Merge pull request #139075 from polykernel/nix-structural-settings-patch-1
nixos/nix-daemon: use structural settings
This commit is contained in:
commit
1f3b1a9067
|
@ -531,6 +531,29 @@
|
|||
was added.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The configuration portion of the <literal>nix-daemon</literal>
|
||||
module has been reworked and exposed as
|
||||
<link xlink:href="options.html#opt-nix-settings">nix.settings</link>:
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Legacy options have been mapped to the corresponding
|
||||
options under under
|
||||
<link xlink:href="options.html#opt-nix.settings">nix.settings</link>
|
||||
but may be deprecated in the future.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="options.html#opt-nix.buildMachines.publicHostKey">nix.buildMachines.publicHostKey</link>
|
||||
has been added.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The
|
||||
|
|
|
@ -453,7 +453,7 @@
|
|||
Allow ad-hoc remote builders for building the new system. This requires
|
||||
the user executing <command>nixos-rebuild</command> (usually root) to be
|
||||
configured as a trusted user in the Nix daemon. This can be achieved by
|
||||
using the <literal>nix.trustedUsers</literal> NixOS option. Examples
|
||||
using the <literal>nix.settings.trusted-users</literal> NixOS option. Examples
|
||||
values for that option are described in the <literal>Remote builds
|
||||
chapter</literal> in the Nix manual, (i.e. <command>--builders
|
||||
"ssh://bigbrother x86_64-linux"</command>). By specifying an empty string
|
||||
|
|
|
@ -183,6 +183,10 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added.
|
||||
|
||||
- The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings):
|
||||
* Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) but may be deprecated in the future.
|
||||
* [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added.
|
||||
|
||||
- The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.
|
||||
|
||||
- The `influxdb2` package was split into `influxdb2-server` and
|
||||
|
|
|
@ -17,7 +17,7 @@ in
|
|||
description = "Azure NixOS Test User";
|
||||
openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ];
|
||||
};
|
||||
nix.trustedUsers = [ username ];
|
||||
nix.settings.trusted-users = [ username ];
|
||||
|
||||
virtualisation.azureImage.diskSize = 2500;
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ with lib;
|
|||
|
||||
installer.cloneConfigExtra = ''
|
||||
# Let demo build as a trusted user.
|
||||
# nix.trustedUsers = [ "demo" ];
|
||||
# nix.settings.trusted-users = [ "demo" ];
|
||||
|
||||
# Mount a VirtualBox shared folder.
|
||||
# This is configurable in the VirtualBox menu at
|
||||
|
|
|
@ -17,7 +17,7 @@ with lib;
|
|||
|
||||
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
||||
|
||||
nix.allowedUsers = mkDefault [ "@users" ];
|
||||
nix.settings.allowed-users = mkDefault [ "@users" ];
|
||||
|
||||
environment.memoryAllocator.provider = mkDefault "scudo";
|
||||
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
|
||||
|
|
|
@ -123,8 +123,8 @@ with lib;
|
|||
boot.kernel.sysctl."user.max_user_namespaces" = 0;
|
||||
|
||||
assertions = [
|
||||
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
|
||||
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
|
||||
{ assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces;
|
||||
message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.";
|
||||
}
|
||||
];
|
||||
})
|
||||
|
|
|
@ -147,7 +147,7 @@ in
|
|||
concurrent = mkOption {
|
||||
type = types.int;
|
||||
default = 1;
|
||||
example = literalExpression "config.nix.maxJobs";
|
||||
example = literalExpression "config.nix.settings.max-jobs";
|
||||
description = ''
|
||||
Limits how many jobs globally can be run concurrently.
|
||||
The most upper limit of jobs using all defined runners.
|
||||
|
|
|
@ -67,7 +67,7 @@ in
|
|||
|
||||
# Trusted user allows simplified configuration and better performance
|
||||
# when operating in a cluster.
|
||||
nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
|
||||
nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
|
||||
services.hercules-ci-agent = {
|
||||
settings = {
|
||||
nixUserIsTrusted = true;
|
||||
|
|
|
@ -258,8 +258,6 @@ in
|
|||
uid = config.ids.uids.hydra-www;
|
||||
};
|
||||
|
||||
nix.trustedUsers = [ "hydra-queue-runner" ];
|
||||
|
||||
services.hydra.extraConfig =
|
||||
''
|
||||
using_frontend_proxy = 1
|
||||
|
@ -277,16 +275,21 @@ in
|
|||
|
||||
environment.variables = hydraEnv;
|
||||
|
||||
nix.extraOptions = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
nix.settings = mkMerge [
|
||||
{
|
||||
keep-outputs = true;
|
||||
keep-derivations = true;
|
||||
trusted-users = [ "hydra-queue-runner" ];
|
||||
}
|
||||
|
||||
|
||||
'' + optionalString (versionOlder (getVersion config.nix.package.out) "2.4pre") ''
|
||||
# The default (`true') slows Nix down a lot since the build farm
|
||||
# has so many GC roots.
|
||||
gc-check-reachability = false
|
||||
'';
|
||||
(mkIf (versionOlder (getVersion config.nix.package.out) "2.4pre")
