feat(whitby): Configure nix-serve on cache.tvl.su

Having a slow cache is better than having no cache.

Change-Id: Ie3cfcd4a2937d90b0e2ad899816bc31ae806631f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2847
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>

ops/nixos/whitby/default.nix

@@ -24,6 +24,7 @@ in lib.fix(self: {
     "${depot.depotPath}/ops/nixos/tvl-slapd/default.nix"
     "${depot.depotPath}/ops/nixos/tvl-sso/default.nix"
     "${depot.depotPath}/ops/nixos/www/b.tvl.fyi.nix"
+    "${depot.depotPath}/ops/nixos/www/cache.tvl.su.nix"
     "${depot.depotPath}/ops/nixos/www/cl.tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/code.tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/cs.tvl.fyi.nix"
@@ -307,6 +308,13 @@ in lib.fix(self: {
     ];
   };
 
+  services.nix-serve = {
+    enable = true;
+    port = 6443;
+    secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+    bindAddress = "localhost";
+  };
+
   environment.systemPackages = with nixpkgs; [
     bb
     curl

ops/nixos/www/cache.tvl.su.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts."cache.tvl.su" = {
+      serverName = "cache.tvl.su";
+      serverAliases = [ "cache.tvl.fyi" ];
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location = /cache-key.pub {
+          alias /etc/secrets/nix-cache-key.pub;
+        }
+
+        location / {
+          proxy_pass http://localhost:${toString config.services.nix-serve.port};
+        }
+      '';
+    };
+  };
+}