Move build user options to nix module to improve overlap with NixOS

Also add `config.ids` like in NixOS.
2025-03-13 20:30:02 +00:00 · 2022-08-13 19:18:48 -07:00 · 2022-08-13 19:18:48 -07:00 · 7e74c1c9fb
commit 7e74c1c9fb
parent f88286eda0
7 changed files with 129 additions and 82 deletions
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@ -357,6 +357,6 @@
  #     path = /etc/per-user/lnl/gitconfig
  # environment.etc."per-user/lnl/gitconfig".text = builtins.readFile "${inputs.dotfiles}/git/gitconfig";

-  users.nix.configureBuildUsers = true;
-  users.nix.nrBuildUsers = 32;
+  nix.configureBuildUsers = true;
+  nix.nrBuildUsers = 32;
 }
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -0,0 +1,50 @@
+# Based on: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
+
+# This module defines the global list of uids and gids.  We keep a
+# central list to prevent id collisions.
+
+# IMPORTANT!
+# We only add static uids and gids for services where it is not feasible
+# to change uids/gids on service start, in example a service with a lot of
+# files.
+
+{ lib, ... }:
+
+let
+  inherit (lib) types;
+in
+{
+  options = {
+
+    ids.uids = lib.mkOption {
+      internal = true;
+      description = ''
+        The user IDs used in NixOS.
+      '';
+      type = types.attrsOf types.int;
+    };
+
+    ids.gids = lib.mkOption {
+      internal = true;
+      description = ''
+        The group IDs used in NixOS.
+      '';
+      type = types.attrsOf types.int;
+    };
+
+  };
+
+
+  config = {
+
+    ids.uids = {
+      nixbld = 300;
+    };
+
+    ids.gids = {
+      nixbld = 30000;
+    };
+
+  };
+
+}
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -1,6 +1,7 @@
 [
  ./alias.nix
  ./documentation
+  ./misc/ids.nix
  ./misc/lib.nix
  ./security/pki
  ./security/sandbox
@ -76,5 +77,4 @@
  ./programs/zsh
  ./homebrew.nix
  ./users
-  ./users/nixbld
 ]
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@ -10,6 +10,23 @@ let

  isNixAtLeast = versionAtLeast (getVersion nixPackage);

+  makeNixBuildUser = nr: {
+    name = "_nixbld${toString nr}";
+    value = {
+      description = "Nix build user ${toString nr}";
+
+      /*
+        For consistency with the setgid(2), setuid(2), and setgroups(2)
+        calls in `libstore/build.cc', don't add any supplementary group
+        here except "nixbld".
+      */
+      uid = builtins.add config.ids.uids.nixbld nr;
+      gid = config.ids.gids.nixbld;
+    };
+  };
+
+  nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
+
  nixConf =
    assert isNixAtLeast "2.2";
    let
@ -117,6 +134,8 @@ in
  imports = [
    (mkRemovedOptionModule [ "nix" "profile" ] "Use `nix.package` instead.")
    (mkRemovedOptionModule [ "nix" "version" ] "Consider using `nix.package.version` instead.")
+    (mkRenamedOptionModule [ "users" "nix" "configureBuildUsers" ] [ "nix" "configureBuildUsers" ])
+    (mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ])
  ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;

  ###### interface
@ -303,6 +322,25 @@ in
        description = "Environment variables used by Nix.";
      };

+      # Not in NixOS module
+      configureBuildUsers = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable configuration for nixbld group and users.
+        '';
+      };
+
+      nrBuildUsers = mkOption {
+        type = types.int;
+        description = ''
+          Number of <literal>nixbld</literal> user accounts created to
+          perform secure concurrent builds.  If you receive an error
+          message saying that “all build users are currently in use”,
+          you should increase this value.
+        '';
+      };
+
      readOnlyStore = mkOption {
        type = types.bool;
        default = true;
@ -592,12 +630,6 @@ in
  ###### implementation

  config = {
-    # Not in NixOS module
-    warnings = [
-      (mkIf (!config.services.activate-system.enable && cfg.distributedBuilds) "services.activate-system is not enabled, a reboot could cause distributed builds to stop working.")
-      (mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.")
-    ];
-
    environment.systemPackages =
      [
        nixPackage
@ -641,7 +673,12 @@ in
    };

    assertions =
-      let badMachine = m: m.system == null && m.systems == [ ];
+      let
+        badMachine = m: m.system == null && m.systems == [ ];
+
+        # Not in NixOS module
+        createdGroups = mapAttrsToList (n: v: v.name) config.users.groups;
+        createdUsers = mapAttrsToList (n: v: v.name) config.users.users;
      in
      [
        {
@ -655,8 +692,19 @@ in
            (map (m: m.hostName)
              (filter (badMachine) cfg.buildMachines)));
        }
+
+        # Not in NixOS module
+        { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
+        { assertion = elem "_nixbld1" config.users.knownGroups -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
+        { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
      ];

+    # Not in NixOS module
+    warnings = [
+      (mkIf (!config.services.activate-system.enable && cfg.distributedBuilds) "services.activate-system is not enabled, a reboot could cause distributed builds to stop working.")
+      (mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.")
+    ];
+
    # Not in NixOS module
    nix.nixPath = mkMerge [
      (mkIf (config.system.stateVersion < 2) (mkDefault
@ -683,6 +731,25 @@ in
      fi
    '';

+    nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
+
+    users.users = mkIf cfg.configureBuildUsers nixbldUsers;
+
+    # Not in NixOS module
+    users.groups.nixbld = mkIf cfg.configureBuildUsers {
+      description = "Nix build group for nix-daemon";
+      gid = config.ids.gids.nixbld;
+      members = attrNames nixbldUsers;
+    };
+    users.knownUsers =
+      let nixbldUserNames = attrNames nixbldUsers;
+      in
+      mkIf cfg.configureBuildUsers (mkMerge [
+        nixbldUserNames
+        (map (removePrefix "_") nixbldUserNames) # delete old style nixbld users
+      ]);
+    users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ];
+
    # Unreladed to use in NixOS module
    system.activationScripts.nix-daemon.text = mkIf cfg.useDaemon ''
      if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null; then
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@ -54,7 +54,7 @@ let
        echo >&2
        echo "or enable to automatically manage the users" >&2
        echo >&2
-        echo "    users.nix.configureBuildUsers = true;" >&2
+        echo "    nix.configureBuildUsers = true;" >&2
        echo >&2
    fi
  '';
--- a/modules/users/nixbld/default.nix
+++ b/modules/users/nixbld/default.nix
@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.users;
-
-  named = xs: listToAttrs (map (x: { name = x.name; value = x; }) xs);
-
-  createdGroups = mapAttrsToList (n: v: v.name) cfg.groups;
-  createdUsers = mapAttrsToList (n: v: v.name) cfg.users;
-
-  mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;
-
-  buildUsers = mkUsers (i: {
-    name = "_nixbld${toString i}";
-    uid = 300 + i;
-    gid = 300;
-    description = "Nix build user ${toString i}";
-  });
-
-  buildGroups = [{
-    name = "nixbld";
-    gid = 30000;
-    description = "Nix build group for nix-daemon";
-    members = map (v: v.name) buildUsers;
-  }];
-in
-
-{
-  options = {
-    users.nix.configureBuildUsers = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Configuration for nixbld group and users.
-        NOTE: This does not work unless knownGroups/knownUsers is set.
-      '';
-    };
-
-    users.nix.nrBuildUsers = mkOption {
-      type = mkOptionType {
-        name = "integer";
-        check = t: isInt t && t > 1;
-      };
-      default = 32;
-      description = "Number of nixbld user accounts created to perform secure concurrent builds.";
-    };
-  };
-
-  config = {
-
-    assertions = [
-      { assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
-      { assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
-      { assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
-    ];
-
-    users.groups = mkIf cfg.nix.configureBuildUsers (named buildGroups);
-    users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);
-
-    users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
-    users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
-      (mkUsers (i: "_nixbld${toString i}"))
-      (mkUsers (i: "nixbld${toString i}"))  # delete old style nixbld users
-    ]);
-
-  };
-}
-
--- a/pkgs/darwin-installer/configuration.nix
+++ b/pkgs/darwin-installer/configuration.nix
@ -5,6 +5,6 @@ with lib;
 {
  imports = [ <user-darwin-config> ./installer.nix ];

-  users.nix.configureBuildUsers = true;
+  nix.configureBuildUsers = true;
  users.knownGroups = [ "nixbld" ];
 }