author | Oleg Pykhalov <go.wigust@gmail.com> | 2024-05-19 15:19:48 +0300 |
---|---|---|
committer | Oleg Pykhalov <go.wigust@gmail.com> | 2024-05-29 06:16:24 +0300 |
commit | 797be0ea5c3703ad96acd32c98dca5f946cf5c95 (patch) | |
tree | 94bbcdfc3c60f58c3ed4115e0ea525f7409e49e8 | |
parent | 542b18709a46e361de8f25e3fece29860532743c (diff) | |
services: nix: Mount Nix store read only.
* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.
Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
-rw-r--r-- | gnu/services/nix.scm | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -26,6 +26,7 @@
   #:use-module (gnu services shepherd)
   #:use-module (gnu services web)
   #:use-module (gnu services)
+  #:use-module (gnu system file-systems)
   #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix packages)
@@ -129,6 +130,20 @@ GID."
                    '#$build-sandbox-items))
         (for-each (cut display <>) '#$extra-config)))))))))))
 
+(define %nix-store-directory
+  "/nix/store")
+
+(define %immutable-nix-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'nix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (list (file-system
+          (device %nix-store-directory)
+          (mount-point %nix-store-directory)
+          (type "none")
+          (check? #f)
+          (flags '(read-only bind-mount)))))
+
 (define nix-shepherd-service
   ;; Return a <shepherd-service> for Nix.
   (match-lambda
@@ -137,7 +152,7 @@ GID."
      (shepherd-service
       (provision '(nix-daemon))
       (documentation "Run nix-daemon.")
-      (requirement '())
+      (requirement '(user-processes file-system-/nix/store))
       (start #~(make-forkexec-constructor
                 (list (string-append #$package "/bin/nix-daemon")
                       #$@extra-options)
@@ -156,7 +171,9 @@ GID."
         (service-extension activation-service-type nix-activation)
         (service-extension etc-service-type nix-service-etc)
         (service-extension profile-service-type
-                           (compose list nix-configuration-package))))
+                           (compose list nix-configuration-package))
+        (service-extension file-system-service-type
+                           (const %immutable-nix-store))))
   (description "Run the Nix daemon.")
   (default-value (nix-configuration))))
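Review bot: The comment on `%immutable-nix-store` should say what the read-only bind mount does and does not protect against: it guards against accidental writes, but any process with CAP_SYS_ADMIN in the initial mount namespace can remount it writable exactly the way nix-daemon does, so it is not a security boundary for the store contents. I would extend the comment with `;; This is a safety belt against accidents, not a security boundary: root in the initial mount namespace can remount it read-write at any time.` Two things are worth confirming rather than assuming: the kernel ignores MS_RDONLY on the initial MS_BIND call, so the `read-only` flag only takes effect if the Guix mount helper issues the follow-up remount for bind mounts, and the rest of this file (activation, nix-service-etc) lies outside the hunk and presumably still hard-codes "/nix/store" where the new `%nix-store-directory` variable could be used instead.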
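Review bot: The `documentation` string of the service is unchanged although the daemon now starts only once `file-system-/nix/store` is mounted read-only and relies on remounting the store read-write in its own mount namespace; if that remount is not possible (for example when the daemon runs without CAP_SYS_ADMIN or mount-namespace creation is blocked), every build fails with EROFS, which is a non-obvious failure mode for an operator reading `herd status nix-daemon`. I would change the line to `(documentation "Run nix-daemon (expects /nix/store mounted read-only; the daemon remounts it read-write in a private mount namespace).")`. The requirement change itself fails closed in the right direction: a failed store mount keeps the daemon down instead of letting it run against a writable store. `nix-shepherd-service` starts before this hunk and its body continues past it.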