author | William A. Kennington III <william@wkennington.com> | 2015-06-17 19:10:23 -0700 |
---|---|---|
committer | William A. Kennington III <william@wkennington.com> | 2015-06-17 19:10:39 -0700 |
commit | 295846a2545c91567a21f375c181aa5c51da42e2 (patch) | |
tree | bcdb9202d2b70f6268962da1ae465dcb4dbb4521 /nixos | |
parent | 2ae75f3a854bd5b37a4e2be63c922177a1701803 (diff) | |
nixos/nix-serve: Run as a separate user and add a signing key parameter
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/nix-serve.nix | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index d283a633734a..ce935915abf6 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -220,6 +220,7 @@ grafana = 196; skydns = 197; ripple-rest = 198; + nix-serve = 199; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -418,6 +419,7 @@ #grafana = 196; #unused #skydns = 197; #unused #ripple-rest = 198; #unused + #nix-serve = 199; #unused # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index c2c579c3177e..4f8b9357a828 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -26,6 +26,14 @@ in ''; }; + secretKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The path to the file used for signing derivation data. + ''; + }; + extraParams = mkOption { type = types.string; default = ""; @@ -44,13 +52,19 @@ in path = [ config.nix.package pkgs.bzip2 ]; environment.NIX_REMOTE = "daemon"; + environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; serviceConfig = { ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; - User = "nobody"; + User = "nix-serve"; Group = "nogroup"; }; }; + + users.extraUsers.nix-serve = { + description = "Nix-serve user"; + uid = config.ids.uids.nix-serve; + }; }; } |
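Review bot: The `secretKeyFile` description in the first nix-serve.nix hunk does not say that the file holds a private signing key or what access it needs. I would extend it along the lines of `Path to the secret key file used for signing; it must be readable by the nix-serve user and should be kept outside the world-readable Nix store.` It would also help to state what the `null` default means, presumably that no signing key is configured. The option set this hunk sits in starts and ends outside the hunk.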
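Review bot: In the second nix-serve.nix hunk, `User = "nix-serve"` gives the service its own uid but `Group = "nogroup"` is kept, so the process still shares a group with anything else running as nogroup. The file named by `secretKeyFile` therefore has to be owner-only to stay private. A dedicated group would close that gap, since ids.nix in this commit reserves gid 199 but leaves it commented out as unused: `Group = "nix-serve";` with a matching `users.extraGroups.nix-serve.gid = config.ids.gids.nix-serve;` once that gid line is enabled. Separately, `environment.NIX_SECRET_KEY_FILE` is assigned even when the option keeps its `null` default; whether the systemd module accepts a null environment value is not visible here, so `mkIf (cfg.secretKeyFile != null) cfg.secretKeyFile` would be the safer form. The enclosing `config` block starts outside the hunk.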