peerix/module.nix

{ lib, config, pkgs, ... }:
let
  cfg = config.services.peerix;

  peerix = pkgs.callPackage ./default.nix {};
in
{
  options = with lib; {
    services.peerix = {
      enable = lib.mkEnableOption "peerix";

      openFirewall = lib.mkOption {
        type = types.bool;
        default = true;
        description = ''
          Defines whether or not firewall ports should be opened for it.
        '';
      };

      privateKeyFile = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          The private key to sign the derivations with.
        '';
      }; 

      publicKeyFile = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          The private key to sign the derivations with.
        '';
      };

      user = lib.mkOption {
        type = with types; oneOf [ str int ];
        default = "nobody";
        description = ''
          The user the service will use.
        '';
      };

      group = lib.mkOption {
        type = with types; oneOf [ str int ];
        default = "nobody";
        description = ''
          The user the service will use.
        '';
      };
    };
  };

  config = lib.mkIf (cfg.enable) {
    systemd.services.peerix = {
      description = "Local p2p nix caching daemon";
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        Type = "simple";

        User = cfg.user;
        Group = cfg.group;

        PrivateMounts = true;
        # PrivateDevices = true;
        # PrivateTmp = true;
        # PrivateIPC = true;
        # PrivateUsers = true;

        # SystemCallFilters = [
        #   "@aio"
        #   "@basic-io"
        #   "@file-system"
        #   "@io-event"
        #   "@process"
        #   "@network-io"
        #   "@timer"
        #   "@signal"
        #   "@alarm"
        # ];
        # SystemCallErrorNumber = "EPERM";

        # ProtectSystem = "full";
        # ProtectHome = true;
        # ProtectHostname = true;
        # ProtectClock = true;
        # ProtectKernelTunables = true;
        # ProtectKernelModules = true;
        # ProtectKernelLogs = true;
        # ProtectControlGroups = true;
        # RestrictNamespaces = "";

        NoNewPrivileges = true;
        ReadOnlyPaths = lib.mkMerge [
          ([
            "/nix/var"
            "/nix/store"
          ])

          (lib.mkIf (cfg.privateKeyFile != null) [
            (toString cfg.privateKeyFile)
          ])
        ];
        ExecPaths = [
          "/nix/store"
        ];
        Environment = lib.mkIf (cfg.privateKeyFile != null) [
          "NIX_SECRET_KEY_FILE=${toString cfg.privateKeyFile}"
        ];
      };
      script = ''
        exec ${peerix}/bin/peerix
      '';
    };

    nix = {
      binaryCaches = [
        "http://127.0.0.1:12304/"
      ];
      binaryCachePublicKeys = lib.mkIf (cfg.publicKeyFile != null) [
        (builtins.readFile cfg.publicKeyFile)
      ];
    };

    networking.firewall = lib.mkIf (cfg.openFirewall) {
      allowedTCPPorts = [ 12304 ];
      allowedUDPPorts = [ 12304 ];
    };
  };
}
Implement modules. 2021-10-17 06:01:40 -04:00			`{ lib, config, pkgs, ... }:`
			`let`
			`cfg = config.services.peerix;`

			`peerix = pkgs.callPackage ./default.nix {};`
			`in`
			`{`
			`options = with lib; {`
			`services.peerix = {`
			`enable = lib.mkEnableOption "peerix";`

			`openFirewall = lib.mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Defines whether or not firewall ports should be opened for it.`
			`'';`
			`};`

			`privateKeyFile = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`The private key to sign the derivations with.`
			`'';`
			`};`

			`publicKeyFile = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`The private key to sign the derivations with.`
			`'';`
			`};`

			`user = lib.mkOption {`
			`type = with types; oneOf [ str int ];`
			`default = "nobody";`
			`description = ''`
			`The user the service will use.`
			`'';`
			`};`

			`group = lib.mkOption {`
			`type = with types; oneOf [ str int ];`
			`default = "nobody";`
			`description = ''`
			`The user the service will use.`
			`'';`
			`};`
			`};`
			`};`

			`config = lib.mkIf (cfg.enable) {`
			`systemd.services.peerix = {`
			`description = "Local p2p nix caching daemon";`
			`wantedBy = ["multi-user.target"];`
			`serviceConfig = {`
			`Type = "simple";`

			`User = cfg.user;`
			`Group = cfg.group;`

			`PrivateMounts = true;`
Let's disable some security. 2021-10-17 08:05:45 -04:00			`# PrivateDevices = true;`
			`# PrivateTmp = true;`
			`# PrivateIPC = true;`
			`# PrivateUsers = true;`
Implement modules. 2021-10-17 06:01:40 -04:00
Let's disable some security. 2021-10-17 08:05:45 -04:00			`# SystemCallFilters = [`
			`# "@aio"`
			`# "@basic-io"`
			`# "@file-system"`
			`# "@io-event"`
			`# "@process"`
			`# "@network-io"`
			`# "@timer"`
			`# "@signal"`
			`# "@alarm"`
			`# ];`
			`# SystemCallErrorNumber = "EPERM";`
Implement modules. 2021-10-17 06:01:40 -04:00
Let's disable some security. 2021-10-17 08:05:45 -04:00			`# ProtectSystem = "full";`
			`# ProtectHome = true;`
			`# ProtectHostname = true;`
			`# ProtectClock = true;`
			`# ProtectKernelTunables = true;`
			`# ProtectKernelModules = true;`
			`# ProtectKernelLogs = true;`
			`# ProtectControlGroups = true;`
			`# RestrictNamespaces = "";`
Implement modules. 2021-10-17 06:01:40 -04:00
			`NoNewPrivileges = true;`
fucking typos. 2021-10-17 06:43:52 -04:00			`ReadOnlyPaths = lib.mkMerge [`
Implement modules. 2021-10-17 06:01:40 -04:00			`([`
			`"/nix/var"`
			`"/nix/store"`
			`])`

Fix wrong name. 2021-10-17 06:34:40 -04:00			`(lib.mkIf (cfg.privateKeyFile != null) [`
			`(toString cfg.privateKeyFile)`
and even more. 2021-10-17 06:46:25 -04:00			`])`
Implement modules. 2021-10-17 06:01:40 -04:00			`];`
			`ExecPaths = [`
			`"/nix/store"`
			`];`
Fix wrong name. 2021-10-17 06:34:40 -04:00			`Environment = lib.mkIf (cfg.privateKeyFile != null) [`
			`"NIX_SECRET_KEY_FILE=${toString cfg.privateKeyFile}"`
Implement modules. 2021-10-17 06:01:40 -04:00			`];`
			`};`
			`script = ''`
			`exec ${peerix}/bin/peerix`
			`'';`
			`};`

			`nix = {`
			`binaryCaches = [`
			`"http://127.0.0.1:12304/"`
			`];`
Fix wrong name. 2021-10-17 06:34:40 -04:00			`binaryCachePublicKeys = lib.mkIf (cfg.publicKeyFile != null) [`
			`(builtins.readFile cfg.publicKeyFile)`
Implement modules. 2021-10-17 06:01:40 -04:00			`];`
			`};`

			`networking.firewall = lib.mkIf (cfg.openFirewall) {`
			`allowedTCPPorts = [ 12304 ];`
			`allowedUDPPorts = [ 12304 ];`
			`};`
			`};`
			`}`