
Merge pull request #231316 from hercules-ci/nixos-system.checks

NixOS: add `system.checks`

authored by

Robert Hensing and committed by
GitHub
25f227fc 63695ed2

+33 -7
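--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -283,7 +283,7 @@
 '';
 
 ###### wrappers consistency checks
-system.extraDependencies = lib.singleton (pkgs.runCommandLocal
+system.checks = lib.singleton (pkgs.runCommandLocal
 "ensure-all-wrappers-paths-exist" { }
 ''
 # make sure we produce output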
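--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -489,7 +489,7 @@
 "/share/postgresql"
 ];
 
-system.extraDependencies = lib.optional (cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) configFileCheck;
+system.checks = lib.optional (cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) configFileCheck;
 
 systemd.services.postgresql =
 { description = "PostgreSQL Server";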
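--- a/nixos/modules/services/web-servers/varnish/default.nix
+++ b/nixos/modules/services/web-servers/varnish/default.nix
@@ -99,7 +99,7 @@
 environment.systemPackages = [ cfg.package ];
 
 # check .vcl syntax at compile time (e.g. before nixops deployment)
-system.extraDependencies = mkIf cfg.enableConfigCheck [
+system.checks = mkIf cfg.enableConfigCheck [
 (pkgs.runCommand "check-varnish-syntax" {} ''
 ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1)
 '')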
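--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -776,7 +776,7 @@
 xorg.xf86inputevdev.out
 ];
 
-system.extraDependencies = singleton (pkgs.runCommand "xkb-validated" {
+system.checks = singleton (pkgs.runCommand "xkb-validated" {
 inherit (cfg) xkbModel layout xkbVariant xkbOptions;
 nativeBuildInputs = with pkgs.buildPackages; [ xkbvalidate ];
 preferLocalBuild = true;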
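--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -263,8 +263,23 @@
 default = [];
 description = lib.mdDoc ''
 A list of packages that should be included in the system
-closure but not otherwise made available to users. This is
-primarily used by the installation tests.
+closure but generally not visible to users.
+
+This option has also been used for build-time checks, but the
+`system.checks` option is more appropriate for that purpose as checks
+should not leave a trace in the built system configuration.
+'';
+};
+
+system.checks = mkOption {
+type = types.listOf types.package;
+default = [];
+description = lib.mdDoc ''
+Packages that are added as dependencies of the system's build, usually
+for the purpose of validating some part of the configuration.
+
+Unlike `system.extraDependencies`, these store paths do not
+become part of the built system configuration.
 '';
 };
 
@@ -363,13 +378,24 @@
 fi
 '';
 
-system.systemBuilderArgs = lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
+system.systemBuilderArgs = {
+# Not actually used in the builder. `passedChecks` is just here to create
+# the build dependencies. Checks are similar to build dependencies in the
+# sense that if they fail, the system build fails. However, checks do not
+# produce any output of value, so they are not used by the system builder.
+# In fact, using them runs the risk of accidentally adding unneeded paths
+# to the system closure, which defeats the purpose of the `system.checks`
+# option, as opposed to `system.extraDependencies`.
+passedChecks = concatStringsSep " " config.system.checks;
+}
+// lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
 inherit (config.system) forbiddenDependenciesRegex;
 closureInfo = pkgs.closureInfo { rootPaths = [
 # override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies)
 (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))
 ]; };
 };
+
 
 system.build.toplevel = if config.system.includeBuildDependencies then systemWithBuildDeps else system;
 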
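Review bot: The user-facing description of `system.checks` (new lines 274–283) never states that a failing check aborts the system build; that contract appears only in the internal comment above `passedChecks`, which readers of the option documentation will not see. I would add a sentence to the description such as `If any of these packages fails to build, the system build fails.` so that module authors moving validation here (for example the wrappers path check in this same commit) know it is enforcing rather than advisory. The statement that these store paths "do not become part of the built system configuration" may also need a qualifier for `system.includeBuildDependencies`, which is visible on the last context line: `systemWithBuildDeps` is defined outside this hunk and presumably pulls build-time inputs, check outputs included, into the closure, so this is worth confirming.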