mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-24 18:16:21 +03:00
Merge branch 'staging-next' into staging
; Conflicts: ; pkgs/development/python-modules/fakeredis/default.nix
This commit is contained in:
Jan Tojnar
commit
2da5ce4ab3
244 changed files with 2845 additions and 3098 deletions
|
|
@ -25,7 +25,7 @@ with lib;
|
|||
|
||||
installer.cloneConfigExtra = ''
|
||||
# Let demo build as a trusted user.
|
||||
# nix.trustedUsers = [ "demo" ];
|
||||
# nix.settings.trusted-users = [ "demo" ];
|
||||
|
||||
# Mount a VirtualBox shared folder.
|
||||
# This is configurable in the VirtualBox menu at
|
||||
|
|
|
|||
|
|
@ -61,85 +61,17 @@ let
|
|||
in scrubbedEval.options;
|
||||
baseOptionsJSON =
|
||||
let
|
||||
filterIntoStore =
|
||||
filter =
|
||||
builtins.filterSource
|
||||
(n: t:
|
||||
(t == "directory" -> baseNameOf n != "tests")
|
||||
&& (t == "file" -> hasSuffix ".nix" n)
|
||||
);
|
||||
|
||||
# Figure out if Nix runs in pure evaluation mode. May return true in
|
||||
# impure mode, but this is highly unlikely.
|
||||
# We need to know because of https://github.com/NixOS/nix/issues/1888
|
||||
# and https://github.com/NixOS/nix/issues/5868
|
||||
isPureEval = builtins.getEnv "PATH" == "" && builtins.getEnv "_" == "";
|
||||
|
||||
# Return a nixpkgs subpath with minimal copying.
|
||||
#
|
||||
# The sources for the base options json derivation can come in one of
|
||||
# two forms:
|
||||
# - single source: a store path with all of nixpkgs, postfix with
|
||||
# subpaths to access various directories. This has the benefit of
|
||||
# not creating copies of these subtrees in the Nix store, but
|
||||
# can cause unnecessary rebuilds if you update the Nixpkgs `pkgs`
|
||||
# tree often.
|
||||
# - split sources: multiple store paths with subdirectories of
|
||||
# nixpkgs that exclude the bulk of the pkgs directory.
|
||||
# This requires more copying and hashing during evaluation but
|
||||
# requires fewer files to be copied. This method produces fewer
|
||||
# unnecessary rebuilds of the base options json.
|
||||
#
|
||||
# Flake
|
||||
#
|
||||
# Flakes always put a copy of the full nixpkgs sources in the store,
|
||||
# so we can use the "single source" method. This method is ideal
|
||||
# for using nixpkgs as a dependency, as the base options json will be
|
||||
# substitutable from cache.nixos.org.
|
||||
#
|
||||
# This requires that the `self.outPath` is wired into `pkgs` correctly,
|
||||
# which is done for you if `pkgs` comes from the `lib.nixosSystem` or
|
||||
# `legacyPackages` flake attributes.
|
||||
#
|
||||
# Other Nixpkgs invocation
|
||||
#
|
||||
# If you do not use the known-correct flake attributes, but rather
|
||||
# invoke Nixpkgs yourself, set `config.path` to the correct path value,
|
||||
# e.g. `import nixpkgs { config.path = nixpkgs; }`.
|
||||
#
|
||||
# Choosing between single or split source paths
|
||||
#
|
||||
# We make assumptions based on the type and contents of `pkgs.path`.
|
||||
# By passing a different `config.path` to Nixpkgs, you can influence
|
||||
# how your documentation cache is evaluated and rebuilt.
|
||||
#
|
||||
# Single source
|
||||
# - If pkgs.path is a string containing a store path, the code has no
|
||||
# choice but to create this store path, if it hasn't already been.
|
||||
# We assume that the "single source" method is most efficient.
|
||||
# - If pkgs.path is a path value containing that is a store path,
|
||||
# we try to convert it to a string with context without copying.
|
||||
# This occurs for example when nixpkgs was fetched and using its
|
||||
# default `config.path`, which is `./.`.
|
||||
# Nix currently does not allow this conversion when evaluating in
|
||||
# pure mode. If the conversion is not possible, we use the
|
||||
# "split source" method.
|
||||
#
|
||||
# Split source
|
||||
# - If pkgs.path is a path value that is not a store path, we assume
|
||||
# that it's unlikely for all of nixpkgs to end up in the store for
|
||||
# other reasons and try to keep both the copying and rebuilds low.
|
||||
pull =
|
||||
if builtins.typeOf pkgs.path == "string" && isStorePath pkgs.path then
|
||||
dir: "${pkgs.path}/${dir}"
|
||||
else if !isPureEval && isStorePath pkgs.path then
|
||||
dir: "${builtins.storePath pkgs.path}/${dir}"
|
||||
else
|
||||
dir: filterIntoStore "${toString pkgs.path}/${dir}";
|
||||
in
|
||||
pkgs.runCommand "lazy-options.json" {
|
||||
libPath = pull "lib";
|
||||
pkgsLibPath = pull "pkgs/pkgs-lib";
|
||||
nixosPath = pull "nixos";
|
||||
libPath = filter "${toString pkgs.path}/lib";
|
||||
pkgsLibPath = filter "${toString pkgs.path}/pkgs/pkgs-lib";
|
||||
nixosPath = filter "${toString pkgs.path}/nixos";
|
||||
modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy;
|
||||
} ''
|
||||
export NIX_STORE_DIR=$TMPDIR/store
|
||||
|
|
|
|||
|
|
@ -59,8 +59,6 @@ let
|
|||
inherit (cfg) config overlays localSystem crossSystem;
|
||||
};
|
||||
|
||||
# NOTE: flake.nix assumes that nixpkgs.config is only used with ../../..
|
||||
# as nixpkgs.config.path should be equivalent to ../../..
|
||||
finalPkgs = if opt.pkgs.isDefined then cfg.pkgs.appendOverlays cfg.overlays else defaultPkgs;
|
||||
|
||||
in
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ with lib;
|
|||
|
||||
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
||||
|
||||
nix.allowedUsers = mkDefault [ "@users" ];
|
||||
nix.settings.allowed-users = mkDefault [ "@users" ];
|
||||
|
||||
environment.memoryAllocator.provider = mkDefault "scudo";
|
||||
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
|
||||
|
|
|
|||
|
|
@ -123,8 +123,8 @@ with lib;
|
|||
boot.kernel.sysctl."user.max_user_namespaces" = 0;
|
||||
|
||||
assertions = [
|
||||
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
|
||||
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
|
||||
{ assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces;
|
||||
message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.";
|
||||
}
|
||||
];
|
||||
})
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ in
|
|||
concurrent = mkOption {
|
||||
type = types.int;
|
||||
default = 1;
|
||||
example = literalExpression "config.nix.maxJobs";
|
||||
example = literalExpression "config.nix.settings.max-jobs";
|
||||
description = ''
|
||||
Limits how many jobs globally can be run concurrently.
|
||||
The most upper limit of jobs using all defined runners.
