# nix-cache

Serves a Nix binary cache from Cloudflare R2 with JWT-based authentication.
Only users with a valid Keycloak token and membership in the `nix-cache-users`
group can read from the cache.

Nix clients authenticate via netrc (Basic auth), while other clients can use
Bearer tokens directly. JWTs are verified locally using cached JWKS public keys.

## Development

```bash
npm install    # install dependencies
npm test       # run vitest (uses miniflare locally)
npm run dev    # start wrangler dev server on localhost:8787
```

## Cloudflare Setup

1. Create an A record on the subdomain you want this Worker to run on which
   points to `192.0.2.1`
2. Edit `wrangler.jsonc`:
   - `route` should be the subdomain followed by `/*`
   - `bucket_name` should be the name of the R2 bucket you'll use
3. Run `npx wrangler login` to login to Wrangler
4. Run `npm run deploy`
5. Upload an `index.html` to your bucket if you want a landing page