nixos: Match nixpkgs formatting
Co-authored-by: Adam Stephens <adam@valkor.net>
This commit is contained in:
parent
b3a76bc237
commit
7ffcf2d138
1 changed files with 117 additions and 93 deletions
210
nixos/atticd.nix
210
nixos/atticd.nix
|
@ -1,4 +1,9 @@
|
||||||
{ lib, pkgs, config, ... }:
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -11,16 +16,19 @@ let
|
||||||
|
|
||||||
format = pkgs.formats.toml { };
|
format = pkgs.formats.toml { };
|
||||||
|
|
||||||
checkedConfigFile = pkgs.runCommand "checked-attic-server.toml" {
|
checkedConfigFile =
|
||||||
configFile = cfg.configFile;
|
pkgs.runCommand "checked-attic-server.toml"
|
||||||
} ''
|
{
|
||||||
cat $configFile
|
configFile = cfg.configFile;
|
||||||
|
}
|
||||||
|
''
|
||||||
|
cat $configFile
|
||||||
|
|
||||||
export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="dGVzdCBzZWNyZXQ="
|
export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="dGVzdCBzZWNyZXQ="
|
||||||
export ATTIC_SERVER_DATABASE_URL="sqlite://:memory:"
|
export ATTIC_SERVER_DATABASE_URL="sqlite://:memory:"
|
||||||
${cfg.package}/bin/atticd --mode check-config -f $configFile
|
${cfg.package}/bin/atticd --mode check-config -f $configFile
|
||||||
cat <$configFile >$out
|
cat <$configFile >$out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
atticadmShim = pkgs.writeShellScript "atticadm" ''
|
atticadmShim = pkgs.writeShellScript "atticadm" ''
|
||||||
if [ -n "$ATTICADM_PWD" ]; then
|
if [ -n "$ATTICADM_PWD" ]; then
|
||||||
|
@ -51,29 +59,25 @@ let
|
||||||
${atticadmShim} "$@"
|
${atticadmShim} "$@"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
hasLocalPostgresDB = let
|
hasLocalPostgresDB =
|
||||||
url = cfg.settings.database.url or "";
|
let
|
||||||
localStrings = [ "localhost" "127.0.0.1" "/run/postgresql" ];
|
url = cfg.settings.database.url or "";
|
||||||
hasLocalStrings = lib.any (lib.flip lib.hasInfix url) localStrings;
|
localStrings = [
|
||||||
in config.services.postgresql.enable && lib.hasPrefix "postgresql://" url && hasLocalStrings;
|
"localhost"
|
||||||
|
"127.0.0.1"
|
||||||
|
"/run/postgresql"
|
||||||
|
];
|
||||||
|
hasLocalStrings = lib.any (lib.flip lib.hasInfix url) localStrings;
|
||||||
|
in
|
||||||
|
config.services.postgresql.enable && lib.hasPrefix "postgresql://" url && hasLocalStrings;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
services.atticd = {
|
services.atticd = {
|
||||||
enable = lib.mkOption {
|
enable = lib.mkEnableOption "the atticd, the Nix Binary Cache server";
|
||||||
description = ''
|
|
||||||
Whether to enable the atticd, the Nix Binary Cache server.
|
package = lib.mkPackageOption pkgs "attic-server" { };
|
||||||
'';
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
package = lib.mkOption {
|
|
||||||
description = ''
|
|
||||||
The package to use.
|
|
||||||
'';
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.attic-server;
|
|
||||||
};
|
|
||||||
credentialsFile = lib.mkOption {
|
credentialsFile = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Path to an EnvironmentFile containing required environment
|
Path to an EnvironmentFile containing required environment
|
||||||
|
@ -85,6 +89,7 @@ in
|
||||||
type = types.nullOr types.path;
|
type = types.nullOr types.path;
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
user = lib.mkOption {
|
user = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
The group under which attic runs.
|
The group under which attic runs.
|
||||||
|
@ -92,6 +97,7 @@ in
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "atticd";
|
default = "atticd";
|
||||||
};
|
};
|
||||||
|
|
||||||
group = lib.mkOption {
|
group = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
The user under which attic runs.
|
The user under which attic runs.
|
||||||
|
@ -99,13 +105,15 @@ in
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "atticd";
|
default = "atticd";
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = lib.mkOption {
|
settings = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Structured configurations of atticd.
|
Structured configurations of atticd.
|
||||||
'';
|
'';
|
||||||
type = format.type;
|
type = format.type;
|
||||||
default = {}; # setting defaults here does not compose well
|
default = { }; # setting defaults here does not compose well
|
||||||
};
|
};
|
||||||
|
|
||||||
configFile = lib.mkOption {
|
configFile = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Path to an existing atticd configuration file.
|
Path to an existing atticd configuration file.
|
||||||
|
@ -131,7 +139,11 @@ in
|
||||||
|
|
||||||
There are several other supported modes that perform one-off operations, but these are the only ones that make sense to run via the NixOS module.
|
There are several other supported modes that perform one-off operations, but these are the only ones that make sense to run via the NixOS module.
|
||||||
'';
|
'';
|
||||||
type = lib.types.enum ["monolithic" "api-server" "garbage-collector"];
|
type = lib.types.enum [
|
||||||
|
"monolithic"
|
||||||
|
"api-server"
|
||||||
|
"garbage-collector"
|
||||||
|
];
|
||||||
default = "monolithic";
|
default = "monolithic";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -146,77 +158,89 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = lib.mkIf (cfg.enable) (lib.mkMerge [
|
|
||||||
{
|
|
||||||
assertions = [
|
|
||||||
{
|
|
||||||
assertion = cfg.credentialsFile != null;
|
|
||||||
message = ''
|
|
||||||
<option>services.atticd.credentialsFile</option> is not set.
|
|
||||||
|
|
||||||
Run `openssl genrsa -traditional -out private_key.pem 4096 | base64 -w0` and create a file with the following contents:
|
config = lib.mkIf cfg.enable {
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = cfg.credentialsFile != null;
|
||||||
|
message = ''
|
||||||
|
<option>services.atticd.credentialsFile</option> is not set.
|
||||||
|
|
||||||
ATTIC_SERVER_TOKEN_RS256_SECRET="output from command"
|
Run `openssl genrsa -traditional -out private_key.pem 4096 | base64 -w0` and create a file with the following contents:
|
||||||
|
|
||||||
Then, set `services.atticd.credentialsFile` to the quoted absolute path of the file.
|
ATTIC_SERVER_TOKEN_RS256_SECRET="output from command"
|
||||||
'';
|
|
||||||
}
|
|
||||||
{
|
|
||||||
assertion = !lib.isStorePath cfg.credentialsFile;
|
|
||||||
message = ''
|
|
||||||
<option>services.atticd.credentialsFile</option> points to a path in the Nix store. The Nix store is globally readable.
|
|
||||||
|
|
||||||
You should use a quoted absolute path to prevent this.
|
Then, set `services.atticd.credentialsFile` to the quoted absolute path of the file.
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
assertion = !lib.isStorePath cfg.credentialsFile;
|
||||||
|
message = ''
|
||||||
|
<option>services.atticd.credentialsFile</option> points to a path in the Nix store. The Nix store is globally readable.
|
||||||
|
|
||||||
|
You should use a quoted absolute path to prevent this.
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.atticd.settings = {
|
||||||
|
database.url = lib.mkDefault "sqlite:///var/lib/atticd/server.db?mode=rwc";
|
||||||
|
|
||||||
|
# "storage" is internally tagged
|
||||||
|
# if the user sets something the whole thing must be replaced
|
||||||
|
storage = lib.mkDefault {
|
||||||
|
type = "local";
|
||||||
|
path = "/var/lib/atticd/storage";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.atticd = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ] ++ lib.optionals hasLocalPostgresDB [
|
||||||
|
"postgresql.service"
|
||||||
|
"nss-lookup.target"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.atticd.settings = {
|
serviceConfig = {
|
||||||
database.url = lib.mkDefault "sqlite:///var/lib/atticd/server.db?mode=rwc";
|
ExecStart = "${cfg.package}/bin/atticd -f ${checkedConfigFile} --mode ${cfg.mode}";
|
||||||
|
EnvironmentFile = cfg.credentialsFile;
|
||||||
|
StateDirectory = "atticd"; # for usage with local storage and sqlite
|
||||||
|
DynamicUser = true;
|
||||||
|
User = cfg.user;
|
||||||
|
Group = cfg.group;
|
||||||
|
Restart = "on-failure";
|
||||||
|
RestartSec = 10;
|
||||||
|
|
||||||
# "storage" is internally tagged
|
ProtectHome = true;
|
||||||
# if the user sets something the whole thing must be replaced
|
ProtectHostname = true;
|
||||||
storage = lib.mkDefault {
|
ProtectKernelLogs = true;
|
||||||
type = "local";
|
ProtectKernelModules = true;
|
||||||
path = "/var/lib/atticd/storage";
|
ProtectKernelTunables = true;
|
||||||
};
|
ProtectProc = "invisible";
|
||||||
};
|
ProtectSystem = "strict";
|
||||||
|
ReadWritePaths =
|
||||||
systemd.services.atticd = {
|
let
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "network.target" ]
|
|
||||||
++ lib.optionals hasLocalPostgresDB [ "postgresql.service" "nss-lookup.target" ];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${cfg.package}/bin/atticd -f ${checkedConfigFile} --mode ${cfg.mode}";
|
|
||||||
EnvironmentFile = cfg.credentialsFile;
|
|
||||||
StateDirectory = "atticd"; # for usage with local storage and sqlite
|
|
||||||
DynamicUser = true;
|
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = 10;
|
|
||||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
ReadWritePaths = let
|
|
||||||
path = cfg.settings.storage.path;
|
path = cfg.settings.storage.path;
|
||||||
isDefaultStateDirectory = path == "/var/lib/atticd" || lib.hasPrefix "/var/lib/atticd/" path;
|
isDefaultStateDirectory = path == "/var/lib/atticd" || lib.hasPrefix "/var/lib/atticd/" path;
|
||||||
in lib.optionals (cfg.settings.storage.type or "" == "local" && !isDefaultStateDirectory) [ path ];
|
in
|
||||||
};
|
lib.optionals (cfg.settings.storage.type or "" == "local" && !isDefaultStateDirectory) [ path ];
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_UNIX"
|
||||||
|
];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
environment.systemPackages = [ atticadmWrapper ];
|
environment.systemPackages = [
|
||||||
}
|
atticadmWrapper
|
||||||
(lib.mkIf cfg.useFlakeCompatOverlay {
|
];
|
||||||
nixpkgs.overlays = [ overlay ];
|
|
||||||
})
|
nixpkgs.overlays = lib.mkIf cfg.useFlakeCompatOverlay [
|
||||||
]);
|
overlay
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
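Review bot: The `checkedConfigFile` derivation exports a hard-coded `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` value and an in-memory SQLite URL with no comment, so a reader can mistake the literal for a real secret baked into the Nix store. A comment above the two `export` lines would settle that, for example `# Dummy credentials and database URL so "atticd --mode check-config" can validate the TOML at build time; the runtime secret comes from credentialsFile via EnvironmentFile, never from this derivation.` The assertion message further down tells users to provide `ATTIC_SERVER_TOKEN_RS256_SECRET` while the build-time check is satisfied with the HS256 variable; if check-config accepts either variant the comment should say so, otherwise the two should be reconciled. Both spots are reformatted but semantically unchanged by this commit, so the point is documentation rather than a regression.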