Merge pull request #62 from moinessim/Add-read-only-access-mode-to-nix-store-volume

Add hostStoreAsReadOnly option to service host-store.
This commit is contained in:
Robert Hensing 2019-07-29 15:56:40 +02:00 committed by GitHub
commit a356daaa86
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -17,6 +17,11 @@ in
default = false;
description = "Bind mounts the host store if enabled, avoiding copying.";
};
service.hostStoreAsReadOnly = mkOption {
type = types.bool;
default = true;
description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount.";
};
service.useHostNixDaemon = mkOption {
type = types.bool;
default = false;
@ -29,8 +34,8 @@ in
service.build.context = "${../../../arion-image}";
service.environment.NIX_REMOTE = lib.optionalString config.service.useHostNixDaemon "daemon";
service.volumes = [
"${config.host.nixStorePrefix}/nix/store:/nix/store"
"${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
"${config.host.nixStorePrefix}/nix/store:/nix/store${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
"${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
};
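Review bot: The option description on the `service.hostStoreAsReadOnly` line ("Adds a ':ro' (read-only) access mode to the host nix store bind mount.") covers only the `/nix/store` mount, but the second hunk appends the same `:ro` suffix to the `/run/system` buildEnv mount as well, so the documentation undersells what the flag controls; widening it to `description = "Adds a ':ro' (read-only) access mode to the host nix store and /run/system bind mounts.";` would keep option docs and behaviour in step. It would also help to state that the flag only has an effect when the host-store bind mount itself is enabled, which appears to be governed by the option whose `default = false` / "Bind mounts the host store if enabled" lines open the first hunk (its name lies outside the hunk, so I cannot confirm it). Defaulting to `true` is the safer choice here, since a writable bind mount would let a container modify host store paths, and keeping it the default is worth noting in the description. As a point of style, the `lib.optionalString config.service.hostStoreAsReadOnly ":ro"` expression is repeated verbatim on both new volume lines; a single binding such as `roSuffix = lib.optionalString config.service.hostStoreAsReadOnly ":ro";` in the enclosing `let` (which starts outside the hunk) would remove the duplication.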