Merge pull request #236389 from Enzime/darwin-builder

darwin-builder: use port 31022 by default

authored by Robert Hensing and committed by GitHub 262e7272 065b3903

+66 -18
+16 -6
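--- a/doc/builders/special/darwin-builder.section.md
+++ b/doc/builders/special/darwin-builder.section.md
@@ -1,11 +1,12 @@
-# darwin.builder {#sec-darwin-builder}
+# darwin.linux-builder {#sec-darwin-builder}
 
-`darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine.
+`darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine.
 
 This requires macOS version 12.4 or later.
 
-This also requires that port 22 on your machine is free (since Nix does not
-permit specifying a non-default SSH port for builders).
+The builder runs on host port 31022 by default.
+You can change it by overriding `virtualisation.darwin-builder.hostPort`.
+See the [example](#sec-darwin-builder-example-flake).
 
 You will also need to be a trusted user for your Nix installation. In other
 words, your `/etc/nix/nix.conf` should have something like:
@@ -17,7 +18,7 @@
 To launch the builder, run the following flake:
 
 ```ShellSession
-$ nix run nixpkgs#darwin.builder
+$ nix run nixpkgs#darwin.linux-builder
 ```
 
 That will prompt you to enter your `sudo` password:
@@ -50,10 +51,19 @@
 ```
 # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
 # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
-builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=
+builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=
 
 # Not strictly necessary, but this will reduce your disk utilization
 builders-use-substitutes = true
+```
+
+To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`:
+
+```
+Host linux-builder
+Hostname localhost
+HostKeyAlias linux-builder
+Port 31022
 ```
 
 … and then restart your Nix daemon to apply the change: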
+11 -7
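--- a/nixos/modules/profiles/macos-builder.nix
+++ b/nixos/modules/profiles/macos-builder.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 let
 keysDirectory = "/var/keys";
@@ -67,9 +67,9 @@
 '';
 };
 hostPort = mkOption {
-default = 22;
+default = 31022;
 type = types.int;
-example = 31022;
+example = 22;
 description = ''
 The localhost host port to forward TCP to the guest port.
 '';
@@ -139,13 +139,13 @@
 
 hostPkgs = config.virtualisation.host.pkgs;
 
-script = hostPkgs.writeShellScriptBin "create-builder" (
+script = hostPkgs.writeShellScriptBin "create-builder" (
 # When running as non-interactively as part of a DarwinConfiguration the working directory
 # must be set to a writeable directory.
 (if cfg.workingDirectory != "." then ''
 ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}"
 cd "${cfg.workingDirectory}"
-'' else "") + ''
+'' else "") + ''
 KEYS="''${KEYS:-./keys}"
 ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"
 PRIVATE_KEY="''${KEYS}/${user}_${keyType}"
@@ -157,7 +157,7 @@
 if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then
 (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")
 fi
-KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm
+KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm}
 '');
 
 in
@@ -177,7 +177,7 @@
 Please inspect the trace of the following command to figure out which module
 has a dependency on stateVersion.
 
-nix-instantiate --attr darwin.builder --show-trace
+nix-instantiate --attr darwin.linux-builder --show-trace
 '');
 };
 
@@ -234,6 +234,10 @@
 # This ensures that anything built on the guest isn't lost when the guest is
 # restarted.
 writableStoreUseTmpfs = false;
+
+# Pass certificates from host to the guest otherwise when custom CA certificates
+# are required we can't use the cached builder.
+useHostCerts = true;
 };
 };
 }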
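Review bot: `useHostCerts = true;` in the last hunk is set at normal priority, so every builder started from this profile takes its trust anchors from the host's `NIX_SSL_CERT_FILE`, including any interception CA installed there, and opting out needs `mkForce`. Consider `useHostCerts = lib.mkDefault true;` and extend the comment to say that the guest's own CA bundle is replaced rather than extended. That reading is inferred from the qemu-vm.nix section of this commit, which shares the copied file into the guest at `/etc/ssl/certs` and sets `security.pki.installCACerts` to false. The enclosing `virtualisation` attribute set starts outside the hunk.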
+5 -1
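--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -18,6 +18,10 @@
 {
 
 options = {
+security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
+default = true;
+internal = true;
+};
 
 security.pki.certificateFiles = mkOption {
 type = types.listOf types.path;
@@ -70,7 +74,7 @@
 
 };
 
-config = {
+config = mkIf cfg.installCACerts {
 
 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
 environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;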
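Review bot: With `config = mkIf cfg.installCACerts {` in the second hunk the whole module body is switched off when the flag is false, so anything a user put in `security.pki.certificateFiles` is dropped without a diagnostic and nothing in this module provides `/etc/ssl/certs/ca-certificates.crt` any more. The option is `internal`, so the person who sets the certificate options is usually not the one who flipped the flag. At minimum document the contract on the option, e.g. `# Internal: when false, every other security.pki.* setting is ignored and another module must supply /etc/ssl/certs.`; an evaluation warning for that case would be better still, though it would have to live outside the `mkIf`. The `config` block continues past the end of the hunk.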
+27 -1
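--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -166,6 +166,16 @@
 # Create a directory for exchanging data with the VM.
 mkdir -p "$TMPDIR/xchg"
 
+${lib.optionalString cfg.useHostCerts
+''
+mkdir -p "$TMPDIR/certs"
+if [ -e "$NIX_SSL_CERT_FILE" ]; then
+cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
+else
+echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
+fi
+''}
+
 ${lib.optionalString cfg.useEFIBoot
 ''
 # Expose EFI variables, it's useful even when we are not using a bootloader (!).
@@ -877,7 +887,6 @@
 '';
 };
 
-
 virtualisation.bios =
 mkOption {
 type = types.nullOr types.package;
@@ -887,6 +896,17 @@
 An alternate BIOS (such as `qboot`) with which to start the VM.
 Should contain a file named `bios.bin`.
 If `null`, QEMU's builtin SeaBIOS will be used.
+'';
+};
+
+virtualisation.useHostCerts =
+mkOption {
+type = types.bool;
+default = false;
+description =
+lib.mdDoc ''
+If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
+pass the CA certificates from the host to the VM.
 '';
 };
 
@@ -1024,7 +1044,13 @@
 source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
 target = "/tmp/shared";
 };
+certs = mkIf cfg.useHostCerts {
+source = ''"$TMPDIR"/certs'';
+target = "/etc/ssl/certs";
+};
 };
+
+security.pki.installCACerts = mkIf cfg.useHostCerts false;
 
 virtualisation.qemu.networkingOptions =
 let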
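Review bot: In the first hunk the `else` branch only prints to stdout and the VM still starts, so with `useHostCerts` on and `NIX_SSL_CERT_FILE` unset or dangling the guest gets an empty `$TMPDIR/certs` shared at `/etc/ssl/certs` while the last hunk forces `security.pki.installCACerts` to false, leaving it with no trust anchors at all. That fails closed, but the TLS errors inside the guest will not point back to the cause. Send the message to stderr and stop instead, e.g. `echo "\$NIX_SSL_CERT_FILE must point to a readable file when virtualisation.useHostCerts is enabled." >&2; exit 1`. The option description should also say that the guest's own CA bundle is disabled whenever the option is on, not only when `NIX_SSL_CERT_FILE` is set. The start script continues outside the hunk.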
+7 -3
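--- a/pkgs/top-level/darwin-packages.nix
+++ b/pkgs/top-level/darwin-packages.nix
@@ -3,6 +3,7 @@
 , generateSplicesForMkScope, makeScopeWithSplicing
 , stdenv
 , preLibcCrossHeaders
+, config
 }:
 
 let
@@ -229,7 +230,7 @@
 discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };
 
 # See doc/builders/special/darwin-builder.section.md
-builder =
+linux-builder = lib.makeOverridable ({ modules }:
 let
 toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ];
 
@@ -237,7 +238,7 @@
 configuration = {
 imports = [
 ../../nixos/modules/profiles/macos-builder.nix
-];
+] ++ modules;
 
 virtualisation.host = { inherit pkgs; };
 };
@@ -246,5 +247,8 @@
 };
 
 in
-nixos.config.system.build.macos-builder-installer;
+nixos.config.system.build.macos-builder-installer) { modules = [ ]; };
+
+} // lib.optionalAttrs config.allowAliases {
+builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06
 })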
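Review bot: The new `modules` argument of `linux-builder` is undocumented at the definition; the only pointer is the `# See doc/…` line above it. A one-line comment such as `# Extra NixOS modules: darwin.linux-builder.override { modules = [ { virtualisation.darwin-builder.hostPort = 22; } ]; }` would show how to apply the port override that the `builder` alias's throw message asks for. That message also links to the `unstable` manual, which may not match the release a user is actually on.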