nixpkgs/nixos/modules/services/system/cachix-watch-store.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.cachix-watch-store;
in
{
  meta.maintainers = [ lib.maintainers.jfroche lib.maintainers.domenkozar ];

  options.services.cachix-watch-store = {
    enable = mkEnableOption (lib.mdDoc "Cachix Watch Store: https://docs.cachix.org");

    cacheName = mkOption {
      type = types.str;
      description = lib.mdDoc "Cachix binary cache name";
    };

    cachixTokenFile = mkOption {
      type = types.path;
      description = lib.mdDoc ''
        Required file that needs to contain the cachix auth token.
      '';
    };

    signingKeyFile = mkOption {
      type = types.nullOr types.path;
      description = lib.mdDoc ''
        Optional file containing a self-managed signing key to sign uploaded store paths.
      '';
      default = null;
    };

    compressionLevel = mkOption {
      type = types.nullOr types.int;
      description = lib.mdDoc "The compression level for ZSTD compression (between 0 and 16)";
      default = null;
    };

    jobs = mkOption {
      type = types.nullOr types.int;
      description = lib.mdDoc "Number of threads used for pushing store paths";
      default = null;
    };

    host = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Cachix host to connect to";
    };

    verbose = mkOption {
      type = types.bool;
      description = lib.mdDoc "Enable verbose output";
      default = false;
    };

    package = mkPackageOption pkgs "cachix" { };
  };

  config = mkIf cfg.enable {
    systemd.services.cachix-watch-store-agent = {
      description = "Cachix watch store Agent";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      path = [ config.nix.package ];
      wantedBy = [ "multi-user.target" ];
      unitConfig = {
        # allow to restart indefinitely
        StartLimitIntervalSec = 0;
      };
      serviceConfig = {
        # don't put too much stress on the machine when restarting
        RestartSec = 1;
        # we don't want to kill children processes as those are deployments
        KillMode = "process";
        Restart = "on-failure";
        DynamicUser = true;
        LoadCredential = [
          "cachix-token:${toString cfg.cachixTokenFile}"
        ]
        ++ lib.optional (cfg.signingKeyFile != null) "signing-key:${toString cfg.signingKeyFile}";
      };
      script =
        let
          command = [ "${cfg.package}/bin/cachix" ]
            ++ (lib.optional cfg.verbose "--verbose") ++ (lib.optionals (cfg.host != null) [ "--host" cfg.host ])
            ++ [ "watch-store" ] ++ (lib.optionals (cfg.compressionLevel != null) [ "--compression-level" (toString cfg.compressionLevel) ])
            ++ (lib.optionals (cfg.jobs != null) [ "--jobs" (toString cfg.jobs) ]) ++ [ cfg.cacheName ];
        in
        ''
          export CACHIX_AUTH_TOKEN="$(<"$CREDENTIALS_DIRECTORY/cachix-token")"
          ${lib.optionalString (cfg.signingKeyFile != null) ''export CACHIX_SIGNING_KEY="$(<"$CREDENTIALS_DIRECTORY/signing-key")"''}
          ${lib.escapeShellArgs command}
        '';
    };
  };
}