From 2efa94d35ed65796443726f82d297ee8ba6118f7 Mon Sep 17 00:00:00 2001
From: RGBCube <git@rgbcu.be>
Date: Thu, 27 Feb 2025 19:02:15 +0300
Subject: [PATCH] feat: serve the local store and fallback to the s3 bucket if
 it 404's

---
 .gitignore                   |   2 +-
 hosts/best/cache.nix         |  18 ---------------
 hosts/best/cache/default.nix |  43 +++++++++++++++++++++++++++++++++++
 hosts/best/cache/key.age     | Bin 0 -> 426 bytes
 rebuild.nu                   |   4 ++++
 secrets.nix                  |   2 ++
 6 files changed, 50 insertions(+), 19 deletions(-)
 delete mode 100644 hosts/best/cache.nix
 create mode 100644 hosts/best/cache/default.nix
 create mode 100644 hosts/best/cache/key.age

diff --git a/.gitignore b/.gitignore
index 2a03358..55d9b90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,8 @@
 !hosts/
 
 !hosts/best/
+!hosts/best/cache/
 !hosts/best/garage/
-!hosts/best/nix-serve/
 !hosts/best/hercules/
 
 !hosts/cube/
diff --git a/hosts/best/cache.nix b/hosts/best/cache.nix
deleted file mode 100644
index c35b74a..0000000
--- a/hosts/best/cache.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ self, config, lib, ... }: let
-  inherit (config.networking) domain;
-  inherit (lib) merge;
-
-  fqdn = "cache.${domain}";
-in {
-  imports = [(self + /modules/nginx.nix)];
-
-  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
-    locations."/" = {
-      extraConfig = /* nginx */ ''
-        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
-      '';
-
-      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
-    };
-  };
-}
diff --git a/hosts/best/cache/default.nix b/hosts/best/cache/default.nix
new file mode 100644
index 0000000..54ba52b
--- /dev/null
+++ b/hosts/best/cache/default.nix
@@ -0,0 +1,43 @@
+{ self, config, lib, pkgs, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) enabled merge;
+
+  fqdn = "cache.${domain}";
+
+  portNixServe = 8006;
+in {
+  imports = [(self + /modules/nginx.nix)];
+
+  secrets.nixServeKey = {
+    file  = ./key.age;
+    owner = "nix-serve";
+  };
+
+  services.nix-serve = enabled {
+    package       = pkgs.nix-serve-ng;
+    secretKeyFile = config.secrets.nixServeKey.path;
+
+    # Not ::1 because nix-serve doesn't like that.
+    bindAddress = "127.0.0.1";
+    port        = portNixServe;
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    extraConfig = /* nginx */ ''
+      proxy_intercept_errors on;
+      error_page 404 = @fallback;
+    '';
+
+    locations."= /".return = "301 https://${domain}/404";
+
+    locations."/".proxyPass = "http://127.0.0.1:${toString portNixServe}";
+
+    locations."@fallback" = {
+      extraConfig = /* nginx */ ''
+        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
+      '';
+
+      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
+    };
+  };
+}
diff --git a/hosts/best/cache/key.age b/hosts/best/cache/key.age
new file mode 100644
index 0000000000000000000000000000000000000000..b05a78e5f9547aa3b2885731bd01286479ec0dcb
GIT binary patch
literal 426
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)s5A~SD_8KY^!Bgx
zcgrd?aI7rO@Yc?AcQMKeF38q54A%B^H}MTL_b!TxN~=iE&F3;LaxHdob%`|dFib16
zEUOA}jL0d^EU8LP3{DMAOw2EIHTN_LiuChO_C>eNxvDTJAW$JaHLJWh(>*}nEGN&~
z&C4ev)x)L4%+Vy-!qG6@IWaxlD=5l2G&wNT*n}(6%*!LqCp0Q2**_}L-6F}zDJb2?
zGrP##qf$S^BFQb=(<RC+Bi-98&45c+S69K!)xfK&EThCQC^*V3*}|Z*D$&rgG|wo~
zJjFlQ*}$>DCA~u5E78R(!hkC^ApCZ!&3oVK{-Z9(JDkq!W~@_BdYO8V&+kU`F5MgH
z9>3pY+Pm=Y6nlA!H<01x=Pf=aS#i;!rwlep?u@cYzwxa|?5}6hf3}w8+ioAU*&iix
zp)~k(LnnKZe1XBaE$KEA|2&FATh{F`pK;pbO6Z5OH_{Wd-b~!qq|SEDuKcE}iuBx$
JyY9;2?*LAuovr`?

literal 0
HcmV?d00001

diff --git a/rebuild.nu b/rebuild.nu
index 7038a49..93e6d01 100755
--- a/rebuild.nu
+++ b/rebuild.nu
@@ -22,6 +22,10 @@ def main --wrapped [
   }
 
   if $host != (hostname) {
+    ssh -q -tt $host $"
+      rm -rf ncc
+    "
+
     git ls-files
     | sync --files-from - ./ ($host + ":ncc")
 
diff --git a/secrets.nix b/secrets.nix
index b57a206..63550be 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,6 +5,8 @@ in {
   "hosts/best/id.age".publicKeys            = [ best ] ++ admins;
   "hosts/best/password.the.age".publicKeys  = [ best ] ++ admins;
 
+  "hosts/best/cache/key.age".publicKeys = [ best ] ++ admins;
+
   "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;
 
   "hosts/best/hercules/caches.age".publicKeys       = [ best ] ++ admins;