peerix/module.nix

{ lib, config, pkgs, ... }:
let
  cfg = config.services.peerix;
in
{
  options = with lib; {
    services.peerix = {
      enable = lib.mkEnableOption "peerix";

      openFirewall = lib.mkOption {
        type = types.bool;
        default = true;
        description = ''
          Defines whether or not firewall ports should be opened for it.
        '';
      };

      privateKeyFile = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          File containing the private key to sign the derivations with.
        '';
      };

      publicKeyFile = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          File containing the public key to sign the derivations with.
        '';
      };

      publicKey = lib.mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          The public key to sign the derivations with.
        '';
      };

      user = lib.mkOption {
        type = with types; oneOf [ str int ];
        default = "nobody";
        description = ''
          The user the service will use.
        '';
      };

      group = lib.mkOption {
        type = with types; oneOf [ str int ];
        default = "nobody";
        description = ''
          The user the service will use.
        '';
      };

      globalCacheTTL = lib.mkOption {
        type = types.nullOr types.int;
        default = null;
        description = ''
          How long should nix store narinfo files.

          If not defined, the module will not reconfigure the entry.
          If it is defined, this will define how many seconds a cache entry will
          be stored.

          By default not given, as it affects the UX of the nix installation.
        '';
      };

      package = mkOption {
        type = types.package;
        default = (import ./default.nix).default or pkgs.peerix;
        defaultText = literalExpression "pkgs.peerix";
        description = "The package to use for peerix";
      };
    };
  };

  config = lib.mkIf (cfg.enable) {
    systemd.services.peerix = {
      enable = true;
      description = "Local p2p nix caching daemon";
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        Type = "simple";

        User = cfg.user;
        Group = cfg.group;

        PrivateMounts = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateIPC = true;
        PrivateUsers = true;

        SystemCallFilters = [
          "@aio"
          "@basic-io"
          "@file-system"
          "@io-event"
          "@process"
          "@network-io"
          "@timer"
          "@signal"
          "@alarm"
        ];
        SystemCallErrorNumber = "EPERM";

        ProtectSystem = "full";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictNamespaces = "";

        NoNewPrivileges = true;
        ReadOnlyPaths = lib.mkMerge [
          ([
            "/nix/var"
            "/nix/store"
          ])

          (lib.mkIf (cfg.privateKeyFile != null) [
            cfg.privateKeyFile
          ])
        ];
        ExecPaths = [
          "/nix/store"
        ];
        Environment = lib.mkIf (cfg.privateKeyFile != null) [
          "NIX_SECRET_KEY_FILE=${cfg.privateKeyFile}"
        ];
      };
      script = ''
        exec ${cfg.package}/bin/peerix
      '';
    };

    nix = {
      settings = {
        substituters = [
          "http://127.0.0.1:12304/"
        ];
        trusted-public-keys = [
          (lib.mkIf (cfg.publicKeyFile != null) (builtins.readFile cfg.publicKeyFile))
          (lib.mkIf (cfg.publicKey != null) cfg.publicKey)
        ];
      };
      extraOptions = lib.mkIf (cfg.globalCacheTTL != null) ''
        narinfo-cache-negative-ttl = ${toString cfg.globalCacheTTL}
        narinfo-cache-positive-ttl = ${toString cfg.globalCacheTTL}
      '';
    };

    networking.firewall = lib.mkIf (cfg.openFirewall) {
      allowedTCPPorts = [ 12304 ];
      allowedUDPPorts = [ 12304 ];
    };
  };
}
Implement modules. 2021-10-17 06:01:40 -04:00			`{ lib, config, pkgs, ... }:`
			`let`
			`cfg = config.services.peerix;`
			`in`
			`{`
			`options = with lib; {`
			`services.peerix = {`
			`enable = lib.mkEnableOption "peerix";`

			`openFirewall = lib.mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Defines whether or not firewall ports should be opened for it.`
			`'';`
			`};`

			`privateKeyFile = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
allows for specifying the public key directly This makes it possible to use in pure mode 2021-10-23 10:57:55 -04:00			`File containing the private key to sign the derivations with.`
Implement modules. 2021-10-17 06:01:40 -04:00			`'';`
update nix options to silence warning 2022-07-14 00:02:15 -04:00			`};`
Implement modules. 2021-10-17 06:01:40 -04:00
			`publicKeyFile = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
allows for specifying the public key directly This makes it possible to use in pure mode 2021-10-23 10:57:55 -04:00			`File containing the public key to sign the derivations with.`
			`'';`
			`};`

			`publicKey = lib.mkOption {`
fix: change publicKey type to string 2021-10-31 21:28:01 -04:00			`type = types.nullOr types.str;`
allows for specifying the public key directly This makes it possible to use in pure mode 2021-10-23 10:57:55 -04:00			`default = null;`
			`description = ''`
			`The public key to sign the derivations with.`
Implement modules. 2021-10-17 06:01:40 -04:00			`'';`
			`};`

			`user = lib.mkOption {`
			`type = with types; oneOf [ str int ];`
			`default = "nobody";`
			`description = ''`
			`The user the service will use.`
			`'';`
			`};`

