From c5fb4177b85844c34148c4a881ed82e9beedd64e Mon Sep 17 00:00:00 2001
From: Moises Nessim
Date: Thu, 11 Jul 2019 15:42:36 -0500
Subject: [PATCH 1/2] Add hostStoreAsReadOnly option to service host-store.
Make /nix/store and /run/system read-only when hostStoreAsReadOnly == true.
---
 src/nix/modules/service/host-store.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/nix/modules/service/host-store.nix b/src/nix/modules/service/host-store.nix
index 9ec06fc..e8fa9ee 100644
--- a/src/nix/modules/service/host-store.nix
+++ b/src/nix/modules/service/host-store.nix
@@ -17,6 +17,11 @@ in
 default = false;
 description = "Bind mounts the host store if enabled, avoiding copying.";
 };
+ service.hostStoreAsReadOnly = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount.";
+ };
 service.useHostNixDaemon = mkOption {
 type = types.bool;
 default = false;
@@ -29,8 +34,8 @@ in
 service.build.context = "${../../../arion-image}";
 service.environment.NIX_REMOTE = lib.optionalString config.service.useHostNixDaemon "daemon";
 service.volumes = [
- "${config.host.nixStorePrefix}/nix/store:/nix/store"
- "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
+ "${config.host.nixStorePrefix}/nix/store:/nix/store${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
+ "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
 ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
 service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
 };
From 662042a2bf857b68efeb29eb11ee38eb6c974823 Mon Sep 17 00:00:00 2001
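Review bot: The description of the added `service.hostStoreAsReadOnly` option says the `:ro` mode is applied to "the host nix store bind mount", but the second hunk of this patch appends the same suffix to the `/run/system` bind mount as well, so the documented effect is narrower than the real one; the identical description is carried unchanged into PATCH 2/2. Suggest `description = "Mounts the host nix store and the generated /run/system environment read-only (':ro') in the container.";`. The attribute set that holds these `mkOption` declarations starts before this hunk.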
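Review bot: The expression `lib.optionalString config.service.hostStoreAsReadOnly ":ro"` is duplicated verbatim on both `service.volumes` entries, so any later change to the mode or to the gating option has to be made in two places. Binding it once in the module's `let` (the `in` in the hunk header shows it exists, but it lies outside this hunk), e.g. `roSuffix = lib.optionalString config.service.hostStoreAsReadOnly ":ro";`, and appending `${roSuffix}` to each mount keeps the two mounts in step. The daemon-socket mount added by `useHostNixDaemon` is unaffected and stays read-write, which looks intentional since writes would go through the host daemon; a short comment on the volumes list saying that only the store and `/run/system` are affected would make the intent explicit. The `service.volumes` list and the surrounding attribute set continue outside the hunk.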
From: moinessim <47434700+moinessim@users.noreply.github.com>
Date: Tue, 23 Jul 2019 10:09:15 -0500
Subject: [PATCH 2/2] Make hostStoreAsReadOnly true by default.
Co-Authored-By: Robert Hensing
---
 src/nix/modules/service/host-store.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nix/modules/service/host-store.nix b/src/nix/modules/service/host-store.nix
index e8fa9ee..63a77c1 100644
--- a/src/nix/modules/service/host-store.nix
+++ b/src/nix/modules/service/host-store.nix
@@ -19,7 +19,7 @@ in
 };
 service.hostStoreAsReadOnly = mkOption {
 type = types.bool;
- default = false;
+ default = true;
 description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount.";
 };
 service.useHostNixDaemon = mkOption {