fix(module): reenable dynamicuser
This commit is contained in:
parent
fb64fb1eea
commit
9dcfcbf178
1 changed files with 36 additions and 28 deletions
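--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -14,7 +14,7 @@ let
 ProtectKernelTunables = true;
 RestrictSUIDSGID = true;
 
-#ProtectSystem = "strict";
+ProtectSystem = "strict";
 ProtectKernelLogs = true;
 ProtectProc = "invisible";
 PrivateUsers = true;
@@ -38,6 +38,25 @@ in
 lib.types.submodule (
 { name, ... }@cacheAttrs:
 {
+options = {
+grpcListenAddress = lib.mkOption { type = lib.types.str; };
+narBridgeListenAddress = lib.mkOption { type = lib.types.str; };
+nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };
+tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };
+name = lib.mkOption {
+type = lib.types.str;
+description = "Name of the cache";
+default = name;
+defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";
+};
+remote-path-info-service-addr = lib.mkOption {
+type = with lib.types; nullOr str;
+description = "Upstream cache to substitute from if nothing in ";
+example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
+default = null;
+};
+};
+
 config =
 let
 common-composition = {
@@ -72,7 +91,18 @@ in
 nar-bridge-composition = lib.recursiveUpdate common-composition {
 pathinfoservices.default = {
 type = "grpc";
-url = "grpc+http://${cacheAttrs.config.grpcListenAddress}";
+url = "grpc+http://${
+lib.replaceStrings
+[
+"[::]"
+"0.0.0.0"
+]
+[
+"[::1]"
+"127.0.0.1"
+]
+cacheAttrs.config.grpcListenAddress
+}";
 };
 };
 tvix-daemon-composition = lib.recursiveUpdate common-composition {
@@ -83,25 +113,6 @@ in
 };
 };
 };
-
-options = {
-grpcListenAddress = lib.mkOption { type = lib.types.str; };
-narBridgeListenAddress = lib.mkOption { type = lib.types.str; };
-nar-bridge-composition = lib.mkOption { inherit (settingsFormat) type; };
-tvix-daemon-composition = lib.mkOption { inherit (settingsFormat) type; };
-name = lib.mkOption {
-type = lib.types.str;
-description = "Name of the cache";
-default = name;
-defaultText = lib.literalMD "Defaults to attribute name in services.tvix-binary-cache.caches";
-};
-remote-path-info-service-addr = lib.mkOption {
-type = with lib.types; nullOr str;
-description = "Upstream cache to substitute from if nothing in ";
-example = "nix+https://cache.nixos.org?trusted-public-keys=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
-default = null;
-};
-};
 }
 )
 );
@@ -112,10 +123,6 @@ in
 config = lib.mkIf cfg.enable {
 
 environment.systemPackages = [ pkgs.tvix ];
-users.users.tvix-castore = {
-isSystemUser = true;
-group = "tvix-castore";
-};
 users.groups.tvix-castore = { };
 
 systemd.tmpfiles.rules = [ "d ${cfg.castoreDir} 770 root tvix-castore -" ];
@@ -129,12 +136,12 @@ in
 };
 serviceConfig = {
 UMask = "007";
-#ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/tvix-castore/socket\"";
 ExecStart = "${pkgs.tvix}/bin/tvix-store --otlp=false daemon --listen-address=\"${cache.grpcListenAddress}\"";
 StateDirectory = "tvix-daemon-${cache.name}";
 RuntimeDirectory = "tvix-daemon-${cache.name}";
-User = "tvix-castore";
+DynamicUser = true;
 Group = "tvix-castore";
+ReadWritePaths = cfg.castoreDir;
 } // systemdHardening;
 };
 "narbridge-${cache.name}" = {
@@ -146,9 +153,10 @@ in
 };
 serviceConfig = {
 ExecStart = "${pkgs.tvix}/bin/nar-bridge --otlp=false --listen-address=\"${cache.narBridgeListenAddress}\"";
-User = "tvix-castore";
+DynamicUser = true;
 Group = "tvix-castore";
 RuntimeDirectory = "narbridge-${cache.name}";
+ReadWritePaths = cfg.castoreDir;
 } // systemdHardening;
 };
 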
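Review bot: In the last hunk the narbridge unit now runs as its own dynamic UID (`DynamicUser = true;`) and is granted `ReadWritePaths = cfg.castoreDir;`, but unlike the tvix-daemon unit it sets no `UMask = "007";`, so with a default umask anything nar-bridge creates under the castore directory (created `root:tvix-castore` mode 770 by the tmpfiles rule, so access relies on the shared group) would be group read-only and not writable by the daemon's separate dynamic UID. Either add `UMask = "007";` to the narbridge serviceConfig to match the daemon unit, or, if nar-bridge only reaches the store through the daemon's gRPC endpoint, drop its `ReadWritePaths` entirely so it keeps the read-only view that `ProtectSystem = "strict"` now enforces. This assumes `systemdHardening` does not itself set a UMask; its visible lines do not. Separately, `ProtectSystem = "strict"` is now active for every unit using `systemdHardening`, so any other path those units write outside their StateDirectory/RuntimeDirectory also needs to be listed in ReadWritePaths.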