meta: reorganize nix-os and hosts to single directory nixos

2025-05-18 18:44:51 +02:00 · 2025-05-18 18:44:51 +02:00 · cb05ce5b44
commit cb05ce5b44
parent be46e02c61
76 changed files with 54 additions and 52 deletions
--- a/nixos/modules/services/nix-binary-cache.nix
+++ b/nixos/modules/services/nix-binary-cache.nix
@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  options = {
+    services.nix-serve = {
+      keyName = lib.mkOption {
+        type = lib.types.str;
+        default = config.networking.fqdnOrHostName;
+        defaultText = "config.networking.fqdnOrHostName";
+        description = "Name of the key when generating (usually domain name)";
+      };
+      publicKeyFile = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/cache-pub-key.pem";
+        description = "Path to the public key file";
+      };
+    };
+  };
+  config = {
+    services.nix-serve = {
+      enable = true;
+      package = pkgs.nix-serve-ng;
+      secretKeyFile = "/var/cache-priv-key.pem";
+    };
+    systemd.services.nix-serve-generate-key = let
+      inherit (config.services.nix-serve) keyName secretKeyFile publicKeyFile;
+    in {
+      description = "Ensure existence of nix binary cache signing key";
+      wantedBy = [ config.systemd.services.nix-serve.name ];
+      script = ''
+        if [ -f ${secretKeyFile} ]; then
+          echo "File ${secretKeyFile} already exists, nothing to do" >&2
+          exit 0
+        fi
+        if [ -a ${secretKeyFile} ]; then
+          echo "File ${secretKeyFile} is not a regular file" >&2
+          exit 1
+        fi
+        echo "Generating nix binary cache signing key" >&2
+        touch ${secretKeyFile}
+        chmod 600 ${secretKeyFile}
+        mkdir -p $(dirname ${secretKeyFile})
+        ${lib.getExe' pkgs.nix "nix-store"} --generate-binary-cache-key \
+          ${keyName} ${secretKeyFile} ${publicKeyFile}
+      '';
+      restartIfChanged = true;
+    };
+  };
+}