+70

nixos/modules/config/nix-channel.nix

··· 1 1 + /* 2 2 + Manages the things that are needed for a traditional nix-channel based 3 3 + configuration to work. 4 4 + 5 5 + See also 6 6 + - ./nix.nix 7 7 + - ./nix-flakes.nix 8 8 + */ 9 9 + { config, lib, ... }: 10 10 + let 11 11 + inherit (lib) 12 12 + mkIf 13 13 + mkOption 14 14 + stringAfter 15 15 + types 16 16 + ; 17 17 + 18 18 + cfg = config.nix; 19 19 + 20 20 + in 21 21 + { 22 22 + options = { 23 23 + nix = { 24 24 + nixPath = mkOption { 25 25 + type = types.listOf types.str; 26 26 + default = [ 27 27 + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" 28 28 + "nixos-config=/etc/nixos/configuration.nix" 29 29 + "/nix/var/nix/profiles/per-user/root/channels" 30 30 + ]; 31 31 + description = lib.mdDoc '' 32 32 + The default Nix expression search path, used by the Nix 33 33 + evaluator to look up paths enclosed in angle brackets 34 34 + (e.g. `<nixpkgs>`). 35 35 + ''; 36 36 + }; 37 37 + }; 38 38 + 39 39 + system = { 40 40 + defaultChannel = mkOption { 41 41 + internal = true; 42 42 + type = types.str; 43 43 + default = "https://nixos.org/channels/nixos-unstable"; 44 44 + description = lib.mdDoc "Default NixOS channel to which the root user is subscribed."; 45 45 + }; 46 46 + }; 47 47 + }; 48 48 + 49 49 + config = mkIf cfg.enable { 50 50 + 51 51 + environment.extraInit = 52 52 + '' 53 53 + if [ -e "$HOME/.nix-defexpr/channels" ]; then 54 54 + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" 55 55 + fi 56 56 + ''; 57 57 + 58 58 + environment.sessionVariables = { 59 59 + NIX_PATH = cfg.nixPath; 60 60 + }; 61 61 + 62 62 + system.activationScripts.nix-channel = stringAfter [ "etc" "users" ] 63 63 + '' 64 64 + # Subscribe the root user to the NixOS channel by default. 65 65 + if [ ! -e "/root/.nix-channels" ]; then 66 66 + echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" 67 67 + fi 68 68 + ''; 69 69 + }; 70 70 + }

+95

nixos/modules/config/nix-flakes.nix

··· 1 1 + /* 2 2 + Manages the flake registry. 3 3 + 4 4 + See also 5 5 + - ./nix.nix 6 6 + - ./nix-channel.nix 7 7 + */ 8 8 + { config, lib, ... }: 9 9 + let 10 10 + inherit (lib) 11 11 + filterAttrs 12 12 + literalExpression 13 13 + mapAttrsToList 14 14 + mkDefault 15 15 + mkIf 16 16 + mkOption 17 17 + types 18 18 + ; 19 19 + 20 20 + cfg = config.nix; 21 21 + 22 22 + in 23 23 + { 24 24 + options = { 25 25 + nix = { 26 26 + registry = mkOption { 27 27 + type = types.attrsOf (types.submodule ( 28 28 + let 29 29 + referenceAttrs = with types; attrsOf (oneOf [ 30 30 + str 31 31 + int 32 32 + bool 33 33 + path 34 34 + package 35 35 + ]); 36 36 + in 37 37 + { config, name, ... }: 38 38 + { 39 39 + options = { 40 40 + from = mkOption { 41 41 + type = referenceAttrs; 42 42 + example = { type = "indirect"; id = "nixpkgs"; }; 43 43 + description = lib.mdDoc "The flake reference to be rewritten."; 44 44 + }; 45 45 + to = mkOption { 46 46 + type = referenceAttrs; 47 47 + example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; 48 48 + description = lib.mdDoc "The flake reference {option}`from` is rewritten to."; 49 49 + }; 50 50 + flake = mkOption { 51 51 + type = types.nullOr types.attrs; 52 52 + default = null; 53 53 + example = literalExpression "nixpkgs"; 54 54 + description = lib.mdDoc '' 55 55 + The flake input {option}`from` is rewritten to. 56 56 + ''; 57 57 + }; 58 58 + exact = mkOption { 59 59 + type = types.bool; 60 60 + default = true; 61 61 + description = lib.mdDoc '' 62 62 + Whether the {option}`from` reference needs to match exactly. If set, 63 63 + a {option}`from` reference like `nixpkgs` does not 64 64 + match with a reference like `nixpkgs/nixos-20.03`. 65 65 + ''; 66 66 + }; 67 67 + }; 68 68 + config = { 69 69 + from = mkDefault { type = "indirect"; id = name; }; 70 70 + to = mkIf (config.flake != null) (mkDefault ( 71 71 + { 72 72 + type = "path"; 73 73 + path = config.flake.outPath; 74 74 + } // filterAttrs 75 75 + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") 76 76 + config.flake 77 77 + )); 78 78 + }; 79 79 + } 80 80 + )); 81 81 + default = { }; 82 82 + description = lib.mdDoc '' 83 83 + A system-wide flake registry. 84 84 + ''; 85 85 + }; 86 86 + }; 87 87 + }; 88 88 + 89 89 + config = mkIf cfg.enable { 90 90 + environment.etc."nix/registry.json".text = builtins.toJSON { 91 91 + version = 2; 92 92 + flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; 93 93 + }; 94 94 + }; 95 95 + }

