| blob | 8f495bb0cca163ad3a29ace9928a2f11b8650cf2 |
1 {
2 config,
3 pkgs,
4 lib,
5 ...
6 }:
7 let
8 cfg = config.services.harmonia;
9 format = pkgs.formats.toml { };
11 signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath;
12 credentials = lib.imap0 (i: signKeyPath: {
13 id = "sign-key-${builtins.toString i}";
14 path = signKeyPath;
15 }) signKeyPaths;
16 in
17 {
18 options = {
19 services.harmonia = {
20 enable = lib.mkEnableOption "Harmonia: Nix binary cache written in Rust";
22 signKeyPath = lib.mkOption {
23 type = lib.types.nullOr lib.types.path;
24 default = null;
25 description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache";
26 };
28 signKeyPaths = lib.mkOption {
29 type = lib.types.listOf lib.types.path;
30 default = [ ];
31 description = "Paths to the signing keys to use for signing the cache";
32 };
34 package = lib.mkPackageOption pkgs "harmonia" { };
36 settings = lib.mkOption {
37 inherit (format) type;
38 default = { };
39 description = ''
40 Settings to merge with the default configuration.
41 For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>.
42 '';
43 };
44 };
45 };
47 config = lib.mkIf cfg.enable {
48 warnings = lib.optional (
49 cfg.signKeyPath != null
50 ) "`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead";
51 nix.settings.extra-allowed-users = [ "harmonia" ];
52 users.users.harmonia = {
53 isSystemUser = true;
54 group = "harmonia";
55 };
56 users.groups.harmonia = { };
58 systemd.services.harmonia = {
59 description = "harmonia binary cache service";
61 requires = [ "nix-daemon.socket" ];
62 after = [ "network.target" ];
63 wantedBy = [ "multi-user.target" ];
65 environment = {
66 CONFIG_FILE = format.generate "harmonia.toml" cfg.settings;
67 SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " (
68 credential: "%d/${credential.id}"
69 ) credentials;
70 # Note: it's important to set this for nix-store, because it wants to use
71 # $HOME in order to use a temporary cache dir. bizarre failures will occur
72 # otherwise
73 HOME = "/run/harmonia";
74 };
76 serviceConfig = {
77 ExecStart = lib.getExe cfg.package;
78 User = "harmonia";
79 Group = "harmonia";
80 Restart = "on-failure";
81 PrivateUsers = true;
82 DeviceAllow = [ "" ];
83 UMask = "0066";
84 RuntimeDirectory = "harmonia";
85 LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials;
86 SystemCallFilter = [
87 "@system-service"
88 "~@privileged"
89 "~@resources"
90 ];
91 CapabilityBoundingSet = "";
92 ProtectKernelModules = true;
93 ProtectKernelTunables = true;
94 ProtectControlGroups = true;
95 ProtectKernelLogs = true;
96 ProtectHostname = true;
97 ProtectClock = true;
98 RestrictRealtime = true;
99 MemoryDenyWriteExecute = true;
100 ProcSubset = "pid";
101 ProtectProc = "invisible";
102 RestrictNamespaces = true;
103 SystemCallArchitectures = "native";
104 PrivateNetwork = false;
105 PrivateTmp = true;
106 PrivateDevices = true;
107 PrivateMounts = true;
108 NoNewPrivileges = true;
109 ProtectSystem = "strict";
110 ProtectHome = true;
111 LockPersonality = true;
112 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
113 LimitNOFILE = 65536;
114 };
115 };
116 };
117 }