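{
  pkgs,
  lib,
  config,
  ...
}:
# services.tvix-binary-cache: runs a tvix-store daemon (content-addressed
# store) and nar-bridge-go in front of it as an HTTP binary cache that is
# reachable on loopback only.
let
  cfg = config.services.tvix-binary-cache;
in
{
  options = {
    services.tvix-binary-cache = {
      enable = lib.mkEnableOption "BinaryCache using tvix ca-store";
      port = lib.mkOption {
        type = lib.types.port;
        default = 9000;
        description = ''
          TCP port on which nar-bridge serves the binary cache. The listener
          is bound to `[::1]` only; a reverse proxy is expected in front of it.
        '';
      };
    };
  };

  config = {
    systemd.services =
      let
        # Name of the tvix-store state and runtime directories
        # (%S/tvix-binary-cache and %t/tvix-binary-cache).
        stateDir = "tvix-binary-cache";

        # Identity and sandboxing shared by both units. Using the same
        # DynamicUser name is what lets nar-bridge reach the socket inside
        # tvix-store's runtime directory; UMask 0077 keeps every file the
        # daemons create owner-only regardless of the nginx group.
        commonServiceConfig = {
          DynamicUser = true;
          User = "tvix-binary-cache";
          Group = "nginx";
          PrivateDevices = true;
          PrivateTmp = true;
          ProtectControlGroups = true;
          ProtectKernelTunables = true;
          RestrictSUIDSGID = true;
          ProtectSystem = "strict";
          ProtectKernelLogs = true;
          ProtectProc = "invisible";
          PrivateUsers = true;
          ProtectHome = true;
          UMask = "0077";
        };
      in
      lib.mkIf cfg.enable {
        nar-bridge = {
          wants = [ "tvix-store.service" ];
          wantedBy = [ "multi-user.target" ];
          after = [ "tvix-store.service" ];
          # Deliberately no RuntimeDirectory/StateDirectory here: the
          # directories belong to tvix-store, and declaring the runtime
          # directory on a second unit would let systemd remove it (socket
          # included) whenever that unit stops.
          # NOTE(review): `after` only orders process start and tvix-store
          # sets no Type=notify, so the socket may not exist yet when
          # nar-bridge first connects — confirm nar-bridge-go retries, or add
          # readiness signalling to tvix-store.
          serviceConfig = commonServiceConfig // {
            ExecStart = "${lib.getExe pkgs.nar-bridge-go} --otlp=false --listen-addr=\"[::1]:${builtins.toString cfg.port}\" --store-addr=\"unix://%t/${stateDir}/socket\"";
          };
        };

        # Not in multi-user.target itself; pulled in by nar-bridge via `wants`.
        tvix-store = {
          environment = {
            BLOB_SERVICE_ADDR = "objectstore+file://%S/${stateDir}/blobs.object_store";
            DIRECTORY_SERVICE_ADDR = "sled://%S/${stateDir}/directories.sled";
            PATH_INFO_SERVICE_ADDR = "sled://%S/${stateDir}/pathinfo.sled";
          };
          serviceConfig = commonServiceConfig // {
            ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/${stateDir}/socket\"";
            StateDirectory = stateDir;
            RuntimeDirectory = stateDir;
            # The *Mode settings only have an effect on the directories
            # declared just above, so they live on this unit alone. 0750 lets
            # the nginx group traverse the directories without granting it
            # the owner-only files created under UMask 0077.
            RuntimeDirectoryMode = "0750";
            StateDirectoryMode = "0750";
          };
        };
      };
  };
}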