Sure. I import the certificates like this:
{ config, pkgs, inputs, ... }:
{
security.pki.certificateFiles = [
./certificates/home.pem
];
}
where home.pem
is a default PEM formatted certificate. It works fine to import the cert system wide this way.
If I enter the flake.nix and run a simple curl
against the remote server I get the following, which is typical for a TLS certificate error.
curl https://webpage.home
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.
I use that too. Unfortunately it does only work with Docker and on some machines I’ve only containerd+nerdctl available. Would be cool if test containers supports more than Docker as a runtime.
I reworked the whole CI/CD pipeline for https://kellnr.io. Switched from Ubuntu as the base image to the official Rust (Debian) image. Additionally, musl targets are build and released on github. This should allow kellnr to run out-of-the-box on any Linux distro.
Thanks for the response. You are right, the config was at the wrong path. Unfortunately, the config itself does not work, too. After a bit of testing around this worked for me:
apiVersion: v1
kind: PersistentVolume
metadata:
name: nix-cache-volume
spec:
capacity:
storage: 500Gi
storageClassName: manual
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/k8s/nix-cache" # Needs exists before PV is created!
persistentVolumeReclaimPolicy: Retain
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nix-cache-pvc
spec:
accessModes:
- ReadWriteOnce
storageClassName: manual
resources:
requests:
storage: 500Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nix-cache
spec:
replicas: 1
selector:
matchLabels:
app: nix-cache
template:
metadata:
labels:
app: nix-cache
name: nix-cache
spec:
volumes:
- name: nix-cache-storage
persistentVolumeClaim:
claimName: nix-cache-pvc
- name: nix-cache-config
configMap:
name: nix-cache-config
containers:
- name: nix-cache
image: nginx:1.27.0
ports:
- containerPort: 80
volumeMounts:
- name: nix-cache-storage
mountPath: /data
- name: nix-cache-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
resources:
limits:
memory: "512Mi"
cpu: "300m"
requests:
memory: "256Mi"
cpu: "200m"
---
apiVersion: v1
kind: Service
metadata:
name: nix-cache
spec:
selector:
app: nix-cache
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nix-cache-ingress
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: "nix-cache.raspi.home"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: nix-cache
port:
number: 80
tls:
- secretName: nix-cache-raspi-home-tls
hosts:
- "nix-cache.raspi.home"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nix-cache.raspi.home
spec:
commonName: nix-cache.raspi.home
dnsNames:
- "nix-cache.raspi.home"
secretName: nix-cache-raspi-home-tls
issuerRef:
name: ca-issuer
kind: ClusterIssuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nix-cache-config
data:
# See: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit
nginx.conf: |
events {
worker_connections 1024;
}
http {
proxy_cache_path /data/nginx/cache max_size=500G keys_zone=cache_zone:50m inactive=365d;
proxy_cache cache_zone;
proxy_cache_valid 200 365d;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_504 http_403 http_404 http_429;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
proxy_cache_lock on;
server {
listen 80;
server_name nix-cache.raspi.home;
location /nix-cache-info {
return 200 "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 41\n";
}
location / {
proxy_set_header Host $proxy_host;
proxy_pass https://cache.nixos.org;
}
}
}
The config is an adaption from this blog post: https://www.channable.com/tech/setting-up-a-private-nix-cache-for-fun-and-profit
Thanks, I’ll try that!