From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Fri, 22 Dec 2023 11:41:10 +0000 (+0100)
Subject: bubblewrap: try to mount /nix/store readonly
X-Git-Tag: v20~37^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00f15ad1ce95bca70761f14f703a4d265122e85d;p=thirdparty%2Fmkosi.git

bubblewrap: try to mount /nix/store readonly

Similar to most usrmerged systems, NixOS stores all installed binaries and libraries in /nix/store. To make mkosi work on NixOS, the nix store should be mounted by default.

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---

diff --git a/mkosi/bubblewrap.py b/mkosi/bubblewrap.py
index 13f9517b5..7c1550bca 100644
--- a/mkosi/bubblewrap.py
+++ b/mkosi/bubblewrap.py
@@ -79,6 +79,7 @@ def bwrap(
 cmdline: list[PathString] = [
 "bwrap",
 "--ro-bind", "/usr", "/usr",
+ "--ro-bind-try", "/nix/store", "/nix/store",
 "--bind", "/var/tmp", "/var/tmp",
 "--bind", "/tmp", "/tmp",
 "--bind", Path.cwd(), Path.cwd(),
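Review bot: The added `"--ro-bind-try", "/nix/store", "/nix/store"` entry has no comment explaining why a distribution-specific path sits among the base mounts, and it takes effect on every host where `/nix/store` exists, not only on NixOS. I would put `# NixOS keeps all binaries and libraries in /nix/store; -try skips the mount where the path is absent.` directly above it. The mount is read-only, but it makes the whole store readable by every sandboxed command, so it is worth confirming that this is intended on hosts that merely have Nix installed, where the store may hold material unrelated to the build. The body of `bwrap` starts and ends outside this hunk, so whether a later option masks or overrides this mount cannot be judged from here.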