aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/apps/nix-serve.nix126
-rw-r--r--modules/pkgs/nix-serve/default.nix31
-rw-r--r--modules/pkgs/nix-serve/nix-serve.psgi61
3 files changed, 218 insertions, 0 deletions
diff --git a/modules/apps/nix-serve.nix b/modules/apps/nix-serve.nix
new file mode 100644
index 0000000..20deab6
--- /dev/null
+++ b/modules/apps/nix-serve.nix
@@ -0,0 +1,126 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+ inherit (lib)
+ mkEnableOption mkIf mkOption optionalString ;
+
+ inherit (lib.types)
+ int nullOr package path str ;
+
+ cfg = config.nixsap.apps.nix-serve;
+
+ start =
+ let
+ maybeTCP = optionalString (cfg.port != null)
+ "--listen '${cfg.address}:${toString cfg.port}'";
+ in pkgs.writeBashScriptBin "nix-serve" ''
+ umask 0117 # for socket mode
+
+ export NIX_REMOTE="daemon"
+
+ ${optionalString (cfg.secretKeyFile != null) ''
+ export NIX_SECRET_KEY_FILE='${cfg.secretKeyFile}'
+ ''}
+
+ exec "${cfg.package}/bin/nix-serve" \
+ ${maybeTCP} \
+ --listen '${cfg.socket}' \
+ --workers ${toString cfg.workers}
+ '';
+
+in
+{
+ options = {
+ nixsap.apps.nix-serve = {
+ enable = mkEnableOption "nix-serve, the standalone Nix binary cache server";
+
+ user = mkOption {
+ description = "User and group to run as";
+ type = str;
+ default = "nix-serve";
+ };
+
+ home = mkOption {
+ description = "Home directory (currently for Unix socket only)";
+ type = path;
+ default = "/nix-serve";
+ };
+
+ package = mkOption {
+ description = "nix-serve package";
+ type = package;
+ default = pkgs.nix-serve;
+ };
+
+ workers = mkOption {
+ type = int;
+ default = 5;
+ description = "Specifies the number of worker pool";
+ };
+
+ port = mkOption {
+ type = nullOr int;
+ default = null;
+ description = ''
+ Port number where nix-serve will listen on in addition to Unix
+ socket. By default nix-serve listens on Unix socket only.
+ '';
+ };
+
+ address = mkOption {
+ type = str;
+ default = "127.0.0.1";
+ description = ''
+ IP address where nix-serve will bind its TCP listening socket.
+ '';
+ };
+
+ socket = mkOption {
+ description = ''
+ Unix socket to listen on.
+ '';
+ readOnly = true;
+ type = path;
+ default = "${cfg.home}/socket";
+ };
+
+ secretKeyFile = mkOption {
+ type = nullOr path;
+ default = null;
+ description = ''
+ The path to the file used for signing derivation data.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ nix.allowedUsers = [ cfg.user ];
+
+ nixsap.deployment.keyrings.${cfg.user} = [ cfg.secretKeyFile ];
+ nixsap.system.users.daemons = [ cfg.user ];
+
+ systemd.services.nix-serve = {
+ description = "nix-serve binary cache server";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "keys.target" ];
+ after = [ "keys.target" "network.target" "local-fs.target" ];
+
+ preStart = ''
+ mkdir -p -- '${cfg.home}'
+ rm -rf -- '${cfg.socket}'
+ chown -Rc '${cfg.user}:${cfg.user}' -- '${cfg.home}'
+ chmod -Rc u=rwX,g=rX,o= -- '${cfg.home}'
+ '';
+
+ serviceConfig = {
+ ExecStart = "${start}/bin/nix-serve";
+ KillMode = "mixed";
+ PermissionsStartOnly = true;
+ Restart = "always";
+ User = cfg.user;
+ };
+ };
+ };
+}
