nixos-configuration/nix-os/services/nix-binary-cache.nix

{
  config,
  lib,
  pkgs,
  ...
}:

{
  options = {
    services.nix-serve = {
      keyName = lib.mkOption {
        type = lib.types.str;
        default = config.networking.fqdnOrHostName;
        defaultText = "config.networking.fqdnOrHostName";
        description = "Name of the key when generating (usually domain name)";
      };
      publicKeyFile = lib.mkOption {
        type = lib.types.path;
        default = "/var/cache-pub-key.pem";
        description = "Path to the public key file";
      };
    };
  };
  config = {
    services.nix-serve = {
      enable = true;
      package = pkgs.nix-serve-ng;
      secretKeyFile = "/var/cache-priv-key.pem";
    };
    systemd.services.nix-serve-generate-key = let
      inherit (config.services.nix-serve) keyName secretKeyFile publicKeyFile;
    in {
      description = "Ensure existence of nix binary cache signing key";
      wantedBy = [ config.systemd.services.nix-serve.name ];
      script = ''
        if [ -f ${secretKeyFile} ]; then
          echo "File ${secretKeyFile} already exists, nothing to do" >&2
          exit 0
        fi
        if [ -a ${secretKeyFile} ]; then
          echo "File ${secretKeyFile} is not a regular file" >&2
          exit 1
        fi
        echo "Generating nix binary cache signing key" >&2
        touch ${secretKeyFile}
        chmod 600 ${secretKeyFile}
        mkdir -p $(dirname ${secretKeyFile})
        ${lib.getExe' pkgs.nix "nix-store"} --generate-binary-cache-key \
          ${keyName} ${secretKeyFile} ${publicKeyFile}
      '';
      restartIfChanged = true;
    };
  };
}
nixos/nix-binary-cache: create nix cache signing key if doesn't exists 2025-02-24 12:54:04 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
nixos/services/nix-binary-cache: use nix-serve-ng 2024-09-09 19:47:35 +02:00
service/nix-binary-cache: create and use in main host 2024-05-19 13:27:41 +02:00			`{`
nixos/nix-binary-cache: create nix cache signing key if doesn't exists 2025-02-24 12:54:04 +01:00			`options = {`
			`services.nix-serve = {`
			`keyName = lib.mkOption {`
			`type = lib.types.str;`
			`default = config.networking.fqdnOrHostName;`
			`defaultText = "config.networking.fqdnOrHostName";`
			`description = "Name of the key when generating (usually domain name)";`
			`};`
			`publicKeyFile = lib.mkOption {`
			`type = lib.types.path;`
			`default = "/var/cache-pub-key.pem";`
			`description = "Path to the public key file";`
			`};`
			`};`
			`};`
service/nix-binary-cache: create and use in main host 2024-05-19 13:27:41 +02:00			`config = {`
			`services.nix-serve = {`
			`enable = true;`
nixos/services/nix-binary-cache: use nix-serve-ng 2024-09-09 19:47:35 +02:00			`package = pkgs.nix-serve-ng;`
service/nix-binary-cache: create and use in main host 2024-05-19 13:27:41 +02:00			`secretKeyFile = "/var/cache-priv-key.pem";`
			`};`
nixos/nix-binary-cache: create nix cache signing key if doesn't exists 2025-02-24 12:54:04 +01:00			`systemd.services.nix-serve-generate-key = let`
			`inherit (config.services.nix-serve) keyName secretKeyFile publicKeyFile;`
			`in {`
			`description = "Ensure existence of nix binary cache signing key";`
			`wantedBy = [ config.systemd.services.nix-serve.name ];`
			`script = ''`
			`if [ -f ${secretKeyFile} ]; then`
			`echo "File ${secretKeyFile} already exists, nothing to do" >&2`
			`exit 0`
			`fi`
			`if [ -a ${secretKeyFile} ]; then`
			`echo "File ${secretKeyFile} is not a regular file" >&2`
			`exit 1`
			`fi`
			`echo "Generating nix binary cache signing key" >&2`
			`touch ${secretKeyFile}`
			`chmod 600 ${secretKeyFile}`
			`mkdir -p $(dirname ${secretKeyFile})`
			`${lib.getExe' pkgs.nix "nix-store"} --generate-binary-cache-key \`
			`${keyName} ${secretKeyFile} ${publicKeyFile}`
			`'';`
			`restartIfChanged = true;`
			`};`
service/nix-binary-cache: create and use in main host 2024-05-19 13:27:41 +02:00			`};`
			`}`