From d465e92647470759177cb63914fd3571cea7a8a4 Mon Sep 17 00:00:00 2001
From: Ryan Schanzenbacher <ryan@rschanz.org>
Date: Tue, 1 Apr 2025 11:26:04 -0400
Subject: Using Zen, added nix update to be upstreamed

---
 modules/ryan-services/nix.scm | 182 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100644 modules/ryan-services/nix.scm

(limited to 'modules/ryan-services')

diff --git a/modules/ryan-services/nix.scm b/modules/ryan-services/nix.scm
new file mode 100644
index 0000000..75c9082
--- /dev/null
+++ b/modules/ryan-services/nix.scm
@@ -0,0 +1,182 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (ryan-services nix)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages bash)
+  #:use-module (gnu packages package-management)
+  #:use-module (gnu services base)
+  #:use-module (gnu services configuration)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu services web)
+  #:use-module (gnu services)
+  #:use-module (gnu system file-systems)
+  #:use-module (gnu system shadow)
+  #:use-module (guix gexp)
+  #:use-module (guix packages)
+  #:use-module (guix records)
+  #:use-module (guix store)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
+  #:use-module (ice-9 match)
+  #:use-module (ice-9 format)
+  #:use-module (guix modules)
+  #:export (nix-service-type
+
+            nix-configuration
+            nix-configuration?))
+
+;;; Commentary:
+;;;
+;;; This module provides a service definition for the Nix daemon.
+;;;
+;;; Code:
+
+(define-record-type* <nix-configuration>
+  nix-configuration make-nix-configuration
+  nix-configuration?
+  (package             nix-configuration-package ;file-like
+                       (default nix))
+  (sandbox             nix-configuration-sandbox ;boolean
+                       (default #t))
+  (build-directory     nix-configuration-build-directory ;string
+                       (default "/tmp"))
+  (build-sandbox-items nix-configuration-build-sandbox-items ;list of strings
+                       (default '()))
+  (extra-config        nix-configuration-extra-config ;list of strings
+                       (default '()))
+  (extra-options       nix-configuration-extra-options ;list of strings
+                       (default '())))
+
+;; Copied from gnu/services/base.scm
+(define* (nix-build-accounts count #:key
+                             (group "nixbld")
+                             (shadow shadow))
+  "Return a list of COUNT user accounts for Nix build users with the given
+GID."
+  (unfold (cut > <> count)
+          (lambda (n)
+            (user-account
+             (name (format #f "nixbld~2,'0d" n))
+             (system? #t)
+             (group group)
+             (supplementary-groups (list group "kvm"))
+             (comment (format #f "Nix Build User ~2d" n))
+             (home-directory "/var/empty")
+             (shell (file-append shadow "/sbin/nologin"))))
+          1+
+          1))
+(define (nix-accounts _)
+  "Return the user accounts and user groups."
+  (cons (user-group
+         (name "nixbld")
+         (system? #t)
+
+         ;; Use a fixed GID so that we can create the store with the right
+         ;; owner.
+         (id 40000))
+        (nix-build-accounts 10 #:group "nixbld")))
+
+(define (nix-activation _)
+  ;; Return the activation gexp.
+  #~(begin
+      (use-modules (guix build utils)
+                   (srfi srfi-26))
+      (for-each (cut mkdir-p <>) '("/nix/var/log"
+                                   "/nix/var/nix/gcroots/per-user"
+                                   "/nix/var/nix/profiles/per-user"))
+      (unless (file-exists? #$%nix-store-directory)
+        (mkdir-p #$%nix-store-directory)
+        (chown #$%nix-store-directory
+               (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
+        (chmod #$%nix-store-directory #o775))
+      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
+                                       "/nix/var/nix/profiles/per-user"))))
+
+(define nix-service-etc
+  (match-lambda
+    (($ <nix-configuration> package sandbox build-directory build-sandbox-items extra-config)
+     (let ((ref-file (references-file package)))
+       `(("nix/nix.conf"
+          ,(computed-file
+            "nix.conf"
+            #~(begin
+                (use-modules (srfi srfi-26)
+                             (ice-9 format))
+                (with-output-to-file #$output
+                  (lambda _
+                    (define internal-sandbox-paths
+                      (call-with-input-file #$ref-file read))
+
+                    (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
+                    ;; config.nix captures store file names.
+                    (format #t "sandbox-paths = ~{~a ~}~%"
+                            (append (list (string-append "/bin/sh=" #$bash-minimal "/bin/bash"))
+                                    internal-sandbox-paths
+                                    '#$build-sandbox-items))
+                    (for-each (cut display <>) '#$extra-config)))))))))))
+
+(define %nix-store-directory
+  "/nix/store")
+
+(define %immutable-nix-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'nix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (list (file-system
+          (device %nix-store-directory)
+          (mount-point %nix-store-directory)
+          (type "none")
+          (check? #f)
+          (flags '(read-only bind-mount)))))
+
+(define nix-shepherd-service
+  ;; Return a <shepherd-service> for Nix.
+  (match-lambda
+    (($ <nix-configuration> package _ build-directory _ _ extra-options)
+     (list
+      (shepherd-service
+       (provision '(nix-daemon))
+       (documentation "Run nix-daemon.")
+       (requirement '(user-processes file-system-/nix/store))
+       (start #~(make-forkexec-constructor
+                 (list (string-append #$package "/bin/nix-daemon")
+                       #$@extra-options)
+                 #:environment-variables
+                 (list (string-append "TMPDIR=" #$build-directory)
+                       "PATH=/run/current-system/profile/bin")))
+       (respawn? #f)
+       (stop #~(make-kill-destructor)))))))
+
+(define nix-service-type
+  (service-type
+   (name 'nix)
+   (extensions
+    (list (service-extension shepherd-root-service-type nix-shepherd-service)
+          (service-extension account-service-type nix-accounts)
+          (service-extension activation-service-type nix-activation)
+          (service-extension etc-service-type nix-service-etc)
+          (service-extension profile-service-type
+                             (compose list nix-configuration-package))
+          (service-extension file-system-service-type
+                             (const %immutable-nix-store))))
+   (description "Run the Nix daemon.")
+   (default-value (nix-configuration))))
+
+;;; nix.scm ends here
-- 
cgit v1.2.3