Guillaume Girol 7e398b3d76
lorri: unbreak due to too tight sandboxing
lorri needs to be able to write to /run/user/<uid> (the per-user runtime
directory, where its socket lives), to its own cache directory ~/.cache/lorri
and to the per-user directory for gc roots.

(cherry picked from commit f06edaf18b)
2024-01-01 10:00:19 +01:00


{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.lorri;
in {
# Module maintainer (see nixpkgs lib.maintainers).
meta.maintainers = with maintainers; [ gerschtli ];
options.services.lorri = {
  # Master switch: enables the daemon service and its socket unit.
  enable = mkEnableOption "lorri build daemon";

  # Adds a second user service that turns the daemon's event stream into
  # desktop notifications.
  enableNotifications = mkEnableOption "lorri build notifications";

  # The lorri build to run as the daemon; it is also added to home.packages.
  package = mkOption {
    description = "Which lorri package to install.";
    type = types.package;
    default = pkgs.lorri;
    defaultText = literalExpression "pkgs.lorri";
  };

  # The nix binary placed on the daemon's PATH (the daemon sees only this one,
  # not whatever nix is in the user's profile).
  nixPackage = mkOption {
    description = "Which nix package to use.";
    type = types.package;
    default = pkgs.nix;
    defaultText = literalExpression "pkgs.nix";
    example = literalExpression "pkgs.nixVersions.unstable";
  };
};
config = mkIf cfg.enable {
  # This module only produces Linux user units; fail evaluation elsewhere.
  assertions = [
    (lib.hm.assertions.assertPlatform "services.lorri" pkgs
      lib.platforms.linux)
  ];

  # Expose the lorri CLI in the user profile, not only inside the service.
  home.packages = [ cfg.package ];

  systemd.user = {
    services.lorri = {
      Unit = {
        Description = "lorri build daemon";
        # Tie the daemon to its socket unit: it is brought up through the
        # socket, and a manual `systemctl --user start lorri` is refused.
        Requires = "lorri.socket";
        After = "lorri.socket";
        RefuseManualStart = true;
      };
      Service = {
        ExecStart = "${cfg.package}/bin/lorri daemon";

        # Sandbox: private /tmp, the whole file system read-only
        # (ProtectSystem=strict leaves only /dev, /proc and /sys writable) and a
        # read-only home. Every location the daemon must write to is listed
        # explicitly below.
        # NOTE(review): no NoNewPrivileges / ProtectKernel* / RestrictAddressFamilies
        # here; whether lorri tolerates them is not established by this file.
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        ReadWritePaths = [
          # %t is the per-user runtime directory (/run/user/<uid>); the socket
          # unit below places its socket at %t/lorri/daemon.socket.
          # NOTE(review): this makes the entire runtime directory writable, not
          # just %t/lorri. Whether the daemon needs anything else under %t is
          # not shown here, so narrowing this to "%t/lorri" is untested.
          "%t"
          # The per-user Nix GC-root directory the daemon writes to.
          "/nix/var/nix/gcroots/per-user/%u"
        ];
        # ~/.cache/lorri: created by systemd and kept writable for the unit even
        # though ProtectHome is read-only (CacheDirectory paths are implicitly
        # read-write).
        CacheDirectory = [ "lorri" ];
        Restart = "on-failure";
        # Minimal, explicit PATH: the configured nix plus git/tar/gzip. Nothing
        # from the user's profile PATH is visible to the daemon.
        Environment = let
          path = with pkgs;
            makeSearchPath "bin" [ cfg.nixPackage gitMinimal gnutar gzip ];
        in [ "PATH=${path}" ];
      };
    };

    sockets.lorri = {
      Unit = { Description = "Socket for lorri build daemon"; };
      Socket = {
        # systemd owns the listening socket; the daemon above inherits it.
        ListenStream = "%t/lorri/daemon.socket";
        # Creates %t/lorri for the socket path.
        RuntimeDirectory = "lorri";
      };
      Install = { WantedBy = [ "sockets.target" ]; };
    };

    # Optional: forward the daemon's live build events to desktop notifications.
    services.lorri-notify = mkIf cfg.enableNotifications {
      Unit = {
        Description = "lorri build notifications";
        After = "lorri.service";
        Requires = "lorri.service";
      };
      Service = {
        ExecStart = let
          # jq filter: each Started/Completed/Failure event becomes one
          # JSON-string line naming the nix file; `values` drops the nulls
          # produced for event kinds that are not matched, so they emit nothing.
          jqFile = ''
            (
              (.Started? | values | "Build starting in \(.nix_file)"),
              (.Completed? | values | "Build complete in \(.nix_file)"),
              (.Failure? | values | "Build failed in \(.nix_file)")
            )
          '';
          # NOTE(review): jq emits JSON-quoted strings and xargs re-parses them
          # with its own quote/backslash rules, so a nix_file path containing a
          # quote or backslash may be mangled or make xargs abort (which then
          # restarts the unit). `jq -r` fed to a `while IFS= read -r` loop
          # would avoid that; not verified here.
          notifyScript = pkgs.writeShellScript "lorri-notify" ''
            lorri internal stream-events --kind live \
              | jq --unbuffered '${jqFile}' \
              | xargs -n 1 notify-send "Lorri Build"
          '';
        in toString notifyScript;
        Restart = "on-failure";
        # Explicit PATH holding exactly the tools the pipeline above uses.
        Environment = let
          path = makeSearchPath "bin"
            (with pkgs; [ bash jq findutils libnotify cfg.package ]);
        in "PATH=${path}";
      };
    };
  };
};
}