nix-dotfiles/modules/verify.nix

{
  config,
  lib,
  ...
}:

let
  cfg = config.services.nix-verify;

  verify-type =
    with lib.types;
    attrsOf (
      submodule (
        { name, ... }:
        {
          options = {
            enable = lib.mkEnableOption "verify status of nix store";

            service-name = lib.mkOption {
              type = lib.types.str;
              description = "the name of the systemd service. ${name} by default";
              default = name;
            };

            verify-contents = lib.mkEnableOption "verify contents of nix store";

            verify-trust = lib.mkEnableOption "verify if each path is trusted";

            signatures-needed = lib.mkOption {
              type = lib.types.int;
              description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
              default = -1;
            };

            frequency = lib.mkOption {
              type = lib.types.str;
              description = "systemd-timer compatible time between pulls";
              default = "1day";
            };

            randomized-delay-sec = lib.mkOption {
              type = lib.types.str;
              description = "systemd-timer compatible time randomized delay";
              default = "0";
            };
          };
        }
      )
    );
in
{
  options = {
    services.nix-verify = lib.mkOption {
      type = verify-type;
      default = { };
    };
  };

  config =
    let
      verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
    in
    {
      systemd.services = lib.mapAttrs' (
        _:
        {
          service-name,
          verify-contents,
          verify-trust,
          signatures-needed,
          ...
        }:
        lib.nameValuePair "nix-verifiers@${service-name}" {
          requires = [ "multi-user.target" ];
          after = [ "multi-user.target" ];
          description =
            "Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: "
            + "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})";
          serviceConfig = {
            Type = "oneshot";
            User = "root";
            ExecStart =
              "${config.nix.package}/bin/nix store verify --all "
              + lib.optionalString (!verify-contents) "--no-contents "
              + lib.optionalString (!verify-trust) "--no-trust "
              + lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}";
          };
        }
      ) verifiers;

      systemd.timers = lib.mapAttrs' (
        _:
        {
          service-name,
          frequency,
          randomized-delay-sec,
          ...
        }:
        lib.nameValuePair "nix-verifiers@${service-name}" {
          wantedBy = [ "timers.target" ];
          timerConfig = {
            OnBootSec = frequency;
            OnUnitActiveSec = frequency;
            RandomizedDelaySec = randomized-delay-sec;
            Unit = "nix-verifiers@${service-name}.service";
          };
        }
      ) verifiers;
    };
}