commit a8eea70935e20e1bfcfba27eb0a884ac8fd1bdb2

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #231113 from Kranzes/harmonia

nixos/harmonia: adjust module and test to upstream, harmonia: 0.6.3 -> 0.6.4

authored by

Ilan Joselevich and committed by

GitHub 2 years ago a8eea709 57445260

+23 -25

4 changed files

expand all

unified split

nixos

modules

services

networking

harmonia.nix

tests

all-tests.nix

harmonia.nix

pkgs

tools

package-management

harmonia

default.nix

+7 -11

nixos/modules/services/networking/harmonia.nix

··· 1 { config, pkgs, lib, ... }: 2 let 3 cfg = config.services.harmonia; 4 - 5 format = pkgs.formats.toml { }; 6 in 7 { ··· 12 signKeyPath = lib.mkOption { 13 type = lib.types.nullOr lib.types.path; 14 default = null; 15 - description = lib.mdDoc "Path to the signing key to use for signing the cache"; 16 }; 17 18 package = lib.mkPackageOptionMD pkgs "harmonia" { }; 19 20 settings = lib.mkOption { 21 inherit (format) type; 22 - description = lib.mdDoc "Settings to merge with the default configuration"; 23 }; 24 }; 25 }; 26 27 config = lib.mkIf cfg.enable { 28 - services.harmonia.settings.bind = lib.mkDefault "[::]:5000"; 29 - 30 systemd.services.harmonia = { 31 description = "harmonia binary cache service"; 32 ··· 45 46 serviceConfig = { 47 ExecStart = lib.getExe cfg.package; 48 - 49 User = "harmonia"; 50 Group = "harmonia"; 51 DynamicUser = true; 52 PrivateUsers = true; 53 DeviceAllow = [ "" ]; 54 UMask = "0066"; 55 - 56 RuntimeDirectory = "harmonia"; 57 - LoadCredential = lib.optional (cfg.signKeyPath != null) "sign-key:${cfg.signKeyPath}"; 58 - 59 SystemCallFilter = [ 60 "@system-service" 61 "~@privileged" ··· 74 ProtectProc = "invisible"; 75 RestrictNamespaces = true; 76 SystemCallArchitectures = "native"; 77 - 78 PrivateNetwork = false; 79 PrivateTmp = true; 80 PrivateDevices = true; ··· 84 ProtectHome = true; 85 LockPersonality = true; 86 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; 87 - 88 LimitNOFILE = 65536; 89 }; 90 };

··· 1 { config, pkgs, lib, ... }: 2 let 3 cfg = config.services.harmonia; 4 format = pkgs.formats.toml { }; 5 in 6 { ··· 11 signKeyPath = lib.mkOption { 12 type = lib.types.nullOr lib.types.path; 13 default = null; 14 + description = lib.mdDoc "Path to the signing key that will be used for signing the cache"; 15 }; 16 17 package = lib.mkPackageOptionMD pkgs "harmonia" { }; 18 19 settings = lib.mkOption { 20 inherit (format) type; 21 + default = { }; 22 + description = lib.mdDoc '' 23 + Settings to merge with the default configuration. 24 + For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>. 25 + ''; 26 }; 27 }; 28 }; 29 30 config = lib.mkIf cfg.enable { 31 systemd.services.harmonia = { 32 description = "harmonia binary cache service"; 33 ··· 46 47 serviceConfig = { 48 ExecStart = lib.getExe cfg.package; 49 User = "harmonia"; 50 Group = "harmonia"; 51 DynamicUser = true; 52 PrivateUsers = true; 53 DeviceAllow = [ "" ]; 54 UMask = "0066"; 55 RuntimeDirectory = "harmonia"; 56 + LoadCredential = lib.mkIf (cfg.signKeyPath != null) [ "sign-key:${cfg.signKeyPath}" ]; 57 SystemCallFilter = [ 58 "@system-service" 59 "~@privileged" ··· 72 ProtectProc = "invisible"; 73 RestrictNamespaces = true; 74 SystemCallArchitectures = "native"; 75 PrivateNetwork = false; 76 PrivateTmp = true; 77 PrivateDevices = true; ··· 81 ProtectHome = true; 82 LockPersonality = true; 83 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; 84 LimitNOFILE = 65536; 85 }; 86 };

+1 -1

nixos/tests/all-tests.nix

··· 297 haste-server = handleTest ./haste-server.nix {}; 298 haproxy = handleTest ./haproxy.nix {}; 299 hardened = handleTest ./hardened.nix {}; 300 - harmonia = handleTest ./harmonia.nix {}; 301 headscale = handleTest ./headscale.nix {}; 302 healthchecks = handleTest ./web-apps/healthchecks.nix {}; 303 hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; };

