[bug#71071] services: nix: Mount Nix store read only.
Commit Message
* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.
Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
---
gnu/services/nix.scm | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e
Comments
Hi Oleg,
Oleg Pykhalov <go.wigust@gmail.com> writes:
> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
Nitpick: The Change-Id value shouldn't change between revisions of a
change (so it should be the same as in v1, which was
I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).
> ---
> gnu/services/nix.scm | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
> index 82853253f6..419e5968fe 100644
> --- a/gnu/services/nix.scm
> +++ b/gnu/services/nix.scm
> @@ -1,5 +1,5 @@
> ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
> +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
> ;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
> ;;;
> ;;; This file is part of GNU Guix.
> @@ -26,6 +26,7 @@ (define-module (gnu services nix)
> #:use-module (gnu services shepherd)
> #:use-module (gnu services web)
> #:use-module (gnu services)
> + #:use-module (gnu system file-systems)
> #:use-module (gnu system shadow)
> #:use-module (guix gexp)
> #:use-module (guix packages)
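Review bot: the new `(gnu system file-systems)` import provides the `file-system` record used in the next hunk, but it does not export `file-system-service-type`, which the last hunk extends; the context shown starts at line 26, so please check that the module defining that service type is already among the earlier `#:use-module` lines, otherwise the file will fail to compile with an unbound variable.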
> @@ -129,6 +130,20 @@ (define nix-service-etc
> '#$build-sandbox-items))
> (for-each (cut display <>) '#$extra-config)))))))))))
>
> +(define %nix-store-directory
> + "/nix/store")
> +
> +(define %immutable-nix-store
> + ;; Read-only store to avoid users or daemons accidentally modifying it.
> + ;; 'nix-daemon' has provisions to remount it read-write in its own name
> + ;; space.
> + (list (file-system
> + (device %nix-store-directory)
> + (mount-point %nix-store-directory)
> + (type "none")
> + (check? #f)
> + (flags '(read-only bind-mount)))))
> +
> (define nix-shepherd-service
> ;; Return a <shepherd-service> for Nix.
> (match-lambda
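Review bot: `%immutable-nix-store` bind-mounts `/nix/store` onto itself read-only, but a bind mount needs the directory to exist before the `file-system-/nix/store` service runs, and `create-mount-point?` is left at its default; this relies on `nix-activation` (not in the visible context) having created `/nix/store` during activation, which deserves a sentence in the comment. The comment could also say plainly what the mount does and does not protect against: it stops accidental writes by users and by daemons outside the namespace, while any root process with mount privileges can still remount it read-write, exactly as `nix-daemon` itself does.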
> @@ -137,7 +152,7 @@ (define nix-shepherd-service
> (shepherd-service
> (provision '(nix-daemon))
> (documentation "Run nix-daemon.")
> - (requirement '())
> + (requirement '(user-processes file-system-/nix/store))
> (start #~(make-forkexec-constructor
> (list (string-append #$package "/bin/nix-daemon")
> #$@extra-options)
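Review bot: `file-system-/nix/store` is the Shepherd provision name Guix derives from the mount point, so `nix-daemon` now starts only after the read-only bind mount is in place, which is required for the daemon's private read-write remount (described in the previous hunk's comment) to sit on top of the read-only one; `user-processes` already waits for file systems to be mounted, so the explicit `file-system-/nix/store` entry is largely documentation of intent, which is fine to keep.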
> @@ -156,7 +171,9 @@ (define nix-service-type
> (service-extension activation-service-type nix-activation)
> (service-extension etc-service-type nix-service-etc)
> (service-extension profile-service-type
> - (compose list nix-configuration-package))))
> + (compose list nix-configuration-package))
> + (service-extension file-system-service-type
> + (const %immutable-nix-store))))
> (description "Run the Nix daemon.")
> (default-value (nix-configuration))))
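Review bot: `(const %immutable-nix-store)` ignores the `nix-configuration` value, so the read-only mount is always at the hard-coded `%nix-store-directory` even though `extra-config` (written to the daemon's configuration in `nix-service-etc`) lets users change other Nix settings; a short note in the `description` or a comment on the extension saying that `/nix/store` is fixed and mounted read-only would save users from wondering why a relocated store gets no such protection.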
This LGTM, thanks to Ludo for suggesting this nice improvement in v2.
Hello Maxim and Ludovic.
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
>
> Nitpick: The Change-Id value shouldn't change between revisions of a
> change (so it should be the same as in v1, which was
> I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).
Oh, I wasn't aware of that. Thanks for pointing it out. I've updated the
Change-Id and pushed the commit as
797be0ea5c3703ad96acd32c98dca5f946cf5c95.
[…]
> This LGTM, thanks to Ludo for suggesting this nice improvement in v2.
Yes, thanks for the suggestions. All of them have been implemented.
Regards,
Oleg.