• 36 Posts
  • 41 Comments
Joined 1 year ago
cake
Cake day: November 29th, 2023

help-circle









  • Sure. I import the certificates like this:

    { config, pkgs, inputs, ... }:
    {
      security.pki.certificateFiles = [
        ./certificates/home.pem
      ];
    }
    

    where home.pem is a default PEM formatted certificate. It works fine to import the cert system wide this way.

    If I enter the flake.nix and run a simple curl against the remote server I get the following, which is typical for a TLS certificate error.

    curl https://webpage.home
    curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
    

    So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.






  • Thanks for the response. You are right, the config was at the wrong path. Unfortunately, the config itself does not work, too. After a bit of testing around this worked for me:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: nix-cache-volume
    spec:
      capacity:
        storage: 500Gi
      storageClassName: manual
      accessModes:
        - ReadWriteOnce
      hostPath:
        path: "/mnt/k8s/nix-cache" # Needs exists before PV is created!
      persistentVolumeReclaimPolicy: Retain
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: nix-cache-pvc
    spec:
      accessModes:
        - ReadWriteOnce
      storageClassName: manual
      resources:
        requests:
          storage: 500Gi
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nix-cache
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nix-cache
      template:
        metadata:
          labels:
            app: nix-cache
            name: nix-cache
        spec:
          volumes:
            - name: nix-cache-storage
              persistentVolumeClaim:
                claimName: nix-cache-pvc
            - name: nix-cache-config
              configMap:
                name: nix-cache-config
          containers:
            - name: nix-cache
              image: nginx:1.27.0 
              ports:
                - containerPort: 80
              volumeMounts:
                - name: nix-cache-storage
                  mountPath: /data
                - name: nix-cache-config
                  mountPath: /etc/nginx/nginx.conf
                  subPath: nginx.conf
                  readOnly: true
              resources:
                limits:
                  memory: "512Mi"
                  cpu: "300m"
                requests:
                  memory: "256Mi"
                  cpu: "200m"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nix-cache
    spec:
      selector:
        app: nix-cache
      ports:
        - protocol: TCP
          port: 80
          targetPort: 80
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nix-cache-ingress
      annotations:
        traefik.ingress.kubernetes.io/router.tls: "true"
    spec:
      rules:
        - host: "nix-cache.raspi.home"
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: nix-cache
                    port:
                      number: 80
      tls:
        - secretName: nix-cache-raspi-home-tls
          hosts:
            - "nix-cache.raspi.home"
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: nix-cache.raspi.home
    spec:
      commonName: nix-cache.raspi.home
      dnsNames:
        - "nix-cache.raspi.home"
      secretName: nix-cache-raspi-home-tls
      issuerRef:
        name: ca-issuer
        kind: ClusterIssuer
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: nix-cache-config
    data:
      # See: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit
      nginx.conf: |
        events {
            worker_connections 1024;
        }
        http {
          proxy_cache_path /data/nginx/cache max_size=500G keys_zone=cache_zone:50m inactive=365d;
          proxy_cache cache_zone;
          proxy_cache_valid 200 365d;
          proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_504 http_403 http_404 http_429;
          proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
          proxy_cache_lock on;
    
          server {
              listen 80;
    
              server_name nix-cache.raspi.home;
    
              location /nix-cache-info {
                  return 200 "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 41\n";
              }
    
              location / {
                  proxy_set_header Host $proxy_host;
                  proxy_pass https://cache.nixos.org;
              }
          }
        }
    
    

    The config is an adaption from this blog post: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit





  • Unfortunately not. But I try to work on it a few hours every week in my spare time. I think that having an easy and free crate registry is crucial for the adaption of Rust in the commercial space. Companies don’t want to share their code publicly on crates.io. My full time job is in the IT security sector. My hope is that by pushing Rust as a safe language, we can close some fundamental design flaws that languages like C/C++ introduced and make software landscape more secure.