From 4656180d5de1fef2846bea9af27ae509f32376ba Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov <go.wigust@gmail.com>
Date: Wed, 22 Jul 2020 09:47:16 +0300
Subject: services: nix: Fix sandbox.

* gnu/tests/package-management.scm: New file.
* gnu/local.mk: Add this.
* gnu/services/nix.scm (<nix-configuration>): New record.
(nix-activation): Generate Nix config file which fixes sandbox.
(nix-service-type): Add default value.
(nix-shepherd-service): Allow provide Nix package.
* doc/guix.texi (Miscellaneous Services)[Nix service]<nix-configuration>:
Document record.
---
 gnu/services/nix.scm | 91 ++++++++++++++++++++++++++++++++++------------------
 1 file changed, 59 insertions(+), 32 deletions(-)

(limited to 'gnu/services')

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 3c0065207d..75b2df02dc 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2019, 2020 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,7 +31,9 @@
   #:use-module (guix store)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
+  #:use-module (ice-9 match)
   #:use-module (ice-9 format)
+  #:use-module (guix modules)
   #:export (nix-service-type))
 
 ;;; Commentary:
@@ -40,10 +42,17 @@
 ;;;
 ;;; Code:
 
-
-;;;
-;;; Accounts
-;;;
+(define-record-type* <nix-configuration>
+  nix-configuration make-nix-configuration
+  nix-configuration?
+  (package             nix-configuration-package ;package
+                       (default nix))
+  (sandbox             nix-configuration-sandbox ;boolean
+                       (default #t))
+  (build-sandbox-items nix-configuration-build-sandbox-items ;list of strings
+                       (default '()))
+  (extra-config        nix-configuration-extra-options ;list of strings
+                       (default '())))
 
 ;; Copied from gnu/services/base.scm
 (define* (nix-build-accounts count #:key
@@ -74,32 +83,50 @@ GID."
          (id 40000))
         (nix-build-accounts 10 #:group "nixbld")))
 
-(define (nix-activation _)
-  "Return the activation gexp."
-  (with-imported-modules '((guix build utils))
-    #~(begin
-        (use-modules (guix build utils)
-                     (srfi srfi-26))
-        (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
-                                     "/nix/var/nix/gcroots/per-user"
-                                     "/nix/var/nix/profiles/per-user"))
-        (chown "/nix/store"
-               (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
-        (chmod "/nix/store" #o775)
-        (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
-                                         "/nix/var/nix/profiles/per-user")))))
+(define nix-activation
+  ;; Return the activation gexp.
+  (match-lambda
+    (($ <nix-configuration> package sandbox build-sandbox-items extra-config)
+     (with-imported-modules (source-module-closure
+                             '((guix build store-copy)))
+       #~(begin
+           (use-modules (guix build utils)
+                        (ice-9 format)
+                        (srfi srfi-1)
+                        (srfi srfi-26))
+           (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
+                                        "/nix/var/nix/gcroots/per-user"
+                                        "/nix/var/nix/profiles/per-user"))
+           (chown "/nix/store"
+                  (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
+           (chmod "/nix/store" #o775)
+           (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
+                                            "/nix/var/nix/profiles/per-user"))
+           (mkdir-p "/etc/nix")
+           (with-output-to-file "/etc/nix/nix.conf"
+             (lambda _
+               (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
+               ;; config.nix captures store file names.
+               (format #t "build-sandbox-paths = ~{~a ~}~%"
+                       (append (append-map (cut call-with-input-file <> read)
+                                           '#$(map references-file
+                                                   (list package)))
+                               '#$build-sandbox-items))
+               (for-each (cut display <>) '#$extra-config))))))))
 
-(define (nix-shepherd-service _)
-  "Return a <shepherd-service> for Nix."
-  (list
-   (shepherd-service
-    (provision '(nix-daemon))
-    (documentation "Run nix-daemon.")
-    (requirement '())
-    (start #~(make-forkexec-constructor
-              (list (string-append #$nix "/bin/nix-daemon"))))
-    (respawn? #f)
-    (stop #~(make-kill-destructor)))))
+(define nix-shepherd-service
+  ;; Return a <shepherd-service> for Nix.
+  (match-lambda
+    (($ <nix-configuration> package _ ...)
+     (list
+      (shepherd-service
+       (provision '(nix-daemon))
+       (documentation "Run nix-daemon.")
+       (requirement '())
+       (start #~(make-forkexec-constructor
+                 (list (string-append #$package "/bin/nix-daemon"))))
+       (respawn? #f)
+       (stop #~(make-kill-destructor)))))))
 
 (define nix-service-type
   (service-type
@@ -108,7 +135,7 @@ GID."
     (list (service-extension shepherd-root-service-type nix-shepherd-service)
           (service-extension account-service-type nix-accounts)
           (service-extension activation-service-type nix-activation)))
-   (default-value '())
-   (description "Run the Nix daemon.")))
+   (description "Run the Nix daemon.")
+   (default-value (nix-configuration))))
 
 ;;; nix.scm ends here
-- 
cgit v1.2.3