|
||||
{
|
||||
# The default (`true') slows Nix down a lot since the build farm
|
||||
# has so many GC roots.
|
||||
gc-check-reachability = false;
|
||||
}
|
||||
)
|
||||
];
|
||||
|
||||
systemd.services.hydra-init =
|
||||
{ wantedBy = [ "multi-user.target" ];
|
||||
|
|
|
@ -6,20 +6,20 @@ let
|
|||
|
||||
cfg = config.nix;
|
||||
|
||||
nix = cfg.package.out;
|
||||
nixPackage = cfg.package.out;
|
||||
|
||||
nixVersion = getVersion nix;
|
||||
|
||||
isNix23 = versionAtLeast nixVersion "2.3pre";
|
||||
isNixAtLeast = versionAtLeast (getVersion nixPackage);
|
||||
|
||||
makeNixBuildUser = nr: {
|
||||
name = "nixbld${toString nr}";
|
||||
name = "nixbld${toString nr}";
|
||||
value = {
|
||||
description = "Nix build user ${toString nr}";
|
||||
|
||||
/* For consistency with the setgid(2), setuid(2), and setgroups(2)
|
||||
calls in `libstore/build.cc', don't add any supplementary group
|
||||
here except "nixbld". */
|
||||
/*
|
||||
For consistency with the setgid(2), setuid(2), and setgroups(2)
|
||||
calls in `libstore/build.cc', don't add any supplementary group
|
||||
here except "nixbld".
|
||||
*/
|
||||
uid = builtins.add config.ids.uids.nixbld nr;
|
||||
isSystemUser = true;
|
||||
group = "nixbld";
|
||||
|
@ -30,43 +30,82 @@ let
|
|||
nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
|
||||
|
||||
nixConf =
|
||||
assert versionAtLeast nixVersion "2.2";
|
||||
pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (
|
||||
''
|
||||
cat > $out <<END
|
||||
assert isNixAtLeast "2.2";
|
||||
let
|
||||
|
||||
mkValueString = v:
|
||||
if v == null then ""
|
||||
else if isInt v then toString v
|
||||
else if isBool v then boolToString v
|
||||
else if isFloat v then floatToString v
|
||||
else if isList v then toString v
|
||||
else if isDerivation v then toString v
|
||||
else if builtins.isPath v then toString v
|
||||
else if isString v then v
|
||||
else if isCoercibleToString v then toString v
|
||||
else abort "The nix conf value: ${toPretty {} v} can not be encoded";
|
||||
|
||||
mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}";
|
||||
|
||||
mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs);
|
||||
|
||||
in
|
||||
pkgs.writeTextFile {
|
||||
name = "nix.conf";
|
||||
text = ''
|
||||
# WARNING: this file is generated from the nix.* options in
|
||||
# your NixOS configuration, typically
|
||||
# /etc/nixos/configuration.nix. Do not edit it!
|
||||
build-users-group = nixbld
|
||||
max-jobs = ${toString (cfg.maxJobs)}
|
||||
cores = ${toString (cfg.buildCores)}
|
||||
sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
|
||||
extra-sandbox-paths = ${toString cfg.sandboxPaths}
|
||||
substituters = ${toString cfg.binaryCaches}
|
||||
trusted-substituters = ${toString cfg.trustedBinaryCaches}
|
||||
trusted-public-keys = ${toString cfg.binaryCachePublicKeys}
|
||||
auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
|
||||
require-sigs = ${boolToString cfg.requireSignedBinaryCaches}
|
||||
trusted-users = ${toString cfg.trustedUsers}
|
||||
allowed-users = ${toString cfg.allowedUsers}
|
||||
${optionalString (!cfg.distributedBuilds) ''
|
||||
builders =
|
||||
''}
|
||||
system-features = ${toString cfg.systemFeatures}
|
||||
${optionalString isNix23 ''
|
||||
sandbox-fallback = false
|
||||
''}
|
||||
$extraOptions
|
||||
END
|
||||
'' + optionalString cfg.checkConfig (
|
||||
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
|
||||
echo "Ignore nix.checkConfig when cross-compiling"
|
||||
'' else ''
|
||||
echo "Checking that Nix can read nix.conf..."
