feat(deertopia): Binary cache

- Provides a container whose traffic is routed through Mullvad VPN.
- An option `sydnix.deertopia.mullvad.container.modules` is provided to
  "hook into" the container's NixOS config.

hosts/deertopia/configuration.nix

@@ -47,6 +47,7 @@
       webdav.enable = true;
       copyparty.enable = true;
       syncthing.enable = true;
+      cache.enable = true;
 
       # A simple default webpage.  This should probably live somewhere else.
       nginx.vhosts."www" = {

modules/nixos/deertopia/cache.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.cache;
+in {
+  options.sydnix.deertopia.cache.enable =
+    lib.mkEnableOption "Deertopia's binary cache";
+
+  config = lib.mkIf cfg.enable {
+    sydnix.sops.secrets.deertopia-cache-key.mode = "0600";
+
+    services.nix-serve = {
+      enable = true;
+      secretKeyFile = config.sops.secrets.deertopia-cache-key.path;
+    };
+
+    sydnix.deertopia.nginx.vhosts."cache".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass =
+        let port = builtins.toString config.services.nix-serve.port;
+        in "http://127.0.0.1:${port}";
+    };
+  };
+}
+

public-keys/deertopia-cache.pub.pem

@@ -0,0 +1 @@
+cache.deertopia.net:ZWh5BQrFHNKtZ/WvwgDglwy/eJuJUfpQdURDNlQlWoI=

secrets.yaml

@@ -15,6 +15,8 @@ authelia-jwt-secret: ENC[AES256_GCM,data:uKWCq7x0mSZJKXDDhMNNPFCglLchlbzCDd68Gao
 authelia-session-secret: ENC[AES256_GCM,data:4RXVjaR4O3Zy0MbS/yHV/YKTlJyrL0PmBhYQxYiadI3R/aoZaT7VwPyMVRgia031au6UojZFooETdWdzEVKRwA==,iv:rdUk5UsWI56myFu3necp+iIzMNMkzRZQcOGmjG3UD4I=,tag:pqFFuLb5TdPic/n+Ccf/cQ==,type:str]
 authelia-storage-encryption-key: ENC[AES256_GCM,data:z/k/wXyLp53lZ50oaca/QIs55kF9iKT5ck/s6clFnhyLPkjFeTnVz9Met6klCrs/IkfPHOu50bS2o894D0Xa+A==,iv:Kd8xv6Rk1tTKYmp5/wFlj4HRqjVJQT5QzlpUQO9AF8o=,tag:nNzUumbV9Fgt+DveAmXY2w==,type:str]
 authelia-authentication-backend-ldap-password: ENC[AES256_GCM,data:VWHW3rjjYCiEw2TuDCAXBhkTMVFsjjQmHByB6H8SwNuF5rAxsZTN99jF9+BE66S3GBtgMJ7loJ/RHkZ4ukC1lQ==,iv:8Iz/ydhN6cnVqlUt0zsp0N6OGuiDwgu858MsJsp7SNM=,tag:8O9lbI//3CR0D7ATGmfLsw==,type:str]
+mullvad-account-number: ENC[AES256_GCM,data:4YwyUGIjpkszBJ/rApsqfw==,iv:fz40K9elmeO19ZdhTT+VjI/DXa8emmSYd1Wqx+JBfU0=,tag:GJmbTVb1VB2cKarg+V1qbA==,type:str]
+deertopia-cache-key: ENC[AES256_GCM,data:icKy8QZ59/zvQXgsTqN0PInUH3kgZBquwoAF0Lz3yy1avRI6z5DPuBAmj15lC8UmoDhTqi8nCvm5CGW1Xp5YgAQ5TgEWRpm8FWXxSofhLw8BotM4S3zxtCyefxcrW8Z7Lh7p25ECLrSX5F1h,iv:NNOWrgLrtg4WgG6IYWrVOhaTBmAaSeephvVwTT3VeUQ=,tag:zHmAil/falzhWXkvAV4PQA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -39,8 +41,8 @@ sops:
             TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp
             ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-21T22:42:25Z"
-    mac: ENC[AES256_GCM,data:a/xPkNMYY6rhiy3aPqQIVneSLvDkLVeZ0ugtiGKUrOn540CnSn2tCNACoqTfGRuOExpWqTjs6ihoE8R9eN8hIY3VKCRhXBFkO+sEZKwsF/YsXQcRprDKSQdRTjYBDa8OURlJlevLGLy1N+UY7l3IPW9cD5WhBW/nwqP++WnvQbc=,iv:PxsAguORboTxe+bL5OlVEQwTg+o+WBm7dY1IC08OcQY=,tag:JV9FwvwHFK7kRQHREnz5Vw==,type:str]
+    lastmodified: "2025-03-12T18:28:36Z"
+    mac: ENC[AES256_GCM,data:jQCvZ/quZSDdkjzUKLbdbHSWuTvSs8TvMHxW2+nUt/ZUcwvel+Qhv0Yn4Ao1iDcwaO+MqPquXWQpBlRy3K3ADgThhKBkL2ZcCSaZ6bJA8KkCvk5BxE4+Il77cTr/gAYk/anWVLK8qLoMhjvSHVWUydGzsIL0w0kDHlEfIM4WC14=,iv:Z0tvSatR6d54LOtz1dlJuwYMrmE3uPh9L08OpUkF8zc=,tag:b/MrbFhhgPGtCEMvW7JGYQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4