mirrors/nix-darwin
1
0
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2024-12-14 11:57:34 +00:00
Code Activity

Update nix.settings def and implementation to match NixOS module

Browse source
This commit is contained in:
Malo Bourgon 2022-08-13 15:11:58 -07:00
parent 5f141365af
commit a00b3836a5
1 changed files with 273 additions and 161 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

434
modules/nix/default.nix
View file

@ -8,40 +8,55 @@ let
nixPackage = cfg.package.out;
isNixAtLeast = versionAtLeast (getVersion nixPackage);
nixConf =
assert isNixAtLeast "2.2";
let
# If we're using sandbox for builds, then provide /bin/sh in
# the sandbox as a bind-mount to bash. This means we also need to
# include the entire closure of bash.
sh = pkgs.stdenv.shell;
binshDeps = pkgs.writeReferencesToFile sh;
mkValueString = v:
if v == null then ""
else if isInt v then toString v
else if isBool v then boolToString v
else if isFloat v then floatToString v
else if isList v then toString v
else if isDerivation v then toString v
else if builtins.isPath v then toString v
else if isString v then v
else if isCoercibleToString v then toString v
else abort "The nix conf value: ${toPretty {} v} can not be encoded";
mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}";
mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs);
in
pkgs.runCommandNoCC "nix.conf"
{ preferLocalBuild = true; extraOptions = cfg.extraOptions; }
pkgs.writeTextFile {
name = "nix.conf";
text = ''
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
${mkKeyValuePairs cfg.settings}
${cfg.extraOptions}
'';
checkPhase =
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
echo "Ignoring validation for cross-compilation"
''
cat > $out <<END
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
${optionalString cfg.useDaemon ''
build-users-group = nixbld
''}
max-jobs = ${toString cfg.settings.max-jobs}
auto-optimise-store = ${if cfg.settings.auto-optimise-store then "true" else "false"}
cores = ${toString cfg.settings.cores}
sandbox = ${if (builtins.isBool cfg.settings.sandbox) then boolToString cfg.settings.sandbox else cfg.settings.sandbox}
${optionalString (cfg.settings.extra-sandbox-paths != []) ''
extra-sandbox-paths = ${toString cfg.settings.extra-sandbox-paths}
''}
substituters = ${toString cfg.settings.substituters}
trusted-substituters = ${toString cfg.settings.trusted-substituters}
trusted-public-keys = ${toString cfg.settings.trusted-public-keys}
require-sigs = ${if cfg.settings.require-sigs then "true" else "false"}
trusted-users = ${toString cfg.settings.trusted-users}
allowed-users = ${toString cfg.settings.allowed-users}
$extraOptions
END
else ''
echo "Validating generated nix.conf"
ln -s $out ./nix.conf
set -e
set +o pipefail
NIX_CONF_DIR=$PWD \
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \
|& sed -e 's/^warning:/error:/' \
| (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}')
set -o pipefail
'';
};
legacyConfMappings = {
useSandbox = "sandbox";
@ -58,6 +73,22 @@ let
# systemFeatures = "system-features";
};
semanticConfType = with types;
let
confAtom = nullOr
(oneOf [
bool
int
float
str
path
package
]) // {
description = "Nix config atom (null, bool, int, float, str, path or package)";
};
in
attrsOf (either confAtom (listOf confAtom));
in
{
@ -231,6 +262,15 @@ in
'';
};
checkConfig = mkOption {
type = types.bool;
default = true;
description = ''
If enabled (the default), checks for data type mismatches and that Nix
can parse the generated nix.conf.
'';
};
registry = mkOption {
type = types.attrsOf (types.submodule (
let
@ -293,147 +333,196 @@ in
description = "Additional text appended to <filename>nix.conf</filename>.";
};
settings = {
max-jobs = mkOption {
type = types.either types.int (types.enum [ "auto" ]);
default = "auto";
example = 64;
description = ''
This option defines the maximum number of jobs that Nix will try to
build in parallel. The default is auto, which means it will use all
available logical cores. It is recommend to set it to the total
number of logical cores in your system (e.g., 16 for two CPUs with 4
cores each and hyper-threading).
