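# NixOS module: a local caching reverse proxy in front of cache.nixos.org.
#
# Nix clients point a substituter at http://awesome.cache/ and nginx serves
# narinfo/nar objects from its on-disk cache, fetching misses from the real
# binary cache over HTTPS.
{ config, lib, ... }:
let
  domain = "awesome.cache";
  upstream = "cache.nixos.org";
in
{
  # Make the vhost name resolve locally. This only affects name resolution:
  # the NixOS nginx module binds every interface on port 80 by default, and as
  # the only vhost this one is also nginx's default server, so other hosts on
  # the network can use it as an open proxy to (and a way to fill) the cache.
  # If the cache is meant to be host-local, add
  #   listen = [ { addr = "127.0.0.1"; port = 80; } ];
  # to the vhost below.
  networking.extraHosts = ''
    127.0.0.1 ${domain}
  '';

  services.nginx = {
    enable = true;

    proxyCachePath.nixos = {
      enable = true;
      keysZoneName = "nixos";
      keysZoneSize = "100m";
      # Objects unused for a year are evicted. No `maxSize` is set, so the
      # cache is bounded only by the disk it lives on -- set one if that disk
      # is shared with anything that must not fill up.
      inactive = "365d";
    };

    virtualHosts.${domain} = {
      extraConfig = ''
        proxy_cache nixos;
        # A Set-Cookie on an upstream response would otherwise make nginx
        # refuse to cache that object; the binary cache has no sessions.
        proxy_ignore_headers "Set-Cookie";
        proxy_hide_header "Set-Cookie";
        proxy_buffering on;
      '';

      locations."/" = {
        # The recommended settings would forward X-Forwarded-* headers and the
        # client's Host header; we want to present a clean request upstream.
        recommendedProxySettings = false;
        proxyPass = "https://${upstream}";
        extraConfig = ''
          proxy_set_header Host "${upstream}";
          # Send SNI so the upstream CDN presents the certificate for
          # cache.nixos.org rather than a default one ...
          proxy_ssl_server_name on;
          proxy_ssl_name "${upstream}";
          # ... and verify it. nginx defaults to `proxy_ssl_verify off`, which
          # leaves the HTTPS upstream no stronger than plain HTTP against an
          # on-path attacker. Nix still checks narinfo signatures on the
          # client, but the integrity of what lands in this cache should not
          # rest on that alone.
          proxy_ssl_verify on;
          proxy_ssl_verify_depth 3;
          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        '';
      };
    };
  };

  # The NixOS nginx unit ships with systemd sandboxing; this block switches
  # all of it off (the author's original note: "most likely not needed").
  # Nothing in this module -- cache under /var/cache/nginx, no extra modules,
  # no special devices -- should require any of these overrides, and each one
  # widens what a compromised nginx worker can reach. Preferably delete the
  # whole block; if nginx then fails, re-add only the single directive that
  # `journalctl -u nginx` shows to be the problem.
  systemd.services.nginx.serviceConfig = {
    RestrictNamespaces = lib.mkForce false;
    ProtectSystem = lib.mkForce false;
    ProtectControlGroups = lib.mkForce false;
    ProtectHome = lib.mkForce false;
    ProtectHostname = lib.mkForce false;
    ProtectKernelLogs = lib.mkForce false;
    ProtectKernelModules = lib.mkForce false;
    ProtectKernelTunables = lib.mkForce false;
    PrivateDevices = lib.mkForce false;
    PrivateMounts = lib.mkForce false;
    PrivateTmp = lib.mkForce false;
    MemoryDenyWriteExecute = lib.mkForce false;
    NoNewPrivileges = lib.mkForce false;
    ProtectProc = lib.mkForce "default";
    RestrictRealtime = lib.mkForce false;
    RestrictSUIDSGID = lib.mkForce false;
  };

  # Dead configuration kept from an earlier iteration (a permown service that
  # would chown /data to nginx and tie its lifetime to nginx.service). It is
  # not active; remove it once it is certain it will not be revived.
  #services.permown."/data" = {
  #  owner = "nginx";
  #};
  #systemd.services."permown./data" = {
  #  bindsTo = [ "nginx.service" ];
  #  after = [ "nginx.service" ];
  #};
}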