authorWilliam A. Kennington III <william@wkennington.com>2015-06-17 19:10:23 -0700
committerWilliam A. Kennington III <william@wkennington.com>2015-06-17 19:10:39 -0700
commit295846a2545c91567a21f375c181aa5c51da42e2 (patch)
treebcdb9202d2b70f6268962da1ae465dcb4dbb4521 /nixos
parent2ae75f3a854bd5b37a4e2be63c922177a1701803 (diff)
nixos/nix-serve: Run as a separate user and add a signing key parameter
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/services/networking/nix-serve.nix16
2 files changed, 17 insertions, 1 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index d283a633734a..ce935915abf6 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -220,6 +220,7 @@
       grafana = 196;
       skydns = 197;
       ripple-rest = 198;
+      nix-serve = 199;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -418,6 +419,7 @@
       #grafana = 196; #unused
       #skydns = 197; #unused
       #ripple-rest = 198; #unused
+      #nix-serve = 199; #unused
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index c2c579c3177e..4f8b9357a828 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -26,6 +26,14 @@ in
         '';
       };
 
+      secretKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          The path to the file used for signing derivation data.
+        '';
+      };
+
       extraParams = mkOption {
         type = types.string;
         default = "";
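Review bot: The new `secretKeyFile` option's description says nothing about who reads the file or what permissions it needs, even though the value is a private signing key path that the daemon picks up from its environment and the service is switched to a dedicated `nix-serve` user elsewhere in this commit. Since the type is `types.str`, a Nix store path (world-readable) would be accepted without complaint, so the description is the only place this can be conveyed. Suggest replacing the description text with: `The path to the private key file used for signing derivation data served by nix-serve. The file must be readable by the nix-serve user and should not be placed in the world-readable Nix store.` The enclosing `options` attrset starts before this hunk.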
@@ -44,13 +52,19 @@ in
 
       path = [ config.nix.package pkgs.bzip2 ];
       environment.NIX_REMOTE = "daemon";
+      environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
 
       serviceConfig = {
         ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
           "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
-        User = "nobody";
+        User = "nix-serve";
         Group = "nogroup";
       };
     };
+
+    users.extraUsers.nix-serve = {
+      description = "Nix-serve user";
+      uid = config.ids.uids.nix-serve;
+    };
   };
 }
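Review bot: `environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;` is set unconditionally although the option defaults to `null`; whether a null value is dropped or ends up rendered into the unit depends on how the systemd `environment` option treats null, which is not visible here, so it is safer to guard it explicitly: `environment.NIX_SECRET_KEY_FILE = mkIf (cfg.secretKeyFile != null) cfg.secretKeyFile;`. Separately, the service gains a dedicated user but keeps `Group = "nogroup"` and no `nix-serve` group is declared (the gid in ids.nix is left commented out), so a key file cannot be shared with the service via group ownership and must be made readable by the `nix-serve` user directly; either declare a matching group or state that requirement in the option's description. The `config` block this hunk modifies starts before the hunk.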