Compare commits
4 Commits
9532d7a770
...
22994e1c83
| Author | SHA1 | Date | |
|---|---|---|---|
| 22994e1c83 | |||
| fc961578bc | |||
| 7ddbf55e5a | |||
| 36219546b5 |
@ -5,7 +5,7 @@
|
||||
substituters = [
|
||||
"https://cache.nixos.org/?priority=1&want-mass-query=true"
|
||||
"https://nix-community.cachix.org/?priority=10&want-mass-query=true"
|
||||
# "https://attic.nayeonie.com/nix-cache"
|
||||
"https://attic.nayeonie.com/nix-cache"
|
||||
];
|
||||
trusted-substituters = [
|
||||
"https://cache.nixos.org"
|
||||
|
||||
@ -16,4 +16,19 @@
|
||||
persistent = true;
|
||||
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
|
||||
};
|
||||
|
||||
services.nix-verify = {
|
||||
daily = {
|
||||
enable = true;
|
||||
verify-contents = false;
|
||||
verify-trust = false;
|
||||
};
|
||||
weekly = {
|
||||
enable = true;
|
||||
verify-contents = true;
|
||||
verify-trust = false;
|
||||
frequency = "1week";
|
||||
randomized-delay-sec = "6hour";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
110
modules/verify.nix
Normal file
110
modules/verify.nix
Normal file
@ -0,0 +1,110 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.services.nix-verify;
|
||||
|
||||
verify-type =
|
||||
with lib.types;
|
||||
attrsOf (
|
||||
submodule (
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
enable = lib.mkEnableOption "verify status of nix store";
|
||||
|
||||
service-name = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "the name of the systemd service. ${name} by default";
|
||||
default = name;
|
||||
};
|
||||
|
||||
verify-contents = lib.mkEnableOption "verify contents of nix store";
|
||||
|
||||
verify-trust = lib.mkEnableOption "verify if each path is trusted";
|
||||
|
||||
signatures-needed = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
|
||||
default = -1;
|
||||
};
|
||||
|
||||
frequency = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "systemd-timer compatible time between pulls";
|
||||
default = "1day";
|
||||
};
|
||||
|
||||
randomized-delay-sec = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "systemd-timer compatible time randomized delay";
|
||||
default = "0";
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.nix-verify = lib.mkOption {
|
||||
type = verify-type;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
let
|
||||
verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
|
||||
in
|
||||
{
|
||||
systemd.services = lib.mapAttrs' (
|
||||
_:
|
||||
{
|
||||
service-name,
|
||||
verify-contents,
|
||||
verify-trust,
|
||||
signatures-needed,
|
||||
...
|
||||
}:
|
||||
lib.nameValuePair "nix-verifiers@${service-name}" {
|
||||
requires = [ "multi-user.target" ];
|
||||
after = [ "multi-user.target" ];
|
||||
description =
|
||||
"Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: "
|
||||
+ "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
ExecStart =
|
||||
"${config.nix.package}/bin/nix store verify --all "
|
||||
+ lib.optionalString (!verify-contents) "--no-contents "
|
||||
+ lib.optionalString (!verify-trust) "--no-trust "
|
||||
+ lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}";
|
||||
};
|
||||
}
|
||||
) verifiers;
|
||||
|
||||
systemd.timers = lib.mapAttrs' (
|
||||
_:
|
||||
{
|
||||
service-name,
|
||||
frequency,
|
||||
randomized-delay-sec,
|
||||
...
|
||||
}:
|
||||
lib.nameValuePair "nix-verifiers@${service-name}" {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = frequency;
|
||||
OnUnitActiveSec = frequency;
|
||||
RandomizedDelaySec = randomized-delay-sec;
|
||||
Unit = "nix-verifiers@${service-name}.service";
|
||||
};
|
||||
}
|
||||
) verifiers;
|
||||
};
|
||||
}
|
||||
@ -19,6 +19,9 @@ in
|
||||
enable = true;
|
||||
enableJIT = true;
|
||||
package = pkgs.postgresql_16;
|
||||
configurePgStatStatements = true;
|
||||
enableAllPreloadedLibraries = true;
|
||||
preloadAllExtensions = true;
|
||||
identMap = ''
|
||||
# ArbitraryMapName systemUser DBUser
|
||||
superuser_map root postgres
|
||||
@ -68,7 +71,7 @@ in
|
||||
#random_page_cost = 1.25; # speed of random disk access relative to sequential access (1.0);
|
||||
|
||||
# Monitoring;
|
||||
shared_preload_libraries = "pg_stat_statements,auto_explain"; # per statement resource usage stats & log explain statements for slow queries
|
||||
#shared_preload_libraries = "pg_stat_statements,auto_explain"; # per statement resource usage stats & log explain statements for slow queries
|
||||
track_io_timing = "on"; # measure exact block IO times;
|
||||
track_functions = "pl"; # track execution times of pl-language procedures if any;
|
||||
# Replication;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user