| blob | 828f4d5c244dc9068fbccdd46bc578a550669d57 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 with lib;
10 let
11 opts =
12 { name, config, ... }:
13 {
14 options = {
15 enable = mkOption {
16 default = true;
17 type = types.bool;
18 example = true;
19 description = "Whether to enable proxy for this bucket";
20 };
21 bucketName = mkOption {
22 type = types.str;
23 default = name;
24 example = "my-bucket-name";
25 description = "Name of Google storage bucket";
26 };
27 address = mkOption {
28 type = types.str;
29 example = "localhost:3000";
30 description = "The address of the proxy.";
31 };
32 };
33 };
34 enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;
35 mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);
36 in
37 {
38 options.services.nix-store-gcs-proxy = mkOption {
39 type = types.attrsOf (types.submodule opts);
40 default = { };
41 description = ''
42 An attribute set describing an HTTP to GCS proxy that allows us to use GCS
43 bucket via HTTP protocol.
44 '';
45 };
47 config.systemd.services = mapProxies (
48 name: cfg: {
49 "nix-store-gcs-proxy-${name}" = {
50 description = "A HTTP nix store that proxies requests to Google Storage";
51 wantedBy = [ "multi-user.target" ];
53 startLimitIntervalSec = 10;
54 serviceConfig = {
55 RestartSec = 5;
56 ExecStart = ''
57 ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \
58 --bucket-name ${cfg.bucketName} \
59 --addr ${cfg.address}
60 '';
62 DynamicUser = true;
64 ProtectSystem = "strict";
65 ProtectHome = true;
66 PrivateTmp = true;
67 PrivateDevices = true;
68 PrivateMounts = true;
69 PrivateUsers = true;
71 ProtectKernelTunables = true;
72 ProtectKernelModules = true;
73 ProtectControlGroups = true;
75 NoNewPrivileges = true;
76 LockPersonality = true;
77 RestrictRealtime = true;
78 };
79 };
80 }
81 );
83 meta.maintainers = [ maintainers.mrkkrp ];
84 }