From 837f9ade96af02c4328e190e4e9790b2314776e3 Mon Sep 17 00:00:00 2001
From: Andre
Date: Mon, 2 Dec 2024 16:26:29 +0000
Subject: [PATCH] Hevana: add authentication to binary cache
---
 flake.lock | 12 +-
 hosts/Hevana/default.nix | 8 +-
 modules/secrets/default.nix | 213 +++++++++++++++---------------
 modules/services/binary-cache.nix | 24 +++-
 modules/system/nix.nix | 12 ++
 5 files changed, 150 insertions(+), 119 deletions(-)
diff --git a/flake.lock b/flake.lock
index 89676d7..efb0de2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -268,11 +268,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733066523, - "narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=", + "lastModified": 1733139194, + "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "fe01780d356d70fd119a19277bff71d3e78dad00", + "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88", "type": "github" }, "original": {
@@ -316,11 +316,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732837521, - "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=", + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", "type": "github" }, "original": {
diff --git a/hosts/Hevana/default.nix b/hosts/Hevana/default.nix
index bcfc191..6aecef1 100644
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@@ -120,12 +120,14 @@ in
 onCalendar = "daily";
 user = config.users.users.aires.name;
 };
- # FIXME: Find a way to require user authentication before enabling the cache again
 binary-cache = {
- enable = false;
- home = "${services-root}/nixos-binary-cache";
+ enable = true;
 secretKeyFile = "${services-root}/nixos-binary-cache/certs/cache-priv-key.pem";
 url = config.secrets.services.binary-cache.url;
+ auth = {
+ user = config.secrets.services.binary-cache.auth.username;
+ password = config.secrets.services.binary-cache.auth.password;
+ };
 };
 boinc = {
 enable = false;
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index c51f7ad..f6b3fc7 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -1,105 +1,108 @@ -U2FsdGVkX1/cSpFu+Shxo2hjjU+rjYuOce2GRe2r+T8IFOg2Hf66ahIHqDK4SvCC -n+XzBQX4KFo2s+hpYu+8ik6EisJxEqNRiheQyQRgNitfQQ4hmHJxNrXP3APxSz8t -jsMMYjINs9wgsAe/YukNTeV0GDjjEn76D3ykFbQr0LJIDm2Nh+WYDJjHAdTZanMq -9DqWXh/wFM2PskIfSfrgizumLHgDlxSyRpTHoIXghHd9E1O49mQeXZdE+gdnfhnw -pinEf3GkvCmXJd6MbFUTL/hzWKjk69OghN4siPUg2fqm8uTfapGu9lxh3e0iljEY -lCtkYKoe5Oj857RZDqHB5CB53PI16B9Mdw0GSlqVuU1oR0Z1nPCCteJsz9FOylxQ -JVp8uhfXUWu/NeVpArv5TB0zIpeNzuIscGFcmFzgFAFOkmIvovo386kOyf5wMHEn -9FaFtEV0u82DN6VFcptgoJ1SQECl2cHC9mYnRVcr9Ab7jZVssm7Kqg3XGfJBME5Q -pe3dD2I2/+4jFGSHuU0+FWhPyeCpZ5aLmFTVkh/LfH7EiV8540hl22K7K4zy7m0a -X9LyC5GIiWU/rkHDDouANRRhvaMUGIPg4fWOEcx2qwt4EwU7rZreom4Hjp0VIRgR -PboE04k35kR/m/fFo8sp271mbUm2Mrl2r4JW1vT9gLmCpma4tZC9RsUNPTr13uzb -481jvphquAL6jYgPhH48sSLJ6WnHxMDBcwckey1LtoDxcIS1LTRx24BWfe6b2kT7 -gFH0x14JTMQB1DAn0FjcBVx8rXlqlb3Jpxh3Wdhg8ic4F3v6sonuCmaW9eCNGrkm -tqciHoFz8f4uzssRWDydz3zvLF5dfiAR8MWshDucS4H4Urbuw3br5utxH/21guG2 -vWoPVzbpqc4qwxOjCe9XniYkWrNScFUiESePsCZrGBIzHmQjcNXFsooRDzge64tn -hKa1FRfD3FfDXAL6/GPHuyWs/jidpVWElAVlY0bLpvXwEFF6oUtP26qQhnnfV1pl -l3vvBZDy7WP0nV2Qwc+gOAzIX9A1rEn85HPIR8yeWRETsE9kyVETwdcv9pVVXB98 -k7E9Kso+sPigJXWGXO2pkJJ63VhnOihBFrW6JSkqSQ55po6hCldtJOKFrFcpIqR6 -eR1y+nuAsYssh0vgzaOAasAu5zS3T3BYKDfQ4v2aqdd9T7JHGHEcVH0nUDd3UEtf -TleUHzH2YqDRuX8iPc0bMxbbm0he6AyGvReUiFEOfXIbxVenjv84nWtWuW55/iM8 -9DOC5mASYJkMiw2E82CSN2/lcm2ZeJiUoKi5AvMWK9qJ1Gkn1AXgiqJG9LAlUlxQ -e0HOmkCDatGDEtuRvhBf6YEmPJW+7Yxccat3XFdqItp5UukfipRJJ0oZJwPLEmWX -zdMT08cMn+/76ExqIcre8Pc4G9i8eWfG2JF5bOTZe7obQgar3gE9Yb6ZfPUkiKJk -Iy46yv9qJq6zjBbFjOIqH00llwn3l2ArqcmKJvg/jyLuK1/6kWXUpOQytkihE9Py -/2X2KM2n7lBHE7nuwGh4sy3sXT7byiu8OD003UpGytHsUaJDiZZIOyb3yOSHo34i -8JaZBpFZfnZnBct+qdoLGwbZhrNY+NVSSyTaLKucfC8lpc1FLoyY6XBHJr6n+c43 -rqFF6SqW4mXw7HWU22zF4RgIa6129ZyF5AzM8XJnvC8scg1jXc/Ywo18gT7eVnZf -X3sYhFt+BIIKDjsAUtePnhD469kT84sx+nlxwwyXhYoJXPyMy8r9bVqrmIAVUXDT -wE21vUrUnogoqhgjKSZAHbtZNOAxKIlrdm+JKq/sUiYacN6XuZDn9b9YpIDxCIPQ -IFi+eHwyGYkkgzeuKb50rhA5OPMiOHk2xhvS9ptyYWv33e+KQEMFFv3XiURz3TWg 
-75N55Lw2vrsv4RkesTGnkqD6B/D73Y18GiycCpQUjxqYrVIDZiGvdLUV+tJGOij2 -6Nrj3II1HDWR/pN5/FtOPRUyluITmWWQODGiucqZvMzWGRoUC+wEXdGmLLVQAeS0 -j2tQFpXJMVdaRBH0BcVbifx18tD0BW1pTPGvXVgP+IgKf6Q9x76SAkI8T3o8TorY -U+jqxGfUPpS888fwDLnQLBC9r8O+RKMBDGYsf/2l2crN9QXPF4tCy4LKs/BjksFE -BunBa68vc5eAiNhlLZWKfMa76ybeQWjJC1+DyRjCyGgR8R+oACiGbfI9HdV+EikL -99u5vvlHYWyH9EltqkfeKfVq5/XzkQltUG3kS2N9S1QWYBJN+Q8DeH9UjcMO1JB+ -krcpF3/9gPN6G+Id9H5FlkmmQ7qqLzlRxphnw0l6gB3NPFUil6bUbhDA4lEkkxKl -1lLjfyf+s6y7TQ+rZRptv2x4IuYVchWX0X8fXxrHoBGJt3yBNalBnG3SIfuvQNaC -oEy+3U80Ow4ecpTBVOZstjHimlE7qN4kX0+YL3hmDeDI30wIgDOnSISZADMXNGer -Nngt54H2cy8/0ipN05+H1M+5viD/X6BeXDCN+bQ2NtanhExlpUSfCCMqG6BBJD5F -p38kux8XXuNwgPccTLedqf9sutjDGtRjyrKOoa6H25pnPKwKCNPcPzfD3+nmfMaf -Zu4P2CM5MYZQmH/k+ToC0DYR9kgiQeWqmW+Mdz8f2R8XMyFuvOFHPwkF3CFsoACQ -Dwj+93rjOQiQVJ+ZgoDIOIxrdKzp5XC2ZqaYQnwHvrPihZFkM2PtjZLGGQBarD/r -gV/WgjpAWRPIWgr284/uCbAyYw2uWPKFOzktSaY+/gPoPB3o2Ram9b3T/icoearO -hv3GmDPntSe9DcSoKjh9b8ZTrmNhr/fKjK4nd7UD64jwA6ySy3nLl/CNBPZQULiO -lFQOWKGIcvySLH1vZ9afgoGOh5fAApgMsbVnaF1bEtBxJ6xXV7mkfr1YK8GASUUI -ILJta7zyJNQc5XSpwScEcnfjJR5cqOXWUO4IyJfsVMhE5CZW3nbZkOnczNREf2Pj -CSqqEtoJeajuHyPy8V5EKf3GgOG3cJvPFG1Xm/CwtXT4QhH33U+8nOiqgv8V5BeX -H2hNg/9xeYvu/WZg65R/z5sf7LtSC5HHKqUw9SQN12/SiwzmWBafcrgiRwnH13uq -o/N1BHcP7ie0ySOdWL1+C0p/vBwKu179kKHtCoc78XxXujioE+blGhN3n+gOSTYH -a3TeCLiTUcB9arwc0rK6MaABvIyws0+aDwNxYQozsu0U3yayx5Dz3dp9G0UvpRVc -04WQx3tfePBtM/wz3UHU++Paj565Gj8WRW7ISAmUzTZqZQ85Vg9j+3YotsHdennj -Nbbf/FIqnzvAUuSKUNgqJfwelPtBB4BExBUt2KQY0Lg1BeVHgeoX1QGUy3Gou3Cn -guGlkapNZw/WMwaso06yzbsep+VjF603gQv0Freh59CRWss0gqMlCcZPMcxW6mU2 -PbqV4r8TwBxBLTLu7pTY9YUyfL44mDdyvpv/3KHEGYL5KL76u7bNIeBDM8P1P4tZ -+HnlSIZZYXDhWR9giJiJrqNnAIouargdvU6PLVIi4hGoVq+RdRtQ8kWbTQFTarej -4JcoKzlPVsahW+O8AEU1ZKhhV8RSNm7wBvIAdHRTxxJexTzG5+3U+IBAKOPRtMsq -TNQf9PQYIHKc2jrcYevgRRlMXSoxxvoWEObh1Vumi/Ack9E+VqXbNeGPQ5ZZGX6N -9MpTMEZhKy9cPTdUa7Yk6MdzC55jydCqRYvtJTTUwZmIdI17TchnT8hBKHQCZS7G -7UsfJwJsK3rKPVo9ASdtiubZc3NfQ8pcyu3UTJnRgx6UnH9ByUwSaTXU1d8l87mU 
-dKEEAX5FZmRn2hE/8ziPuSS1zByL0/gfMyupT2Nlk3XKO68DKc+VEtJmZexli47l -2BdrktreYib/N6MO2Dd4J+OdyusFZ0vxPGe2fGGJnGptMEhe7Kcf+P6PtN+htEMd -nM6/v37tHTLY2mU0hAlLhTq0TGJc+Vuirqpbrd0NJSF8N+s7/g0hvaFlG2APa8DD -8Ti0ij58dyuGErbkexHzILztoNh1vX1Uw2NMLF0gaU33FOb8Vef9yPylIDFFa0I9 -6vW/Zd+G9s0Rgvl0RhjM/YPLr/KT7UuvgWUVgKaVsaiMItU4FLvGTIeX1dggEtoa -2Ci91rdD0NEhFpaT5jYk1uEZe/K7OxpSoawqT9IhQ/IbaYqljYqSSbVFjSf5OV2N -cLC1ac7rQHnwY2BsOaYo7NR5XvMEFpThotdq10X+S63AVZg8GNZkBaasfjXlL4j8 -mFpiK/IkTdjqY3nVuPHCXqxoZOHNr92MKwjCo5ER4cp8m8Wq5SS7yYCaWwbcN+3S -b7SK4Iz1yaDyX9Bv+Alub32Ep4eu+Ldmp4zDuUOM3dAuactqRIRA1WFwAeoGRdht -6vhz9GZBYS7bmOwxaI4wnkzUevyVKIDsFzYetgPgi2ZPo0gNrapbfvRDhIP5m22Z -IynjN0IYu6V8y7dYOX301v5NlTJ1XCIpRHdoDzQuE97pcVZUwr/h0WRrhSZ/bo/t -Kn0l+g6Qv7t37ffvHgEyGNc+koA+ouNzO7B3dyehenZKeA88M+PbAw1px84no/qm -p3EYho72sWA1SXpU6EPVVmXzI6QIiKmkzifHarf2X82fGnjzWLdOpQUFjAM8izp/ -cbpe+Ar51iYXlhAVR5GxKHHPX7StIwqJSwkOjxLzlRjTMzSVtRh9ORC+zBZHzrCl -2L1IjN6Zws+eJpHwqwNuD4v25XJ0jAEjKlTnZ7isc/lAsD0/tOeR2AhH+VxBq5X2 -t0ztO/F+RLKN9p3voR80Zj2ijiv1kVczRFBn9rdWAdxUUUpPYFWTH/tKsHlwW5Ut -eIXNZtnQfMwxZNS6Z39xDj0uw4xfN+j9TMkHQOygNB5xyAh7/nfTolSKogHqvvtI -9QmVx3YBMwivQXhOgH5QrXhihu4Nunq4MpHMZdt9sz/rEDdBFl/2NnndiJMY/94q -xTCvDwC1iY6HpI03lUUfD8C6ZSyij01iEGZDJNquvMGL0uYRVM1R987KYkeGNyoQ -+jgpYaJ/jTiZQDKA+otcVDTwj5LQnbYYv4uj6L52Fn2amHtN2cKOjKRNtCGSFuJU -oC7MZBQ4Dn68q6Tz/h9BhTSKKN10GriXKeMdEVcBrct4k1b03aaA3A3lo7bgGsFP -qSl5gqW6YDYJ8tiwckAOHEXbf3x5xTTxYtdhB6tcKpRSsnQOApEgNGVH6a+m7T+B -tL/teR1UUgQvBRDVXV92lUzjzQVFSezQn8DL7W26N5PD3tsLlGWV4qFPOQxUrUpj -W7hg7/VQm6dpMxzlx3UUJASSaBmujJkA8pcd7E8rRlmH65ftKpcEEYBCxXssNPUn -0RjOrr62UDh1nk/MB/5iOJV4bPnTHPRNeIvRq39GAH4JO1p25jTI0Sg8vBPfTjHG -UfvforsakHGyVeUZQTPkWx5GV1J6KDyzZXie8hmRSNtf/THauXeQf+jHhiN0uXQD -C3UkrKykgBSZDQNwpzWWTmmnz3a+O/xfOuQs+3Kw7AI8u7lGXT71OKWgjOcvTaT7 -TjMDfHQobr/SAZ8sYa4dO57RFdTcDTX9tfYR9Rft6c9GtYmC1KVGy3+1tI39JFNA -ZSIOn6Yb8edH8oYmuAoLJ1hJ/m8WXWDEv6gidWULO4Yl8kIicxcM+e57SLm9/G7J -flUgjA3m15VJXrMQpR01FZ7zZW7W8Q2yzvmYc009hdTq0a9591Hmumi88CMrnZpg 
-7ix3aIbAocET8KXMmQBb8DZyV1aSVUJ14SXBoLTLCq2OEb8n9K68wE4gLujWvDBD -Fi+nruogqRxnZnzjhCYjaGzdV9ac8EJ9zZ8pwr6YitS7+jN6K+S8EbdfvdVtNJ5d -yALI+/TzClJXV2A3TLfekgjE9wkrBtaTBNAHed3n005mKYpVdBzjjMQ8Yr/wfFXX -419eJsvY9G/v5jxqGHbaYImL+5ECPq2yRsXoCyAgtM+C6lw7PvPT/K+tUAxzc+A4 -Qmv7/Yvwz4cECee4cjQVt43O7+p7NQN1Xy1cpqCAIxiz7QMf5UKxVJlq5GgV11z4 -4QGBeg47uEtolS96mIaiJ2IIzqR+5i+M9F0R2Szu20ExjFh9pKyZqU+d4jX5LBzp -MHpL6G16CC8O5wAJxZE0HUWJ38IZR611r7QnVZ5B6E/TTA0CdsNv0nIaNoigcKZf -t4mtpKguVNdcYDVPCieo9fUVlg0swShP66+K2dPBdrONZxvrR7OpSf9cSEdvnijb -2XkLHMoh9mByOrqRFxZhLy3sWV5BqIc+wxoVXb4bF5ve9+E+7d0w0wMO8bsdixE/ -rMcH2TrMbnfF+LXXf+NHWQxzPvto6EUQjc0vmXQ9Z9La4Q8Mc1Q40YyAWIoQ7Kvl -jSzoggxwkp2Rlh59slijz22oTht2meHseA0dQC8+sUbxo1gnEIIUH8sbUaAr+CO9 -ObSVnXz9OQrQ5XtNwXmblaaZD8Qn+AyyuEDzbdlDv1WMrGIxkokLeDDmdFWtmiyU -A3FtpE4XOoQPgMv/UsIpUtdu9N1ImTXXWGFfFYvp+1u8wFp/rYxZpsLx8fpTctWj -OX8ge0Ivy2sfVgLVRCg2nd4HBrBdBU//lPHwEeZtKVgcUmvRGMEDqTDAc2brtG/u -XKIaixhUto2Gqo83CT4EJg== +U2FsdGVkX19USw6XheqcSEjdoumO7SJGW+Qm4tMjtredkCsIRTRp7OBxFKyOcieE +s9feEZ3DwJlMxXKOsgtd0bvcPPDFFUyOzSgFAEFP+IDFE54C0P521WxW7fDTZj25 +BKTz2ZO9W6t5HpiyF9R9FbK2fTNs2gI7arCw2LHnJzb2BnzUsDkSDH4oplKchtmA +ETBBI1PzVAJklVesXvWOysUjDRIFuF3KbeoC3Lu9YTtKDrRFgwAOy+zX8IGs8RTu +0D19+y3Wl5qfKYNum20W0r6QHM41tM3MrzQzd6qoliNMdEZ3YkTDzYymdOjsLK1t +N7JLd/JmSIU6/pXIV4ZOQWCk1Rpl+Wv/3zqieFhB2d2MEQ/R8JbuTN+Is5bar44u +I87Kp3Xtmtt88bZoDKhduL5Q9O2koHoP1v2UsY0KXweg08WMwVeaoI27IJpTd7/D +/FbHYJy26dqZKEQpvFnl/rG9MEbLLh9na0SamX4OCNsBMNAgUQ9AvDzJQ+5UaVmA +ctlk5hXRNBitkQr5g5/hUir9bmjTlYlxb4DyvIOYUjaOkYc+5mAaphfrN25S/MiC +OWLUo5x4+FpEbfNuzOf5dye+ucZyclJXTzNDR59ALnGCRARnx5Gh3ArRVgpE911k +b+DzWrGCzcrwQUclEoJYEJt0GQqdSiTj1141NU+zGPZb5a435KeTJsMrfz07+O8S +2acu2QluIe12KPIKijUKcYQ1ZihVxrwuCQvFQ7sfzbB1aCZ7h2uHJGyDIpT/OBPw +GTqiUXblRs4zAsNumXHIloj62L1l0CqBvO8XLCays8HhWPpNAxOZLcgUgoHSFxzt +hpHRSvHhNRyXAP5WEYHP8fL3G801XwEcZK8PkDUAv9RD3p/Kigw/kxfcd1OjQXJO +7XcWh8lyv9InpQ8SpixmaF2UZ20cyoc7otYApmSQnbAhFTHe3665UGFFQB/HUgF8 
+F8Vv7uEyjmI+BcaTNdzOjz7p6SVtzlbfjg7/rYmLF/naleYxMnbNRHgFD/Z7U2+c +uK5BZC9q3W1d5XtJe1z6XXklnx0BU/qk+50T+A84xIjhKDist8rbzP8OVQuTdb+K +UI0I1nE9Eyvthx13oscFxQlRGKArbsRyWscFThzXwEvO7qNGRpuOZhlHFYcw63uF +GwxqPxNpOScReTEIemtZyaamfxzJhxoJjm85bRDEKAadS+fGFnGLs+Jd3bFeK6q/ +D7f7dMRYTM9qNM55DPDk0DQoXvW2qCOWVQelObc3FrQ1XrRGZO12XQhIgoAP+fNo +fmXc/gfSeVU2HPtV32sxv2bGzaFqNEjAC0mTgJz3Pm1FkOrXVbNcGKahlBCRs1r0 +hQQAELHz3sZ551/XCfZ0sHXDLYO1CqE1cjbFklGuLYXMiQvkC2gFHQFdergOie4m +r5jyzFupo+SxKop7N/zTtues/1em/F6KTN5GXkSS+Gmo2oCcHWcb/qxeu4FQqPOk +f9L3NvzOuMptSSfTNMsQl50+o8UdU5GOE9DmourEJUjW7+TZkhW6CkufizVNi7B2 +OFdCsZ4jWd/37ncoPzRu+F6Ub8ymnu+dPiyjmk9PyW8m/+98KY4auimgwBGvqLCe +OD59TC6XE+cKgtNEhiwbdrmzH1qEhmvHY/jh2EiijCjw5lSb7eKFT5nOt9CdyGhN +KItEWDMub/1OxuwArVPZg+pner0SCdtpKU7g86s591i0vJwMHqkAMYr/zqVHLogq +3y8/Ov+4Xgn/UGf9p6XplunT8W0nZkWdND9HerRra00JOrMt9vw5v9/aTxKI1ps0 +USAmCo887lPQ9Yh9D+2e8Mc0c5Fsvu6RJ1aX+ZCSkvZ1QTdHJcukaH0Y2a4Qbzna +Mztw9AjbohUjSb9ZseK5bBXazoSBqUuc9/pnbkPzsW9uDBgfu7YWWpLtU5XISWXH +aovsyoJmRDqfIC4n7GuQsQ+5XwGOLPtH/NPjrebKQTBl/ppqdYPq/q0JxsCeEw6P +RJHV6ymaeoZTsjjIw85YD1h4idDeMbCfOXkZuCTwbUX5TI7/BQ+4dLiPSGpwatsg +ou+kg62eJ/lIhW/lwPfykvQ0g+lm2AxzHdyZHFCLQaMd2VxhU0jZw7WoPgoWnKwL +TlW7XUjCg1TFxoB5qD1zG5VkJZaeFfHwP6D3tr/aDf8sBUxvjD3BWWQiG9i6gkFK +lMfDAewphCXYcTw0wqRl6QdWn1tMXyHweDppvvBGxFNIVtX6O+eHnVqfrKRo1w6K +vL18KTZ4kSzIwQpdcIMFUKpeYVh2UUbh0d276pHbuQM3xqsubMBeiLXiKF2yN8HJ +cGEr7uq0BZaemQD/5xfJ+tI2ArEQ8ti7rLxBNkZg9GoMq/l55CCTgj9jwDo5V0p7 +C49ezV6pgfDclIdlFsJocSuqrLJTFiofkzJRyG0/nVbZzO5lOXWN0sYAjN06unsm +hpxtcmhuUhk0QNcr0fNQYdwfhj+GzJZ0LtvOWt2u7D8xoDiWnQzWWWd2zqN+gLNI +ryFnNBeoiNxMpz8xJDZybZp/sG7wgugAsaYwBCbx0Dk20sKeU08vbDE9I5V6wRa6 +bhmeT7+yb7YmATGwohbTRWygfc9+b7LIIsU7oBTOxkBRdNyzwkhTA7vGQuBYYxBY +uHDxY+ao36cWiWSidEwLEAoNWl3zUx+EaT8uuuMT3c/524dMsHJAhUXEvk3ayUGQ +KDnEVat7rTQ5wSSfO0YhoHmQ8NdIrM3YBlwepT1Rav1zg4jnVS6YHZY2py05aRKm +B8Z0MBu/+LwC6Vrv2n1YroWVCmtJjtKbwUYYv60Qi5SVtsCKMn4DYMEJUCC/EnNn +NeJ6CZ4VeDbzE+oWF4hw0s6MvLmcki+9MNB/CjqZEtUWtDS3I3axn84J4vwRZ2mk 
+iHGVDSTZsrIIf61+i6fJjT9E7xhGHCKrAf6qoHYgew6ABuI6rGjpHnSZdXbDY4Vv +sUrNdLPuTvWpM7p1Xub48LNRPo5cAa3H4zF5C/brI7i00MGMwoZGbTIpj4FerWNy +R21vtOaeYrSeKKLZxzvhsaiSfb5xHIRzNurP/tTZcwyjNLX5GBoo+d5zqCwKObRE +dhL3K69f+GWS7EXh30HbMiGd6snUhALUjPQAuLFwX3gsnTuGzOijsiRB4HUf65ZW +zX/QFywqBYl1WS6gyeV2Ab9sKFvbXNC4R7zrLpKp8MsZj8tjK4zeSvTUaKjvcc3G +6vYzzhFs8QAIyw7o5MUKh4IdskH5231dgIhjRX0K+G0QOB6QLLdBwMx5Bn3ymW+M +SLf8hQpf0knNQL3oFE3eNCLazsEK104dZzq+J50bCGGCIX5qSYJ+l5L442OjBW7v +vpQkEv6z/LToyFNoWfpS/WLy6nEw9Vud7Qk45AtaN5Gs1dO6L738M9as6sMDwAE3 +RzU5UOLNjp+OkGJ3BvCOv8S73gojEWr+K9If/aEjDRodXNi8plqcXEPizaX35u82 +tIAbeM9sVPB3PTW9bUct4TWkbtdaaZc/+PFI0acz3+h9tn4pcnOVLq8iqeUP5SJd +NfsMzVGU7PcU1ujJKax225kwdHKJgxFzMC7eL3pWFDYqLHIeXV3BWCjvLD/zsQDK +Iq0jpE4b0ORmQlBQB83EJ5YK0p4hq/ULD97iYRPk9vv1FgJMRCFAFgK0YnQSX1LI +1XiWgYUZhJiThNCnUKb+s2cbgFE9S0rxlRIcJvwv0L4MBl7YYCWDTycDH1VRWoaH +zt8SzJ3N/QSjbRKuqFhkiA5vMkqsjRnmRx+nDLi/VTnqc5RdERXUuCsyUVkTj/fc +4CihdB9avZyWYvjgMUYhsOrTfovEw8inR39vTGiC9tGaBJewCWz/Kifi1tYrRiHI +XZDvJgNPoTSDtiVuD+vNNVT/+0VFzxRZI4Ww1o3ooFigwrDPYbU8pexKgGe/xVfo +cT1Rh6EixsJVyyXcNgSISmRuWytPRrlBSVS/Yg/jjjQpwxT0Pwdg5i0syRVHnq4z +moxU2B02HGSZdKivMHzW0StFT1JhmXkZcL7Zm0NCSaznNoGB5z2z5j9d5EbYmtNv +HljqwlTwFXlYU1Vpc5isQJQ29l3t9vGXNs2Rp4rvbhUG7BpzCXuLnPSe++qy4re/ +7ioPQAbAGZA+C6eLZlFVCD2rs9kldi5Af/KL9f8yBM6541IkP9e4LIC/Y4h/ePjH +0XO9A2Md41lP/QcJ1cI4WyMH9svUCSkgG8NY5Ayp5SNo426n4YmmF2fLpgiYmMdR +2hT/FhkC4HcOlSmx7yM/drEO4QJt9MtwPXp8Q27+xGwBEzFbUuWHpXPHHm7ECXm+ +hQSB8EmGtPPebIrNUsFiJSYcvDLmIlpq0p8ug2YL4DhAij43jTIzfzj2/GLYLHzA +/uQYN0IVbcnHFJ1w9HdfRTphuw40PLBUHRtP3Y2aOCMtCDMiz3r4vlfDPCsqQwtt +S6mN/eTCH5fDf+75NK1NrvwfcfASpR+a5n34xeaUAJ15MPTpdOLADfj19J8wEsPp +sQqjuxw9UjDiZ0WQFdD6feoYWxhGgoDaD+AhsEt7vuMjlZTxupcPsJNzh92YKpUT +ihTu7KQI7dBsLEYH9Zu6gMvATuBej6txrv6b96kTWO9ukqwgxtfSjirkNl9uX36z +kW3Q2XKC7uX/MECy3syUw0ltUYZgKSF49g+aX3OUPkoWAPhDpRTHJaC17VQATH1Z +0TFsIL0zuKHAOn3zAITFtOXfJ8l2ACkj8ZSuChHJCUCh0lZ5LcdWLhXhZJI4+/+v +JxtXk5X47dvldupOOoWiC7dZEGNjkJ1s8GBXXS+MKGPIyNw4Pt2Ww0CzDUccu3u6 
+wkXsue3OWvxCamsJiJQF1YXui8AT6nMfJRgZbCsTXTCwsy20l/76nnWFKjx8trxL +C0rNorRZoBDvudjdu3rB9TarXASMyafdztvIXWeD/8b+4jsO7xiyULuiCnx0kKhd +peNvwAyliKJjQfn/jZdZ/OWMy5UJuSGYGlEwufAA1ZrMp0VQmxUzP3iuZxw7SXTB +nuESN/kCrzElyk9UPi7RMX61FJuSLPx1OxK3VLU/gKuBs/d3jrud1BUCx5fPHPkG +8E+Y+sUakkjvcfDM98sjBUROocSBP2XD072hEm826RStAmv7/XXytbTL0AsP/GRx +DiNrIyjIxkdhEEo6L7+ogCQ9OlZ24bHIiEc3wmyFffos7WO23FrrSkemfR4CAvQR +ntY4HerBiAhkz7YJZm4NTLEpWIAbCFyKeBhX9YOB/5sn2In6h8A6+vtr3qtZqle4 +jkDVOhkU77VtmKWdQq1+RDHPNdbYNL5PB+W7Nn8/rXwSSS4G9i5jUzunwG2WXdzb +Jhro7GsAPlbvo/2/gtsCBzp5ReRYSbs4SiVBC7+Xf4A/26fhuF4unax0t89Y2yVv +OQ6/F5nfDLUZXiytjaFUbePCazbggi0xhgDmMVAEj48Yc03pipQb+dIoqsrzCLHJ +d0f8VmhZ/Tv8DXHRjFM7EUKgApVf5cijyOQUwuUDZekuuMDi59pxiDrHu2r6p8X5 +JFV5GohvIp5vJvAKbVFWGR4jbNyF7CukCNAsw8wiLZBbAF+3aZc4X4k02dEtAX2f +ttrIzVVzHyD8i7j5ZvY32Li5isbbzY4IvaI3ElKH6l+vfkOeMpied48fcneVLEWZ +ze2VuixunnPU3O3GojtO3hJaSZRfUfRRBF6G3dIuyrpyrqHAFQvbtjhoYXiCcmv8 +g3McZ6KZL3w/k6dpsBrB9pG61/8dkpRRyld8ZKjGQSUM+X7WN4AEP4IKVThN7RXy +DdTklccJ+6jA8/5sCEulyo+hYQG+wRRv5Utxm8fBFgAvec9xGVEEBvZTQWcK1fKj +4aopQlNZiTEaXQl/08N+tvI4fMtnq6eqR99v2ydPyb8Ko/e9wAxU5skietmBw/3Q +aSkVJdRo4IM1kWuXwrK+3NteZTed/o7VQFuuib8yZNl2gyaIU0afzk7JxPCcdlhe +06rYnLMmeXiScagLiGjA60QmZN7WbDT9AdsxTbHNiMdogegb2mvxMCZIlM7SnK7M +J4WzTcGAaMeGDvH48iZqyMPYiiCeLR6ODsCBvCzDULOid7ZQrOIs2hXpHeYb8gWt +6aoIK8JtxJOGSk2qQO2sfpHTQ94uM/enfXglkAAJDPs1a9p5POXurqhw+aemlolY +wlh20+U8pyVTqiPJB/CkJSTIZsWLZTCvSusRRIO5FpmEhl0G+nhQhu2jmne+3zd0 +IIva89zfh01dlYgTEBmngZBiF2Jp0SerUvU6x9RBofNdl7sA8je6ahrTp910JSKz +lHeZGOoet4wzXnmq9OJG69ROA/L6KnAXiGR8xLk0wVcLokZndHBcF4C3A7RJwSnS +sm5ffi1JVLgiqC5ER8J6Ja0+o88w9aSLGN7rXRQa64ZKjVSiL2Em5BLpo3PY59NA +63j5/GH6EsbowGU4Tzskj6jqGO4t7TzwyBUNzxkBQ+xK4J7yFhLsRfKFEzMKj4cG +n/fMcXshAy5Fc4Ab1Csp95YyS48KRF+cfSv+CMTEeaPf+TOtYm8UbAdzuC8sikJ9 +thSd+aRKYQo4VhMPYkPIbmOLGtWEIsICqML3qF7TdYybIUEFaextrwTcmj0MGBuF +TjVKi7GfcJglrL0/ErvCvkJy9TXL1SR2aFoYb13XQy6XMS3Es7Qzs7MoKEp2k9HY +a056c//TPaXEE8iWcLDrQvBMzYxbwT6gaTSUcgTLyrJdBPv8fytZoy9P8kQ2T1TS 
+PTE83yXe+47oPItWvOPwh49JYBMovGudfQoieX8R6ZpGT99xseMeIM6W0tBAijeW +0fKocgrxTdvAeers/0SMBo1Sec5I7YlY8TCdokUKgthiCu5XM7skFeZ8sEClbwH8 +QIOv0aGXGLLkbC5f3WU+RA==
diff --git a/modules/services/binary-cache.nix b/modules/services/binary-cache.nix
index 44a24c3..9ec5e74 100644
--- a/modules/services/binary-cache.nix
+++ b/modules/services/binary-cache.nix
@@ -12,11 +12,6 @@ in
 options = {
 aux.system.services.binary-cache = {
 enable = lib.mkEnableOption "Enable a binary cache hosting service.";
- home = lib.mkOption {
- default = "/var/lib/nix-binary-cache";
- type = lib.types.str;
- description = "Where to store the binary cache and its config files.";
- };
 secretKeyFile = lib.mkOption {
 default = "/var/lib/nix-binary-cache/privkey.pem";
 type = lib.types.str;
@@ -28,6 +23,20 @@ in
 description = "The complete URL where the cache is hosted.";
 example = "https://cache.example.com";
 };
+ auth = {
+ password = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = "The password to use for basic authentication for the cache.";
+ example = "MySuperSecurePassword123";
+ };
+ user = lib.mkOption {
+ default = "cache-user";
+ type = lib.types.str;
+ description = "The username to use for basic auth.";
+ };
+
+ };
 };
 };
@@ -42,10 +51,15 @@ in
 nginx.virtualHosts."${cfg.url}" = {
 useACMEHost = pkgs.util.getDomainFromURL cfg.url;
 forceSSL = true;
+ basicAuth = {
+ "${cfg.auth.user}" = cfg.auth.password;
+ };
 locations."/" = {
 proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
 };
 };
 };
+
+ systemd.services.nginx.wants = [ config.systemd.services.nix-serve.name ];
 };
 }
diff --git a/modules/system/nix.nix b/modules/system/nix.nix
index 5d15484..2e6d03e 100644
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
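Review bot: The new `auth.password` option in the `@@ -28,6 +23,20 @@` hunk defaults to `""`, so a host that sets `enable = true` without supplying a password would, as far as these hunks show, configure basic auth with an empty password instead of failing evaluation. Drop the `default` so a missing value is an error, or add an entry to `assertions` in the config section with `assertion = cfg.auth.password != "";`. The `example = "MySuperSecurePassword123";` line also invites copy-paste into real configs; a placeholder such as `example = "<generated secret>";` is safer. The options block starts and ends outside this hunk.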
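Review bot: `basicAuth = { "${cfg.auth.user}" = cfg.auth.password; };` in the `@@ -42,10 +51,15 @@` hunk hands nginx the password as a Nix string, and the NixOS option is documented as storing it in plain text in the Nix store, which every local user and process on the host can read. Prefer `basicAuthFile` pointing at an htpasswd file that is provisioned outside the store and readable only by the nginx user, for example `basicAuthFile = cfg.auth.htpasswdFile;` with a matching path-typed option replacing `auth.password`. The netrc built with `pkgs.writeText` in modules/system/nix.nix has the same exposure on every machine that imports that module. The `virtualHosts` block starts outside this hunk.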
@@ -30,6 +30,11 @@ in { nixpkgs.config.allowUnfree = cfg.allowUnfree; nix = { + extraOptions = '' + # Ensure we can still build when secondary caches are unavailable + fallback = true + ''; + settings = { # Enable Flakes experimental-features = [ @@ -47,6 +52,13 @@ in config.secrets.services.binary-cache.pubcert ]; + # Authentication for Hevana's binary cache + netrc-file = + with config.secrets.services.binary-cache; + pkgs.writeText "netrc" '' + machine ${url} login ${auth.username} password ${auth.password} + ''; + # Only allow these users to use Nix allowed-users = with config.users.users; [ root.name
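Review bot: `machine ${url}` in the netrc hunk interpolates the cache URL, which binary-cache.nix describes as the complete URL (its example is `https://cache.example.com`), while a netrc `machine` token is compared against the host name only, so if the secret holds the scheme the credentials would likely never be sent. binary-cache.nix already derives the host with `pkgs.util.getDomainFromURL`, and the same call fits here: `machine ${pkgs.util.getDomainFromURL url} login ${auth.username} password ${auth.password}`. Separately, `pkgs.writeText` puts the file in the world-readable Nix store; pointing `netrc-file` at a root-only file provisioned outside the store (Nix's default location is `/etc/nix/netrc`) keeps the password out of it. The `settings` block continues outside the hunk.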