diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9f5279732fe4..8d8d70440e84 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -531,6 +531,29 @@
was added.
+
+
+ The configuration portion of the nix-daemon
+ module has been reworked and exposed as
+ nix.settings:
+
+
+
+
+ Legacy options have been mapped to the corresponding
+ options under under
+ nix.settings
+ but may be deprecated in the future.
+
+
+
+
+ nix.buildMachines.publicHostKey
+ has been added.
+
+
+
+
The
diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml
index 6c7fc57f8d83..ab2a5d83a089 100644
--- a/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixos/doc/manual/man-nixos-rebuild.xml
@@ -453,7 +453,7 @@
Allow ad-hoc remote builders for building the new system. This requires
the user executing nixos-rebuild (usually root) to be
configured as a trusted user in the Nix daemon. This can be achieved by
- using the nix.trustedUsers NixOS option. Examples
+ using the nix.settings.trusted-users NixOS option. Examples
values for that option are described in the Remote builds
chapter in the Nix manual, (i.e. --builders
"ssh://bigbrother x86_64-linux"). By specifying an empty string
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 629672259b21..61305fe70d65 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -183,6 +183,10 @@ In addition to numerous new and upgraded packages, this release has the followin
Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added.
+- The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings):
+ * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) but may be deprecated in the future.
+ * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added.
+
- The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.
- The `influxdb2` package was split into `influxdb2-server` and
diff --git a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix
index 855bd3bab719..d283742701d1 100644
--- a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix
+++ b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix
@@ -17,7 +17,7 @@ in
description = "Azure NixOS Test User";
openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ];
};
- nix.trustedUsers = [ username ];
+ nix.settings.trusted-users = [ username ];
virtualisation.azureImage.diskSize = 2500;
diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix
index 2768e17590b3..27a7651382b2 100644
--- a/nixos/modules/installer/virtualbox-demo.nix
+++ b/nixos/modules/installer/virtualbox-demo.nix
@@ -25,7 +25,7 @@ with lib;
installer.cloneConfigExtra = ''
# Let demo build as a trusted user.
- # nix.trustedUsers = [ "demo" ];
+ # nix.settings.trusted-users = [ "demo" ];
# Mount a VirtualBox shared folder.
# This is configurable in the VirtualBox menu at
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 3f8f78f012a7..856ee480fc0b 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -17,7 +17,7 @@ with lib;
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
- nix.allowedUsers = mkDefault [ "@users" ];
+ nix.settings.allowed-users = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index e7abc1e0d597..c20e067b8cc7 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -123,8 +123,8 @@ with lib;
boot.kernel.sysctl."user.max_user_namespaces" = 0;
assertions = [
- { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
- message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+ { assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces;
+ message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
})
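Review bot: The rewritten assertion at L97 still feeds `config.nix.settings.sandbox` to `->`, which needs a boolean, but the option is typed `either bool (enum [ "relaxed" ])` elsewhere in this commit, so a system with `sandbox = "relaxed"` and user namespaces disabled aborts evaluation with a type error instead of printing the intended message. This is inherited from `nix.useSandbox`, but since the line is being rewritten it is cheap to fix: `assertion = (config.nix.settings.sandbox != false) -> config.security.allowUserNamespaces;`. The message could then read `` `nix.settings.sandbox` (true or "relaxed") conflicts with `!security.allowUserNamespaces`. `` The enclosing `mkIf` block starts before the hunk.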
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index d4b8541c6a1b..dc58c6345239 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -147,7 +147,7 @@ in
concurrent = mkOption {
type = types.int;
default = 1;
- example = literalExpression "config.nix.maxJobs";
+ example = literalExpression "config.nix.settings.max-jobs";
description = ''
Limits how many jobs globally can be run concurrently.
The most upper limit of jobs using all defined runners.
diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
index 968bc8f1e54e..ef1933e12284 100644
--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
@@ -67,7 +67,7 @@ in
# Trusted user allows simplified configuration and better performance
# when operating in a cluster.
- nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
+ nix.settings.trusted-users = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ];
services.hercules-ci-agent = {
settings = {
nixUserIsTrusted = true;
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index ccb7cc21734e..cc5de97d6d10 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -258,8 +258,6 @@ in
uid = config.ids.uids.hydra-www;
};
- nix.trustedUsers = [ "hydra-queue-runner" ];
-
services.hydra.extraConfig =
''
using_frontend_proxy = 1
@@ -277,16 +275,21 @@ in
environment.variables = hydraEnv;
- nix.extraOptions = ''
- keep-outputs = true
- keep-derivations = true
+ nix.settings = mkMerge [
+ {
+ keep-outputs = true;
+ keep-derivations = true;
+ trusted-users = [ "hydra-queue-runner" ];
+ }
-
- '' + optionalString (versionOlder (getVersion config.nix.package.out) "2.4pre") ''
- # The default (`true') slows Nix down a lot since the build farm
- # has so many GC roots.
- gc-check-reachability = false
- '';
+ (mkIf (versionOlder (getVersion config.nix.package.out) "2.4pre")
+ {
+ # The default (`true') slows Nix down a lot since the build farm
+ # has so many GC roots.
+ gc-check-reachability = false;
+ }
+ )
+ ];
systemd.services.hydra-init =
{ wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 869feb05eb7b..10f9a4afb36c 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -6,20 +6,20 @@ let
cfg = config.nix;
- nix = cfg.package.out;
+ nixPackage = cfg.package.out;
- nixVersion = getVersion nix;
-
- isNix23 = versionAtLeast nixVersion "2.3pre";
+ isNixAtLeast = versionAtLeast (getVersion nixPackage);
makeNixBuildUser = nr: {
- name = "nixbld${toString nr}";
+ name = "nixbld${toString nr}";
value = {
description = "Nix build user ${toString nr}";
- /* For consistency with the setgid(2), setuid(2), and setgroups(2)
- calls in `libstore/build.cc', don't add any supplementary group
- here except "nixbld". */
+ /*
+ For consistency with the setgid(2), setuid(2), and setgroups(2)
+ calls in `libstore/build.cc', don't add any supplementary group
+ here except "nixbld".
+ */
uid = builtins.add config.ids.uids.nixbld nr;
isSystemUser = true;
group = "nixbld";
@@ -30,43 +30,82 @@ let
nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));
nixConf =
- assert versionAtLeast nixVersion "2.2";
- pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (
- ''
- cat > $out </dev/null
- '')
- );
+ ${mkKeyValuePairs cfg.settings}
+ ${cfg.extraOptions}
+ '';
+ checkPhase =
+ if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
+ echo "Ignoring validation for cross-compilation"
+ ''
+ else ''
+ echo "Validating generated nix.conf"
+ ln -s $out ./nix.conf
+ set -e
+ set +o pipefail
+ NIX_CONF_DIR=$PWD \
+ ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net --option experimental-features nix-command"} \
+ |& sed -e 's/^warning:/error:/' \
+ | (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}')
+ set -o pipefail
+ '';
+ };
+
+ legacyConfMappings = {
+ useSandbox = "sandbox";
+ buildCores = "cores";
+ maxJobs = "max-jobs";
+ sandboxPaths = "extra-sandbox-paths";
+ binaryCaches = "substituters";
+ trustedBinaryCaches = "trusted-substituters";
+ binaryCachePublicKeys = "trusted-public-keys";
+ autoOptimiseStore = "auto-optimise-store";
+ requireSignedBinaryCaches = "require-sigs";
+ trustedUsers = "trusted-users";
+ allowedUsers = "allowed-users";
+ systemFeatures = "system-feature";
+ };
+
+ semanticConfType = with types;
+ let
+ confAtom = nullOr
+ (oneOf [
+ bool
+ int
+ float
+ str
+ path
+ package
+ ]) // {
+ description = "Nix config atom (null, bool, int, float, str, path or package)";
+ };
+ in
+ attrsOf (either confAtom (listOf confAtom));
in
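Review bot: `legacyConfMappings.systemFeatures` (L235) maps the old option to `system-feature`, but the option declared in the new `settings` submodule and the Nix setting are both `system-features`, so a configuration still using `nix.systemFeatures` gets its value written under an unknown key — which the `checkPhase` grep for `error: unknown setting` rejects regardless of `checkConfig` — while the real `system-features` silently keeps the module default. Change it to `systemFeatures = "system-features";`. Separately, `checkPhase` runs with `set +o pipefail` and only fails on lines starting with `error:`, so a `nix show-config` that dies without printing such a line still passes validation; a comment stating that this is accepted, or an explicit exit-status check, would help. The `mkKeyValuePairs` helper used at L203 is not visible in this chunk.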
@@ -76,7 +115,7 @@ in
(mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
(mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ])
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
- ];
+ ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
###### interface
@@ -102,81 +141,6 @@ in
'';
};
- maxJobs = mkOption {
- type = types.either types.int (types.enum ["auto"]);
- default = "auto";
- example = 64;
- description = ''
- This option defines the maximum number of jobs that Nix will try to
- build in parallel. The default is auto, which means it will use all
- available logical cores. It is recommend to set it to the total
- number of logical cores in your system (e.g., 16 for two CPUs with 4
- cores each and hyper-threading).
- '';
- };
-
- autoOptimiseStore = mkOption {
- type = types.bool;
- default = false;
- example = true;
- description = ''
- If set to true, Nix automatically detects files in the store that have
- identical contents, and replaces them with hard links to a single copy.
- This saves disk space. If set to false (the default), you can still run
- nix-store --optimise to get rid of duplicate files.
- '';
- };
-
- buildCores = mkOption {
- type = types.int;
- default = 0;
- example = 64;
- description = ''
- This option defines the maximum number of concurrent tasks during
- one build. It affects, e.g., -j option for make.
- The special value 0 means that the builder should use all
- available CPU cores in the system. Some builds may become
- non-deterministic with this option; use with care! Packages will
- only be affected if enableParallelBuilding is set for them.
- '';
- };
-
- useSandbox = mkOption {
- type = types.either types.bool (types.enum ["relaxed"]);
- default = true;
- description = "
- If set, Nix will perform builds in a sandboxed environment that it
- will set up automatically for each build. This prevents impurities
- in builds by disallowing access to dependencies outside of the Nix
- store by using network and mount namespaces in a chroot environment.
- This is enabled by default even though it has a possible performance
- impact due to the initial setup time of a sandbox for each build. It
- doesn't affect derivation hashes, so changing this option will not
- trigger a rebuild of packages.
- ";
- };
-
- sandboxPaths = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "/dev" "/proc" ];
- description =
- ''
- Directories from the host filesystem to be included
- in the sandbox.
- '';
- };
-
- extraOptions = mkOption {
- type = types.lines;
- default = "";
- example = ''
- keep-outputs = true
- keep-derivations = true
- '';
- description = "Additional text appended to nix.conf.";
- };
-
distributedBuilds = mkOption {
type = types.bool;
default = false;
@@ -187,7 +151,7 @@ in
};
daemonCPUSchedPolicy = mkOption {
- type = types.enum ["other" "batch" "idle"];
+ type = types.enum [ "other" "batch" "idle" ];
default = "other";
example = "batch";
description = ''
@@ -218,7 +182,7 @@ in
};
daemonIOSchedClass = mkOption {
- type = types.enum ["best-effort" "idle"];
+ type = types.enum [ "best-effort" "idle" ];
default = "best-effort";
example = "idle";
description = ''
@@ -250,11 +214,11 @@ in
scheduling policy: With idle, priorities are not used in scheduling
decisions. best-effort supports values in the range 0 (high) to 7
(low).
- '';
+ '';
};
buildMachines = mkOption {
- type = types.listOf (types.submodule ({
+ type = types.listOf (types.submodule {
options = {
hostName = mkOption {
type = types.str;
@@ -276,7 +240,7 @@ in
};
systems = mkOption {
type = types.listOf types.str;
- default = [];
+ default = [ ];
example = [ "x86_64-linux" "aarch64-linux" ];
description = ''
The system types the build machine can execute derivations on.
@@ -293,7 +257,7 @@ in
The username to log in as on the remote host. This user must be
able to log in and run nix commands non-interactively. It must
also be privileged to build derivations, so must be included in
- .
+ .
'';
};
sshKey = mkOption {
@@ -331,7 +295,7 @@ in
};
mandatoryFeatures = mkOption {
type = types.listOf types.str;
- default = [];
+ default = [ ];
example = [ "big-parallel" ];
description = ''
A list of features mandatory for this builder. The builder will
@@ -342,7 +306,7 @@ in
};
supportedFeatures = mkOption {
type = types.listOf types.str;
- default = [];
+ default = [ ];
example = [ "kvm" "big-parallel" ];
description = ''
A list of features supported by this builder. The builder will
@@ -350,9 +314,18 @@ in
list.
'';
};
+ publicHostKey = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The (base64-encoded) public host key of this builder. The field
+ is calculated via base64 -w0 /etc/ssh/ssh_host_type_key.pub.
+ If null, SSH will use its regular known-hosts file when connecting.
+ '';
+ };
};
- }));
- default = [];
+ });
+ default = [ ];
description = ''
This option lists the machines to be used if distributed builds are
enabled (see ).
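Review bot: `publicHostKey` is typed `types.nullOr types.str`, yet later in this commit the value is spliced into the space-separated `/etc/nix/machines` line, so a value containing whitespace corrupts the entry; `types.nullOr (types.strMatching "[A-Za-z0-9+/=]+")` would reject that at evaluation time. The description should also say why one sets it — presumably it pins the builder's host key so the build connection fails on a mismatch rather than trusting whatever root's known_hosts holds — and that the `environment.etc."nix/machines"` code only emits it for Nix >= 2.4pre, so it is silently dropped on older Nix. `ssh_host_type_key.pub` reads like a lost placeholder; `ssh_host_ed25519_key.pub` is a concrete example. The enclosing `buildMachines` option starts before the hunk.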
@@ -366,7 +339,7 @@ in
envVars = mkOption {
type = types.attrs;
internal = true;
- default = {};
+ default = { };
description = "Environment variables used by Nix.";
};
@@ -391,92 +364,13 @@ in
'';
};
- binaryCaches = mkOption {
- type = types.listOf types.str;
- description = ''
- List of binary cache URLs used to obtain pre-built binaries
- of Nix packages.
-
- By default https://cache.nixos.org/ is added,
- to override it use lib.mkForce [].
- '';
- };
-
- trustedBinaryCaches = mkOption {
- type = types.listOf types.str;
- default = [ ];
- example = [ "https://hydra.nixos.org/" ];
- description = ''
- List of binary cache URLs that non-root users can use (in
- addition to those specified using
- ) by passing
- --option binary-caches to Nix commands.
- '';
- };
-
- requireSignedBinaryCaches = mkOption {
- type = types.bool;
- default = true;
- description = ''
- If enabled (the default), Nix will only download binaries from binary caches if
- they are cryptographically signed with any of the keys listed in
- . If disabled, signatures are neither
- required nor checked, so it's strongly recommended that you use only
- trustworthy caches and https to prevent man-in-the-middle attacks.
- '';
- };
-
- binaryCachePublicKeys = mkOption {
- type = types.listOf types.str;
- example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
- description = ''
- List of public keys used to sign binary caches. If
- is enabled,
- then Nix will use a binary from a binary cache if and only
- if it is signed by any of the keys
- listed here. By default, only the key for
- cache.nixos.org is included.
- '';
- };
-
- trustedUsers = mkOption {
- type = types.listOf types.str;
- default = [ "root" ];
- example = [ "root" "alice" "@wheel" ];
- description = ''
- A list of names of users that have additional rights when
- connecting to the Nix daemon, such as the ability to specify
- additional binary caches, or to import unsigned NARs. You
- can also specify groups by prefixing them with
- @; for instance,
- @wheel means all users in the wheel
- group.
- '';
- };
-
- allowedUsers = mkOption {
- type = types.listOf types.str;
- default = [ "*" ];
- example = [ "@wheel" "@builders" "alice" "bob" ];
- description = ''
- A list of names of users (separated by whitespace) that are
- allowed to connect to the Nix daemon. As with
- , you can specify groups by
- prefixing them with @. Also, you can
- allow all users by specifying *. The
- default is *. Note that trusted users are
- always allowed to connect.
- '';
- };
-
nixPath = mkOption {
type = types.listOf types.str;
- default =
- [
- "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
- "nixos-config=/etc/nixos/configuration.nix"
- "/nix/var/nix/profiles/per-user/root/channels"
- ];
+ default = [
+ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
+ "nixos-config=/etc/nixos/configuration.nix"
+ "/nix/var/nix/profiles/per-user/root/channels"
+ ];
description = ''
The default Nix expression search path, used by the Nix
evaluator to look up paths enclosed in angle brackets
@@ -484,45 +378,44 @@ in
'';
};
- systemFeatures = mkOption {
- type = types.listOf types.str;
- example = [ "kvm" "big-parallel" "gccarch-skylake" ];
- description = ''
- The supported features of a machine
- '';
- };
-
checkConfig = mkOption {
type = types.bool;
default = true;
description = ''
- If enabled (the default), checks that Nix can parse the generated nix.conf.
+ If enabled (the default), checks for data type mismatches and that Nix
+ can parse the generated nix.conf.
'';
};
registry = mkOption {
type = types.attrsOf (types.submodule (
let
- inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]);
+ referenceAttrs = with types; attrsOf (oneOf [
+ str
+ int
+ bool
+ package
+ ]);
in
{ config, name, ... }:
- { options = {
+ {
+ options = {
from = mkOption {
- type = inputAttrs;
+ type = referenceAttrs;
example = { type = "indirect"; id = "nixpkgs"; };
description = "The flake reference to be rewritten.";
};
to = mkOption {
- type = inputAttrs;
+ type = referenceAttrs;
example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
- description = "The flake reference to which is to be rewritten.";
+ description = "The flake reference is rewritten to.";
};
flake = mkOption {
type = types.nullOr types.attrs;
default = null;
example = literalExpression "nixpkgs";
description = ''
- The flake input to which is to be rewritten.
+ The flake input is rewritten to.
'';
};
exact = mkOption {
@@ -537,35 +430,232 @@ in
};
config = {
from = mkDefault { type = "indirect"; id = name; };
- to = mkIf (config.flake != null)
- ({ type = "path";
- path = config.flake.outPath;
- } // lib.filterAttrs
- (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
- config.flake);
+ to = mkIf (config.flake != null) (mkDefault
+ {
+ type = "path";
+ path = config.flake.outPath;
+ } // filterAttrs
+ (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+ config.flake);
};
}
));
- default = {};
+ default = { };
description = ''
A system-wide flake registry.
'';
};
- };
+ extraOptions = mkOption {
+ type = types.lines;
+ default = "";
+ example = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ description = "Additional text appended to nix.conf.";
+ };
+ settings = mkOption {
+ type = types.submodule {
+ freeformType = semanticConfType;
+
+ options = {
+ max-jobs = mkOption {
+ type = types.either types.int (types.enum [ "auto" ]);
+ default = "auto";
+ example = 64;
+ description = ''
+ This option defines the maximum number of jobs that Nix will try to
+ build in parallel. The default is auto, which means it will use all
+ available logical cores. It is recommend to set it to the total
+ number of logical cores in your system (e.g., 16 for two CPUs with 4
+ cores each and hyper-threading).
+ '';
+ };
+
+ auto-optimise-store = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = ''
+ If set to true, Nix automatically detects files in the store that have
+ identical contents, and replaces them with hard links to a single copy.
+ This saves disk space. If set to false (the default), you can still run
+ nix-store --optimise to get rid of duplicate files.
+ '';
+ };
+
+ cores = mkOption {
+ type = types.int;
+ default = 0;
+ example = 64;
+ description = ''
+ This option defines the maximum number of concurrent tasks during
+ one build. It affects, e.g., -j option for make.
+ The special value 0 means that the builder should use all
+ available CPU cores in the system. Some builds may become
+ non-deterministic with this option; use with care! Packages will
+ only be affected if enableParallelBuilding is set for them.
+ '';
+ };
+
+ sandbox = mkOption {
+ type = types.either types.bool (types.enum [ "relaxed" ]);
+ default = true;
+ description = ''
+ If set, Nix will perform builds in a sandboxed environment that it
+ will set up automatically for each build. This prevents impurities
+ in builds by disallowing access to dependencies outside of the Nix
+ store by using network and mount namespaces in a chroot environment.
+ This is enabled by default even though it has a possible performance
+ impact due to the initial setup time of a sandbox for each build. It
+ doesn't affect derivation hashes, so changing this option will not
+ trigger a rebuild of packages.
+ '';
+ };
+
+ extra-sandbox-paths = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "/dev" "/proc" ];
+ description = ''
+ Directories from the host filesystem to be included
+ in the sandbox.
+ '';
+ };
+
+ substituters = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ List of binary cache URLs used to obtain pre-built binaries
+ of Nix packages.
+
+ By default https://cache.nixos.org/ is added.
+ '';
+ };
+
+ trusted-substituters = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = [ "https://hydra.nixos.org/" ];
+ description = ''
+ List of binary cache URLs that non-root users can use (in
+ addition to those specified using
+ ) by passing
+ --option binary-caches to Nix commands.
+ '';
+ };
+
+ require-sigs = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ If enabled (the default), Nix will only download binaries from binary caches if
+ they are cryptographically signed with any of the keys listed in
+ . If disabled, signatures are neither
+ required nor checked, so it's strongly recommended that you use only
+ trustworthy caches and https to prevent man-in-the-middle attacks.
+ '';
+ };
+
+ trusted-public-keys = mkOption {
+ type = types.listOf types.str;
+ example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+ description = ''
+ List of public keys used to sign binary caches. If
+ is enabled,
+ then Nix will use a binary from a binary cache if and only
+ if it is signed by any of the keys
+ listed here. By default, only the key for
+ cache.nixos.org is included.
+ '';
+ };
+
+ trusted-users = mkOption {
+ type = types.listOf types.str;
+ default = [ "root" ];
+ example = [ "root" "alice" "@wheel" ];
+ description = ''
+ A list of names of users that have additional rights when
+ connecting to the Nix daemon, such as the ability to specify
+ additional binary caches, or to import unsigned NARs. You
+ can also specify groups by prefixing them with
+ @; for instance,
+ @wheel means all users in the wheel
+ group.
+ '';
+ };
+
+ system-features = mkOption {
+ type = types.listOf types.str;
+ example = [ "kvm" "big-parallel" "gccarch-skylake" ];
+ description = ''
+ The set of features supported by the machine. Derivations
+ can express dependencies on system features through the
+ requiredSystemFeatures attribute.
+
+ By default, pseudo-features nixos-test, benchmark,
+ and big-parallel used in Nixpkgs are set, kvm
+ is also included in it is avaliable.
+ '';
+ };
+
+ allowed-users = mkOption {
+ type = types.listOf types.str;
+ default = [ "*" ];
+ example = [ "@wheel" "@builders" "alice" "bob" ];
+ description = ''
+ A list of names of users (separated by whitespace) that are
+ allowed to connect to the Nix daemon. As with
+ , you can specify groups by
+ prefixing them with @. Also, you can
+ allow all users by specifying *. The
+ default is *. Note that trusted users are
+ always allowed to connect.
+ '';
+ };
+ };
+ };
+ default = { };
+ example = literalExpression ''
+ {
+ use-sandbox = true;
+ show-trace = true;
+
+ system-features = [ "big-parallel" "kvm" "recursive-nix" ];
+ sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; };
+ }
+ '';
+ description = ''
+ Configuration for Nix, see
+ or
+
+ nix.conf
+ 5
+ for avalaible options.
+ The value declared here will be translated directly to the key-value pairs Nix expects.
+
+
+ You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings
+ to view the current value. By default it is empty.
+
+
+ Nix configurations defined under will be translated and applied to this
+ option. In addition, configuration specified in which will be appended
+ verbatim to the resulting config file.
+ '';
+ };
+ };
};
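Review bot: In the registry `to` default (L601-L607) function application binds tighter than `//`, so the value is `(mkDefault { type = "path"; path = ...; }) // filterAttrs ... config.flake`: the `lastModified`/`rev`/`revCount`/`narHash` attributes land on the `mkDefault` wrapper instead of its content and are silently dropped, losing the `narHash` pin the old code wrote. Wrap the whole set: `to = mkIf (config.flake != null) (mkDefault ({ type = "path"; path = config.flake.outPath; } // filterAttrs (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") config.flake));`. Separately, the `settings` example (L789-L797) does not satisfy its own type: `use-sandbox` is not a Nix setting (the declared option is `sandbox`), and `sandbox-paths` as an attribute set is rejected by `semanticConfType`, which allows only atoms or lists of atoms; `sandbox = true;` and `sandbox-paths = [ "/bin/sh=${pkgs.busybox-sandbox-shell.out}/bin/busybox" ];` would fit. The description could also warn that `extraOptions` is appended after the generated pairs, so a key set there overrides the same key in `settings` if Nix honours the last assignment.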
###### implementation
config = mkIf cfg.enable {
-
- nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
- nix.binaryCaches = [ "https://cache.nixos.org/" ];
-
environment.systemPackages =
- [ nix
+ [
+ nixPackage
pkgs.nix-info
]
++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;
@@ -579,44 +669,49 @@ in
# List of machines for distributed Nix builds in the format
# expected by build-remote.pl.
- environment.etc."nix/machines" =
- { enable = cfg.buildMachines != [];
- text =
- concatMapStrings (machine:
- "${if machine.sshUser != null then "${machine.sshUser}@" else ""}${machine.hostName} "
- + (if machine.system != null then machine.system else concatStringsSep "," machine.systems)
- + " ${if machine.sshKey != null then machine.sshKey else "-"} ${toString machine.maxJobs} "
- + toString (machine.speedFactor)
- + " "
- + concatStringsSep "," (machine.mandatoryFeatures ++ machine.supportedFeatures)
- + " "
- + concatStringsSep "," machine.mandatoryFeatures
+ environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) {
+ text =
+ concatMapStrings
+ (machine:
+ (concatStringsSep " " [
+ "${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}"
+ (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-")
+ (if machine.sshKey != null then machine.sshKey else "-")
+ (toString machine.maxJobs)
+ (toString machine.speedFactor)
+ (concatStringsSep "," machine.supportedFeatures)
+ (concatStringsSep "," machine.mandatoryFeatures)
+ ]
+ ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))
+ "\n"
- ) cfg.buildMachines;
- };
+ )
+ cfg.buildMachines;
+ };
+
assertions =
- let badMachine = m: m.system == null && m.systems == [];
- in [
+ let badMachine = m: m.system == null && m.systems == [ ];
+ in
+ [
{
- assertion = !(builtins.any badMachine cfg.buildMachines);
+ assertion = !(any badMachine cfg.buildMachines);
message = ''
At least one system type (via system or
systems) must be set for every build machine.
Invalid machine specifications:
'' + " " +
- (builtins.concatStringsSep "\n "
- (builtins.map (m: m.hostName)
- (builtins.filter (badMachine) cfg.buildMachines)));
+ (concatStringsSep "\n "
+ (map (m: m.hostName)
+ (filter (badMachine) cfg.buildMachines)));
}
];
-
- systemd.packages = [ nix ];
+ systemd.packages = [ nixPackage ];
systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
systemd.services.nix-daemon =
- { path = [ nix pkgs.util-linux config.programs.ssh.package ]
+ {
+ path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
++ optionals cfg.distributedBuilds [ pkgs.gzip ];
environment = cfg.envVars
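Review bot: The supported- and mandatory-features columns (L857-L858) are written as bare `concatStringsSep "," ...` with no `-` placeholder, unlike `system`, `sshKey` and `publicHostKey`, so a machine with an empty list emits an empty field; if Nix splits the line on runs of whitespace, the later columns shift left and a configured `publicHostKey` is read as a feature list (in the old code both lists were trailing, so the gap was harmless). Use the same fallback: `(if machine.supportedFeatures != [ ] then concatStringsSep "," machine.supportedFeatures else "-")` and likewise for `mandatoryFeatures`. The old line also listed `mandatoryFeatures` inside the supported column; if older Nix does not treat mandatory features as implicitly supported, dropping them is a behaviour change worth a comment.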
@@ -626,7 +721,8 @@ in
unitConfig.RequiresMountsFor = "/nix/store";
serviceConfig =
- { CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
+ {
+ CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
IOSchedulingClass = cfg.daemonIOSchedClass;
IOSchedulingPriority = cfg.daemonIOSchedPriority;
LimitNOFILE = 4096;
@@ -636,9 +732,7 @@ in
};
# Set up the environment variables for running Nix.
- environment.sessionVariables = cfg.envVars //
- { NIX_PATH = cfg.nixPath;
- };
+ environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };
environment.extraInit =
''
@@ -647,7 +741,7 @@ in
fi
'';
- nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));
+ nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
users.users = nixbldUsers;
@@ -663,14 +757,26 @@ in
fi
'';
- nix.systemFeatures = mkDefault (
- [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
- optionals (pkgs.hostPlatform ? gcc.arch) (
- # a builder can run code for `gcc.arch` and inferior architectures
- [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
- map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
- )
- );
+ # Legacy configuration conversion.
+ nix.settings = mkMerge [
+ {
+ trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+ substituters = [ "https://cache.nixos.org/" ];
+
+ system-features = mkDefault (
+ [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
+ optionals (pkgs.hostPlatform ? gcc.arch) (
+ # a builder can run code for `gcc.arch` and inferior architectures
+ [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
+ map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
+ )
+ );
+ }
+
+ (mkIf (!cfg.distributedBuilds) { builders = null; })
+
+ (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
+ ];
};
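Review bot: The comment `# Legacy configuration conversion.` at L935 describes the removed code rather than what follows: this block sets the module defaults (`cache.nixos.org` and its signing key, the host's `system-features`, no `builders` without distributed builds) plus the hardening value `sandbox-fallback = false`. Something like `# Module defaults, plus hardening: never fall back to an unsandboxed build when the sandbox cannot be set up.` would help. Because `sandbox-fallback` is set without `mkDefault` and the freeform type merges a single value, a user who needs the fallback must use `mkForce`; either say so here or use `mkDefault false` if the hard setting is not deliberate.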
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index d5c64fdb2647..355fad5db468 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -20,7 +20,7 @@ in {
write = mkOption {
type = types.bool;
default = false;
- description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations.";
+ description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the option in most use cases, such as allowing remote building of derivations.";
};
keys = mkOption {
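Review bot: As rendered here, the new `description` reads "nix-ssh should be added to the option in most use cases" with no option named, because the replaced text dropped the old `nix.trustedUsers` reference. If the name is carried in markup that this view does not show, disregard; otherwise the sentence should name the new option, e.g. `nix-ssh should be added to the nix.settings.trusted-users option in most use cases, …`, since the whole point of the note is to tell the reader which option grants trust.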
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index 18ac717f5dd6..40afa551c7fc 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -156,7 +156,7 @@ in
specialisation = mkOption {
default = {};
- example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.buildCores = 0; nix.maxJobs = 1; }; }";
+ example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }";
description = ''
Additional configurations to build. If
inheritParentConfig is true, the system
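Review bot: The updated `example` uses `core = 0`, but the nix.conf setting that `nix.buildCores` maps to is `cores`, so the example as written would not set what its name `fewJobsManyCores` suggests. Change the line to `example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { cores = 0; max-jobs = 1; }; }";`. The `specialisation` option definition continues beyond this hunk.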
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix
index 5bc603530f7e..33748358e45b 100644
--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
@@ -300,18 +300,15 @@ in {
interpreterSandboxPath = dirOf (dirOf interpreterReg);
} // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
}) cfg.emulatedSystems);
- # TODO: add a nix.extraPlatforms option to NixOS!
- nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
- extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
- '';
- nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) (
- let
+ nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
+ extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
+ extra-sandbox-paths = let
ruleFor = system: cfg.registrations.${system};
hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
in [ "/run/binfmt" ]
++ lib.optional hasWrappedRule "${pkgs.bash}"
- ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems)
- );
+ ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems);
+ };
environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
(lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix
index a126a5480c03..14001657bee0 100644
--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -10,8 +10,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
# XXX: Sandbox setup fails while trying to hardlink files from the host's
# store file system into the prepared chroot directory.
- nix.useSandbox = false;
- nix.binaryCaches = []; # don't try to access cache.nixos.org
+ nix.settings.sandbox = false;
+ nix.settings.substituters = []; # don't try to access cache.nixos.org
virtualisation.writableStore = true;
# Make sure we always have all the required dependencies for creating a
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index da7e0972e131..dc455f971f5c 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -11,7 +11,7 @@ import ./make-test-python.nix ({ pkgs, ... } : {
users.users.sybil = { isNormalUser = true; group = "wheel"; };
imports = [ ../modules/profiles/hardened.nix ];
environment.memoryAllocator.provider = "graphene-hardened";
- nix.useSandbox = false;
+ nix.settings.sandbox = false;
virtualisation.emptyDiskImages = [ 4096 ];
boot.initrd.postDeviceCommands = ''
${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix
index 4f05b99a5a11..3880f1649bd3 100644
--- a/nixos/tests/hibernate.nix
+++ b/nixos/tests/hibernate.nix
@@ -45,11 +45,11 @@ in makeTest {
../modules/profiles/base.nix
];
- nix.binaryCaches = mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
virtualisation.diskSize = 8 * 1024;
virtualisation.emptyDiskImages = [
diff --git a/nixos/tests/hydra/common.nix b/nixos/tests/hydra/common.nix
index 1a3a4d8fb3d4..fdf2b2c6f6dc 100644
--- a/nixos/tests/hydra/common.nix
+++ b/nixos/tests/hydra/common.nix
@@ -42,7 +42,7 @@
hostName = "localhost";
systems = [ system ];
}];
- binaryCaches = [];
+ settings.substituters = [];
};
};
}
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 7c7eb004e550..761020571fa6 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -334,11 +334,11 @@ let
(pkgs.grub2_efi.override { inherit zfsSupport; })
]);
- nix.binaryCaches = mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
};
};
diff --git a/nixos/tests/iscsi-multipath-root.nix b/nixos/tests/iscsi-multipath-root.nix
index a26fea503b62..92ae9990c947 100644
--- a/nixos/tests/iscsi-multipath-root.nix
+++ b/nixos/tests/iscsi-multipath-root.nix
@@ -111,11 +111,11 @@ import ./make-test-python.nix (
environment.etc."initiator-root-disk-closure".source = nodes.initiatorRootDisk.config.system.build.toplevel;
- nix.binaryCaches = lib.mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [ ];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
};
initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
diff --git a/nixos/tests/iscsi-root.nix b/nixos/tests/iscsi-root.nix
index bda51d2c2e42..eb0719edc379 100644
--- a/nixos/tests/iscsi-root.nix
+++ b/nixos/tests/iscsi-root.nix
@@ -95,11 +95,11 @@ import ./make-test-python.nix (
system.extraDependencies = [ nodes.initiatorRootDisk.config.system.build.toplevel ];
- nix.binaryCaches = lib.mkForce [];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
};
initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: {
diff --git a/nixos/tests/nixops/default.nix b/nixos/tests/nixops/default.nix
index ec3d028aabae..b25fc95f4b30 100644
--- a/nixos/tests/nixops/default.nix
+++ b/nixos/tests/nixops/default.nix
@@ -23,7 +23,7 @@ let
deployer = { config, lib, nodes, pkgs, ... }: {
imports = [ ../../modules/installer/cd-dvd/channel.nix ];
environment.systemPackages = [ nixopsPkg ];
- nix.binaryCaches = lib.mkForce [ ];
+ nix.settings.substituters = lib.mkForce [ ];
users.users.person.isNormalUser = true;
virtualisation.writableStore = true;
virtualisation.additionalPaths = [
diff --git a/nixos/tests/nixops/legacy/base-configuration.nix b/nixos/tests/nixops/legacy/base-configuration.nix
index dba960f595c2..7f1c07a5c4a9 100644
--- a/nixos/tests/nixops/legacy/base-configuration.nix
+++ b/nixos/tests/nixops/legacy/base-configuration.nix
@@ -16,7 +16,7 @@ in
(modulesPath + "/testing/test-instrumentation.nix")
];
virtualisation.writableStore = true;
- nix.binaryCaches = lib.mkForce [ ];
+ nix.settings.substituters = lib.mkForce [ ];
virtualisation.graphics = false;
documentation.enable = false;
services.qemuGuest.enable = true;
diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix
index c1e29b0f68b4..90375450fe1b 100644
--- a/nixos/tests/os-prober.nix
+++ b/nixos/tests/os-prober.nix
@@ -43,11 +43,11 @@ let
# vda is a filesystem without partition table
forceInstall = true;
};
- nix.binaryCaches = lib.mkForce [ ];
- nix.extraOptions = ''
- hashed-mirrors =
- connect-timeout = 1
- '';
+ nix.settings = {
+ substituters = lib.mkForce [];
+ hashed-mirrors = null;
+ connect-timeout = 1;
+ };
# save some memory
documentation.enable = false;
};
diff --git a/pkgs/build-support/trivial-builders/test/references.nix b/pkgs/build-support/trivial-builders/test/references.nix
index a2bee51b13e7..989722121cb0 100644
--- a/pkgs/build-support/trivial-builders/test/references.nix
+++ b/pkgs/build-support/trivial-builders/test/references.nix
@@ -28,7 +28,7 @@ nixosTest {
virtualisation.writableStore = true;
# Test runs without network, so we don't substitute and prepare our deps
- nix.binaryCaches = lib.mkForce [];
+ nix.settings.substituters = lib.mkForce [];
environment.etc."pre-built-paths".source = writeText "pre-built-paths" (
builtins.toJSON [hello figlet stdenvNoCC]
);