| blob | ac5c35ddb280bc3aca3c97e2e9adfe9050319c0b |
1 { config, pkgs, lib, ... }:
2 let
3 cfg = config.services.harmonia;
4 format = pkgs.formats.toml { };
6 signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath;
7 credentials = lib.imap0 (i: signKeyPath: {
8 id = "sign-key-${builtins.toString i}";
9 path = signKeyPath;
10 }) signKeyPaths;
11 in
12 {
13 options = {
14 services.harmonia = {
15 enable = lib.mkEnableOption "Harmonia: Nix binary cache written in Rust";
17 signKeyPath = lib.mkOption {
18 type = lib.types.nullOr lib.types.path;
19 default = null;
20 description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache";
21 };
23 signKeyPaths = lib.mkOption {
24 type = lib.types.listOf lib.types.path;
25 default = [ ];
26 description = "Paths to the signing keys to use for signing the cache";
27 };
29 package = lib.mkPackageOption pkgs "harmonia" { };
31 settings = lib.mkOption {
32 inherit (format) type;
33 default = { };
34 description = ''
35 Settings to merge with the default configuration.
36 For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>.
37 '';
38 };
39 };
40 };
42 config = lib.mkIf cfg.enable {
43 warnings = lib.optional (cfg.signKeyPath != null)
44 "`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead";
45 nix.settings.extra-allowed-users = [ "harmonia" ];
46 users.users.harmonia = {
47 isSystemUser = true;
48 group = "harmonia";
49 };
50 users.groups.harmonia = { };
52 systemd.services.harmonia = {
53 description = "harmonia binary cache service";
55 requires = [ "nix-daemon.socket" ];
56 after = [ "network.target" ];
57 wantedBy = [ "multi-user.target" ];
59 environment = {
60 CONFIG_FILE = format.generate "harmonia.toml" cfg.settings;
61 SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " (
62 credential: "%d/${credential.id}"
63 ) credentials;
64 # Note: it's important to set this for nix-store, because it wants to use
65 # $HOME in order to use a temporary cache dir. bizarre failures will occur
66 # otherwise
67 HOME = "/run/harmonia";
68 };
70 serviceConfig = {
71 ExecStart = lib.getExe cfg.package;
72 User = "harmonia";
73 Group = "harmonia";
74 Restart = "on-failure";
75 PrivateUsers = true;
76 DeviceAllow = [ "" ];
77 UMask = "0066";
78 RuntimeDirectory = "harmonia";
79 LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials;
80 SystemCallFilter = [
81 "@system-service"
82 "~@privileged"
83 "~@resources"
84 ];
85 CapabilityBoundingSet = "";
86 ProtectKernelModules = true;
87 ProtectKernelTunables = true;
88 ProtectControlGroups = true;
89 ProtectKernelLogs = true;
90 ProtectHostname = true;
91 ProtectClock = true;
92 RestrictRealtime = true;
93 MemoryDenyWriteExecute = true;
94 ProcSubset = "pid";
95 ProtectProc = "invisible";
96 RestrictNamespaces = true;
97 SystemCallArchitectures = "native";
98 PrivateNetwork = false;
99 PrivateTmp = true;
100 PrivateDevices = true;
101 PrivateMounts = true;
102 NoNewPrivileges = true;
103 ProtectSystem = "strict";
104 ProtectHome = true;
105 LockPersonality = true;
106 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
107 LimitNOFILE = 65536;
108 };
109 };
110 };
111 }