdRtQ8kWbTQFTarej
-4JcoKzlPVsahW+O8AEU1ZKhhV8RSNm7wBvIAdHRTxxJexTzG5+3U+IBAKOPRtMsq
-TNQf9PQYIHKc2jrcYevgRRlMXSoxxvoWEObh1Vumi/Ack9E+VqXbNeGPQ5ZZGX6N
-9MpTMEZhKy9cPTdUa7Yk6MdzC55jydCqRYvtJTTUwZmIdI17TchnT8hBKHQCZS7G
-7UsfJwJsK3rKPVo9ASdtiubZc3NfQ8pcyu3UTJnRgx6UnH9ByUwSaTXU1d8l87mU
-dKEEAX5FZmRn2hE/8ziPuSS1zByL0/gfMyupT2Nlk3XKO68DKc+VEtJmZexli47l
-2BdrktreYib/N6MO2Dd4J+OdyusFZ0vxPGe2fGGJnGptMEhe7Kcf+P6PtN+htEMd
-nM6/v37tHTLY2mU0hAlLhTq0TGJc+Vuirqpbrd0NJSF8N+s7/g0hvaFlG2APa8DD
-8Ti0ij58dyuGErbkexHzILztoNh1vX1Uw2NMLF0gaU33FOb8Vef9yPylIDFFa0I9
-6vW/Zd+G9s0Rgvl0RhjM/YPLr/KT7UuvgWUVgKaVsaiMItU4FLvGTIeX1dggEtoa
-2Ci91rdD0NEhFpaT5jYk1uEZe/K7OxpSoawqT9IhQ/IbaYqljYqSSbVFjSf5OV2N
-cLC1ac7rQHnwY2BsOaYo7NR5XvMEFpThotdq10X+S63AVZg8GNZkBaasfjXlL4j8
-mFpiK/IkTdjqY3nVuPHCXqxoZOHNr92MKwjCo5ER4cp8m8Wq5SS7yYCaWwbcN+3S
-b7SK4Iz1yaDyX9Bv+Alub32Ep4eu+Ldmp4zDuUOM3dAuactqRIRA1WFwAeoGRdht
-6vhz9GZBYS7bmOwxaI4wnkzUevyVKIDsFzYetgPgi2ZPo0gNrapbfvRDhIP5m22Z
-IynjN0IYu6V8y7dYOX301v5NlTJ1XCIpRHdoDzQuE97pcVZUwr/h0WRrhSZ/bo/t
-Kn0l+g6Qv7t37ffvHgEyGNc+koA+ouNzO7B3dyehenZKeA88M+PbAw1px84no/qm
-p3EYho72sWA1SXpU6EPVVmXzI6QIiKmkzifHarf2X82fGnjzWLdOpQUFjAM8izp/
-cbpe+Ar51iYXlhAVR5GxKHHPX7StIwqJSwkOjxLzlRjTMzSVtRh9ORC+zBZHzrCl
-2L1IjN6Zws+eJpHwqwNuD4v25XJ0jAEjKlTnZ7isc/lAsD0/tOeR2AhH+VxBq5X2
-t0ztO/F+RLKN9p3voR80Zj2ijiv1kVczRFBn9rdWAdxUUUpPYFWTH/tKsHlwW5Ut
-eIXNZtnQfMwxZNS6Z39xDj0uw4xfN+j9TMkHQOygNB5xyAh7/nfTolSKogHqvvtI
-9QmVx3YBMwivQXhOgH5QrXhihu4Nunq4MpHMZdt9sz/rEDdBFl/2NnndiJMY/94q
-xTCvDwC1iY6HpI03lUUfD8C6ZSyij01iEGZDJNquvMGL0uYRVM1R987KYkeGNyoQ
-+jgpYaJ/jTiZQDKA+otcVDTwj5LQnbYYv4uj6L52Fn2amHtN2cKOjKRNtCGSFuJU
-oC7MZBQ4Dn68q6Tz/h9BhTSKKN10GriXKeMdEVcBrct4k1b03aaA3A3lo7bgGsFP
-qSl5gqW6YDYJ8tiwckAOHEXbf3x5xTTxYtdhB6tcKpRSsnQOApEgNGVH6a+m7T+B
-tL/teR1UUgQvBRDVXV92lUzjzQVFSezQn8DL7W26N5PD3tsLlGWV4qFPOQxUrUpj