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ in
|
|||
|
||||
# Trusted user allows simplified configuration and better performance
|
||||
# when operating in a cluster.
|
||||
nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
|
||||
nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
|
||||
services.hercules-ci-agent = {
|
||||
settings = {
|
||||
nixUserIsTrusted = true;
|
||||
|
|
|
|||
|
|
@ -258,8 +258,6 @@ in
|
|||
uid = config.ids.uids.hydra-www;
|
||||
};
|
||||
|
||||
nix.trustedUsers = [ "hydra-queue-runner" ];
|
||||
|
||||
services.hydra.extraConfig =
|
||||
''
|
||||
using_frontend_proxy = 1
|
||||
|
|
@ -277,16 +275,21 @@ in
|
|||
|
||||
environment.variables = hydraEnv;
|
||||
|
||||
nix.extraOptions = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
nix.settings = mkMerge [
|
||||
{
|
||||
keep-outputs = true;
|
||||
keep-derivations = true;
|
||||
trusted-users = [ "hydra-queue-runner" ];
|
||||
}
|
||||
|
||||
|
||||
'' + optionalString (versionOlder (getVersion config.nix.package.out) "2.4pre") ''
|
||||
# The default (`true') slows Nix down a lot since the build farm
|
||||
# has so many GC roots.
|
||||
gc-check-reachability = false
|
||||
'';
|
||||
(mkIf (versionOlder (getVersion config.nix.package.out) "2.4pre")
|
||||
{
|
||||
# The default (`true') slows Nix down a lot since the build farm
|
||||
# has so many GC roots.
|
||||
gc-check-reachability = false;
|
||||
}
|
||||
)
|
||||
];
|
||||
|
||||
systemd.services.hydra-init =
|
||||
{ wantedBy = [ "multi-user.target" ];
|
||||
|
|
|
|||
|
|
@ -79,10 +79,7 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.mx-puppet-discord = {
|
||||
description = ''
|
||||
mx-puppet-discord is a discord puppeting bridge for matrix.
|
||||
It handles bridging private and group DMs, as well as Guilds (servers).
|
||||
'';
|
||||
description = "Matrix to Discord puppeting bridge";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
||||
|
|
|
|||
|
|
@ -6,20 +6,20 @@ let
|
|||
|
||||
cfg = config.nix;
|
||||
|
||||
nix = cfg.package.out;
|
||||
nixPackage = cfg.package.out;
|
||||
|
||||
nixVersion = getVersion nix;
|
||||
|
||||
isNix23 = versionAtLeast nixVersion "2.3pre";
|
||||
isNixAtLeast = versionAtLeast (getVersion nixPackage);
|
||||
|
||||
makeNixBuildUser = nr: {
|
||||
name = "nixbld${toString nr}";
|
||||
name = "nixbld${toString nr}";
|
||||
value = {
|
||||
description = "Nix build user ${toString nr}";
|
||||
|
||||
/* For consistency with the setgid(2), setuid(2), and setgroups(2)
|
||||
calls in `libstore/build.cc', don't add any supplementary group
|
||||
here except "nixbld". */
|
||||
/*
|
||||
For consistency with the setgid(2), setuid(2), and setgroups(2)
|
||||
calls in `libstore/build.cc', don't add any supplementary group
|
||||
here except "nixbld".
|
||||
*/
|
||||
uid = builtins.add config.ids.uids.nixbld nr;
|
||||
isSystemUser = true;
|
||||
group = "nixbld";
|
||||
|
|
@ -30,43 +30,82 @@ let
|
|||
nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
|
||||
|
||||
nixConf =
|
||||
assert versionAtLeast nixVersion "2.2";
|
||||
pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (
|
||||
''
|
||||
cat > $out <<END
|
||||
assert isNixAtLeast "2.2";
|
||||
let
|
||||
|
||||
mkValueString = v:
|
||||
if v == null then ""
|
||||
else if isInt v then toString v
|
||||
else if isBool v then boolToString v
|
||||
else if isFloat v then floatToString v
|
||||
else if isList v then toString v
|
||||
else if isDerivation v then toString v
|
||||
else if builtins.isPath v then toString v
|
||||
else if isString v then v
|
||||
else if isCoercibleToString v then toString v
|
||||
else abort "The nix conf value: ${toPretty {} v} can not be encoded";
|
||||
|
||||
mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}";
|
||||
|
||||
mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs);
|
||||
|
||||
in
|
||||
pkgs.writeTextFile {
|
||||
name = "nix.conf";
|
||||
text = ''
|
||||
# WARNING: this file is generated from the nix.* options in
|
||||
# your NixOS configuration, typically
|
||||
# /etc/nixos/configuration.nix. Do not edit it!
|
||||
build-users-group = nixbld
|
||||
max-jobs = ${toString (cfg.maxJobs)}
|
||||
cores = ${toString (cfg.buildCores)}
|
||||
sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
|
||||
extra-sandbox-paths = ${toString cfg.sandboxPaths}
|
||||
substituters = ${toString cfg.binaryCaches}
|
||||
trusted-substituters = ${toString cfg.trustedBinaryCaches}
|
||||
trusted-public-keys = ${toString cfg.binaryCachePublicKeys}
|
||||
auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
|
||||
require-sigs = ${boolToString cfg.requireSignedBinaryCaches}
|
||||
trusted-users = ${toString cfg.trustedUsers}
|
||||
allowed-users = ${toString cfg.allowedUsers}
|
||||
${optionalString (!cfg.distributedBuilds) ''
|
||||
builders =
|
||||
''}
|
||||
system-features = ${toString cfg.systemFeatures}
|
||||
${optionalString isNix23 ''
|
||||
sandbox-fallback = false
|
||||
''}
|
||||
$extraOptions
|
||||
END
|
||||
'' + optionalString cfg.checkConfig (
|
||||
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
|
||||
echo "Ignore nix.checkConfig when cross-compiling"
|
||||
'' else ''
|
||||
echo "Checking that Nix can read nix.conf..."