|
||||
ln -s $out ./nix.conf
|
||||
NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null
|
||||
'')
|
||||
);
|
||||
${mkKeyValuePairs cfg.settings}
|
||||
${cfg.extraOptions}
|
||||
'';
|
||||
checkPhase =
|
||||
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
|
||||
echo "Ignoring validation for cross-compilation"
|
||||
''
|
||||
else ''
|
||||
echo "Validating generated nix.conf"
|
||||
ln -s $out ./nix.conf
|
||||
set -e
|
||||
set +o pipefail
|
||||
NIX_CONF_DIR=$PWD \
|
||||
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net --option experimental-features nix-command"} \
|
||||
|& sed -e 's/^warning:/error:/' \
|
||||
| (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}')
|
||||
set -o pipefail
|
||||
'';
|
||||
};
|
||||
|
||||
legacyConfMappings = {
|
||||
useSandbox = "sandbox";
|
||||
buildCores = "cores";
|
||||
maxJobs = "max-jobs";
|
||||
sandboxPaths = "extra-sandbox-paths";
|
||||
binaryCaches = "substituters";
|
||||
trustedBinaryCaches = "trusted-substituters";
|
||||
binaryCachePublicKeys = "trusted-public-keys";
|
||||
autoOptimiseStore = "auto-optimise-store";
|
||||
requireSignedBinaryCaches = "require-sigs";
|
||||
trustedUsers = "trusted-users";
|
||||
allowedUsers = "allowed-users";
|
||||
systemFeatures = "system-feature";
|
||||
};
|
||||
|
||||
semanticConfType = with types;
|
||||
let
|
||||
confAtom = nullOr
|
||||
(oneOf [
|
||||
bool
|
||||
int
|
||||
float
|
||||
str
|
||||
path
|
||||
package
|
||||
]) // {
|
||||
description = "Nix config atom (null, bool, int, float, str, path or package)";
|
||||
};
|
||||
in
|
||||
attrsOf (either confAtom (listOf confAtom));
|
||||
|
||||
in
|
||||
|
||||
|
@ -76,7 +115,7 @@ in
|
|||
(mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
|
||||
(mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ])
|
||||
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
|
||||
];
|
||||
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
|
||||
|
||||
###### interface
|
||||
|
||||
|
@ -102,81 +141,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
maxJobs = mkOption {
|
||||
type = types.either types.int (types.enum ["auto"]);
|
||||
default = "auto";
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of jobs that Nix will try to
|
||||
build in parallel. The default is auto, which means it will use all
|
||||
available logical cores. It is recommend to set it to the total
|
||||
number of logical cores in your system (e.g., 16 for two CPUs with 4
|
||||
cores each and hyper-threading).
|
||||
'';
|
||||
};
|
||||
|
||||
autoOptimiseStore = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = ''
|
||||
If set to true, Nix automatically detects files in the store that have
|
||||
identical contents, and replaces them with hard links to a single copy.
|
||||
This saves disk space. If set to false (the default), you can still run
|
||||
nix-store --optimise to get rid of duplicate files.
|
||||
'';
|
||||
};
|
||||
|
||||
buildCores = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of concurrent tasks during
|
||||
one build. It affects, e.g., -j option for make.
|
||||
The special value 0 means that the builder should use all
|
||||
available CPU cores in the system. Some builds may become
|
||||
non-deterministic with this option; use with care! Packages will
|
||||
only be affected if enableParallelBuilding is set for them.
|
||||
'';
|
||||
};
|
||||
|
||||
useSandbox = mkOption {
|
||||
type = types.either types.bool (types.enum ["relaxed"]);
|
||||
default = true;
|
||||
description = "
|
||||
If set, Nix will perform builds in a sandboxed environment that it
|
||||
will set up automatically for each build. This prevents impurities
|
||||
in builds by disallowing access to dependencies outside of the Nix
|
||||
store by using network and mount namespaces in a chroot environment.
|
||||
This is enabled by default even though it has a possible performance
|
||||
impact due to the initial setup time of a sandbox for each build. It
|
||||
doesn't affect derivation hashes, so changing this option will not
|
||||
trigger a rebuild of packages.
|
||||
";
|
||||
};
|
||||
|
||||
sandboxPaths = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "/dev" "/proc" ];
|
||||
description =
|
||||
''
|
||||
Directories from the host filesystem to be included
|
||||
in the sandbox.
|
||||
'';
|
||||
};
|
||||
|
||||
extraOptions = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
'';
|
||||
description = "Additional text appended to <filename>nix.conf</filename>.";
|
||||
};
|
||||
|
||||
distributedBuilds = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
@ -187,7 +151,7 @@ in
|
|||
};
|
||||
|
||||
daemonCPUSchedPolicy = mkOption {
|
||||
type = types.enum ["other" "batch" "idle"];
|
||||
type = types.enum [ "other" "batch" "idle" ];
|
||||
default = "other";
|
||||
example = "batch";
|
||||
description = ''
|
||||
|
@ -218,7 +182,7 @@ in
|
|||
};
|
||||
|
||||
daemonIOSchedClass = mkOption {
|
||||
type = types.enum ["best-effort" "idle"];
|
||||
type = types.enum [ "best-effort" "idle" ];
|
||||
default = "best-effort";
|
||||
example = "idle";
|
||||
description = ''
|
||||
|
@ -250,11 +214,11 @@ in
|
|||
scheduling policy: With idle, priorities are not used in scheduling
|
||||
decisions. best-effort supports values in the range 0 (high) to 7
|
||||
(low).
|
||||
'';
|
||||
'';
|
||||
};
|
||||
|
||||
buildMachines = mkOption {
|
||||
type = types.listOf (types.submodule ({
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
hostName = mkOption {
|
||||
type = types.str;
|
||||
|
@ -276,7 +240,7 @@ in
|
|||
};
|
||||
systems = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "x86_64-linux" "aarch64-linux" ];
|
||||
description = ''
|
||||
The system types the build machine can execute derivations on.
|
||||
|
@ -293,7 +257,7 @@ in
|
|||
The username to log in as on the remote host. This user must be
|
||||
able to log in and run nix commands non-interactively. It must
|
||||
also be privileged to build derivations, so must be included in
|
||||
<option>nix.trustedUsers</option>.