-W7hg7/VQm6dpMxzlx3UUJASSaBmujJkA8pcd7E8rRlmH65ftKpcEEYBCxXssNPUn
-0RjOrr62UDh1nk/MB/5iOJV4bPnTHPRNeIvRq39GAH4JO1p25jTI0Sg8vBPfTjHG
-UfvforsakHGyVeUZQTPkWx5GV1J6KDyzZXie8hmRSNtf/THauXeQf+jHhiN0uXQD
-C3UkrKykgBSZDQNwpzWWTmmnz3a+O/xfOuQs+3Kw7AI8u7lGXT71OKWgjOcvTaT7
-TjMDfHQobr/SAZ8sYa4dO57RFdTcDTX9tfYR9Rft6c9GtYmC1KVGy3+1tI39JFNA
-ZSIOn6Yb8edH8oYmuAoLJ1hJ/m8WXWDEv6gidWULO4Yl8kIicxcM+e57SLm9/G7J
-flUgjA3m15VJXrMQpR01FZ7zZW7W8Q2yzvmYc009hdTq0a9591Hmumi88CMrnZpg
-7ix3aIbAocET8KXMmQBb8DZyV1aSVUJ14SXBoLTLCq2OEb8n9K68wE4gLujWvDBD
-Fi+nruogqRxnZnzjhCYjaGzdV9ac8EJ9zZ8pwr6YitS7+jN6K+S8EbdfvdVtNJ5d
-yALI+/TzClJXV2A3TLfekgjE9wkrBtaTBNAHed3n005mKYpVdBzjjMQ8Yr/wfFXX
-419eJsvY9G/v5jxqGHbaYImL+5ECPq2yRsXoCyAgtM+C6lw7PvPT/K+tUAxzc+A4
-Qmv7/Yvwz4cECee4cjQVt43O7+p7NQN1Xy1cpqCAIxiz7QMf5UKxVJlq5GgV11z4
-4QGBeg47uEtolS96mIaiJ2IIzqR+5i+M9F0R2Szu20ExjFh9pKyZqU+d4jX5LBzp
-MHpL6G16CC8O5wAJxZE0HUWJ38IZR611r7QnVZ5B6E/TTA0CdsNv0nIaNoigcKZf
-t4mtpKguVNdcYDVPCieo9fUVlg0swShP66+K2dPBdrONZxvrR7OpSf9cSEdvnijb
-2XkLHMoh9mByOrqRFxZhLy3sWV5BqIc+wxoVXb4bF5ve9+E+7d0w0wMO8bsdixE/
-rMcH2TrMbnfF+LXXf+NHWQxzPvto6EUQjc0vmXQ9Z9La4Q8Mc1Q40YyAWIoQ7Kvl
-jSzoggxwkp2Rlh59slijz22oTht2meHseA0dQC8+sUbxo1gnEIIUH8sbUaAr+CO9
-ObSVnXz9OQrQ5XtNwXmblaaZD8Qn+AyyuEDzbdlDv1WMrGIxkokLeDDmdFWtmiyU
-A3FtpE4XOoQPgMv/UsIpUtdu9N1ImTXXWGFfFYvp+1u8wFp/rYxZpsLx8fpTctWj
-OX8ge0Ivy2sfVgLVRCg2nd4HBrBdBU//lPHwEeZtKVgcUmvRGMEDqTDAc2brtG/u
-XKIaixhUto2Gqo83CT4EJg==
+U2FsdGVkX19USw6XheqcSEjdoumO7SJGW+Qm4tMjtredkCsIRTRp7OBxFKyOcieE
+s9feEZ3DwJlMxXKOsgtd0bvcPPDFFUyOzSgFAEFP+IDFE54C0P521WxW7fDTZj25
+BKTz2ZO9W6t5HpiyF9R9FbK2fTNs2gI7arCw2LHnJzb2BnzUsDkSDH4oplKchtmA
+ETBBI1PzVAJklVesXvWOysUjDRIFuF3KbeoC3Lu9YTtKDrRFgwAOy+zX8IGs8RTu
+0D19+y3Wl5qfKYNum20W0r6QHM41tM3MrzQzd6qoliNMdEZ3YkTDzYymdOjsLK1t
+N7JLd/JmSIU6/pXIV4ZOQWCk1Rpl+Wv/3zqieFhB2d2MEQ/R8JbuTN+Is5bar44u
+I87Kp3Xtmtt88bZoDKhduL5Q9O2koHoP1v2UsY0KXweg08WMwVeaoI27IJpTd7/D
+/FbHYJy26dqZKEQpvFnl/rG9MEbLLh9na0SamX4OCNsBMNAgUQ9AvDzJQ+5UaVmA
+ctlk5hXRNBitkQr5g5/hUir9bmjTlYlxb4DyvIOYUjaOkYc+5mAaphfrN25S/MiC
+OWLUo5x4+FpEbfNuzOf5dye+ucZyclJXTzNDR59ALnGCRARnx5Gh3ArRVgpE911k
+b+DzWrGCzcrwQUclEoJYEJt0GQqdSiTj1141NU+zGPZb5a435KeTJsMrfz07+O8S
+2acu2QluIe12KPIKijUKcYQ1ZihVxrwuCQvFQ7sfzbB1aCZ7h2uHJGyDIpT/OBPw
+GTqiUXblRs4zAsNumXHIloj62L1l0CqBvO8XLCays8HhWPpNAxOZLcgUgoHSFxzt
+hpHRSvHhNRyXAP5WEYHP8fL3G801XwEcZK8PkDUAv9RD3p/Kigw/kxfcd1OjQXJO
+7XcWh8lyv9InpQ8SpixmaF2UZ20cyoc7otYApmSQnbAhFTHe3665UGFFQB/HUgF8
+F8Vv7uEyjmI+BcaTNdzOjz7p6SVtzlbfjg7/rYmLF/naleYxMnbNRHgFD/Z7U2+c
+uK5BZC9q3W1d5XtJe1z6XXklnx0BU/qk+50T+A84xIjhKDist8rbzP8OVQuTdb+K
+UI0I1nE9Eyvthx13oscFxQlRGKArbsRyWscFThzXwEvO7qNGRpuOZhlHFYcw63uF
+GwxqPxNpOScReTEIemtZyaamfxzJhxoJjm85bRDEKAadS+fGFnGLs+Jd3bFeK6q/
+D7f7dMRYTM9qNM55DPDk0DQoXvW2qCOWVQelObc3FrQ1XrRGZO12XQhIgoAP+fNo
+fmXc/gfSeVU2HPtV32sxv2bGzaFqNEjAC0mTgJz3Pm1FkOrXVbNcGKahlBCRs1r0
+hQQAELHz3sZ551/XCfZ0sHXDLYO1CqE1cjbFklGuLYXMiQvkC2gFHQFdergOie4m
+r5jyzFupo+SxKop7N/zTtues/1em/F6KTN5GXkSS+Gmo2oCcHWcb/qxeu4FQqPOk
+f9L3NvzOuMptSSfTNMsQl50+o8UdU5GOE9DmourEJUjW7+TZkhW6CkufizVNi7B2
+OFdCsZ4jWd/37ncoPzRu+F6Ub8ymnu+dPiyjmk9PyW8m/+98KY4auimgwBGvqLCe
+OD59TC6XE+cKgtNEhiwbdrmzH1qEhmvHY/jh2EiijCjw5lSb7eKFT5nOt9CdyGhN
+KItEWDMub/1OxuwArVPZg+pner0SCdtpKU7g86s591i0vJwMHqkAMYr/zqVHLogq
+3y8/Ov+4Xgn/UGf9p6XplunT8W0nZkWdND9HerRra00JOrMt9vw5v9/aTxKI1ps0
+USAmCo887lPQ9Yh9D+2e8Mc0c5Fsvu6RJ1aX+ZCSkvZ1QTdHJcukaH0Y2a4Qbzna
+Mztw9AjbohUjSb9ZseK5bBXazoSBqUuc9/pnbkPzsW9uDBgfu7YWWpLtU5XISWXH
+aovsyoJmRDqfIC4n7GuQsQ+5XwGOLPtH/NPjrebKQTBl/ppqdYPq/q0JxsCeEw6P
+RJHV6ymaeoZTsjjIw85YD1h4idDeMbCfOXkZuCTwbUX5TI7/BQ+4dLiPSGpwatsg
+ou+kg62eJ/lIhW/lwPfykvQ0g+lm2AxzHdyZHFCLQaMd2VxhU0jZw7WoPgoWnKwL
+TlW7XUjCg1TFxoB5qD1zG5VkJZaeFfHwP6D3tr/aDf8sBUxvjD3BWWQiG9i6gkFK
+lMfDAewphCXYcTw0wqRl6QdWn1tMXyHweDppvvBGxFNIVtX6O+eHnVqfrKRo1w6K
+vL18KTZ4kSzIwQpdcIMFUKpeYVh2UUbh0d276pHbuQM3xqsubMBeiLXiKF2yN8HJ
+cGEr7uq0BZaemQD/5xfJ+tI2ArEQ8ti7rLxBNkZg9GoMq/l55CCTgj9jwDo5V0p7
+C49ezV6pgfDclIdlFsJocSuqrLJTFiofkzJRyG0/nVbZzO5lOXWN0sYAjN06unsm
+hpxtcmhuUhk0QNcr0fNQYdwfhj+GzJZ0LtvOWt2u7D8xoDiWnQzWWWd2zqN+gLNI
+ryFnNBeoiNxMpz8xJDZybZp/sG7wgugAsaYwBCbx0Dk20sKeU08vbDE9I5V6wRa6
+bhmeT7+yb7YmATGwohbTRWygfc9+b7LIIsU7oBTOxkBRdNyzwkhTA7vGQuBYYxBY
+uHDxY+ao36cWiWSidEwLEAoNWl3zUx+EaT8uuuMT3c/524dMsHJAhUXEvk3ayUGQ
+KDnEVat7rTQ5wSSfO0YhoHmQ8NdIrM3YBlwepT1Rav1zg4jnVS6YHZY2py05aRKm
+B8Z0MBu/+LwC6Vrv2n1YroWVCmtJjtKbwUYYv60Qi5SVtsCKMn4DYMEJUCC/EnNn
+NeJ6CZ4VeDbzE+oWF4hw0s6MvLmcki+9MNB/CjqZEtUWtDS3I3axn84J4vwRZ2mk
+iHGVDSTZsrIIf61+i6fJjT9E7xhGHCKrAf6qoHYgew6ABuI6rGjpHnSZdXbDY4Vv
+sUrNdLPuTvWpM7p1Xub48LNRPo5cAa3H4zF5C/brI7i00MGMwoZGbTIpj4FerWNy
+R21vtOaeYrSeKKLZxzvhsaiSfb5xHIRzNurP/tTZcwyjNLX5GBoo+d5zqCwKObRE
+dhL3K69f+GWS7EXh30HbMiGd6snUhALUjPQAuLFwX3gsnTuGzOijsiRB4HUf65ZW
+zX/QFywqBYl1WS6gyeV2Ab9sKFvbXNC4R7zrLpKp8MsZj8tjK4zeSvTUaKjvcc3G
+6vYzzhFs8QAIyw7o5MUKh4IdskH5231dgIhjRX0K+G0QOB6QLLdBwMx5Bn3ymW+M
+SLf8hQpf0knNQL3oFE3eNCLazsEK104dZzq+J50bCGGCIX5qSYJ+l5L442OjBW7v
+vpQkEv6z/LToyFNoWfpS/WLy6nEw9Vud7Qk45AtaN5Gs1dO6L738M9as6sMDwAE3
+RzU5UOLNjp+OkGJ3BvCOv8S73gojEWr+K9If/aEjDRodXNi8plqcXEPizaX35u82
+tIAbeM9sVPB3PTW9bUct4TWkbtdaaZc/+PFI0acz3+h9tn4pcnOVLq8iqeUP5SJd
+NfsMzVGU7PcU1ujJKax225kwdHKJgxFzMC7eL3pWFDYqLHIeXV3BWCjvLD/zsQDK
+Iq0jpE4b0ORmQlBQB83EJ5YK0p4hq/ULD97iYRPk9vv1FgJMRCFAFgK0YnQSX1LI
+1XiWgYUZhJiThNCnUKb+s2cbgFE9S0rxlRIcJvwv0L4MBl7YYCWDTycDH1VRWoaH
+zt8SzJ3N/QSjbRKuqFhkiA5vMkqsjRnmRx+nDLi/VTnqc5RdERXUuCsyUVkTj/fc
+4CihdB9avZyWYvjgMUYhsOrTfovEw8inR39vTGiC9tGaBJewCWz/Kifi1tYrRiHI
+XZDvJgNPoTSDtiVuD+vNNVT/+0VFzxRZI4Ww1o3ooFigwrDPYbU8pexKgGe/xVfo
+cT1Rh6EixsJVyyXcNgSISmRuWytPRrlBSVS/Yg/jjjQpwxT0Pwdg5i0syRVHnq4z
