Hello,
I recently discovered that guix-configuration offers a way to set the
permission and owner of the directory containing the daemon socket.
My plan was to create a new group "guix" and only allow users of this
group to use the daemon.
I added this to my services:
  (simple-service 'guix-group
                  account-service-type
                  (list (user-group (name "guix")
                                    (system? #t))))

  (modify-services %desktop-services
    (guix-service-type
     config => (guix-configuration
                (inherit config)
                ;; Restrict access to the daemon socket to
                ;; members of the guix group
                (socket-directory-permissions #o750)
                (socket-directory-user #f)
                (socket-directory-group "guix"))))
And then also added my normal user to the guix group.
The setup works great for a regular user, but I had some issues with the
guix-publish service, as the guix-publish user also needs access to the
daemon.
I forced the guix-publish user to the guix group by providing a second
entry with the additional group manually overwriting the automatic
account from the service.
However, guix-publish was still not able to connect to the socket.
Is there a way I can do this without giving up on guix-publish?
Any help would be appreciated.
Dariqq
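Added diagnostic, not part of the original post or of Guix itself: given the mode, owner and group that `stat` reports for the socket directory and the group list of a user, it tells whether that user can traverse the directory under a setup like `#o750` owned by root with group "guix". The daemon-socket path in the usage comment is an assumption about the usual location; adjust it to your system.

```sh
#!/bin/sh
# can_traverse USER DIR -> prints "yes" or "no"
# Decides from the directory's permission bits alone (plus the root bypass)
# whether USER may search (x) DIR as owner, group member or other.
# Requires GNU coreutils `stat -c`, as shipped on Guix System.
can_traverse() {
    user=$1 dir=$2
    info=$(stat -c '%a %U %G' "$dir") || return 1
    set -- $info
    mode=$1 owner=$2 group=$3
    # root is not subject to the mode bits at all.
    if [ "$user" = root ]; then echo yes; return 0; fi
    # Keep the last three octal digits (owner, group, other); a leading
    # setuid/setgid/sticky digit, if present, is irrelevant here.
    mode=$(printf '%s' "$mode" | tail -c 3)
    o=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    w=$(printf '%s' "$mode" | cut -c3)
    if [ "$user" = "$owner" ]; then
        bits=$o
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        # Supplementary group membership counts, so a guix-publish user
        # added to the "guix" group is evaluated against the group triplet.
        bits=$g
    else
        bits=$w
    fi
    # The search/execute permission is the low bit of the triplet.
    if [ $((bits & 1)) -eq 1 ]; then echo yes; else echo no; fi
}

# Example (assumed path of the daemon socket directory on Guix System):
#   can_traverse guix-publish /var/guix/daemon-socket
```

A "no" for guix-publish while the regular user gets "yes" points at group membership or the directory bits rather than at the socket file itself.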