From 65bff745388e37b879c230b03d8e25524bfaf357 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 24 Jan 2020 15:30:11 +0100 Subject: [PATCH] Server7: stop building with other hydra, new nix-serve keys --- hosts/server7/configuration.nix | 25 +++++++++---------------- hosts/server7/hydra.nix | 17 +++++++++++------ hosts/server7/nix-serve.nix | 20 ++++++++++++++++++-- lib/emery.nix | 15 ++++++++------- 4 files changed, 46 insertions(+), 31 deletions(-) diff --git a/hosts/server7/configuration.nix b/hosts/server7/configuration.nix index 57a4193f..e20d9bae 100644 --- a/hosts/server7/configuration.nix +++ b/hosts/server7/configuration.nix @@ -5,7 +5,6 @@ in { imports = [ ../../lib - ../../lib/hq.nix ../../lib/default-gateway.nix ../../lib/emery.nix ../../lib/windsleep.nix @@ -26,6 +25,14 @@ in { }; }; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + statusPage = true; + }; + # Route IPv6 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; # Obtain global IPv6 despite being a router myself @@ -54,21 +61,7 @@ in { package = pkgs.nixFlakes; extraOptions = "experimental-features = nix-command flakes ca-references"; gc.automatic = true; - distributedBuilds = true; - buildMachines = [ - { - hostName = "localhost"; - system = "x86_64-linux"; - supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; - maxJobs = 8; - } - { - hostName = "hydra.hq"; - system = "x86_64-linux"; - sshUser = "buildfarmer"; - sshKey = "/etc/hydra.id_ed25519"; # shit is dumb - } - ]; + optimise.automatic = true; }; virtualisation.docker.enable = true; diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index 2fdfe196..45f34df2 100644 --- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix 
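Review bot: In the `nix` block hunk of hosts/server7/configuration.nix (`@@ -54,21 +61,7 @@`), dropping the `hydra.hq` build machine removes the only visible reference to `sshKey = "/etc/hydra.id_ed25519"`, but nothing in the change retires that credential. If nothing else uses the key, it should be deleted from server7 and its public half removed from the `buildfarmer` account on the remote side, so an unused private key is not left on the host. A short comment next to `optimise.automatic = true;` noting that builds are now local-only (the `localhost` entry moves to hydra.nix) would also help the next reader.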
@@ -162,22 +162,27 @@ in { config, pkgs, ... }: { users.users.root.password = "k-ot"; services.hydra = { enable = true; - hydraURL = "https://flakes.hq.c3d2.de"; + hydraURL = "https://server7.hq.c3d2.de"; logo = ./hydra.svg; notificationSender = "hydra@spam.works"; package = hydraFlakes pkgs; listenHost = "127.0.0.1"; }; + nix.buildMachines = [{ + hostName = "localhost"; + system = "x86_64-linux"; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; + maxJobs = 8; + }]; + services.nginx = { enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; virtualHosts = { - "flakes.hq.c3d2.de" = { + "server7.hq.c3d2.de" = { default = true; - forceSSL = false; - enableACME = false; + addSSL = true; + enableACME = true; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}"; }; diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix index 40fef2ac..a3456808 100644 --- a/hosts/server7/nix-serve.nix +++ b/hosts/server7/nix-serve.nix @@ -1,8 +1,24 @@ -{ ... }: +{ config, ... }: { + nix.sshServe.enable = true; + services.nix-serve = { enable = true; - secretKeyFile = "/var/cache-priv-key.pem"; + secretKeyFile = "/var/lib/nix-serve.key"; }; + + services.nginx = { + enable = true; + virtualHosts = { + "cache.server7.hq.c3d2.de" = { + addSSL = true; + enableACME = true; + locations."/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + }; + }; + }; + } + diff --git a/lib/emery.nix b/lib/emery.nix index e31a4690..284f8ae4 100644 --- a/lib/emery.nix +++ b/lib/emery.nix @@ -1,11 +1,6 @@ { config, pkgs, ... }: -let - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos" - ]; -in { +{ nix.trustedUsers = [ "emery" ]; 
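Review bot: The `server7.hq.c3d2.de` vhost uses `addSSL = true;`, which keeps the plain-HTTP listener serving the same content, so Hydra logins and session cookies can still cross the network unencrypted. Since `enableACME = true;` is set in the same block, `forceSSL = true;` in place of `addSSL` would redirect HTTP to HTTPS while the ACME challenge is still answered. The `cache.server7.hq.c3d2.de` vhost added in nix-serve.nix has the same setting. Separately, the context line `users.users.root.password` holds a plaintext password; it predates this change, but a hashed or file-based secret would be safer. The enclosing attribute set starts outside the hunk, so the password's scope cannot be confirmed from here.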
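Review bot: In hosts/server7/nix-serve.nix, `proxyPass` is built from `config.services.nix-serve.bindAddress`, which this hunk does not set. The NixOS module default is `0.0.0.0`, so unless it is overridden elsewhere nix-serve listens on every interface and, if the firewall allows the port, can be reached directly without going through the new TLS vhost. Adding `bindAddress = "127.0.0.1";` to the `services.nix-serve` block would keep the backend loopback-only and give nginx a concrete upstream address. `secretKeyFile = "/var/lib/nix-serve.key";` points at the cache signing key, so a comment stating that the file must live outside the Nix store and be readable only by the nix-serve user would be worth adding.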
@@ -20,7 +15,11 @@ in { extraGroups = [ "users" "wheel" ]; hashedPassword = "$6$ZgiLSFCQPW0DB0i$aPeZ9E62y2OvqRbNAEL.8IK30YgvyLy6UOitN6A.li.YmUrmYAh1ukB844MFp3KlTpYzi5e80hRIg1Vx1F0uO/"; - openssh.authorizedKeys = { inherit keys; }; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos" + ]; + shell = pkgs.fish; }; @@ -31,4 +30,6 @@ in { users.users.buildfarmer.openssh = { inherit (config.users.users.emery.openssh) authorizedKeys; }; + + nix.sshServe.keys = config.users.users.emery.openssh.authorizedKeys.keys; }
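Review bot: The added `nix.sshServe.keys = config.users.users.emery.openssh.authorizedKeys.keys;` at the end of lib/emery.nix authorizes Emery's personal login keys for the store-serving SSH account, and the context lines above it already pass the same keys to `buildfarmer`. That ties three roles (a `wheel` user, the build account and cache read access) to one set of private keys, so any machine meant to pull over SSH would need a key that also logs in as an administrator. A dedicated key listed directly, e.g. `nix.sshServe.keys = [ "<cache-client-public-key>" ];`, would keep cache access separable and revocable on its own. Because this file is a shared module under lib/, a comment saying the setting only takes effect where `nix.sshServe.enable` is true would help; the enclosing attribute set starts outside the hunk.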