Merge pull request #335344 from Mic92/harmonia
nixos/harmonia: switch to non-deprecated SIGN_KEY_PATHS
commit
c43e67f69b
@ -2,6 +2,12 @@
|
|||||||
let
|
let
|
||||||
cfg = config.services.harmonia;
|
cfg = config.services.harmonia;
|
||||||
format = pkgs.formats.toml { };
|
format = pkgs.formats.toml { };
|
||||||
|
|
||||||
|
signKeyPaths = cfg.signKeyPaths ++ lib.optional (cfg.signKeyPath != null) cfg.signKeyPath;
|
||||||
|
credentials = lib.imap0 (i: signKeyPath: {
|
||||||
|
id = "sign-key-${builtins.toString i}";
|
||||||
|
path = signKeyPath;
|
||||||
|
}) signKeyPaths;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
@ -11,7 +17,13 @@ in
|
|||||||
signKeyPath = lib.mkOption {
|
signKeyPath = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.path;
|
type = lib.types.nullOr lib.types.path;
|
||||||
default = null;
|
default = null;
|
||||||
description = "Path to the signing key that will be used for signing the cache";
|
description = "DEPRECATED: Use `services.harmonia.signKeyPaths` instead. Path to the signing key to use for signing the cache";
|
||||||
|
};
|
||||||
|
|
||||||
|
signKeyPaths = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.path;
|
||||||
|
default = [ ];
|
||||||
|
description = "Paths to the signing keys to use for signing the cache";
|
||||||
};
|
};
|
||||||
|
|
||||||
package = lib.mkPackageOption pkgs "harmonia" { };
|
package = lib.mkPackageOption pkgs "harmonia" { };
|
||||||
@ -28,6 +40,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
warnings = lib.optional (cfg.signKeyPath != null)
|
||||||
|
"`services.harmonia.signKeyPath` is deprecated, use `services.harmonia.signKeyPaths` instead";
|
||||||
nix.settings.extra-allowed-users = [ "harmonia" ];
|
nix.settings.extra-allowed-users = [ "harmonia" ];
|
||||||
users.users.harmonia = {
|
users.users.harmonia = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
@ -44,7 +58,9 @@ in
|
|||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
CONFIG_FILE = format.generate "harmonia.toml" cfg.settings;
|
CONFIG_FILE = format.generate "harmonia.toml" cfg.settings;
|
||||||
SIGN_KEY_PATH = lib.mkIf (cfg.signKeyPath != null) "%d/sign-key";
|
SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " (
|
||||||
|
credential: "%d/${credential.id}"
|
||||||
|
) credentials;
|
||||||
# Note: it's important to set this for nix-store, because it wants to use
|
# Note: it's important to set this for nix-store, because it wants to use
|
||||||
# $HOME in order to use a temporary cache dir. bizarre failures will occur
|
# $HOME in order to use a temporary cache dir. bizarre failures will occur
|
||||||
# otherwise
|
# otherwise
|
||||||
@ -60,7 +76,7 @@ in
|
|||||||
DeviceAllow = [ "" ];
|
DeviceAllow = [ "" ];
|
||||||
UMask = "0066";
|
UMask = "0066";
|
||||||
RuntimeDirectory = "harmonia";
|
RuntimeDirectory = "harmonia";
|
||||||
LoadCredential = lib.mkIf (cfg.signKeyPath != null) [ "sign-key:${cfg.signKeyPath}" ];
|
LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials;
|
||||||
SystemCallFilter = [
|
SystemCallFilter = [
|
||||||
"@system-service"
|
"@system-service"
|
||||||
"~@privileged"
|
"~@privileged"
|
||||||
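Review bot: The description of the new `signKeyPaths` option does not say that the key files must live outside the Nix store. The option takes `lib.types.path` and `LoadCredential` interpolates it as `"${credential.id}:${credential.path}"`, so a key given as a Nix path literal would, as far as I can tell, be copied into the world-readable store; the test in this commit already places its example key there with `pkgs.writeText`. I would extend the description to something like `"Paths to the signing keys to use for signing the cache. These files hold private keys; pass them as strings that point outside the Nix store."`. Separately, `SIGN_KEY_PATHS` is now always set, and is an empty string when no key is configured, whereas the old `SIGN_KEY_PATH` was omitted through `lib.mkIf`. Whether harmonia treats an empty value as "no keys" is not visible here and is worth confirming.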
|
@ -7,7 +7,7 @@
|
|||||||
harmonia = {
|
harmonia = {
|
||||||
services.harmonia = {
|
services.harmonia = {
|
||||||
enable = true;
|
enable = true;
|
||||||
signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==";
|
signKeyPaths = [(pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==")];
|
||||||
settings.priority = 35;
|
settings.priority = 35;
|
||||||
};
|
};
|
||||||
|
|
||||||
|