										 |  |  | { | 
					
						
							|  |  |  |   config, | 
					
						
							|  |  |  |   lib, | 
					
						
							|  |  |  |   ... | 
					
						
							|  |  |  | }: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | let | 
					
						
							|  |  |  |   cfg = config.services.nix-verify; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   verify-type = | 
					
						
							|  |  |  |     with lib.types; | 
					
						
							|  |  |  |     attrsOf ( | 
					
						
							|  |  |  |       submodule ( | 
					
						
							|  |  |  |         { name, ... }: | 
					
						
							|  |  |  |         { | 
					
						
							|  |  |  |           options = { | 
					
						
							|  |  |  |             enable = lib.mkEnableOption "verify status of nix store"; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             service-name = lib.mkOption { | 
					
						
							|  |  |  |               type = lib.types.str; | 
					
						
							|  |  |  |               description = "the name of the systemd service. ${name} by default"; | 
					
						
							|  |  |  |               default = name; | 
					
						
							|  |  |  |             }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             verify-contents = lib.mkEnableOption "verify contents of nix store"; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             verify-trust = lib.mkEnableOption "verify if each path is trusted"; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             signatures-needed = lib.mkOption { | 
					
						
							|  |  |  |               type = lib.types.int; | 
					
						
							|  |  |  |               description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set."; | 
					
						
							|  |  |  |               default = -1; | 
					
						
							|  |  |  |             }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             frequency = lib.mkOption { | 
					
						
							|  |  |  |               type = lib.types.str; | 
					
						
							|  |  |  |               description = "systemd-timer compatible time between pulls"; | 
					
						
							|  |  |  |               default = "1day"; | 
					
						
							|  |  |  |             }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             randomized-delay-sec = lib.mkOption { | 
					
						
							|  |  |  |               type = lib.types.str; | 
					
						
							|  |  |  |               description = "systemd-timer compatible time randomized delay"; | 
					
						
							|  |  |  |               default = "0"; | 
					
						
							|  |  |  |             }; | 
					
						
							|  |  |  |           }; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |       ) | 
					
						
							|  |  |  |     ); | 
					
						
							|  |  |  | in | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   options = { | 
					
						
							|  |  |  |     services.nix-verify = lib.mkOption { | 
					
						
							|  |  |  |       type = verify-type; | 
					
						
							|  |  |  |       default = { }; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   config = | 
					
						
							|  |  |  |     let | 
					
						
							|  |  |  |       verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg; | 
					
						
							|  |  |  |     in | 
					
						
							|  |  |  |     { | 
					
						
							|  |  |  |       systemd.services = lib.mapAttrs' ( | 
					
						
							|  |  |  |         _: | 
					
						
							|  |  |  |         { | 
					
						
							|  |  |  |           service-name, | 
					
						
							|  |  |  |           verify-contents, | 
					
						
							|  |  |  |           verify-trust, | 
					
						
							|  |  |  |           signatures-needed, | 
					
						
							|  |  |  |           ... | 
					
						
							|  |  |  |         }: | 
					
						
							|  |  |  |         lib.nameValuePair "nix-verifiers@${service-name}" { | 
					
						
							|  |  |  |           requires = [ "multi-user.target" ]; | 
					
						
							|  |  |  |           after = [ "multi-user.target" ]; | 
					
						
							| 
									
										
										
										
											2025-04-28 17:10:42 -04:00
										 |  |  |           description = | 
					
						
							|  |  |  |             "Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: " | 
					
						
							|  |  |  |             + "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})"; | 
					
						
							| 
									
										
										
										
											2025-04-28 17:00:46 -04:00
										 |  |  |           serviceConfig = { | 
					
						
							|  |  |  |             Type = "oneshot"; | 
					
						
							|  |  |  |             User = "root"; | 
					
						
							|  |  |  |             ExecStart = | 
					
						
							|  |  |  |               "${config.nix.package}/bin/nix store verify --all " | 
					
						
							|  |  |  |               + lib.optionalString (!verify-contents) "--no-contents " | 
					
						
							|  |  |  |               + lib.optionalString (!verify-trust) "--no-trust " | 
					
						
							|  |  |  |               + lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}"; | 
					
						
							|  |  |  |           }; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |       ) verifiers; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       systemd.timers = lib.mapAttrs' ( | 
					
						
							|  |  |  |         _: | 
					
						
							|  |  |  |         { | 
					
						
							|  |  |  |           service-name, | 
					
						
							|  |  |  |           frequency, | 
					
						
							|  |  |  |           randomized-delay-sec, | 
					
						
							|  |  |  |           ... | 
					
						
							|  |  |  |         }: | 
					
						
							|  |  |  |         lib.nameValuePair "nix-verifiers@${service-name}" { | 
					
						
							|  |  |  |           wantedBy = [ "timers.target" ]; | 
					
						
							|  |  |  |           timerConfig = { | 
					
						
							|  |  |  |             OnBootSec = frequency; | 
					
						
							|  |  |  |             OnUnitActiveSec = frequency; | 
					
						
							|  |  |  |             RandomizedDelaySec = randomized-delay-sec; | 
					
						
							|  |  |  |             Unit = "nix-verifiers@${service-name}.service"; | 
					
						
							|  |  |  |           }; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |       ) verifiers; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  | } |