ncps: Add support for the --cache-temp-path flag

(cherry picked from commit 414c23facc)

nixos/modules/services/networking/ncps.nix

@@ -37,6 +37,7 @@ let
       "--cache-hostname='${cfg.cache.hostName}'"
       "--cache-data-path='${cfg.cache.dataPath}'"
       "--cache-database-url='${cfg.cache.databaseURL}'"
+      "--cache-temp-path='${cfg.cache.tempPath}'"
       "--server-addr='${cfg.server.addr}'"
     ]
     ++ (lib.optional cfg.cache.allowDeleteVerb "--cache-allow-delete-verb")
@@ -170,6 +171,14 @@ in
             empty to automatically generate a private/public key.
           '';
         };
+
+        tempPath = lib.mkOption {
+          type = lib.types.str;
+          default = "/tmp";
+          description = ''
+            The path to the temporary directory that is used by the cache to download NAR files
+          '';
+        };
       };
 
       server = {
@@ -219,7 +228,7 @@ in
     };
     users.groups.ncps = { };
 
-    systemd.services.ncps-create-datadirs = {
+    systemd.services.ncps-create-directories = {
       description = "Created required directories by ncps";
       serviceConfig = {
         Type = "oneshot";
@@ -237,6 +246,12 @@ in
             mkdir -p ${dbDir}
             chown ncps:ncps ${dbDir}
           fi
+        '')
+        + (lib.optionalString (cfg.cache.tempPath != "/tmp") ''
+          if ! test -d ${cfg.cache.tempPath}; then
+            mkdir -p ${cfg.cache.tempPath}
+            chown ncps:ncps ${cfg.cache.tempPath}
+          fi
         '');
       wantedBy = [ "ncps.service" ];
       before = [ "ncps.service" ];
@@ -278,6 +293,9 @@ in
         (lib.mkIf (isSqlite && !lib.strings.hasPrefix "/var/lib/ncps" dbDir) {
           ReadWritePaths = [ dbDir ];
         })
+        (lib.mkIf (cfg.cache.tempPath != "/tmp") {
+          ReadWritePaths = [ cfg.cache.tempPath ];
+        })
 
         # Hardening
         {