+1 -1

crane.nix

reviewed

··· 24 24 let 25 25 version = "0.1.0"; 26 26 27 27 - ignoredPaths = [ ".github" "target" "book" ]; 27 27 + ignoredPaths = [ ".github" "target" "book" "nixos" ]; 28 28 29 29 src = lib.cleanSourceWith { 30 30 filter = name: type: !(type == "directory" && builtins.elem (baseNameOf name) ignoredPaths);

+14

flake.nix

reviewed

··· 115 115 inherit (cranePkgs) attic attic-client attic-server; 116 116 }; 117 117 }; 118 118 + 119 119 + nixosModules = { 120 120 + atticd = { 121 121 + imports = [ 122 122 + ./nixos/atticd.nix 123 123 + ]; 124 124 + 125 125 + services.atticd.useFlakeCompatOverlay = false; 126 126 + 127 127 + nixpkgs.overlays = [ 128 128 + self.overlays.default 129 129 + ]; 130 130 + }; 131 131 + }; 118 132 }; 119 133 }

+138

nixos/atticd.nix

reviewed

··· 1 1 + { lib, pkgs, config, ... }: 2 2 + 3 3 + let 4 4 + inherit (lib) types; 5 5 + 6 6 + cfg = config.services.atticd; 7 7 + 8 8 + # unused when the entrypoint is flake 9 9 + flake = import ../flake-compat.nix; 10 10 + overlay = flake.defaultNix.overlays.default; 11 11 + 12 12 + format = pkgs.formats.toml { }; 13 13 + 14 14 + checkedConfigFile = pkgs.runCommand "checked-attic-server.toml" { 15 15 + configFile = cfg.configFile; 16 16 + } '' 17 17 + cat $configFile 18 18 + 19 19 + export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="dGVzdCBzZWNyZXQ=" 20 20 + ${cfg.package}/bin/atticd --mode check-config -f $configFile 21 21 + cat <$configFile >$out 22 22 + ''; 23 23 + 24 24 + hasLocalPostgresDB = let 25 25 + url = cfg.settings.database.url; 26 26 + localStrings = [ "localhost" "127.0.0.1" "/run/postgresql" ]; 27 27 + hasLocalStrings = lib.any (lib.flip lib.hasInfix url) localStrings; 28 28 + in config.services.postgresql.enable && lib.hasPrefix "postgresql://" url && hasLocalStrings; 29 29 + in 30 30 + { 31 31 + options = { 32 32 + services.atticd = { 33 33 + enable = lib.mkOption { 34 34 + description = '' 35 35 + Whether to enable the atticd, the Nix Binary Cache server. 36 36 + ''; 37 37 + type = types.bool; 38 38 + default = false; 39 39 + }; 40 40 + package = lib.mkOption { 41 41 + description = '' 42 42 + The package to use. 43 43 + ''; 44 44 + type = types.package; 45 45 + default = pkgs.attic-server; 46 46 + }; 47 47 + credentialsFile = lib.mkOption { 48 48 + description = '' 49 49 + Path to an EnvironmentFile containing required environment 50 50 + variables: 51 51 + 52 52 + - ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64: The Base64-encoded version of the 53 53 + HS256 JWT secret. 54 54 + ''; 55 55 + type = types.path; 56 56 + }; 57 57 + settings = lib.mkOption { 58 58 + description = '' 59 59 + Structured configurations of atticd. 60 60 + ''; 61 61 + type = format.type; 62 62 + default = {}; # setting defaults here does not compose well 63 63 + }; 64 64 + configFile = lib.mkOption { 65 65 + description = '' 66 66 + Path to an existing atticd configuration file. 67 67 + 68 68 + By default, it's generated from `services.atticd.settings`. 69 69 + ''; 70 70 + type = types.path; 71 71 + default = format.generate "server.toml" cfg.settings; 72 72 + defaultText = "generated from `services.atticd.settings`"; 73 73 + }; 74 74 + 75 75 + # Internal flags 76 76 + useFlakeCompatOverlay = lib.mkOption { 77 77 + description = '' 78 78 + Whether to insert the overlay with flake-compat. 79 79 + ''; 80 80 + type = types.bool; 81 81 + internal = true; 82 82 + default = true; 83 83 + }; 84 84 + }; 85 85 + }; 86 86 + config = lib.mkIf (cfg.enable) (lib.mkMerge [ 87 87 + { 88 88 + assertions = [ 89 89 + { 90 90 + assertion = !lib.isStorePath cfg.credentialsFile; 91 91 + message = '' 92 92 + <option>services.atticd.credentialsFile</option> points to a path in the Nix store. The Nix store is globally readable. 93 93 + 94 94 + You should use a quoted absolute path to prevent this. 95 95 + ''; 96 96 + } 97 97 + ]; 98 98 + 99 99 + services.atticd.settings = { 100 100 + database.url = lib.mkDefault "sqlite:///var/lib/atticd/server.db?mode=rwc"; 101 101 + 102 102 + # "storage" is internally tagged 103 103 + # if the user sets something the whole thing must be replaced 104 104 + storage = lib.mkDefault { 105 105 + type = "local"; 106 106 + path = "/var/lib/atticd/storage"; 107 107 + }; 108 108 + }; 109 109 + 110 110 + systemd.services.atticd = { 111 111 + wantedBy = [ "multi-user.target" ]; 112 112 + after = [ "network.target" ] ++ lib.optional hasLocalPostgresDB "postgresql.service"; 113 113 + serviceConfig = { 114 114 + ExecStart = "${cfg.package}/bin/atticd -f ${checkedConfigFile}"; 115 115 + EnvironmentFile = cfg.credentialsFile; 116 116 + StateDirectory = "atticd"; # for usage with local storage and sqlite 117 117 + DynamicUser = true; 118 118 + ProtectHome = true; 119 119 + ProtectHostname = true; 120 120 + ProtectKernelLogs = true; 121 121 + ProtectKernelModules = true; 122 122 + ProtectKernelTunables = true; 123 123 + ProtectProc = "invisible"; 124 124 + ProtectSystem = "strict"; 125 125 + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; 126 126 + RestrictNamespaces = true; 127 127 + RestrictRealtime = true; 128 128 + RestrictSUIDSGID = true; 129 129 + }; 130 130 + }; 131 131 + 132 132 + environment.systemPackages = [ cfg.package ]; 133 133 + } 134 134 + (lib.mkIf cfg.useFlakeCompatOverlay { 135 135 + nixpkgs.overlays = [ overlay ]; 136 136 + }) 137 137 + ]); 138 138 + }