|
||||
ln -s $out ./nix.conf
|
||||
NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null
|
||||
'')
|
||||
);
|
||||
${mkKeyValuePairs cfg.settings}
|
||||
${cfg.extraOptions}
|
||||
'';
|
||||
checkPhase =
|
||||
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
|
||||
echo "Ignoring validation for cross-compilation"
|
||||
''
|
||||
else ''
|
||||
echo "Validating generated nix.conf"
|
||||
ln -s $out ./nix.conf
|
||||
set -e
|
||||
set +o pipefail
|
||||
NIX_CONF_DIR=$PWD \
|
||||
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net --option experimental-features nix-command"} \
|
||||
|& sed -e 's/^warning:/error:/' \
|
||||
| (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}')
|
||||
set -o pipefail
|
||||
'';
|
||||
};
|
||||
|
||||
legacyConfMappings = {
|
||||
useSandbox = "sandbox";
|
||||
buildCores = "cores";
|
||||
maxJobs = "max-jobs";
|
||||
sandboxPaths = "extra-sandbox-paths";
|
||||
binaryCaches = "substituters";
|
||||
trustedBinaryCaches = "trusted-substituters";
|
||||
binaryCachePublicKeys = "trusted-public-keys";
|
||||
autoOptimiseStore = "auto-optimise-store";
|
||||
requireSignedBinaryCaches = "require-sigs";
|
||||
trustedUsers = "trusted-users";
|
||||
allowedUsers = "allowed-users";
|
||||
systemFeatures = "system-feature";
|
||||
};
|
||||
|
||||
semanticConfType = with types;
|
||||
let
|
||||
confAtom = nullOr
|
||||
(oneOf [
|
||||
bool
|
||||
int
|
||||
float
|
||||
str
|
||||
path
|
||||
package
|
||||
]) // {
|
||||
description = "Nix config atom (null, bool, int, float, str, path or package)";
|
||||
};
|
||||
in
|
||||
attrsOf (either confAtom (listOf confAtom));
|
||||
|
||||
in
|
||||
|
||||
|
|
@ -76,7 +115,7 @@ in
|
|||
(mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
|
||||
(mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ])
|
||||
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
|
||||
];
|
||||
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
|
||||
|
||||
###### interface
|
||||
|
||||
|
|
@ -102,81 +141,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
maxJobs = mkOption {
|
||||
type = types.either types.int (types.enum ["auto"]);
|
||||
default = "auto";
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of jobs that Nix will try to
|
||||
build in parallel. The default is auto, which means it will use all
|
||||
available logical cores. It is recommend to set it to the total
|
||||
number of logical cores in your system (e.g., 16 for two CPUs with 4
|
||||
cores each and hyper-threading).
|
||||
'';
|
||||
};
|
||||
|
||||
autoOptimiseStore = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = ''
|
||||
If set to true, Nix automatically detects files in the store that have
|
||||
identical contents, and replaces them with hard links to a single copy.
|
||||
This saves disk space. If set to false (the default), you can still run
|
||||
nix-store --optimise to get rid of duplicate files.
|
||||
'';
|
||||
};
|
||||
|
||||
buildCores = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of concurrent tasks during
|
||||
one build. It affects, e.g., -j option for make.
|
||||
The special value 0 means that the builder should use all
|
||||
available CPU cores in the system. Some builds may become
|
||||
non-deterministic with this option; use with care! Packages will
|
||||
only be affected if enableParallelBuilding is set for them.
|
||||
'';
|
||||
};
|
||||
|
||||
useSandbox = mkOption {
|
||||
type = types.either types.bool (types.enum ["relaxed"]);
|
||||
default = true;
|
||||
description = "
|
||||
If set, Nix will perform builds in a sandboxed environment that it
|
||||
will set up automatically for each build. This prevents impurities
|
||||
in builds by disallowing access to dependencies outside of the Nix
|
||||
store by using network and mount namespaces in a chroot environment.
|
||||
This is enabled by default even though it has a possible performance
|
||||
impact due to the initial setup time of a sandbox for each build. It
|
||||
doesn't affect derivation hashes, so changing this option will not
|
||||
trigger a rebuild of packages.
|
||||
";
|
||||
};
|
||||
|
||||
sandboxPaths = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "/dev" "/proc" ];
|
||||
description =
|
||||
''
|
||||
Directories from the host filesystem to be included
|
||||
in the sandbox.
|
||||
'';
|
||||
};
|
||||
|
||||
extraOptions = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
'';
|
||||
description = "Additional text appended to <filename>nix.conf</filename>.";
|
||||
};
|
||||
|
||||
distributedBuilds = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
|
@ -187,7 +151,7 @@ in
|
|||
};
|
||||
|
||||
daemonCPUSchedPolicy = mkOption {
|
||||
type = types.enum ["other" "batch" "idle"];
|
||||
type = types.enum [ "other" "batch" "idle" ];
|
||||
default = "other";
|
||||
example = "batch";
|
||||
description = ''
|
||||
|
|
@ -218,7 +182,7 @@ in
|
|||
};
|
||||
|
||||
daemonIOSchedClass = mkOption {
|
||||
type = types.enum ["best-effort" "idle"];
|
||||
type = types.enum [ "best-effort" "idle" ];
|
||||
default = "best-effort";
|
||||
example = "idle";
|
||||
description = ''
|
||||
|
|
@ -250,11 +214,11 @@ in
|
|||
scheduling policy: With idle, priorities are not used in scheduling
|
||||
decisions. best-effort supports values in the range 0 (high) to 7
|
||||
(low).
|
||||
'';
|
||||
'';
|
||||
};
|
||||
|
||||
buildMachines = mkOption {
|
||||
type = types.listOf (types.submodule ({
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
hostName = mkOption {
|
||||
type = types.str;
|
||||
|
|
@ -276,7 +240,7 @@ in
|
|||
};
|
||||
systems = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "x86_64-linux" "aarch64-linux" ];
|
||||
description = ''
|
||||
The system types the build machine can execute derivations on.
|
||||
|
|
@ -293,7 +257,7 @@ in
|
|||
The username to log in as on the remote host. This user must be
|
||||
able to log in and run nix commands non-interactively. It must
|
||||
also be privileged to build derivations, so must be included in
|
||||
<option>nix.trustedUsers</option>.
|
||||
<option>nix.settings.trusted-users</option>.
|
||||
'';
|
||||
};
|
||||
sshKey = mkOption {
|
||||
|
|
@ -331,7 +295,7 @@ in
|
|||
};
|
||||
mandatoryFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "big-parallel" ];
|
||||
description = ''
|
||||
A list of features mandatory for this builder. The builder will
|
||||
|
|
@ -342,7 +306,7 @@ in
|
|||
};
|
||||
supportedFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "kvm" "big-parallel" ];
|
||||
description = ''
|
||||
A list of features supported by this builder. The builder will
|
||||
|
|
@ -350,9 +314,18 @@ in
|
|||
list.
|
||||
'';
|
||||
};
|
||||
publicHostKey = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The (base64-encoded) public host key of this builder. The field
|
||||
is calculated via <command>base64 -w0 /etc/ssh/ssh_host_type_key.pub</command>.
|
||||
If null, SSH will use its regular known-hosts file when connecting.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = [];
|
||||
});
|
||||
default = [ ];
|
||||
description = ''
|
||||
This option lists the machines to be used if distributed builds are
|
||||
enabled (see <option>nix.distributedBuilds</option>).
