feat: Nginx | add local nix cache behind reverse proxy

2025-11-15 13:21:44 +05:00
parent 5ee891fe2b
commit d17c8b1b34
3 changed files with 139 additions and 0 deletions
--- a/nginx/nix-cache.ts
+++ b/nginx/nix-cache.ts
@@ -0,0 +1,105 @@
+import { Construct } from "constructs";
+import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
+import { IngressV1 } from "@cdktf/provider-kubernetes/lib/ingress-v1";
+import { PersistentVolumeClaimV1 } from "@cdktf/provider-kubernetes/lib/persistent-volume-claim-v1";
+
+export interface NixCacheProps {
+  namespace: string;
+  host: string;
+  ingressClassName?: string;
+  externalName?: string;
+}
+
+export class NixCache extends Construct {
+  constructor(scope: Construct, id: string, props: NixCacheProps) {
+    super(scope, id);
+
+    const {
+      namespace,
+      host,
+      ingressClassName: ingressClass = "nginx-internal",
+      externalName: upstreamHost = "cache.nixos.org",
+    } = props;
+
+    // 1) ExternalName Service -> cache.nixos.org
+    new ServiceV1(this, "nixcache-upstream-svc", {
+      metadata: {
+        name: "nixcache-upstream",
+        namespace,
+      },
+      spec: {
+        type: "ExternalName",
+        externalName: upstreamHost,
+      },
+    });
+
+    // 2) Ingress that targets the ExternalName Service over HTTPS:443
+    new IngressV1(this, "nixcache-ingress", {
+      metadata: {
+        name: "nix-cache",
+        namespace,
+        annotations: {
+          // Use the cache zone defined in controller.config.http-snippet
+          "nginx.ingress.kubernetes.io/proxy-cache": "cachecache",
+          "nginx.ingress.kubernetes.io/proxy-cache-valid": "200 302 60d",
+          "nginx.ingress.kubernetes.io/proxy-cache-lock": "true",
+          "nginx.ingress.kubernetes.io/proxy-buffering": "on",
+
+          // Upstream is HTTPS with SNI and a fixed Host header
+          "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
+          "nginx.ingress.kubernetes.io/proxy-ssl-server-name": "true",
+          "nginx.ingress.kubernetes.io/upstream-vhost": upstreamHost,
+
+          // Use cert-manager to provision TLS certs via Cloudflare
+          "cert-manager.io/cluster-issuer": "cloudflare-issuer",
+          "cert-manager.io/acme-challenge-type": "dns01",
+          "cert-manager.io/private-key-size": "4096",
+        },
+      },
+      spec: {
+        ingressClassName: ingressClass,
+        rule: [
+          {
+            host,
+            http: {
+              path: [
+                {
+                  path: "/",
+                  pathType: "Prefix",
+                  backend: {
+                    service: {
+                      name: "nixcache-upstream",
+                      port: { number: 443 },
+                    },
+                  },
+                },
+              ],
+            },
+          },
+        ],
+        tls: [
+          {
+            hosts: [host],
+            secretName: "nix-cache-tls",
+          },
+        ],
+      },
+    });
+
+    // 3) PersistentVolumeClaim for caching
+    new PersistentVolumeClaimV1(this, "nix-cache-pvc", {
+      metadata: {
+        name: "nix-cache",
+        namespace,
+      },
+      spec: {
+        accessModes: ["ReadWriteMany"],
+        resources: {
+          requests: {
+            storage: "128Gi",
+          },
+        },
+      },
+    });
+  }
+}