Loading nixos/modules/services/networking/harmonia.nix +19 −3 Original line number Diff line number Diff line Loading @@ -2,6 +2,12 @@ let cfg = config.services.harmonia; format = pkgs.formats.toml { }; signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath; credentials = lib.imap0 (i: signKeyPath: { id = "sign-key-${builtins.toString i}"; path = signKeyPath; }) signKeyPaths; in { options = { Loading @@ -11,7 +17,13 @@ in signKeyPath = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; description = "Path to the signing key that will be used for signing the cache"; description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache"; }; signKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = [ ]; description = "Paths to the signing keys to use for signing the cache"; }; package = lib.mkPackageOption pkgs "harmonia" { }; Loading @@ -28,6 +40,8 @@ in }; config = lib.mkIf cfg.enable { warnings = lib.optional (cfg.signKeyPath != null) "`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead"; nix.settings.extra-allowed-users = [ "harmonia" ]; users.users.harmonia = { isSystemUser = true; Loading @@ -44,7 +58,9 @@ in environment = { CONFIG_FILE = format.generate "harmonia.toml" cfg.settings; SIGN_KEY_PATH = lib.mkIf (cfg.signKeyPath != null) "%d/sign-key"; SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " ( credential: "%d/${credential.id}" ) credentials; # Note: it's important to set this for nix-store, because it wants to use # $HOME in order to use a temporary cache dir. bizarre failures will occur # otherwise Loading 
@@ -60,7 +76,7 @@ in DeviceAllow = [ "" ]; UMask = "0066"; RuntimeDirectory = "harmonia"; LoadCredential = lib.mkIf (cfg.signKeyPath != null) [ "sign-key:${cfg.signKeyPath}" ]; LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials; SystemCallFilter = [ "@system-service" "~@privileged" Loading nixos/tests/harmonia.nix +1 −1 Original line number Diff line number Diff line Loading @@ -7,7 +7,7 @@ harmonia = { services.harmonia = { enable = true; signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg=="; signKeyPaths = [(pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==")]; settings.priority = 35; }; Loading Loading
nixos/modules/services/networking/harmonia.nix +19 −3 Original line number Diff line number Diff line Loading @@ -2,6 +2,12 @@ let cfg = config.services.harmonia; format = pkgs.formats.toml { }; signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath; credentials = lib.imap0 (i: signKeyPath: { id = "sign-key-${builtins.toString i}"; path = signKeyPath; }) signKeyPaths; in { options = { Loading @@ -11,7 +17,13 @@ in signKeyPath = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; description = "Path to the signing key that will be used for signing the cache"; description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache"; }; signKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = [ ]; description = "Paths to the signing keys to use for signing the cache"; }; package = lib.mkPackageOption pkgs "harmonia" { }; Loading @@ -28,6 +40,8 @@ in }; config = lib.mkIf cfg.enable { warnings = lib.optional (cfg.signKeyPath != null) "`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead"; nix.settings.extra-allowed-users = [ "harmonia" ]; users.users.harmonia = { isSystemUser = true; Loading @@ -44,7 +58,9 @@ in environment = { CONFIG_FILE = format.generate "harmonia.toml" cfg.settings; SIGN_KEY_PATH = lib.mkIf (cfg.signKeyPath != null) "%d/sign-key"; SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " ( credential: "%d/${credential.id}" ) credentials; # Note: it's important to set this for nix-store, because it wants to use # $HOME in order to use a temporary cache dir. bizarre failures will occur # otherwise Loading 
@@ -60,7 +76,7 @@ in DeviceAllow = [ "" ]; UMask = "0066"; RuntimeDirectory = "harmonia"; LoadCredential = lib.mkIf (cfg.signKeyPath != null) [ "sign-key:${cfg.signKeyPath}" ]; LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials; SystemCallFilter = [ "@system-service" "~@privileged" Loading
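Review bot: The description of the new `signKeyPaths` option (options hunk) does not say that the key files must stay outside the Nix store, although each entry is interpolated into `LoadCredential` as `"${credential.id}:${credential.path}"`. Because the type is `lib.types.path`, an entry written as a Nix path literal is copied into the world-readable store when interpolated, and a key built with `pkgs.writeText` (as in the test) is in the store from the start, so the cache signing key would be readable by every local user. I would extend the description to something like `"Paths to the signing keys to use for signing the cache. Give them as strings pointing to files outside the Nix store that are not world-readable; they are passed to the service via systemd LoadCredential."`. Separately, in the environment hunk `SIGN_KEY_PATHS` is now always set and becomes an empty string when no key is configured, where `SIGN_KEY_PATH` used to be omitted through `lib.mkIf`; it is worth confirming that harmonia treats an empty value as "no keys". The options set and the `serviceConfig` block both continue outside the hunks shown here.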
nixos/tests/harmonia.nix +1 −1 Original line number Diff line number Diff line Loading @@ -7,7 +7,7 @@ harmonia = { services.harmonia = { enable = true; signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg=="; signKeyPaths = [(pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==")]; settings.priority = 35; }; Loading