-rw-r--r--guix/forge/tissue.scm48
1 files changed, 26 insertions, 22 deletions
diff --git a/guix/forge/tissue.scm b/guix/forge/tissue.scm
index ab86a11..e34e656 100644
--- a/guix/forge/tissue.scm
+++ b/guix/forge/tissue.scm
@@ -20,6 +20,7 @@
(define-module (forge tissue)
#:use-module (srfi srfi-1)
#:use-module (forge socket)
+ #:use-module (gnu build linux-container)
#:use-module ((gnu packages admin) #:select (shadow))
#:use-module ((gnu packages autotools) #:select (autoconf automake))
#:use-module ((gnu packages gettext) #:select (gnu-gettext))
@@ -28,9 +29,11 @@
#:use-module ((gnu packages skribilo) #:select (skribilo) #:prefix guix:)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
+ #:use-module (gnu system file-systems)
#:use-module (gnu system shadow)
#:use-module (guix build-system gnu)
#:use-module (guix gexp)
+ #:use-module (guix least-authority)
#:use-module (guix modules)
#:use-module (guix git-download)
#:use-module ((guix licenses) #:prefix license:)
@@ -245,32 +248,33 @@ available both as a command-line program and as a web server.")
(documentation "Run tissue web server.")
(provision '(tissue))
(requirement '(networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
(start
- (with-imported-modules (source-module-closure '((gnu build shepherd)
- (gnu system file-systems)))
- #~(make-forkexec-constructor/container
- (list #$(file-append (tissue-configuration-package config)
- "/bin/tissue")
+ (let ((tissue-conf (computed-file "tissue.conf" (tissue-conf-gexp config))))
+ #~(make-forkexec-constructor
+ (list #$(least-authority-wrapper
+ (file-append (tissue-configuration-package config)
+ "/bin/tissue")
+ #:name "tissue"
+ #:mappings (cons* (file-system-mapping
+ (source tissue-conf)
+ (target source))
+ (file-system-mapping
+ (source state-directory)
+ (target source))
+ (if (forge-unix-socket? socket)
+ (list (file-system-mapping
+ (source (dirname (forge-unix-socket-path socket)))
+ (target source)
+ (writable? #t)))
+ (list)))
+ ;; TODO: If socket is a Unix socket, run in a
+ ;; network namespace. We can't do this yet due to
+ ;; https://yhetil.org/guix/m1ilknoi5r.fsf@fastmail.net/
+ #:namespaces (delq 'net %namespaces))
"web"
- (string-append "--config=" #$(computed-file "tissue.conf"
- (tissue-conf-gexp config))))
+ (string-append "--config=" #$tissue-conf))
#:user "tissue"
#:group "tissue"
- #:mappings (append (list (file-system-mapping
- (source #$state-directory)
- (target source))
- (file-system-mapping
- (source "/var/log/tissue.log")
- (target source)
- (writable? #t)))
- (if #$(forge-unix-socket? socket)
- (list (file-system-mapping
- (source #$(dirname (forge-unix-socket-path socket)))
- (target source)
- (writable? #t)))
- (list)))
#:log-file "/var/log/tissue.log")))
(stop #~(make-kill-destructor)))))
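Review bot: `#:namespaces (delq 'net %namespaces)` on the new side drops network isolation unconditionally, while the TODO above it only explains the Unix-socket case; for a TCP `forge-socket` the server must share the host network by design, so the comment should say that the `delq` is intentional for TCP and merely a known gap for Unix sockets, e.g. `;; A TCP socket needs the host network namespace; for a Unix socket we would like to drop 'net too, but can't yet (see link).` Note also that the Unix-socket branch bind-mounts the socket's whole parent directory writable, which grants the server write access to every sibling file in that directory (a shared /var/run, for instance) rather than just its own socket; presumably this is because the socket file does not exist before the server binds it, so a dedicated per-service directory would narrow it. Finally, `tissue-conf` is mapped read-only but any store items its contents reference are only reachable if `least-authority-wrapper` maps their closure as well — worth confirming against the generated config, since the old `make-forkexec-constructor/container` path mapped the store differently. The enclosing `tissue-shepherd-service` definition starts before this hunk.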