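{ config, lib, pkgs, utils, ... }:

with lib;

let
  # Submodule for a single proxy instance. `name` is the attribute key under
  # services.nix-store-gcs-proxy and doubles as the default bucket name.
  opts = { name, config, ... }: {
    options = {
      enable = mkOption {
        default = true;
        type = types.bool;
        example = true;
        description = lib.mdDoc "Whether to enable proxy for this bucket";
      };
      bucketName = mkOption {
        type = types.str;
        default = name;
        example = "my-bucket-name";
        description = lib.mdDoc "Name of Google storage bucket";
      };
      address = mkOption {
        type = types.str;
        example = "localhost:3000";
        description = lib.mdDoc "The address of the proxy.";
      };
    };
  };

  # Only instances with `enable = true` get a systemd unit.
  enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;

  # Apply `function name cfg` to every enabled instance and merge the resulting
  # attribute sets into one (so each instance contributes its own unit).
  mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);
in
{
  options.services.nix-store-gcs-proxy = mkOption {
    type = types.attrsOf (types.submodule opts);
    default = {};
    description = lib.mdDoc ''
      An attribute set describing an HTTP to GCS proxy that allows us to use GCS
      bucket via HTTP protocol.
    '';
  };

  config.systemd.services = mapProxies (name: cfg: {
    "nix-store-gcs-proxy-${name}" = {
      description = "A HTTP nix store that proxies requests to Google Storage";
      wantedBy = [ "multi-user.target" ];
      # The proxy binds a listening socket, so order it after networking is up.
      after = [ "network.target" ];

      startLimitIntervalSec = 10;
      serviceConfig = {
        # RestartSec= only takes effect together with Restart=; without it the
        # unit would stay dead after a crash despite the rate-limit settings.
        Restart = "on-failure";
        RestartSec = 5;
        # bucketName and address are user-supplied strings. Quote them for
        # systemd's ExecStart= parser (whitespace, quotes, `%` specifiers)
        # instead of splicing them into the command line verbatim.
        ExecStart = utils.escapeSystemdExecArgs [
          "${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy"
          "--bucket-name" cfg.bucketName
          "--addr" cfg.address
        ];

        # Run as a transient, unprivileged user allocated by systemd.
        DynamicUser = true;

        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;

        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;

        NoNewPrivileges = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        # The service needs no capabilities; clear the bounding set entirely.
        CapabilityBoundingSet = "";
      };
    };
  });

  meta.maintainers = [ maintainers.mrkkrp ];
}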