|
||||
|
|
@ -366,7 +339,7 @@ in
|
|||
envVars = mkOption {
|
||||
type = types.attrs;
|
||||
internal = true;
|
||||
default = {};
|
||||
default = { };
|
||||
description = "Environment variables used by Nix.";
|
||||
};
|
||||
|
||||
|
|
@ -391,92 +364,13 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
binaryCaches = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of binary cache URLs used to obtain pre-built binaries
|
||||
of Nix packages.
|
||||
|
||||
By default https://cache.nixos.org/ is added,
|
||||
to override it use <literal>lib.mkForce []</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedBinaryCaches = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "https://hydra.nixos.org/" ];
|
||||
description = ''
|
||||
List of binary cache URLs that non-root users can use (in
|
||||
addition to those specified using
|
||||
<option>nix.binaryCaches</option>) by passing
|
||||
<literal>--option binary-caches</literal> to Nix commands.
|
||||
'';
|
||||
};
|
||||
|
||||
requireSignedBinaryCaches = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), Nix will only download binaries from binary caches if
|
||||
they are cryptographically signed with any of the keys listed in
|
||||
<option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
|
||||
required nor checked, so it's strongly recommended that you use only
|
||||
trustworthy caches and https to prevent man-in-the-middle attacks.
|
||||
'';
|
||||
};
|
||||
|
||||
binaryCachePublicKeys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
||||
description = ''
|
||||
List of public keys used to sign binary caches. If
|
||||
<option>nix.requireSignedBinaryCaches</option> is enabled,
|
||||
then Nix will use a binary from a binary cache if and only
|
||||
if it is signed by <emphasis>any</emphasis> of the keys
|
||||
listed here. By default, only the key for
|
||||
<uri>cache.nixos.org</uri> is included.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedUsers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "root" ];
|
||||
example = [ "root" "alice" "@wheel" ];
|
||||
description = ''
|
||||
A list of names of users that have additional rights when
|
||||
connecting to the Nix daemon, such as the ability to specify
|
||||
additional binary caches, or to import unsigned NARs. You
|
||||
can also specify groups by prefixing them with
|
||||
<literal>@</literal>; for instance,
|
||||
<literal>@wheel</literal> means all users in the wheel
|
||||
group.
|
||||
'';
|
||||
};
|
||||
|
||||
allowedUsers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "*" ];
|
||||
example = [ "@wheel" "@builders" "alice" "bob" ];
|
||||
description = ''
|
||||
A list of names of users (separated by whitespace) that are
|
||||
allowed to connect to the Nix daemon. As with
|
||||
<option>nix.trustedUsers</option>, you can specify groups by
|
||||
prefixing them with <literal>@</literal>. Also, you can
|
||||
allow all users by specifying <literal>*</literal>. The
|
||||
default is <literal>*</literal>. Note that trusted users are
|
||||
always allowed to connect.
|
||||
'';
|
||||
};
|
||||
|
||||
nixPath = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default =
|
||||
[
|
||||
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
|
||||
"nixos-config=/etc/nixos/configuration.nix"
|
||||
"/nix/var/nix/profiles/per-user/root/channels"
|
||||
];
|
||||
default = [
|
||||
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
|
||||
"nixos-config=/etc/nixos/configuration.nix"
|
||||
"/nix/var/nix/profiles/per-user/root/channels"
|
||||
];
|
||||
description = ''
|
||||
The default Nix expression search path, used by the Nix
|
||||
evaluator to look up paths enclosed in angle brackets
|
||||
|
|
@ -484,45 +378,44 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
systemFeatures = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "kvm" "big-parallel" "gccarch-skylake" ];
|
||||
description = ''
|
||||
The supported features of a machine
|
||||
'';
|
||||
};
|
||||
|
||||
checkConfig = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), checks that Nix can parse the generated nix.conf.
|
||||
If enabled (the default), checks for data type mismatches and that Nix
|
||||
can parse the generated nix.conf.
|
||||
'';
|
||||
};
|
||||
|
||||
registry = mkOption {
|
||||
type = types.attrsOf (types.submodule (
|
||||
let
|
||||
inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]);
|
||||
referenceAttrs = with types; attrsOf (oneOf [
|
||||
str
|
||||
int
|
||||
bool
|
||||
package
|
||||
]);
|
||||
in
|
||||
{ config, name, ... }:
|
||||
{ options = {
|
||||
{
|
||||
options = {
|
||||
from = mkOption {
|
||||
type = inputAttrs;
|
||||
type = referenceAttrs;
|
||||
example = { type = "indirect"; id = "nixpkgs"; };
|
||||
description = "The flake reference to be rewritten.";
|
||||
};
|
||||
to = mkOption {
|
||||
type = inputAttrs;
|
||||
type = referenceAttrs;
|
||||
example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
|
||||
description = "The flake reference to which <option>from></option> is to be rewritten.";
|
||||
description = "The flake reference <option>from></option> is rewritten to.";
|
||||
};
|
||||
flake = mkOption {
|
||||
type = types.nullOr types.attrs;
|
||||
default = null;
|
||||
example = literalExpression "nixpkgs";
|
||||
description = ''
|
||||
The flake input to which <option>from></option> is to be rewritten.
|
||||
The flake input <option>from></option> is rewritten to.
|
||||
'';
|
||||
};
|
||||
exact = mkOption {
|
||||
|
|
@ -537,35 +430,232 @@ in
|
|||
};
|
||||
config = {
|
||||
from = mkDefault { type = "indirect"; id = name; };
|
||||
to = mkIf (config.flake != null)
|
||||
({ type = "path";
|
||||
path = config.flake.outPath;
|
||||
} // lib.filterAttrs
|
||||
(n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
|
||||
config.flake);
|
||||
to = mkIf (config.flake != null) (mkDefault
|
||||
{
|
||||
type = "path";
|
||||
path = config.flake.outPath;
|
||||
} // filterAttrs
|
||||
(n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
|
||||
config.flake);
|
||||
};
|
||||
}
|
||||
));
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
A system-wide flake registry.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
extraOptions = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = ''
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
'';
|
||||
description = "Additional text appended to <filename>nix.conf</filename>.";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = semanticConfType;
|
||||
|
||||
options = {
|
||||
max-jobs = mkOption {
|
||||
type = types.either types.int (types.enum [ "auto" ]);
|
||||
default = "auto";
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of jobs that Nix will try to
|
||||
build in parallel. The default is auto, which means it will use all
|
||||
available logical cores. It is recommend to set it to the total
|
||||
number of logical cores in your system (e.g., 16 for two CPUs with 4
|
||||
cores each and hyper-threading).
|
||||
'';
|
||||
};
|
||||
|
||||
auto-optimise-store = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = ''
|
||||
If set to true, Nix automatically detects files in the store that have
|
||||
identical contents, and replaces them with hard links to a single copy.
