blob: 390f0ddaee83c1ba3f090fde9d5c88e8a19cf906 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.nix-serve;
in
{
options = {
services.nix-serve = {
enable = mkEnableOption "nix-serve, the standalone Nix binary cache server";
port = mkOption {
type = types.port;
default = 5000;
description = ''
Port number where nix-serve will listen on.
'';
};
bindAddress = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
IP address where nix-serve will bind its listening socket.
'';
};
secretKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The path to the file used for signing derivation data.
Generate with:
```
nix-store --generate-binary-cache-key key-name secret-key-file public-key-file
```
For more details see <citerefentry><refentrytitle>nix-store</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
'';
};
extraParams = mkOption {
type = types.separatedString " ";
default = "";
description = ''
Extra command line parameters for nix-serve.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.nix-serve = {
description = "nix-serve binary cache server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ config.nix.package.out pkgs.bzip2.bin ];
environment.NIX_REMOTE = "daemon";
script = ''
${lib.optionalString (cfg.secretKeyFile != null) ''
export NIX_SECRET_KEY_FILE="$CREDENTIALS_DIRECTORY/NIX_SECRET_KEY_FILE"
''}
exec ${pkgs.nix-serve}/bin/nix-serve --listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}
'';
serviceConfig = {
Restart = "always";
RestartSec = "5s";
User = "nix-serve";
Group = "nix-serve";
DynamicUser = true;
LoadCredential = lib.optionalString (cfg.secretKeyFile != null)
"NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}";
};
};
};
}
|