diff mbox series

[bug#71071] services: nix: Mount Nix store read only.

Message ID 13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com
State New
Headers show
Series [bug#71071] services: nix: Mount Nix store read only. | expand

Commit Message

Oleg Pykhalov May 23, 2024, 4:38 a.m. UTC 
* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
---
 gnu/services/nix.scm | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)


base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e

Comments

Maxim Cournoyer May 27, 2024, 1:32 a.m. UTC | #1 
Hi Oleg,

Oleg Pykhalov <go.wigust@gmail.com> writes:

> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4

Nitpick: The Change-Id value shouldn't change between revisions of a
change (so it should eb the same as in v1, which was
I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).

> ---
>  gnu/services/nix.scm | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
> index 82853253f6..419e5968fe 100644
> --- a/gnu/services/nix.scm
> +++ b/gnu/services/nix.scm
> @@ -1,5 +1,5 @@
>  ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
> +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
>  ;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
> @@ -26,6 +26,7 @@ (define-module (gnu services nix)
>    #:use-module (gnu services shepherd)
>    #:use-module (gnu services web)
>    #:use-module (gnu services)
> +  #:use-module (gnu system file-systems)
>    #:use-module (gnu system shadow)
>    #:use-module (guix gexp)
>    #:use-module (guix packages)
> @@ -129,6 +130,20 @@ (define nix-service-etc
>                                      '#$build-sandbox-items))
>                      (for-each (cut display <>) '#$extra-config)))))))))))
>  
> +(define %nix-store-directory
> +  "/nix/store")
> +
> +(define %immutable-nix-store
> +  ;; Read-only store to avoid users or daemons accidentally modifying it.
> +  ;; 'nix-daemon' has provisions to remount it read-write in its own name
> +  ;; space.
> +  (list (file-system
> +          (device %nix-store-directory)
> +          (mount-point %nix-store-directory)
> +          (type "none")
> +          (check? #f)
> +          (flags '(read-only bind-mount)))))
> +
>  (define nix-shepherd-service
>    ;; Return a <shepherd-service> for Nix.
>    (match-lambda
> @@ -137,7 +152,7 @@ (define nix-shepherd-service
>        (shepherd-service
>         (provision '(nix-daemon))
>         (documentation "Run nix-daemon.")
> -       (requirement '())
> +       (requirement '(user-processes file-system-/nix/store))
>         (start #~(make-forkexec-constructor
>                   (list (string-append #$package "/bin/nix-daemon")
>                         #$@extra-options)
> @@ -156,7 +171,9 @@ (define nix-service-type
>            (service-extension activation-service-type nix-activation)
>            (service-extension etc-service-type nix-service-etc)
>            (service-extension profile-service-type
> -                             (compose list nix-configuration-package))))
> +                             (compose list nix-configuration-package))
> +          (service-extension file-system-service-type
> +                             (const %immutable-nix-store))))
>     (description "Run the Nix daemon.")
>     (default-value (nix-configuration))))

This LGTM, thanks to Ludo for suggesting this nice improvement in v2.
Oleg Pykhalov May 29, 2024, 3:32 a.m. UTC | #2 
Hello Maxim and Ludovic.

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
>
> Nitpick: The Change-Id value shouldn't change between revisions of a
> change (so it should eb the same as in v1, which was
> I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).

Oh, I wasn't aware of that. Thanks for pointing it out. I've updated the
Change-Id and pushed the commit as
797be0ea5c3703ad96acd32c98dca5f946cf5c95.

[…]

> This LGTM, thanks to Ludo for suggesting this nice improvement in v2.

Yes, thanks for the suggestions. All of them have been implemented.


Regards,
Oleg.
diff mbox series

Patch

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@ 
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -26,6 +26,7 @@  (define-module (gnu services nix)
   #:use-module (gnu services shepherd)
   #:use-module (gnu services web)
   #:use-module (gnu services)
+  #:use-module (gnu system file-systems)
   #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix packages)
@@ -129,6 +130,20 @@  (define nix-service-etc
                                     '#$build-sandbox-items))
                     (for-each (cut display <>) '#$extra-config)))))))))))
 
+(define %nix-store-directory
+  "/nix/store")
+
+(define %immutable-nix-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'nix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (list (file-system
+          (device %nix-store-directory)
+          (mount-point %nix-store-directory)
+          (type "none")
+          (check? #f)
+          (flags '(read-only bind-mount)))))
+
 (define nix-shepherd-service
   ;; Return a <shepherd-service> for Nix.
   (match-lambda
@@ -137,7 +152,7 @@  (define nix-shepherd-service
       (shepherd-service
        (provision '(nix-daemon))
        (documentation "Run nix-daemon.")
-       (requirement '())
+       (requirement '(user-processes file-system-/nix/store))
        (start #~(make-forkexec-constructor
                  (list (string-append #$package "/bin/nix-daemon")
                        #$@extra-options)
@@ -156,7 +171,9 @@  (define nix-service-type
           (service-extension activation-service-type nix-activation)
           (service-extension etc-service-type nix-service-etc)
           (service-extension profile-service-type
-                             (compose list nix-configuration-package))))
+                             (compose list nix-configuration-package))
+          (service-extension file-system-service-type
+                             (const %immutable-nix-store))))
    (description "Run the Nix daemon.")
    (default-value (nix-configuration))))