|
||||
This saves disk space. If set to false (the default), you can still run
|
||||
nix-store --optimise to get rid of duplicate files.
|
||||
'';
|
||||
};
|
||||
|
||||
cores = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
example = 64;
|
||||
description = ''
|
||||
This option defines the maximum number of concurrent tasks during
|
||||
one build. It affects, e.g., -j option for make.
|
||||
The special value 0 means that the builder should use all
|
||||
available CPU cores in the system. Some builds may become
|
||||
non-deterministic with this option; use with care! Packages will
|
||||
only be affected if enableParallelBuilding is set for them.
|
||||
'';
|
||||
};
|
||||
|
||||
sandbox = mkOption {
|
||||
type = types.either types.bool (types.enum [ "relaxed" ]);
|
||||
default = true;
|
||||
description = ''
|
||||
If set, Nix will perform builds in a sandboxed environment that it
|
||||
will set up automatically for each build. This prevents impurities
|
||||
in builds by disallowing access to dependencies outside of the Nix
|
||||
store by using network and mount namespaces in a chroot environment.
|
||||
This is enabled by default even though it has a possible performance
|
||||
impact due to the initial setup time of a sandbox for each build. It
|
||||
doesn't affect derivation hashes, so changing this option will not
|
||||
trigger a rebuild of packages.
|
||||
'';
|
||||
};
|
||||
|
||||
extra-sandbox-paths = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "/dev" "/proc" ];
|
||||
description = ''
|
||||
Directories from the host filesystem to be included
|
||||
in the sandbox.
|
||||
'';
|
||||
};
|
||||
|
||||
substituters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of binary cache URLs used to obtain pre-built binaries
|
||||
of Nix packages.
|
||||
|
||||
By default https://cache.nixos.org/ is added.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-substituters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "https://hydra.nixos.org/" ];
|
||||
description = ''
|
||||
List of binary cache URLs that non-root users can use (in
|
||||
addition to those specified using
|
||||
<option>nix.settings.substituters</option>) by passing
|
||||
<literal>--option binary-caches</literal> to Nix commands.
|
||||
'';
|
||||
};
|
||||
|
||||
require-sigs = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If enabled (the default), Nix will only download binaries from binary caches if
|
||||
they are cryptographically signed with any of the keys listed in
|
||||
<option>nix.settings.trusted-public-keys</option>. If disabled, signatures are neither
|
||||
required nor checked, so it's strongly recommended that you use only
|
||||
trustworthy caches and https to prevent man-in-the-middle attacks.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-public-keys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
||||
description = ''
|
||||
List of public keys used to sign binary caches. If
|
||||
<option>nix.settings.trusted-public-keys</option> is enabled,
|
||||
then Nix will use a binary from a binary cache if and only
|
||||
if it is signed by <emphasis>any</emphasis> of the keys
|
||||
listed here. By default, only the key for
|
||||
<uri>cache.nixos.org</uri> is included.
|
||||
'';
|
||||
};
|
||||
|
||||
trusted-users = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "root" ];
|
||||
example = [ "root" "alice" "@wheel" ];
|
||||
description = ''
|
||||
A list of names of users that have additional rights when
|
||||
connecting to the Nix daemon, such as the ability to specify
|
||||
additional binary caches, or to import unsigned NARs. You
|
||||
can also specify groups by prefixing them with
|
||||
<literal>@</literal>; for instance,
|
||||
<literal>@wheel</literal> means all users in the wheel
|
||||
group.
|
||||
'';
|
||||
};
|
||||
|
||||
system-features = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "kvm" "big-parallel" "gccarch-skylake" ];
|
||||
description = ''
|
||||
The set of features supported by the machine. Derivations
|
||||
can express dependencies on system features through the
|
||||
<literal>requiredSystemFeatures</literal> attribute.
|
||||
|
||||
By default, pseudo-features <literal>nixos-test</literal>, <literal>benchmark</literal>,
|
||||
and <literal>big-parallel</literal> used in Nixpkgs are set, <literal>kvm</literal>
|
||||
is also included in it is avaliable.
|
||||
'';
|
||||
};
|
||||
|
||||
allowed-users = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "*" ];
|
||||
example = [ "@wheel" "@builders" "alice" "bob" ];
|
||||
description = ''
|
||||
A list of names of users (separated by whitespace) that are
|
||||
allowed to connect to the Nix daemon. As with
|
||||
<option>nix.settings.trusted-users</option>, you can specify groups by
|
||||
prefixing them with <literal>@</literal>. Also, you can
|
||||
allow all users by specifying <literal>*</literal>. The
|
||||
default is <literal>*</literal>. Note that trusted users are
|
||||
always allowed to connect.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
example = literalExpression ''
|
||||
{
|
||||
use-sandbox = true;
|
||||
show-trace = true;
|
||||
|
||||
system-features = [ "big-parallel" "kvm" "recursive-nix" ];
|
||||
sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Configuration for Nix, see
|
||||
<link xlink:href="https://nixos.org/manual/nix/stable/#sec-conf-file"/> or
|
||||
<citerefentry>
|
||||
<refentrytitle>nix.conf</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</citerefentry> for avalaible options.
|
||||
The value declared here will be translated directly to the key-value pairs Nix expects.
|
||||
</para>
|
||||
<para>
|
||||
You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command>
|
||||
to view the current value. By default it is empty.
|
||||
</para>
|
||||
<para>
|
||||
Nix configurations defined under <option>nix.*</option> will be translated and applied to this
|
||||
option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended
|
||||
verbatim to the resulting config file.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
|
||||
nix.binaryCaches = [ "https://cache.nixos.org/" ];
|
||||
|
||||
environment.systemPackages =
|
||||
[ nix
|
||||
[
|
||||
nixPackage
|
||||
pkgs.nix-info
|
||||
]
|
||||
++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;
