author | Mark Karpov <markkarpov92@gmail.com> | 2020-02-12 11:39:09 +0100 |
---|---|---|
committer | Mark Karpov <markkarpov92@gmail.com> | 2020-03-02 16:01:14 +0100 |
commit | 96b472e95d661d3544048d066874a93b7180477a (patch) | |
tree | 47101f2c69c4a57c21c4d51f95dffecb4c0b9d7c /nixos/modules/services | |
parent | c6218f9e9950e46ed89fc8e606523c03ad20292e (diff) | |
module/nix-store-gcs-proxy: init
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/networking/nix-store-gcs-proxy.nix | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/nix-store-gcs-proxy.nix b/nixos/modules/services/networking/nix-store-gcs-proxy.nix
new file mode 100644
index 00000000000..3f2ce5bca4d
--- /dev/null
+++ b/nixos/modules/services/networking/nix-store-gcs-proxy.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ opts = { name, config, ... }: {
+ options = {
+ enable = mkOption {
+ default = true;
+ type = types.bool;
+ example = true;
+ description = "Whether to enable proxy for this bucket";
+ };
+ bucketName = mkOption {
+ type = types.str;
+ default = name;
+ example = "my-bucket-name";
+ description = "Name of Google storage bucket";
+ };
+ address = mkOption {
+ type = types.str;
+ example = "localhost:3000";
+ description = "The address of the proxy.";
+ };
+ };
+ };
+ enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;
+ mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);
+in
+{
+ options.services.nix-store-gcs-proxy = mkOption {
+ type = types.attrsOf (types.submodule opts);
+ default = {};
+ description = ''
+ An attribute set describing an HTTP to GCS proxy that allows us to use GCS
+ bucket via HTTP protocol.
+ '';
+ };
+
+ config.systemd.services = mapProxies (name: cfg: {
+ "nix-store-gcs-proxy-${name}" = {
+ description = "A HTTP nix store that proxies requests to Google Storage";
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ RestartSec = 5;
+ StartLimitInterval = 10;
+ ExecStart = ''
+ ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \
+ --bucket-name ${cfg.bucketName} \
+ --addr ${cfg.address}
+ '';
+
+ DynamicUser = true;
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ };
+ };
+ });
+
+ meta.maintainers = [ maintainers.mrkkrp ];
+} |
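Review bot: `${cfg.bucketName}` and `${cfg.address}` are spliced unquoted into ExecStart, so a value containing whitespace or quote characters is split by systemd's command-line parsing into extra arguments rather than passed as one; quote them with `--bucket-name ${lib.escapeShellArg cfg.bucketName} \` and `--addr ${lib.escapeShellArg cfg.address}`. `RestartSec = 5` has no effect without a `Restart =` setting — add `Restart = "always";` (or `"on-failure"`) if automatic restart is intended, otherwise drop it. `StartLimitInterval` under `[Service]` is, as far as I recall, the legacy spelling; `unitConfig.StartLimitIntervalSec` is the current one. The unit declares no `after = [ "network.target" ]`, so it may be started before networking is up, and the hardening set stops short of syscall and socket-family restriction — `RestrictAddressFamilies`, `SystemCallFilter` and `CapabilityBoundingSet` would be natural additions for a network daemon that already runs as a DynamicUser. How the proxy authenticates to GCS is not visible in this module; it is worth documenting in the option description where credentials are expected to come from.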