'';
};
settings = mkOption {
type = types.submodule {
freeformType = semanticConfType;
auto-optimise-store = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy.
This saves disk space. If set to false (the default), you can still run
nix-store --optimise to get rid of duplicate files.
'';
};
options = {
max-jobs = mkOption {
type = types.either types.int (types.enum [ "auto" ]);
default = "auto";
example = 64;
description = ''
This option defines the maximum number of jobs that Nix will try to
build in parallel. The default is auto, which means it will use all
available logical cores. It is recommend to set it to the total
number of logical cores in your system (e.g., 16 for two CPUs with 4
cores each and hyper-threading).
'';
};
cores = mkOption {
type = types.int;
default = 0;
example = 64;
description = ''
This option defines the maximum number of concurrent tasks during
one build. It affects, e.g., -j option for make.
The special value 0 means that the builder should use all
available CPU cores in the system. Some builds may become
non-deterministic with this option; use with care! Packages will
only be affected if enableParallelBuilding is set for them.
'';
};
auto-optimise-store = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy.
This saves disk space. If set to false (the default), you can still run
nix-store --optimise to get rid of duplicate files.
'';
};
sandbox = mkOption {
type = types.either types.bool (types.enum [ "relaxed" ]);
default = false;
description = ''
If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build. This prevents impurities
in builds by disallowing access to dependencies outside of the Nix
store by using network and mount namespaces in a chroot environment.
This is enabled by default even though it has a possible performance
impact due to the initial setup time of a sandbox for each build. It
doesn't affect derivation hashes, so changing this option will not
trigger a rebuild of packages.
'';
};
cores = mkOption {
type = types.int;
default = 0;
example = 64;
description = ''
This option defines the maximum number of concurrent tasks during
one build. It affects, e.g., -j option for make.
The special value 0 means that the builder should use all
available CPU cores in the system. Some builds may become
non-deterministic with this option; use with care! Packages will
only be affected if enableParallelBuilding is set for them.
'';
};
extra-sandbox-paths = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "/dev" "/proc" ];
description = ''
Directories from the host filesystem to be included
in the sandbox.
'';
};
sandbox = mkOption {
type = types.either types.bool (types.enum [ "relaxed" ]);
default = false;
description = ''
If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build. This prevents impurities
in builds by disallowing access to dependencies outside of the Nix
store by using network and mount namespaces in a chroot environment.
This is enabled by default even though it has a possible performance
impact due to the initial setup time of a sandbox for each build. It
doesn't affect derivation hashes, so changing this option will not
trigger a rebuild of packages.
'';
};
substituters = mkOption {
type = types.listOf types.str;
description = ''
List of binary cache URLs used to obtain pre-built binaries
of Nix packages.
extra-sandbox-paths = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "/dev" "/proc" ];
description = ''
Directories from the host filesystem to be included
in the sandbox.
'';
};
By default https://cache.nixos.org/ is added.
'';
};
substituters = mkOption {
type = types.listOf types.str;
description = ''
List of binary cache URLs used to obtain pre-built binaries
of Nix packages.
trusted-substituters = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "https://hydra.nixos.org/" ];
description = ''
List of binary cache URLs that non-root users can use (in
addition to those specified using
<option>nix.settings.substituters</option>) by passing
<literal>--option binary-caches</literal> to Nix commands.
'';
};
By default https://cache.nixos.org/ is added.
'';
};
require-sigs = mkOption {
type = types.bool;
default = true;
description = ''
If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in
<option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither
required nor checked, so it's strongly recommended that you use only
trustworthy caches and https to prevent man-in-the-middle attacks.
'';
};
trusted-substituters = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "https://hydra.nixos.org/" ];
description = ''
List of binary cache URLs that non-root users can use (in
addition to those specified using
<option>nix.settings.substituters</option>) by passing
<literal>--option binary-caches</literal> to Nix commands.
'';
};
trusted-public-keys = mkOption {
type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = ''
List of public keys used to sign binary caches. If
<option>nix.settings.trusted-public-keys</option> is enabled,
then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys
listed here. By default, only the key for
<uri>cache.nixos.org</uri> is included.
'';
};
require-sigs = mkOption {
type = types.bool;
default = true;
description = ''
If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in
<option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither
required nor checked, so it's strongly recommended that you use only
trustworthy caches and https to prevent man-in-the-middle attacks.
'';
};
trusted-users = mkOption {
type = types.listOf types.str;
default = [ "root" ];
example = [ "root" "alice" "@wheel" ];
description = ''
A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs. You
can also specify groups by prefixing them with
<literal>@</literal>; for instance,
<literal>@wheel</literal> means all users in the wheel
group.
'';
};
trusted-public-keys = mkOption {
type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = ''
List of public keys used to sign binary caches. If
<option>nix.settings.trusted-public-keys</option> is enabled,
then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys
listed here. By default, only the key for
<uri>cache.nixos.org</uri> is included.
'';
};
allowed-users = mkOption {
type = types.listOf types.str;
default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ];
description = ''
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
<option>nix.settings.trusted-users</option>, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can
allow all users by specifying <literal>*</literal>. The
default is <literal>*</literal>. Note that trusted users are
always allowed to connect.
'';
trusted-users = mkOption {
type = types.listOf types.str;
default = [ "root" ];
example = [ "root" "alice" "@wheel" ];
description = ''
A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs. You
can also specify groups by prefixing them with
<literal>@</literal>; for instance,
<literal>@wheel</literal> means all users in the wheel
group.
'';
};
# Not implemented yet
# system-features = mkOption {
# type = types.listOf types.str;
# example = [ "kvm" "big-parallel" "gccarch-skylake" ];
# description = ''
# The set of features supported by the machine. Derivations
# can express dependencies on system features through the
# <literal>requiredSystemFeatures</literal> attribute.
# By default, pseudo-features <literal>nixos-test</literal>, <literal>benchmark</literal>,
# and <literal>big-parallel</literal> used in Nixpkgs are set, <literal>kvm</literal>
# is also included in it is avaliable.
# '';
# };
allowed-users = mkOption {
type = types.listOf types.str;
default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ];
description = ''
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
<option>nix.settings.trusted-users</option>, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can
allow all users by specifying <literal>*</literal>. The
default is <literal>*</literal>. Note that trusted users are
always allowed to connect.
'';
};
};
};
default = { };
example = literalExpression ''
{
use-sandbox = true;
show-trace = true;
system-features = [ "big-parallel" "kvm" "recursive-nix" ];
sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
}
'';
description = ''
Configuration for Nix, see
<link xlink:href="https://nixos.org/manual/nix/stable/#sec-conf-file"/> or
<citerefentry>
<refentrytitle>nix.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for avalaible options.
The value declared here will be translated directly to the key-value pairs Nix expects.
</para>
<para>
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.nix.settings</command>
to view the current value. By default it is empty.
</para>
<para>
Nix configurations defined under <option>nix.*</option> will be translated and applied to this
option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended
verbatim to the resulting config file.
'';
};
};
};
@ -448,9 +537,6 @@ in
(mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.")
];
nix.settings.substituters = mkAfter [ https://cache.nixos.org/ ];
nix.settings.trusted-public-keys = mkAfter [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
nix.nixPath = mkMerge [
(mkIf (config.system.stateVersion < 2) (mkDefault
[ "darwin=$HOME/.nix-defexpr/darwin"
@ -473,6 +559,7 @@ in
environment.etc."nix/nix.conf".source = nixConf;
# Not in NixOS module
environment.etc."nix/nix.conf".knownSha256Hashes = [
"7c2d80499b39256b03ee9abd3d6258343718306aca8d472c26ac32c9b0949093" # nix installer
"19299897fa312d9d32b3c968c2872dd143085aa727140cec51f57c59083e93b9"
@ -526,6 +613,31 @@ in
done
'';
# Legacy configuration conversion.
nix.settings = mkMerge [
{
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
substituters = mkAfter [ "https://cache.nixos.org/" ];
# Not implemented yet
# system-features = mkDefault (
# [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
# optionals (pkgs.hostPlatform ? gcc.arch) (
# # a builder can run code for `gcc.arch` and inferior architectures
# [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
# map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
# )
# );
}
(mkIf (!cfg.distributedBuilds) { builders = null; })
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
# Not in NixOS module
(mkIf cfg.useDaemon { build-users-group = "nixbld"; })
];
};
}