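# NixOS module: runs one nix-store-gcs-proxy systemd service per configured
# Google Cloud Storage bucket, so the bucket can be used as an HTTP binary cache.
{
  config,
  lib,
  pkgs,
  utils,
  ...
}:

let
  inherit (lib) mkOption types;

  # Per-bucket submodule. Each attribute of services.nix-store-gcs-proxy is one
  # proxy instance; `name` is the attribute name and doubles as the default
  # bucket name.
  opts =
    { name, config, ... }:
    {
      options = {
        enable = mkOption {
          default = true;
          type = types.bool;
          example = true;
          description = "Whether to enable proxy for this bucket";
        };
        bucketName = mkOption {
          type = types.str;
          default = name;
          example = "my-bucket-name";
          description = "Name of Google storage bucket";
        };
        address = mkOption {
          type = types.str;
          example = "localhost:3000";
          description = "The address of the proxy.";
        };
      };
    };

  # Only instances with enable = true get a unit.
  enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;

  # Apply `function name cfg` to every enabled instance and merge the resulting
  # attribute sets into one.
  mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);
in
{
  options.services.nix-store-gcs-proxy = mkOption {
    type = types.attrsOf (types.submodule opts);
    default = { };
    description = ''
      An attribute set describing an HTTP to GCS proxy that allows us to use GCS
      bucket via HTTP protocol.
    '';
  };

  config.systemd.services = mapProxies (
    name: cfg: {
      "nix-store-gcs-proxy-${name}" = {
        description = "A HTTP nix store that proxies requests to Google Storage";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];

        startLimitIntervalSec = 10;
        serviceConfig = {
          # RestartSec and startLimitIntervalSec only take effect when the unit
          # is actually configured to restart.
          Restart = "on-failure";
          RestartSec = 5;

          # Option values are user-controlled strings; escape them so a bucket
          # name or address containing whitespace or quotes cannot split into
          # extra arguments or otherwise alter the command line.
          ExecStart = utils.escapeSystemdExecArgs [
            "${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy"
            "--bucket-name"
            cfg.bucketName
            "--addr"
            cfg.address
          ];

          # NOTE(review): this module does not provision GCS credentials. With
          # DynamicUser and ProtectHome the service has no stable, readable
          # $HOME, so confirm how the binary authenticates (environment vs. a
          # credentials file) and pass any secret via a systemd credential
          # rather than a path under a home directory.
          DynamicUser = true;

          # Filesystem isolation: the proxy needs no writable system paths.
          ProtectSystem = "strict";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateUsers = true;
          ProtectProc = "invisible";

          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectClock = true;

          # Privilege reduction: the process only listens on `address` and makes
          # outbound connections to Google Storage, so it needs no capabilities,
          # no namespaces and only IP (plus AF_UNIX for local name resolution).
          NoNewPrivileges = true;
          CapabilityBoundingSet = "";
          RestrictNamespaces = true;
          RestrictSUIDSGID = true;
          RestrictAddressFamilies = [
            "AF_UNIX"
            "AF_INET"
            "AF_INET6"
          ];
          LockPersonality = true;
          RestrictRealtime = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" ];
        };
      };
    }
  );

  meta.maintainers = [ lib.maintainers.mrkkrp ];
}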