pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / networking / harmonia.nix
at 25.11-pre 3.6 kB view raw
1{ 2 config, 3 pkgs, 4 lib, 5 ... 6}: 7let 8 cfg = config.services.harmonia; 9 format = pkgs.formats.toml { }; 10 11 signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath; 12 credentials = lib.imap0 (i: signKeyPath: { 13 id = "sign-key-${builtins.toString i}"; 14 path = signKeyPath; 15 }) signKeyPaths; 16in 17{ 18 options = { 19 services.harmonia = { 20 enable = lib.mkEnableOption "Harmonia: Nix binary cache written in Rust"; 21 22 signKeyPath = lib.mkOption { 23 type = lib.types.nullOr lib.types.path; 24 default = null; 25 description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache"; 26 }; 27 28 signKeyPaths = lib.mkOption { 29 type = lib.types.listOf lib.types.path; 30 default = [ ]; 31 description = "Paths to the signing keys to use for signing the cache"; 32 }; 33 34 package = lib.mkPackageOption pkgs "harmonia" { }; 35 36 settings = lib.mkOption { 37 inherit (format) type; 38 default = { }; 39 description = '' 40 Settings to merge with the default configuration. 41 For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>. 42 ''; 43 }; 44 }; 45 }; 46 47 config = lib.mkIf cfg.enable { 48 warnings = lib.optional ( 49 cfg.signKeyPath != null 50 ) "`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead"; 51 nix.settings.extra-allowed-users = [ "harmonia" ]; 52 users.users.harmonia = { 53 isSystemUser = true; 54 group = "harmonia"; 55 }; 56 users.groups.harmonia = { }; 57 58 systemd.services.harmonia = { 59 description = "harmonia binary cache service"; 60 61 requires = [ "nix-daemon.socket" ]; 62 after = [ "network.target" ]; 63 wantedBy = [ "multi-user.target" ]; 64 65 environment = { 66 CONFIG_FILE = format.generate "harmonia.toml" cfg.settings; 67 SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " ( 68 credential: "%d/${credential.id}" 69 ) credentials; 70 # Note: it's important to set this for nix-store, because it wants to use 71 # $HOME in order to use a temporary cache dir. bizarre failures will occur 72 # otherwise 73 HOME = "/run/harmonia"; 74 }; 75 76 serviceConfig = { 77 ExecStart = lib.getExe cfg.package; 78 User = "harmonia"; 79 Group = "harmonia"; 80 Restart = "on-failure"; 81 PrivateUsers = true; 82 DeviceAllow = [ "" ]; 83 UMask = "0066"; 84 RuntimeDirectory = "harmonia"; 85 LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials; 86 SystemCallFilter = [ 87 "@system-service" 88 "~@privileged" 89 "~@resources" 90 ]; 91 CapabilityBoundingSet = ""; 92 ProtectKernelModules = true; 93 ProtectKernelTunables = true; 94 ProtectControlGroups = true; 95 ProtectKernelLogs = true; 96 ProtectHostname = true; 97 ProtectClock = true; 98 RestrictRealtime = true; 99 MemoryDenyWriteExecute = true; 100 ProcSubset = "pid"; 101 ProtectProc = "invisible"; 102 RestrictNamespaces = true; 103 SystemCallArchitectures = "native"; 104 PrivateNetwork = false; 105 PrivateTmp = true; 106 PrivateDevices = true; 107 PrivateMounts = true; 108 NoNewPrivileges = true; 109 ProtectSystem = "strict"; 110 ProtectHome = true; 111 LockPersonality = true; 112 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; 113 LimitNOFILE = 65536; 114 }; 115 }; 116 }; 117}