|
||||
<option>nix.settings.trusted-users</option>.
|
||||
'';
|
||||
};
|
||||
sshKey = mkOption {
|
||||
|
@ -331,7 +295,7 @@ in
|
|||
};
|
||||
mandatoryFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "big-parallel" ];
|
||||
description = ''
|
||||
A list of features mandatory for this builder. The builder will
|
||||
|
@ -342,7 +306,7 @@ in
|
|||
};
|
||||
supportedFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "kvm" "big-parallel" ];
|
||||
description = ''
|
||||
A list of features supported by this builder. The builder will
|
||||
|
@ -350,9 +314,18 @@ in
|
|||
list.
|
||||
'';
|
||||
};
|
||||
publicHostKey = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The (base64-encoded) public host key of this builder. The field
|
||||
is calculated via <command>base64 -w0 /etc/ssh/ssh_host_type_key.pub</command>.
|
||||
If null, SSH will use its regular known-hosts file when connecting.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = [];
|
||||
});
|
||||
default = [ ];
|
||||
description = ''
|
||||
This option lists the machines to be used if distributed builds are
|
||||
enabled (see <option>nix.distributedBuilds</option>).
|
||||
|
@ -366,7 +339,7 @@ in
|
|||
envVars = mkOption {
|
||||
type = types.attrs;
|
||||
internal = true;
|
||||
default = {};
|
||||
default = { };
|
||||
description = "Environment variables used by Nix.";
|
||||
};
|
||||
|
||||
|
@ -391,92 +364,13 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
binaryCaches = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of binary cache URLs used to obtain pre-built binaries
|
||||
of Nix packages.
|
||||
|
||||
By default https://cache.nixos.org/ is added,
|
||||
to override it use <literal>lib.mkForce []</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedBinaryCaches = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "https://hydra.nixos.org/" ];
|
||||
description = ''
|
||||
List of binary cache URLs that non-root users can use (in
|
||||
addition to those specified using
|
||||
<option>nix.binaryCaches</option>) by passing
|
||||
<literal>--option binary-caches</literal> to Nix commands.
|
||||
'';
|
||||
};
|
||||
|
||||
requireSignedBinaryCaches = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), Nix will only download binaries from binary caches if
|
||||
they are cryptographically signed with any of the keys listed in
|
||||
<option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
|
||||
required nor checked, so it's strongly recommended that you use only
|
||||
trustworthy caches and https to prevent man-in-the-middle attacks.
|
||||
'';
|
||||
};
|
||||
|
||||
binaryCachePublicKeys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
||||
description = ''
|
||||
List of public keys used to sign binary caches. If
|
||||
<option>nix.requireSignedBinaryCaches</option> is enabled,
|
||||
then Nix will use a binary from a binary cache if and only
|
||||
if it is signed by <emphasis>any</emphasis> of the keys
|
||||
listed here. By default, only the key for
|
||||
<uri>cache.nixos.org</uri> is included.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedUsers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "root" ];
|
||||
example = [ "root" "alice" "@wheel" ];
|
||||
description = ''
|
||||
A list of names of users that have additional rights when
|
||||
connecting to the Nix daemon, such as the ability to specify
|
||||
additional binary caches, or to import unsigned NARs. You
|
||||
can also specify groups by prefixing them with
|
||||
<literal>@</literal>; for instance,
|
||||
<literal>@wheel</literal> means all users in the wheel
|
||||
group.
|
||||
'';
|
||||
};
|
||||
|
||||
allowedUsers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "*" ];
|
||||
example = [ "@wheel" "@builders" "alice" "bob" ];
|
||||
description = ''
|
||||
A list of names of users (separated by whitespace) that are
|
||||
allowed to connect to the Nix daemon. As with
|
||||
<option>nix.trustedUsers</option>, you can specify groups by
|
||||
prefixing them with <literal>@</literal>. Also, you can
|
||||
allow all users by specifying <literal>*</literal>. The
|
||||
default is <literal>*</literal>. Note that trusted users are
|
||||
always allowed to connect.
|
||||
'';
|
||||
};
|
||||
|
||||
nixPath = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default =
|
||||
[
|
||||
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
|
||||
"nixos-config=/etc/nixos/configuration.nix"
|
||||
"/nix/var/nix/profiles/per-user/root/channels"
|
||||
];
|
||||
default = [
|
||||
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
|
||||
"nixos-config=/etc/nixos/configuration.nix"
|
||||
"/nix/var/nix/profiles/per-user/root/channels"
|
||||
];
|
||||
description = ''
|
||||
The default Nix expression search path, used by the Nix
|
||||
evaluator to look up paths enclosed in angle brackets
|
||||
|
@ -484,45 +378,44 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
systemFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "kvm" "big-parallel" "gccarch-skylake" ];
|
||||
description = ''
|
||||
The supported features of a machine
|
||||
'';
|
||||
};
|
||||
|
||||
checkConfig = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), checks that Nix can parse the generated nix.conf.
|
||||
If enabled (the default), checks for data type mismatches and that Nix
|
||||
can parse the generated nix.conf.
