add initial nixos modules

2026-02-26 19:11:53 +01:00 · 2026-02-26 19:11:53 +01:00 · 07bd576628
commit 07bd576628
parent 164a8e9aa9
3 changed files with 123 additions and 0 deletions
--- a/nixos-module-server.nix
+++ b/nixos-module-server.nix
@ -0,0 +1,49 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.nix-cache-login-server;
+in
+{
+  options.services.nix-cache-login-server = {
+    enable = lib.mkEnableOption "nix-cache-login service-account token refresh";
+    package = lib.mkOption {
+      type = lib.types.package;
+      description = "The nix-cache-login package to use.";
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        Path to the nix-cache-login config.toml file. Must include
+        client_secret_file pointing to a readable credentials file.
+      '';
+      example = "/etc/nix-cache-login/config.toml";
+    };
+    refreshInterval = lib.mkOption {
+      type = lib.types.str;
+      default = "15min";
+      description = ''
+        Interval between token refresh attempts, as a systemd time span.
+        On failure the service logs an error and the timer retries on schedule.
+      '';
+      example = "1h";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.nix-cache-login = {
+      description = "Nix cache login - service account token refresh";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${cfg.package}/bin/nix-cache-login --config ${cfg.configFile} service-account";
+      };
+    };
+
+    systemd.timers.nix-cache-login = {
+      description = "Nix cache login - periodic service account token refresh";
+      timerConfig = {
+        OnBootSec = "2min";
+        OnUnitActiveSec = cfg.refreshInterval;
+      };
+      wantedBy = [ "timers.target" ];
+    };
+  };
+}