Merge master into staging-next
commit
da44aac0b1
@ -1,11 +1,12 @@
|
|||||||
# darwin.builder {#sec-darwin-builder}
|
# darwin.linux-builder {#sec-darwin-builder}
|
||||||
|
|
||||||
`darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine.
|
`darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine.
|
||||||
|
|
||||||
This requires macOS version 12.4 or later.
|
This requires macOS version 12.4 or later.
|
||||||
|
|
||||||
This also requires that port 22 on your machine is free (since Nix does not
|
The builder runs on host port 31022 by default.
|
||||||
permit specifying a non-default SSH port for builders).
|
You can change it by overriding `virtualisation.darwin-builder.hostPort`.
|
||||||
|
See the [example](#sec-darwin-builder-example-flake).
|
||||||
|
|
||||||
You will also need to be a trusted user for your Nix installation. In other
|
You will also need to be a trusted user for your Nix installation. In other
|
||||||
words, your `/etc/nix/nix.conf` should have something like:
|
words, your `/etc/nix/nix.conf` should have something like:
|
||||||
@ -17,7 +18,7 @@ extra-trusted-users = <your username goes here>
|
|||||||
To launch the builder, run the following flake:
|
To launch the builder, run the following flake:
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
$ nix run nixpkgs#darwin.builder
|
$ nix run nixpkgs#darwin.linux-builder
|
||||||
```
|
```
|
||||||
|
|
||||||
That will prompt you to enter your `sudo` password:
|
That will prompt you to enter your `sudo` password:
|
||||||
@ -50,12 +51,21 @@ To delegate builds to the remote builder, add the following options to your
|
|||||||
```
|
```
|
||||||
# - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
|
# - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
|
||||||
# - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
|
# - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
|
||||||
builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=
|
builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=
|
||||||
|
|
||||||
# Not strictly necessary, but this will reduce your disk utilization
|
# Not strictly necessary, but this will reduce your disk utilization
|
||||||
builders-use-substitutes = true
|
builders-use-substitutes = true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
Host linux-builder
|
||||||
|
Hostname localhost
|
||||||
|
HostKeyAlias linux-builder
|
||||||
|
Port 31022
|
||||||
|
```
|
||||||
|
|
||||||
… and then restart your Nix daemon to apply the change:
|
… and then restart your Nix daemon to apply the change:
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
|
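--- /dev/null
+++ b/nixos/modules/config/nix-channel.nix
@@ -0,0 +1,70 @@
+/*
+Manages the things that are needed for a traditional nix-channel based
+configuration to work.
+
+See also
+- ./nix.nix
+- ./nix-flakes.nix
+*/
+{ config, lib, ... }:
+let
+inherit (lib)
+mkIf
+mkOption
+stringAfter
+types
+;
+
+cfg = config.nix;
+
+in
+{
+options = {
+nix = {
+nixPath = mkOption {
+type = types.listOf types.str;
+default = [
+"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
+"nixos-config=/etc/nixos/configuration.nix"
+"/nix/var/nix/profiles/per-user/root/channels"
+];
+description = lib.mdDoc ''
+The default Nix expression search path, used by the Nix
+evaluator to look up paths enclosed in angle brackets
+(e.g. `<nixpkgs>`).
+'';
+};
+};
+
+system = {
+defaultChannel = mkOption {
+internal = true;
+type = types.str;
+default = "https://nixos.org/channels/nixos-unstable";
+description = lib.mdDoc "Default NixOS channel to which the root user is subscribed.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+
+environment.extraInit =
+''
+if [ -e "$HOME/.nix-defexpr/channels" ]; then
+export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}"
+fi
+'';
+
+environment.sessionVariables = {
+NIX_PATH = cfg.nixPath;
+};
+
+system.activationScripts.nix-channel = stringAfter [ "etc" "users" ]
+''
+# Subscribe the root user to the NixOS channel by default.
+if [ ! -e "/root/.nix-channels" ]; then
+echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels"
+fi
+'';
+};
+}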
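Review bot: The `nix.nixPath` description does not mention that the `environment.extraInit` snippet in this same file prepends `$HOME/.nix-defexpr/channels` to `NIX_PATH` for every login shell whose home contains that directory, so for an interactive user `<nixpkgs>` resolves from the user's own channels before any of the root-owned entries listed in `nix.nixPath`. I would add to the description: `Per-user channels in $HOME/.nix-defexpr/channels, when present, are prepended to this path at login and take precedence over these entries.` The activation script likewise writes `/root/.nix-channels` only when the file does not yet exist, so a later change to `system.defaultChannel` leaves an existing subscription untouched; a sentence saying so in the `system.defaultChannel` description would spare the next reader that surprise.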
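--- /dev/null
+++ b/nixos/modules/config/nix-flakes.nix
@@ -0,0 +1,95 @@
+/*
+Manages the flake registry.
+
+See also
+- ./nix.nix
+- ./nix-channel.nix
+*/
+{ config, lib, ... }:
+let
+inherit (lib)
+filterAttrs
+literalExpression
+mapAttrsToList
+mkDefault
+mkIf
+mkOption
+types
+;
+
+cfg = config.nix;
+
+in
+{
+options = {
+nix = {
+registry = mkOption {
+type = types.attrsOf (types.submodule (
+let
+referenceAttrs = with types; attrsOf (oneOf [
+str
+int
+bool
+path
+package
+]);
+in
+{ config, name, ... }:
+{
+options = {
+from = mkOption {
+type = referenceAttrs;
+example = { type = "indirect"; id = "nixpkgs"; };
+description = lib.mdDoc "The flake reference to be rewritten.";
+};
+to = mkOption {
+type = referenceAttrs;
+example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
+description = lib.mdDoc "The flake reference {option}`from` is rewritten to.";
+};
+flake = mkOption {
+type = types.nullOr types.attrs;
+default = null;
+example = literalExpression "nixpkgs";
+description = lib.mdDoc ''
+The flake input {option}`from` is rewritten to.
+'';
+};
+exact = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+Whether the {option}`from` reference needs to match exactly. If set,
+a {option}`from` reference like `nixpkgs` does not
+match with a reference like `nixpkgs/nixos-20.03`.
+'';
+};
+};
+config = {
+from = mkDefault { type = "indirect"; id = name; };
+to = mkIf (config.flake != null) (mkDefault (
+{
+type = "path";
+path = config.flake.outPath;
+} // filterAttrs
+(n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+config.flake
+));
+};
+}
+));
+default = { };
+description = lib.mdDoc ''
+A system-wide flake registry.
+'';
+};
+};
+};
+
+config = mkIf cfg.enable {
+environment.etc."nix/registry.json".text = builtins.toJSON {
+version = 2;
+flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry;
+};
+};
+}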
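Review bot: The `to` option's description and its example `{ type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }` give no hint that a registry target without `rev` or `narHash` is unpinned, whereas the `flake` path in the submodule's `config` copies `rev`, `revCount`, `lastModified` and `narHash` into `to` so that entry is fixed to one tree. Because this registry is written system-wide to `/etc/nix/registry.json` and rewrites what every user's `nixpkgs`-style reference resolves to, that difference belongs in the option text. I would extend the `to` description with: `A reference without rev or narHash is not pinned by this configuration and follows whatever the remote currently serves; set flake, or include rev and narHash, to pin it.`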
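--- /dev/null
+++ b/nixos/modules/config/nix-remote-build.nix
@@ -0,0 +1,226 @@
+/*
+Manages the remote build configuration, /etc/nix/machines
+
+See also
+- ./nix.nix
+- nixos/modules/services/system/nix-daemon.nix
+*/
+{ config, lib, ... }:
+
+let
+inherit (lib)
+any
+concatMapStrings
+concatStringsSep
+filter
+getVersion
+mkIf
+mkMerge
+mkOption
+optional
+optionalString
+types
+versionAtLeast
+;
+
+cfg = config.nix;
+
+nixPackage = cfg.package.out;
+
+isNixAtLeast = versionAtLeast (getVersion nixPackage);
+
+buildMachinesText =
+concatMapStrings
+(machine:
+(concatStringsSep " " ([
+"${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
+(if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
+(if machine.sshKey != null then machine.sshKey else "-")
+(toString machine.maxJobs)
+(toString machine.speedFactor)
+(let res = (machine.supportedFeatures ++ machine.mandatoryFeatures);
+in if (res == []) then "-" else (concatStringsSep "," res))
+(let res = machine.mandatoryFeatures;
+in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures))
+]
+++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-")))
++ "\n"
+)
+cfg.buildMachines;
+
+in
+{
+options = {
+nix = {
+buildMachines = mkOption {
+type = types.listOf (types.submodule {
+options = {
+hostName = mkOption {
+type = types.str;
+example = "nixbuilder.example.org";
+description = lib.mdDoc ''
+The hostname of the build machine.
+'';
+};
+protocol = mkOption {
+type = types.enum [ null "ssh" "ssh-ng" ];
+default = "ssh";
+example = "ssh-ng";
+description = lib.mdDoc ''
+The protocol used for communicating with the build machine.
+Use `ssh-ng` if your remote builder and your
+local Nix version support that improved protocol.
+
+Use `null` when trying to change the special localhost builder
+without a protocol which is for example used by hydra.
+'';
+};
+system = mkOption {
+type = types.nullOr types.str;
+default = null;
+example = "x86_64-linux";
+description = lib.mdDoc ''
+The system type the build machine can execute derivations on.
+Either this attribute or {var}`systems` must be
+present, where {var}`system` takes precedence if
+both are set.
+'';
+};
+systems = mkOption {
+type = types.listOf types.str;
+default = [ ];
+example = [ "x86_64-linux" "aarch64-linux" ];
+description = lib.mdDoc ''
+The system types the build machine can execute derivations on.
+Either this attribute or {var}`system` must be
+present, where {var}`system` takes precedence if
+both are set.
+'';
+};
+sshUser = mkOption {
+type = types.nullOr types.str;
+default = null;
+example = "builder";
+description = lib.mdDoc ''
+The username to log in as on the remote host. This user must be
+able to log in and run nix commands non-interactively. It must
+also be privileged to build derivations, so must be included in
+{option}`nix.settings.trusted-users`.
+'';
+};
+sshKey = mkOption {
+type = types.nullOr types.str;
+default = null;
+example = "/root/.ssh/id_buildhost_builduser";
+description = lib.mdDoc ''
+The path to the SSH private key with which to authenticate on
+the build machine. The private key must not have a passphrase.
+If null, the building user (root on NixOS machines) must have an
+appropriate ssh configuration to log in non-interactively.
+
+Note that for security reasons, this path must point to a file
+in the local filesystem, *not* to the nix store.
+'';
+};
+maxJobs = mkOption {
+type = types.int;
+default = 1;
+description = lib.mdDoc ''
+The number of concurrent jobs the build machine supports. The
+build machine will enforce its own limits, but this allows hydra
+to schedule better since there is no work-stealing between build
+machines.
+'';
+};
+speedFactor = mkOption {
+type = types.int;
+default = 1;
+description = lib.mdDoc ''
+The relative speed of this builder. This is an arbitrary integer
+that indicates the speed of this builder, relative to other
+builders. Higher is faster.
+'';
+};
+mandatoryFeatures = mkOption {
+type = types.listOf types.str;
+default = [ ];
+example = [ "big-parallel" ];
+description = lib.mdDoc ''
+A list of features mandatory for this builder. The builder will
+be ignored for derivations that don't require all features in
+this list. All mandatory features are automatically included in
+{var}`supportedFeatures`.
+'';
+};
+supportedFeatures = mkOption {
+type = types.listOf types.str;
+default = [ ];
+example = [ "kvm" "big-parallel" ];
+description = lib.mdDoc ''
+A list of features supported by this builder. The builder will
+be ignored for derivations that require features not in this
+list.
+'';
+};
+publicHostKey = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = lib.mdDoc ''
+The (base64-encoded) public host key of this builder. The field
+is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`.
+If null, SSH will use its regular known-hosts file when connecting.
+'';
+};
+};
+});
+default = [ ];
+description = lib.mdDoc ''
+This option lists the machines to be used if distributed builds are
+enabled (see {option}`nix.distributedBuilds`).
+Nix will perform derivations on those machines via SSH by copying the
+inputs to the Nix store on the remote machine, starting the build,
+then copying the output back to the local Nix store.
+'';
+};
+
+distributedBuilds = mkOption {
+type = types.bool;
+default = false;
+description = lib.mdDoc ''
+Whether to distribute builds to the machines listed in
+{option}`nix.buildMachines`.
+'';
+};
+};
+};
+
+# distributedBuilds does *not* inhibit /etc/machines generation; caller may
+# override that nix option.
+config = mkIf cfg.enable {
+assertions =
+let badMachine = m: m.system == null && m.systems == [ ];
+in
+[
+{
+assertion = !(any badMachine cfg.buildMachines);
+message = ''
+At least one system type (via <varname>system</varname> or
+<varname>systems</varname>) must be set for every build machine.
+Invalid machine specifications:
+'' + " " +
+(concatStringsSep "\n "
+(map (m: m.hostName)
+(filter (badMachine) cfg.buildMachines)));
+}
+];
+
+# List of machines for distributed Nix builds
+environment.etc."nix/machines" =
+mkIf (cfg.buildMachines != [ ]) {
+text = buildMachinesText;
+};
+
+# Legacy configuration conversion.
+nix.settings = mkIf (!cfg.distributedBuilds) { builders = null; };
+};
+}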
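Review bot: The `sshKey` description says the path must point at a file in the local filesystem and never into the Nix store, but its type is `types.nullOr types.str` and nothing in the `assertions` list at the bottom of the file enforces that, so a string such as `/nix/store/...-builder-key` is accepted and the private key ends up in the world-readable store. I would add a second assertion next to the existing `badMachine` check; it only needs `lib.hasPrefix` and `builtins.storeDir`, both reachable through the module's `lib` argument. In the same submodule, `maxJobs` and `speedFactor` are declared as `types.int`, which also admits negative values that would be written verbatim into `/etc/nix/machines`; `types.ints.positive` and `types.ints.unsigned` would reject them at evaluation time instead.
```nix
let badMachine = m: m.system == null && m.systems == [ ];
    storeKey = m: m.sshKey != null && lib.hasPrefix builtins.storeDir m.sshKey;
in
[
  # … unchanged: badMachine assertion …
  {
    assertion = !(any storeKey cfg.buildMachines);
    message = "nix.buildMachines.*.sshKey must not point into the Nix store (store paths are world-readable): "
      + concatStringsSep ", " (map (m: m.hostName) (filter storeKey cfg.buildMachines));
  }
];
```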
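--- /dev/null
+++ b/nixos/modules/config/nix.nix
@@ -0,0 +1,379 @@
+/*
+Manages /etc/nix.conf.
+
+See also
+- ./nix-channel.nix
+- ./nix-flakes.nix
+- ./nix-remote-build.nix
+- nixos/modules/services/system/nix-daemon.nix
+*/
+{ config, lib, pkgs, ... }:
+
+let
+inherit (lib)
+concatStringsSep
+boolToString
+escape
+floatToString
+getVersion
+isBool
+isDerivation
+isFloat
+isInt
+isList
+isString
+literalExpression
+mapAttrsToList
+mkAfter
+mkDefault
+mkIf
+mkOption
+mkRenamedOptionModuleWith
+optionalString
+optionals
+strings
+systems
+toPretty
+types
+versionAtLeast
+;
+
+cfg = config.nix;
+
+nixPackage = cfg.package.out;
+
+isNixAtLeast = versionAtLeast (getVersion nixPackage);
+
+legacyConfMappings = {
+useSandbox = "sandbox";
+buildCores = "cores";
+maxJobs = "max-jobs";
+sandboxPaths = "extra-sandbox-paths";
+binaryCaches = "substituters";
+trustedBinaryCaches = "trusted-substituters";
+binaryCachePublicKeys = "trusted-public-keys";
+autoOptimiseStore = "auto-optimise-store";
+requireSignedBinaryCaches = "require-sigs";
+trustedUsers = "trusted-users";
+allowedUsers = "allowed-users";
+systemFeatures = "system-features";
+};
+
+semanticConfType = with types;
+let
+confAtom = nullOr
+(oneOf [
+bool
+int
+float
+str
+path
+package
+]) // {
+description = "Nix config atom (null, bool, int, float, str, path or package)";
+};
+in
+attrsOf (either confAtom (listOf confAtom));
+
+nixConf =
+assert isNixAtLeast "2.2";
+let
+
+mkValueString = v:
+if v == null then ""
+else if isInt v then toString v
+else if isBool v then boolToString v
+else if isFloat v then floatToString v
+else if isList v then toString v
+else if isDerivation v then toString v
+else if builtins.isPath v then toString v
+else if isString v then v
+else if strings.isConvertibleWithToString v then toString v
+else abort "The nix conf value: ${toPretty {} v} can not be encoded";
+
+mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}";
+
+mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs);
+
+in
+pkgs.writeTextFile {
+name = "nix.conf";
+text = ''
+# WARNING: this file is generated from the nix.* options in
+# your NixOS configuration, typically
+# /etc/nixos/configuration.nix. Do not edit it!
+${mkKeyValuePairs cfg.settings}
+${cfg.extraOptions}
+'';
+checkPhase = lib.optionalString cfg.checkConfig (
+if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
+echo "Ignoring validation for cross-compilation"
+''
+else ''
+echo "Validating generated nix.conf"
+ln -s $out ./nix.conf
+set -e
+set +o pipefail
+NIX_CONF_DIR=$PWD \
+${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
+${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \
+|& sed -e 's/^warning:/error:/' \
+| (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}')
+set -o pipefail
+'');
+};
+
+in
+{
+imports = [
+(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
+(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
+] ++
+mapAttrsToList
+(oldConf: newConf:
+mkRenamedOptionModuleWith {
+sinceRelease = 2205;
+from = [ "nix" oldConf ];
+to = [ "nix" "settings" newConf ];
+})
+legacyConfMappings;
+
+options = {
+nix = {
+checkConfig = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+If enabled, checks that Nix can parse the generated nix.conf.
+'';
+};
+
+checkAllErrors = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.
+'';
+};
+
+extraOptions = mkOption {
+type = types.lines;
+default = "";
+example = ''
+keep-outputs = true
+keep-derivations = true
+'';
+description = lib.mdDoc "Additional text appended to {file}`nix.conf`.";
+};
+
+settings = mkOption {
+type = types.submodule {
+freeformType = semanticConfType;
+
+options = {
+max-jobs = mkOption {
+type = types.either types.int (types.enum [ "auto" ]);
+default = "auto";
+example = 64;
+description = lib.mdDoc ''
+This option defines the maximum number of jobs that Nix will try to
+build in parallel. The default is auto, which means it will use all
+available logical cores. It is recommend to set it to the total
+number of logical cores in your system (e.g., 16 for two CPUs with 4
+cores each and hyper-threading).
+'';
+};
+
+auto-optimise-store = mkOption {
+type = types.bool;
+default = false;
+example = true;
+description = lib.mdDoc ''
+If set to true, Nix automatically detects files in the store that have
+identical contents, and replaces them with hard links to a single copy.
+This saves disk space. If set to false (the default), you can still run
+nix-store --optimise to get rid of duplicate files.
+'';
+};
+
+cores = mkOption {
+type = types.int;
+default = 0;
+example = 64;
+description = lib.mdDoc ''
+This option defines the maximum number of concurrent tasks during
+one build. It affects, e.g., -j option for make.
+The special value 0 means that the builder should use all
+available CPU cores in the system. Some builds may become
+non-deterministic with this option; use with care! Packages will
+only be affected if enableParallelBuilding is set for them.
+'';
+};
+
+sandbox = mkOption {
+type = types.either types.bool (types.enum [ "relaxed" ]);
+default = true;
+description = lib.mdDoc ''
+If set, Nix will perform builds in a sandboxed environment that it
+will set up automatically for each build. This prevents impurities
+in builds by disallowing access to dependencies outside of the Nix
+store by using network and mount namespaces in a chroot environment.
+
+This is enabled by default even though it has a possible performance
+impact due to the initial setup time of a sandbox for each build. It
+doesn't affect derivation hashes, so changing this option will not
+trigger a rebuild of packages.
+
+When set to "relaxed", this option permits derivations that set
+`__noChroot = true;` to run outside of the sandboxed environment.
+Exercise caution when using this mode of operation! It is intended to
+be a quick hack when building with packages that are not easily setup
+to be built reproducibly.
+'';
+};
+
+extra-sandbox-paths = mkOption {
+type = types.listOf types.str;
+default = [ ];
+example = [ "/dev" "/proc" ];
+description = lib.mdDoc ''
+Directories from the host filesystem to be included
+in the sandbox.
+'';
+};
+
+substituters = mkOption {
+type = types.listOf types.str;
+description = lib.mdDoc ''
+List of binary cache URLs used to obtain pre-built binaries
+of Nix packages.
+
+By default https://cache.nixos.org/ is added.
+'';
+};
+
+trusted-substituters = mkOption {
+type = types.listOf types.str;
+default = [ ];
+example = [ "https://hydra.nixos.org/" ];
+description = lib.mdDoc ''
+List of binary cache URLs that non-root users can use (in
+addition to those specified using
+{option}`nix.settings.substituters`) by passing
+`--option binary-caches` to Nix commands.
+'';
+};
+
+require-sigs = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+If enabled (the default), Nix will only download binaries from binary caches if
+they are cryptographically signed with any of the keys listed in
+{option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither
+required nor checked, so it's strongly recommended that you use only
+trustworthy caches and https to prevent man-in-the-middle attacks.
+'';
+};
+
+trusted-public-keys = mkOption {
+type = types.listOf types.str;
+example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+description = lib.mdDoc ''
+List of public keys used to sign binary caches. If
+{option}`nix.settings.trusted-public-keys` is enabled,
+then Nix will use a binary from a binary cache if and only
+if it is signed by *any* of the keys
+listed here. By default, only the key for
+`cache.nixos.org` is included.
+'';
+};
+
+trusted-users = mkOption {
+type = types.listOf types.str;
+default = [ "root" ];
+example = [ "root" "alice" "@wheel" ];
+description = lib.mdDoc ''
+A list of names of users that have additional rights when
+connecting to the Nix daemon, such as the ability to specify
+additional binary caches, or to import unsigned NARs. You
+can also specify groups by prefixing them with
+`@`; for instance,
+`@wheel` means all users in the wheel
+group.
+'';
+};
+
+system-features = mkOption {
+type = types.listOf types.str;
+example = [ "kvm" "big-parallel" "gccarch-skylake" ];
+description = lib.mdDoc ''
+The set of features supported by the machine. Derivations
+can express dependencies on system features through the
+`requiredSystemFeatures` attribute.
+
+By default, pseudo-features `nixos-test`, `benchmark`,
+and `big-parallel` used in Nixpkgs are set, `kvm`
+is also included if it is available.
+'';
+};
+
+allowed-users = mkOption {
+type = types.listOf types.str;
+default = [ "*" ];
+example = [ "@wheel" "@builders" "alice" "bob" ];
+description = lib.mdDoc ''
+A list of names of users (separated by whitespace) that are
+allowed to connect to the Nix daemon. As with
+{option}`nix.settings.trusted-users`, you can specify groups by
+prefixing them with `@`. Also, you can
+allow all users by specifying `*`. The
+default is `*`. Note that trusted users are
+always allowed to connect.
+'';
+};
+};
+};
+default = { };
+example = literalExpression ''
+{
+use-sandbox = true;
+show-trace = true;
+
+system-features = [ "big-parallel" "kvm" "recursive-nix" ];
+sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
+}
+'';
+description = lib.mdDoc ''
+Configuration for Nix, see
+<https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or
+{manpage}`nix.conf(5)` for available options.
+The value declared here will be translated directly to the key-value pairs Nix expects.
+
+You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings`
+to view the current value. By default it is empty.
+
+Nix configurations defined under {option}`nix.*` will be translated and applied to this
+option. In addition, configuration specified in {option}`nix.extraOptions` will be appended
+verbatim to the resulting config file.
+'';
+};
+};
+};
+
+config = mkIf cfg.enable {
+environment.etc."nix/nix.conf".source = nixConf;
+nix.settings = {
+trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+substituters = mkAfter [ "https://cache.nixos.org/" ];
+system-features = mkDefault (
+[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
+optionals (pkgs.stdenv.hostPlatform ? gcc.arch) (
+# a builder can run code for `gcc.arch` and inferior architectures
+[ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++
+map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or [])
+)
+);
+};
+};
+}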
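Review bot: The `trusted-public-keys` description says "If `nix.settings.trusted-public-keys` is enabled, then Nix will use a binary from a binary cache if and only if it is signed", but that option is a list of keys and cannot be enabled; the switch that gates signature checking is `require-sigs`, declared just above with exactly that wording. I would change the line to `{option}`nix.settings.require-sigs` is enabled,` so someone auditing cache trust is sent to the right setting. In the same block, the `trusted-substituters` text tells non-root users to pass `--option binary-caches`, although this file's own `legacyConfMappings` maps `binaryCaches` to `substituters`; `--option substituters` is the current name and keeps the documentation consistent with the renames the module performs. Finally, since the `trusted-users` description itself lists importing unsigned NARs among the granted rights, it would help to state plainly that membership amounts in practice to root-equivalent control of the store, so the `@wheel` example should be copied deliberately rather than by default.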
@ -140,13 +140,6 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
defaultChannel = mkOption {
|
|
||||||
internal = true;
|
|
||||||
type = types.str;
|
|
||||||
default = "https://nixos.org/channels/nixos-unstable";
|
|
||||||
description = lib.mdDoc "Default NixOS channel to which the root user is subscribed.";
|
|
||||||
};
|
|
||||||
|
|
||||||
configurationRevision = mkOption {
|
configurationRevision = mkOption {
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
@ -16,6 +16,10 @@
|
|||||||
./config/malloc.nix
|
./config/malloc.nix
|
||||||
./config/mysql.nix
|
./config/mysql.nix
|
||||||
./config/networking.nix
|
./config/networking.nix
|
||||||
|
./config/nix.nix
|
||||||
|
./config/nix-channel.nix
|
||||||
|
./config/nix-flakes.nix
|
||||||
|
./config/nix-remote-build.nix
|
||||||
./config/no-x-libs.nix
|
./config/no-x-libs.nix
|
||||||
./config/nsswitch.nix
|
./config/nsswitch.nix
|
||||||
./config/power-management.nix
|
./config/power-management.nix
|
||||||
@ -661,7 +665,6 @@
|
|||||||
./services/misc/moonraker.nix
|
./services/misc/moonraker.nix
|
||||||
./services/misc/n8n.nix
|
./services/misc/n8n.nix
|
||||||
./services/misc/nitter.nix
|
./services/misc/nitter.nix
|
||||||
./services/misc/nix-daemon.nix
|
|
||||||
./services/misc/nix-gc.nix
|
./services/misc/nix-gc.nix
|
||||||
./services/misc/nix-optimise.nix
|
./services/misc/nix-optimise.nix
|
||||||
./services/misc/nix-ssh-serve.nix
|
./services/misc/nix-ssh-serve.nix
|
||||||
@ -1143,6 +1146,7 @@
|
|||||||
./services/system/earlyoom.nix
|
./services/system/earlyoom.nix
|
||||||
./services/system/kerberos/default.nix
|
./services/system/kerberos/default.nix
|
||||||
./services/system/localtimed.nix
|
./services/system/localtimed.nix
|
||||||
|
./services/system/nix-daemon.nix
|
||||||
./services/system/nscd.nix
|
./services/system/nscd.nix
|
||||||
./services/system/saslauthd.nix
|
./services/system/saslauthd.nix
|
||||||
./services/system/self-deploy.nix
|
./services/system/self-deploy.nix
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
keysDirectory = "/var/keys";
|
keysDirectory = "/var/keys";
|
||||||
@ -67,9 +67,9 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
hostPort = mkOption {
|
hostPort = mkOption {
|
||||||
default = 22;
|
default = 31022;
|
||||||
type = types.int;
|
type = types.int;
|
||||||
example = 31022;
|
example = 22;
|
||||||
description = ''
|
description = ''
|
||||||
The localhost host port to forward TCP to the guest port.
|
The localhost host port to forward TCP to the guest port.
|
||||||
'';
|
'';
|
||||||
@ -139,13 +139,13 @@ in
|
|||||||
|
|
||||||
hostPkgs = config.virtualisation.host.pkgs;
|
hostPkgs = config.virtualisation.host.pkgs;
|
||||||
|
|
||||||
script = hostPkgs.writeShellScriptBin "create-builder" (
|
script = hostPkgs.writeShellScriptBin "create-builder" (
|
||||||
# When running as non-interactively as part of a DarwinConfiguration the working directory
|
# When running as non-interactively as part of a DarwinConfiguration the working directory
|
||||||
# must be set to a writeable directory.
|
# must be set to a writeable directory.
|
||||||
(if cfg.workingDirectory != "." then ''
|
(if cfg.workingDirectory != "." then ''
|
||||||
${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}"
|
${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}"
|
||||||
cd "${cfg.workingDirectory}"
|
cd "${cfg.workingDirectory}"
|
||||||
'' else "") + ''
|
'' else "") + ''
|
||||||
KEYS="''${KEYS:-./keys}"
|
KEYS="''${KEYS:-./keys}"
|
||||||
${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"
|
${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"
|
||||||
PRIVATE_KEY="''${KEYS}/${user}_${keyType}"
|
PRIVATE_KEY="''${KEYS}/${user}_${keyType}"
|
||||||
@ -157,7 +157,7 @@ in
|
|||||||
if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then
|
if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then
|
||||||
(set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")
|
(set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")
|
||||||
fi
|
fi
|
||||||
KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm
|
KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm}
|
||||||
'');
|
'');
|
||||||
|
|
||||||
in
|
in
|
||||||
@ -177,7 +177,7 @@ in
|
|||||||
Please inspect the trace of the following command to figure out which module
|
Please inspect the trace of the following command to figure out which module
|
||||||
has a dependency on stateVersion.
|
has a dependency on stateVersion.
|
||||||
|
|
||||||
nix-instantiate --attr darwin.builder --show-trace
|
nix-instantiate --attr darwin.linux-builder --show-trace
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -234,6 +234,10 @@ in
|
|||||||
# This ensures that anything built on the guest isn't lost when the guest is
|
# This ensures that anything built on the guest isn't lost when the guest is
|
||||||
# restarted.
|
# restarted.
|
||||||
writableStoreUseTmpfs = false;
|
writableStoreUseTmpfs = false;
|
||||||
|
|
||||||
|
# Pass certificates from host to the guest otherwise when custom CA certificates
|
||||||
|
# are required we can't use the cached builder.
|
||||||
|
useHostCerts = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
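Review bot: The `hostPort` option whose default moves to `default = 31022;` still declares `type = types.int;`, so a negative value or one above 65535 is accepted at evaluation time and only fails once the VM's port forwarding is set up; `type = types.port;` would reject it up front. In the `create-builder` script of the same section, `KEYS="$(… nix-store --add "$KEYS")"` adds the directory that `PRIVATE_KEY="${KEYS}/${user}_${keyType}"` points into, so the builder's SSH private key presumably ends up in the world-readable Nix store; that looks intentional for a VM reachable only through the forwarded localhost port, but a comment on that line such as `# The key directory (including the private key) is deliberately added to the world-readable store: the guest is only reachable via the forwarded localhost port.` would keep a later reader from "fixing" it or reusing the key for anything else. The module's `let` bindings and the rest of the option declarations lie outside the hunks shown here.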
|
@ -18,6 +18,10 @@ in
|
|||||||
{
|
{
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
|
||||||
|
default = true;
|
||||||
|
internal = true;
|
||||||
|
};
|
||||||
|
|
||||||
security.pki.certificateFiles = mkOption {
|
security.pki.certificateFiles = mkOption {
|
||||||
type = types.listOf types.path;
|
type = types.listOf types.path;
|
||||||
@ -70,7 +74,7 @@ in
|
|||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = mkIf cfg.installCACerts {
|
||||||
|
|
||||||
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
||||||
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
|
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
|
||||||
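Review bot: `security.pki.installCACerts = mkEnableOption "Add CA certificates to system"` produces the description "Whether to enable Add CA certificates to system.", and since the whole `config` block is now `config = mkIf cfg.installCACerts {`, disabling it also removes `/etc/ssl/certs/ca-certificates.crt` and the other bundle locations, which is a system-wide TLS trust change the description does not convey. Suggest `security.pki.installCACerts = mkEnableOption "installation of the system CA certificate bundle under /etc/ssl" // { default = true; internal = true; };` together with a comment above the option such as `# Disable only when another mechanism provisions the trust store (e.g. a VM guest receiving certificates from its host); with this off nothing under /etc/ssl/certs is created and TLS verification presumably fails closed.` The `config` body continues past the end of the hunk, so any other settings now gated by this option are not visible here.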
|
@ -1,844 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
|
|
||||||
cfg = config.nix;
|
|
||||||
|
|
||||||
nixPackage = cfg.package.out;
|
|
||||||
|
|
||||||
isNixAtLeast = versionAtLeast (getVersion nixPackage);
|
|
||||||
|
|
||||||
makeNixBuildUser = nr: {
|
|
||||||
name = "nixbld${toString nr}";
|
|
||||||
value = {
|
|
||||||
description = "Nix build user ${toString nr}";
|
|
||||||
|
|
||||||
/*
|
|
||||||
For consistency with the setgid(2), setuid(2), and setgroups(2)
|
|
||||||
calls in `libstore/build.cc', don't add any supplementary group
|
|
||||||
here except "nixbld".
|
|
||||||
*/
|
|
||||||
uid = builtins.add config.ids.uids.nixbld nr;
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "nixbld";
|
|
||||||
extraGroups = [ "nixbld" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
|
|
||||||
|
|
||||||
nixConf =
|
|
||||||
assert isNixAtLeast "2.2";
|
|
||||||
let
|
|
||||||
|
|
||||||
mkValueString = v:
|
|
||||||
if v == null then ""
|
|
||||||
else if isInt v then toString v
|
|
||||||
else if isBool v then boolToString v
|
|
||||||
else if isFloat v then floatToString v
|
|
||||||
else if isList v then toString v
|
|
||||||
else if isDerivation v then toString v
|
|
||||||
else if builtins.isPath v then toString v
|
|
||||||
else if isString v then v
|
|
||||||
else if strings.isConvertibleWithToString v then toString v
|
|
||||||
else abort "The nix conf value: ${toPretty {} v} can not be encoded";
|
|
||||||
|
|
||||||
mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}";
|
|
||||||
|
|
||||||
mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs);
|
|
||||||
|
|
||||||
in
|
|
||||||
pkgs.writeTextFile {
|
|
||||||
name = "nix.conf";
|
|
||||||
text = ''
|
|
||||||
# WARNING: this file is generated from the nix.* options in
|
|
||||||
# your NixOS configuration, typically
|
|
||||||
# /etc/nixos/configuration.nix. Do not edit it!
|
|
||||||
${mkKeyValuePairs cfg.settings}
|
|
||||||
${cfg.extraOptions}
|
|
||||||
'';
|
|
||||||
checkPhase = lib.optionalString cfg.checkConfig (
|
|
||||||
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
|
|
||||||
echo "Ignoring validation for cross-compilation"
|
|
||||||
''
|
|
||||||
else ''
|
|
||||||
echo "Validating generated nix.conf"
|
|
||||||
ln -s $out ./nix.conf
|
|
||||||
set -e
|
|
||||||
set +o pipefail
|
|
||||||
NIX_CONF_DIR=$PWD \
|
|
||||||
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
|
|
||||||
${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \
|
|
||||||
|& sed -e 's/^warning:/error:/' \
|
|
||||||
| (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}')
|
|
||||||
set -o pipefail
|
|
||||||
'');
|
|
||||||
};
|
|
||||||
|
|
||||||
legacyConfMappings = {
|
|
||||||
useSandbox = "sandbox";
|
|
||||||
buildCores = "cores";
|
|
||||||
maxJobs = "max-jobs";
|
|
||||||
sandboxPaths = "extra-sandbox-paths";
|
|
||||||
binaryCaches = "substituters";
|
|
||||||
trustedBinaryCaches = "trusted-substituters";
|
|
||||||
binaryCachePublicKeys = "trusted-public-keys";
|
|
||||||
autoOptimiseStore = "auto-optimise-store";
|
|
||||||
requireSignedBinaryCaches = "require-sigs";
|
|
||||||
trustedUsers = "trusted-users";
|
|
||||||
allowedUsers = "allowed-users";
|
|
||||||
systemFeatures = "system-features";
|
|
||||||
};
|
|
||||||
|
|
||||||
semanticConfType = with types;
|
|
||||||
let
|
|
||||||
confAtom = nullOr
|
|
||||||
(oneOf [
|
|
||||||
bool
|
|
||||||
int
|
|
||||||
float
|
|
||||||
str
|
|
||||||
path
|
|
||||||
package
|
|
||||||
]) // {
|
|
||||||
description = "Nix config atom (null, bool, int, float, str, path or package)";
|
|
||||||
};
|
|
||||||
in
|
|
||||||
attrsOf (either confAtom (listOf confAtom));
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
|
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
|
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
|
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; })
|
|
||||||
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
|
|
||||||
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings;
|
|
||||||
|
|
||||||
###### interface
|
|
||||||
|
|
||||||
options = {
|
|
||||||
|
|
||||||
nix = {
|
|
||||||
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Whether to enable Nix.
|
|
||||||
Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.nix;
|
|
||||||
defaultText = literalExpression "pkgs.nix";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
This option specifies the Nix package instance to use throughout the system.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
distributedBuilds = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Whether to distribute builds to the machines listed in
|
|
||||||
{option}`nix.buildMachines`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
daemonCPUSchedPolicy = mkOption {
|
|
||||||
type = types.enum [ "other" "batch" "idle" ];
|
|
||||||
default = "other";
|
|
||||||
example = "batch";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Nix daemon process CPU scheduling policy. This policy propagates to
|
|
||||||
build processes. `other` is the default scheduling
|
|
||||||
policy for regular tasks. The `batch` policy is
|
|
||||||
similar to `other`, but optimised for
|
|
||||||
non-interactive tasks. `idle` is for extremely
|
|
||||||
low-priority tasks that should only be run when no other task
|
|
||||||
requires CPU time.
|
|
||||||
|
|
||||||
Please note that while using the `idle` policy may
|
|
||||||
greatly improve responsiveness of a system performing expensive
|
|
||||||
builds, it may also slow down and potentially starve crucial
|
|
||||||
configuration updates during load.
|
|
||||||
|
|
||||||
`idle` may therefore be a sensible policy for
|
|
||||||
systems that experience only intermittent phases of high CPU load,
|
|
||||||
such as desktop or portable computers used interactively. Other
|
|
||||||
systems should use the `other` or
|
|
||||||
`batch` policy instead.
|
|
||||||
|
|
||||||
For more fine-grained resource control, please refer to
|
|
||||||
{manpage}`systemd.resource-control(5)` and adjust
|
|
||||||
{option}`systemd.services.nix-daemon` directly.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
daemonIOSchedClass = mkOption {
|
|
||||||
type = types.enum [ "best-effort" "idle" ];
|
|
||||||
default = "best-effort";
|
|
||||||
example = "idle";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Nix daemon process I/O scheduling class. This class propagates to
|
|
||||||
build processes. `best-effort` is the default
|
|
||||||
class for regular tasks. The `idle` class is for
|
|
||||||
extremely low-priority tasks that should only perform I/O when no
|
|
||||||
other task does.
|
|
||||||
|
|
||||||
Please note that while using the `idle` scheduling
|
|
||||||
class can improve responsiveness of a system performing expensive
|
|
||||||
builds, it might also slow down or starve crucial configuration
|
|
||||||
updates during load.
|
|
||||||
|
|
||||||
`idle` may therefore be a sensible class for
|
|
||||||
systems that experience only intermittent phases of high I/O load,
|
|
||||||
such as desktop or portable computers used interactively. Other
|
|
||||||
systems should use the `best-effort` class.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
daemonIOSchedPriority = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 4;
|
|
||||||
example = 1;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Nix daemon process I/O scheduling priority. This priority propagates
|
|
||||||
to build processes. The supported priorities depend on the
|
|
||||||
scheduling policy: With idle, priorities are not used in scheduling
|
|
||||||
decisions. best-effort supports values in the range 0 (high) to 7
|
|
||||||
(low).
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
buildMachines = mkOption {
|
|
||||||
type = types.listOf (types.submodule {
|
|
||||||
options = {
|
|
||||||
hostName = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
example = "nixbuilder.example.org";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The hostname of the build machine.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
protocol = mkOption {
|
|
||||||
type = types.enum [ null "ssh" "ssh-ng" ];
|
|
||||||
default = "ssh";
|
|
||||||
example = "ssh-ng";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The protocol used for communicating with the build machine.
|
|
||||||
Use `ssh-ng` if your remote builder and your
|
|
||||||
local Nix version support that improved protocol.
|
|
||||||
|
|
||||||
Use `null` when trying to change the special localhost builder
|
|
||||||
without a protocol which is for example used by hydra.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
system = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
example = "x86_64-linux";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The system type the build machine can execute derivations on.
|
|
||||||
Either this attribute or {var}`systems` must be
|
|
||||||
present, where {var}`system` takes precedence if
|
|
||||||
both are set.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
systems = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "x86_64-linux" "aarch64-linux" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The system types the build machine can execute derivations on.
|
|
||||||
Either this attribute or {var}`system` must be
|
|
||||||
present, where {var}`system` takes precedence if
|
|
||||||
both are set.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
sshUser = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
example = "builder";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The username to log in as on the remote host. This user must be
|
|
||||||
able to log in and run nix commands non-interactively. It must
|
|
||||||
also be privileged to build derivations, so must be included in
|
|
||||||
{option}`nix.settings.trusted-users`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
sshKey = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
example = "/root/.ssh/id_buildhost_builduser";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The path to the SSH private key with which to authenticate on
|
|
||||||
the build machine. The private key must not have a passphrase.
|
|
||||||
If null, the building user (root on NixOS machines) must have an
|
|
||||||
appropriate ssh configuration to log in non-interactively.
|
|
||||||
|
|
||||||
Note that for security reasons, this path must point to a file
|
|
||||||
in the local filesystem, *not* to the nix store.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
maxJobs = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 1;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The number of concurrent jobs the build machine supports. The
|
|
||||||
build machine will enforce its own limits, but this allows hydra
|
|
||||||
to schedule better since there is no work-stealing between build
|
|
||||||
machines.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
speedFactor = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 1;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The relative speed of this builder. This is an arbitrary integer
|
|
||||||
that indicates the speed of this builder, relative to other
|
|
||||||
builders. Higher is faster.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
mandatoryFeatures = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "big-parallel" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
A list of features mandatory for this builder. The builder will
|
|
||||||
be ignored for derivations that don't require all features in
|
|
||||||
this list. All mandatory features are automatically included in
|
|
||||||
{var}`supportedFeatures`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
supportedFeatures = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "kvm" "big-parallel" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
A list of features supported by this builder. The builder will
|
|
||||||
be ignored for derivations that require features not in this
|
|
||||||
list.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
publicHostKey = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The (base64-encoded) public host key of this builder. The field
|
|
||||||
is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`.
|
|
||||||
If null, SSH will use its regular known-hosts file when connecting.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
default = [ ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
This option lists the machines to be used if distributed builds are
|
|
||||||
enabled (see {option}`nix.distributedBuilds`).
|
|
||||||
Nix will perform derivations on those machines via SSH by copying the
|
|
||||||
inputs to the Nix store on the remote machine, starting the build,
|
|
||||||
then copying the output back to the local Nix store.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# Environment variables for running Nix.
|
|
||||||
envVars = mkOption {
|
|
||||||
type = types.attrs;
|
|
||||||
internal = true;
|
|
||||||
default = { };
|
|
||||||
description = lib.mdDoc "Environment variables used by Nix.";
|
|
||||||
};
|
|
||||||
|
|
||||||
nrBuildUsers = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Number of `nixbld` user accounts created to
|
|
||||||
perform secure concurrent builds. If you receive an error
|
|
||||||
message saying that “all build users are currently in use”,
|
|
||||||
you should increase this value.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
nixPath = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [
|
|
||||||
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
|
|
||||||
"nixos-config=/etc/nixos/configuration.nix"
|
|
||||||
"/nix/var/nix/profiles/per-user/root/channels"
|
|
||||||
];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The default Nix expression search path, used by the Nix
|
|
||||||
evaluator to look up paths enclosed in angle brackets
|
|
||||||
(e.g. `<nixpkgs>`).
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
checkConfig = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If enabled, checks that Nix can parse the generated nix.conf.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
checkAllErrors = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
registry = mkOption {
|
|
||||||
type = types.attrsOf (types.submodule (
|
|
||||||
let
|
|
||||||
referenceAttrs = with types; attrsOf (oneOf [
|
|
||||||
str
|
|
||||||
int
|
|
||||||
bool
|
|
||||||
path
|
|
||||||
package
|
|
||||||
]);
|
|
||||||
in
|
|
||||||
{ config, name, ... }:
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
from = mkOption {
|
|
||||||
type = referenceAttrs;
|
|
||||||
example = { type = "indirect"; id = "nixpkgs"; };
|
|
||||||
description = lib.mdDoc "The flake reference to be rewritten.";
|
|
||||||
};
|
|
||||||
to = mkOption {
|
|
||||||
type = referenceAttrs;
|
|
||||||
example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
|
|
||||||
description = lib.mdDoc "The flake reference {option}`from` is rewritten to.";
|
|
||||||
};
|
|
||||||
flake = mkOption {
|
|
||||||
type = types.nullOr types.attrs;
|
|
||||||
default = null;
|
|
||||||
example = literalExpression "nixpkgs";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The flake input {option}`from` is rewritten to.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
exact = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Whether the {option}`from` reference needs to match exactly. If set,
|
|
||||||
a {option}`from` reference like `nixpkgs` does not
|
|
||||||
match with a reference like `nixpkgs/nixos-20.03`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
config = {
|
|
||||||
from = mkDefault { type = "indirect"; id = name; };
|
|
||||||
to = mkIf (config.flake != null) (mkDefault (
|
|
||||||
{
|
|
||||||
type = "path";
|
|
||||||
path = config.flake.outPath;
|
|
||||||
} // filterAttrs
|
|
||||||
(n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
|
|
||||||
config.flake
|
|
||||||
));
|
|
||||||
};
|
|
||||||
}
|
|
||||||
));
|
|
||||||
default = { };
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
A system-wide flake registry.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
extraOptions = mkOption {
|
|
||||||
type = types.lines;
|
|
||||||
default = "";
|
|
||||||
example = ''
|
|
||||||
keep-outputs = true
|
|
||||||
keep-derivations = true
|
|
||||||
'';
|
|
||||||
description = lib.mdDoc "Additional text appended to {file}`nix.conf`.";
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = mkOption {
|
|
||||||
type = types.submodule {
|
|
||||||
freeformType = semanticConfType;
|
|
||||||
|
|
||||||
options = {
|
|
||||||
max-jobs = mkOption {
|
|
||||||
type = types.either types.int (types.enum [ "auto" ]);
|
|
||||||
default = "auto";
|
|
||||||
example = 64;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
This option defines the maximum number of jobs that Nix will try to
|
|
||||||
build in parallel. The default is auto, which means it will use all
|
|
||||||
available logical cores. It is recommend to set it to the total
|
|
||||||
number of logical cores in your system (e.g., 16 for two CPUs with 4
|
|
||||||
cores each and hyper-threading).
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
auto-optimise-store = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
example = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If set to true, Nix automatically detects files in the store that have
|
|
||||||
identical contents, and replaces them with hard links to a single copy.
|
|
||||||
This saves disk space. If set to false (the default), you can still run
|
|
||||||
nix-store --optimise to get rid of duplicate files.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
cores = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 0;
|
|
||||||
example = 64;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
This option defines the maximum number of concurrent tasks during
|
|
||||||
one build. It affects, e.g., -j option for make.
|
|
||||||
The special value 0 means that the builder should use all
|
|
||||||
available CPU cores in the system. Some builds may become
|
|
||||||
non-deterministic with this option; use with care! Packages will
|
|
||||||
only be affected if enableParallelBuilding is set for them.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
sandbox = mkOption {
|
|
||||||
type = types.either types.bool (types.enum [ "relaxed" ]);
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If set, Nix will perform builds in a sandboxed environment that it
|
|
||||||
will set up automatically for each build. This prevents impurities
|
|
||||||
in builds by disallowing access to dependencies outside of the Nix
|
|
||||||
store by using network and mount namespaces in a chroot environment.
|
|
||||||
|
|
||||||
This is enabled by default even though it has a possible performance
|
|
||||||
impact due to the initial setup time of a sandbox for each build. It
|
|
||||||
doesn't affect derivation hashes, so changing this option will not
|
|
||||||
trigger a rebuild of packages.
|
|
||||||
|
|
||||||
When set to "relaxed", this option permits derivations that set
|
|
||||||
`__noChroot = true;` to run outside of the sandboxed environment.
|
|
||||||
Exercise caution when using this mode of operation! It is intended to
|
|
||||||
be a quick hack when building with packages that are not easily setup
|
|
||||||
to be built reproducibly.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
extra-sandbox-paths = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "/dev" "/proc" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Directories from the host filesystem to be included
|
|
||||||
in the sandbox.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
substituters = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
List of binary cache URLs used to obtain pre-built binaries
|
|
||||||
of Nix packages.
|
|
||||||
|
|
||||||
By default https://cache.nixos.org/ is added.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
trusted-substituters = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "https://hydra.nixos.org/" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
List of binary cache URLs that non-root users can use (in
|
|
||||||
addition to those specified using
|
|
||||||
{option}`nix.settings.substituters`) by passing
|
|
||||||
`--option binary-caches` to Nix commands.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
require-sigs = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If enabled (the default), Nix will only download binaries from binary caches if
|
|
||||||
they are cryptographically signed with any of the keys listed in
|
|
||||||
{option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither
|
|
||||||
required nor checked, so it's strongly recommended that you use only
|
|
||||||
trustworthy caches and https to prevent man-in-the-middle attacks.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
trusted-public-keys = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
List of public keys used to sign binary caches. If
|
|
||||||
{option}`nix.settings.trusted-public-keys` is enabled,
|
|
||||||
then Nix will use a binary from a binary cache if and only
|
|
||||||
if it is signed by *any* of the keys
|
|
||||||
listed here. By default, only the key for
|
|
||||||
`cache.nixos.org` is included.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
trusted-users = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ "root" ];
|
|
||||||
example = [ "root" "alice" "@wheel" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
A list of names of users that have additional rights when
|
|
||||||
connecting to the Nix daemon, such as the ability to specify
|
|
||||||
additional binary caches, or to import unsigned NARs. You
|
|
||||||
can also specify groups by prefixing them with
|
|
||||||
`@`; for instance,
|
|
||||||
`@wheel` means all users in the wheel
|
|
||||||
group.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
system-features = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
example = [ "kvm" "big-parallel" "gccarch-skylake" ];
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
The set of features supported by the machine. Derivations
|
|
||||||
can express dependencies on system features through the
|
|
||||||
`requiredSystemFeatures` attribute.
|
|
||||||
|
|
||||||
By default, pseudo-features `nixos-test`, `benchmark`,
|
|
||||||
and `big-parallel` used in Nixpkgs are set, `kvm`
|
|
||||||
is also included if it is available.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
allowed-users = mkOption {
|
|
||||||
type = types.listOf types.str;
default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ];
description = lib.mdDoc ''
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
{option}`nix.settings.trusted-users`, you can specify groups by
prefixing them with `@`. Also, you can
allow all users by specifying `*`. The
default is `*`. Note that trusted users are
always allowed to connect.
'';
};
};
};
default = { };
example = literalExpression ''
{
use-sandbox = true;
show-trace = true;
system-features = [ "big-parallel" "kvm" "recursive-nix" ];
sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
}
'';
description = lib.mdDoc ''
Configuration for Nix, see
<https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or
{manpage}`nix.conf(5)` for available options.
The value declared here will be translated directly to the key-value pairs Nix expects.
You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings`
to view the current value. By default it is empty.
Nix configurations defined under {option}`nix.*` will be translated and applied to this
option. In addition, configuration specified in {option}`nix.extraOptions` will be appended
verbatim to the resulting config file.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages =
[
nixPackage
pkgs.nix-info
]
++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;
environment.etc."nix/nix.conf".source = nixConf;
environment.etc."nix/registry.json".text = builtins.toJSON {
version = 2;
flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry;
};
# List of machines for distributed Nix builds in the format
# expected by build-remote.pl.
environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) {
text =
concatMapStrings
(machine:
(concatStringsSep " " ([
"${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
(if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
(if machine.sshKey != null then machine.sshKey else "-")
(toString machine.maxJobs)
(toString machine.speedFactor)
(let res = (machine.supportedFeatures ++ machine.mandatoryFeatures);
in if (res == []) then "-" else (concatStringsSep "," res))
(let res = machine.mandatoryFeatures;
in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures))
]
++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-")))
+ "\n"
)
cfg.buildMachines;
};
assertions =
let badMachine = m: m.system == null && m.systems == [ ];
in
[
{
assertion = !(any badMachine cfg.buildMachines);
message = ''
At least one system type (via <varname>system</varname> or
<varname>systems</varname>) must be set for every build machine.
Invalid machine specifications:
'' + " " +
(concatStringsSep "\n "
(map (m: m.hostName)
(filter (badMachine) cfg.buildMachines)));
}
];
systemd.packages = [ nixPackage ];
# Will only work once https://github.com/NixOS/nix/pull/6285 is merged
# systemd.tmpfiles.packages = [ nixPackage ];
# Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285
systemd.tmpfiles.rules = [
"d /nix/var/nix/daemon-socket 0755 root root - -"
];
systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
systemd.services.nix-daemon =
{
path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
++ optionals cfg.distributedBuilds [ pkgs.gzip ];
environment = cfg.envVars
// { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
// config.networking.proxy.envVars;
unitConfig.RequiresMountsFor = "/nix/store";
serviceConfig =
{
CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
IOSchedulingClass = cfg.daemonIOSchedClass;
IOSchedulingPriority = cfg.daemonIOSchedPriority;
LimitNOFILE = 1048576;
};
restartTriggers = [ nixConf ];
# `stopIfChanged = false` changes to switch behavior
# from stop -> update units -> start
# to update units -> restart
#
# The `stopIfChanged` setting therefore controls a trade-off between a
# more predictable lifecycle, which runs the correct "version" of
# the `ExecStop` line, and on the other hand the availability of
# sockets during the switch, as the effectiveness of the stop operation
# depends on the socket being stopped as well.
#
# As `nix-daemon.service` does not make use of `ExecStop`, we prefer
# to keep the socket up and available. This is important for machines
# that run Nix-based services, such as automated build, test, and deploy
# services, that expect the daemon socket to be available at all times.
#
# Notably, the Nix client does not retry on failure to connect to the
# daemon socket, and the in-process RemoteStore instance will disable
# itself. This makes retries infeasible even for services that are
# aware of the issue. Failure to connect can affect not only new client
# processes, but also new RemoteStore instances in existing processes,
# as well as existing RemoteStore instances that have not saturated
# their connection pool.
#
# Also note that `stopIfChanged = true` does not kill existing
# connection handling daemons, as one might wish to happen before a
# breaking Nix upgrade (which is rare). The daemon forks that handle
# the individual connections split off into their own sessions, causing
# them not to be stopped by systemd.
# If a Nix upgrade does require all existing daemon processes to stop,
# nix-daemon must do so on its own accord, and only when the new version
# starts and detects that Nix's persistent state needs an upgrade.
stopIfChanged = false;
};
# Set up the environment variables for running Nix.
environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };
environment.extraInit =
''
if [ -e "$HOME/.nix-defexpr/channels" ]; then
export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}"
fi
'';
nix.nrBuildUsers = mkDefault (
if cfg.settings.auto-allocate-uids or false then 0
else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)
);
users.users = nixbldUsers;
services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers;
system.activationScripts.nix = stringAfter [ "etc" "users" ]
''
install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user
# Subscribe the root user to the NixOS channel by default.
if [ ! -e "/root/.nix-channels" ]; then
echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels"
fi
'';
# Legacy configuration conversion.
nix.settings = mkMerge [
{
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
substituters = mkAfter [ "https://cache.nixos.org/" ];
system-features = mkDefault (
[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
optionals (pkgs.stdenv.hostPlatform ? gcc.arch) (
# a builder can run code for `gcc.arch` and inferior architectures
[ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++
map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or [])
)
);
}
(mkIf (!cfg.distributedBuilds) { builders = null; })
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
];
};
}
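--- /dev/null
+++ b/nixos/modules/services/system/nix-daemon.nix
@@ -0,0 +1,261 @@
+/*
+Declares what makes the nix-daemon work on systemd.
+
+See also
+- nixos/modules/config/nix.nix: the nix.conf
+- nixos/modules/config/nix-remote-build.nix: the nix.conf
+*/
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.nix;
+
+nixPackage = cfg.package.out;
+
+isNixAtLeast = versionAtLeast (getVersion nixPackage);
+
+makeNixBuildUser = nr: {
+name = "nixbld${toString nr}";
+value = {
+description = "Nix build user ${toString nr}";
+
+/*
+For consistency with the setgid(2), setuid(2), and setgroups(2)
+calls in `libstore/build.cc', don't add any supplementary group
+here except "nixbld".
+*/
+uid = builtins.add config.ids.uids.nixbld nr;
+isSystemUser = true;
+group = "nixbld";
+extraGroups = [ "nixbld" ];
+};
+};
+
+nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
+
+in
+
+{
+imports = [
+(mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
+(mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; })
+(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
+];
+
+###### interface
+
+options = {
+
+nix = {
+
+enable = mkOption {
+type = types.bool;
+default = true;
+description = lib.mdDoc ''
+Whether to enable Nix.
+Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
+'';
+};
+
+package = mkOption {
+type = types.package;
+default = pkgs.nix;
+defaultText = literalExpression "pkgs.nix";
+description = lib.mdDoc ''
+This option specifies the Nix package instance to use throughout the system.
+'';
+};
+
+daemonCPUSchedPolicy = mkOption {
+type = types.enum [ "other" "batch" "idle" ];
+default = "other";
+example = "batch";
+description = lib.mdDoc ''
+Nix daemon process CPU scheduling policy. This policy propagates to
+build processes. `other` is the default scheduling
+policy for regular tasks. The `batch` policy is
+similar to `other`, but optimised for
+non-interactive tasks. `idle` is for extremely
+low-priority tasks that should only be run when no other task
+requires CPU time.
+
+Please note that while using the `idle` policy may
+greatly improve responsiveness of a system performing expensive
+builds, it may also slow down and potentially starve crucial
+configuration updates during load.
+
+`idle` may therefore be a sensible policy for
+systems that experience only intermittent phases of high CPU load,
+such as desktop or portable computers used interactively. Other
+systems should use the `other` or
+`batch` policy instead.
+
+For more fine-grained resource control, please refer to
+{manpage}`systemd.resource-control(5)` and adjust
+{option}`systemd.services.nix-daemon` directly.
+'';
+};
+
+daemonIOSchedClass = mkOption {
+type = types.enum [ "best-effort" "idle" ];
+default = "best-effort";
+example = "idle";
+description = lib.mdDoc ''
+Nix daemon process I/O scheduling class. This class propagates to
+build processes. `best-effort` is the default
+class for regular tasks. The `idle` class is for
+extremely low-priority tasks that should only perform I/O when no
+other task does.
+
+Please note that while using the `idle` scheduling
+class can improve responsiveness of a system performing expensive
+builds, it might also slow down or starve crucial configuration
+updates during load.
+
+`idle` may therefore be a sensible class for
+systems that experience only intermittent phases of high I/O load,
+such as desktop or portable computers used interactively. Other
+systems should use the `best-effort` class.
+'';
+};
+
+daemonIOSchedPriority = mkOption {
+type = types.int;
+default = 4;
+example = 1;
+description = lib.mdDoc ''
+Nix daemon process I/O scheduling priority. This priority propagates
+to build processes. The supported priorities depend on the
+scheduling policy: With idle, priorities are not used in scheduling
+decisions. best-effort supports values in the range 0 (high) to 7
+(low).
+'';
+};
+
+# Environment variables for running Nix.
+envVars = mkOption {
+type = types.attrs;
+internal = true;
+default = { };
+description = lib.mdDoc "Environment variables used by Nix.";
+};
+
+nrBuildUsers = mkOption {
+type = types.int;
+description = lib.mdDoc ''
+Number of `nixbld` user accounts created to
+perform secure concurrent builds. If you receive an error
+message saying that “all build users are currently in use”,
+you should increase this value.
+'';
+};
+};
+};
+
+
+###### implementation
+
+config = mkIf cfg.enable {
+environment.systemPackages =
+[
+nixPackage
+pkgs.nix-info
+]
+++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;
+
+systemd.packages = [ nixPackage ];
+
+# Will only work once https://github.com/NixOS/nix/pull/6285 is merged
+# systemd.tmpfiles.packages = [ nixPackage ];
+
+# Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285
+systemd.tmpfiles.rules = [
+"d /nix/var/nix/daemon-socket 0755 root root - -"
+];
+
+systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
+
+systemd.services.nix-daemon =
+{
+path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
+++ optionals cfg.distributedBuilds [ pkgs.gzip ];
+
+environment = cfg.envVars
+// { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
+// config.networking.proxy.envVars;
+
+unitConfig.RequiresMountsFor = "/nix/store";
+
+serviceConfig =
+{
+CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
+IOSchedulingClass = cfg.daemonIOSchedClass;
+IOSchedulingPriority = cfg.daemonIOSchedPriority;
+LimitNOFILE = 1048576;
+};
+
+restartTriggers = [ config.environment.etc."nix/nix.conf".source ];
+
+# `stopIfChanged = false` changes to switch behavior
+# from stop -> update units -> start
+# to update units -> restart
+#
+# The `stopIfChanged` setting therefore controls a trade-off between a
+# more predictable lifecycle, which runs the correct "version" of
+# the `ExecStop` line, and on the other hand the availability of
+# sockets during the switch, as the effectiveness of the stop operation
+# depends on the socket being stopped as well.
+#
+# As `nix-daemon.service` does not make use of `ExecStop`, we prefer
+# to keep the socket up and available. This is important for machines
+# that run Nix-based services, such as automated build, test, and deploy
+# services, that expect the daemon socket to be available at all times.
+#
+# Notably, the Nix client does not retry on failure to connect to the
+# daemon socket, and the in-process RemoteStore instance will disable
+# itself. This makes retries infeasible even for services that are
+# aware of the issue. Failure to connect can affect not only new client
+# processes, but also new RemoteStore instances in existing processes,
+# as well as existing RemoteStore instances that have not saturated
+# their connection pool.
+#
+# Also note that `stopIfChanged = true` does not kill existing
+# connection handling daemons, as one might wish to happen before a
+# breaking Nix upgrade (which is rare). The daemon forks that handle
+# the individual connections split off into their own sessions, causing
+# them not to be stopped by systemd.
+# If a Nix upgrade does require all existing daemon processes to stop,
+# nix-daemon must do so on its own accord, and only when the new version
+# starts and detects that Nix's persistent state needs an upgrade.
+stopIfChanged = false;
+
+};
+
+# Set up the environment variables for running Nix.
+environment.sessionVariables = cfg.envVars;
+
+nix.nrBuildUsers = mkDefault (
+if cfg.settings.auto-allocate-uids or false then 0
+else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)
+);
+
+users.users = nixbldUsers;
+
+services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers;
+
+system.activationScripts.nix = stringAfter [ "etc" "users" ]
+''
+install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user
+'';
+
+# Legacy configuration conversion.
+nix.settings = mkMerge [
+(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
+];
+
+};
+
+}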
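Review bot: The header comment's `See also` list gives `nixos/modules/config/nix-remote-build.nix` the same description as `nix.nix` (`the nix.conf`), which reads like a copy-paste slip; judging by the `distributedBuilds`/`buildMachines` options visible in the section above, `- nixos/modules/config/nix-remote-build.nix: distributed builds and build machines` is presumably what was meant. The `config` block also reads `cfg.distributedBuilds` (in `systemd.services.nix-daemon.path`) and `cfg.settings.auto-allocate-uids`/`cfg.settings.max-jobs` (in the `nix.nrBuildUsers` default) without declaring either option, so this module evidently only evaluates together with those sibling modules. A one-line comment at `path`, e.g. `# cfg.distributedBuilds and cfg.settings are declared in the config/nix*.nix modules`, would make that dependency explicit for the next reader.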
@ -166,6 +166,16 @@ let
|
|||||||
# Create a directory for exchanging data with the VM.
|
# Create a directory for exchanging data with the VM.
|
||||||
mkdir -p "$TMPDIR/xchg"
|
mkdir -p "$TMPDIR/xchg"
|
||||||
|
|
||||||
|
${lib.optionalString cfg.useHostCerts
|
||||||
|
''
|
||||||
|
mkdir -p "$TMPDIR/certs"
|
||||||
|
if [ -e "$NIX_SSL_CERT_FILE" ]; then
|
||||||
|
cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
|
||||||
|
else
|
||||||
|
echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
|
||||||
|
fi
|
||||||
|
''}
|
||||||
|
|
||||||
${lib.optionalString cfg.useEFIBoot
|
${lib.optionalString cfg.useEFIBoot
|
||||||
''
|
''
|
||||||
# Expose EFI variables, it's useful even when we are not using a bootloader (!).
|
# Expose EFI variables, it's useful even when we are not using a bootloader (!).
|
||||||
@ -877,7 +887,6 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
virtualisation.bios =
|
virtualisation.bios =
|
||||||
mkOption {
|
mkOption {
|
||||||
type = types.nullOr types.package;
|
type = types.nullOr types.package;
|
||||||
@ -890,6 +899,17 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtualisation.useHostCerts =
|
||||||
|
mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description =
|
||||||
|
lib.mdDoc ''
|
||||||
|
If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
|
||||||
|
pass the CA certificates from the host to the VM.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
@ -1024,8 +1044,14 @@ in
|
|||||||
source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
|
source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
|
||||||
target = "/tmp/shared";
|
target = "/tmp/shared";
|
||||||
};
|
};
|
||||||
|
certs = mkIf cfg.useHostCerts {
|
||||||
|
source = ''"$TMPDIR"/certs'';
|
||||||
|
target = "/etc/ssl/certs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.pki.installCACerts = mkIf cfg.useHostCerts false;
|
||||||
|
|
||||||
virtualisation.qemu.networkingOptions =
|
virtualisation.qemu.networkingOptions =
|
||||||
let
|
let
|
||||||
forwardingOptions = flip concatMapStrings cfg.forwardPorts
|
forwardingOptions = flip concatMapStrings cfg.forwardPorts
|
||||||
|
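Review bot: In the `useHostCerts` block of the start script, a missing or unset `NIX_SSL_CERT_FILE` only triggers an `echo` to stdout and the script carries on, yet the `certs` entry still mounts the now-empty `$TMPDIR/certs` over `/etc/ssl/certs` and `security.pki.installCACerts` is forced to `false`, so as far as these hunks show the guest boots with no trust anchors and every TLS connection fails with a certificate error far from the real cause. Fail fast instead: `echo "NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled" >&2` followed by `exit 1`. The option description could also spell out the trust consequence, e.g. `This replaces the VM's own CA bundle; security.pki.installCACerts is disabled when set.` The enclosing start script and `config` attrset begin outside these hunks.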
@ -3,7 +3,7 @@
|
|||||||
, kguiaddons, ki18n, kitemmodels, kitemviews, kwindowsystem
|
, kguiaddons, ki18n, kitemmodels, kitemviews, kwindowsystem
|
||||||
, kio, kcrash, breeze-icons
|
, kio, kcrash, breeze-icons
|
||||||
, boost, libraw, fftw, eigen, exiv2, libheif, lcms2, gsl, openexr, giflib, libjxl
|
, boost, libraw, fftw, eigen, exiv2, libheif, lcms2, gsl, openexr, giflib, libjxl
|
||||||
, openjpeg, opencolorio_1, xsimd, poppler, curl, ilmbase, libmypaint, libwebp
|
, openjpeg, opencolorio, xsimd, poppler, curl, ilmbase, libmypaint, libwebp
|
||||||
, qtmultimedia, qtx11extras, quazip
|
, qtmultimedia, qtx11extras, quazip
|
||||||
, python3Packages
|
, python3Packages
|
||||||
, version
|
, version
|
||||||
@ -27,7 +27,7 @@ mkDerivation rec {
|
|||||||
karchive kconfig kwidgetsaddons kcompletion kcoreaddons kguiaddons
|
karchive kconfig kwidgetsaddons kcompletion kcoreaddons kguiaddons
|
||||||
ki18n kitemmodels kitemviews kwindowsystem kio kcrash breeze-icons
|
ki18n kitemmodels kitemviews kwindowsystem kio kcrash breeze-icons
|
||||||
boost libraw fftw eigen exiv2 lcms2 gsl openexr libheif giflib libjxl
|
boost libraw fftw eigen exiv2 lcms2 gsl openexr libheif giflib libjxl
|
||||||
openjpeg opencolorio_1 poppler curl ilmbase libmypaint libwebp
|
openjpeg opencolorio poppler curl ilmbase libmypaint libwebp
|
||||||
qtmultimedia qtx11extras quazip
|
qtmultimedia qtx11extras quazip
|
||||||
python3Packages.pyqt5
|
python3Packages.pyqt5
|
||||||
xsimd
|
xsimd
|
||||||
|
@ -8,7 +8,10 @@
|
|||||||
, nix-update-script
|
, nix-update-script
|
||||||
}:
|
}:
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation (finalAttrs: let
|
||||||
|
inherit (finalAttrs) pname version src appimageContents;
|
||||||
|
|
||||||
|
in {
|
||||||
pname = "logseq";
|
pname = "logseq";
|
||||||
version = "0.9.10";
|
version = "0.9.10";
|
||||||
|
|
||||||
@ -69,4 +72,4 @@ stdenv.mkDerivation rec {
|
|||||||
maintainers = with maintainers; [ ];
|
maintainers = with maintainers; [ ];
|
||||||
platforms = [ "x86_64-linux" ];
|
platforms = [ "x86_64-linux" ];
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
buildKodiAddon rec {
|
buildKodiAddon rec {
|
||||||
pname = "requests";
|
pname = "requests";
|
||||||
namespace = "script.module.requests";
|
namespace = "script.module.requests";
|
||||||
version = "2.27.1+matrix.1";
|
version = "2.31.0";
|
||||||
|
|
||||||
src = fetchzip {
|
src = fetchzip {
|
||||||
url = "https://mirrors.kodi.tv/addons/nexus/${namespace}/${namespace}-${version}.zip";
|
url = "https://mirrors.kodi.tv/addons/nexus/${namespace}/${namespace}-${version}.zip";
|
||||||
sha256 = "sha256-QxxVT6XaEYQtAFkZde8EaTXzGO7cjG2pApQZcA32xA0=";
|
sha256 = "sha256-05BSD5aoN2CTnjqaSKYMb93j5nIfLvpJHyeQsK++sTw=";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -51,13 +51,13 @@
|
|||||||
|
|
||||||
stdenv.mkDerivation (finalAttrs: {
|
stdenv.mkDerivation (finalAttrs: {
|
||||||
pname = "mutter";
|
pname = "mutter";
|
||||||
version = "43.6";
|
version = "43.7";
|
||||||
|
|
||||||
outputs = [ "out" "dev" "man" "devdoc" ];
|
outputs = [ "out" "dev" "man" "devdoc" ];
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "mirror://gnome/sources/mutter/${lib.versions.major finalAttrs.version}/mutter-${finalAttrs.version}.tar.xz";
|
url = "mirror://gnome/sources/mutter/${lib.versions.major finalAttrs.version}/mutter-${finalAttrs.version}.tar.xz";
|
||||||
sha256 = "F1oiDSFv8Z8YLWeqc89eUaJVIL6bruaCAA4QRECkciU=";
|
sha256 = "NBrLmwNUyytflewz32aZtKAHaNydIi1rYAtW4kKGlmc=";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = [
|
patches = [
|
||||||
|
@ -26,13 +26,13 @@
|
|||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "gala";
|
pname = "gala";
|
||||||
version = "7.1.0";
|
version = "7.1.1";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "elementary";
|
owner = "elementary";
|
||||||
repo = pname;
|
repo = pname;
|
||||||
rev = version;
|
rev = version;
|
||||||
sha256 = "sha256-x0EIah/iTluJk7P3k0g23cQldx++W58FbjnHNlF31AQ=";
|
sha256 = "sha256-s63znprGrMvitefAKlbL3r1s0kbo7NA9bhrNH8w0h2o=";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = [
|
patches = [
|
||||||
|
@ -15,14 +15,14 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "google-cloud-datastore";
|
pname = "google-cloud-datastore";
|
||||||
version = "2.16.0";
|
version = "2.16.1";
|
||||||
format = "setuptools";
|
format = "setuptools";
|
||||||
|
|
||||||
disabled = pythonOlder "3.7";
|
disabled = pythonOlder "3.7";
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
hash = "sha256-70n9jgOvR5OYWBPKSR50E1ST/60uGzlbsiYXCkJNo18=";
|
hash = "sha256-cQ7yfr37UDQPRnHFMq1MFSVmWYXpQhmE/81rlrV+NLs=";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -13,14 +13,14 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "google-cloud-videointelligence";
|
pname = "google-cloud-videointelligence";
|
||||||
version = "2.11.2";
|
version = "2.11.3";
|
||||||
format = "setuptools";
|
format = "setuptools";
|
||||||
|
|
||||||
disabled = pythonOlder "3.7";
|
disabled = pythonOlder "3.7";
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
hash = "sha256-WlBpQ234J1rCA1jpPPCxUa+k6+DAKivZV6kLknnUArw=";
|
hash = "sha256-qWpj8ATCcGj0WyJ6ZidfimqMPs0Gu1gfkvppiX1bF5c=";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -6,11 +6,11 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "hg-evolve";
|
pname = "hg-evolve";
|
||||||
version = "11.0.1";
|
version = "11.0.2";
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
hash = "sha256-gupC35pLQOJgSmXiBp+KxqWuMX3iKSX9xDUtEaB/wFQ=";
|
hash = "sha256-qDURFcDm7zvDEv1Z+aoXtFfbilul6q6KlkjBvhkeYkM=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeCheckInputs = [
|
nativeCheckInputs = [
|
||||||
|
@ -8,14 +8,14 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "mypy-boto3-s3";
|
pname = "mypy-boto3-s3";
|
||||||
version = "1.26.163";
|
version = "1.28.0";
|
||||||
format = "setuptools";
|
format = "setuptools";
|
||||||
|
|
||||||
disabled = pythonOlder "3.7";
|
disabled = pythonOlder "3.7";
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
hash = "sha256-R9NjnNCXqhQtyspDtDH6en7vtW4Vluv/Yl9XHxa9diM=";
|
hash = "sha256-J4Z8oyWoRXAKAI8/yplQBrMvLg0Yr+Z2NStJRT9HfWk=";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "pytools";
|
pname = "pytools";
|
||||||
version = "2022.1.14";
|
version = "2023.1";
|
||||||
disabled = pythonOlder "3.6";
|
disabled = pythonOlder "3.6";
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
hash = "sha256-QQFzcWELsqA2hVl8UoUgXmWXx/F3OD2VyLhxJEsSwU4=";
|
hash = "sha256-8Q5CUiCu+h/5JTQrZY/wLcM1l8IfuI16Y/lEG/LnpQ4=";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -6,11 +6,11 @@ else
|
|||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "dune";
|
pname = "dune";
|
||||||
version = "3.9.0";
|
version = "3.9.1";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://github.com/ocaml/dune/releases/download/${version}/dune-${version}.tbz";
|
url = "https://github.com/ocaml/dune/releases/download/${version}/dune-${version}.tbz";
|
||||||
hash = "sha256-xIJaneRUrt9FDC2yWsNTAz4x0yap0bS3os1yYGOb1UQ=";
|
hash = "sha256-8MPOSfNsczuK7nJhHxB88G3mvEI75yYqqxuz8DwFqHg=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeBuildInputs = [ ocaml findlib ];
|
nativeBuildInputs = [ ocaml findlib ];
|
||||||
|
@ -26,13 +26,13 @@ let
|
|||||||
stdenv.mkDerivation (rec {
|
stdenv.mkDerivation (rec {
|
||||||
|
|
||||||
pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
|
pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
|
||||||
version = "2.8";
|
version = "2.9.0";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "ARM-software";
|
owner = "ARM-software";
|
||||||
repo = "arm-trusted-firmware";
|
repo = "arm-trusted-firmware";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
hash = "sha256-WDJMMIWZHNqxxAKeHiZDxtPjfsfQAWsbYv+0o0PiJQs=";
|
hash = "sha256-F7RNYNLh0ORzl5PmzRX9wGK8dZgUQVLKQg1M9oNd0pk=";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = lib.optionals deleteHDCPBlobBeforeBuild [
|
patches = lib.optionals deleteHDCPBlobBeforeBuild [
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
stdenvNoCC.mkDerivation rec {
|
stdenvNoCC.mkDerivation rec {
|
||||||
pname = "mediawiki";
|
pname = "mediawiki";
|
||||||
version = "1.39.3";
|
version = "1.40.0";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://releases.wikimedia.org/mediawiki/${lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
|
url = "https://releases.wikimedia.org/mediawiki/${lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
|
||||||
hash = "sha256-41dpNDh2r0JJbaQ64vRyJPuMd5uPRXBcQUfG/zUizB0=";
|
hash = "sha256-6cSHdxhpjwgtgJbYqdFs2a6yHuGYKj2LRgOvfP0VitQ=";
|
||||||
};
|
};
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
|
@ -18,14 +18,14 @@ let
|
|||||||
in
|
in
|
||||||
with py.pkgs; buildPythonApplication rec {
|
with py.pkgs; buildPythonApplication rec {
|
||||||
pname = "awscli2";
|
pname = "awscli2";
|
||||||
version = "2.12.6"; # N.B: if you change this, check if overrides are still up-to-date
|
version = "2.12.7"; # N.B: if you change this, check if overrides are still up-to-date
|
||||||
format = "pyproject";
|
format = "pyproject";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "aws";
|
owner = "aws";
|
||||||
repo = "aws-cli";
|
repo = "aws-cli";
|
||||||
rev = version;
|
rev = version;
|
||||||
hash = "sha256-pvgIXQzL3v4a9Nw+qyXTdVwJxIk2qWw5nVsxu7gGwEg=";
|
hash = "sha256-XVJ+qiM+iQZjFJNgybb2AzvYJTKlWOLR+4Pm03QrpGo=";
|
||||||
};
|
};
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
, generateSplicesForMkScope, makeScopeWithSplicing
|
, generateSplicesForMkScope, makeScopeWithSplicing
|
||||||
, stdenv
|
, stdenv
|
||||||
, preLibcCrossHeaders
|
, preLibcCrossHeaders
|
||||||
|
, config
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
@ -229,7 +230,7 @@ impure-cmds // appleSourcePackages // chooseLibs // {
|
|||||||
discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };
|
discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };
|
||||||
|
|
||||||
# See doc/builders/special/darwin-builder.section.md
|
# See doc/builders/special/darwin-builder.section.md
|
||||||
builder =
|
linux-builder = lib.makeOverridable ({ modules }:
|
||||||
let
|
let
|
||||||
toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ];
|
toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ];
|
||||||
|
|
||||||
@ -237,7 +238,7 @@ impure-cmds // appleSourcePackages // chooseLibs // {
|
|||||||
configuration = {
|
configuration = {
|
||||||
imports = [
|
imports = [
|
||||||
../../nixos/modules/profiles/macos-builder.nix
|
../../nixos/modules/profiles/macos-builder.nix
|
||||||
];
|
] ++ modules;
|
||||||
|
|
||||||
virtualisation.host = { inherit pkgs; };
|
virtualisation.host = { inherit pkgs; };
|
||||||
};
|
};
|
||||||
@ -246,5 +247,8 @@ impure-cmds // appleSourcePackages // chooseLibs // {
|
|||||||
};
|
};
|
||||||
|
|
||||||
in
|
in
|
||||||
nixos.config.system.build.macos-builder-installer;
|
nixos.config.system.build.macos-builder-installer) { modules = [ ]; };
|
||||||
|
|
||||||
|
} // lib.optionalAttrs config.allowAliases {
|
||||||
|
builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06
|
||||||
})
|
})
|
||||||
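Review bot: The new `modules` argument introduced on `linux-builder` in the earlier hunk of this file has no comment describing what it accepts or how callers set it; the existing `# See doc/builders/special/darwin-builder.section.md` line predates it. Since `] ++ modules;` splices every entry straight into the builder VM's `imports`, I'd add above `linux-builder = lib.makeOverridable ({ modules }:` the comment `# modules: extra NixOS modules appended to the builder VM's imports; set via .override { modules = [ ... ]; } (default: none, i.e. the fixed configuration as before).` The throw alias under `config.allowAliases` in this hunk reads well and already names the port change. The `linux-builder` definition starts outside this hunk.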
|
@ -203,7 +203,20 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
# This is a set of PHP extensions meant to be used in php.buildEnv
|
# This is a set of PHP extensions meant to be used in php.buildEnv
|
||||||
# or php.withExtensions to extend the functionality of the PHP
|
# or php.withExtensions to extend the functionality of the PHP
|
||||||
# interpreter.
|
# interpreter.
|
||||||
extensions = {
|
# The extensions attributes is composed of three sections:
|
||||||
|
# 1. The contrib conditional extensions, which are only available on specific versions or system
|
||||||
|
# 2. The contrib extensions available
|
||||||
|
# 3. The core extensions
|
||||||
|
extensions =
|
||||||
|
# Contrib conditional extensions
|
||||||
|
lib.optionalAttrs (!(lib.versionAtLeast php.version "8.3")) {
|
||||||
|
blackfire = callPackage ../development/tools/misc/blackfire/php-probe.nix { inherit php; };
|
||||||
|
} // lib.optionalAttrs (!stdenv.isDarwin) {
|
||||||
|
# Only available on Linux: https://www.php.net/manual/en/inotify.requirements.php
|
||||||
|
inotify = callPackage ../development/php-packages/inotify { };
|
||||||
|
} //
|
||||||
|
# Contrib extensions
|
||||||
|
{
|
||||||
amqp = callPackage ../development/php-packages/amqp { };
|
amqp = callPackage ../development/php-packages/amqp { };
|
||||||
|
|
||||||
apcu = callPackage ../development/php-packages/apcu { };
|
apcu = callPackage ../development/php-packages/apcu { };
|
||||||
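Review bot: Moving the conditional sets to the front of the `//` chain flips their precedence: `//` takes the right operand on a name collision, so `blackfire` and `inotify` now sit under both the contrib set and the core set, whereas before this change the `blackfire` set was the right-most operand and would have won. No colliding name is visible in this hunk, so this is probably harmless today, but the three-part comment above `extensions =` does not say which section wins. I'd extend that comment with `# Later sections take precedence over earlier ones on a name collision (// is right-biased).`, or keep the conditional sets as the right-most operands if they are meant to override. The `extensions` expression continues past this hunk into the later hunks of this file (the `inotify` removal and the `);` closing).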
@ -226,8 +239,6 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
|
|
||||||
imagick = callPackage ../development/php-packages/imagick { };
|
imagick = callPackage ../development/php-packages/imagick { };
|
||||||
|
|
||||||
inotify = callPackage ../development/php-packages/inotify { };
|
|
||||||
|
|
||||||
mailparse = callPackage ../development/php-packages/mailparse { };
|
mailparse = callPackage ../development/php-packages/mailparse { };
|
||||||
|
|
||||||
maxminddb = callPackage ../development/php-packages/maxminddb { };
|
maxminddb = callPackage ../development/php-packages/maxminddb { };
|
||||||
@ -292,6 +303,7 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
|
|
||||||
yaml = callPackage ../development/php-packages/yaml { };
|
yaml = callPackage ../development/php-packages/yaml { };
|
||||||
} // (
|
} // (
|
||||||
|
# Core extensions
|
||||||
let
|
let
|
||||||
# This list contains build instructions for different modules that one may
|
# This list contains build instructions for different modules that one may
|
||||||
# want to build.
|
# want to build.
|
||||||
@ -637,7 +649,5 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
# Produce the final attribute set of all extensions defined.
|
# Produce the final attribute set of all extensions defined.
|
||||||
in
|
in
|
||||||
builtins.listToAttrs namedExtensions
|
builtins.listToAttrs namedExtensions
|
||||||
) // lib.optionalAttrs (!(lib.versionAtLeast php.version "8.3")) {
|
);
|
||||||
blackfire = callPackage ../development/tools/misc/blackfire/php-probe.nix { inherit php; };
|
|
||||||
};
|
|
||||||
})
|
})
|
||||||