+moxU2B02HGSZdKivMHzW0StFT1JhmXkZcL7Zm0NCSaznNoGB5z2z5j9d5EbYmtNv
+HljqwlTwFXlYU1Vpc5isQJQ29l3t9vGXNs2Rp4rvbhUG7BpzCXuLnPSe++qy4re/
+7ioPQAbAGZA+C6eLZlFVCD2rs9kldi5Af/KL9f8yBM6541IkP9e4LIC/Y4h/ePjH
+0XO9A2Md41lP/QcJ1cI4WyMH9svUCSkgG8NY5Ayp5SNo426n4YmmF2fLpgiYmMdR
+2hT/FhkC4HcOlSmx7yM/drEO4QJt9MtwPXp8Q27+xGwBEzFbUuWHpXPHHm7ECXm+
+hQSB8EmGtPPebIrNUsFiJSYcvDLmIlpq0p8ug2YL4DhAij43jTIzfzj2/GLYLHzA
+/uQYN0IVbcnHFJ1w9HdfRTphuw40PLBUHRtP3Y2aOCMtCDMiz3r4vlfDPCsqQwtt
+S6mN/eTCH5fDf+75NK1NrvwfcfASpR+a5n34xeaUAJ15MPTpdOLADfj19J8wEsPp
+sQqjuxw9UjDiZ0WQFdD6feoYWxhGgoDaD+AhsEt7vuMjlZTxupcPsJNzh92YKpUT
+ihTu7KQI7dBsLEYH9Zu6gMvATuBej6txrv6b96kTWO9ukqwgxtfSjirkNl9uX36z
+kW3Q2XKC7uX/MECy3syUw0ltUYZgKSF49g+aX3OUPkoWAPhDpRTHJaC17VQATH1Z
+0TFsIL0zuKHAOn3zAITFtOXfJ8l2ACkj8ZSuChHJCUCh0lZ5LcdWLhXhZJI4+/+v
+JxtXk5X47dvldupOOoWiC7dZEGNjkJ1s8GBXXS+MKGPIyNw4Pt2Ww0CzDUccu3u6
+wkXsue3OWvxCamsJiJQF1YXui8AT6nMfJRgZbCsTXTCwsy20l/76nnWFKjx8trxL
+C0rNorRZoBDvudjdu3rB9TarXASMyafdztvIXWeD/8b+4jsO7xiyULuiCnx0kKhd
+peNvwAyliKJjQfn/jZdZ/OWMy5UJuSGYGlEwufAA1ZrMp0VQmxUzP3iuZxw7SXTB
+nuESN/kCrzElyk9UPi7RMX61FJuSLPx1OxK3VLU/gKuBs/d3jrud1BUCx5fPHPkG
+8E+Y+sUakkjvcfDM98sjBUROocSBP2XD072hEm826RStAmv7/XXytbTL0AsP/GRx
+DiNrIyjIxkdhEEo6L7+ogCQ9OlZ24bHIiEc3wmyFffos7WO23FrrSkemfR4CAvQR
+ntY4HerBiAhkz7YJZm4NTLEpWIAbCFyKeBhX9YOB/5sn2In6h8A6+vtr3qtZqle4
+jkDVOhkU77VtmKWdQq1+RDHPNdbYNL5PB+W7Nn8/rXwSSS4G9i5jUzunwG2WXdzb
+Jhro7GsAPlbvo/2/gtsCBzp5ReRYSbs4SiVBC7+Xf4A/26fhuF4unax0t89Y2yVv
+OQ6/F5nfDLUZXiytjaFUbePCazbggi0xhgDmMVAEj48Yc03pipQb+dIoqsrzCLHJ
+d0f8VmhZ/Tv8DXHRjFM7EUKgApVf5cijyOQUwuUDZekuuMDi59pxiDrHu2r6p8X5
+JFV5GohvIp5vJvAKbVFWGR4jbNyF7CukCNAsw8wiLZBbAF+3aZc4X4k02dEtAX2f
+ttrIzVVzHyD8i7j5ZvY32Li5isbbzY4IvaI3ElKH6l+vfkOeMpied48fcneVLEWZ
+ze2VuixunnPU3O3GojtO3hJaSZRfUfRRBF6G3dIuyrpyrqHAFQvbtjhoYXiCcmv8
