pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #236389 from Enzime/darwin-builder

darwin-builder: use port 31022 by default

authored by Robert Hensing and committed by GitHub 262e7272 065b3903

+66 -18
unified split
+16 -6
doc/builders/special/darwin-builder.section.md
··· 1 - # darwin.builder {#sec-darwin-builder} 2 3 - `darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine. 4 5 This requires macOS version 12.4 or later. 6 7 - This also requires that port 22 on your machine is free (since Nix does not 8 - permit specifying a non-default SSH port for builders). 9 10 You will also need to be a trusted user for your Nix installation. In other 11 words, your `/etc/nix/nix.conf` should have something like: ··· 17 To launch the builder, run the following flake: 18 19 ```ShellSession 20 - $ nix run nixpkgs#darwin.builder 21 ``` 22 23 That will prompt you to enter your `sudo` password: ··· 50 ``` 51 # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine 52 # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure) 53 - builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= 54 55 # Not strictly necessary, but this will reduce your disk utilization 56 builders-use-substitutes = true 57 ``` 58 59 … and then restart your Nix daemon to apply the change:
··· 1 + # darwin.linux-builder {#sec-darwin-builder} 2 3 + `darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine. 4 5 This requires macOS version 12.4 or later. 6 7 + The builder runs on host port 31022 by default. 8 + You can change it by overriding `virtualisation.darwin-builder.hostPort`. 9 + See the [example](#sec-darwin-builder-example-flake). 10 11 You will also need to be a trusted user for your Nix installation. In other 12 words, your `/etc/nix/nix.conf` should have something like: ··· 18 To launch the builder, run the following flake: 19 20 ```ShellSession 21 + $ nix run nixpkgs#darwin.linux-builder 22 ``` 23 24 That will prompt you to enter your `sudo` password: ··· 51 ``` 52 # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine 53 # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure) 54 + builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= 55 56 # Not strictly necessary, but this will reduce your disk utilization 57 builders-use-substitutes = true 58 + ``` 59 + 60 + To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`: 61 + 62 + ``` 63 + Host linux-builder 64 + Hostname localhost 65 + HostKeyAlias linux-builder 66 + Port 31022 67 ``` 68 69 … and then restart your Nix daemon to apply the change:
+11 -7
nixos/modules/profiles/macos-builder.nix
··· 1 - { config, lib, pkgs, ... }: 2 3 let 4 keysDirectory = "/var/keys"; ··· 67 ''; 68 }; 69 hostPort = mkOption { 70 - default = 22; 71 type = types.int; 72 - example = 31022; 73 description = '' 74 The localhost host port to forward TCP to the guest port. 75 ''; ··· 139 140 hostPkgs = config.virtualisation.host.pkgs; 141 142 - script = hostPkgs.writeShellScriptBin "create-builder" ( 143 # When running as non-interactively as part of a DarwinConfiguration the working directory 144 # must be set to a writeable directory. 145 (if cfg.workingDirectory != "." then '' 146 ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}" 147 cd "${cfg.workingDirectory}" 148 - '' else "") + '' 149 KEYS="''${KEYS:-./keys}" 150 ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" 151 PRIVATE_KEY="''${KEYS}/${user}_${keyType}" ··· 157 if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then 158 (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") 159 fi 160 - KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm 161 ''); 162 163 in ··· 177 Please inspect the trace of the following command to figure out which module 178 has a dependency on stateVersion. 179 180 - nix-instantiate --attr darwin.builder --show-trace 181 ''); 182 }; 183 ··· 234 # This ensures that anything built on the guest isn't lost when the guest is 235 # restarted. 236 writableStoreUseTmpfs = false; 237 }; 238 }; 239 }
··· 1 + { config, lib, ... }: 2 3 let 4 keysDirectory = "/var/keys"; ··· 67 ''; 68 }; 69 hostPort = mkOption { 70 + default = 31022; 71 type = types.int; 72 + example = 22; 73 description = '' 74 The localhost host port to forward TCP to the guest port. 75 ''; ··· 139 140 hostPkgs = config.virtualisation.host.pkgs; 141 142 + script = hostPkgs.writeShellScriptBin "create-builder" ( 143 # When running as non-interactively as part of a DarwinConfiguration the working directory 144 # must be set to a writeable directory. 145 (if cfg.workingDirectory != "." then '' 146 ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}" 147 cd "${cfg.workingDirectory}" 148 + '' else "") + '' 149 KEYS="''${KEYS:-./keys}" 150 ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" 151 PRIVATE_KEY="''${KEYS}/${user}_${keyType}" ··· 157 if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then 158 (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") 159 fi 160 + KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm} 161 ''); 162 163 in ··· 177 Please inspect the trace of the following command to figure out which module 178 has a dependency on stateVersion. 179 180 + nix-instantiate --attr darwin.linux-builder --show-trace 181 ''); 182 }; 183 ··· 234 # This ensures that anything built on the guest isn't lost when the guest is 235 # restarted. 236 writableStoreUseTmpfs = false; 237 + 238 + # Pass certificates from host to the guest otherwise when custom CA certificates 239 + # are required we can't use the cached builder. 240 + useHostCerts = true; 241 }; 242 }; 243 }