|
||||
'';
|
||||
};
|
||||
|
||||
registry = mkOption {
|
||||
type = types.attrsOf (types.submodule (
|
||||
let
|
||||
inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]);
|
||||
referenceAttrs = with types; attrsOf (oneOf [
|
||||
str
|
||||
int
|
||||
bool
|
||||
package
|
||||
]);
|
||||
in
|
||||
{ config, name, ... }:
|
||||
{ options = {
|
||||
{
|
||||
options = {
|
||||
from = mkOption {
|
||||
type = inputAttrs;
|
||||
type = referenceAttrs;
|
||||
example = { type = "indirect"; id = "nixpkgs"; };
|
||||
description = "The flake reference to be rewritten.";
|
||||
};
|
||||
to = mkOption {
|
||||
type = inputAttrs;
|
||||
type = referenceAttrs;
|
||||
example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
|
||||
description = "The flake reference to which <option>from></option> is to be rewritten.";
|
||||
description = "The flake reference <option>from></option> is rewritten to.";
|
||||
};
|
||||
flake = mkOption {
|
||||
type = types.nullOr types.attrs;
|
||||
default = null;
|
||||
example = literalExpression "nixpkgs";
|
||||
description = ''
|
||||
The flake input to which <option>from></option> is to be rewritten.
|
||||
The flake input <option>from></option> is rewritten to.
|
||||
'';
|
||||
};
|
||||
exact = mkOption {
|
||||
|
@ -537,35 +430,232 @@ in
|
|||
};
|
||||
config = {
|
||||
from = mkDefault { type = "indirect"; id = name; };
|
||||
to = mkIf (config.flake != null)
|
||||
({ type = "path";
|
||||
path = config.flake.outPath;
|
||||
} // lib.filterAttrs
|
||||
(n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
|
||||
config.flake);
|
||||
to = mkIf (config.flake != null) (mkDefault
|
||||
{
|
||||
type = "path";
|
||||
path = config.flake.outPath;
|
||||
} // filterAttrs
|
||||
(n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
|
||||
config.flake);
|
||||
};
|
||||
}
|
||||
));
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
A system-wide flake registry.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
extraOptions = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
'';
|
||||
description = "Additional text appended to <filename>nix.conf</filename>.";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = semanticConfType;
|
||||
|
||||
options = {
|
||||
max-jobs = mkOption {
|
||||
type = types.either types.int (types.enum [ "auto" ]);
|
||||
default = "auto";
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of jobs that Nix will try to
|
||||
build in parallel. The default is auto, which means it will use all
|
||||
available logical cores. It is recommend to set it to the total
|
||||
number of logical cores in your system (e.g., 16 for two CPUs with 4
|
||||
cores each and hyper-threading).
|
||||
'';
|
||||
};
|
||||
|
||||
auto-optimise-store = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = ''
|
||||
If set to true, Nix automatically detects files in the store that have
|
||||
identical contents, and replaces them with hard links to a single copy.
|
||||
This saves disk space. If set to false (the default), you can still run
|
||||
nix-store --optimise to get rid of duplicate files.
|
||||
'';
|
||||
};
|
||||
|
||||
cores = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of concurrent tasks during
|
||||
one build. It affects, e.g., -j option for make.
|
||||
The special value 0 means that the builder should use all
|
||||
available CPU cores in the system. Some builds may become
|
||||
non-deterministic with this option; use with care! Packages will
|
||||
only be affected if enableParallelBuilding is set for them.
|
||||
'';
|
||||
};
|
||||
|
||||
sandbox = mkOption {
|
||||
type = types.either types.bool (types.enum [ "relaxed" ]);
|
||||
default = true;
|
||||
description = ''
|
||||
If set, Nix will perform builds in a sandboxed environment that it
|
||||
will set up automatically for each build. This prevents impurities
|
||||
in builds by disallowing access to dependencies outside of the Nix
|
||||
store by using network and mount namespaces in a chroot environment.
|
||||
This is enabled by default even though it has a possible performance
|
||||
impact due to the initial setup time of a sandbox for each build. It
|
||||
doesn't affect derivation hashes, so changing this option will not
|
||||
trigger a rebuild of packages.
|
||||
'';
|
||||
};
|
||||
|
||||
extra-sandbox-paths = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "/dev" "/proc" ];
|
||||
description = ''
|
||||
Directories from the host filesystem to be included
|
||||
in the sandbox.
|
||||
'';
|
||||
};
|
||||
|
||||
substituters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of binary cache URLs used to obtain pre-built binaries
|
||||
of Nix packages.
|
||||
|
||||
By default https://cache.nixos.org/ is added.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-substituters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "https://hydra.nixos.org/" ];
|
||||
description = ''
|
||||
List of binary cache URLs that non-root users can use (in
|
||||
addition to those specified using
|
||||
<option>nix.settings.substituters</option>) by passing
|
||||
<literal>--option binary-caches</literal> to Nix commands.
