mirrors/nix-darwin
1
0
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2024-12-14 11:57:34 +00:00
Code Activity

add nix module

Browse source
This commit is contained in:
Daiderd Jordan 2016-12-15 13:26:22 +01:00
parent 584e64da1a
commit 125dcb48b0
No known key found for this signature in database
GPG key ID: D02435D05B810C96
6 changed files with 379 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
default.nix
View file

@ -16,6 +16,7 @@ let
./modules/system/defaults/trackpad.nix
./modules/system/etc.nix
./modules/system/launchd.nix
./modules/nix
./modules/nix/nix-darwin.nix
./modules/nix/nixpkgs.nix
./modules/environment

13
modules/environment/default.nix
View file

@ -48,7 +48,7 @@ in {
};
environment.variables = mkOption {
type = types.attrsOf (types.loeOf types.str);
type = types.attrsOf (types.either types.str (types.listOf types.str));
default = {};
description = ''
A set of environment variables used in the global environment.
@ -71,6 +71,17 @@ in {
'';
};
environment.extraInit = mkOption {
type = types.lines;
default = "";
description = ''
Shell script code called during global environment initialisation
after all variables and profileVariables have been set.
This code is asumed to be shell-independent, which means you should
stick to pure sh without sh word split.
'';
};
};
config = {

