experiment with cache.nixos.org proxy

2023-10-10 14:58:23 +02:00 · 2023-10-10 14:58:23 +02:00 · c1bcacb7c0
parent 67d463ad69
commit c1bcacb7c0
3 changed files with 82 additions and 8 deletions
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
@ -24,6 +24,9 @@
    ./trilium.nix

    ./test.nix
+
+    #./proxy.nix
+
  ];


--- a/nixos/machines/cream/packages.nix
+++ b/nixos/machines/cream/packages.nix
@ -100,14 +100,14 @@ in
    #)

    tor-browser-bundle-bin
-    (tor-browser-bundle-bin.overrideAttrs (old: rec {
-      version = "11.0.1";
-      name = "tor-browser-bundle-${version}";
-      src = pkgs.fetchurl {
-        url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
-        sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
-      };
-    }))
+    #(tor-browser-bundle-bin.overrideAttrs (old: rec {
+    #  version = "11.0.1";
+    #  name = "tor-browser-bundle-${version}";
+    #  src = pkgs.fetchurl {
+    #    url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
+    #    sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
+    #  };
+    #}))


    sops
--- a/nixos/machines/cream/proxy.nix
+++ b/nixos/machines/cream/proxy.nix
@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+  domain = "awesome.cache";
+in
+{
+
+  networking.extraHosts = ''
+    127.0.0.1 ${domain}
+  '';
+
+  services.nginx = {
+    enable = true;
+
+    proxyCachePath.nixos = {
+      enable = true;
+      inactive = "365d";
+      keysZoneSize = "100m";
+      keysZoneName = "nixos";
+    };
+
+    virtualHosts = {
+      ${domain} = {
+        extraConfig = ''
+          proxy_cache nixos;
+          proxy_ignore_headers "Set-Cookie";
+          proxy_hide_header "Set-Cookie";
+          proxy_buffering on;
+        '';
+        locations."/" = {
+          recommendedProxySettings = false;
+          proxyPass = "https://cache.nixos.org";
+          extraConfig = ''
+            proxy_set_header Host "cache.nixos.org";
+          '';
+        };
+      };
+    };
+  };
+
+
+  # most likely not needed
+  systemd.services.nginx.serviceConfig = {
+    RestrictNamespaces = lib.mkForce false;
+    ProtectSystem = lib.mkForce false;
+    ProtectControlGroups = lib.mkForce false;
+    ProtectHome = lib.mkForce false;
+    ProtectHostname = lib.mkForce false;
+    ProtectKernelLogs = lib.mkForce false;
+    ProtectKernelModules = lib.mkForce false;
+    ProtectKernelTunables = lib.mkForce false;
+    PrivateDevices = lib.mkForce false;
+    PrivateMounts = lib.mkForce false;
+    PrivateTmp = lib.mkForce false;
+    MemoryDenyWriteExecute = lib.mkForce false;
+    NoNewPrivileges = lib.mkForce false;
+    ProtectProc = lib.mkForce "default";
+    RestrictRealtime = lib.mkForce false;
+    RestrictSUIDSGID = lib.mkForce false;
+  };
+
+
+  #services.permown."/data" = {
+  #  owner = "nginx";
+  #};
+
+  #systemd.services."permown./data" = {
+  #  bindsTo = [ "nginx.service" ];
+  #  after = [ "nginx.service" ];
+  #};
+
+}