|
||||
|
|
@ -579,44 +669,49 @@ in
|
|||
|
||||
# List of machines for distributed Nix builds in the format
|
||||
# expected by build-remote.pl.
|
||||
environment.etc."nix/machines" =
|
||||
{ enable = cfg.buildMachines != [];
|
||||
text =
|
||||
concatMapStrings (machine:
|
||||
"${if machine.sshUser != null then "${machine.sshUser}@" else ""}${machine.hostName} "
|
||||
+ (if machine.system != null then machine.system else concatStringsSep "," machine.systems)
|
||||
+ " ${if machine.sshKey != null then machine.sshKey else "-"} ${toString machine.maxJobs} "
|
||||
+ toString (machine.speedFactor)
|
||||
+ " "
|
||||
+ concatStringsSep "," (machine.mandatoryFeatures ++ machine.supportedFeatures)
|
||||
+ " "
|
||||
+ concatStringsSep "," machine.mandatoryFeatures
|
||||
environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) {
|
||||
text =
|
||||
concatMapStrings
|
||||
(machine:
|
||||
(concatStringsSep " " ([
|
||||
"${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
|
||||
(if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
|
||||
(if machine.sshKey != null then machine.sshKey else "-")
|
||||
(toString machine.maxJobs)
|
||||
(toString machine.speedFactor)
|
||||
(concatStringsSep "," machine.supportedFeatures)
|
||||
(concatStringsSep "," machine.mandatoryFeatures)
|
||||
]
|
||||
++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-")))
|
||||
+ "\n"
|
||||
) cfg.buildMachines;
|
||||
};
|
||||
)
|
||||
cfg.buildMachines;
|
||||
};
|
||||
|
||||
assertions =
|
||||
let badMachine = m: m.system == null && m.systems == [];
|
||||
in [
|
||||
let badMachine = m: m.system == null && m.systems == [ ];
|
||||
in
|
||||
[
|
||||
{
|
||||
assertion = !(builtins.any badMachine cfg.buildMachines);
|
||||
assertion = !(any badMachine cfg.buildMachines);
|
||||
message = ''
|
||||
At least one system type (via <varname>system</varname> or
|
||||
<varname>systems</varname>) must be set for every build machine.
|
||||
Invalid machine specifications:
|
||||
'' + " " +
|
||||
(builtins.concatStringsSep "\n "
|
||||
(builtins.map (m: m.hostName)
|
||||
(builtins.filter (badMachine) cfg.buildMachines)));
|
||||
(concatStringsSep "\n "
|
||||
(map (m: m.hostName)
|
||||
(filter (badMachine) cfg.buildMachines)));
|
||||
}
|
||||
];
|
||||
|
||||
|
||||
systemd.packages = [ nix ];
|
||||
systemd.packages = [ nixPackage ];
|
||||
|
||||
systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
|
||||
|
||||
systemd.services.nix-daemon =
|
||||
{ path = [ nix pkgs.util-linux config.programs.ssh.package ]
|
||||
{
|
||||
path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
|
||||
++ optionals cfg.distributedBuilds [ pkgs.gzip ];
|
||||
|
||||
environment = cfg.envVars
|
||||
|
|
@ -626,7 +721,8 @@ in
|
|||
unitConfig.RequiresMountsFor = "/nix/store";
|
||||
|
||||
serviceConfig =
|
||||
{ CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
|
||||
{
|
||||
CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
|
||||
IOSchedulingClass = cfg.daemonIOSchedClass;
|
||||
IOSchedulingPriority = cfg.daemonIOSchedPriority;
|
||||
LimitNOFILE = 4096;
|
||||
|
|
@ -636,9 +732,7 @@ in
|
|||
};
|
||||
|
||||
# Set up the environment variables for running Nix.
|
||||
environment.sessionVariables = cfg.envVars //
|
||||
{ NIX_PATH = cfg.nixPath;
|
||||
};
|
||||
environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };
|
||||
|
||||
environment.extraInit =
|
||||
''
|
||||
|
|
@ -647,7 +741,7 @@ in
|
|||
fi
|
||||
'';
|
||||
|
||||
nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));
|
||||
nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
|
||||
|
||||
users.users = nixbldUsers;
|
||||
|
||||
|
|
@ -663,14 +757,26 @@ in
|
|||
fi
|
||||
'';
|
||||
|
||||
nix.systemFeatures = mkDefault (
|
||||
[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
|
||||
optionals (pkgs.hostPlatform ? gcc.arch) (
|
||||
# a builder can run code for `gcc.arch` and inferior architectures
|
||||
[ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
|
||||
map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
|
||||
)
|
||||
);
|
||||
# Legacy configuration conversion.
|
||||
nix.settings = mkMerge [
|
||||
{
|
||||
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
|
||||
substituters = [ "https://cache.nixos.org/" ];
|
||||
|
||||
system-features = mkDefault (
|
||||
[ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
|
||||
optionals (pkgs.hostPlatform ? gcc.arch) (
|
||||
# a builder can run code for `gcc.arch` and inferior architectures
|
||||
[ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
|
||||
map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
(mkIf (!cfg.distributedBuilds) { builders = null; })
|
||||
|
||||
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ in {
|
|||
write = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations.";
|
||||
description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the <option>nix.settings.trusted-users</option> option in most use cases, such as allowing remote building of derivations.";
|
||||
};
|
||||
|
||||
keys = mkOption {
|
||||
|
|
|
|||
|
|
@ -25,7 +25,8 @@ in {
|
|||
[ "/dev/sda", "/dev/nvme0n1" ];
|
||||
'';
|
||||
description = ''
|
||||
Paths to disks that will be monitored.
|
||||
Paths to the disks that will be monitored. Will autodiscover
|
||||
all disks if none given.
|
||||
'';
|
||||
};
|
||||
maxInterval = mkOption {
|
||||
|
|
@ -41,13 +42,23 @@ in {
|
|||
serviceOpts = {
|
||||
serviceConfig = {
|
||||
AmbientCapabilities = [
|
||||
"CAP_RAW_SYSIO"
|
||||
"CAP_SYS_ADMIN"
|
||||
];
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_RAW_SYSIO"
|
||||
"CAP_SYS_ADMIN"
|
||||
];
|
||||
DevicePolicy = "closed";
|
||||
DeviceAllow = lib.mkForce cfg.devices;
|
||||
DeviceAllow = lib.mkOverride 100 (
|
||||
if cfg.devices != [] then
|
||||
cfg.devices
|
||||
else [
|
||||
"block-blkext rw"
|
||||
"block-sd rw"
|
||||
"char-nvme rw"
|
||||
]
|
||||
);
|
||||
ExecStart = ''
|
||||
${pkgs.prometheus-smartctl-exporter}/bin/smartctl_exporter -config ${configFile}
|
||||
'';
|
||||
|
|
|
|||
|
|
@ -599,6 +599,8 @@ in {
|
|||
timerConfig.Unit = "nextcloud-cron.service";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = ["d ${cfg.home} 0750 nextcloud nextcloud"];
|
||||
|
||||
systemd.services = {
|
||||
# When upgrading the Nextcloud package, Nextcloud can report errors such as
|
||||
# "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
|
||||
|
|
@ -720,8 +722,6 @@ in {
|
|||
before = [ "phpfpm-nextcloud.service" ];
|
||||
path = [ occ ];
|
||||
script = ''
|
||||
chmod og+x ${cfg.home}
|
||||
|
||||
${optionalString (c.dbpassFile != null) ''
|
||||
if [ ! -r "${c.dbpassFile}" ]; then
|
||||
echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..."
