{ pkgs, config, ... }: let settingsFormat = pkgs.formats.toml { }; dataDir = "/data/slow/tvix-store"; store-config = { composition = { blobservices.default = { type = "objectstore"; object_store_url = "file://${dataDir}/blob.objectstore"; object_store_options = { }; }; directoryservices = { sled = { type = "sled"; is_temporary = false; path = "${dataDir}/directory.sled"; }; object = { type = "objectstore"; object_store_url = "file://${dataDir}/directory.objectstore"; object_store_options = { }; }; }; pathinfoservices = { infra = { type = "sled"; is_temporary = false; path = "${dataDir}/pathinfo.sled"; }; infra-signing = { type = "keyfile-signing"; inner = "infra"; keyfile = config.age.secrets."tvix-store-infra-signing-key".path; }; }; }; endpoints = { "127.0.0.1:8056" = { endpoint_type = "Http"; blob_service = "default"; directory_service = "object"; path_info_service = "infra"; }; "127.0.0.1:8058" = { endpoint_type = "Http"; blob_service = "default"; directory_service = "object"; path_info_service = "infra-signing"; }; # Add grpc for management and because it is nice "127.0.0.1:8057" = { endpoint_type = "Grpc"; blob_service = "default"; directory_service = "object"; path_info_service = "infra"; }; }; }; systemdHardening = { PrivateDevices = true; PrivateTmp = true; ProtectControlGroups = true; ProtectKernelTunables = true; RestrictSUIDSGID = true; ProtectSystem = "strict"; ProtectKernelLogs = true; ProtectProc = "invisible"; PrivateUsers = true; ProtectHome = true; UMask = "0077"; RuntimeDirectoryMode = "0750"; StateDirectoryMode = "0750"; }; toml = { composition = settingsFormat.generate "composition.toml" store-config.composition; endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints; }; package = pkgs.callPackage ./package { }; in { age-secrets.autoMatch = [ "tvix-store" "nginx" ]; services.nginx.virtualHosts."tvix-store.dgnum.eu" = { enableACME = true; forceSSL = true; locations = { "/infra/" = { proxyPass = "http://127.0.0.1:8056/"; extraConfig = '' client_max_body_size 50G; limit_except GET { auth_basic "Password required"; auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path}; } ''; }; "/infra-signing/" = { proxyPass = "http://127.0.0.1:8058/"; extraConfig = '' client_max_body_size 50G; auth_basic "Password required"; auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path}; ''; }; "/.well-known/nix-signing-keys/" = { alias = "${./pubkeys}/"; extraConfig = "autoindex on;"; }; }; }; # TODO add tvix-store cli here # environment.systemPackages = [ ]; users.users.tvix-store = { isSystemUser = true; group = "tvix-store"; }; users.groups.tvix-store = { }; systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ]; systemd.services."tvix-store" = { wantedBy = [ "multi-user.target" ]; environment = { RUST_LOG = "debug"; }; serviceConfig = { UMask = "007"; ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}"; StateDirectory = "tvix-store"; RuntimeDirectory = "tvix-store"; User = "tvix-store"; Group = "tvix-store"; ReadWritePaths = [ dataDir ]; } // systemdHardening; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; }