diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov
 ;;; Copyright © 2020 Peng Mei Yu
 ;;;
 ;;; This file is part of GNU Guix.
@@ -26,6 +26,7 @@
 #:use-module (gnu services shepherd)
 #:use-module (gnu services web)
 #:use-module (gnu services)
+ #:use-module (gnu system file-systems)
 #:use-module (gnu system shadow)
 #:use-module (guix gexp)
 #:use-module (guix packages)
@@ -129,6 +130,20 @@ GID."
 '#$build-sandbox-items))
 (for-each (cut display <>) '#$extra-config)))))))))))
 
+(define %nix-store-directory
+ "/nix/store")
+
+(define %immutable-nix-store
+ ;; Read-only store to avoid users or daemons accidentally modifying it.
+ ;; 'nix-daemon' has provisions to remount it read-write in its own name
+ ;; space.
+ (list (file-system
+ (device %nix-store-directory)
+ (mount-point %nix-store-directory)
+ (type "none")
+ (check? #f)
+ (flags '(read-only bind-mount)))))
+
 (define nix-shepherd-service
 ;; Return a for Nix.
 (match-lambda
@@ -137,7 +152,7 @@ GID."
 (shepherd-service
 (provision '(nix-daemon))
 (documentation "Run nix-daemon.")
- (requirement '())
+ (requirement '(user-processes file-system-/nix/store))
 (start #~(make-forkexec-constructor
 (list (string-append #$package "/bin/nix-daemon")
 #$@extra-options)
@@ -156,7 +171,9 @@ GID."
 (service-extension activation-service-type nix-activation)
 (service-extension etc-service-type nix-service-etc)
 (service-extension profile-service-type
- (compose list nix-configuration-package))))
+ (compose list nix-configuration-package))
+ (service-extension file-system-service-type
+ (const %immutable-nix-store))))
 (description "Run the Nix daemon.")
 (default-value (nix-configuration))))
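Review bot: The read-only guarantee of `(flags '(read-only bind-mount))` in %immutable-nix-store depends on the mount helper issuing a second MS_REMOUNT|MS_BIND|MS_RDONLY call, because Linux ignores MS_RDONLY on the initial bind mount; as far as I know Guix's mount-file-system does that remount, but the comment should say so, e.g. `;; Relies on the extra read-only remount that mount-file-system performs for bind mounts.`, so that a future simplification of the helper does not silently leave the store writable. Separately, nix-activation (outside this hunk) is what creates /nix/store, and if it still chowns/chmods the directory on every activation, a `guix system reconfigure` after this mount is active will get EROFS on that call; either the activation snippet should tolerate a read-only store or it should skip the permission changes when the directory already exists. The comment's claim that nix-daemon remounts read-write in its own namespace presumes the mount is not in shared propagation from the daemon's point of view, which is worth confirming once rather than assuming.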
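Review bot: The new requirement `file-system-/nix/store` hard-codes the mount point a second time, so it silently diverges if %nix-store-directory is ever changed, and nothing ties the two together. Deriving the symbol from the same constant keeps them consistent: `(requirement (list 'user-processes (symbol-append 'file-system- (string->symbol %nix-store-directory))))`. The enclosing match-lambda of nix-shepherd-service starts and ends outside this hunk.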