+g3McZ6KZL3w/k6dpsBrB9pG61/8dkpRRyld8ZKjGQSUM+X7WN4AEP4IKVThN7RXy
+DdTklccJ+6jA8/5sCEulyo+hYQG+wRRv5Utxm8fBFgAvec9xGVEEBvZTQWcK1fKj
+4aopQlNZiTEaXQl/08N+tvI4fMtnq6eqR99v2ydPyb8Ko/e9wAxU5skietmBw/3Q
+aSkVJdRo4IM1kWuXwrK+3NteZTed/o7VQFuuib8yZNl2gyaIU0afzk7JxPCcdlhe
+06rYnLMmeXiScagLiGjA60QmZN7WbDT9AdsxTbHNiMdogegb2mvxMCZIlM7SnK7M
+J4WzTcGAaMeGDvH48iZqyMPYiiCeLR6ODsCBvCzDULOid7ZQrOIs2hXpHeYb8gWt
+6aoIK8JtxJOGSk2qQO2sfpHTQ94uM/enfXglkAAJDPs1a9p5POXurqhw+aemlolY
+wlh20+U8pyVTqiPJB/CkJSTIZsWLZTCvSusRRIO5FpmEhl0G+nhQhu2jmne+3zd0
+IIva89zfh01dlYgTEBmngZBiF2Jp0SerUvU6x9RBofNdl7sA8je6ahrTp910JSKz
+lHeZGOoet4wzXnmq9OJG69ROA/L6KnAXiGR8xLk0wVcLokZndHBcF4C3A7RJwSnS
+sm5ffi1JVLgiqC5ER8J6Ja0+o88w9aSLGN7rXRQa64ZKjVSiL2Em5BLpo3PY59NA
+63j5/GH6EsbowGU4Tzskj6jqGO4t7TzwyBUNzxkBQ+xK4J7yFhLsRfKFEzMKj4cG
+n/fMcXshAy5Fc4Ab1Csp95YyS48KRF+cfSv+CMTEeaPf+TOtYm8UbAdzuC8sikJ9
+thSd+aRKYQo4VhMPYkPIbmOLGtWEIsICqML3qF7TdYybIUEFaextrwTcmj0MGBuF
+TjVKi7GfcJglrL0/ErvCvkJy9TXL1SR2aFoYb13XQy6XMS3Es7Qzs7MoKEp2k9HY
+a056c//TPaXEE8iWcLDrQvBMzYxbwT6gaTSUcgTLyrJdBPv8fytZoy9P8kQ2T1TS
+PTE83yXe+47oPItWvOPwh49JYBMovGudfQoieX8R6ZpGT99xseMeIM6W0tBAijeW
+0fKocgrxTdvAeers/0SMBo1Sec5I7YlY8TCdokUKgthiCu5XM7skFeZ8sEClbwH8
+QIOv0aGXGLLkbC5f3WU+RA==
--- a/modules/services/binary-cache.nix
+++ b/modules/services/binary-cache.nix
@ -12,11 +12,6 @@ in
  options = {
    aux.system.services.binary-cache = {
      enable = lib.mkEnableOption "Enable a binary cache hosting service.";
-      home = lib.mkOption {
-        default = "/var/lib/nix-binary-cache";
-        type = lib.types.str;
-        description = "Where to store the binary cache and its config files.";
-      };
      secretKeyFile = lib.mkOption {
        default = "/var/lib/nix-binary-cache/privkey.pem";
        type = lib.types.str;
@ -28,6 +23,20 @@ in
        description = "The complete URL where the cache is hosted.";
        example = "https://cache.example.com";
      };
+      auth = {
+        password = lib.mkOption {
+          default = "";
+          type = lib.types.str;
+          description = "The password to use for basic authentication for the cache.";
+          example = "MySuperSecurePassword123";
+        };
+        user = lib.mkOption {
+          default = "cache-user";
+          type = lib.types.str;
+          description = "The username to use for basic auth.";
+        };
+
+      };
    };
  };

@ -42,10 +51,15 @@ in
      nginx.virtualHosts."${cfg.url}" = {
        useACMEHost = pkgs.util.getDomainFromURL cfg.url;
        forceSSL = true;
+        basicAuth = {
+          "${cfg.auth.user}" = cfg.auth.password;
+        };
        locations."/" = {
          proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
      };
    };
+
+    systemd.services.nginx.wants = [ config.systemd.services.nix-serve.name ];
  };
 }
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -30,6 +30,11 @@ in
    {
      nixpkgs.config.allowUnfree = cfg.allowUnfree;
      nix = {
+        extraOptions = ''
+          # Ensure we can still build when secondary caches are unavailable
+          fallback = true
+        '';
+
        settings = {
          # Enable Flakes
          experimental-features = [
@ -47,6 +52,13 @@ in
            config.secrets.services.binary-cache.pubcert
          ];

+          # Authentication for Hevana's binary cache
+          netrc-file =
+            with config.secrets.services.binary-cache;
+            pkgs.writeText "netrc" ''
+              machine ${url} login ${auth.username} password ${auth.password}
+            '';
+
          # Only allow these users to use Nix
          allowed-users = with config.users.users; [
            root.name