nixpkgs/nixos/modules/services/networking/nix-store-gcs-proxy.nix

{ config, lib, pkgs, ... }:

with lib;

let
  opts = { name, config, ... }: {
    options = {
      enable = mkOption {
        default = true;
        type = types.bool;
        example = true;
        description = "Whether to enable proxy for this bucket";
      };
      bucketName = mkOption {
        type = types.str;
        default = name;
        example = "my-bucket-name";
        description = "Name of Google storage bucket";
      };
      address = mkOption {
        type = types.str;
        example = "localhost:3000";
        description = "The address of the proxy.";
      };
    };
  };
  enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;
  mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);
in
{
  options.services.nix-store-gcs-proxy = mkOption {
    type = types.attrsOf (types.submodule opts);
    default = {};
    description = ''
      An attribute set describing an HTTP to GCS proxy that allows us to use GCS
      bucket via HTTP protocol.
    '';
  };

  config.systemd.services = mapProxies (name: cfg: {
    "nix-store-gcs-proxy-${name}" = {
      description = "A HTTP nix store that proxies requests to Google Storage";
      wantedBy = ["multi-user.target"];

      serviceConfig = {
        RestartSec = 5;
        StartLimitInterval = 10;
        ExecStart = ''
          ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \
            --bucket-name ${cfg.bucketName} \
            --addr ${cfg.address}
        '';

        DynamicUser = true;

        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;

        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;

        NoNewPrivileges = true;
        LockPersonality = true;
        RestrictRealtime = true;
      };
    };
  });

  meta.maintainers = [ maintainers.mrkkrp ];
}
module/nix-store-gcs-proxy: init 2020-02-12 11:39:09 +01:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`opts = { name, config, ... }: {`
			`options = {`
			`enable = mkOption {`
			`default = true;`
			`type = types.bool;`
			`example = true;`
			`description = "Whether to enable proxy for this bucket";`
			`};`
			`bucketName = mkOption {`
			`type = types.str;`
			`default = name;`
			`example = "my-bucket-name";`
			`description = "Name of Google storage bucket";`
			`};`
			`address = mkOption {`
			`type = types.str;`
			`example = "localhost:3000";`
			`description = "The address of the proxy.";`
			`};`
			`};`
			`};`
			`enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy;`
			`mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies);`
			`in`
			`{`
			`options.services.nix-store-gcs-proxy = mkOption {`
			`type = types.attrsOf (types.submodule opts);`
			`default = {};`
			`description = ''`
			`An attribute set describing an HTTP to GCS proxy that allows us to use GCS`
			`bucket via HTTP protocol.`
			`'';`
			`};`

			`config.systemd.services = mapProxies (name: cfg: {`
			`"nix-store-gcs-proxy-${name}" = {`
			`description = "A HTTP nix store that proxies requests to Google Storage";`
			`wantedBy = ["multi-user.target"];`

			`serviceConfig = {`
			`RestartSec = 5;`
			`StartLimitInterval = 10;`
			`ExecStart = ''`
			`${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \`
			`--bucket-name ${cfg.bucketName} \`
			`--addr ${cfg.address}`
			`'';`

			`DynamicUser = true;`

			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`PrivateMounts = true;`
			`PrivateUsers = true;`

			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectControlGroups = true;`

			`NoNewPrivileges = true;`
			`LockPersonality = true;`
			`RestrictRealtime = true;`
			`};`
			`};`
			`});`

			`meta.maintainers = [ maintainers.mrkkrp ];`
			`}`