feat: serve the local store and fallback to the s3 bucket if it 404's

hosts/best/cache.nix

@@ -1,18 +0,0 @@
-{ self, config, lib, ... }: let
-  inherit (config.networking) domain;
-  inherit (lib) merge;
-
-  fqdn = "cache.${domain}";
-in {
-  imports = [(self + /modules/nginx.nix)];
-
-  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
-    locations."/" = {
-      extraConfig = /* nginx */ ''
-        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
-      '';
-
-      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
-    };
-  };
-}

hosts/best/cache/default.nix

@@ -0,0 +1,43 @@
+{ self, config, lib, pkgs, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) enabled merge;
+
+  fqdn = "cache.${domain}";
+
+  portNixServe = 8006;
+in {
+  imports = [(self + /modules/nginx.nix)];
+
+  secrets.nixServeKey = {
+    file  = ./key.age;
+    owner = "nix-serve";
+  };
+
+  services.nix-serve = enabled {
+    package       = pkgs.nix-serve-ng;
+    secretKeyFile = config.secrets.nixServeKey.path;
+
+    # Not ::1 because nix-serve doesn't like that.
+    bindAddress = "127.0.0.1";
+    port        = portNixServe;
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    extraConfig = /* nginx */ ''
+      proxy_intercept_errors on;
+      error_page 404 = @fallback;
+    '';
+
+    locations."= /".return = "301 https://${domain}/404";
+
+    locations."/".proxyPass = "http://127.0.0.1:${toString portNixServe}";
+
+    locations."@fallback" = {
+      extraConfig = /* nginx */ ''
+        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
+      '';
+
+      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
+    };
+  };
+}