349
modules/nix/default.nix Normal file
View file

@ -0,0 +1,349 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.nix;
nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers);
nixConf =
let
# If we're using sandbox for builds, then provide /bin/sh in
# the sandbox as a bind-mount to bash. This means we also need to
# include the entire closure of bash.
sh = pkgs.stdenv.shell;
binshDeps = pkgs.writeReferencesToFile sh;
in
pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; } ''
extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
cat > $out <<END
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
build-users-group = nixbld
build-max-jobs = ${toString (cfg.maxJobs)}
build-cores = ${toString (cfg.buildCores)}
build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox}
build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths)
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
${optionalString cfg.requireSignedBinaryCaches ''
signed-binary-caches = *
''}
trusted-users = ${toString cfg.trustedUsers}
allowed-users = ${toString cfg.allowedUsers}
$extraOptions
END
'';
in
{
options = {
nix = {
package = mkOption {
type = types.path;
default = "/nix/var/nix/profiles/default";
defaultText = "pkgs.nix";
description = ''
This option specifies the profile or Nix package instance to use throughout the system.
'';
};
maxJobs = mkOption {
type = types.int;
default = 1;
example = 64;
description = ''
This option defines the maximum number of jobs that Nix will try
to build in parallel. The default is 1. You should generally
set it to the total number of logical cores in your system (e.g., 16
for two CPUs with 4 cores each and hyper-threading).
'';
};
buildCores = mkOption {
type = types.int;
default = 1;
example = 64;
description = ''
This option defines the maximum number of concurrent tasks during
one build. It affects, e.g., -j option for make. The default is 1.
The special value 0 means that the builder should use all
available CPU cores in the system. Some builds may become
non-deterministic with this option; use with care! Packages will
only be affected if enableParallelBuilding is set for them.
'';
};
useSandbox = mkOption {
type = types.either types.bool (types.enum ["relaxed"]);
default = false;
description = "
If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build. This prevents
impurities in builds by disallowing access to dependencies
outside of the Nix store.
";
};
sandboxPaths = mkOption {
type = types.listOf types.str;
default = [];
example = [ "/dev" "/proc" ];
description =
''
Directories from the host filesystem to be included
in the sandbox.
'';
};
extraOptions = mkOption {
type = types.lines;
default = "";
example = ''
gc-keep-outputs = true
gc-keep-derivations = true
'';
description = "Additional text appended to <filename>nix.conf</filename>.";
};
distributedBuilds = mkOption {
type = types.bool;
default = false;
description = ''
Whether to distribute builds to the machines listed in
<option>nix.buildMachines</option>.
'';
};
daemonNiceLevel = mkOption {
type = types.int;
default = 0;
description = ''
Nix daemon process priority. This priority propagates to build processes.
0 is the default Unix process priority, 19 is the lowest.
'';
};
daemonIONice = mkOption {
type = types.bool;
default = false;
description = ''
Whether the Nix daemon process should considered to be low priority when
doing file system I/O.
'';
};
buildMachines = mkOption {
type = types.listOf types.attrs;
default = [];
example = [
{ hostName = "voila.labs.cs.uu.nl";
sshUser = "nix";
sshKey = "/root/.ssh/id_buildfarm";
system = "powerpc-darwin";
maxJobs = 1;
}
{ hostName = "linux64.example.org";
sshUser = "buildfarm";
sshKey = "/root/.ssh/id_buildfarm";
system = "x86_64-linux";
maxJobs = 2;
supportedFeatures = [ "kvm" ];
mandatoryFeatures = [ "perf" ];
}
];
description = ''
This option lists the machines to be used if distributed
builds are enabled (see
<option>nix.distributedBuilds</option>). Nix will perform
derivations on those machines via SSH by copying the inputs
to the Nix store on the remote machine, starting the build,
then copying the output back to the local Nix store. Each
element of the list should be an attribute set containing
the machine's host name (<varname>hostname</varname>), the
user name to be used for the SSH connection
(<varname>sshUser</varname>), the Nix system type
(<varname>system</varname>, e.g.,
<literal>"i686-linux"</literal>), the maximum number of
jobs to be run in parallel on that machine
(<varname>maxJobs</varname>), the path to the SSH private
key to be used to connect (<varname>sshKey</varname>), a
list of supported features of the machine
(<varname>supportedFeatures</varname>) and a list of
mandatory features of the machine
(<varname>mandatoryFeatures</varname>). The SSH private key
should not have a passphrase, and the corresponding public
key should be added to
<filename>~<replaceable>sshUser</replaceable>/authorized_keys</filename>
on the remote machine.
'';
};
# Environment variables for running Nix.
envVars = mkOption {
type = types.attrs;
internal = true;
default = {};
description = "Environment variables used by Nix.";
};
readOnlyStore = mkOption {
type = types.bool;
default = true;
description = ''
If set, NixOS will enforce the immutability of the Nix store
by making <filename>/nix/store</filename> a read-only bind
mount. Nix will automatically make the store writable when
needed.
'';
};
binaryCaches = mkOption {
type = types.listOf types.str;
default = [ https://cache.nixos.org/ ];
description = ''
List of binary cache URLs used to obtain pre-built binaries
of Nix packages.
'';
};
trustedBinaryCaches = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ http://hydra.nixos.org/ ];
description = ''
List of binary cache URLs that non-root users can use (in
addition to those specified using
<option>nix.binaryCaches</option>) by passing
<literal>--option binary-caches</literal> to Nix commands.
'';
};
requireSignedBinaryCaches = mkOption {
type = types.bool;
default = true;
description = ''
If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in
<option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
required nor checked, so it's strongly recommended that you use only
trustworthy caches and https to prevent man-in-the-middle attacks.
'';
};
binaryCachePublicKeys = mkOption {
type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = ''
List of public keys used to sign binary caches. If
<option>nix.requireSignedBinaryCaches</option> is enabled,
then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys
listed here. By default, only the key for
<uri>cache.nixos.org</uri> is included.
'';
};
trustedUsers = mkOption {
type = types.listOf types.str;
default = [ "root" ];
example = [ "root" "alice" "@wheel" ];
description = ''
A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs. You
can also specify groups by prefixing them with
<literal>@</literal>; for instance,
<literal>@wheel</literal> means all users in the wheel
group.
'';
};
allowedUsers = mkOption {
type = types.listOf types.str;
default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ];
description = ''
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
<option>nix.trustedUsers</option>, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can
allow all users by specifying <literal>*</literal>. The
default is <literal>*</literal>. Note that trusted users are
always allowed to connect.
'';
};
nixPath = mkOption {
type = types.listOf types.str;
default =
[ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs"
"/nix/var/nix/profiles/per-user/root/channels"
"darwin=$HOME/.nix-defexpr/darwin"
"darwin-config=$HOME/.nixpkgs/darwin-configuration.nix"
];
description = ''
The default Nix expression search path, used by the Nix
evaluator to look up paths enclosed in angle brackets
(e.g. <literal>&lt;nixpkgs&gt;</literal>).
'';
};
};
};
config = {
nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
environment.etc."nix/nix.conf".source = nixConf;
# List of machines for distributed Nix builds in the format
# expected by build-remote.pl.
environment.etc."nix/machines" =
{ enable = cfg.buildMachines != [];
text =
concatMapStrings (machine:
"${if machine ? sshUser then "${machine.sshUser}@" else ""}${machine.hostName} "
+ machine.system or (concatStringsSep "," machine.systems)
+ " ${machine.sshKey or "-"} ${toString machine.maxJobs or 1} "
+ toString (machine.speedFactor or 1)
+ " "
+ concatStringsSep "," (machine.mandatoryFeatures or [] ++ machine.supportedFeatures or [])
+ " "
+ concatStringsSep "," machine.mandatoryFeatures or []
+ "\n"
) cfg.buildMachines;
};
nix.envVars =
{ NIX_CONF_DIR = "/etc/nix";
# Enable the copy-from-other-stores substituter, which allows
# builds to be sped up by copying build results from remote
# Nix stores. To do this, mount the remote file system on a
# subdirectory of /run/nix/remote-stores.
NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix";
}
// optionalAttrs cfg.distributedBuilds {
NIX_BUILD_HOOK = "${cfg.package}/libexec/nix/build-remote.pl";
NIX_REMOTE_SYSTEMS = "/etc/nix/machines";
NIX_CURRENT_LOAD = "/run/nix/current-load";
};
# Set up the environment variables for running Nix.
environment.variables = cfg.envVars //
{ NIX_PATH = concatStringsSep ":" cfg.nixPath;
};
};
}

