binary-cache/modules/default.nix

{
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.services.tvix-binary-cache;
  settingsFormat = pkgs.formats.toml { };
  systemdHardening = {
    PrivateDevices = true;
    PrivateTmp = true;
    ProtectControlGroups = true;
    ProtectKernelTunables = true;
    RestrictSUIDSGID = true;

    #ProtectSystem = "strict";
    ProtectKernelLogs = true;
    ProtectProc = "invisible";
    PrivateUsers = true;
    ProtectHome = true;
    UMask = "0077";
    RuntimeDirectoryMode = "0750";
    StateDirectoryMode = "0750";
  };
in
{
  imports = [ ./nginx.nix ];
  options = {
    services.tvix-binary-cache = {
      enable = lib.mkEnableOption "BinaryCache using tvix ca-store";
      castoreDir = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "/var/lib/castore";
      };
      caches = lib.mkOption {
        type = lib.types.attrsOf (
          lib.types.submodule (
            { name, ... }@cacheAttrs:
            {
              config =
                let
                  common-composition = {
                    blobservices.default = {
                      type = "objectstore";
                      object_store_url = "file://${cfg.castoreDir}/blobs.object-store";
                      object_store_options = { };
                    };
                    directoryservices = {
                      objectstore = {
                        type = "objectstore";
                        object_store_url = "file://${cfg.castoreDir}/directories.object-store";
                        object_store_options = { };
                      };
                      memory = {
                        type = "memory";
                      };
                      cache = {
                        type = "cache";
                        near = "memory";
                        far = "objectstore";
                      };
                      default = {
                        type = "router";
                        writes = "objectstore";
                        reads = "cache";
                      };
                    };
                  };
                in
                {
                  nar-bridge-composition = lib.recursiveUpdate common-composition {
                    pathinfoservices.default = {
                      type = "grpc";
                      url = "grpc+http://${cacheAttrs.config.grpcListenAddress}";
                    };
                  };
                  tvix-daemon-composition = lib.recursiveUpdate common-composition {
                    pathinfoservices.default = {
                      type = "sled";
                      is_temporary = false;
                      path = "/var/lib/tvix-daemon-${name}/pathinfos.sled";
                    };
                  };
                };

              options = {
                grpcListenAddress = lib.mkOption { type = lib.types.str; };
                narBridgeListenAddress = lib.mkOption { type = lib.types.str; };
                nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };
                tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };
                name = lib.mkOption {
                  type = lib.types.str;
                  description = "Name of the cache";
                  default = name;
                  defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";
                };
                remote-path-info-service-addr = lib.mkOption {
                  type = with lib.types; nullOr str;
                  description = "Upstream cache to substitute from if nothing in ";
                  example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
                  default = null;
                };
              };
            }
          )
        );
      };
    };
  };

  config = lib.mkIf cfg.enable {

    environment.systemPackages = [ pkgs.tvix ];
    users.users.tvix-castore = {
      isSystemUser = true;
      group = "tvix-castore";
    };
    users.groups.tvix-castore = { };

    systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ];

    systemd.services = lib.mkMerge (
      (lib.singleton { })
      ++ (lib.mapAttrsToList (name: cache: {
        "tvix-daemon-${cache.name}" = {
          environment = {
            EXPERIMENTAL_STORE_COMPOSITION = settingsFormat.generate "Config.toml" cache.tvix-daemon-composition;
          };
          serviceConfig = {
            UMask = "007";
            #ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/tvix-castore/socket\"";
            ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\"";
            StateDirectory = "tvix-daemon-${cache.name}";
            RuntimeDirectory = "tvix-daemon-${cache.name}";
            User = "tvix-castore";
            Group = "tvix-castore";
          } // systemdHardening;
        };
        "narbridge-${cache.name}" = {
          wantedBy = [ "multi-user.target" ];
          wants = [ "tvix-daemon-${cache.name}.service" ];
          after = [ "tvix-daemon-${cache.name}.service" ];
          environment = {
            EXPERIMENTAL_STORE_COMPOSITION = settingsFormat.generate "Config.toml" cache.nar-bridge-composition;
          };
          serviceConfig = {
            ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\"";
            User = "tvix-castore";
            Group = "tvix-castore";
            RuntimeDirectory = "narbridge-${cache.name}";
          } // systemdHardening;
        };

      }) cfg.caches)
    );

  };
}
feat(init): init 2024-06-29 15:53:57 +00:00			`{`
			`pkgs,`
			`lib,`
			`config,`
			`...`
			`}:`
			`let`
			`cfg = config.services.tvix-binary-cache;`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`settingsFormat = pkgs.formats.toml { };`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`systemdHardening = {`
			`PrivateDevices = true;`
			`PrivateTmp = true;`
			`ProtectControlGroups = true;`
			`ProtectKernelTunables = true;`
			`RestrictSUIDSGID = true;`

refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`#ProtectSystem = "strict";`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`ProtectKernelLogs = true;`
			`ProtectProc = "invisible";`
			`PrivateUsers = true;`
			`ProtectHome = true;`
			`UMask = "0077";`
			`RuntimeDirectoryMode = "0750";`
			`StateDirectoryMode = "0750";`
			`};`
feat(init): init 2024-06-29 15:53:57 +00:00			`in`
			`{`
feat: Add nginx module 2024-07-19 08:51:57 +00:00			`imports = [ ./nginx.nix ];`
feat(init): init 2024-06-29 15:53:57 +00:00			`options = {`
			`services.tvix-binary-cache = {`
			`enable = lib.mkEnableOption "BinaryCache using tvix ca-store";`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`castoreDir = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`default = "/var/lib/castore";`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`};`
			`caches = lib.mkOption {`
			`type = lib.types.attrsOf (`
			`lib.types.submodule (`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`{ name, ... }@cacheAttrs:`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`{`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`config =`
			`let`
			`common-composition = {`
			`blobservices.default = {`
			`type = "objectstore";`
			`object_store_url = "file://${cfg.castoreDir}/blobs.object-store";`
			`object_store_options = { };`
			`};`
			`directoryservices = {`
			`objectstore = {`
			`type = "objectstore";`
			`object_store_url = "file://${cfg.castoreDir}/directories.object-store";`
			`object_store_options = { };`
			`};`
			`memory = {`
			`type = "memory";`
			`};`
			`cache = {`
			`type = "cache";`
			`near = "memory";`
			`far = "objectstore";`
			`};`
			`default = {`
			`type = "router";`
			`writes = "objectstore";`
			`reads = "cache";`
			`};`
			`};`
			`};`
			`in`
			`{`
			`nar-bridge-composition = lib.recursiveUpdate common-composition {`
			`pathinfoservices.default = {`
			`type = "grpc";`
			`url = "grpc+http://${cacheAttrs.config.grpcListenAddress}";`
			`};`
			`};`
			`tvix-daemon-composition = lib.recursiveUpdate common-composition {`
			`pathinfoservices.default = {`
			`type = "sled";`
			`is_temporary = false;`
			`path = "/var/lib/tvix-daemon-${name}/pathinfos.sled";`
			`};`
			`};`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`};`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00
			`options = {`
			`grpcListenAddress = lib.mkOption { type = lib.types.str; };`
			`narBridgeListenAddress = lib.mkOption { type = lib.types.str; };`
			`nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };`
			`tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`name = lib.mkOption {`
			`type = lib.types.str;`
			`description = "Name of the cache";`
			`default = name;`
			`defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";`
			`};`
feat: Add upstream cache option 2024-07-18 20:21:03 +00:00			`remote-path-info-service-addr = lib.mkOption {`
			`type = with lib.types; nullOr str;`
			`description = "Upstream cache to substitute from if nothing in ";`
			`example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";`
			`default = null;`
			`};`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`};`
			`}`
			`)`
			`);`
feat(init): init 2024-06-29 15:53:57 +00:00			`};`
			`};`
			`};`

feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`config = lib.mkIf cfg.enable {`
feat(init): init 2024-06-29 15:53:57 +00:00
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`environment.systemPackages = [ pkgs.tvix ];`
			`users.users.tvix-castore = {`
			`isSystemUser = true;`
			`group = "tvix-castore";`
			`};`
			`users.groups.tvix-castore = { };`

			`systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ];`
feat: Add tvix-store cli to system packages 2024-07-18 14:57:05 +00:00
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`systemd.services = lib.mkMerge (`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`(lib.singleton { })`
			`++ (lib.mapAttrsToList (name: cache: {`
			`"tvix-daemon-${cache.name}" = {`
feat(init): init 2024-06-29 15:53:57 +00:00			`environment = {`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`EXPERIMENTAL_STORE_COMPOSITION = settingsFormat.generate "Config.toml" cache.tvix-daemon-composition;`
feat(init): init 2024-06-29 15:53:57 +00:00			`};`
			`serviceConfig = {`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`UMask = "007";`
			`#ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/tvix-castore/socket\"";`
			`ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\"";`
			`StateDirectory = "tvix-daemon-${cache.name}";`
			`RuntimeDirectory = "tvix-daemon-${cache.name}";`
			`User = "tvix-castore";`
			`Group = "tvix-castore";`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`} // systemdHardening;`
			`};`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`"narbridge-${cache.name}" = {`
			`wantedBy = [ "multi-user.target" ];`
			`wants = [ "tvix-daemon-${cache.name}.service" ];`
			`after = [ "tvix-daemon-${cache.name}.service" ];`
			`environment = {`
			`EXPERIMENTAL_STORE_COMPOSITION = settingsFormat.generate "Config.toml" cache.nar-bridge-composition;`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`};`
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`serviceConfig = {`
			`ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\"";`
			`User = "tvix-castore";`
			`Group = "tvix-castore";`
			`RuntimeDirectory = "narbridge-${cache.name}";`
			`} // systemdHardening;`
			`};`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00
refactor(modules): use store composition 2024-07-21 23:13:19 +00:00			`}) cfg.caches)`
feat: Add options for multiple decoupled caches with same storage backend 2024-07-08 17:35:59 +00:00			`);`
feat(init): init 2024-06-29 15:53:57 +00:00
			`};`
			`}`