arion draft private nix store daemon service
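# Import this module from an arion service to enable the nix daemon.
#
# SECURITY (review): this module strips most of the isolation a container
# normally gets -- CAP_SYS_ADMIN, an unconfined seccomp profile, the
# runtime's protective /proc mounts removed, and /dev/kvm passed through.
# Treat a service that imports it as roughly a privileged container and
# only feed it builds you trust.
{ pkgs, lib, ... }:
{
  # ENABLING THIS WILL MOST LIKELY DAMAGE THE HOST.
  # You're probably looking for service.useHostNixDaemon instead of this module.
  # The host /nix/store must never be shared with a container that runs its
  # own nix-daemon, hence mkForce so nothing can re-enable it.  DID YOU READ THE COMMENT?
  service.useHostStore = lib.mkForce false;
  nixos.configuration = { pkgs, lib, ... }: {
    boot.postBootCommands = ''
      # Assert dominance, so nix-daemon can mount procfs for the sandbox.
      # The container runtime masks / read-only-binds parts of /proc; while
      # those submounts exist, mounting a fresh procfs inside the build sandbox
      # fails.  Unmount every mount whose *mount point* (field 5 of mountinfo)
      # lives below /proc/.  Matching on that field instead of the whole line
      # avoids unmounting an unrelated mount whose source path merely happens
      # to contain "/proc/".  mountinfo escapes whitespace in paths as \040,
      # so word-splitting the awk output is safe.
      # Background: https://kinvolk.io/blog/2018/04/towards-unprivileged-container-builds/#the-exception-of-procfs-and-sysfs
      # Code: https://serverfault.com/a/897476
      # NOTE(review): mountinfo lists parents before children; should a nested
      # mount ever appear under /proc/, the parent umount would fail with EBUSY.
      for dir in $(${pkgs.gawk}/bin/awk '$5 ~ /^\/proc\// { print $5; }' /proc/1/mountinfo); do
        echo "Exposing $dir"
        umount "$dir"
      done
    '';
    # Run a nix-daemon inside the container so builds go to the private store.
    systemd.sockets.nix-daemon.enable = true;
    systemd.services.nix-daemon.enable = true;
    # Use a non-default range in order to decrease the likelihood of getting
    # killed by the host nix-daemon (presumably it kills processes owned by its
    # build users, which would collide with ours if the uid ranges overlapped).
    ids.uids.nixbld = 9000;
  };
  # presumably for KVM-backed builds -- the host device node is passed through as-is
  service.devices = [ "/dev/kvm" ];
  # Required for the mount/umount calls above and for the nix build sandbox.
  service.capabilities.SYS_ADMIN = true;
  build.service.security_opt = [ "seccomp=unconfined" ]; # pivot_root for nix sandbox
}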