From c5fb4177b85844c34148c4a881ed82e9beedd64e Mon Sep 17 00:00:00 2001 From: Moises Nessim Date: Thu, 11 Jul 2019 15:42:36 -0500 Subject: [PATCH] Add hostStoreAsReadOnly option to service host-store. Make /nix/store and /run/system read-only when hostStoreAsReadOnly == true. --- src/nix/modules/service/host-store.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/nix/modules/service/host-store.nix b/src/nix/modules/service/host-store.nix index 9ec06fc..e8fa9ee 100644 --- a/src/nix/modules/service/host-store.nix +++ b/src/nix/modules/service/host-store.nix @@ -17,6 +17,11 @@ in default = false; description = "Bind mounts the host store if enabled, avoiding copying."; }; + service.hostStoreAsReadOnly = mkOption { + type = types.bool; + default = false; + description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount."; + }; service.useHostNixDaemon = mkOption { type = types.bool; default = false; @@ -29,8 +34,8 @@ in service.build.context = "${../../../arion-image}"; service.environment.NIX_REMOTE = lib.optionalString config.service.useHostNixDaemon "daemon"; service.volumes = [ - "${config.host.nixStorePrefix}/nix/store:/nix/store" - "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system" + "${config.host.nixStorePrefix}/nix/store:/nix/store${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}" + "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}" ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket"; service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or [])); };