39 lines
1.0 KiB
Nix
39 lines
1.0 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
service_configs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
(lib.serviceFilePerms "harmonia" [
|
|
"Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
|
|
])
|
|
];
|
|
|
|
services.harmonia = {
|
|
enable = true;
|
|
signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
|
|
settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
|
|
};
|
|
|
|
# serve latest deploy store paths (unauthenticated — just a path string)
|
|
# CI writes to /var/lib/dotfiles-deploy/<hostname> after building
|
|
services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
|
|
handle_path /deploy/* {
|
|
root * /var/lib/dotfiles-deploy
|
|
file_server
|
|
}
|
|
|
|
handle {
|
|
import ${config.age.secrets.nix-cache-auth.path}
|
|
reverse_proxy :${toString service_configs.ports.private.harmonia.port}
|
|
}
|
|
'';
|
|
|
|
# directory for CI to record latest deploy store paths
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/lib/dotfiles-deploy 0755 gitea-runner gitea-runner"
|
|
];
|
|
}
|