nixos/modules/services/networking/ncps.nix +24 −1 @@ -27,6 +27,9 @@ let cfg.openTelemetry.grpcURL != null ) "--otel-grpc-url='${cfg.openTelemetry.grpcURL}'") )) ++ (lib.optionals cfg.prometheus.enable [ "--prometheus-enabled" ]) ); serveFlags = lib.concatStringsSep " " ( @@ -34,6 +37,7 @@ let "--cache-hostname='${cfg.cache.hostName}'" "--cache-data-path='${cfg.cache.dataPath}'" "--cache-database-url='${cfg.cache.databaseURL}'" "--cache-temp-path='${cfg.cache.tempPath}'" "--server-addr='${cfg.server.addr}'" ] ++ (lib.optional cfg.cache.allowDeleteVerb "--cache-allow-delete-verb") @@ -76,6 +80,8 @@ in }; }; prometheus.enable = lib.mkEnableOption "Enable Prometheus metrics endpoint at /metrics"; logLevel = lib.mkOption { type = lib.types.enum logLevels; default = "info"; @@ -165,6 +171,14 @@ in empty to automatically generate a private/public key. ''; }; tempPath = lib.mkOption { type = lib.types.str; default = "/tmp"; description = '' The path to the temporary directory that is used by the cache to download NAR files ''; }; }; server = { @@ -214,7 +228,7 @@ in }; users.groups.ncps = { }; systemd.services.ncps-create-datadirs = { systemd.services.ncps-create-directories = { description = "Created required directories by ncps"; serviceConfig = { Type = "oneshot"; @@ -232,6 +246,12 @@ in mkdir -p ${dbDir} chown ncps:ncps ${dbDir} fi '') + (lib.optionalString (cfg.cache.tempPath != "/tmp") '' if ! test -d ${cfg.cache.tempPath}; then mkdir -p ${cfg.cache.tempPath} chown ncps:ncps ${cfg.cache.tempPath} fi ''); wantedBy = [ "ncps.service" ]; before = [ "ncps.service" ]; @@ -273,6 +293,9 @@ in (lib.mkIf (isSqlite && !lib.strings.hasPrefix "/var/lib/ncps" dbDir) { ReadWritePaths = [ dbDir ]; }) (lib.mkIf (cfg.cache.tempPath != "/tmp") { ReadWritePaths = [ cfg.cache.tempPath ]; }) # Hardening {
nixos/modules/services/networking/ncps.nix +24 −1 @@ -27,6 +27,9 @@ let cfg.openTelemetry.grpcURL != null ) "--otel-grpc-url='${cfg.openTelemetry.grpcURL}'") )) ++ (lib.optionals cfg.prometheus.enable [ "--prometheus-enabled" ]) ); serveFlags = lib.concatStringsSep " " ( @@ -34,6 +37,7 @@ let "--cache-hostname='${cfg.cache.hostName}'" "--cache-data-path='${cfg.cache.dataPath}'" "--cache-database-url='${cfg.cache.databaseURL}'" "--cache-temp-path='${cfg.cache.tempPath}'" "--server-addr='${cfg.server.addr}'" ] ++ (lib.optional cfg.cache.allowDeleteVerb "--cache-allow-delete-verb") @@ -76,6 +80,8 @@ in }; }; prometheus.enable = lib.mkEnableOption "Enable Prometheus metrics endpoint at /metrics"; logLevel = lib.mkOption { type = lib.types.enum logLevels; default = "info"; @@ -165,6 +171,14 @@ in empty to automatically generate a private/public key. ''; }; tempPath = lib.mkOption { type = lib.types.str; default = "/tmp"; description = '' The path to the temporary directory that is used by the cache to download NAR files ''; }; }; server = { @@ -214,7 +228,7 @@ in }; users.groups.ncps = { }; systemd.services.ncps-create-datadirs = { systemd.services.ncps-create-directories = { description = "Created required directories by ncps"; serviceConfig = { Type = "oneshot"; @@ -232,6 +246,12 @@ in mkdir -p ${dbDir} chown ncps:ncps ${dbDir} fi '') + (lib.optionalString (cfg.cache.tempPath != "/tmp") '' if ! test -d ${cfg.cache.tempPath}; then mkdir -p ${cfg.cache.tempPath} chown ncps:ncps ${cfg.cache.tempPath} fi ''); wantedBy = [ "ncps.service" ]; before = [ "ncps.service" ]; @@ -273,6 +293,9 @@ in (lib.mkIf (isSqlite && !lib.strings.hasPrefix "/var/lib/ncps" dbDir) { ReadWritePaths = [ dbDir ]; }) (lib.mkIf (cfg.cache.tempPath != "/tmp") { ReadWritePaths = [ cfg.cache.tempPath ]; }) # Hardening {
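Review bot: The new tempPath block in the ncps-create-directories script only creates and chowns the directory when it is missing, so a pre-existing path is used with whatever owner and mode it already has, and the value is interpolated into the shell script unquoted. Since NAR downloads are staged there, I would create it unconditionally with a fixed owner and mode and escape the value, e.g. `install -d -m 0700 -o ncps -g ncps ${lib.escapeShellArg cfg.cache.tempPath}`, and declare the option as `lib.types.path` instead of `lib.types.str` so relative or empty values are rejected at evaluation time. The same quoting concern applies to `"--cache-temp-path='${cfg.cache.tempPath}'"` in serveFlags, where a value containing a single quote breaks the argument. The hardening block lies outside the hunk, so I cannot tell whether the default `/tmp` is private to the unit; if `PrivateTmp` is not set there, the default stages downloads in the shared world-writable `/tmp`, which deserves a sentence in the option description.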