
Update nix module to use settings sub options like in NixOS module

Also update option definitions to match those in `nixpkgs` where it
makes sense.
This commit is contained in:
Malo Bourgon 2022-08-13 12:09:24 -07:00
parent 80871c71ed
commit f729a09a28
3 changed files with 85 additions and 49 deletions


@ -19,10 +19,10 @@ in
services.nix-daemon.enable = true; services.nix-daemon.enable = true;
nix.binaryCaches = [ http://cache1 ]; nix.settings.substituters = [ http://cache1 ];
nix.binaryCachePublicKeys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; nix.settings.trusted-public-keys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ];
nix.trustedUsers = [ "@admin" "@hydra" ]; nix.settings.trusted-users = [ "@admin" "@hydra" ];
nix.extraOptions = '' nix.extraOptions = ''
pre-build-hook = pre-build-hook =


@ -93,11 +93,11 @@
log-lines = 128 log-lines = 128
''; '';
nix.binaryCachePublicKeys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ]; nix.settings.trusted-public-keys = [ "cache.daiderd.com-1:R8KOWZ8lDaLojqD+v9dzXAqGn29gEzPTTbr/GIpCTrI=" ];
nix.trustedBinaryCaches = [ https://d3i7ezr9vxxsfy.cloudfront.net ]; nix.settings.trusted-substituters = [ https://d3i7ezr9vxxsfy.cloudfront.net ];
nix.useSandbox = true; nix.settings.sandbox = true;
nix.sandboxPaths = [ "/private/tmp" "/private/var/tmp" "/usr/bin/env" ]; nix.settings.extra-sandbox-paths = [ "/private/tmp" "/private/var/tmp" "/usr/bin/env" ];
programs.nix-index.enable = true; programs.nix-index.enable = true;


@ -25,24 +25,44 @@ let
${optionalString cfg.useDaemon '' ${optionalString cfg.useDaemon ''
build-users-group = nixbld build-users-group = nixbld
''} ''}
max-jobs = ${toString (cfg.maxJobs)} max-jobs = ${toString cfg.settings.max-jobs}
cores = ${toString (cfg.buildCores)} auto-optimise-store = ${if cfg.settings.auto-optimise-store then "true" else "false"}
sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} cores = ${toString cfg.settings.cores}
${optionalString (cfg.sandboxPaths != []) '' sandbox = ${if (builtins.isBool cfg.settings.sandbox) then boolToString cfg.settings.sandbox else cfg.settings.sandbox}
extra-sandbox-paths = ${toString cfg.sandboxPaths} ${optionalString (cfg.settings.extra-sandbox-paths != []) ''
extra-sandbox-paths = ${toString cfg.settings.extra-sandbox-paths}
''} ''}
substituters = ${toString cfg.binaryCaches} substituters = ${toString cfg.settings.substituters}
trusted-substituters = ${toString cfg.trustedBinaryCaches} trusted-substituters = ${toString cfg.settings.trusted-substituters}
trusted-public-keys = ${toString cfg.binaryCachePublicKeys} trusted-public-keys = ${toString cfg.settings.trusted-public-keys}
require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} require-sigs = ${if cfg.settings.require-sigs then "true" else "false"}
trusted-users = ${toString cfg.trustedUsers} trusted-users = ${toString cfg.settings.trusted-users}
allowed-users = ${toString cfg.allowedUsers} allowed-users = ${toString cfg.settings.allowed-users}
$extraOptions $extraOptions
END END
''; '';
legacyConfMappings = {
useSandbox = "sandbox";
buildCores = "cores";
maxJobs = "max-jobs";
sandboxPaths = "extra-sandbox-paths";
binaryCaches = "substituters";
trustedBinaryCaches = "trusted-substituters";
binaryCachePublicKeys = "trusted-public-keys";
autoOptimiseStore = "auto-optimise-store";
requireSignedBinaryCaches = "require-sigs";
trustedUsers = "trusted-users";
allowedUsers = "allowed-users";
# systemFeatures = "system-features";
};
in in
{ {
imports = mapAttrsToList (oldConf: newConf:
mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]
) legacyConfMappings;
options = { options = {
nix.package = mkOption { nix.package = mkOption {
type = types.either types.package types.path; type = types.either types.package types.path;
@ -74,7 +94,7 @@ in
"; ";
}; };
nix.maxJobs = mkOption { nix.settings.max-jobs = mkOption {
type = types.either types.int (types.enum [ "auto" ]); type = types.either types.int (types.enum [ "auto" ]);
default = "auto"; default = "auto";
example = 64; example = 64;
@ -87,7 +107,19 @@ in
''; '';
}; };
nix.buildCores = mkOption { nix.settings.auto-optimise-store = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy.
This saves disk space. If set to false (the default), you can still run
nix-store --optimise to get rid of duplicate files.
'';
};
nix.settings.cores = mkOption {
type = types.int; type = types.int;
default = 0; default = 0;
example = 64; example = 64;
@ -101,23 +133,26 @@ in
''; '';
}; };
nix.useSandbox = mkOption { nix.settings.sandbox = mkOption {
type = types.either types.bool (types.enum [ "relaxed" ]); type = types.either types.bool (types.enum [ "relaxed" ]);
default = false; default = false;
description = " description = ''
If set, Nix will perform builds in a sandboxed environment that it If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build. This prevents will set up automatically for each build. This prevents impurities
impurities in builds by disallowing access to dependencies in builds by disallowing access to dependencies outside of the Nix
outside of the Nix store. store by using network and mount namespaces in a chroot environment.
"; This is enabled by default even though it has a possible performance
impact due to the initial setup time of a sandbox for each build. It
doesn't affect derivation hashes, so changing this option will not
trigger a rebuild of packages.
'';
}; };
nix.sandboxPaths = mkOption { nix.settings.extra-sandbox-paths = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
example = [ "/dev" "/proc" ]; example = [ "/dev" "/proc" ];
description = description = ''
''
Directories from the host filesystem to be included Directories from the host filesystem to be included
in the sandbox. in the sandbox.
''; '';
@ -228,45 +263,46 @@ in
''; '';
}; };
nix.binaryCaches = mkOption { nix.settings.substituters = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
example = [ https://cache.example.org/ ];
description = '' description = ''
List of binary cache URLs used to obtain pre-built binaries List of binary cache URLs used to obtain pre-built binaries
of Nix packages. of Nix packages.
By default https://cache.nixos.org/ is added.
''; '';
}; };
nix.trustedBinaryCaches = mkOption { nix.settings.trusted-substituters = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
example = [ https://hydra.example.org/ ]; example = [ "https://hydra.nixos.org/" ];
description = '' description = ''
List of binary cache URLs that non-root users can use (in List of binary cache URLs that non-root users can use (in
addition to those specified using addition to those specified using
<option>nix.binaryCaches</option>) by passing <option>nix.settings.substituters</option>) by passing
<literal>--option binary-caches</literal> to Nix commands. <literal>--option binary-caches</literal> to Nix commands.
''; '';
}; };
nix.requireSignedBinaryCaches = mkOption { nix.settings.require-sigs = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = ''
If enabled (the default), Nix will only download binaries from binary caches if If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in they are cryptographically signed with any of the keys listed in
<option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither <option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither
required nor checked, so it's strongly recommended that you use only required nor checked, so it's strongly recommended that you use only
trustworthy caches and https to prevent man-in-the-middle attacks. trustworthy caches and https to prevent man-in-the-middle attacks.
''; '';
}; };
nix.binaryCachePublicKeys = mkOption { nix.settings.trusted-public-keys = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = '' description = ''
List of public keys used to sign binary caches. If List of public keys used to sign binary caches. If
<option>nix.requireSignedBinaryCaches</option> is enabled, <option>nix.settings.trusted-public-keys</option> is enabled,
then Nix will use a binary from a binary cache if and only then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys if it is signed by <emphasis>any</emphasis> of the keys
listed here. By default, only the key for listed here. By default, only the key for
@ -274,7 +310,7 @@ in
''; '';
}; };
nix.trustedUsers = mkOption { nix.settings.trusted-users = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "root" ]; default = [ "root" ];
example = [ "root" "alice" "@wheel" ]; example = [ "root" "alice" "@wheel" ];
@ -289,14 +325,14 @@ in
''; '';
}; };
nix.allowedUsers = mkOption { nix.settings.allowed-users = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "*" ]; default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ]; example = [ "@wheel" "@builders" "alice" "bob" ];
description = '' description = ''
A list of names of users (separated by whitespace) that are A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with allowed to connect to the Nix daemon. As with
<option>nix.trustedUsers</option>, you can specify groups by <option>nix.settings.trusted-users</option>, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can prefixing them with <literal>@</literal>. Also, you can
allow all users by specifying <literal>*</literal>. The allow all users by specifying <literal>*</literal>. The
default is <literal>*</literal>. Note that trusted users are default is <literal>*</literal>. Note that trusted users are
@ -406,8 +442,8 @@ in
(mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.") (mkIf (!cfg.distributedBuilds && cfg.buildMachines != []) "nix.distributedBuilds is not enabled, build machines won't be configured.")
]; ];
nix.binaryCaches = mkAfter [ https://cache.nixos.org/ ]; nix.settings.substituters = mkAfter [ https://cache.nixos.org/ ];
nix.binaryCachePublicKeys = mkAfter [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; nix.settings.trusted-public-keys = mkAfter [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
nix.nixPath = mkMerge [ nix.nixPath = mkMerge [
(mkIf (config.system.stateVersion < 2) (mkDefault (mkIf (config.system.stateVersion < 2) (mkDefault
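Review bot: The new description of `nix.settings.trusted-public-keys` now points at itself where the old text pointed at the signature requirement: `If <option>nix.settings.trusted-public-keys</option> is enabled,` should read `If <option>nix.settings.require-sigs</option> is enabled,`, since it is `require-sigs`, not the key list, that decides whether unsigned store paths are accepted. The `substituters` description also loses the old sentence `By default https://cache.nixos.org/ is added.` even though the config section of this same file still appends `https://cache.nixos.org/` and its `cache.nixos.org-1` key with `mkAfter`; a user who sets `nix.settings.substituters` / `trusted-public-keys` expecting to replace the default cache and trusted key should be told those stay unless overridden with `mkForce`, so that sentence is worth keeping on both options. The `trusted-substituters` text still advises passing `--option binary-caches`, which no longer matches the `substituters` naming adopted here; `--option substituters` would be consistent with the option it now cross-references. The `options` attribute set holding these descriptions starts before this hunk and continues past it.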