infrastructure/machines/storage01/tvix-cache/default.nix

144 lines
3.8 KiB
Nix
Raw Normal View History

2024-07-23 20:47:25 +02:00
{ pkgs, config, ... }:
let
settingsFormat = pkgs.formats.toml { };
dataDir = "/data/slow/tvix-store";
store-config = {
composition = {
blobservices.default = {
type = "objectstore";
object_store_url = "file://${dataDir}/blob.objectstore";
object_store_options = { };
};
directoryservices = {
redb = {
type = "redb";
2024-07-23 20:47:25 +02:00
is_temporary = false;
path = "${dataDir}/directory.redb";
2024-07-23 20:47:25 +02:00
};
};
pathinfoservices = {
infra = {
type = "redb";
2024-07-23 20:47:25 +02:00
is_temporary = false;
path = "${dataDir}/pathinfo.redb";
2024-07-23 20:47:25 +02:00
};
infra-signing = {
type = "keyfile-signing";
inner = "infra";
keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
};
};
};
endpoints = {
"127.0.0.1:8056" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "redb";
2024-07-23 20:47:25 +02:00
path_info_service = "infra";
};
"127.0.0.1:8058" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "redb";
2024-07-23 20:47:25 +02:00
path_info_service = "infra-signing";
};
# Add grpc for management and because it is nice
"127.0.0.1:8057" = {
endpoint_type = "Grpc";
blob_service = "default";
directory_service = "redb";
2024-07-23 20:47:25 +02:00
path_info_service = "infra";
};
};
};
systemdHardening = {
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
RestrictSUIDSGID = true;
ProtectSystem = "strict";
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateUsers = true;
ProtectHome = true;
UMask = "0077";
RuntimeDirectoryMode = "0750";
StateDirectoryMode = "0750";
};
toml = {
composition = settingsFormat.generate "composition.toml" store-config.composition;
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
};
package = pkgs.callPackage ./package { };
in
{
age-secrets.autoMatch = [
"tvix-store"
"nginx"
];
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/infra/" = {
proxyPass = "http://127.0.0.1:8056/";
extraConfig = ''
client_max_body_size 50G;
limit_except GET {
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
}
'';
};
"/infra-signing/" = {
proxyPass = "http://127.0.0.1:8058/";
extraConfig = ''
client_max_body_size 50G;
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
'';
};
"/.well-known/nix-signing-keys/" = {
alias = "${./pubkeys}/";
extraConfig = "autoindex on;";
};
};
};
# TODO add tvix-store cli here
# environment.systemPackages = [ ];
users.users.tvix-store = {
isSystemUser = true;
group = "tvix-store";
};
users.groups.tvix-store = { };
systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ];
environment = {
RUST_LOG = "debug";
};
serviceConfig = {
UMask = "007";
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store";
User = "tvix-store";
Group = "tvix-store";
ReadWritePaths = [ dataDir ];
} // systemdHardening;
};
networking.firewall.allowedTCPPorts = [
80
443
];
}