GNU bug report logs - #71071
[PATCH] services: nix: Mount Nix store read only.

Package: guix-patches;

Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>

Date: Sun, 19 May 2024 19:28:01 UTC

Severity: normal

Tags: patch

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 71071 <at> debbugs.gnu.org
Subject: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
Date: Sun, 26 May 2024 21:32:18 -0400
Hi Oleg,

Oleg Pykhalov <go.wigust <at> gmail.com> writes:

> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4

Nitpick: The Change-Id value shouldn't change between revisions of a
change (so it should be the same as in v1, which was
I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).

> ---
>  gnu/services/nix.scm | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
> index 82853253f6..419e5968fe 100644
> --- a/gnu/services/nix.scm
> +++ b/gnu/services/nix.scm
> @@ -1,5 +1,5 @@
>  ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
> +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust <at> gmail.com>
>  ;;; Copyright © 2020 Peng Mei Yu <i <at> pengmeiyu.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
> @@ -26,6 +26,7 @@ (define-module (gnu services nix)
>    #:use-module (gnu services shepherd)
>    #:use-module (gnu services web)
>    #:use-module (gnu services)
> +  #:use-module (gnu system file-systems)
>    #:use-module (gnu system shadow)
>    #:use-module (guix gexp)
>    #:use-module (guix packages)
> @@ -129,6 +130,20 @@ (define nix-service-etc
>                                      '#$build-sandbox-items))
>                      (for-each (cut display <>) '#$extra-config)))))))))))
>  
> +(define %nix-store-directory
> +  "/nix/store")
> +
> +(define %immutable-nix-store
> +  ;; Read-only store to avoid users or daemons accidentally modifying it.
> +  ;; 'nix-daemon' has provisions to remount it read-write in its own name
> +  ;; space.
> +  (list (file-system
> +          (device %nix-store-directory)
> +          (mount-point %nix-store-directory)
> +          (type "none")
> +          (check? #f)
> +          (flags '(read-only bind-mount)))))
> +
>  (define nix-shepherd-service
>    ;; Return a <shepherd-service> for Nix.
>    (match-lambda
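Review bot: the `'(read-only bind-mount)` flags in `%immutable-nix-store` need a check that the store really ends up read-only. On Linux, mount(2) ignores MS_RDONLY when it is passed in the same call as MS_BIND; the bind mount has to be remounted afterwards with MS_REMOUNT|MS_BIND|MS_RDONLY. If Guix's file-system mounting code already performs that second step for read-only bind mounts, a short comment saying so would spare the next reader the question; if not, /nix/store will be bind-mounted onto itself but still writable. It is also worth confirming that /nix/store exists before the `file-system-/nix/store` service mounts it onto itself (the device and mount point are the same path), or setting `create-mount-point?` to #t in the record.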
> @@ -137,7 +152,7 @@ (define nix-shepherd-service
>        (shepherd-service
>         (provision '(nix-daemon))
>         (documentation "Run nix-daemon.")
> -       (requirement '())
> +       (requirement '(user-processes file-system-/nix/store))
>         (start #~(make-forkexec-constructor
>                   (list (string-append #$package "/bin/nix-daemon")
>                         #$@extra-options)
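Review bot: the literal `file-system-/nix/store` in the requirement must stay in sync with the service name Guix derives from the mount point, so a later change to `%nix-store-directory` would silently break the ordering between the mount and the daemon. Consider deriving the symbol from the file-system object instead, e.g. with `file-system->shepherd-service-name` from (gnu services base) applied to the single entry of `%immutable-nix-store`.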
> @@ -156,7 +171,9 @@ (define nix-service-type
>            (service-extension activation-service-type nix-activation)
>            (service-extension etc-service-type nix-service-etc)
>            (service-extension profile-service-type
> -                             (compose list nix-configuration-package))))
> +                             (compose list nix-configuration-package))
> +          (service-extension file-system-service-type
> +                             (const %immutable-nix-store))))
>     (description "Run the Nix daemon.")
>     (default-value (nix-configuration))))
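Review bot: `(const %immutable-nix-store)` ignores the `nix-configuration` entirely, which is fine as long as the store is fixed at /nix/store; but if the daemon is ever pointed at another store through `extra-options`, neither this mount nor the `file-system-/nix/store` requirement above would follow it. A comment on `%nix-store-directory` stating that the location is deliberately not configurable would make that assumption explicit.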

This LGTM, thanks to Ludo for suggesting this nice improvement in v2.

-- 
Thanks,
Maxim