|
||||
|
|
@ -814,7 +814,6 @@ in {
|
|||
users.users.nextcloud = {
|
||||
home = "${cfg.home}";
|
||||
group = "nextcloud";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
use strict;
|
||||
use warnings;
|
||||
use Config::IniFiles;
|
||||
use File::Path qw(make_path);
|
||||
use File::Basename;
|
||||
use File::Slurp;
|
||||
|
|
@ -113,26 +114,77 @@ sub parseFstab {
|
|||
return ($fss, $swaps);
|
||||
}
|
||||
|
||||
sub parseUnit {
|
||||
my ($filename) = @_;
|
||||
my $info = {};
|
||||
parseKeyValues($info, read_file($filename)) if -f $filename;
|
||||
parseKeyValues($info, read_file("${filename}.d/overrides.conf")) if -f "${filename}.d/overrides.conf";
|
||||
return $info;
|
||||
}
|
||||
# This subroutine takes a single ini file that specified systemd configuration
|
||||
# like unit configuration and parses it into a hash where the keys are the sections
|
||||
# of the unit file and the values are hashes themselves. These hashes have the unit file
|
||||
# keys as their keys (left side of =) and an array of all values that were set as their
|
||||
# values. If a value is empty (for example `ExecStart=`), then all current definitions are
|
||||
# removed.
|
||||
#
|
||||
# Instead of returning the hash, this subroutine takes a hashref to return the data in. This
|
||||
# allows calling the subroutine multiple times with the same hash to parse override files.
|
||||
sub parseSystemdIni {
|
||||
my ($unitContents, $path) = @_;
|
||||
# Tie the ini file to a hash for easier access
|
||||
my %fileContents;
|
||||
tie %fileContents, "Config::IniFiles", (-file => $path, -allowempty => 1, -allowcontinue => 1);
|
||||
|
||||
sub parseKeyValues {
|
||||
my $info = shift;
|
||||
foreach my $line (@_) {
|
||||
# FIXME: not quite correct.
|
||||
$line =~ /^([^=]+)=(.*)$/ or next;
|
||||
$info->{$1} = $2;
|
||||
# Copy over all sections
|
||||
foreach my $sectionName (keys %fileContents) {
|
||||
# Copy over all keys
|
||||
foreach my $iniKey (keys %{$fileContents{$sectionName}}) {
|
||||
# Ensure the value is an array so it's easier to work with
|
||||
my $iniValue = $fileContents{$sectionName}{$iniKey};
|
||||
my @iniValues;
|
||||
if (ref($iniValue) eq "ARRAY") {
|
||||
@iniValues = @{$iniValue};
|
||||
} else {
|
||||
@iniValues = $iniValue;
|
||||
}
|
||||
# Go over all values
|
||||
for my $iniValue (@iniValues) {
|
||||
# If a value is empty, it's an override that tells us to clean the value
|
||||
if ($iniValue eq "") {
|
||||
delete $unitContents->{$sectionName}->{$iniKey};
|
||||
next;
|
||||
}
|
||||
push(@{$unitContents->{$sectionName}->{$iniKey}}, $iniValue);
|
||||
}
|
||||
}
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
sub boolIsTrue {
|
||||
my ($s) = @_;
|
||||
return $s eq "yes" || $s eq "true";
|
||||
# This subroutine takes the path to a systemd configuration file (like a unit configuration),
|
||||
# parses it, and returns a hash that contains the contents. The contents of this hash are
|
||||
# explained in the `parseSystemdIni` subroutine. Neither the sections nor the keys inside
|
||||
# the sections are consistently sorted.
|
||||
#
|
||||
# If a directory with the same basename ending in .d exists next to the unit file, it will be
|
||||
# assumed to contain override files which will be parsed as well and handled properly.
|
||||
sub parseUnit {
|
||||
my ($unitPath) = @_;
|
||||
|
||||
# Parse the main unit and all overrides
|
||||
my %unitData;
|
||||
parseSystemdIni(\%unitData, $_) for glob("${unitPath}{,.d/*.conf}");
|
||||
return %unitData;
|
||||
}
|
||||
|
||||
# Checks whether a specified boolean in a systemd unit is true
|
||||
# or false, with a default that is applied when the value is not set.
|
||||
sub parseSystemdBool {
|
||||
my ($unitConfig, $sectionName, $boolName, $default) = @_;
|
||||
|
||||
my @values = @{$unitConfig->{$sectionName}{$boolName} // []};
|
||||
# Return default if value is not set
|
||||
if (scalar @values lt 1 || not defined $values[-1]) {
|
||||
return $default;
|
||||
}
|
||||
# If value is defined multiple times, use the last definition
|
||||
my $last = $values[-1];
|
||||
# These are valid values as of systemd.syntax(7)
|
||||
return $last eq "1" || $last eq "yes" || $last eq "true" || $last eq "on";
|
||||
}
|
||||
|
||||
sub recordUnit {
|
||||
|
|
@ -167,17 +219,17 @@ sub handleModifiedUnit {
|
|||
# Revert of the attempt: https://github.com/NixOS/nixpkgs/pull/147609
|
||||
# More details: https://github.com/NixOS/nixpkgs/issues/74899#issuecomment-981142430
|
||||
} else {
|
||||
my $unitInfo = parseUnit($newUnitFile);
|
||||
if (boolIsTrue($unitInfo->{'X-ReloadIfChanged'} // "no")) {
|
||||
my %unitInfo = parseUnit($newUnitFile);
|
||||
if (parseSystemdBool(\%unitInfo, "Service", "X-ReloadIfChanged", 0)) {
|
||||
$unitsToReload->{$unit} = 1;
|
||||
recordUnit($reloadListFile, $unit);
|
||||
}
|
||||
elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") || boolIsTrue($unitInfo->{'X-OnlyManualStart'} // "no")) {
|
||||
elsif (!parseSystemdBool(\%unitInfo, "Service", "X-RestartIfChanged", 1) || parseSystemdBool(\%unitInfo, "Unit", "RefuseManualStop", 0) || parseSystemdBool(\%unitInfo, "Unit", "X-OnlyManualStart", 0)) {
|
||||
$unitsToSkip->{$unit} = 1;
|
||||
} else {
|
||||
# It doesn't make sense to stop and start non-services because
|
||||
# they can't have ExecStop=
|
||||
if (!boolIsTrue($unitInfo->{'X-StopIfChanged'} // "yes") || $unit !~ /\.service$/) {
|
||||
if (!parseSystemdBool(\%unitInfo, "Service", "X-StopIfChanged", 1) || $unit !~ /\.service$/) {
|
||||
# This unit should be restarted instead of
|
||||
# stopped and started.
|
||||
$unitsToRestart->{$unit} = 1;
