From 56cc86052fc8b43cadacbe4b149ed28a5929a1a4 Mon Sep 17 00:00:00 2001
From: TheGeneralist <180094941+thegeneralist01@users.noreply.github.com>
Date: Mon, 30 Jun 2025 21:00:51 +0200
Subject: [PATCH] feat: set up cache
---
hosts/thegeneralist-central/cache/default.nix | 27 +++++++++++++++++++
hosts/thegeneralist-central/cache/key.age | 7 +++++
hosts/thegeneralist-central/configuration.nix | 2 +-
hosts/thegeneralist-central/site.nix | 1 +
modules/common/nix.nix | 21 ++++++++++-----
secrets.nix | 1 +
6 files changed, 51 insertions(+), 8 deletions(-)
create mode 100644 hosts/thegeneralist-central/cache/default.nix
create mode 100644 hosts/thegeneralist-central/cache/key.age
diff --git a/hosts/thegeneralist-central/cache/default.nix b/hosts/thegeneralist-central/cache/default.nix
new file mode 100644
index 0000000..b65f9b5
--- /dev/null
+++ b/hosts/thegeneralist-central/cache/default.nix
@@ -0,0 +1,27 @@
+{ pkgs, config, ... }: let
+ domain = "cache.thegeneralist01.com";
+
+ ssl = {
+ quic = true;
+ useACMEHost = "thegeneralist01.com";
+ };
+in {
+ age.secrets.cacheSigningKey.file = ./key.age;
+ services.nix-serve = {
+ enable = true;
+ package = pkgs.nix-serve-ng;
+ secretKeyFile = config.age.secrets.cacheSigningKey.path;
+ port = 1337;
+ openFirewall = false;
+ };
+
+ services.nginx.virtualHosts.${domain} = ssl // {
+ locations."/".proxyPass = "http://127.0.0.1:1337";
+ locations."= /".return = "301 https://thegeneralist01.com/404";
+
+ extraConfig = /* nginx */ ''
+ proxy_intercept_errors on;
+ error_page 404 = thegeneralist01.com/404.html;
+ '';
+ };
+}
diff --git a/hosts/thegeneralist-central/cache/key.age b/hosts/thegeneralist-central/cache/key.age
new file mode 100644
index 0000000..402c191
--- /dev/null
+++ b/hosts/thegeneralist-central/cache/key.age
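Review bot: `services.nix-serve` in cache/default.nix sets no `bindAddress`, and the NixOS module listens on all interfaces by default, so port 1337 is kept private only by `openFirewall = false` and by how the host firewall treats its other interfaces. nginx is the only intended client and already proxies to `http://127.0.0.1:1337`, so add `bindAddress = "127.0.0.1";` to the `services.nix-serve` block; the loopback restriction then no longer depends on firewall state. Separately, `error_page 404 = thegeneralist01.com/404.html;` has neither a leading `/` nor a scheme, and together with `proxy_intercept_errors on` it replaces the plain 404 that Nix clients rely on to detect a cache miss. As far as I can tell nginx answers with a relative redirect instead, so check what a request for a missing `.narinfo` actually returns before relying on this vhost as a substituter.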
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 pp9qdQ 7QBh40bF+3U+uQaQiZNMVsIWX2ZX162OKbuzgNwIR3A +Fj2ACjgfeswbIt+ril51zlNaacqgMzkl8p3CQpiUGFo +--- yVZxFaEnzft0ovxvy0CbdIZso0qVMyFPGocBRiONTQM +bQ^ 44y!Rq9+AE6W&t[./J#BuzwI/GCoxn01JckJv/pqwzB/y$,;I3wYٻS +P2 +_ _DP \ No newline at end of file diff --git a/hosts/thegeneralist-central/configuration.nix b/hosts/thegeneralist-central/configuration.nix index 714ccc3..f62fb37 100644 --- a/hosts/thegeneralist-central/configuration.nix +++ b/hosts/thegeneralist-central/configuration.nix @@ -5,7 +5,7 @@ { self, config, pkgs, lib, inputs, ... }: { - imports = [ ./hardware-configuration.nix ./site.nix ]; + imports = [ ./hardware-configuration.nix ./site.nix ./cache ]; users.users.thegeneralist = { isNormalUser = true; diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix index 3fd0c4c..7af1517 100644 --- a/hosts/thegeneralist-central/site.nix +++ b/hosts/thegeneralist-central/site.nix @@ -66,6 +66,7 @@ in { ingress = { "thegeneralist01.com" = "http://localhost:80"; "www.thegeneralist01.com" = "http://localhost:80"; + "cache.thegeneralist01.com" = "http://localhost:80"; }; default = "http_status:404"; diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 0a97149..a60ad6f 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -1,17 +1,24 @@ { pkgs, lib, ...}: { # todo: gc - # todo: cache environment.systemPackages = with pkgs; [ nh ]; - lib.debug.traceVal = pkgs.nh; + nix.settings = { + experimental-features = [ + "flakes" + "nix-command" + "pipe-operators" + ]; - nix.settings.experimental-features = [ - "flakes" - "nix-command" - "pipe-operators" - ]; + extra-substituters = [ + "https://cache.thegeneralist01.com/" + ]; + + extra-trusted-public-keys = [ + "etc.thegeneralist01.com:BIhIf7HJ5xjFX+2e0WrGDQ4LdHeEEyQrtWBB1li2Ve8=" + ]; + }; home-manager.sharedModules = [{ programs.nh = { diff --git a/secrets.nix b/secrets.nix index fb85e81..290df64 100644 
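Review bot: The new ingress entry `"cache.thegeneralist01.com" = "http://localhost:80";` in site.nix puts nix-serve on the public tunnel, and nix-serve answers for any path present in this host's store, not just the ones you mean to share. Anything that lands in `/nix/store` on this machine (a config file with an inline credential, private sources, unfree builds) becomes readable by whoever learns its store path. If the cache is only meant for your own machines, restrict it at the tunnel or serve it over the private network instead. Otherwise, record the decision next to the entry, e.g. `# public: serves this host's entire /nix/store; nothing secret may enter the store`. The `ingress` block starts and ends outside this hunk, so I cannot see whether an access policy is applied elsewhere.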
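Review bot: In modules/common/nix.nix the entry in `extra-trusted-public-keys` is named `etc.thegeneralist01.com`, while the substituter it is meant to cover is `cache.thegeneralist01.com`. Nix looks up signatures by key name, so this works only if the secret in `cache/key.age` was generated under exactly that name. That is worth confirming, because with a mismatch the cache's paths are rejected as untrusted and hosts quietly build locally or fall back to other substituters. Since this module is shared, the key is also a trust anchor for every host that imports it, and the private half lives on the Internet-facing cache host. I would document that next to the list, e.g. `# public half of hosts/thegeneralist-central/cache/key.age; rotate both together, anything signed by it is trusted on all hosts`.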
--- a/secrets.nix +++ b/secrets.nix @@ -7,6 +7,7 @@ in { "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ]; + "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ]; "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ]; }