nixos/nix-serve: Run as a separate user and add a signing key parameter

nixos/modules/misc/ids.nix

@@ -220,6 +220,7 @@
       grafana = 196;
       skydns = 197;
       ripple-rest = 198;
+      nix-serve = 199;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -418,6 +419,7 @@
       #grafana = 196; #unused
       #skydns = 197; #unused
       #ripple-rest = 198; #unused
+      #nix-serve = 199; #unused
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/services/networking/nix-serve.nix

@@ -26,6 +26,14 @@ in
         '';
       };
 
+      secretKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          The path to the file used for signing derivation data.
+        '';
+      };
+
       extraParams = mkOption {
         type = types.string;
         default = "";
@@ -44,13 +52,19 @@ in
 
       path = [ config.nix.package pkgs.bzip2 ];
       environment.NIX_REMOTE = "daemon";
+      environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
 
       serviceConfig = {
         ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
           "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
-        User = "nobody";
+        User = "nix-serve";
         Group = "nogroup";
       };
     };
+
+    users.extraUsers.nix-serve = {
+      description = "Nix-serve user";
+      uid = config.ids.uids.nix-serve;
+    };
   };
 }