services: nix: Mount Nix store read only.

* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
Oleg Pykhalov 2024-05-19 15:19:48 +03:00
parent 542b18709a
commit 797be0ea5c
No known key found for this signature in database
GPG key ID: 167F8EA5001AFA9C


@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com> ;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com> ;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
@ -26,6 +26,7 @@ (define-module (gnu services nix)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:use-module (gnu services web) #:use-module (gnu services web)
#:use-module (gnu services) #:use-module (gnu services)
#:use-module (gnu system file-systems)
#:use-module (gnu system shadow) #:use-module (gnu system shadow)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (guix packages) #:use-module (guix packages)
@ -129,6 +130,20 @@ (define internal-sandbox-paths
'#$build-sandbox-items)) '#$build-sandbox-items))
(for-each (cut display <>) '#$extra-config))))))))))) (for-each (cut display <>) '#$extra-config)))))))))))
(define %nix-store-directory
"/nix/store")
(define %immutable-nix-store
;; Read-only store to avoid users or daemons accidentally modifying it.
;; 'nix-daemon' has provisions to remount it read-write in its own name
;; space.
(list (file-system
(device %nix-store-directory)
(mount-point %nix-store-directory)
(type "none")
(check? #f)
(flags '(read-only bind-mount)))))
(define nix-shepherd-service (define nix-shepherd-service
;; Return a <shepherd-service> for Nix. ;; Return a <shepherd-service> for Nix.
(match-lambda (match-lambda
@ -137,7 +152,7 @@ (define nix-shepherd-service
(shepherd-service (shepherd-service
(provision '(nix-daemon)) (provision '(nix-daemon))
(documentation "Run nix-daemon.") (documentation "Run nix-daemon.")
(requirement '()) (requirement '(user-processes file-system-/nix/store))
(start #~(make-forkexec-constructor (start #~(make-forkexec-constructor
(list (string-append #$package "/bin/nix-daemon") (list (string-append #$package "/bin/nix-daemon")
#$@extra-options) #$@extra-options)
@ -156,7 +171,9 @@ (define nix-service-type
(service-extension activation-service-type nix-activation) (service-extension activation-service-type nix-activation)
(service-extension etc-service-type nix-service-etc) (service-extension etc-service-type nix-service-etc)
(service-extension profile-service-type (service-extension profile-service-type
(compose list nix-configuration-package)))) (compose list nix-configuration-package))
(service-extension file-system-service-type
(const %immutable-nix-store))))
(description "Run the Nix daemon.") (description "Run the Nix daemon.")
(default-value (nix-configuration)))) (default-value (nix-configuration))))
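Review bot: The `read-only` flag on the bind mount in `%immutable-nix-store` (third hunk) only makes the store read-only if the mounting code performs a second remount step, because on Linux a read-only flag passed in the same mount(2) call as a bind flag is silently ignored and the bind mount stays writable; Guix's mount helper does, as far as I can tell, special-case the `read-only` + `bind-mount` combination with a remount, but the effect should be confirmed by checking that `/nix/store` is listed with `ro` in /proc/self/mountinfo after boot rather than trusting the flags alone. The mount point also has to exist when the `file-system-/nix/store` shepherd service starts: if `/nix/store` is first created by `nix-activation`, which this hunk does not show, the activation-before-shepherd ordering covers it, otherwise the record needs `(create-mount-point? #t)`. A short comment linking the two hunks would help, e.g. above the `requirement` line in `nix-shepherd-service`: `;; The store is bind-mounted read-only by %immutable-nix-store; nix-daemon remounts it read-write in its own mount namespace.` Finally, the commit message's ChangeLog lists `%nix-store-directory` but omits the new `%immutable-nix-store` variable.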