2024-07-23 20:47:25 +02:00
|
|
|
{ pkgs, config, ... }:
|
|
|
|
let
|
|
|
|
settingsFormat = pkgs.formats.toml { };
|
|
|
|
|
|
|
|
dataDir = "/data/slow/tvix-store";
|
|
|
|
|
|
|
|
store-config = {
|
|
|
|
composition = {
|
|
|
|
blobservices.default = {
|
|
|
|
type = "objectstore";
|
|
|
|
object_store_url = "file://${dataDir}/blob.objectstore";
|
|
|
|
object_store_options = { };
|
|
|
|
};
|
|
|
|
directoryservices = {
|
2024-09-23 00:40:06 +02:00
|
|
|
redb = {
|
|
|
|
type = "redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
is_temporary = false;
|
2024-09-23 00:40:06 +02:00
|
|
|
path = "${dataDir}/directory.redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
pathinfoservices = {
|
|
|
|
infra = {
|
2024-09-23 00:40:06 +02:00
|
|
|
type = "redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
is_temporary = false;
|
2024-09-23 00:40:06 +02:00
|
|
|
path = "${dataDir}/pathinfo.redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
};
|
|
|
|
infra-signing = {
|
|
|
|
type = "keyfile-signing";
|
|
|
|
inner = "infra";
|
|
|
|
keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
endpoints = {
|
|
|
|
"127.0.0.1:8056" = {
|
|
|
|
endpoint_type = "Http";
|
|
|
|
blob_service = "default";
|
2024-09-23 00:40:06 +02:00
|
|
|
directory_service = "redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
path_info_service = "infra";
|
|
|
|
};
|
|
|
|
"127.0.0.1:8058" = {
|
|
|
|
endpoint_type = "Http";
|
|
|
|
blob_service = "default";
|
2024-09-23 00:40:06 +02:00
|
|
|
directory_service = "redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
path_info_service = "infra-signing";
|
|
|
|
};
|
|
|
|
# Add grpc for management and because it is nice
|
|
|
|
"127.0.0.1:8057" = {
|
|
|
|
endpoint_type = "Grpc";
|
|
|
|
blob_service = "default";
|
2024-09-23 00:40:06 +02:00
|
|
|
directory_service = "redb";
|
2024-07-23 20:47:25 +02:00
|
|
|
path_info_service = "infra";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
systemdHardening = {
|
|
|
|
PrivateDevices = true;
|
|
|
|
PrivateTmp = true;
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
ProtectProc = "invisible";
|
|
|
|
PrivateUsers = true;
|
|
|
|
ProtectHome = true;
|
|
|
|
UMask = "0077";
|
|
|
|
RuntimeDirectoryMode = "0750";
|
|
|
|
StateDirectoryMode = "0750";
|
|
|
|
};
|
|
|
|
toml = {
|
|
|
|
composition = settingsFormat.generate "composition.toml" store-config.composition;
|
|
|
|
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
|
|
|
|
};
|
|
|
|
package = pkgs.callPackage ./package { };
|
|
|
|
in
|
|
|
|
{
|
|
|
|
|
|
|
|
age-secrets.autoMatch = [
|
|
|
|
"tvix-store"
|
|
|
|
"nginx"
|
|
|
|
];
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations = {
|
|
|
|
"/infra/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:8056/";
|
|
|
|
extraConfig = ''
|
|
|
|
client_max_body_size 50G;
|
|
|
|
limit_except GET {
|
|
|
|
auth_basic "Password required";
|
|
|
|
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
"/infra-signing/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:8058/";
|
|
|
|
extraConfig = ''
|
|
|
|
client_max_body_size 50G;
|
|
|
|
auth_basic "Password required";
|
|
|
|
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
"/.well-known/nix-signing-keys/" = {
|
|
|
|
alias = "${./pubkeys}/";
|
|
|
|
extraConfig = "autoindex on;";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
# TODO add tvix-store cli here
|
|
|
|
# environment.systemPackages = [ ];
|
|
|
|
users.users.tvix-store = {
|
|
|
|
isSystemUser = true;
|
|
|
|
group = "tvix-store";
|
|
|
|
};
|
|
|
|
users.groups.tvix-store = { };
|
|
|
|
|
|
|
|
systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
|
|
|
|
|
|
|
|
systemd.services."tvix-store" = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = {
|
|
|
|
RUST_LOG = "debug";
|
|
|
|
};
|
|
|
|
serviceConfig = {
|
|
|
|
UMask = "007";
|
|
|
|
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
|
|
|
|
StateDirectory = "tvix-store";
|
|
|
|
RuntimeDirectory = "tvix-store";
|
|
|
|
User = "tvix-store";
|
|
|
|
Group = "tvix-store";
|
|
|
|
ReadWritePaths = [ dataDir ];
|
|
|
|
} // systemdHardening;
|
|
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
80
|
|
|
|
443
|
|
|
|
];
|
|
|
|
}
|