nixos/nix-serve: Run as a separate user and add a signing key parameter
This commit is contained in:
		
							parent
							
								
									2ae75f3a85
								
							
						
					
					
						commit
						295846a254
					
				| @ -220,6 +220,7 @@ | |||||||
|       grafana = 196; |       grafana = 196; | ||||||
|       skydns = 197; |       skydns = 197; | ||||||
|       ripple-rest = 198; |       ripple-rest = 198; | ||||||
|  |       nix-serve = 199; | ||||||
| 
 | 
 | ||||||
|       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! |       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! | ||||||
| 
 | 
 | ||||||
| @ -418,6 +419,7 @@ | |||||||
|       #grafana = 196; #unused |       #grafana = 196; #unused | ||||||
|       #skydns = 197; #unused |       #skydns = 197; #unused | ||||||
|       #ripple-rest = 198; #unused |       #ripple-rest = 198; #unused | ||||||
|  |       #nix-serve = 199; #unused | ||||||
| 
 | 
 | ||||||
|       # When adding a gid, make sure it doesn't match an existing |       # When adding a gid, make sure it doesn't match an existing | ||||||
|       # uid. Users and groups with the same name should have equal |       # uid. Users and groups with the same name should have equal | ||||||
|  | |||||||
| @ -26,6 +26,14 @@ in | |||||||
|         ''; |         ''; | ||||||
|       }; |       }; | ||||||
| 
 | 
 | ||||||
|  |       secretKeyFile = mkOption { | ||||||
|  |         type = types.nullOr types.str; | ||||||
|  |         default = null; | ||||||
|  |         description = '' | ||||||
|  |           The path to the file used for signing derivation data. | ||||||
|  |         ''; | ||||||
|  |       }; | ||||||
|  | 
 | ||||||
|       extraParams = mkOption { |       extraParams = mkOption { | ||||||
|         type = types.string; |         type = types.string; | ||||||
|         default = ""; |         default = ""; | ||||||
| @ -44,13 +52,19 @@ in | |||||||
| 
 | 
 | ||||||
|       path = [ config.nix.package pkgs.bzip2 ]; |       path = [ config.nix.package pkgs.bzip2 ]; | ||||||
|       environment.NIX_REMOTE = "daemon"; |       environment.NIX_REMOTE = "daemon"; | ||||||
|  |       environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; | ||||||
| 
 | 
 | ||||||
|       serviceConfig = { |       serviceConfig = { | ||||||
|         ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + |         ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + | ||||||
|           "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; |           "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; | ||||||
|         User = "nobody"; |         User = "nix-serve"; | ||||||
|         Group = "nogroup"; |         Group = "nogroup"; | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
|  | 
 | ||||||
|  |     users.extraUsers.nix-serve = { | ||||||
|  |       description = "Nix-serve user"; | ||||||
|  |       uid = config.ids.uids.nix-serve; | ||||||
|  |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
|  | |||||||
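Review bot: The service now runs as the dedicated `nix-serve` user but keeps `Group = "nogroup"`, and the matching gid in the ids hunk above is only reserved as a comment (`#nix-serve = 199; #unused`), so the only ways to make `secretKeyFile` readable by the daemon are to chown it to nix-serve or to make it world-readable. Defining `users.extraGroups.nix-serve = { gid = config.ids.gids.nix-serve; };`, setting `group = "nix-serve";` on the user and `Group = "nix-serve";` in serviceConfig would let the key be installed as root:nix-serve with mode 0440. The `secretKeyFile` description should also state that the file must be readable by the `nix-serve` user and must not be world-readable, and that it is exported to the daemon as `NIX_SECRET_KEY_FILE`. Finally, `environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;` is null by default, which appears to rely on the systemd module dropping null environment entries; if that is not guaranteed, guard it with `mkIf (cfg.secretKeyFile != null)`.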
	 William A. Kennington III
						William A. Kennington III