From d73da5b868387eea41203a3daba7d9f6ab880b1b Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Wed, 5 Jul 2023 13:11:34 +0200 Subject: [PATCH] nixos/config/nix: Move nix.settings --- nixos/modules/config/nix.nix | 237 ++++++++++++++++++++- nixos/modules/services/misc/nix-daemon.nix | 225 ------------------- 2 files changed, 236 insertions(+), 226 deletions(-) diff --git a/nixos/modules/config/nix.nix b/nixos/modules/config/nix.nix index c740f8ccc32..af2d8678b6c 100644 --- a/nixos/modules/config/nix.nix +++ b/nixos/modules/config/nix.nix @@ -16,12 +16,19 @@ let isInt isList isString + literalExpression mapAttrsToList + mkAfter + mkDefault mkIf + mkOption mkRenamedOptionModuleWith optionalString + optionals strings + systems toPretty + types versionAtLeast ; @@ -46,6 +53,22 @@ let systemFeatures = "system-features"; }; + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); + nixConf = assert isNixAtLeast "2.2"; let @@ -96,7 +119,10 @@ let in { - imports = + imports = [ + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) + ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { 
@@ -106,7 +132,216 @@ in }) legacyConfMappings; + options = { + nix = { + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of concurrent tasks during + one build. It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = true; + description = lib.mdDoc '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. 
+ + This is enabled by default even though it has a possible performance + impact due to the initial setup time of a sandbox for each build. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + + When set to "relaxed", this option permits derivations that set + `__noChroot = true;` to run outside of the sandboxed environment. + Exercise caution when using this mode of operation! It is intended to + be a quick hack when building with packages that are not easily setup + to be built reproducibly. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = lib.mdDoc '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = lib.mdDoc '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + {option}`nix.settings.substituters`) by passing + `--option binary-caches` to Nix commands. + ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. 
+ ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = lib.mdDoc '' + List of public keys used to sign binary caches. If + {option}`nix.settings.trusted-public-keys` is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by *any* of the keys + listed here. By default, only the key for + `cache.nixos.org` is included. + ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@wheel" ]; + description = lib.mdDoc '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + `@`; for instance, + `@wheel` means all users in the wheel + group. + ''; + }; + + system-features = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = lib.mdDoc '' + The set of features supported by the machine. Derivations + can express dependencies on system features through the + `requiredSystemFeatures` attribute. + + By default, pseudo-features `nixos-test`, `benchmark`, + and `big-parallel` used in Nixpkgs are set, `kvm` + is also included if it is available. + ''; + }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@wheel" "@builders" "alice" "bob" ]; + description = lib.mdDoc '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + {option}`nix.settings.trusted-users`, you can specify groups by + prefixing them with `@`. Also, you can + allow all users by specifying `*`. The + default is `*`. Note that trusted users are + always allowed to connect. 
+ ''; + }; + }; + }; + default = { }; + example = literalExpression '' + { + use-sandbox = true; + show-trace = true; + + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; + } + ''; + description = lib.mdDoc '' + Configuration for Nix, see + or + {manpage}`nix.conf(5)` for available options. + The value declared here will be translated directly to the key-value pairs Nix expects. + + You can use {command}`nix-instantiate --eval --strict '' -A config.nix.settings` + to view the current value. By default it is empty. + + Nix configurations defined under {option}`nix.*` will be translated and applied to this + option. In addition, configuration specified in {option}`nix.extraOptions` will be appended + verbatim to the resulting config file. + ''; + }; + }; + }; + config = mkIf cfg.enable { environment.etc."nix/nix.conf".source = nixConf; + nix.settings = { + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + substituters = mkAfter [ "https://cache.nixos.org/" ]; + system-features = mkDefault ( + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( + # a builder can run code for `gcc.arch` and inferior architectures + [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) + ) + ); + }; }; } diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index b4b909a48d5..c6adfec04fd 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix 
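Review bot: The `trusted-public-keys` description in this hunk refers to itself ("If nix.settings.trusted-public-keys is enabled, then Nix will use a binary ... if and only if it is signed"), but the switch that turns signature checking on is `require-sigs`; the sentence should read `If {option}` followed by `nix.settings.require-sigs` in backticks `is enabled, then Nix will use a binary from a binary cache if and only if it is signed by *any* of the keys listed here.`. The `trusted-users` description also understates the weight of that option: a user who can add substituters and import unsigned NARs can place arbitrary content in the store, which nix.conf(5) describes as effectively equivalent to root access, so a sentence to that effect next to the `@wheel` example would help operators judge the risk before copying it. Two smaller leftovers from the string-typed era: `allowed-users` still says "(separated by whitespace)" although the option is a list, and `trusted-substituters` cites `--option binary-caches`, presumably the older alias of `substituters` that the rest of the hunk uses. Finally, `substituters`, `trusted-public-keys` and `system-features` declare no `default` and are only defined under `config = mkIf cfg.enable`, so a module that reads them while `nix.enable = false` will fail to evaluate; this looks pre-existing since the defaults are moved verbatim, but a `default = [ ]` or a comment stating the intent would make it explicit.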
@@ -29,28 +29,10 @@ let nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); - semanticConfType = with types; - let - confAtom = nullOr - (oneOf [ - bool - int - float - str - path - package - ]) // { - description = "Nix config atom (null, bool, int, float, str, path or package)"; - }; - in - attrsOf (either confAtom (listOf confAtom)); - in { imports = [ - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; }) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") 
@@ -404,199 +386,6 @@ in ''; description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; }; - - settings = mkOption { - type = types.submodule { - freeformType = semanticConfType; - - options = { - max-jobs = mkOption { - type = types.either types.int (types.enum [ "auto" ]); - default = "auto"; - example = 64; - description = lib.mdDoc '' - This option defines the maximum number of jobs that Nix will try to - build in parallel. The default is auto, which means it will use all - available logical cores. It is recommend to set it to the total - number of logical cores in your system (e.g., 16 for two CPUs with 4 - cores each and hyper-threading). - ''; - }; - - auto-optimise-store = mkOption { - type = types.bool; - default = false; - example = true; - description = lib.mdDoc '' - If set to true, Nix automatically detects files in the store that have - identical contents, and replaces them with hard links to a single copy. - This saves disk space. If set to false (the default), you can still run - nix-store --optimise to get rid of duplicate files. - ''; - }; - - cores = mkOption { - type = types.int; - default = 0; - example = 64; - description = lib.mdDoc '' - This option defines the maximum number of concurrent tasks during - one build. It affects, e.g., -j option for make. - The special value 0 means that the builder should use all - available CPU cores in the system. Some builds may become - non-deterministic with this option; use with care! Packages will - only be affected if enableParallelBuilding is set for them. - ''; - }; - - sandbox = mkOption { - type = types.either types.bool (types.enum [ "relaxed" ]); - default = true; - description = lib.mdDoc '' - If set, Nix will perform builds in a sandboxed environment that it - will set up automatically for each build. This prevents impurities - in builds by disallowing access to dependencies outside of the Nix - store by using network and mount namespaces in a chroot environment. 
- - This is enabled by default even though it has a possible performance - impact due to the initial setup time of a sandbox for each build. It - doesn't affect derivation hashes, so changing this option will not - trigger a rebuild of packages. - - When set to "relaxed", this option permits derivations that set - `__noChroot = true;` to run outside of the sandboxed environment. - Exercise caution when using this mode of operation! It is intended to - be a quick hack when building with packages that are not easily setup - to be built reproducibly. - ''; - }; - - extra-sandbox-paths = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "/dev" "/proc" ]; - description = lib.mdDoc '' - Directories from the host filesystem to be included - in the sandbox. - ''; - }; - - substituters = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - List of binary cache URLs used to obtain pre-built binaries - of Nix packages. - - By default https://cache.nixos.org/ is added. - ''; - }; - - trusted-substituters = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "https://hydra.nixos.org/" ]; - description = lib.mdDoc '' - List of binary cache URLs that non-root users can use (in - addition to those specified using - {option}`nix.settings.substituters`) by passing - `--option binary-caches` to Nix commands. - ''; - }; - - require-sigs = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - If enabled (the default), Nix will only download binaries from binary caches if - they are cryptographically signed with any of the keys listed in - {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither - required nor checked, so it's strongly recommended that you use only - trustworthy caches and https to prevent man-in-the-middle attacks. 
- ''; - }; - - trusted-public-keys = mkOption { - type = types.listOf types.str; - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - description = lib.mdDoc '' - List of public keys used to sign binary caches. If - {option}`nix.settings.trusted-public-keys` is enabled, - then Nix will use a binary from a binary cache if and only - if it is signed by *any* of the keys - listed here. By default, only the key for - `cache.nixos.org` is included. - ''; - }; - - trusted-users = mkOption { - type = types.listOf types.str; - default = [ "root" ]; - example = [ "root" "alice" "@wheel" ]; - description = lib.mdDoc '' - A list of names of users that have additional rights when - connecting to the Nix daemon, such as the ability to specify - additional binary caches, or to import unsigned NARs. You - can also specify groups by prefixing them with - `@`; for instance, - `@wheel` means all users in the wheel - group. - ''; - }; - - system-features = mkOption { - type = types.listOf types.str; - example = [ "kvm" "big-parallel" "gccarch-skylake" ]; - description = lib.mdDoc '' - The set of features supported by the machine. Derivations - can express dependencies on system features through the - `requiredSystemFeatures` attribute. - - By default, pseudo-features `nixos-test`, `benchmark`, - and `big-parallel` used in Nixpkgs are set, `kvm` - is also included if it is available. - ''; - }; - - allowed-users = mkOption { - type = types.listOf types.str; - default = [ "*" ]; - example = [ "@wheel" "@builders" "alice" "bob" ]; - description = lib.mdDoc '' - A list of names of users (separated by whitespace) that are - allowed to connect to the Nix daemon. As with - {option}`nix.settings.trusted-users`, you can specify groups by - prefixing them with `@`. Also, you can - allow all users by specifying `*`. The - default is `*`. Note that trusted users are - always allowed to connect. 
- ''; - }; - }; - }; - default = { }; - example = literalExpression '' - { - use-sandbox = true; - show-trace = true; - - system-features = [ "big-parallel" "kvm" "recursive-nix" ]; - sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; - } - ''; - description = lib.mdDoc '' - Configuration for Nix, see - or - {manpage}`nix.conf(5)` for available options. - The value declared here will be translated directly to the key-value pairs Nix expects. - - You can use {command}`nix-instantiate --eval --strict '' -A config.nix.settings` - to view the current value. By default it is empty. - - Nix configurations defined under {option}`nix.*` will be translated and applied to this - option. In addition, configuration specified in {option}`nix.extraOptions` will be appended - verbatim to the resulting config file. - ''; - }; }; }; @@ -755,20 +544,6 @@ in # Legacy configuration conversion. nix.settings = mkMerge [ - { - trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - substituters = mkAfter [ "https://cache.nixos.org/" ]; - - system-features = mkDefault ( - [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ - optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( - # a builder can run code for `gcc.arch` and inferior architectures - [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ - map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) - ) - ); - } - (mkIf (!cfg.distributedBuilds) { builders = null; }) (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })