diff --git a/CHANGELOG b/CHANGELOG index 1675b3e0..b4f5cb10 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,26 @@ +2022-08-14 +- nix module updated to bring it back in sync with it's NixOS counterpart + It should now be much more fiesable to share code for this module between + `nix-darwin` and NixOS configs. + + `nix-darwin` now requires Nix >= 2.2. + + `nix.package` can no longer be a path to a profile. + + `nix.version` option has been removed. Use `nix.package.version` if you want + to reference the version Nix installed/used by your config. + + Many options moved/renamed from `nix.*` to `nix.settings.*`. For example + `nix.binaryCaches` is now `nix.settings.substituters`. + + You can use `nix.settings` to set any option in `nix.conf`. + + `users.nix.*` options moved to `nix.*`. + + `nix.daemonIONice` was renamed to `nix.daemonIOLowPriority`, and + `nix.daemonNiceLevel` was removed in favor a new option + `nix.nix.daemonProcessType`. + 2021-01-16 - Added `homebrew` module, to manage formulas installed by Homebrew via `brew bundle`. diff --git a/modules/alias.nix b/modules/alias.nix index d495d2fe..cd7140fd 100644 --- a/modules/alias.nix +++ b/modules/alias.nix @@ -10,7 +10,6 @@ in options = { networking.networkservices = mkOption { internal = true; default = null; }; - nix.profile = mkOption { internal = true; default = null; }; security.enableAccessibilityAccess = mkOption { internal = true; default = null; }; security.accessibilityPrograms = mkOption { internal = true; default = null; }; 
@@ -19,8 +18,7 @@ in config = { assertions = - [ { assertion = config.nix.profile == null; message = "nix.profile was renamed to nix.package"; } - { assertion = config.security.enableAccessibilityAccess == null; message = "security.enableAccessibilityAccess was removed, it's broken since 10.12 because of SIP"; } + [ { assertion = config.security.enableAccessibilityAccess == null; message = "security.enableAccessibilityAccess was removed, it's broken since 10.12 because of SIP"; } { assertion = config.system.activationScripts.extraPostActivation.text == ""; message = "system.activationScripts.extraPostActivation was renamed to system.activationScripts.postActivation"; } { assertion = config.system.activationScripts.extraUserPostActivation.text == ""; message = "system.activationScripts.extraUserPostActivation was renamed to system.activationScripts.postUserActivation"; } ]; @@ -31,8 +29,6 @@ in networking.knownNetworkServices = mkIf (config.networking.networkservices != null) config.networking.networkservices; - nix.package = mkIf (config.nix.profile != null) config.nix.profile; - system.activationScripts.extraPostActivation.text = mkDefault ""; system.activationScripts.extraUserPostActivation.text = mkDefault ""; diff --git a/modules/examples/hydra.nix b/modules/examples/hydra.nix index ddd9a638..15808d92 100644 --- a/modules/examples/hydra.nix +++ b/modules/examples/hydra.nix @@ -19,10 +19,10 @@ in services.nix-daemon.enable = true; - nix.binaryCaches = [ http://cache1 ]; - nix.binaryCachePublicKeys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; + nix.settings.substituters = [ http://cache1 ]; + nix.settings.trusted-public-keys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; - nix.trustedUsers = [ "@admin" "@hydra" ]; + nix.settings.trusted-users = [ "@admin" "@hydra" ]; nix.extraOptions = '' pre-build-hook = diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix index 281347c7..dac393ff 100644 
--- a/modules/examples/lnl.nix +++ b/modules/examples/lnl.nix @@ -93,11 +93,11 @@ log-lines = 128 ''; - nix.binaryCachePublicKeys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; - nix.trustedBinaryCaches = [ https://d3i7ezr9vxxsfy.cloudfront.net ]; + nix.settings.trusted-public-keys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; + nix.settings.trusted-substituters = [ https://d3i7ezr9vxxsfy.cloudfront.net ]; - nix.useSandbox = true; - nix.sandboxPaths = [ "/private/tmp" "/private/var/tmp" "/usr/bin/env" ]; + nix.settings.sandbox = true; + nix.settings.extra-sandbox-paths = [ "/private/tmp" "/private/var/tmp" "/usr/bin/env" ]; programs.nix-index.enable = true; @@ -357,6 +357,6 @@ # path = /etc/per-user/lnl/gitconfig # environment.etc."per-user/lnl/gitconfig".text = builtins.readFile "${inputs.dotfiles}/git/gitconfig"; - users.nix.configureBuildUsers = true; - users.nix.nrBuildUsers = 32; + nix.configureBuildUsers = true; + nix.nrBuildUsers = 32; } diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix new file mode 100644 index 00000000..07f1240b --- /dev/null +++ b/modules/misc/ids.nix 
@@ -0,0 +1,50 @@
+# Based on: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
+
+# This module defines the global list of uids and gids. We keep a
+# central list to prevent id collisions.
+
+# IMPORTANT!
+# We only add static uids and gids for services where it is not feasible
+# to change uids/gids on service start, in example a service with a lot of
+# files.
+
+{ lib, ... }:
+
+let
+ inherit (lib) types;
+in
+{
+ options = {
+
+ ids.uids = lib.mkOption {
+ internal = true;
+ description = ''
+ The user IDs used in NixOS.
+ '';
+ type = types.attrsOf types.int;
+ };
+
+ ids.gids = lib.mkOption {
+ internal = true;
+ description = ''
+ The group IDs used in NixOS.
+ '';
+ type = types.attrsOf types.int;
+ };
+
+ };
+
+
+ config = {
+
+ ids.uids = {
+ nixbld = 300;
+ };
+
+ ids.gids = {
+ nixbld = 30000;
+ };
+
+ };
+
+}
diff --git a/modules/module-list.nix b/modules/module-list.nix
index d4c1b35b..fc27ff05 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -1,6 +1,7 @@
 [
 ./alias.nix
 ./documentation
+ ./misc/ids.nix
 ./misc/lib.nix
 ./security/pki
 ./security/sandbox
@@ -34,7 +35,6 @@
 ./networking
 ./nix
 ./nix/nix-darwin.nix
- ./nix/nix-info.nix
 ./nix/nixpkgs.nix
 ./environment
 ./fonts
@@ -77,5 +77,4 @@
 ./programs/zsh
 ./homebrew.nix
 ./users
- ./users/nixbld
 ]
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index 40bd58b5..2588d3be 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
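Review bot: In modules/misc/ids.nix the `nixbld = 300` entry under `ids.uids` is a base value rather than the uid of an account, and nothing on the entry says so. The nix module in this commit computes each build user's uid as `builtins.add config.ids.uids.nixbld nr` over `range 1 cfg.nrBuildUsers`, so the accounts get 301 upward. I would add a comment such as `# base uid: build user N is created with uid 300 + N (see nix.nrBuildUsers)` and change the two descriptions from "used in NixOS" to "used in nix-darwin". Because the range is static, it is also worth documenting that it has to stay clear of uids already assigned on the host; no collision check is visible in this diff.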
@@ -1,438 +1,665 @@ +# Based off: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/nix-daemon.nix +# When making changes please try to keep it in sync and keep the diff NixOS module clean. { config, lib, pkgs, ... }: with lib; let + cfg = config.nix; - isNix20 = versionAtLeast (cfg.version or "") "1.12pre"; + nixPackage = cfg.package.out; - nixConf = - let - # If we're using sandbox for builds, then provide /bin/sh in - # the sandbox as a bind-mount to bash. This means we also need to - # include the entire closure of bash. - sh = pkgs.stdenv.shell; - binshDeps = pkgs.writeReferencesToFile sh; - in - pkgs.runCommandNoCC "nix.conf" - { preferLocalBuild = true; extraOptions = cfg.extraOptions; } - '' - cat > $out <nix.buildMachines. - - NOTE: This requires services.nix-daemon.enable for a - multi-user install. - ''; - }; - - nix.daemonNiceLevel = mkOption { - type = types.int; - default = 0; - description = '' - Nix daemon process priority. This priority propagates to build processes. - 0 is the default Unix process priority, 19 is the lowest. - ''; - }; - - nix.daemonIONice = mkOption { - type = types.bool; - default = false; - description = '' - Whether the Nix daemon process should considered to be low priority when - doing file system I/O. - ''; - }; - - nix.buildMachines = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { hostName = "voila.labs.cs.uu.nl"; - sshUser = "nix"; - sshKey = "/root/.ssh/id_buildfarm"; - system = "powerpc-darwin"; - maxJobs = 1; - } - { hostName = "linux64.example.org"; - sshUser = "buildfarm"; - sshKey = "/root/.ssh/id_buildfarm"; - system = "x86_64-linux"; - maxJobs = 2; - supportedFeatures = [ "kvm" ]; - mandatoryFeatures = [ "perf" ]; - } - ]; - description = '' - This option lists the machines to be used if distributed - builds are enabled (see - ). 
Nix will perform - derivations on those machines via SSH by copying the inputs - to the Nix store on the remote machine, starting the build, - then copying the output back to the local Nix store. Each - element of the list should be an attribute set containing - the machine's host name (hostname), the - user name to be used for the SSH connection - (sshUser), the Nix system type - (system, e.g., - "i686-linux"), the maximum number of - jobs to be run in parallel on that machine - (maxJobs), the path to the SSH private - key to be used to connect (sshKey), a - list of supported features of the machine - (supportedFeatures) and a list of - mandatory features of the machine - (mandatoryFeatures). The SSH private key - should not have a passphrase, and the corresponding public - key should be added to - ~sshUser/authorized_keys - on the remote machine. - ''; - }; - - # Environment variables for running Nix. - nix.envVars = mkOption { - type = types.attrs; - internal = true; - default = {}; - description = "Environment variables used by Nix."; - }; - - nix.readOnlyStore = mkOption { - type = types.bool; - default = true; - description = '' - If set, NixOS will enforce the immutability of the Nix store - by making /nix/store a read-only bind - mount. Nix will automatically make the store writable when - needed. - ''; - }; - - nix.binaryCaches = mkOption { - type = types.listOf types.str; - example = [ https://cache.example.org/ ]; - description = '' - List of binary cache URLs used to obtain pre-built binaries - of Nix packages. - ''; - }; - - nix.trustedBinaryCaches = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ https://hydra.example.org/ ]; - description = '' - List of binary cache URLs that non-root users can use (in - addition to those specified using - ) by passing - --option binary-caches to Nix commands. 
- ''; - }; - - nix.requireSignedBinaryCaches = mkOption { - type = types.bool; - default = true; - description = '' - If enabled (the default), Nix will only download binaries from binary caches if - they are cryptographically signed with any of the keys listed in - . If disabled, signatures are neither - required nor checked, so it's strongly recommended that you use only - trustworthy caches and https to prevent man-in-the-middle attacks. - ''; - }; - - nix.binaryCachePublicKeys = mkOption { - type = types.listOf types.str; - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - description = '' - List of public keys used to sign binary caches. If - is enabled, - then Nix will use a binary from a binary cache if and only - if it is signed by any of the keys - listed here. By default, only the key for - cache.nixos.org is included. - ''; - }; - - nix.trustedUsers = mkOption { - type = types.listOf types.str; - default = [ "root" ]; - example = [ "root" "alice" "@wheel" ]; - description = '' - A list of names of users that have additional rights when - connecting to the Nix daemon, such as the ability to specify - additional binary caches, or to import unsigned NARs. You - can also specify groups by prefixing them with - @; for instance, - @wheel means all users in the wheel - group. - ''; - }; - - nix.allowedUsers = mkOption { - type = types.listOf types.str; - default = [ "*" ]; - example = [ "@wheel" "@builders" "alice" "bob" ]; - description = '' - A list of names of users (separated by whitespace) that are - allowed to connect to the Nix daemon. As with - , you can specify groups by - prefixing them with @. Also, you can - allow all users by specifying *. The - default is *. Note that trusted users are - always allowed to connect. 
- ''; - }; - - nix.nixPath = mkOption { - type = mkOptionType { - name = "nix path"; - merge = loc: defs: - let - values = flatten (map (def: - (map (x: - if isAttrs x then (mapAttrsToList nameValuePair x) - else if isString x then x - else throw "The option value `${showOption loc}` in `${def.file}` is not a attset or string.") - (if isList def.value then def.value else [def.value]))) defs); - - namedPaths = mapAttrsToList (n: v: "${n}=${(head v).value}") - (zipAttrs - (map (x: { "${x.name}" = { inherit (x) value; }; }) - (filter isAttrs values))); - - searchPaths = unique - (filter isString values); - in - namedPaths ++ searchPaths; - }; - default = - [ # Include default path . - { darwin-config = "${config.environment.darwinConfig}"; } - "/nix/var/nix/profiles/per-user/root/channels" - "$HOME/.nix-defexpr/channels" - ]; - example = - [ { trunk = "/src/nixpkgs"; } - ]; - description = '' - The default Nix expression search path, used by the Nix - evaluator to look up paths enclosed in angle brackets - (e.g. <nixpkgs>). - - Named entries can be specified using an attribute set, if an - entry is configured multiple times the value with the lowest - ordering will be used. - ''; - }; - - nix.registry = mkOption { - type = types.attrsOf (types.submodule ( - let - inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]); - in - { config, name, ... }: - { options = { - from = mkOption { - type = inputAttrs; - example = { type = "indirect"; id = "nixpkgs"; }; - description = "The flake reference to be rewritten."; - }; - to = mkOption { - type = inputAttrs; - example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; - description = "The flake reference to which is to be rewritten."; - }; - flake = mkOption { - type = types.unspecified; - default = null; - example = literalExpression "nixpkgs"; - description = '' - The flake input to which is to be rewritten. 
- ''; - }; - exact = mkOption { - type = types.bool; - default = true; - description = '' - Whether the reference needs to match exactly. If set, - a reference like nixpkgs does not - match with a reference like nixpkgs/nixos-20.03. - ''; - }; - }; - config = { - from = mkDefault { type = "indirect"; id = name; }; - to = mkIf (config.flake != null) - ({ type = "path"; - path = config.flake.outPath; - } // lib.filterAttrs - (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") - config.flake); - }; - } - )); - default = {}; - description = '' - A system-wide flake registry. - ''; + /* + For consistency with the setgid(2), setuid(2), and setgroups(2) + calls in `libstore/build.cc', don't add any supplementary group + here except "nixbld". + */ + uid = builtins.add config.ids.uids.nixbld nr; + gid = config.ids.gids.nixbld; }; }; + nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); + + nixConf = + assert isNixAtLeast "2.2"; + let + + mkValueString = v: + if v == null then "" + else if isInt v then toString v + else if isBool v then boolToString v + else if isFloat v then floatToString v + else if isList v then toString v + else if isDerivation v then toString v + else if builtins.isPath v then toString v + else if isString v then v + else if isCoercibleToString v then toString v + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; + + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; + + mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + + in + pkgs.writeTextFile { + name = "nix.conf"; + text = '' + # WARNING: this file is generated from the nix.* options in + # your nix-darwin configuration. Do not edit it! 
+ ${mkKeyValuePairs cfg.settings} + ${cfg.extraOptions} + ''; + checkPhase = + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' + echo "Ignoring validation for cross-compilation" + '' + else '' + echo "Validating generated nix.conf" + ln -s $out ./nix.conf + set -e + set +o pipefail + NIX_CONF_DIR=$PWD \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ + |& sed -e 's/^warning:/error:/' \ + | (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') + set -o pipefail + ''; + }; + + legacyConfMappings = { + useSandbox = "sandbox"; + buildCores = "cores"; + maxJobs = "max-jobs"; + sandboxPaths = "extra-sandbox-paths"; + binaryCaches = "substituters"; + trustedBinaryCaches = "trusted-substituters"; + binaryCachePublicKeys = "trusted-public-keys"; + autoOptimiseStore = "auto-optimise-store"; + requireSignedBinaryCaches = "require-sigs"; + trustedUsers = "trusted-users"; + allowedUsers = "allowed-users"; + # systemFeatures = "system-features"; + }; + + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); + + # Not in NixOS module + nixPathType = mkOptionType { + name = "nix path"; + merge = loc: defs: + let + values = flatten (map (def: + (map (x: + if isAttrs x then (mapAttrsToList nameValuePair x) + else if isString x then x + else throw "The option value `${showOption loc}` in `${def.file}` is not a attset or string.") + (if isList def.value then def.value else [def.value]))) defs); + + namedPaths = mapAttrsToList (n: v: "${n}=${(head v).value}") + (zipAttrs + (map (x: { "${x.name}" = { inherit (x) value; }; }) + (filter isAttrs values))); + + searchPaths = unique + (filter isString values); + in 
+ namedPaths ++ searchPaths; + }; + +in + +{ + imports = + let + altOption = alt: "No `nix-darwin` equivilant to this NixOS option, consider using `${alt}` instead."; + consider = alt: "Consider using `${alt}` instead."; + in + [ + # Only ever in NixOS + (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivilant to this NixOS option.") + (mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType")) + (mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType")) + (mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority")) + + # Option changes in `nix-darwin` + (mkRemovedOptionModule [ "nix" "profile" ] "Use `nix.package` instead.") + (mkRemovedOptionModule [ "nix" "version" ] (consider "nix.package.version")) + (mkRenamedOptionModule [ "users" "nix" "configureBuildUsers" ] [ "nix" "configureBuildUsers" ]) + (mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ]) + (mkRenamedOptionModule [ "nix" "daemonIONice" ] [ "nix" "daemonIOLowPriority" ]) + (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] (consider "nix.daemonProcessType")) + ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; + + ###### interface + + options = { + + nix = { + + package = mkOption { + type = types.package; + default = pkgs.nix; + defaultText = literalExpression "pkgs.nix"; + description = '' + This option specifies the Nix package instance to use throughout the system. + ''; + }; + + # Not in NixOS module + useDaemon = mkOption { + type = types.bool; + default = false; + description = " + If set, Nix will use the daemon to perform operations. + Use this instead of services.nix-daemon.enable if you don't wan't the + daemon service to be managed for you. 
+ "; + }; + + distributedBuilds = mkOption { + type = types.bool; + default = false; + description = '' + Whether to distribute builds to the machines listed in + . + + NOTE: This requires services.nix-daemon.enable for a + multi-user install. + ''; + }; + + # Not in NixOS module + daemonProcessType = mkOption { + type = types.enum [ "Background" "Standard" "Adaptive" "Interactive" ]; + default = "Standard"; + description = '' + Nix daemon process resource limits class. These limits propagate to + build processes. Standard is the default process type + and will apply light resource limits, throttling its CPU usage and I/O + bandwidth. + + See man launchd.plist for explanation of other + process types. + ''; + }; + + # Not in NixOS module + daemonIOLowPriority = mkOption { + type = types.bool; + default = false; + description = '' + Whether the Nix daemon process should considered to be low priority when + doing file system I/O. + ''; + }; + + buildMachines = mkOption { + type = types.listOf (types.submodule { + options = { + hostName = mkOption { + type = types.str; + example = "nixbuilder.example.org"; + description = '' + The hostname of the build machine. + ''; + }; + system = mkOption { + type = types.nullOr types.str; + default = null; + example = "x86_64-linux"; + description = '' + The system type the build machine can execute derivations on. + Either this attribute or systems must be + present, where system takes precedence if + both are set. + ''; + }; + systems = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "x86_64-linux" "aarch64-linux" ]; + description = '' + The system types the build machine can execute derivations on. + Either this attribute or system must be + present, where system takes precedence if + both are set. + ''; + }; + sshUser = mkOption { + type = types.nullOr types.str; + default = null; + example = "builder"; + description = '' + The username to log in as on the remote host. 
This user must be + able to log in and run nix commands non-interactively. It must + also be privileged to build derivations, so must be included in + . + ''; + }; + sshKey = mkOption { + type = types.nullOr types.str; + default = null; + example = "/root/.ssh/id_buildhost_builduser"; + description = '' + The path to the SSH private key with which to authenticate on + the build machine. The private key must not have a passphrase. + If null, the building user (root on NixOS machines) must have an + appropriate ssh configuration to log in non-interactively. + + Note that for security reasons, this path must point to a file + in the local filesystem, *not* to the nix store. + ''; + }; + maxJobs = mkOption { + type = types.int; + default = 1; + description = '' + The number of concurrent jobs the build machine supports. The + build machine will enforce its own limits, but this allows hydra + to schedule better since there is no work-stealing between build + machines. + ''; + }; + speedFactor = mkOption { + type = types.int; + default = 1; + description = '' + The relative speed of this builder. This is an arbitrary integer + that indicates the speed of this builder, relative to other + builders. Higher is faster. + ''; + }; + mandatoryFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "big-parallel" ]; + description = '' + A list of features mandatory for this builder. The builder will + be ignored for derivations that don't require all features in + this list. All mandatory features are automatically included in + supportedFeatures. + ''; + }; + supportedFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "kvm" "big-parallel" ]; + description = '' + A list of features supported by this builder. The builder will + be ignored for derivations that require features not in this + list. 
+ ''; + }; + publicHostKey = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The (base64-encoded) public host key of this builder. The field + is calculated via base64 -w0 /etc/ssh/ssh_host_type_key.pub. + If null, SSH will use its regular known-hosts file when connecting. + ''; + }; + }; + }); + default = [ ]; + description = '' + This option lists the machines to be used if distributed builds are + enabled (see ). + Nix will perform derivations on those machines via SSH by copying the + inputs to the Nix store on the remote machine, starting the build, + then copying the output back to the local Nix store. + ''; + }; + + # Environment variables for running Nix. + envVars = mkOption { + type = types.attrs; + internal = true; + default = { }; + description = "Environment variables used by Nix."; + }; + + # Not in NixOS module + configureBuildUsers = mkOption { + type = types.bool; + default = false; + description = '' + Enable configuration for nixbld group and users. + ''; + }; + + nrBuildUsers = mkOption { + type = types.int; + description = '' + Number of nixbld user accounts created to + perform secure concurrent builds. If you receive an error + message saying that “all build users are currently in use”, + you should increase this value. + ''; + }; + + readOnlyStore = mkOption { + type = types.bool; + default = true; + description = '' + If set, Nix will enforce the immutability of the Nix store + by making /nix/store a read-only bind + mount. Nix will automatically make the store writable when + needed. + ''; + }; + + # Definition differs substantially from NixOS module + nixPath = mkOption { + type = nixPathType; + default = [ + # Include default path . + { darwin-config = "${config.environment.darwinConfig}"; } + "/nix/var/nix/profiles/per-user/root/channels" + ]; + description = '' + The default Nix expression search path, used by the Nix + evaluator to look up paths enclosed in angle brackets + (e.g. <nixpkgs>). 
+ + Named entries can be specified using an attribute set, if an + entry is configured multiple times the value with the lowest + ordering will be used. + ''; + }; + + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + If enabled (the default), checks for data type mismatches and that Nix + can parse the generated nix.conf. + ''; + }; + + registry = mkOption { + type = types.attrsOf (types.submodule ( + let + referenceAttrs = with types; attrsOf (oneOf [ + str + int + bool + package + ]); + in + { config, name, ... }: + { + options = { + from = mkOption { + type = referenceAttrs; + example = { type = "indirect"; id = "nixpkgs"; }; + description = "The flake reference to be rewritten."; + }; + to = mkOption { + type = referenceAttrs; + example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; + description = "The flake reference is rewritten to."; + }; + flake = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExpression "nixpkgs"; + description = '' + The flake input is rewritten to. + ''; + }; + exact = mkOption { + type = types.bool; + default = true; + description = '' + Whether the reference needs to match exactly. If set, + a reference like nixpkgs does not + match with a reference like nixpkgs/nixos-20.03. + ''; + }; + }; + config = { + from = mkDefault { type = "indirect"; id = name; }; + to = mkIf (config.flake != null) (mkDefault + { + type = "path"; + path = config.flake.outPath; + } // filterAttrs + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake); + }; + } + )); + default = { }; + description = '' + A system-wide flake registry. 
+ ''; + }; + + extraOptions = mkOption { + type = types.lines; + default = ""; + example = '' + keep-outputs = true + keep-derivations = true + ''; + description = "Additional text appended to nix.conf."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = '' + This option defines the maximum number of concurrent tasks during + one build. It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = false; + description = '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. 
This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + ) by passing + --option binary-caches to Nix commands. + ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + . If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. + ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = '' + List of public keys used to sign binary caches. If + is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by any of the keys + listed here. By default, only the key for + cache.nixos.org is included. 
+ ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@admin" ]; + description = '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + @; for instance, + @admin means all users in the wheel + group. + ''; + }; + + # Not implemented yet + # system-features = mkOption { + # type = types.listOf types.str; + # example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + # description = '' + # The set of features supported by the machine. Derivations + # can express dependencies on system features through the + # requiredSystemFeatures attribute. + + # By default, pseudo-features nixos-test, benchmark, + # and big-parallel used in Nixpkgs are set, kvm + # is also included in it is avaliable. + # ''; + # }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@admin" "@builders" "alice" "bob" ]; + description = '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + , you can specify groups by + prefixing them with @. Also, you can + allow all users by specifying *. The + default is *. Note that trusted users are + always allowed to connect. + ''; + }; + }; + }; + default = { }; + description = '' + Configuration for Nix, see + + for avalaible options. + The value declared here will be translated directly to the key-value pairs Nix expects. + + + Nix configurations defined under will be translated and applied to this + option. In addition, configuration specified in which will be appended + verbatim to the resulting config file. 
+ ''; + }; + }; + }; + + + ###### implementation + config = { - - warnings = [ - (mkIf (!config.services.activate-system.enable && cfg.distributedBuilds) "services.activate-system is not enabled, a reboot could cause distributed builds to stop working.") - (mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.") - ]; - - nix.binaryCaches = mkAfter [ https://cache.nixos.org/ ]; - nix.binaryCachePublicKeys = mkAfter [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - - nix.nixPath = mkMerge [ - (mkIf (config.system.stateVersion < 2) (mkDefault - [ "darwin=$HOME/.nix-defexpr/darwin" - "darwin-config=$HOME/.nixpkgs/darwin-configuration.nix" - "/nix/var/nix/profiles/per-user/root/channels" - ])) - (mkIf (config.system.stateVersion > 3) (mkOrder 1200 - [ { darwin-config = "${config.environment.darwinConfig}"; } - "/nix/var/nix/profiles/per-user/root/channels" - "$HOME/.nix-defexpr/channels" - ])) - ]; - - - nix.package = mkIf (config.system.stateVersion < 3) - (mkDefault "/nix/var/nix/profiles/default"); - - nix.version = mkIf (isDerivation cfg.package) cfg.package.version or ""; - - environment.systemPackages = mkIf (isDerivation cfg.package) - [ cfg.package ]; + environment.systemPackages = + [ + nixPackage + pkgs.nix-info + ] + ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; environment.etc."nix/nix.conf".source = nixConf; + # Not in NixOS module environment.etc."nix/nix.conf".knownSha256Hashes = [ "7c2d80499b39256b03ee9abd3d6258343718306aca8d472c26ac32c9b0949093" # nix installer "19299897fa312d9d32b3c968c2872dd143085aa727140cec51f57c59083e93b9" 
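Review bot: The `sshKey` option of `nix.buildMachines` says the key path must not point into the Nix store, but its type is `types.nullOr types.str` and nothing in this hunk enforces that. A value produced by path interpolation (a constructed example: `"${./id_builder}"`) would evaluate to a store path and leave the passphrase-less private key in the store, which is readable by all local users. An assertion next to the `badMachine` one would catch it: `{ assertion = all (m: m.sshKey == null || !(hasPrefix builtins.storeDir m.sshKey)) cfg.buildMachines; message = "nix.buildMachines.*.sshKey must not point into the Nix store"; }`. The assertions list is in the following hunk, which is cut off in this view, so an equivalent check may already exist there. Separately, the `trusted-users` description now uses `@admin` in its example but still says it means "all users in the wheel group"; it should name the `admin` group so readers see how wide the grant is.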
@@ -445,36 +672,110 @@ in }; # List of machines for distributed Nix builds in the format - # expected by build-remote. - environment.etc."nix/machines" = - { enable = cfg.buildMachines != []; - text = - concatMapStrings (machine: - "${if machine ? sshUser then "${machine.sshUser}@" else ""}${machine.hostName} " - + machine.system or (concatStringsSep "," machine.systems) - + " ${machine.sshKey or "-"} ${toString machine.maxJobs or 1} " - + toString (machine.speedFactor or 1) - + " " - + concatStringsSep "," (machine.mandatoryFeatures or [] ++ machine.supportedFeatures or []) - + " " - + concatStringsSep "," machine.mandatoryFeatures or [] + # expected by build-remote.pl. + environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) { + text = + concatMapStrings + (machine: + (concatStringsSep " " ([ + "${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" + (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") + (if machine.sshKey != null then machine.sshKey else "-") + (toString machine.maxJobs) + (toString machine.speedFactor) + (concatStringsSep "," (machine.supportedFeatures ++ machine.mandatoryFeatures)) + (concatStringsSep "," machine.mandatoryFeatures) + ] + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) + "\n" - ) cfg.buildMachines; - }; + ) + cfg.buildMachines; + }; - environment.extraInit = '' - # Set up secure multi-user builds: non-root users build through the - # Nix daemon. - if [ ! 
-w /nix/var/nix/db ]; then - export NIX_REMOTE=daemon - fi - ''; + assertions = + let + badMachine = m: m.system == null && m.systems == [ ]; + + # Not in NixOS module + createdGroups = mapAttrsToList (n: v: v.name) config.users.groups; + createdUsers = mapAttrsToList (n: v: v.name) config.users.users; + in + [ + { + assertion = !(any badMachine cfg.buildMachines); + message = '' + At least one system type (via system or + systems) must be set for every build machine. + Invalid machine specifications: + '' + " " + + (concatStringsSep "\n " + (map (m: m.hostName) + (filter (badMachine) cfg.buildMachines))); + } + + # Not in NixOS module + { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } + { assertion = elem "_nixbld1" config.users.knownGroups -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } + { assertion = config.users.groups ? 
"nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } + ]; + + # Not in NixOS module + warnings = [ + (mkIf (!config.services.activate-system.enable && cfg.distributedBuilds) "services.activate-system is not enabled, a reboot could cause distributed builds to stop working.") + (mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.") + ]; + + # Not in NixOS module + nix.nixPath = mkMerge [ + (mkIf (config.system.stateVersion < 2) (mkDefault + [ "darwin=$HOME/.nix-defexpr/darwin" + "darwin-config=$HOME/.nixpkgs/darwin-configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ])) + (mkIf (config.system.stateVersion > 3) (mkOrder 1200 + [ { darwin-config = "${config.environment.darwinConfig}"; } + "/nix/var/nix/profiles/per-user/root/channels" + ])) + ]; # Set up the environment variables for running Nix. - environment.variables = cfg.envVars // - { NIX_PATH = concatStringsSep ":" cfg.nixPath; - }; + environment.variables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; + environment.extraInit = + '' + if [ -e "$HOME/.nix-defexpr/channels" ]; then + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" + fi + '' + + # Not in NixOS module + '' + # Set up secure multi-user builds: non-root users build through the + # Nix daemon. + if [ ! 
-w /nix/var/nix/db ]; then + export NIX_REMOTE=daemon + fi + ''; + + nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); + + users.users = mkIf cfg.configureBuildUsers nixbldUsers; + + # Not in NixOS module + users.groups.nixbld = mkIf cfg.configureBuildUsers { + description = "Nix build group for nix-daemon"; + gid = config.ids.gids.nixbld; + members = attrNames nixbldUsers; + }; + users.knownUsers = + let nixbldUserNames = attrNames nixbldUsers; + in + mkIf cfg.configureBuildUsers (mkMerge [ + nixbldUserNames + (map (removePrefix "_") nixbldUserNames) # delete old style nixbld users + ]); + users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ]; + + # Unreladed to use in NixOS module system.activationScripts.nix-daemon.text = mkIf cfg.useDaemon '' if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null; then echo "reloading nix-daemon..." >&2 @@ -486,5 +787,31 @@ in done ''; + # Legacy configuration conversion. + nix.settings = mkMerge [ + { + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + substituters = mkAfter [ "https://cache.nixos.org/" ]; + + # Not implemented yet + # system-features = mkDefault ( + # [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + # optionals (pkgs.hostPlatform ? gcc.arch) ( + # # a builder can run code for `gcc.arch` and inferior architectures + # [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ + # map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} + # ) + # ); + } + + (mkIf (!cfg.distributedBuilds) { builders = null; }) + + (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) + + # Not in NixOS module + (mkIf cfg.useDaemon { build-users-group = "nixbld"; }) + ]; + }; + } diff --git a/modules/nix/nix-info.nix b/modules/nix/nix-info.nix deleted file mode 100644 index 146a08c0..00000000 --- a/modules/nix/nix-info.nix +++ /dev/null 
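Review bot: In the new `environment.etc."nix/machines"` text both feature columns are written as `concatStringsSep "," …`, which is an empty string for a machine with no features, and on Nix >= 2.4pre the `publicHostKey` column now follows them. If the machines-file reader splits on runs of whitespace (I believe it does, but it is not shown here), the empty columns vanish and the pinned host key is read as a feature list instead of being used to verify the builder. Emitting a placeholder keeps the columns aligned: `(let fs = machine.supportedFeatures ++ machine.mandatoryFeatures; in if fs == [ ] then "-" else concatStringsSep "," fs)`, and the same for `machine.mandatoryFeatures`. The old code also produced empty columns, but nothing came after them.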
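Review bot: The comment `# Legacy configuration conversion.` above `nix.settings = mkMerge [` does not describe the block. Nothing visible in this hunk converts an old option; it sets defaults for the cache.nixos.org key and substituter, `builders`, `sandbox-fallback` and `build-users-group`. I would reword it to something like `# Default settings written to nix.conf.` and add a why-comment on the sandbox line, e.g. `# Fail the build rather than silently running it unsandboxed when the sandbox cannot be set up.` It is also worth a comment on why `substituters` uses `mkAfter` while `trusted-public-keys` is a plain definition, so the next reader does not have to guess whether the difference is intended.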
@@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - nix-info = pkgs.nix-info or null; -in - -{ - config = { - - environment.systemPackages = mkIf (nix-info != null) [ nix-info ]; - - }; -} diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index 735d92c9..5e87e513 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -48,9 +48,8 @@ in "/bin/sh" "-c" "/bin/wait4path ${config.nix.package}/bin/nix-daemon && exec ${config.nix.package}/bin/nix-daemon" ]; - serviceConfig.ProcessType = mkDefault "Interactive"; - serviceConfig.LowPriorityIO = config.nix.daemonIONice; - serviceConfig.Nice = config.nix.daemonNiceLevel; + serviceConfig.ProcessType = config.nix.daemonProcessType; + serviceConfig.LowPriorityIO = config.nix.daemonIOLowPriority; serviceConfig.Label = "org.nixos.nix-daemon"; # must match daemon installed by Nix regardless of the launchd label Prefix serviceConfig.SoftResourceLimits.NumberOfFiles = mkDefault 4096; serviceConfig.StandardErrorPath = cfg.logFile; diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix index 57b3e22d..fca68037 100644 --- a/modules/services/nix-gc/default.nix +++ b/modules/services/nix-gc/default.nix @@ -1,4 +1,6 @@ -{ config, lib, pkgs, ... }: +# Based off: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/nix-gc.nix +# When making changes please try to keep it in sync. +{ config, lib, ... }: with lib; 
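Review bot: In the nix-daemon.nix hunk, `serviceConfig.ProcessType = config.nix.daemonProcessType;` drops the `mkDefault` that the old line carried. A configuration that sets this launchd `ProcessType` directly used to override the module value. It will now presumably fail with a conflicting-definition error unless it uses `mkForce`; the option's type is declared outside this hunk, so that is inferred. If the override path should keep working, write `serviceConfig.ProcessType = mkDefault config.nix.daemonProcessType;`. Otherwise note the change in the CHANGELOG entry next to the `daemonNiceLevel` removal. The surrounding daemon definition starts and ends outside the hunk.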
@@ -7,36 +9,54 @@ let in { + imports = [ + (mkRemovedOptionModule [ "nix" "gc" "dates" ] "Use `nix.gc.interval` instead.") + (mkRemovedOptionModule [ "nix" "gc" "randomizedDelaySec" ] "No `nix-darwin` equivilant to this NixOS option.") + (mkRemovedOptionModule [ "nix" "gc" "persistent" ] "No `nix-darwin` equivilant to this NixOS option.") + ]; + + ###### interface + options = { - nix.gc.automatic = mkOption { - type = types.bool; - default = false; - description = "Automatically run the garbage collector at a specific time."; + + nix.gc = { + + automatic = mkOption { + default = false; + type = types.bool; + description = "Automatically run the garbage collector at a specific time."; + }; + + # Not in NixOS module + user = mkOption { + type = types.nullOr types.str; + default = null; + description = "User that runs the garbage collector."; + }; + + interval = mkOption { + type = types.attrs; + default = { Hour = 3; Minute = 15; }; + description = "The time interval at which the garbage collector will run."; + }; + + options = mkOption { + default = ""; + example = "--max-freed $((64 * 1024**3))"; + type = types.str; + description = '' + Options given to nix-collect-garbage when the + garbage collector is run automatically. + ''; + }; + }; - nix.gc.user = mkOption { - type = types.nullOr types.str; - default = null; - description = "User that runs the garbage collector."; - }; - - nix.gc.interval = mkOption { - type = types.attrs; - default = { Hour = 3; Minute = 15; }; - description = "The time interval at which the garbage collector will run."; - }; - - nix.gc.options = mkOption { - type = types.str; - default = ""; - example = "--max-freed $((64 * 1024**3))"; - description = '' - Options given to nix-collect-garbage when the - garbage collector is run automatically. - ''; - }; }; + + ###### implementation + config = mkIf cfg.automatic { launchd.daemons.nix-gc = { diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 3500e913..4ce69912 100644 
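Review bot: The two `mkRemovedOptionModule` messages for `randomizedDelaySec` and `persistent` spell "equivilant"; this text is shown to users at evaluation time and should read "equivalent". Separately, `nix.gc.options` is a free-form `types.str` whose example relies on shell arithmetic (`$((64 * 1024**3))`), which implies the string is expanded by a shell when the collector runs. The command itself is built outside this hunk, so that is inferred. The description should say so, for example by adding "The string is expanded by the shell, so build it only from trusted configuration values." `interval` is typed `types.attrs`, which accepts any attribute set, so a misspelled key such as `Hours` would pass evaluation unnoticed.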
--- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -54,7 +54,7 @@ let echo >&2 echo "or enable to automatically manage the users" >&2 echo >&2 - echo " users.nix.configureBuildUsers = true;" >&2 + echo " nix.configureBuildUsers = true;" >&2 echo >&2 fi ''; @@ -125,7 +125,9 @@ let ''; nixPath = '' - darwinConfig=$(NIX_PATH=${concatStringsSep ":" config.nix.nixPath} nix-instantiate --find-file darwin-config) || true + nixPath=${concatStringsSep ":" config.nix.nixPath}:$HOME/.nix-defexpr/channels + + darwinConfig=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin-config) || true if ! test -e "$darwinConfig"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Create ''${darwinConfig:-~/.nixpkgs/darwin-configuration.nix} or set environment.darwinConfig:" >&2 @@ -139,7 +141,7 @@ let exit 2 fi - darwinPath=$(NIX_PATH=${concatStringsSep ":" config.nix.nixPath} nix-instantiate --find-file darwin) || true + darwinPath=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin) || true if ! test -e "$darwinPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add the darwin repo as a channel or set nix.nixPath:" >&2 @@ -153,7 +155,7 @@ let exit 2 fi - nixpkgsPath=$(NIX_PATH=${concatStringsSep ":" config.nix.nixPath} nix-instantiate --find-file nixpkgs) || true + nixpkgsPath=$(NIX_PATH=$nixPath nix-instantiate --find-file nixpkgs) || true if ! test -e "$nixpkgsPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add a nixpkgs channel or set nix.nixPath:" >&2 diff --git a/modules/users/nixbld/default.nix b/modules/users/nixbld/default.nix deleted file mode 100644 index 8dadd562..00000000 --- a/modules/users/nixbld/default.nix +++ /dev/null 
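Review bot: The new `nixPath=…:$HOME/.nix-defexpr/channels` line in the `@@ -125` hunk puts the per-user channels directory last in the search path. The `environment.extraInit` change to modules/nix/default.nix in this same commit puts it first, and only when the directory exists. Earlier NIX_PATH entries take precedence, so the `--find-file` checks here and in the `@@ -139` and `@@ -153` hunks, which reuse `$nixPath`, can resolve `darwin` or `nixpkgs` to a different channel than the user's login shell will. The activation check would then validate a path that is not the one actually used. I would use the same order in both places and quote the assignment, `nixPath="$HOME/.nix-defexpr/channels:${concatStringsSep ":" config.nix.nixPath}"`, or add a comment saying why the check deliberately prefers the root channels. The `nixPath` script body continues outside these hunks.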
@@ -1,70 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.users; - - named = xs: listToAttrs (map (x: { name = x.name; value = x; }) xs); - - createdGroups = mapAttrsToList (n: v: v.name) cfg.groups; - createdUsers = mapAttrsToList (n: v: v.name) cfg.users; - - mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers; - - buildUsers = mkUsers (i: { - name = "_nixbld${toString i}"; - uid = 300 + i; - gid = 300; - description = "Nix build user ${toString i}"; - }); - - buildGroups = [{ - name = "nixbld"; - gid = 30000; - description = "Nix build group for nix-daemon"; - members = map (v: v.name) buildUsers; - }]; -in - -{ - options = { - users.nix.configureBuildUsers = mkOption { - type = types.bool; - default = false; - description = '' - Configuration for nixbld group and users. - NOTE: This does not work unless knownGroups/knownUsers is set. - ''; - }; - - users.nix.nrBuildUsers = mkOption { - type = mkOptionType { - name = "integer"; - check = t: isInt t && t > 1; - }; - default = 32; - description = "Number of nixbld user accounts created to perform secure concurrent builds."; - }; - }; - - config = { - - assertions = [ - { assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } - { assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } - { assertion = cfg.groups ? 
"nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } - ]; - - users.groups = mkIf cfg.nix.configureBuildUsers (named buildGroups); - users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers); - - users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ]; - users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [ - (mkUsers (i: "_nixbld${toString i}")) - (mkUsers (i: "nixbld${toString i}")) # delete old style nixbld users - ]); - - }; -} - diff --git a/pkgs/darwin-installer/configuration.nix b/pkgs/darwin-installer/configuration.nix index 7aafbfd4..a0e58a16 100644 --- a/pkgs/darwin-installer/configuration.nix +++ b/pkgs/darwin-installer/configuration.nix @@ -5,6 +5,6 @@ with lib; { imports = [ ./installer.nix ]; - users.nix.configureBuildUsers = true; + nix.configureBuildUsers = true; users.knownGroups = [ "nixbld" ]; } diff --git a/pkgs/darwin-installer/default.nix b/pkgs/darwin-installer/default.nix index cf1c7058..496aa4f0 100644 --- a/pkgs/darwin-installer/default.nix +++ b/pkgs/darwin-installer/default.nix 
@@ -145,13 +145,13 @@ stdenv.mkDerivation { env -i USER=john HOME=/Users/john bash -li -c 'echo $PATH' env -i USER=john HOME=/Users/john bash -li -c 'echo $PATH' | grep /Users/john/.nix-profile/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin env -i USER=john HOME=/Users/john bash -li -c 'echo $NIX_PATH' - env -i USER=john HOME=/Users/john bash -li -c 'echo $NIX_PATH' | grep darwin-config=/Users/john/.nixpkgs/darwin-configuration.nix:/nix/var/nix/profiles/per-user/root/channels:/Users/john/.nix-defexpr/channels + env -i USER=john HOME=/Users/john bash -li -c 'echo $NIX_PATH' | grep darwin-config=/Users/john/.nixpkgs/darwin-configuration.nix:/nix/var/nix/profiles/per-user/root/channels echo >&2 "checking zsh environment" env -i USER=john HOME=/Users/john zsh -l -c 'echo $PATH' env -i USER=john HOME=/Users/john zsh -l -c 'echo $PATH' | grep /Users/john/.nix-profile/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin - env -i USER=john HOME=/Users/john zsh -l -c 'echo $NIX_PATH' | grep darwin-config=/Users/john/.nixpkgs/darwin-configuration.nix:/nix/var/nix/profiles/per-user/root/channels:/Users/john/.nix-defexpr/channels env -i USER=john HOME=/Users/john zsh -l -c 'echo $NIX_PATH' + env -i USER=john HOME=/Users/john zsh -l -c 'echo $NIX_PATH' | grep darwin-config=/Users/john/.nixpkgs/darwin-configuration.nix:/nix/var/nix/profiles/per-user/root/channels echo >&2 ok exit diff --git a/tests/checks-nix-gc.nix b/tests/checks-nix-gc.nix index fde6211e..75700ccb 100644 --- a/tests/checks-nix-gc.nix +++ b/tests/checks-nix-gc.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: let - nix = pkgs.runCommand "nix-0.0.0" {} "mkdir -p $out"; + nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; in { diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix index 6c972df2..5405d01f 100644 --- a/tests/services-nix-daemon.nix 
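Review bot: After this change the `$NIX_PATH` assertions for bash and zsh in the darwin-installer check no longer mention `/Users/john/.nix-defexpr/channels`, so the new conditional prepend from `environment.extraInit` is not covered. The `grep` is an unanchored regex match, so it passes whether or not something is placed in front of `darwin-config=…`. Matching the whole line with a fixed string would pin the value, e.g. `grep -xF 'darwin-config=/Users/john/.nixpkgs/darwin-configuration.nix:/nix/var/nix/profiles/per-user/root/channels'`, assuming the channels directory does not exist for the test user. A second case that creates the directory and expects the prefixed value would cover the other branch.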
+++ b/tests/services-nix-daemon.nix @@ -2,7 +2,7 @@ let cacert = pkgs.runCommand "cacert-0.0.0" {} "mkdir -p $out"; - nix = pkgs.runCommand "nix-0.0.0" { version = "1.11.6"; } "mkdir -p $out"; + nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; in { diff --git a/tests/services-nix-gc.nix b/tests/services-nix-gc.nix index 915d1622..e28c3df2 100644 --- a/tests/services-nix-gc.nix +++ b/tests/services-nix-gc.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: let - nix = pkgs.runCommand "nix-0.0.0" {} "mkdir -p $out"; + nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; in { diff --git a/tests/sockets-nix-daemon.nix b/tests/sockets-nix-daemon.nix index d1b2827b..0eb09a77 100644 --- a/tests/sockets-nix-daemon.nix +++ b/tests/sockets-nix-daemon.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: let - nix = pkgs.runCommand "nix-0.0.0" {} "mkdir -p $out"; + nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; in {