+5 -1
nixos/modules/security/ca.nix
··· 18 { 19 20 options = { 21 22 security.pki.certificateFiles = mkOption { 23 type = types.listOf types.path; ··· 70 71 }; 72 73 - config = { 74 75 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. 76 environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
··· 18 { 19 20 options = { 21 + security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // { 22 + default = true; 23 + internal = true; 24 + }; 25 26 security.pki.certificateFiles = mkOption { 27 type = types.listOf types.path; ··· 74 75 }; 76 77 + config = mkIf cfg.installCACerts { 78 79 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. 80 environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+27 -1
nixos/modules/virtualisation/qemu-vm.nix
··· 166 # Create a directory for exchanging data with the VM. 167 mkdir -p "$TMPDIR/xchg" 168 169 ${lib.optionalString cfg.useEFIBoot 170 '' 171 # Expose EFI variables, it's useful even when we are not using a bootloader (!). ··· 877 ''; 878 }; 879 880 - 881 virtualisation.bios = 882 mkOption { 883 type = types.nullOr types.package; ··· 887 An alternate BIOS (such as `qboot`) with which to start the VM. 888 Should contain a file named `bios.bin`. 889 If `null`, QEMU's builtin SeaBIOS will be used. 890 ''; 891 }; 892 ··· 1024 source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; 1025 target = "/tmp/shared"; 1026 }; 1027 }; 1028 1029 virtualisation.qemu.networkingOptions = 1030 let
··· 166 # Create a directory for exchanging data with the VM. 167 mkdir -p "$TMPDIR/xchg" 168 169 + ${lib.optionalString cfg.useHostCerts 170 + '' 171 + mkdir -p "$TMPDIR/certs" 172 + if [ -e "$NIX_SSL_CERT_FILE" ]; then 173 + cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt 174 + else 175 + echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled. 176 + fi 177 + ''} 178 + 179 ${lib.optionalString cfg.useEFIBoot 180 '' 181 # Expose EFI variables, it's useful even when we are not using a bootloader (!). ··· 887 ''; 888 }; 889 890 virtualisation.bios = 891 mkOption { 892 type = types.nullOr types.package; ··· 896 An alternate BIOS (such as `qboot`) with which to start the VM. 897 Should contain a file named `bios.bin`. 898 If `null`, QEMU's builtin SeaBIOS will be used. 899 + ''; 900 + }; 901 + 902 + virtualisation.useHostCerts = 903 + mkOption { 904 + type = types.bool; 905 + default = false; 906 + description = 907 + lib.mdDoc '' 908 + If enabled, when `NIX_SSL_CERT_FILE` is set on the host, 909 + pass the CA certificates from the host to the VM. 910 ''; 911 }; 912 ··· 1044 source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; 1045 target = "/tmp/shared"; 1046 }; 1047 + certs = mkIf cfg.useHostCerts { 1048 + source = ''"$TMPDIR"/certs''; 1049 + target = "/etc/ssl/certs"; 1050 + }; 1051 }; 1052 + 1053 + security.pki.installCACerts = mkIf cfg.useHostCerts false; 1054 1055 virtualisation.qemu.networkingOptions = 1056 let
+7 -3
pkgs/top-level/darwin-packages.nix
··· 3 , generateSplicesForMkScope, makeScopeWithSplicing 4 , stdenv 5 , preLibcCrossHeaders 6 }: 7 8 let ··· 229 discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { }; 230 231 # See doc/builders/special/darwin-builder.section.md 232 - builder = 233 let 234 toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ]; 235 ··· 237 configuration = { 238 imports = [ 239 ../../nixos/modules/profiles/macos-builder.nix 240 - ]; 241 242 virtualisation.host = { inherit pkgs; }; 243 }; ··· 246 }; 247 248 in 249 - nixos.config.system.build.macos-builder-installer; 250 })
··· 3 , generateSplicesForMkScope, makeScopeWithSplicing 4 , stdenv 5 , preLibcCrossHeaders 6 + , config 7 }: 8 9 let ··· 230 discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { }; 231 232 # See doc/builders/special/darwin-builder.section.md 233 + linux-builder = lib.makeOverridable ({ modules }: 234 let 235 toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ]; 236 ··· 238 configuration = { 239 imports = [ 240 ../../nixos/modules/profiles/macos-builder.nix 241 + ] ++ modules; 242 243 virtualisation.host = { inherit pkgs; }; 244 }; ··· 247 }; 248 249 in 250 + nixos.config.system.build.macos-builder-installer) { modules = [ ]; }; 251 + 252 + } // lib.optionalAttrs config.allowAliases { 253 + builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06 254 })