|
||||
|
|
@ -188,7 +240,7 @@ sub handleModifiedUnit {
|
|||
# socket(s) instead of the service.
|
||||
my $socketActivated = 0;
|
||||
if ($unit =~ /\.service$/) {
|
||||
my @sockets = split / /, ($unitInfo->{Sockets} // "");
|
||||
my @sockets = split(/ /, join(" ", @{$unitInfo{Service}{Sockets} // []}));
|
||||
if (scalar @sockets == 0) {
|
||||
@sockets = ("$baseName.socket");
|
||||
}
|
||||
|
|
@ -254,12 +306,12 @@ while (my ($unit, $state) = each %{$activePrev}) {
|
|||
|
||||
if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) {
|
||||
if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") {
|
||||
my $unitInfo = parseUnit($prevUnitFile);
|
||||
$unitsToStop{$unit} = 1 if boolIsTrue($unitInfo->{'X-StopOnRemoval'} // "yes");
|
||||
my %unitInfo = parseUnit($prevUnitFile);
|
||||
$unitsToStop{$unit} = 1 if parseSystemdBool(\%unitInfo, "Unit", "X-StopOnRemoval", 1);
|
||||
}
|
||||
|
||||
elsif ($unit =~ /\.target$/) {
|
||||
my $unitInfo = parseUnit($newUnitFile);
|
||||
my %unitInfo = parseUnit($newUnitFile);
|
||||
|
||||
# Cause all active target units to be restarted below.
|
||||
# This should start most changed units we stop here as
|
||||
|
|
@ -268,7 +320,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
|
|||
# active after the system has resumed, which probably
|
||||
# should not be the case. Just ignore it.
|
||||
if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") {
|
||||
unless (boolIsTrue($unitInfo->{'RefuseManualStart'} // "no") || boolIsTrue($unitInfo->{'X-OnlyManualStart'} // "no")) {
|
||||
unless (parseSystemdBool(\%unitInfo, "Unit", "RefuseManualStart", 0) || parseSystemdBool(\%unitInfo, "Unit", "X-OnlyManualStart", 0)) {
|
||||
$unitsToStart{$unit} = 1;
|
||||
recordUnit($startListFile, $unit);
|
||||
# Don't spam the user with target units that always get started.
|
||||
|
|
@ -287,7 +339,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
|
|||
# Stopping a target generally has no effect on other units
|
||||
# (unless there is a PartOf dependency), so this is just a
|
||||
# bookkeeping thing to get systemd to do the right thing.
|
||||
if (boolIsTrue($unitInfo->{'X-StopOnReconfiguration'} // "no")) {
|
||||
if (parseSystemdBool(\%unitInfo, "Unit", "X-StopOnReconfiguration", 0)) {
|
||||
$unitsToStop{$unit} = 1;
|
||||
}
|
||||
}
|
||||
|
|
@ -546,33 +598,36 @@ my $activeNew = getActiveUnits;
|
|||
while (my ($unit, $state) = each %{$activeNew}) {
|
||||
if ($state->{state} eq "failed") {
|
||||
push @failed, $unit;
|
||||
next;
|
||||
}
|
||||
elsif ($state->{state} eq "auto-restart") {
|
||||
# A unit in auto-restart state is a failure *if* it previously failed to start
|
||||
my $lines = `@systemd@/bin/systemctl show '$unit'`;
|
||||
my $info = {};
|
||||
parseKeyValues($info, split("\n", $lines));
|
||||
|
||||
if ($info->{ExecMainStatus} ne '0') {
|
||||
if ($state->{substate} eq "auto-restart") {
|
||||
# A unit in auto-restart substate is a failure *if* it previously failed to start
|
||||
my $main_status = `@systemd@/bin/systemctl show --value --property=ExecMainStatus '$unit'`;
|
||||
chomp($main_status);
|
||||
|
||||
if ($main_status ne "0") {
|
||||
push @failed, $unit;
|
||||
next;
|
||||
}
|
||||
}
|
||||
|
||||
# Ignore scopes since they are not managed by this script but rather
|
||||
# created and managed by third-party services via the systemd dbus API.
|
||||
elsif ($state->{state} ne "failed" && !defined $activePrev->{$unit} && $unit !~ /\.scope$/) {
|
||||
# This only lists units that are not failed (including ones that are in auto-restart but have not failed previously)
|
||||
if ($state->{state} ne "failed" && !defined $activePrev->{$unit} && $unit !~ /\.scope$/msx) {
|
||||
push @new, $unit;
|
||||
}
|
||||
}
|
||||
|
||||
print STDERR "the following new units were started: ", join(", ", sort(@new)), "\n"
|
||||
if scalar @new > 0;
|
||||
if (scalar @new > 0) {
|
||||
print STDERR "the following new units were started: ", join(", ", sort(@new)), "\n"
|
||||
}
|
||||
|
||||
if (scalar @failed > 0) {
|
||||
print STDERR "warning: the following units failed: ", join(", ", sort(@failed)), "\n";
|
||||
foreach my $unit (@failed) {
|
||||
print STDERR "\n";
|
||||
system("COLUMNS=1000 @systemd@/bin/systemctl status --no-pager '$unit' >&2");
|
||||
}
|
||||
my @failed_sorted = sort @failed;
|
||||
print STDERR "warning: the following units failed: ", join(", ", @failed_sorted), "\n\n";
|
||||
system "@systemd@/bin/systemctl status --no-pager --full '" . join("' '", @failed_sorted) . "' >&2";
|
||||
$res = 4;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ let
|
|||
configurationName = config.boot.loader.grub.configurationName;
|
||||
|
||||
# Needed by switch-to-configuration.
|
||||
perl = pkgs.perl.withPackages (p: with p; [ FileSlurp NetDBus XMLParser XMLTwig ]);
|
||||
perl = pkgs.perl.withPackages (p: with p; [ FileSlurp NetDBus XMLParser XMLTwig ConfigIniFiles ]);
|
||||
};
|
||||
|
||||
# Handle assertions and warnings
|
||||
|
|
@ -156,7 +156,7 @@ in
|
|||
|
||||
specialisation = mkOption {
|
||||
default = {};
|
||||
example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }";
|
||||
example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }";
|
||||
description = ''
|
||||
Additional configurations to build. If
|
||||
<literal>inheritParentConfig</literal> is true, the system
|
||||
|
|
|
|||
|
|
@ -300,18 +300,15 @@ in {
|
|||
interpreterSandboxPath = dirOf (dirOf interpreterReg);
|
||||
} // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
|
||||
}) cfg.emulatedSystems);
|
||||
# TODO: add a nix.extraPlatforms option to NixOS!
|
||||
nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
|
||||
extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
|
||||
'';
|
||||
nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) (
|
||||
let
|
||||
nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
|
||||
extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
|
||||
extra-sandbox-paths = let
|
||||
ruleFor = system: cfg.registrations.${system};
|
||||
hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
|
||||
in [ "/run/binfmt" ]
|
||||
++ lib.optional hasWrappedRule "${pkgs.bash}"
|
||||
++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems)
|
||||
);
|
||||
++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems);
|
||||
};
|
||||
|
||||
environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
|
||||
(lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue