From 5bdf63819b383c47aad629ec3fe404b77a6b58a3 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Thu, 9 Dec 2021 10:47:26 +0000
Subject: [PATCH 1/2] nixos/top-level.nix: Add system.checks
Note that this does not add to the `forbiddenDependenciesRegex` code because that code check should be unaffected as it only checks output dependencies, not build dependencies. Build deps are added after that check, if those are enabled in the first place.
---
 nixos/modules/system/activation/top-level.nix | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index f2e74135478..c28e530cdc7 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -263,8 +263,23 @@ in
 default = [];
 description = lib.mdDoc ''
 A list of packages that should be included in the system
- closure but not otherwise made available to users. This is
- primarily used by the installation tests.
+ closure but generally not visible to users.
+
+ This option has also been used for build-time checks, but the
+ `system.checks` option is more appropriate for that purpose as checks
+ should not leave a trace in the built system configuration.
+ '';
+ };
+
+ system.checks = mkOption {
+ type = types.listOf types.package;
+ default = [];
+ description = lib.mdDoc ''
+ Packages that are added as dependencies of the system's build, usually
+ for the purpose of validating some part of the configuration.
+
+ Unlike `system.extraDependencies`, these store paths do not
+ become part of the built system configuration.
 '';
 };
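Review bot: The new `system.checks` description states unconditionally that these store paths "do not become part of the built system configuration", but the `system.build.toplevel` definition later in this same patch selects `systemWithBuildDeps` when `system.includeBuildDependencies` is set, and in that mode build inputs — which the checks now are — presumably end up in the closure as well. Suggest qualifying the last sentence, e.g. `Unlike \`system.extraDependencies\`, these store paths do not become part of the built system configuration (unless \`system.includeBuildDependencies\` is enabled).`, and the same qualification applies to the "should not leave a trace" sentence added to the `system.extraDependencies` description. The `system.extraDependencies` option this hunk edits starts before the hunk, so its `mkOption` header is not visible here.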
@@ -363,7 +378,17 @@ in
 fi
 '';
- system.systemBuilderArgs = lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
+ system.systemBuilderArgs = {
+ # Not actually used in the builder. `passedChecks` is just here to create
+ # the build dependencies. Checks are similar to build dependencies in the
+ # sense that if they fail, the system build fails. However, checks do not
+ # produce any output of value, so they are not used by the system builder.
+ # In fact, using them runs the risk of accidentally adding unneeded paths
+ # to the system closure, which defeats the purpose of the `system.checks`
+ # option, as opposed to `system.extraDependencies`.
+ passedChecks = concatStringsSep " " config.system.checks;
+ }
+ // lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
 inherit (config.system) forbiddenDependenciesRegex;
 closureInfo = pkgs.closureInfo { rootPaths = [
 # override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies)
@@ -371,6 +396,7 @@ in
 ]; }; }; + system.build.toplevel = if config.system.includeBuildDependencies then systemWithBuildDeps else system; };
From 2e2f0d28ea8e3873f57aec6ed517dab8f6494c11 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Thu, 11 May 2023 18:42:17 +0200
Subject: [PATCH 2/2] nixos: Use checks instead of extraDependencies ... as appropriate. This drops a few unnecessary store paths from the system closure.
---
 nixos/modules/security/wrappers/default.nix | 2 +-
 nixos/modules/services/databases/postgresql.nix | 2 +-
 nixos/modules/services/web-servers/varnish/default.nix | 2 +-
 nixos/modules/services/x11/xserver.nix | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 4b62abd658a..12255d8392f 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
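Review bot: The comment above `passedChecks` explains why the value must stay unused but not what actually creates the dependency, which is the point a future maintainer needs: `concatStringsSep " "` coerces each package to its store path, and the string context that the result carries is what turns the checks into build inputs of the system derivation, so the attribute is load-bearing even though its value is never read. Since `systemBuilderArgs` is presumably handed to the system derivation as attributes (and therefore exposed as environment variables in the builder), nothing here enforces the "not used" invariant beyond the comment, so it should state the mechanism and the consequence in one place, e.g. `# \`passedChecks\` is never read by the builder; it exists only to carry the string context of \`config.system.checks\` so the checks are built (and must succeed) before the system. Referencing it from the builder would pull the check outputs into the closure.`. The second hunk at `@@ -371,6 +396,7 @@` appears to be whitespace-only; `system.systemBuilderArgs` continues past the end of the first hunk.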
@@ -283,7 +283,7 @@ in
 '';
 ###### wrappers consistency checks
- system.extraDependencies = lib.singleton (pkgs.runCommandLocal
+ system.checks = lib.singleton (pkgs.runCommandLocal
 "ensure-all-wrappers-paths-exist" { } ''
 # make sure we produce output
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 3d55995aba0..a7016bbee3a 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -489,7 +489,7 @@ in
 "/share/postgresql"
 ];
- system.extraDependencies = lib.optional (cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) configFileCheck;
+ system.checks = lib.optional (cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) configFileCheck;
 systemd.services.postgresql = {
 description = "PostgreSQL Server";
diff --git a/nixos/modules/services/web-servers/varnish/default.nix b/nixos/modules/services/web-servers/varnish/default.nix
index e34c22d2868..d7f19be0cec 100644
--- a/nixos/modules/services/web-servers/varnish/default.nix
+++ b/nixos/modules/services/web-servers/varnish/default.nix
@@ -99,7 +99,7 @@ in
 environment.systemPackages = [ cfg.package ];
 # check .vcl syntax at compile time (e.g. before nixops deployment)
- system.extraDependencies = mkIf cfg.enableConfigCheck [
+ system.checks = mkIf cfg.enableConfigCheck [
 (pkgs.runCommand "check-varnish-syntax" {} ''
 ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1)
 '')
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index c0051a2ce38..6d2321be8ef 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -776,7 +776,7 @@ in
 xorg.xf86inputevdev.out
 ];
- system.extraDependencies = singleton (pkgs.runCommand "xkb-validated" {
+ system.checks = singleton (pkgs.runCommand "xkb-validated" {
 inherit (cfg) xkbModel layout xkbVariant xkbOptions;
 nativeBuildInputs = with pkgs.buildPackages; [ xkbvalidate ];
 preferLocalBuild = true;