diff --git a/modules/default.nix b/modules/default.nix index c2d00df..bb7dee7 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -14,7 +14,7 @@ let ProtectKernelTunables = true; RestrictSUIDSGID = true; - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectKernelLogs = true; ProtectProc = "invisible"; PrivateUsers = true; @@ -38,6 +38,25 @@ in lib.types.submodule ( { name, ... }@cacheAttrs: { + options = { + grpcListenAddress = lib.mkOption { type = lib.types.str; }; + narBridgeListenAddress = lib.mkOption { type = lib.types.str; }; + nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; }; + tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; }; + name = lib.mkOption { + type = lib.types.str; + description = "Name of the cache"; + default = name; + defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches"; + }; + remote-path-info-service-addr = lib.mkOption { + type = with lib.types; nullOr str; + description = "Upstream cache to substitute from if nothing in "; + example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; + default = null; + }; + }; + config = let common-composition = { @@ -72,7 +91,18 @@ in nar-bridge-composition = lib.recursiveUpdate common-composition { pathinfoservices.default = { type = "grpc"; - url = "grpc+http://${cacheAttrs.config.grpcListenAddress}"; + url = "grpc+http://${ + lib.replaceStrings + [ + "[::]" + "0.0.0.0" + ] + [ + "[::1]" + "127.0.0.1" + ] + cacheAttrs.config.grpcListenAddress + }"; }; }; tvix-daemon-composition = lib.recursiveUpdate common-composition { 
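Review bot: Enabling `ProtectSystem = "strict"` in the shared `systemdHardening` set makes the whole filesystem read-only for every unit that merges it, which is why later hunks in this commit add `ReadWritePaths = cfg.castoreDir` to both the daemon and the nar-bridge units; that coupling is not recorded anywhere in the set. I'd add `# strict: everything outside StateDirectory/RuntimeDirectory/ReadWritePaths is read-only — units merging this set must list their writable paths` above the `ProtectSystem` line so the next unit added here does not fail at runtime with an unexplained read-only filesystem. The `let` binding holding the set starts before the hunk.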
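Review bot: The options declared at the top of the submodule leave `grpcListenAddress` and `narBridgeListenAddress` without a `description`, and `remote-path-info-service-addr` carries the truncated sentence `"Upstream cache to substitute from if nothing in "` (moved as-is from its old position, removed in the next hunk). These end up in the generated option documentation, so I'd add `description = "Address the tvix-store daemon's gRPC endpoint listens on (passed to --listen-address)";` and `description = "Address nar-bridge listens on (passed to --listen-address)";`, and finish the third sentence. The `config =` body that follows continues outside the hunk.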
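Review bot: `lib.replaceStrings` on the `url` line does a blind substring replacement, so it also mangles non-wildcard addresses that happen to contain the pattern — a grpcListenAddress of `10.0.0.0:9000` becomes `1127.0.0.1:9000`, and `0.0.0.0` or `[::]` appearing anywhere other than the host position is rewritten too. Matching the wildcard only as the host (bare, or followed by `:port`) avoids that. The rewrite also quietly assumes the daemon listens on a wildcard address; if that is the intended default it is worth a comment noting that the gRPC store endpoint is then reachable from the network while nar-bridge is deliberately pinned to loopback. The surrounding `nar-bridge-composition` attrset ends outside the hunk.
```nix
url = "grpc+http://${
  let
    addr = cacheAttrs.config.grpcListenAddress;
    # Only rewrite a wildcard *host* (bare, or followed by ":port") to loopback;
    # a plain substring replacement would also corrupt e.g. "10.0.0.0:9000".
    toLoopback = wild: loop:
      if addr == wild then loop
      else if lib.hasPrefix "${wild}:" addr then loop + lib.removePrefix wild addr
      else null;
    v4 = toLoopback "0.0.0.0" "127.0.0.1";
    v6 = toLoopback "[::]" "[::1]";
  in
  if v4 != null then v4 else if v6 != null then v6 else addr
}";
```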
@@ -83,25 +113,6 @@ in }; }; }; - - options = { - grpcListenAddress = lib.mkOption { type = lib.types.str; }; - narBridgeListenAddress = lib.mkOption { type = lib.types.str; }; - nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; }; - tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; }; - name = lib.mkOption { - type = lib.types.str; - description = "Name of the cache"; - default = name; - defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches"; - }; - remote-path-info-service-addr = lib.mkOption { - type = with lib.types; nullOr str; - description = "Upstream cache to substitute from if nothing in "; - example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; - default = null; - }; - }; } ) ); @@ -112,10 +123,6 @@ in config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.tvix ]; - users.users.tvix-castore = { - isSystemUser = true; - group = "tvix-castore"; - }; users.groups.tvix-castore = { }; systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ]; @@ -129,12 +136,12 @@ in }; serviceConfig = { UMask = "007"; - #ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/tvix-castore/socket\""; ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\""; StateDirectory = "tvix-daemon-${cache.name}"; RuntimeDirectory = "tvix-daemon-${cache.name}"; - User = "tvix-castore"; + DynamicUser = true; Group = "tvix-castore"; + ReadWritePaths = cfg.castoreDir; } // systemdHardening; }; "narbridge-${cache.name}" = { 
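Review bot: `DynamicUser = true`, `Group = "tvix-castore"` and `ReadWritePaths = cfg.castoreDir` are now repeated verbatim in the daemon unit here and in the `narbridge-${cache.name}` unit in the last hunk; a second shared attrset next to `systemdHardening` (say `castoreAccess`) merged with `//` would keep the two units from drifting, for instance if `ReadWritePaths` ever has to become a list. Sharing `cfg.castoreDir` between two distinct dynamic UIDs relies entirely on the `770 root tvix-castore` tmpfiles rule from the previous hunk and the `UMask = "007"` already on this unit, so that dependency deserves a one-line comment at the hoisted set, e.g. `# both units get a fresh dynamic UID; castoreDir is shared only via group tvix-castore + UMask 007`. The `systemd.services` attrset continues outside the hunk.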
@@ -146,9 +153,10 @@ in }; serviceConfig = { ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\""; - User = "tvix-castore"; + DynamicUser = true; Group = "tvix-castore"; RuntimeDirectory = "narbridge-${cache.name}"; + ReadWritePaths = cfg.castoreDir; } // systemdHardening; };
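Review bot: The nar-bridge `serviceConfig` gains `ReadWritePaths = cfg.castoreDir` but, unlike the daemon unit, sets no `UMask = "007"`; anything nar-bridge creates under castoreDir would then be created with the default umask, and the daemon (a different dynamic UID, sharing only group `tvix-castore`) could not write those files. Either add `UMask = "007";` here as well, or, if nar-bridge only reaches the store through the gRPC `pathinfoservices` URL from the earlier hunk and `common-composition` (not visible here) points nothing at castoreDir, tighten this to `ReadOnlyPaths = cfg.castoreDir;` or drop the entry — it should not hold write access it does not use. Only part of `systemdHardening` is visible, so this assumes it does not set UMask itself. The enclosing `systemd.services` attrset ends outside the hunk.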