init nix-racer substituter proxy

This commit is contained in:
2026-02-24 16:50:17 +08:00
parent f4b3db924f
commit 0207a9cf3e
7 changed files with 2509 additions and 10 deletions
+85 -10
View File
@@ -32,19 +32,94 @@ in
nh
];
environment.etc = lib.mapAttrs' (name: value: {
name = "nix/path/${name}";
value.source = value.flake;
}) config.nix.registry;
environment.etc =
(lib.mapAttrs' (name: value: {
name = "nix/path/${name}";
value.source = value.flake;
}) config.nix.registry)
// {
"nix/nix-racer.toml".source = (pkgs.formats.toml { }).generate "nix-racer.toml" {
listen = "127.0.0.1:2048";
substituters = [
{
penalty = 0;
url = "https://mirror.sjtu.edu.cn/nix-channels/store";
}
{
penalty = 50;
url = "https://mirrors.ustc.edu.cn/nix-channels/store";
}
{
penalty = 0;
url = "https://nix-community.cachix.org";
}
{
penalty = 0;
url = "https://cache.garnix.io";
}
{
penalty = 100;
url = "https://cache.nixos.org";
}
];
};
};
systemd.services.nix-racer = {
description = "Nix substituter proxy with parallel cache queries and latency-aware selection";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${lib.getExe (pkgs.callPackage ./nix-racer/_package.nix { })}";
Restart = "on-failure";
RestartSec = 5;
DynamicUser = true;
CapabilityBoundingSet = [ "" ];
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0077";
};
};
nix.settings = {
experimental-features = "nix-command flakes pipe-operators";
substituters = [
"https://mirrors.ustc.edu.cn/nix-channels/store"
"https://mirrors.sjtug.sjtu.edu.cn/nix-channels/store"
"https://mirror.sjtu.edu.cn/nix-channels/store"
"https://nix-community.cachix.org"
"https://cache.garnix.io"
substituters = lib.mkForce [
"http://127.0.0.1:2048"
# "https://mirrors.ustc.edu.cn/nix-channels/store"
# "https://mirrors.sjtug.sjtu.edu.cn/nix-channels/store"
# "https://mirror.sjtu.edu.cn/nix-channels/store"
# "https://nix-community.cachix.org"
# "https://cache.garnix.io"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="