feat(ops/bugry): run nixery instance

Running Nixery on bugry is much more cost efficient (better traffic economics
than on a cloud provider, and Nixery is mostly a traffic-heavy service), and
frees up my Yandex Cloud credits for adding another builder.

Change-Id: Id6c8c76b28a5ce13cc8b743ad6e72fffd19353fb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12997
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>

ops/machines/bugry/default.nix

@@ -6,8 +6,12 @@ let
 in
 {
   imports = [
+    (mod "known-hosts.nix")
+    (mod "nixery.nix")
     (mod "tvl-cache.nix")
     (mod "tvl-users.nix")
+    (mod "www/nixery.dev.nix")
+
     (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
@@ -167,5 +171,15 @@ in
   tvl.cache.enable = true;
   tvl.cache.builderball = true;
 
+  services.depot.nixery.enable = true;
+
+  services.depot.automatic-gc = {
+    enable = true;
+    interval = "1 hour";
+    diskThreshold = 50; # GiB (10% of disk)
+    maxFreed = 150; # GiB
+    preserveGenerations = "14d";
+  };
+
   system.stateVersion = "24.11";
 }

ops/modules/www/nixery.dev.nix

@@ -11,6 +11,11 @@
       enableACME = true;
       forceSSL = true;
 
+      acmeFallbackHost = {
+        "nixery-01" = "bugry.tvl.fyi";
+        "bugry" = "nixery-01.tvl.fyi";
+      }."${config.networking.hostName}";
+
       extraConfig = ''
         location / {
           proxy_pass http://localhost:${toString config.services.depot.nixery.port};