etc: Add a systemd unit to bind-mount @storedir@ read-only.

* etc/gnu-store.mount.in: New file. * nix/local.mk (nodist_systemdservice_DATA): Add it. (etc/%.mount): New rule for it. * etc/guix-install.sh (sys_enable_guix_daemon): Install it. * doc/guix.texi (Binary Installation): Document it. * .gitignore: Ignore changes to it.
2020-05-14 15:13:12 +02:00 · 2020-05-14 15:13:12 +02:00 · 1a1faa78b0
parent 0fe654ebcd
commit 1a1faa78b0
5 changed files with 38 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -66,6 +66,7 @@
 /doc/stamp-vti
 /doc/version.texi
 /doc/version-*.texi
+/etc/gnu-store.mount
 /etc/guix-daemon.cil
 /etc/guix-daemon.conf
 /etc/guix-daemon.service
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -659,9 +659,10 @@ with these commands:
@c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html

@example
-# cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
+     ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
     /etc/systemd/system/
-# systemctl enable --now guix-daemon
+# systemctl enable --now gnu-store.mount guix-daemon
@end example

 If your host distro uses the Upstart init system:
--- a/etc/gnu-store.mount.in
+++ b/etc/gnu-store.mount.in
@ -0,0 +1,14 @@
+[Unit]
+Description=Read-only @storedir@ for GNU Guix
+DefaultDependencies=no
+ConditionPathExists=@storedir@
+Before=guix-daemon.service
+
+[Install]
+WantedBy=guix-daemon.service
+
+[Mount]
+What=@storedir@
+Where=@storedir@
+Type=none
+Options=bind,ro
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@ -342,7 +342,13 @@ sys_enable_guix_daemon()
                _msg "${PAS}enabled Guix daemon via upstart"
            ;;
        systemd)
-            { cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \
+            { # systemd .mount units must be named after the target directory.
+              # Here we assume a hard-coded name of /gnu/store.
+              cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount" \
+                 /etc/systemd/system/;
+              chmod 664 /etc/systemd/system/gnu-store.mount;
+
+              cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \
                 /etc/systemd/system/;
              chmod 664 /etc/systemd/system/guix-daemon.service;

@ -357,8 +363,8 @@ sys_enable_guix_daemon()
 	      fi;

              systemctl daemon-reload &&
-                  systemctl start guix-daemon &&
-                  systemctl enable guix-daemon; } &&
+                  systemctl start  gnu-store.mount guix-daemon &&
+                  systemctl enable gnu-store.mount guix-daemon; } &&
                _msg "${PAS}enabled Guix daemon via systemd"
            ;;
        sysv-init)
--- a/nix/local.mk
+++ b/nix/local.mk
@ -155,7 +155,17 @@ noinst_HEADERS =						\

 # The '.service' files for systemd.
 systemdservicedir = $(libdir)/systemd/system
-nodist_systemdservice_DATA = etc/guix-daemon.service etc/guix-publish.service
+nodist_systemdservice_DATA =			\
+  etc/gnu-store.mount				\
+  etc/guix-daemon.service			\
+  etc/guix-publish.service
+
+etc/%.mount: etc/%.mount.in	\
+			 $(top_builddir)/config.status
+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
+	       "$<" > "$@.tmp";		\
+	mv "$@.tmp" "$@"

 etc/guix-%.service: etc/guix-%.service.in	\
 			 $(top_builddir)/config.status