-rw-r--r-- | guix/forge/tissue.scm | 48 |
1 files changed, 26 insertions, 22 deletions
diff --git a/guix/forge/tissue.scm b/guix/forge/tissue.scm
index ab86a11..e34e656 100644
--- a/guix/forge/tissue.scm
+++ b/guix/forge/tissue.scm
@@ -20,6 +20,7 @@
 (define-module (forge tissue)
 #:use-module (srfi srfi-1)
 #:use-module (forge socket)
+ #:use-module (gnu build linux-container)
 #:use-module ((gnu packages admin) #:select (shadow))
 #:use-module ((gnu packages autotools) #:select (autoconf automake))
 #:use-module ((gnu packages gettext) #:select (gnu-gettext))
@@ -28,9 +29,11 @@
 #:use-module ((gnu packages skribilo) #:select (skribilo) #:prefix guix:)
 #:use-module (gnu services)
 #:use-module (gnu services shepherd)
+ #:use-module (gnu system file-systems)
 #:use-module (gnu system shadow)
 #:use-module (guix build-system gnu)
 #:use-module (guix gexp)
+ #:use-module (guix least-authority)
 #:use-module (guix modules)
 #:use-module (guix git-download)
 #:use-module ((guix licenses) #:prefix license:)
@@ -245,32 +248,33 @@ available both as a command-line program and as a web server.")
 (documentation "Run tissue web server.")
 (provision '(tissue))
 (requirement '(networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
 (start
- (with-imported-modules (source-module-closure '((gnu build shepherd)
- (gnu system file-systems))))
- #~(make-forkexec-constructor/container
- (list #$(file-append (tissue-configuration-package config)
- "/bin/tissue")
+ (let ((tissue-conf (computed-file "tissue.conf" (tissue-conf-gexp config))))
+ #~(make-forkexec-constructor
+ (list #$(least-authority-wrapper
+ (file-append (tissue-configuration-package config)
+ "/bin/tissue")
+ #:name "tissue"
+ #:mappings (cons* (file-system-mapping
+ (source tissue-conf)
+ (target source))
+ (file-system-mapping
+ (source state-directory)
+ (target source))
+ (if (forge-unix-socket? socket)
+ (list (file-system-mapping
+ (source (dirname (forge-unix-socket-path socket)))
+ (target source)
+ (writable? #t))))
+ (list)))
+ ;; TODO: If socket is a Unix socket, run in a
+ ;; network namespace. We can't do this yet due to
+ ;; https://yhetil.org/guix/m1ilknoi5r.fsf@fastmail.net/
+ #:namespaces (delq 'net %namespaces))
 "web"
- (string-append "--config=" #$(computed-file "tissue.conf"
- (tissue-conf-gexp config))))
+ (string-append "--config=" #$tissue-conf))
 #:user "tissue"
 #:group "tissue"
- #:mappings (append (list (file-system-mapping
- (source #$state-directory)
- (target source))
- (file-system-mapping
- (source "/var/log/tissue.log")
- (target source)
- (writable? #t)))
- (if #$(forge-unix-socket? socket)
- (list (file-system-mapping
- (source #$(dirname (forge-unix-socket-path socket)))
- (target source)
- (writable? #t)))
- (list)))
 #:log-file "/var/log/tissue.log")))
 (stop #~(make-kill-destructor)))))
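Review bot: The writable mapping `(source (dirname (forge-unix-socket-path socket)))` hands the sandboxed process read-write access to the socket's entire parent directory, so if the configured socket path sits in a shared run directory, every other socket or file there is writable from inside the wrapper; a comment such as `;; The socket's whole directory is mapped writable, so it should be a directory dedicated to tissue.` would make that expectation explicit, or the service could create a tissue-specific directory and map only that. The old writable mapping of `/var/log/tissue.log` is dropped while `#:log-file "/var/log/tissue.log"` stays; that presumably works because shepherd opens the log file before exec, outside the wrapper's mount namespace, and a one-line comment to that effect would save the next reader from re-deriving it. Because `tissue-conf` is passed to `least-authority-wrapper` as an explicit mapping rather than as part of the program's closure, any further store items that the generated tissue.conf refers to would also need a mapping unless they live under `state-directory`; I cannot tell from this hunk whether `tissue-conf-gexp` emits such references. The enclosing definition that binds `config`, `socket` and `state-directory` starts outside the hunk.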