feat: serve the local store and fallback to the s3 bucket if it 404's

2025-07-27 10:07:44 +00:00 · 2025-02-27 19:02:15 +03:00 · 2025-02-27 19:02:15 +03:00 · 2efa94d35e
commit 2efa94d35e
parent 34d9e30529
6 changed files with 50 additions and 19 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,8 +7,8 @@
 !hosts/

 !hosts/best/
+!hosts/best/cache/
 !hosts/best/garage/
-!hosts/best/nix-serve/
 !hosts/best/hercules/

 !hosts/cube/
--- a/hosts/best/cache.nix
+++ b/hosts/best/cache.nix
@ -1,18 +0,0 @@
-{ self, config, lib, ... }: let
-  inherit (config.networking) domain;
-  inherit (lib) merge;
-
-  fqdn = "cache.${domain}";
-in {
-  imports = [(self + /modules/nginx.nix)];
-
-  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
-    locations."/" = {
-      extraConfig = /* nginx */ ''
-        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
-      '';
-
-      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
-    };
-  };
-}
--- a/hosts/best/cache/default.nix
+++ b/hosts/best/cache/default.nix
@ -0,0 +1,43 @@
+{ self, config, lib, pkgs, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) enabled merge;
+
+  fqdn = "cache.${domain}";
+
+  portNixServe = 8006;
+in {
+  imports = [(self + /modules/nginx.nix)];
+
+  secrets.nixServeKey = {
+    file  = ./key.age;
+    owner = "nix-serve";
+  };
+
+  services.nix-serve = enabled {
+    package       = pkgs.nix-serve-ng;
+    secretKeyFile = config.secrets.nixServeKey.path;
+
+    # Not ::1 because nix-serve doesn't like that.
+    bindAddress = "127.0.0.1";
+    port        = portNixServe;
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    extraConfig = /* nginx */ ''
+      proxy_intercept_errors on;
+      error_page 404 = @fallback;
+    '';
+
+    locations."= /".return = "301 https://${domain}/404";
+
+    locations."/".proxyPass = "http://127.0.0.1:${toString portNixServe}";
+
+    locations."@fallback" = {
+      extraConfig = /* nginx */ ''
+        proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
+      '';
+
+      proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
+    };
+  };
+}
--- a/hosts/best/cache/key.age
+++ b/hosts/best/cache/key.age
--- a/rebuild.nu
+++ b/rebuild.nu
@ -22,6 +22,10 @@ def main --wrapped [
  }

  if $host != (hostname) {
+    ssh -q -tt $host $"
+      rm -rf ncc
+    "
+
    git ls-files
    | sync --files-from - ./ ($host + ":ncc")

--- a/secrets.nix
+++ b/secrets.nix
@ -5,6 +5,8 @@ in {
  "hosts/best/id.age".publicKeys            = [ best ] ++ admins;
  "hosts/best/password.the.age".publicKeys  = [ best ] ++ admins;

+  "hosts/best/cache/key.age".publicKeys = [ best ] ++ admins;
+
  "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;

  "hosts/best/hercules/caches.age".publicKeys       = [ best ] ++ admins;