Diffstat (limited to 'nixos')
24 files changed, 471 insertions, 338 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9f5279732fe..8d8d70440e8 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -533,6 +533,29 @@ </listitem> <listitem> <para> + The configuration portion of the <literal>nix-daemon</literal> + module has been reworked and exposed as + <link xlink:href="options.html#opt-nix-settings">nix.settings</link>: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Legacy options have been mapped to the corresponding + options under under + <link xlink:href="options.html#opt-nix.settings">nix.settings</link> + but may be deprecated in the future. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-nix.buildMachines.publicHostKey">nix.buildMachines.publicHostKey</link> + has been added. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> The <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal> and corresponding diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index 6c7fc57f8d8..ab2a5d83a08 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -453,7 +453,7 @@ Allow ad-hoc remote builders for building the new system. This requires the user executing <command>nixos-rebuild</command> (usually root) to be configured as a trusted user in the Nix daemon. This can be achieved by - using the <literal>nix.trustedUsers</literal> NixOS option. Examples + using the <literal>nix.settings.trusted-users</literal> NixOS option. Examples values for that option are described in the <literal>Remote builds chapter</literal> in the Nix manual, (i.e. <command>--builders "ssh://bigbrother x86_64-linux"</command>). By specifying an empty string 
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 629672259b2..61305fe70d6 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -183,6 +183,10 @@ In addition to numerous new and upgraded packages, this release has the followin Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added. +- The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings): + * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) but may be deprecated in the future. + * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added. + - The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. - The `influxdb2` package was split into `influxdb2-server` and diff --git a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix index 855bd3bab71..d283742701d 100644 --- a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix +++ b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix @@ -17,7 +17,7 @@ in description = "Azure NixOS Test User"; openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ]; }; - nix.trustedUsers = [ username ]; + nix.settings.trusted-users = [ username ]; virtualisation.azureImage.diskSize = 2500; diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index 2768e17590b..27a7651382b 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix 
@@ -25,7 +25,7 @@ with lib; installer.cloneConfigExtra = '' # Let demo build as a trusted user. - # nix.trustedUsers = [ "demo" ]; + # nix.settings.trusted-users = [ "demo" ]; # Mount a VirtualBox shared folder. # This is configurable in the VirtualBox menu at diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 3f8f78f012a..856ee480fc0 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -17,7 +17,7 @@ with lib; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; - nix.allowedUsers = mkDefault [ "@users" ]; + nix.settings.allowed-users = mkDefault [ "@users" ]; environment.memoryAllocator.provider = mkDefault "scudo"; environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index e7abc1e0d59..c20e067b8cc 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -123,8 +123,8 @@ with lib; boot.kernel.sysctl."user.max_user_namespaces" = 0; assertions = [ - { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; - message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; + { assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces; + message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`."; } ]; }) diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index d4b8541c6a1..dc58c634523 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix 
@@ -147,7 +147,7 @@ in concurrent = mkOption { type = types.int; default = 1; - example = literalExpression "config.nix.maxJobs"; + example = literalExpression "config.nix.settings.max-jobs"; description = '' Limits how many jobs globally can be run concurrently. The most upper limit of jobs using all defined runners. diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix index 968bc8f1e54..ef1933e1228 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix @@ -67,7 +67,7 @@ in # Trusted user allows simplified configuration and better performance # when operating in a cluster. - nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; + nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; services.hercules-ci-agent = { settings = { nixUserIsTrusted = true; diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index ccb7cc21734..cc5de97d6d1 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -258,8 +258,6 @@ in uid = config.ids.uids.hydra-www; }; - nix.trustedUsers = [ "hydra-queue-runner" ]; - services.hydra.extraConfig = '' using_frontend_proxy = 1 
@@ -277,16 +275,21 @@ in environment.variables = hydraEnv; - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - - - '' + optionalString (versionOlder (getVersion config.nix.package.out) "2.4pre") '' - # The default (`true') slows Nix down a lot since the build farm - # has so many GC roots. - gc-check-reachability = false - ''; + nix.settings = mkMerge [ + { + keep-outputs = true; + keep-derivations = true; + trusted-users = [ "hydra-queue-runner" ]; + } + + (mkIf (versionOlder (getVersion config.nix.package.out) "2.4pre") + { + # The default (`true') slows Nix down a lot since the build farm + # has so many GC roots. + gc-check-reachability = false; + } + ) + ]; systemd.services.hydra-init = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 869feb05eb7..10f9a4afb36 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -6,20 +6,20 @@ let cfg = config.nix; - nix = cfg.package.out; + nixPackage = cfg.package.out; - nixVersion = getVersion nix; - - isNix23 = versionAtLeast nixVersion "2.3pre"; + isNixAtLeast = versionAtLeast (getVersion nixPackage); makeNixBuildUser = nr: { - name = "nixbld${toString nr}"; + name = "nixbld${toString nr}"; value = { description = "Nix build user ${toString nr}"; - /* For consistency with the setgid(2), setuid(2), and setgroups(2) - calls in `libstore/build.cc', don't add any supplementary group - here except "nixbld". */ + /* + For consistency with the setgid(2), setuid(2), and setgroups(2) + calls in `libstore/build.cc', don't add any supplementary group + here except "nixbld". + */ uid = builtins.add config.ids.uids.nixbld nr; isSystemUser = true; group = "nixbld"; 
@@ -30,43 +30,82 @@ let nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); nixConf = - assert versionAtLeast nixVersion "2.2"; - pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ( - '' - cat > $out <<END + assert isNixAtLeast "2.2"; + let + + mkValueString = v: + if v == null then "" + else if isInt v then toString v + else if isBool v then boolToString v + else if isFloat v then floatToString v + else if isList v then toString v + else if isDerivation v then toString v + else if builtins.isPath v then toString v + else if isString v then v + else if isCoercibleToString v then toString v + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; + + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; + + mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + + in + pkgs.writeTextFile { + name = "nix.conf"; + text = '' # WARNING: this file is generated from the nix.* options in # your NixOS configuration, typically # /etc/nixos/configuration.nix. Do not edit it! 
- build-users-group = nixbld - max-jobs = ${toString (cfg.maxJobs)} - cores = ${toString (cfg.buildCores)} - sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} - extra-sandbox-paths = ${toString cfg.sandboxPaths} - substituters = ${toString cfg.binaryCaches} - trusted-substituters = ${toString cfg.trustedBinaryCaches} - trusted-public-keys = ${toString cfg.binaryCachePublicKeys} - auto-optimise-store = ${boolToString cfg.autoOptimiseStore} - require-sigs = ${boolToString cfg.requireSignedBinaryCaches} - trusted-users = ${toString cfg.trustedUsers} - allowed-users = ${toString cfg.allowedUsers} - ${optionalString (!cfg.distributedBuilds) '' - builders = - ''} - system-features = ${toString cfg.systemFeatures} - ${optionalString isNix23 '' - sandbox-fallback = false - ''} - $extraOptions - END - '' + optionalString cfg.checkConfig ( - if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' - echo "Ignore nix.checkConfig when cross-compiling" - '' else '' - echo "Checking that Nix can read nix.conf..." - ln -s $out ./nix.conf - NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null - '') - ); + ${mkKeyValuePairs cfg.settings} + ${cfg.extraOptions} + ''; + checkPhase = + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' + echo "Ignoring validation for cross-compilation" + '' + else '' + echo "Validating generated nix.conf" + ln -s $out ./nix.conf + set -e + set +o pipefail + NIX_CONF_DIR=$PWD \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net --option experimental-features nix-command"} \ + |& sed -e 's/^warning:/error:/' \ + | (! 
grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') + set -o pipefail + ''; + }; + + legacyConfMappings = { + useSandbox = "sandbox"; + buildCores = "cores"; + maxJobs = "max-jobs"; + sandboxPaths = "extra-sandbox-paths"; + binaryCaches = "substituters"; + trustedBinaryCaches = "trusted-substituters"; + binaryCachePublicKeys = "trusted-public-keys"; + autoOptimiseStore = "auto-optimise-store"; + requireSignedBinaryCaches = "require-sigs"; + trustedUsers = "trusted-users"; + allowedUsers = "allowed-users"; + systemFeatures = "system-feature"; + }; + + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); in @@ -76,7 +115,7 @@ in (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) (mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ]) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") - ]; + ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface 
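Review bot: `legacyConfMappings` maps `systemFeatures` to `"system-feature"`, but the option declared in the `settings` submodule (and the key Nix reads) is `system-features`, so `mkRenamedOptionModule` will route any `nix.systemFeatures` value to a freeform key that Nix does not recognise; with the `sed 's/^warning:/error:/'` rewrite in `checkPhase` that unknown-setting warning most likely fails the `nix.conf` build, and without `checkConfig` the machine's feature set would be silently lost. The fix is the one line `systemFeatures = "system-features";`. Separately, `mkValueString` passes strings through unchanged, so a string containing a newline would become an additional `key = value` line in the generated file; the settings come from the trusted system configuration, so this is robustness rather than exposure, but rejecting `"\n"` in string atoms (or documenting that `checkConfig` is the only guard) would make the encoder's contract explicit. `isList v then toString v` also renders boolean list elements as `1`/empty rather than `true`/`false`, unlike the scalar `isBool` branch.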
@@ -102,81 +141,6 @@ in ''; }; - maxJobs = mkOption { - type = types.either types.int (types.enum ["auto"]); - default = "auto"; - example = 64; - description = '' - This option defines the maximum number of jobs that Nix will try to - build in parallel. The default is auto, which means it will use all - available logical cores. It is recommend to set it to the total - number of logical cores in your system (e.g., 16 for two CPUs with 4 - cores each and hyper-threading). - ''; - }; - - autoOptimiseStore = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - If set to true, Nix automatically detects files in the store that have - identical contents, and replaces them with hard links to a single copy. - This saves disk space. If set to false (the default), you can still run - nix-store --optimise to get rid of duplicate files. - ''; - }; - - buildCores = mkOption { - type = types.int; - default = 0; - example = 64; - description = '' - This option defines the maximum number of concurrent tasks during - one build. It affects, e.g., -j option for make. - The special value 0 means that the builder should use all - available CPU cores in the system. Some builds may become - non-deterministic with this option; use with care! Packages will - only be affected if enableParallelBuilding is set for them. - ''; - }; - - useSandbox = mkOption { - type = types.either types.bool (types.enum ["relaxed"]); - default = true; - description = " - If set, Nix will perform builds in a sandboxed environment that it - will set up automatically for each build. This prevents impurities - in builds by disallowing access to dependencies outside of the Nix - store by using network and mount namespaces in a chroot environment. - This is enabled by default even though it has a possible performance - impact due to the initial setup time of a sandbox for each build. 
It - doesn't affect derivation hashes, so changing this option will not - trigger a rebuild of packages. - "; - }; - - sandboxPaths = mkOption { - type = types.listOf types.str; - default = []; - example = [ "/dev" "/proc" ]; - description = - '' - Directories from the host filesystem to be included - in the sandbox. - ''; - }; - - extraOptions = mkOption { - type = types.lines; - default = ""; - example = '' - keep-outputs = true - keep-derivations = true - ''; - description = "Additional text appended to <filename>nix.conf</filename>."; - }; - distributedBuilds = mkOption { type = types.bool; default = false; @@ -187,7 +151,7 @@ in }; daemonCPUSchedPolicy = mkOption { - type = types.enum ["other" "batch" "idle"]; + type = types.enum [ "other" "batch" "idle" ]; default = "other"; example = "batch"; description = '' @@ -218,7 +182,7 @@ in }; daemonIOSchedClass = mkOption { - type = types.enum ["best-effort" "idle"]; + type = types.enum [ "best-effort" "idle" ]; default = "best-effort"; example = "idle"; description = '' @@ -250,11 +214,11 @@ in scheduling policy: With idle, priorities are not used in scheduling decisions. best-effort supports values in the range 0 (high) to 7 (low). - ''; + ''; }; buildMachines = mkOption { - type = types.listOf (types.submodule ({ + type = types.listOf (types.submodule { options = { hostName = mkOption { type = types.str; @@ -276,7 +240,7 @@ in }; systems = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "x86_64-linux" "aarch64-linux" ]; description = '' The system types the build machine can execute derivations on. @@ -293,7 +257,7 @@ in The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in - <option>nix.trustedUsers</option>. + <option>nix.settings.trusted-users</option>. ''; }; sshKey = mkOption { 
@@ -331,7 +295,7 @@ in }; mandatoryFeatures = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "big-parallel" ]; description = '' A list of features mandatory for this builder. The builder will @@ -342,7 +306,7 @@ in }; supportedFeatures = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "kvm" "big-parallel" ]; description = '' A list of features supported by this builder. The builder will @@ -350,9 +314,18 @@ in list. ''; }; + publicHostKey = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The (base64-encoded) public host key of this builder. The field + is calculated via <command>base64 -w0 /etc/ssh/ssh_host_type_key.pub</command>. + If null, SSH will use its regular known-hosts file when connecting. + ''; + }; }; - })); - default = []; + }); + default = [ ]; description = '' This option lists the machines to be used if distributed builds are enabled (see <option>nix.distributedBuilds</option>). @@ -366,7 +339,7 @@ in envVars = mkOption { type = types.attrs; internal = true; - default = {}; + default = { }; description = "Environment variables used by Nix."; }; 
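Review bot: The `publicHostKey` description explains the null case but not that the key is only written into `/etc/nix/machines` when the Nix package is at least 2.4pre (the `optional (isNixAtLeast "2.4pre")` clause in the hunk at @@ -579); on an older Nix a configured pin is silently not applied and the connection still relies on the known-hosts file. Since this value is a host-key pin for remote builders, that fallback is worth stating next to the option, e.g. add to the description: `Only honoured when nix.package is at least 2.4; older Nix versions ignore this value and SSH falls back to its known-hosts file.` A format check on the value (it must be a single base64 token, as the `base64 -w0` example produces) would also catch copy-paste errors before they reach the machines file, which is space-separated and would be corrupted by an embedded space.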
@@ -391,92 +364,13 @@ in ''; }; - binaryCaches = mkOption { - type = types.listOf types.str; - description = '' - List of binary cache URLs used to obtain pre-built binaries - of Nix packages. - - By default https://cache.nixos.org/ is added, - to override it use <literal>lib.mkForce []</literal>. - ''; - }; - - trustedBinaryCaches = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "https://hydra.nixos.org/" ]; - description = '' - List of binary cache URLs that non-root users can use (in - addition to those specified using - <option>nix.binaryCaches</option>) by passing - <literal>--option binary-caches</literal> to Nix commands. - ''; - }; - - requireSignedBinaryCaches = mkOption { - type = types.bool; - default = true; - description = '' - If enabled (the default), Nix will only download binaries from binary caches if - they are cryptographically signed with any of the keys listed in - <option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither - required nor checked, so it's strongly recommended that you use only - trustworthy caches and https to prevent man-in-the-middle attacks. - ''; - }; - - binaryCachePublicKeys = mkOption { - type = types.listOf types.str; - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - description = '' - List of public keys used to sign binary caches. If - <option>nix.requireSignedBinaryCaches</option> is enabled, - then Nix will use a binary from a binary cache if and only - if it is signed by <emphasis>any</emphasis> of the keys - listed here. By default, only the key for - <uri>cache.nixos.org</uri> is included. - ''; - }; - - trustedUsers = mkOption { - type = types.listOf types.str; - default = [ "root" ]; - example = [ "root" "alice" "@wheel" ]; - description = '' - A list of names of users that have additional rights when - connecting to the Nix daemon, such as the ability to specify - additional binary caches, or to import unsigned NARs. 
You - can also specify groups by prefixing them with - <literal>@</literal>; for instance, - <literal>@wheel</literal> means all users in the wheel - group. - ''; - }; - - allowedUsers = mkOption { - type = types.listOf types.str; - default = [ "*" ]; - example = [ "@wheel" "@builders" "alice" "bob" ]; - description = '' - A list of names of users (separated by whitespace) that are - allowed to connect to the Nix daemon. As with - <option>nix.trustedUsers</option>, you can specify groups by - prefixing them with <literal>@</literal>. Also, you can - allow all users by specifying <literal>*</literal>. The - default is <literal>*</literal>. Note that trusted users are - always allowed to connect. - ''; - }; - nixPath = mkOption { type = types.listOf types.str; - default = - [ - "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" - "nixos-config=/etc/nixos/configuration.nix" - "/nix/var/nix/profiles/per-user/root/channels" - ]; + default = [ + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; description = '' The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets 
@@ -484,45 +378,44 @@ in ''; }; - systemFeatures = mkOption { - type = types.listOf types.str; - example = [ "kvm" "big-parallel" "gccarch-skylake" ]; - description = '' - The supported features of a machine - ''; - }; - checkConfig = mkOption { type = types.bool; default = true; description = '' - If enabled (the default), checks that Nix can parse the generated nix.conf. + If enabled (the default), checks for data type mismatches and that Nix + can parse the generated nix.conf. ''; }; registry = mkOption { type = types.attrsOf (types.submodule ( let - inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]); + referenceAttrs = with types; attrsOf (oneOf [ + str + int + bool + package + ]); in { config, name, ... }: - { options = { + { + options = { from = mkOption { - type = inputAttrs; + type = referenceAttrs; example = { type = "indirect"; id = "nixpkgs"; }; description = "The flake reference to be rewritten."; }; to = mkOption { - type = inputAttrs; + type = referenceAttrs; example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; - description = "The flake reference to which <option>from></option> is to be rewritten."; + description = "The flake reference <option>from></option> is rewritten to."; }; flake = mkOption { type = types.nullOr types.attrs; default = null; example = literalExpression "nixpkgs"; description = '' - The flake input to which <option>from></option> is to be rewritten. + The flake input <option>from></option> is rewritten to. ''; }; exact = mkOption { 
@@ -537,35 +430,232 @@ in }; config = { from = mkDefault { type = "indirect"; id = name; }; - to = mkIf (config.flake != null) - ({ type = "path"; - path = config.flake.outPath; - } // lib.filterAttrs - (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") - config.flake); + to = mkIf (config.flake != null) (mkDefault + { + type = "path"; + path = config.flake.outPath; + } // filterAttrs + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake); }; } )); - default = {}; + default = { }; description = '' A system-wide flake registry. ''; }; - }; + extraOptions = mkOption { + type = types.lines; + default = ""; + example = '' + keep-outputs = true + keep-derivations = true + ''; + description = "Additional text appended to <filename>nix.conf</filename>."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = '' + This option defines the maximum number of concurrent tasks during + one build. 
It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = true; + description = '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. + This is enabled by default even though it has a possible performance + impact due to the initial setup time of a sandbox for each build. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + <option>nix.settings.substituters</option>) by passing + <literal>--option binary-caches</literal> to Nix commands. 
+ ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + <option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. + ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = '' + List of public keys used to sign binary caches. If + <option>nix.settings.trusted-public-keys</option> is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by <emphasis>any</emphasis> of the keys + listed here. By default, only the key for + <uri>cache.nixos.org</uri> is included. + ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@wheel" ]; + description = '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + <literal>@</literal>; for instance, + <literal>@wheel</literal> means all users in the wheel + group. + ''; + }; + + system-features = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = '' + The set of features supported by the machine. Derivations + can express dependencies on system features through the + <literal>requiredSystemFeatures</literal> attribute. 
+ + By default, pseudo-features <literal>nixos-test</literal>, <literal>benchmark</literal>, + and <literal>big-parallel</literal> used in Nixpkgs are set, <literal>kvm</literal> + is also included in it is avaliable. + ''; + }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@wheel" "@builders" "alice" "bob" ]; + description = '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + <option>nix.settings.trusted-users</option>, you can specify groups by + prefixing them with <literal>@</literal>. Also, you can + allow all users by specifying <literal>*</literal>. The + default is <literal>*</literal>. Note that trusted users are + always allowed to connect. + ''; + }; + }; + }; + default = { }; + example = literalExpression '' + { + use-sandbox = true; + show-trace = true; + + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; + } + ''; + description = '' + Configuration for Nix, see + <link xlink:href="https://nixos.org/manual/nix/stable/#sec-conf-file"/> or + <citerefentry> + <refentrytitle>nix.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> for avalaible options. + The value declared here will be translated directly to the key-value pairs Nix expects. + </para> + <para> + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command> + to view the current value. By default it is empty. + </para> + <para> + Nix configurations defined under <option>nix.*</option> will be translated and applied to this + option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended + verbatim to the resulting config file. 
+ ''; + }; + }; }; ###### implementation config = mkIf cfg.enable { - - nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - nix.binaryCaches = [ "https://cache.nixos.org/" ]; - environment.systemPackages = - [ nix + [ + nixPackage pkgs.nix-info ] ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; 
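Review bot: In the `registry` submodule, `mkDefault { type = "path"; path = config.flake.outPath; } // filterAttrs (…) config.flake` applies `mkDefault` only to the first attribute set (function application binds tighter than `//`), so `lastModified`/`rev`/`revCount`/`narHash` are merged onto the override wrapper rather than into `to`, and as far as I can tell the module system will then drop them, losing the pinned `narHash`; wrap the whole merged set instead: `to = mkIf (config.flake != null) (mkDefault ({ type = "path"; path = config.flake.outPath; } // filterAttrs (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") config.flake));`. The `trusted-public-keys` description says "If <option>nix.settings.trusted-public-keys</option> is enabled" where the old text referred to the signature-requirement switch; it should name `nix.settings.require-sigs`. The `example` for `settings` uses `use-sandbox` although the submodule declares `sandbox`, and `sandbox-paths = { … }` is an attribute set, which `semanticConfType` (atoms or lists of atoms) rejects, so the example does not type-check as written. The `nix.binaryCachePublicKeys` and `nix.binaryCaches` defaults removed at the end of this hunk are not visibly re-added under `nix.settings` in these hunks; if that happens in the unshown lines it is fine, otherwise `require-sigs = true` ships with no trusted key and the default substituter.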
@@ -579,44 +669,49 @@ in
 # List of machines for distributed Nix builds in the format
 # expected by build-remote.pl.
- environment.etc."nix/machines" =
- { enable = cfg.buildMachines != [];
- text =
- concatMapStrings (machine:
- "${if machine.sshUser != null then "${machine.sshUser}@" else ""}${machine.hostName} "
- + (if machine.system != null then machine.system else concatStringsSep "," machine.systems)
- + " ${if machine.sshKey != null then machine.sshKey else "-"} ${toString machine.maxJobs} "
- + toString (machine.speedFactor)
- + " "
- + concatStringsSep "," (machine.mandatoryFeatures ++ machine.supportedFeatures)
- + " "
- + concatStringsSep "," machine.mandatoryFeatures
+ environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) {
+ text =
+ concatMapStrings
+ (machine:
+ (concatStringsSep " " [
+ "${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
+ (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
+ (if machine.sshKey != null then machine.sshKey else "-")
+ (toString machine.maxJobs)
+ (toString machine.speedFactor)
+ (concatStringsSep "," machine.supportedFeatures)
+ (concatStringsSep "," machine.mandatoryFeatures)
+ ]
+ ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))
 + "\n"
- ) cfg.buildMachines;
- };
+ )
+ cfg.buildMachines;
+ };
+
 assertions =
- let badMachine = m: m.system == null && m.systems == [];
- in [
+ let badMachine = m: m.system == null && m.systems == [ ];
+ in
+ [
 {
- assertion = !(builtins.any badMachine cfg.buildMachines);
+ assertion = !(any badMachine cfg.buildMachines);
 message = ''
 At least one system type (via <varname>system</varname> or <varname>systems</varname>) must be set for every build machine.
 Invalid machine specifications:
 '' + " " +
- (builtins.concatStringsSep "\n "
- (builtins.map (m: m.hostName)
- (builtins.filter (badMachine) cfg.buildMachines)));
+ (concatStringsSep "\n "
+ (map (m: m.hostName)
+ (filter (badMachine) cfg.buildMachines)));
 }
 ];
-
- systemd.packages = [ nix ];
+ systemd.packages = [ nixPackage ];
 systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
 systemd.services.nix-daemon =
- { path = [ nix pkgs.util-linux config.programs.ssh.package ]
+ {
+ path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
 ++ optionals cfg.distributedBuilds [ pkgs.gzip ];
 environment = cfg.envVars
@@ -626,7 +721,8 @@ in
 unitConfig.RequiresMountsFor = "/nix/store";
 serviceConfig =
- { CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
+ {
+ CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
 IOSchedulingClass = cfg.daemonIOSchedClass;
 IOSchedulingPriority = cfg.daemonIOSchedPriority;
 LimitNOFILE = 4096;
@@ -636,9 +732,7 @@ in
 };
 # Set up the environment variables for running Nix.
- environment.sessionVariables = cfg.envVars //
- { NIX_PATH = cfg.nixPath;
- };
+ environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };
 environment.extraInit = ''
@@ -647,7 +741,7 @@ in
 fi
 '';
- nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));
+ nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
 users.users = nixbldUsers;
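Review bot: The `publicHostKey` column is written only under `isNixAtLeast "2.4pre"`, so on an older Nix a machine whose `publicHostKey` is set silently loses the SSH host-key pin the administrator configured — a silent security downgrade rather than a configuration error. The `assertions` list reworked in this hunk is the right place to refuse that configuration: `{ assertion = isNixAtLeast "2.4pre" || all (m: m.publicHostKey == null) cfg.buildMachines; message = "nix.buildMachines.*.publicHostKey requires Nix >= 2.4"; }`. This assumes `isNixAtLeast` and `all` are in scope from the module header, which is outside the hunk, as is the tail of the `assertions` list and its message text.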
@@ -663,14 +757,26 @@ in
 fi
 '';
- nix.systemFeatures = mkDefault (
- [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
- optionals (pkgs.hostPlatform ? gcc.arch) (
- # a builder can run code for `gcc.arch` and inferior architectures
- [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
- map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
- )
- );
+ # Legacy configuration conversion.
+ nix.settings = mkMerge [
+ {
+ trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+ substituters = [ "https://cache.nixos.org/" ];
+
+ system-features = mkDefault (
+ [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
+ optionals (pkgs.hostPlatform ? gcc.arch) (
+ # a builder can run code for `gcc.arch` and inferior architectures
+ [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
+ map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
+ )
+ );
+ }
+
+ (mkIf (!cfg.distributedBuilds) { builders = null; })
+
+ (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
+ ];
 };
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index d5c64fdb264..355fad5db46 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
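Review bot: `system-features` advertises `kvm` unconditionally, but the description added for this setting in the earlier hunk says kvm "is also included in it is avaliable" [sic], i.e. only when available, so the code and the documentation disagree about what a builder claims to support. Module evaluation cannot probe `/dev/kvm`, so keeping the feature unconditional (as the removed `nix.systemFeatures` default already did) is the defensible choice; the description should then read `kvm is also included by default.` and lose the typo. A one-line comment above `trusted-public-keys` and `substituters` noting that they are deliberately set at normal priority, so that dropping cache.nixos.org requires `mkForce` exactly as the test changes in this commit do, would also save the next reader a search.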
@@ -20,7 +20,7 @@ in {
 write = mkOption {
 type = types.bool;
 default = false;
- description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations.";
+ description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the <option>nix.settings.trusted-users</option> option in most use cases, such as allowing remote building of derivations.";
 };
 keys = mkOption {
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index 18ac717f5dd..40afa551c7f 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -156,7 +156,7 @@ in
 specialisation = mkOption {
 default = {};
- example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }";
+ example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }";
 description = ''
 Additional configurations to build. If <literal>inheritParentConfig</literal> is true, the system
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix
index 5bc603530f7..33748358e45 100644
--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
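Review bot: The new `specialisation` example in top-level.nix is broken in two ways: `core = 0` names a setting that does not exist (the removed line shows it replaces `nix.buildCores`, whose nix.conf counterpart is `cores`), and the literal is one closing brace short, so it would not even parse if pasted. The fix is `example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { cores = 0; max-jobs = 1; }; }; }";`. If `nix.settings` is a freeform submodule, as the binfmt hunk's use of `extra-platforms` suggests, the misspelt key would presumably be passed through to nix.conf as an unknown setting rather than rejected at evaluation time, which is why a typo in documented examples is worth catching here.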
@@ -300,18 +300,15 @@ in {
 interpreterSandboxPath = dirOf (dirOf interpreterReg);
 } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
 }) cfg.emulatedSystems);
- # TODO: add a nix.extraPlatforms option to NixOS!
- nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
- extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
- '';
- nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) (
- let
+ nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
+ extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
+ extra-sandbox-paths = let
 ruleFor = system: cfg.registrations.${system};
 hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
 in [ "/run/binfmt" ] ++ lib.optional hasWrappedRule "${pkgs.bash}"
- ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems)
- );
+ ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems);
+ };
 environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf" (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix
index a126a5480c0..14001657bee 100644
--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -10,8 +10,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
 # XXX: Sandbox setup fails while trying to hardlink files from the host's
 # store file system into the prepared chroot directory.
- nix.useSandbox = false;
- nix.binaryCaches = []; # don't try to access cache.nixos.org
+ nix.settings.sandbox = false;
+ nix.settings.substituters = []; # don't try to access cache.nixos.org
 virtualisation.writableStore = true;
 # Make sure we always have all the required dependencies for creating a
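Review bot: In containers-imperative.nix, `nix.settings.substituters = []` does not achieve what the trailing comment promises: list options merge, and the nix-daemon module in this same commit sets `substituters = [ "https://cache.nixos.org/" ]` at normal priority, so the empty list contributes nothing and cache.nixos.org remains a substituter for the test VM. The other tests touched here use `mkForce`; this one should too: `nix.settings.substituters = lib.mkForce []; # don't try to access cache.nixos.org`. The removed `nix.binaryCaches = []` had the same flaw, so this is pre-existing, but the rewrite is the moment to fix it.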
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index da7e0972e13..dc455f971f5 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -11,7 +11,7 @@ import ./make-test-python.nix ({ pkgs, ... } : {
 users.users.sybil = { isNormalUser = true; group = "wheel"; };
 imports = [ ../modules/profiles/hardened.nix ];
 environment.memoryAllocator.provider = "graphene-hardened";
- nix.useSandbox = false;
+ nix.settings.sandbox = false;
 virtualisation.emptyDiskImages = [ 4096 ];
 boot.initrd.postDeviceCommands = ''
 ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix
index 4f05b99a5a1..3880f1649bd 100644
--- a/nixos/tests/hibernate.nix
+++ b/nixos/tests/hibernate.nix
@@ -45,11 +45,11 @@ in makeTest {
 ../modules/profiles/base.nix
 ];
- nix.binaryCaches = mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
 virtualisation.diskSize = 8 * 1024;
 virtualisation.emptyDiskImages = [
diff --git a/nixos/tests/hydra/common.nix b/nixos/tests/hydra/common.nix
index 1a3a4d8fb3d..fdf2b2c6f6d 100644
--- a/nixos/tests/hydra/common.nix
+++ b/nixos/tests/hydra/common.nix
@@ -42,7 +42,7 @@
 hostName = "localhost";
 systems = [ system ];
 }];
- binaryCaches = [];
+ settings.substituters = [];
 };
 };
 }
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 7c7eb004e55..761020571fa 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -334,11 +334,11 @@ let
 (pkgs.grub2_efi.override { inherit zfsSupport; })
 ]);
- nix.binaryCaches = mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
 };
 };
diff --git a/nixos/tests/iscsi-multipath-root.nix b/nixos/tests/iscsi-multipath-root.nix
index a26fea503b6..92ae9990c94 100644
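Review bot: In hydra/common.nix, `settings.substituters = [];` is a no-op for its purpose: the value merges with the `substituters = [ "https://cache.nixos.org/" ]` that the nix-daemon module now sets unconditionally, so the Hydra test node keeps cache.nixos.org configured, exactly as the removed `binaryCaches = []` already did. Use `settings.substituters = lib.mkForce [];`, as the hibernate and installer hunks on this page do, assuming `lib` is in scope in that file, which is outside the hunk.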
--- a/nixos/tests/iscsi-multipath-root.nix
+++ b/nixos/tests/iscsi-multipath-root.nix
@@ -111,11 +111,11 @@ import ./make-test-python.nix (
 environment.etc."initiator-root-disk-closure".source = nodes.initiatorRootDisk.config.system.build.toplevel;
- nix.binaryCaches = lib.mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [ ];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
 };
 initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
diff --git a/nixos/tests/iscsi-root.nix b/nixos/tests/iscsi-root.nix
index bda51d2c2e4..eb0719edc37 100644
--- a/nixos/tests/iscsi-root.nix
+++ b/nixos/tests/iscsi-root.nix
@@ -95,11 +95,11 @@ import ./make-test-python.nix (
 system.extraDependencies = [ nodes.initiatorRootDisk.config.system.build.toplevel ];
- nix.binaryCaches = lib.mkForce [];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
 };
 initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
diff --git a/nixos/tests/nixops/default.nix b/nixos/tests/nixops/default.nix
index ec3d028aaba..b25fc95f4b3 100644
--- a/nixos/tests/nixops/default.nix
+++ b/nixos/tests/nixops/default.nix
@@ -23,7 +23,7 @@ let
 deployer = { config, lib, nodes, pkgs, ... }: {
 imports = [ ../../modules/installer/cd-dvd/channel.nix ];
 environment.systemPackages = [ nixopsPkg ];
- nix.binaryCaches = lib.mkForce [ ];
+ nix.settings.substituters = lib.mkForce [ ];
 users.users.person.isNormalUser = true;
 virtualisation.writableStore = true;
 virtualisation.additionalPaths = [
diff --git a/nixos/tests/nixops/legacy/base-configuration.nix b/nixos/tests/nixops/legacy/base-configuration.nix
index dba960f595c..7f1c07a5c4a 100644
--- a/nixos/tests/nixops/legacy/base-configuration.nix
+++ b/nixos/tests/nixops/legacy/base-configuration.nix
@@ -16,7 +16,7 @@ in
 (modulesPath + "/testing/test-instrumentation.nix")
 ];
 virtualisation.writableStore = true;
- nix.binaryCaches = lib.mkForce [ ];
+ nix.settings.substituters = lib.mkForce [ ];
 virtualisation.graphics = false;
 documentation.enable = false;
 services.qemuGuest.enable = true;
diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix
index c1e29b0f68b..90375450fe1 100644
--- a/nixos/tests/os-prober.nix
+++ b/nixos/tests/os-prober.nix
@@ -43,11 +43,11 @@ let
 # vda is a filesystem without partition table
 forceInstall = true;
 };
- nix.binaryCaches = lib.mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
 # save some memory
 documentation.enable = false;
 };
|