··· 297 haste-server = handleTest ./haste-server.nix {}; 298 haproxy = handleTest ./haproxy.nix {}; 299 hardened = handleTest ./hardened.nix {}; 300 + harmonia = runTest ./harmonia.nix; 301 headscale = handleTest ./headscale.nix {}; 302 healthchecks = handleTest ./web-apps/healthchecks.nix {}; 303 hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; };

+12 -10

nixos/tests/harmonia.nix

··· 1 - import ./make-test-python.nix ({ pkgs, ... }: 2 { 3 name = "harmonia"; 4 nodes = { 5 harmonia = { 6 services.harmonia = { 7 enable = true; 8 - signKeyPath = pkgs.writeText "cache-key" 9 - "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg=="; 10 }; 11 12 networking.firewall.allowedTCPPorts = [ 5000 ]; 13 - system.extraDependencies = [ pkgs.hello ]; 14 }; 15 16 - client01 = { lib, ... }: { 17 nix.settings = { 18 substituters = lib.mkForce [ "http://harmonia:5000" ]; 19 trusted-public-keys = lib.mkForce [ "cache.example.com-1:eIGQXcGQpc00x6/XFcyacLEUmC07u4RAEHt5Y8vdglo=" ]; ··· 21 }; 22 }; 23 24 - testScript = '' 25 start_all() 26 27 - client01.wait_until_succeeds("curl -f http://harmonia:5000/version") 28 - client01.succeed("curl -f http://harmonia:5000/nix-cache-info") 29 30 client01.succeed("cat /etc/nix/nix.conf >&2") 31 - client01.wait_until_succeeds("nix-store --realise ${pkgs.hello} --store /root/other-store") 32 ''; 33 - })

··· 1 + { pkgs, lib, ... }: 2 + 3 { 4 name = "harmonia"; 5 + 6 nodes = { 7 harmonia = { 8 services.harmonia = { 9 enable = true; 10 + signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg=="; 11 }; 12 13 networking.firewall.allowedTCPPorts = [ 5000 ]; 14 + system.extraDependencies = [ pkgs.emptyFile ]; 15 }; 16 17 + client01 = { 18 nix.settings = { 19 substituters = lib.mkForce [ "http://harmonia:5000" ]; 20 trusted-public-keys = lib.mkForce [ "cache.example.com-1:eIGQXcGQpc00x6/XFcyacLEUmC07u4RAEHt5Y8vdglo=" ]; ··· 22 }; 23 }; 24 25 + testScript = { nodes, ... }: '' 26 start_all() 27 28 + harmonia.wait_for_unit("harmonia.service") 29 + client01.wait_until_succeeds("curl -f http://harmonia:5000/nix-cache-info") 30 + client01.succeed("curl -f http://harmonia:5000/version | grep '${nodes.harmonia.services.harmonia.package.version}' >&2") 31 32 client01.succeed("cat /etc/nix/nix.conf >&2") 33 + client01.succeed("nix-store --realise ${pkgs.emptyFile} --store /root/other-store") 34 ''; 35 + }

+3 -3

pkgs/tools/package-management/harmonia/default.nix

··· 11 12 rustPlatform.buildRustPackage rec { 13 pname = "harmonia"; 14 - version = "0.6.3"; 15 16 src = fetchFromGitHub { 17 owner = "nix-community"; 18 repo = pname; 19 rev = "refs/tags/${pname}-v${version}"; 20 - hash = "sha256-erBmPXMyIYxRLbYG35vH67MypJoXomUEFOVu6IhmEWs="; 21 }; 22 23 - cargoHash = "sha256-Gq7U+Uy3psuPVY0wGM90KA5u5Wc2s4hVJma7B11Ag5g="; 24 25 nativeBuildInputs = [ 26 pkg-config nix

··· 11 12 rustPlatform.buildRustPackage rec { 13 pname = "harmonia"; 14 + version = "0.6.4"; 15 16 src = fetchFromGitHub { 17 owner = "nix-community"; 18 repo = pname; 19 rev = "refs/tags/${pname}-v${version}"; 20 + hash = "sha256-JH0tdUCadvovAJclpx7Fn1oD+POFpBFHdullRTcFaVQ="; 21 }; 22 23 + cargoHash = "sha256-Wa+7Vo5VWmx47Uf6YtlzHReoWY44SxdOnscSFu74OSM="; 24 25 nativeBuildInputs = [ 26 pkg-config nix