			`group = lib.mkOption {`
			`type = with types; oneOf [ str int ];`
			`default = "nobody";`
			`description = ''`
			`The user the service will use.`
			`'';`
			`};`
Improve UI. 2021-10-18 08:50:16 -04:00
			`globalCacheTTL = lib.mkOption {`
			`type = types.nullOr types.int;`
			`default = null;`
			`description = ''`
			`How long should nix store narinfo files.`

			`If not defined, the module will not reconfigure the entry.`
			`If it is defined, this will define how many seconds a cache entry will`
			`be stored.`

			`By default not given, as it affects the UX of the nix installation.`
			`'';`
Fix typo. 2021-10-18 08:55:07 -04:00			`};`
add overlay 2021-10-31 21:18:12 -04:00
			`package = mkOption {`
			`type = types.package;`
			`default = (import ./default.nix).default or pkgs.peerix;`
			`defaultText = literalExpression "pkgs.peerix";`
			`description = "The package to use for peerix";`
			`};`
Implement modules. 2021-10-17 06:01:40 -04:00			`};`
			`};`

			`config = lib.mkIf (cfg.enable) {`
			`systemd.services.peerix = {`
Autostart peerix. 2021-10-18 09:29:00 -04:00			`enable = true;`
Implement modules. 2021-10-17 06:01:40 -04:00			`description = "Local p2p nix caching daemon";`
			`wantedBy = ["multi-user.target"];`
			`serviceConfig = {`
			`Type = "simple";`

			`User = cfg.user;`
			`Group = cfg.group;`

Reenable security again. 2021-10-17 09:03:26 -04:00			`PrivateMounts = true;`
			`PrivateDevices = true;`
			`PrivateTmp = true;`
			`PrivateIPC = true;`
			`PrivateUsers = true;`
Implement modules. 2021-10-17 06:01:40 -04:00
Reenable security again. 2021-10-17 09:03:26 -04:00			`SystemCallFilters = [`
			`"@aio"`
			`"@basic-io"`
			`"@file-system"`
			`"@io-event"`
			`"@process"`
			`"@network-io"`
			`"@timer"`
			`"@signal"`
			`"@alarm"`
			`];`
			`SystemCallErrorNumber = "EPERM";`
Implement modules. 2021-10-17 06:01:40 -04:00
Reenable security again. 2021-10-17 09:03:26 -04:00			`ProtectSystem = "full";`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectClock = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelLogs = true;`
			`ProtectControlGroups = true;`
			`RestrictNamespaces = "";`
Implement modules. 2021-10-17 06:01:40 -04:00
Reenable security again. 2021-10-17 09:03:26 -04:00			`NoNewPrivileges = true;`
			`ReadOnlyPaths = lib.mkMerge [`
			`([`
			`"/nix/var"`
			`"/nix/store"`
			`])`
Implement modules. 2021-10-17 06:01:40 -04:00
Reenable security again. 2021-10-17 09:03:26 -04:00			`(lib.mkIf (cfg.privateKeyFile != null) [`
module: Fix pkgs.callPackage not neccessary. 2021-10-29 17:32:38 -04:00			`cfg.privateKeyFile`
Reenable security again. 2021-10-17 09:03:26 -04:00			`])`
			`];`
			`ExecPaths = [`
			`"/nix/store"`
			`];`
Fix wrong name. 2021-10-17 06:34:40 -04:00			`Environment = lib.mkIf (cfg.privateKeyFile != null) [`
module: Fix pkgs.callPackage not neccessary. 2021-10-29 17:32:38 -04:00			`"NIX_SECRET_KEY_FILE=${cfg.privateKeyFile}"`
Implement modules. 2021-10-17 06:01:40 -04:00			`];`
			`};`
			`script = ''`
add overlay 2021-10-31 21:18:12 -04:00			`exec ${cfg.package}/bin/peerix`
Implement modules. 2021-10-17 06:01:40 -04:00			`'';`
			`};`

			`nix = {`
update nix options to silence warning 2022-07-14 00:02:15 -04:00			`settings = {`
			`substituters = [`
			`"http://127.0.0.1:12304/"`
			`];`
			`trusted-public-keys = [`
			`(lib.mkIf (cfg.publicKeyFile != null) (builtins.readFile cfg.publicKeyFile))`
			`(lib.mkIf (cfg.publicKey != null) cfg.publicKey)`
			`];`
			`};`
Improve UI. 2021-10-18 08:50:16 -04:00			`extraOptions = lib.mkIf (cfg.globalCacheTTL != null) ''`
ffs 2021-10-18 09:09:07 -04:00			`narinfo-cache-negative-ttl = ${toString cfg.globalCacheTTL}`
			`narinfo-cache-positive-ttl = ${toString cfg.globalCacheTTL}`
Improve UI. 2021-10-18 08:50:16 -04:00			`'';`
Implement modules. 2021-10-17 06:01:40 -04:00			`};`

			`networking.firewall = lib.mkIf (cfg.openFirewall) {`
			`allowedTCPPorts = [ 12304 ];`
			`allowedUDPPorts = [ 12304 ];`
			`};`
			`};`
			`}`