diff --git a/modules/pkgs/nix-serve/default.nix b/modules/pkgs/nix-serve/default.nix
new file mode 100644
index 0000000..7dcd9df
--- /dev/null
+++ b/modules/pkgs/nix-serve/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, coreutils, pxz, nix, perl, perlPackages }:
+
+let
+ inherit (stdenv.lib)
+ makeBinPath
+ ;
+
+in stdenv.mkDerivation {
+ name = "nix-serve";
+
+ src = "${./nix-serve.psgi}";
+
+ buildInputs = [ pxz perl nix ]
+ ++ (with perlPackages; [ DBI DBDSQLite Plack Starman ]);
+
+ phases = [ "installPhase" ];
+
+ installPhase = ''
+ mkdir -p $out/libexec/nix-serve
+ cat "$src" > "$out/libexec/nix-serve.psgi"
+
+ mkdir -p $out/bin
+ cat > $out/bin/nix-serve <<EOF
+ #! ${stdenv.shell}
+ export PATH=${makeBinPath [ coreutils pxz nix ]}:\$PATH
+ export PERL5LIB=$PERL5LIB
+ exec ${perlPackages.Starman}/bin/starman "$out/libexec/nix-serve.psgi" "\$@"
+ EOF
+ chmod +x $out/bin/nix-serve
+ '';
+}
diff --git a/modules/pkgs/nix-serve/nix-serve.psgi b/modules/pkgs/nix-serve/nix-serve.psgi
new file mode 100644
index 0000000..ac4071b
--- /dev/null
+++ b/modules/pkgs/nix-serve/nix-serve.psgi
@@ -0,0 +1,61 @@
+# This is nix-serve (https://github.com/edolstra/nix-serve) using pxz instead of bzip2
+use MIME::Base64;
+use Nix::Config;
+use Nix::Manifest;
+use Nix::Store;
+use Nix::Utils;
+use strict;
+
+sub stripPath {
+ my ($x) = @_;
+ $x =~ s/.*\///; $x
+}
+
+my $app = sub {
+ my $env = shift;
+ my $path = $env->{PATH_INFO};
+
+ if ($path eq "/nix-cache-info") {
+ return [200, ['Content-Type' => 'text/plain'], ["StoreDir: $Nix::Config::storeDir\nWantMassQuery: 1\nPriority: 30\n"]];
+ }
+
+ elsif ($path =~ "/([0-9a-z]+)\.narinfo") {
+ my $hashPart = $1;
+ my $storePath = queryPathFromHashPart($hashPart);
+ return [404, ['Content-Type' => 'text/plain'], ["No such path.\n"]] unless $storePath;
+ my ($deriver, $narHash, $time, $narSize, $refs) = queryPathInfo($storePath, 1) or die;
+ my $res =
+ "StorePath: $storePath\n" .
+ "URL: nar/$hashPart.nar.xz\n" .
+ "Compression: xz\n" .
+ "NarHash: $narHash\n" .
+ "NarSize: $narSize\n";
+ $res .= "References: " . join(" ", map { stripPath($_) } @$refs) . "\n"
+ if scalar @$refs > 0;
+ $res .= "Deriver: " . stripPath($deriver) . "\n" if defined $deriver;
+ my $secretKeyFile = $ENV{'NIX_SECRET_KEY_FILE'};
+ if (defined $secretKeyFile) {
+ my $s = readFile $secretKeyFile;
+ chomp $s;
+ my ($keyName, $secretKey) = split ":", $s;
+ die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
+ my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
+ my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
+ $res .= "Sig: $keyName:$sig\n";
+ }
+ return [200, ['Content-Type' => 'text/x-nix-narinfo'], [$res]];
+ }
+
+ elsif ($path =~ "/nar/([0-9a-z]+)\.nar.xz") {
+ my $hashPart = $1;
+ my $storePath = queryPathFromHashPart($hashPart);
+ return [404, ['Content-Type' => 'text/plain'], ["No such path.\n"]] unless $storePath;
+ my $fh = new IO::Handle;
+ open $fh, "nix-store --dump '$storePath' | nice -n 19 pxz -0 |";
+ return [200, ['Content-Type' => 'application/x-xz'], $fh];
+ }
+
+ else {
+ return [404, ['Content-Type' => 'text/plain'], ["File not found.\n"]];
+ }
+}