1
modules/programs/bash.nix
View file

@ -68,6 +68,7 @@ in
${config.system.build.setAliases}
${cfg.interactiveShellInit}
${config.environment.extraInit}
# Read system-wide modifications.
if test -f /etc/bash.local; then

1
modules/programs/zsh.nix
View file

@ -117,6 +117,7 @@ in
${config.system.build.setAliases}
${cfg.interactiveShellInit}
${config.environment.extraInit}
# Read system-wide modifications.
if test -f /etc/zshrc.local; then

34
modules/services/nix-daemon.nix
View file

@ -18,18 +18,6 @@ in
description = "Whether to activate system at boot time.";
};
profile = mkOption {
type = types.path;
default = "/nix/var/nix/profiles/default";
description = "Profile to use for nix and cacert.";
};
buildMachinesFile = mkOption {
type = types.path;
default = "/etc/nix/machines";
description = "File containing build machines.";
};
tempDir = mkOption {
type = types.path;
default = "/tmp";
@ -41,17 +29,25 @@ in
config = mkIf cfg.enable {
environment.extraInit = ''
# Set up secure multi-user builds: non-root users build through the
# Nix daemon.
if [ "$USER" != root -o ! -w /nix/var/nix/db ]; then
export NIX_REMOTE=daemon
fi
'';
launchd.daemons.nix-daemon = {
serviceConfig.Program = "${cfg.profile}/bin/nix-daemon";
serviceConfig.Program = "${config.nix.package}/bin/nix-daemon";
serviceConfig.KeepAlive = true;
serviceConfig.ProcessType = "Background";
serviceConfig.LowPriorityIO = config.nix.daemonIONice;
serviceConfig.Nice = config.nix.daemonNiceLevel;
serviceConfig.SoftResourceLimits.NumberOfFiles = 4096;
serviceConfig.EnvironmentVariables.TMPDIR = "${cfg.tempDir}";
serviceConfig.EnvironmentVariables.SSL_CERT_FILE = "${cfg.profile}/etc/ssl/certs/ca-bundle.crt";
serviceConfig.EnvironmentVariables.NIX_BUILD_HOOK="${cfg.profile}/libexec/nix/build-remote.pl";
serviceConfig.EnvironmentVariables.NIX_CURRENT_LOAD="${cfg.tempDir}/current-load";
serviceConfig.EnvironmentVariables.NIX_REMOTE_SYSTEMS="${cfg.buildMachinesFile}";
};
serviceConfig.EnvironmentVariables = config.nix.envVars
// { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
// { TMPDIR = "${cfg.tempDir}"; };
};
};
}