|
||||
'';
|
||||
};
|
||||
|
||||
require-sigs = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), Nix will only download binaries from binary caches if
|
||||
they are cryptographically signed with any of the keys listed in
|
||||
<option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither
|
||||
required nor checked, so it's strongly recommended that you use only
|
||||
trustworthy caches and https to prevent man-in-the-middle attacks.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-public-keys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
||||
description = ''
|
||||
List of public keys used to sign binary caches. If
|
||||
<option>nix.settings.trusted-public-keys</option> is enabled,
|
||||
then Nix will use a binary from a binary cache if and only
|
||||
if it is signed by <emphasis>any</emphasis> of the keys
|
||||
listed here. By default, only the key for
|
||||
<uri>cache.nixos.org</uri> is included.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-users = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "root" ];
|
||||
example = [ "root" "alice" "@wheel" ];
|
||||
description = ''
|
||||
A list of names of users that have additional rights when
|
||||
connecting to the Nix daemon, such as the ability to specify
|
||||
additional binary caches, or to import unsigned NARs. You
|
||||
can also specify groups by prefixing them with
|
||||
<literal>@</literal>; for instance,
|
||||
<literal>@wheel</literal> means all users in the wheel
|
||||
group.
|
||||
'';
|
||||
};
|
||||
|
||||
system-features = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "kvm" "big-parallel" "gccarch-skylake" ];
|
||||
description = ''
|
||||
The set of features supported by the machine. Derivations
|
||||
can express dependencies on system features through the
|
||||
<literal>requiredSystemFeatures</literal> attribute.
|
||||
|
||||
By default, pseudo-features <literal>nixos-test</literal>, <literal>benchmark</literal>,
|
||||
and <literal>big-parallel</literal> used in Nixpkgs are set, <literal>kvm</literal>
|
||||
is also included in it is avaliable.
|
||||
'';
|
||||
};
|
||||
|
||||
allowed-users = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "*" ];
|
||||
example = [ "@wheel" "@builders" "alice" "bob" ];
|
||||
description = ''
|
||||
A list of names of users (separated by whitespace) that are
|
||||
allowed to connect to the Nix daemon. As with
|
||||
<option>nix.settings.trusted-users</option>, you can specify groups by
|
||||
prefixing them with <literal>@</literal>. Also, you can
|
||||
allow all users by specifying <literal>*</literal>. The
|
||||
default is <literal>*</literal>. Note that trusted users are
|
||||
always allowed to connect.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
example = literalExpression ''
|
||||
{
|
||||
use-sandbox = true;
|
||||
show-trace = true;
|
||||
|
||||
system-features = [ "big-parallel" "kvm" "recursive-nix" ];
|
||||
sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Configuration for Nix, see
|
||||
<link xlink:href="https://nixos.org/manual/nix/stable/#sec-conf-file"/> or
|
||||
<citerefentry>
|
||||
<refentrytitle>nix.conf</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</citerefentry> for avalaible options.
|
||||
The value declared here will be translated directly to the key-value pairs Nix expects.
|
||||
</para>
|
||||
<para>
|
||||
You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command>
|
||||
to view the current value. By default it is empty.
|
||||
</para>
|
||||
<para>
|
||||
Nix configurations defined under <option>nix.*</option> will be translated and applied to this
|
||||
option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended
|
||||
verbatim to the resulting config file.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
|
||||
nix.binaryCaches = [ "https://cache.nixos.org/" ];
|
||||
|
||||
environment.systemPackages =
|
||||
[ nix
|
||||
[
|
||||
nixPackage
|
||||
pkgs.nix-info
|
||||
]
|
||||
++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;
|
||||
|
@ -579,44 +669,49 @@ in
|
|||
|
||||
# List of machines for distributed Nix builds in the format
|
||||
# expected by build-remote.pl.
|
||||
environment.etc."nix/machines" =
|
||||
{ enable = cfg.buildMachines != [];
|
||||
text =
|
||||
concatMapStrings (machine:
|
||||
"${if machine.sshUser != null then "${machine.sshUser}@" else ""}${machine.hostName} "
|
||||
+ (if machine.system != null then machine.system else concatStringsSep "," machine.systems)
|
||||
+ " ${if machine.sshKey != null then machine.sshKey else "-"} ${toString machine.maxJobs} "
|
||||
+ toString (machine.speedFactor)
|
||||
+ " "
|
||||
+ concatStringsSep "," (machine.mandatoryFeatures ++ machine.supportedFeatures)
|
||||
+ " "
|
||||
+ concatStringsSep "," machine.mandatoryFeatures
|
||||
environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) {
|
||||
text =
|
||||
concatMapStrings
|
||||
(machine:
|
||||
(concatStringsSep " " [
|
||||
"${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
|
||||
(if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
|
||||
(if machine.sshKey != null then machine.sshKey else "-")
|
||||
(toString machine.maxJobs)
|
||||
(toString machine.speedFactor)
|
||||
(concatStringsSep "," machine.supportedFeatures)
|
||||
(concatStringsSep "," machine.mandatoryFeatures)
|
||||
]
|
||||
++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))
|
||||
+ "\n"
|
||||
) cfg.buildMachines;
|
||||
};
|
||||
)
|
||||
cfg.buildMachines;
|
||||
};
|
||||
|
||||
assertions =
|
||||
let badMachine = m: m.system == null && m.systems == [];
|
||||
in [
|
||||
let badMachine = m: m.system == null && m.systems == [ ];
|
||||
in
|
||||
[
|
||||
{
|
||||
assertion = !(builtins.any badMachine cfg.buildMachines);
|
||||
assertion = !(any badMachine cfg.buildMachines);
|
||||
message = ''
|
||||
At least one system type (via <varname>system</varname> or
|
||||
<varname>systems</varname>) must be set for every build machine.
