experiment with cache.nixos.org proxy

nixos/machines/cream/configuration.nix

@@ -24,6 +24,9 @@
     ./trilium.nix
 
     ./test.nix
+
+    #./proxy.nix
+
   ];
 
 

nixos/machines/cream/packages.nix

@@ -100,14 +100,14 @@ in
     #)
 
     tor-browser-bundle-bin
-    (tor-browser-bundle-bin.overrideAttrs (old: rec {
-      version = "11.0.1";
-      name = "tor-browser-bundle-${version}";
-      src = pkgs.fetchurl {
-        url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
-        sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
-      };
-    }))
+    #(tor-browser-bundle-bin.overrideAttrs (old: rec {
+    #  version = "11.0.1";
+    #  name = "tor-browser-bundle-${version}";
+    #  src = pkgs.fetchurl {
+    #    url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
+    #    sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
+    #  };
+    #}))
 
 
     sops

nixos/machines/cream/proxy.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+  domain = "awesome.cache";
+in
+{
+
+  networking.extraHosts = ''
+    127.0.0.1 ${domain}
+  '';
+
+  services.nginx = {
+    enable = true;
+
+    proxyCachePath.nixos = {
+      enable = true;
+      inactive = "365d";
+      keysZoneSize = "100m";
+      keysZoneName = "nixos";
+    };
+
+    virtualHosts = {
+      ${domain} = {
+        extraConfig = ''
+          proxy_cache nixos;
+          proxy_ignore_headers "Set-Cookie";
+          proxy_hide_header "Set-Cookie";
+          proxy_buffering on;
+        '';
+        locations."/" = {
+          recommendedProxySettings = false;
+          proxyPass = "https://cache.nixos.org";
+          extraConfig = ''
+            proxy_set_header Host "cache.nixos.org";
+          '';
+        };
+      };
+    };
+  };
+
+
+  # most likely not needed
+  systemd.services.nginx.serviceConfig = {
+    RestrictNamespaces = lib.mkForce false;
+    ProtectSystem = lib.mkForce false;
+    ProtectControlGroups = lib.mkForce false;
+    ProtectHome = lib.mkForce false;
+    ProtectHostname = lib.mkForce false;
+    ProtectKernelLogs = lib.mkForce false;
+    ProtectKernelModules = lib.mkForce false;
+    ProtectKernelTunables = lib.mkForce false;
+    PrivateDevices = lib.mkForce false;
+    PrivateMounts = lib.mkForce false;
+    PrivateTmp = lib.mkForce false;
+    MemoryDenyWriteExecute = lib.mkForce false;
+    NoNewPrivileges = lib.mkForce false;
+    ProtectProc = lib.mkForce "default";
+    RestrictRealtime = lib.mkForce false;
+    RestrictSUIDSGID = lib.mkForce false;
+  };
+
+
+  #services.permown."/data" = {
+  #  owner = "nginx";
+  #};
+
+  #systemd.services."permown./data" = {
+  #  bindsTo = [ "nginx.service" ];
+  #  after = [ "nginx.service" ];
+  #};
+
+}