fix(module): reenable dynamicuser

This commit is contained in:
Yureka 2024-07-22 01:29:25 +02:00
parent fb64fb1eea
commit 9dcfcbf178


@ -14,7 +14,7 @@ let
ProtectKernelTunables = true; ProtectKernelTunables = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
#ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
PrivateUsers = true; PrivateUsers = true;
@ -38,6 +38,25 @@ in
lib.types.submodule ( lib.types.submodule (
{ name, ... }@cacheAttrs: { name, ... }@cacheAttrs:
{ {
options = {
grpcListenAddress = lib.mkOption { type = lib.types.str; };
narBridgeListenAddress = lib.mkOption { type = lib.types.str; };
nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };
tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };
name = lib.mkOption {
type = lib.types.str;
description = "Name of the cache";
default = name;
defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";
};
remote-path-info-service-addr = lib.mkOption {
type = with lib.types; nullOr str;
description = "Upstream cache to substitute from if nothing in ";
example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
default = null;
};
};
config = config =
let let
common-composition = { common-composition = {
@ -72,7 +91,18 @@ in
nar-bridge-composition = lib.recursiveUpdate common-composition { nar-bridge-composition = lib.recursiveUpdate common-composition {
pathinfoservices.default = { pathinfoservices.default = {
type = "grpc"; type = "grpc";
url = "grpc+http://${cacheAttrs.config.grpcListenAddress}"; url = "grpc+http://${
lib.replaceStrings
[
"[::]"
"0.0.0.0"
]
[
"[::1]"
"127.0.0.1"
]
cacheAttrs.config.grpcListenAddress
}";
}; };
}; };
tvix-daemon-composition = lib.recursiveUpdate common-composition { tvix-daemon-composition = lib.recursiveUpdate common-composition {
@ -83,25 +113,6 @@ in
}; };
}; };
}; };
options = {
grpcListenAddress = lib.mkOption { type = lib.types.str; };
narBridgeListenAddress = lib.mkOption { type = lib.types.str; };
nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };
tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };
name = lib.mkOption {
type = lib.types.str;
description = "Name of the cache";
default = name;
defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";
};
remote-path-info-service-addr = lib.mkOption {
type = with lib.types; nullOr str;
description = "Upstream cache to substitute from if nothing in ";
example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
default = null;
};
};
} }
) )
); );
@ -112,10 +123,6 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tvix ]; environment.systemPackages = [ pkgs.tvix ];
users.users.tvix-castore = {
isSystemUser = true;
group = "tvix-castore";
};
users.groups.tvix-castore = { }; users.groups.tvix-castore = { };
systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ]; systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ];
@ -129,12 +136,12 @@ in
}; };
serviceConfig = { serviceConfig = {
UMask = "007"; UMask = "007";
#ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/tvix-castore/socket\"";
ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\""; ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\"";
StateDirectory = "tvix-daemon-${cache.name}"; StateDirectory = "tvix-daemon-${cache.name}";
RuntimeDirectory = "tvix-daemon-${cache.name}"; RuntimeDirectory = "tvix-daemon-${cache.name}";
User = "tvix-castore"; DynamicUser = true;
Group = "tvix-castore"; Group = "tvix-castore";
ReadWritePaths = cfg.castoreDir;
} // systemdHardening; } // systemdHardening;
}; };
"narbridge-${cache.name}" = { "narbridge-${cache.name}" = {
@ -146,9 +153,10 @@ in
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\""; ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\"";
User = "tvix-castore"; DynamicUser = true;
Group = "tvix-castore"; Group = "tvix-castore";
RuntimeDirectory = "narbridge-${cache.name}"; RuntimeDirectory = "narbridge-${cache.name}";
ReadWritePaths = cfg.castoreDir;
} // systemdHardening; } // systemdHardening;
}; };
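Review bot: In the tvix-daemon serviceConfig hunk, `DynamicUser = true` replaces the static `User`, yet the unit's write access to castoreDir now rests entirely on the kept `Group = "tvix-castore"` matching the `d ${cfg.castoreDir} 770 root tvix-castore -` tmpfiles rule, a coupling that is easy to break later and deserves a comment beside `Group`, e.g. `# castoreDir is root:tvix-castore 770 (tmpfiles rule above); group membership is what grants the dynamic user write access`. The new `ReadWritePaths = cfg.castoreDir` is required because the first hunk re-enables `ProtectSystem = "strict"` (which `DynamicUser` also implies), so a one-line comment stating that would keep the two from being "cleaned up" independently. The same `ReadWritePaths = cfg.castoreDir` is added to the narbridge unit; if nar-bridge reaches the store only through the gRPC URL built from `grpcListenAddress`, it does not need direct write access to castoreDir and the entry could be dropped or narrowed to `ReadOnlyPaths` — confirm against what nar-bridge actually opens. These hunks are rendered side by side on the page, so the old/new assignment above is inferred from the hunk counts.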