|
||||
Invalid machine specifications:
|
||||
'' + " " +
|
||||
(builtins.concatStringsSep "\n "
|
||||
(builtins.map (m: m.hostName)
|
||||
(builtins.filter (badMachine) cfg.buildMachines)));
|
||||
(concatStringsSep "\n "
|
||||
(map (m: m.hostName)
|
||||
(filter (badMachine) cfg.buildMachines)));
|
||||
}
|
||||
];
|
||||
|
||||
|
||||
systemd.packages = [ nix ];
|
||||
systemd.packages = [ nixPackage ];
|
||||
|
||||
systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
|
||||
|
||||
systemd.services.nix-daemon =
|
||||
{ path = [ nix pkgs.util-linux config.programs.ssh.package ]
|
||||
{
|
||||
path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
|
||||
++ optionals cfg.distributedBuilds [ pkgs.gzip ];
|
||||
|
||||
environment = cfg.envVars
|
||||
|
@ -626,7 +721,8 @@ in
|
|||
unitConfig.RequiresMountsFor = "/nix/store";
|
||||
|
||||
serviceConfig =
|
||||
{ CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
|
||||
{
|
||||
CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
|
||||
IOSchedulingClass = cfg.daemonIOSchedClass;
|
||||
IOSchedulingPriority = cfg.daemonIOSchedPriority;
|
||||
LimitNOFILE = 4096;
|
||||
|
@ -636,9 +732,7 @@ in
|
|||
};
|
||||
|
||||
# Set up the environment variables for running Nix.
|
||||
environment.sessionVariables = cfg.envVars //
|
||||
{ NIX_PATH = cfg.nixPath;
|
||||
};
|
||||
environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };
|
||||
|
||||
environment.extraInit =
|
||||
''
|
||||
|
@ -647,7 +741,7 @@ in
|
|||
fi
|
||||
'';
|
||||
|
||||
nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));
|
||||
nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
|
||||
|
||||
users.users = nixbldUsers;
|
||||
|
||||
|
@ -663,14 +757,26 @@ in
|
|||
fi
|
||||
'';
|
||||
|
||||
nix.systemFeatures = mkDefault (
|
||||
[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
|
||||
optionals (pkgs.hostPlatform ? gcc.arch) (
|
||||
# a builder can run code for `gcc.arch` and inferior architectures
|
||||
[ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
|
||||
map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
|
||||
)
|
||||
);
|
||||
# Legacy configuration conversion.
|
||||
nix.settings = mkMerge [
|
||||
{
|
||||
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
|
||||
substituters = [ "https://cache.nixos.org/" ];
|
||||
|
||||
system-features = mkDefault (
|
||||
[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
|
||||
optionals (pkgs.hostPlatform ? gcc.arch) (
|
||||
# a builder can run code for `gcc.arch` and inferior architectures
|
||||
[ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
|
||||
map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
(mkIf (!cfg.distributedBuilds) { builders = null; })
|
||||
|
||||
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ in {
|
|||
write = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations.";
|
||||
description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the <option>nix.settings.trusted-users</option> option in most use cases, such as allowing remote building of derivations.";
|
||||
};
|
||||
|
||||
keys = mkOption {
|
||||
|
|
|
@ -156,7 +156,7 @@ in
|
|||
|
||||
specialisation = mkOption {
|
||||
default = {};
|
||||
example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }";
|
||||
example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }";
|
||||
description = ''
|
||||
Additional configurations to build. If
|
||||
<literal>inheritParentConfig</literal> is true, the system
|
||||
|
|
|
@ -300,18 +300,15 @@ in {
|
|||
interpreterSandboxPath = dirOf (dirOf interpreterReg);
|
||||
} // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
|
||||
}) cfg.emulatedSystems);
|
||||
# TODO: add a nix.extraPlatforms option to NixOS!
|
||||
nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
|
||||
extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
|
||||
'';
|
||||
nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) (
|
||||
let
|
||||
nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
|
||||
extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
|
||||
extra-sandbox-paths = let
|
||||
ruleFor = system: cfg.registrations.${system};
|
||||
hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
|
||||
in [ "/run/binfmt" ]
|
||||
++ lib.optional hasWrappedRule "${pkgs.bash}"
|
||||
++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems)
|
||||
);
|
||||
++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems);
|
||||
};
