diff --git a/flake.nix b/flake.nix
index d7800a0..72660e5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 substituters = [
 "https://cache.nixos.org/?priority=1&want-mass-query=true"
 "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
- # "https://attic.nayeonie.com/nix-cache"
+ "https://attic.nayeonie.com/nix-cache"
 ];
 trusted-substituters = [
 "https://cache.nixos.org"
diff --git a/modules/update.nix b/modules/update.nix
index c31b648..52f9fe1 100644
--- a/modules/update.nix
+++ b/modules/update.nix
@@ -16,4 +16,19 @@
 persistent = true;
 flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
 };
+
+ services.nix-verify = {
+ daily = {
+ enable = true;
+ verify-contents = false;
+ verify-trust = false;
+ };
+ weekly = {
+ enable = true;
+ verify-contents = true;
+ verify-trust = false;
+ frequency = "1week";
+ randomized-delay-sec = "6hour";
+ };
+ };
 }
diff --git a/modules/verify.nix b/modules/verify.nix
new file mode 100644
index 0000000..23cba66
--- /dev/null
+++ b/modules/verify.nix
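Review bot: The attic cache is enabled as a substituter here, but nothing in this hunk adds its signing key to `trusted-public-keys`, and the visible `trusted-substituters` context lists only `https://cache.nixos.org`. With signature checking on (Nix's default), paths from a substituter are only used when signed by a configured key, so either the key is set elsewhere (outside this hunk; cannot tell from here) or this cache is silently skipped; and once its key is trusted, that host can supply any store path, which is worth stating in a comment next to the entry. The sibling entries carry `?priority=…&want-mass-query=true` while the new one has no parameters, so it falls back to the cache's own default priority; consider the same form, e.g. `"https://attic.nayeonie.com/nix-cache?priority=<N>&want-mass-query=true"` with `<N>` chosen relative to the existing 1 and 10. Note also that the `nix store verify` timers added in `modules/update.nix` in this commit run with `verify-trust = false`, so they would not flag unsigned or differently-signed paths served by this cache.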
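Review bot: Both timer instances set `verify-trust = false`, so neither the daily nor the weekly run checks store-path signatures; `verify-contents = true` only compares each path against the NAR hash recorded in the local store database and says nothing about where the path came from. Since this commit also enables a new substituter in `flake.nix`, the weekly entry is the natural place for `verify-trust = true;` (with `signatures-needed` left at its default, `modules/verify.nix` emits no `--sigs-needed` flag). The `daily` entry with both options false produces `nix store verify --all --no-contents --no-trust`, which as far as I can tell only checks that registered paths exist; a one-line comment such as `# existence/reference check only; contents are verified weekly` would make that split read as intentional. The attribute set that `persistent = true;` belongs to starts outside the hunk.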
@@ -0,0 +1,110 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.services.nix-verify;
+
+ verify-type =
+ with lib.types;
+ attrsOf (
+ submodule (
+ { name, ... }:
+ {
+ options = {
+ enable = lib.mkEnableOption "verify status of nix store";
+
+ service-name = lib.mkOption {
+ type = lib.types.str;
+ description = "the name of the systemd service. ${name} by default";
+ default = name;
+ };
+
+ verify-contents = lib.mkEnableOption "verify contents of nix store";
+
+ verify-trust = lib.mkEnableOption "verify if each path is trusted";
+
+ signatures-needed = lib.mkOption {
+ type = lib.types.int;
+ description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
+ default = -1;
+ };
+
+ frequency = lib.mkOption {
+ type = lib.types.str;
+ description = "systemd-timer compatible time between pulls";
+ default = "1day";
+ };
+
+ randomized-delay-sec = lib.mkOption {
+ type = lib.types.str;
+ description = "systemd-timer compatible time randomized delay";
+ default = "0";
+ };
+ };
+ }
+ )
+ );
+in
+{
+ options = {
+ services.nix-verify = lib.mkOption {
+ type = verify-type;
+ default = { };
+ };
+ };
+
+ config =
+ let
+ verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
+ in
+ {
+ systemd.services = lib.mapAttrs' (
+ _:
+ {
+ service-name,
+ verify-contents,
+ verify-trust,
+ signatures-needed,
+ ...
+ }: + lib.nameValuePair "nix-verifiers@${service-name}" { + requires = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + description = + "Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: " + + "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})"; + serviceConfig = { + Type = "oneshot"; + User = "root"; + ExecStart = + "${config.nix.package}/bin/nix store verify --all " + + lib.optionalString (!verify-contents) "--no-contents " + + lib.optionalString (!verify-trust) "--no-trust " + + lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}"; + }; + } + ) verifiers; + + systemd.timers = lib.mapAttrs' ( + _: + { + service-name, + frequency, + randomized-delay-sec, + ... + }: + lib.nameValuePair "nix-verifiers@${service-name}" { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = frequency; + OnUnitActiveSec = frequency; + RandomizedDelaySec = randomized-delay-sec; + Unit = "nix-verifiers@${service-name}.service"; + }; + } + ) verifiers; + }; +}
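Review bot: `"--sigs-needed ${signatures-needed}"` in `ExecStart` interpolates an integer, which Nix refuses to coerce to a string, so any user who sets `signatures-needed` to a non-negative value gets an evaluation error instead of the flag; the default `-1` hides this only because `lib.optionalString` never forces the string. The `description` line a few lines above already does it right with `builtins.toString`, so use the same form here: `+ lib.optionalString (signatures-needed >= 0) "--sigs-needed ${builtins.toString signatures-needed}";`. Separately, the timer sets `OnBootSec = frequency` with only monotonic triggers, so a host rebooted more often than `frequency` (a week for the `weekly` instance in `modules/update.nix`) may never reach its first run; a short fixed boot delay such as `OnBootSec = "15min";` while keeping `OnUnitActiveSec = frequency`, or an `OnCalendar` schedule with `Persistent = true`, avoids that gap. A comment on `signatures-needed` stating that `-1` means "do not pass `--sigs-needed`" (or switching the option to `lib.types.nullOr lib.types.int` with a `null` default) would also document the sentinel.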