From 797be0ea5c3703ad96acd32c98dca5f946cf5c95 Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov
Date: Sun, 19 May 2024 15:19:48 +0300
Subject: services: nix: Mount Nix store read only.

* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
---
 gnu/services/nix.scm | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov
 ;;; Copyright © 2020 Peng Mei Yu
 ;;;
 ;;; This file is part of GNU Guix.
@@ -26,6 +26,7 @@ (define-module (gnu services nix)
 #:use-module (gnu services shepherd)
 #:use-module (gnu services web)
 #:use-module (gnu services)
+ #:use-module (gnu system file-systems)
 #:use-module (gnu system shadow)
 #:use-module (guix gexp)
 #:use-module (guix packages)
@@ -129,6 +130,20 @@ (define internal-sandbox-paths
 '#$build-sandbox-items))
 (for-each (cut display <>) '#$extra-config)))))))))))
 
+(define %nix-store-directory
+ "/nix/store")
+
+(define %immutable-nix-store
+ ;; Read-only store to avoid users or daemons accidentally modifying it.
+ ;; 'nix-daemon' has provisions to remount it read-write in its own name
+ ;; space.
+ (list (file-system
+ (device %nix-store-directory)
+ (mount-point %nix-store-directory)
+ (type "none")
+ (check? #f)
+ (flags '(read-only bind-mount)))))
+
+(define nix-shepherd-service
 ;; Return a for Nix.
 (match-lambda
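Review bot: The shepherd requirement added in the next hunk (`file-system-/nix/store`) spells the store path a second time as a literal symbol while this hunk introduces `%nix-store-directory` for it; if the constant is ever changed, the daemon silently loses its ordering dependency on the read-only mount (or fails to start because the requirement no longer resolves) and the store ends up writable. Assuming Guix names file-system services as `file-system-` followed by the mount point, as the literal suggests, derive it instead: `(requirement (list 'user-processes (symbol-append 'file-system- (string->symbol %nix-store-directory))))`. I would also extend the comment on `%immutable-nix-store` with one sentence making the threat model explicit, e.g. `;; This only guards against accidental writes; anything able to mount can remount it read-write.` The `nix-shepherd-service` definition continues past the end of this hunk.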
@@ -137,7 +152,7 @@ (define nix-shepherd-service
 (shepherd-service
 (provision '(nix-daemon))
 (documentation "Run nix-daemon.")
-(requirement '())
+(requirement '(user-processes file-system-/nix/store))
 (start #~(make-forkexec-constructor
 (list (string-append #$package "/bin/nix-daemon")
 #$@extra-options)
@@ -156,7 +171,9 @@ (define nix-service-type
 (service-extension activation-service-type nix-activation)
 (service-extension etc-service-type nix-service-etc)
 (service-extension profile-service-type
-(compose list nix-configuration-package))))
+(compose list nix-configuration-package))
+(service-extension file-system-service-type
+(const %immutable-nix-store))))
 (description "Run the Nix daemon.")
 (default-value (nix-configuration))))
--
cgit v1.2.3
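Review bot: The new `file-system-service-type` extension is registered alongside the existing `activation-service-type` extension (`nix-activation`, visible as context in this hunk) without any note on how the two interact on a running system. `nix-activation`'s body is outside this hunk, but if it creates or chowns anything under `/nix/store`, a `guix system reconfigure` on a machine where `%immutable-nix-store` is already mounted would presumably hit EROFS — worth confirming, and worth a comment on the `file-system-service-type` line either way, e.g. `;; Mounted read-only at boot; activation must not write under the store once it is up.` If the mount ordering turns out to need `(mount-may-fail? #t)`, note that this fails open (store left writable), which is the opposite of what this hardening intends.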