|
||||
|
||||
environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
|
||||
(lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
|
||||
|
|
|
@ -10,8 +10,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
|
|||
|
||||
# XXX: Sandbox setup fails while trying to hardlink files from the host's
|
||||
# store file system into the prepared chroot directory.
|
||||
nix.useSandbox = false;
|
||||
nix.binaryCaches = []; # don't try to access cache.nixos.org
|
||||
nix.settings.sandbox = false;
|
||||
nix.settings.substituters = []; # don't try to access cache.nixos.org
|
||||
|
||||
virtualisation.writableStore = true;
|
||||
# Make sure we always have all the required dependencies for creating a
|
||||
|
|
|
@ -11,7 +11,7 @@ import ./make-test-python.nix ({ pkgs, ... } : {
|
|||
users.users.sybil = { isNormalUser = true; group = "wheel"; };
|
||||
imports = [ ../modules/profiles/hardened.nix ];
|
||||
environment.memoryAllocator.provider = "graphene-hardened";
|
||||
nix.useSandbox = false;
|
||||
nix.settings.sandbox = false;
|
||||
virtualisation.emptyDiskImages = [ 4096 ];
|
||||
boot.initrd.postDeviceCommands = ''
|
||||
${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
|
||||
|
|
|
@ -45,11 +45,11 @@ in makeTest {
|
|||
../modules/profiles/base.nix
|
||||
];
|
||||
|
||||
nix.binaryCaches = mkForce [ ];
|
||||
nix.extraOptions = ''
|
||||
hashed-mirrors =
|
||||
connect-timeout = 1
|
||||
'';
|
||||
nix.settings = {
|
||||
substituters = mkForce [];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = 1;
|
||||
};
|
||||
|
||||
virtualisation.diskSize = 8 * 1024;
|
||||
virtualisation.emptyDiskImages = [
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
hostName = "localhost";
|
||||
systems = [ system ];
|
||||
}];
|
||||
binaryCaches = [];
|
||||
settings.substituters = [];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -334,11 +334,11 @@ let
|
|||
(pkgs.grub2_efi.override { inherit zfsSupport; })
|
||||
]);
|
||||
|
||||
nix.binaryCaches = mkForce [ ];
|
||||
nix.extraOptions = ''
|
||||
hashed-mirrors =
|
||||
connect-timeout = 1
|
||||
'';
|
||||
nix.settings = {
|
||||
substituters = mkForce [];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = 1;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
@ -111,11 +111,11 @@ import ./make-test-python.nix (
|
|||
|
||||
environment.etc."initiator-root-disk-closure".source = nodes.initiatorRootDisk.config.system.build.toplevel;
|
||||
|
||||
nix.binaryCaches = lib.mkForce [ ];
|
||||
nix.extraOptions = ''
|
||||
hashed-mirrors =
|
||||
connect-timeout = 1
|
||||
'';
|
||||
nix.settings = {
|
||||
substituters = lib.mkForce [ ];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = 1;
|
||||
};
|
||||
};
|
||||
|
||||
initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
|
||||
|
|
|
@ -95,11 +95,11 @@ import ./make-test-python.nix (
|
|||
|
||||
system.extraDependencies = [ nodes.initiatorRootDisk.config.system.build.toplevel ];
|
||||
|
||||
nix.binaryCaches = lib.mkForce [];
|
||||
nix.extraOptions = ''
|
||||
hashed-mirrors =
|
||||
connect-timeout = 1
|
||||
'';
|
||||
nix.settings = {
|
||||
substituters = lib.mkForce [];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = 1;
|
||||
};
|
||||
};
|
||||
|
||||
initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
|
||||
|
|
|
@ -23,7 +23,7 @@ let
|
|||
deployer = { config, lib, nodes, pkgs, ... }: {
|
||||
imports = [ ../../modules/installer/cd-dvd/channel.nix ];
|
||||
environment.systemPackages = [ nixopsPkg ];
|
||||
nix.binaryCaches = lib.mkForce [ ];
|
||||
nix.settings.substituters = lib.mkForce [ ];
|
||||
users.users.person.isNormalUser = true;
|
||||
virtualisation.writableStore = true;
|
||||
virtualisation.additionalPaths = [
|
||||
|
|
|
@ -16,7 +16,7 @@ in
|
|||
(modulesPath + "/testing/test-instrumentation.nix")
|
||||
];
|
||||
virtualisation.writableStore = true;
|
||||
nix.binaryCaches = lib.mkForce [ ];
|
||||
nix.settings.substituters = lib.mkForce [ ];
|
||||
virtualisation.graphics = false;
|
||||
documentation.enable = false;
|
||||
services.qemuGuest.enable = true;
|
||||
|
|
|
@ -43,11 +43,11 @@ let
|
|||
# vda is a filesystem without partition table
|
||||
forceInstall = true;
|
||||
};
|
||||
nix.binaryCaches = lib.mkForce [ ];
|
||||
nix.extraOptions = ''
|
||||
hashed-mirrors =
|
||||
connect-timeout = 1
|
||||
'';
|
||||
nix.settings = {
|
||||
substituters = lib.mkForce [];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = 1;
|
||||
};
|
||||
# save some memory
|
||||
documentation.enable = false;
|
||||
};
|
||||
|
|
|
@ -28,7 +28,7 @@ nixosTest {
|
|||
virtualisation.writableStore = true;
|
||||
|
||||
# Test runs without network, so we don't substitute and prepare our deps
|
||||
nix.binaryCaches = lib.mkForce [];
|
||||
nix.settings.substituters = lib.mkForce [];
|
||||
environment.etc."pre-built-paths".source = writeText "pre-built-paths" (
|
||||
builtins.toJSON [hello figlet stdenvNoCC]
|
||||
);
|
||||
|
|
Loading…
Reference in New Issue
Block a user