Put attic behind a proxy

2024-04-17 20:02:56 +02:00 · 2024-04-17 20:02:56 +02:00 · 68bb79a2b6
parent 4e2354e570
commit 68bb79a2b6
4 changed files with 18 additions and 4 deletions
--- a/home-manager/profiles/work-wsl.nix
+++ b/home-manager/profiles/work-wsl.nix
@ -47,11 +47,13 @@
        "https://nix-community.cachix.org"
        "https://cache.nixos.org"
        "https://devenv.cachix.org"
+        "https://cache.zweili.org/prod"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+        "prod:46pIZhqoueg1P4IPp8ciArCUgSXWJZAq63CwLTQN/uA="
      ];
    };
  };
--- a/modules/misc/common/default.nix
+++ b/modules/misc/common/default.nix
@ -141,7 +141,7 @@ in
        "https://nix-community.cachix.org"
        "https://cache.nixos.org"
        "https://devenv.cachix.org"
-        "http://10.7.89.150:8080/prod"
+        "https://cache.zweili.org/prod"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
--- a/modules/services/attic/default.nix
+++ b/modules/services/attic/default.nix
@ -10,6 +10,7 @@ let
  cfg = config.services.az-attic-server;
  cacheStorage = "/mnt/binary-cache";
  atticPort = 8080;
+  atticDomain = "cache.zweili.org";
  attic-garbage-collect = pkgs.writeShellScriptBin "attic-garbage-collect" ''
    ${
      inputs.attic.packages.${system}.attic-server
@ -42,14 +43,20 @@ in
      attic-garbage-collect
    ];

-    networking.firewall.allowedTCPPorts = [ atticPort ];
+    networking.firewall.allowedTCPPorts = [ 443 ];
+
+    services.az-nginx-proxy = {
+      enable = true;
+      domain = atticDomain;
+      port = atticPort;
+    };
    services.atticd = {
      enable = true;
      credentialsFile = config.age.secrets.atticEnv.path;
      settings = {
        listen = "[::]:${toString atticPort}";
-        api-endpoint = "http://10.7.89.150:${toString atticPort}/";
-        allowed-hosts = [ ];
+        api-endpoint = "https://${atticDomain}/";
+        allowed-hosts = [ atticDomain ];
        storage = {
          type = "local";
          path = "${cacheStorage}";
--- a/modules/services/haproxy/default.nix
+++ b/modules/services/haproxy/default.nix
@ -44,6 +44,7 @@ in
          redirect scheme https code 301 if { hdr(host) -i nextcloud.2li.ch } !{ ssl_fc }
          redirect scheme https code 301 if { hdr(host) -i rss.zweili.org } !{ ssl_fc }
          redirect scheme https code 301 if { hdr(host) -i rss-bridge.zweili.org } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i cache.zweili.org } !{ ssl_fc }
          redirect scheme https code 301 if { hdr(host) -i www.2li.ch } !{ ssl_fc }
          redirect scheme https code 301 if { hdr_dom(host) -i 2li.ch } !{ ssl_fc }

@ -62,6 +63,7 @@ in
          use_backend nextcloud_server if { req_ssl_sni -i nextcloud.2li.ch }
          use_backend rss_server if { req_ssl_sni -i rss.zweili.org }
          use_backend rss_server if { req_ssl_sni -i rss-bridge.zweili.org }
+          use_backend cache_server if { req_ssl_sni -i cache.zweili.org }
          use_backend proxy if { req_ssl_sni -i www.2li.ch }
          use_backend proxy if { req_ssl_sni -i 2li.ch }

@ -83,6 +85,9 @@ in
        backend proxy
          mode tcp
          server server1 127.0.0.1:4433 check
+        backend cache_server
+          mode tcp
+          server server1 10.7.89.150:443 check
      '';
    };
  };