+230

nixos/modules/config/nix-remote-build.nix

··· 1 1 + /* 2 2 + Manages the remote build configuration, /etc/nix/machines 3 3 + 4 4 + See also 5 5 + - ./nix.nix 6 6 + - nixos/modules/services/system/nix-daemon.nix 7 7 + */ 8 8 + { config, lib, ... }: 9 9 + 10 10 + let 11 11 + inherit (lib) 12 12 + any 13 13 + concatMapStrings 14 14 + concatStringsSep 15 15 + filter 16 16 + getVersion 17 17 + mkIf 18 18 + mkMerge 19 19 + mkOption 20 20 + optional 21 21 + optionalString 22 22 + types 23 23 + versionAtLeast 24 24 + ; 25 25 + 26 26 + cfg = config.nix; 27 27 + 28 28 + nixPackage = cfg.package.out; 29 29 + 30 30 + isNixAtLeast = versionAtLeast (getVersion nixPackage); 31 31 + 32 32 + buildMachinesText = 33 33 + concatMapStrings 34 34 + (machine: 35 35 + (concatStringsSep " " ([ 36 36 + "${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" 37 37 + (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") 38 38 + (if machine.sshKey != null then machine.sshKey else "-") 39 39 + (toString machine.maxJobs) 40 40 + (toString machine.speedFactor) 41 41 + (let res = (machine.supportedFeatures ++ machine.mandatoryFeatures); 42 42 + in if (res == []) then "-" else (concatStringsSep "," res)) 43 43 + (let res = machine.mandatoryFeatures; 44 44 + in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures)) 45 45 + ] 46 46 + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) 47 47 + + "\n" 48 48 + ) 49 49 + cfg.buildMachines; 50 50 + 51 51 + in 52 52 + { 53 53 + imports = [ 54 54 + ./nix.nix 55 55 + ]; 56 56 + 57 57 + options = { 58 58 + nix = { 59 59 + buildMachines = mkOption { 60 60 + type = types.listOf (types.submodule { 61 61 + options = { 62 62 + hostName = mkOption { 63 63 + type = types.str; 64 64 + example = "nixbuilder.example.org"; 65 65 + description = lib.mdDoc '' 66 66 + The hostname of the build machine. 67 67 + ''; 68 68 + }; 69 69 + protocol = mkOption { 70 70 + type = types.enum [ null "ssh" "ssh-ng" ]; 71 71 + default = "ssh"; 72 72 + example = "ssh-ng"; 73 73 + description = lib.mdDoc '' 74 74 + The protocol used for communicating with the build machine. 75 75 + Use `ssh-ng` if your remote builder and your 76 76 + local Nix version support that improved protocol. 77 77 + 78 78 + Use `null` when trying to change the special localhost builder 79 79 + without a protocol which is for example used by hydra. 80 80 + ''; 81 81 + }; 82 82 + system = mkOption { 83 83 + type = types.nullOr types.str; 84 84 + default = null; 85 85 + example = "x86_64-linux"; 86 86 + description = lib.mdDoc '' 87 87 + The system type the build machine can execute derivations on. 88 88 + Either this attribute or {var}`systems` must be 89 89 + present, where {var}`system` takes precedence if 90 90 + both are set. 91 91 + ''; 92 92 + }; 93 93 + systems = mkOption { 94 94 + type = types.listOf types.str; 95 95 + default = [ ]; 96 96 + example = [ "x86_64-linux" "aarch64-linux" ]; 97 97 + description = lib.mdDoc '' 98 98 + The system types the build machine can execute derivations on. 99 99 + Either this attribute or {var}`system` must be 100 100 + present, where {var}`system` takes precedence if 101 101 + both are set. 102 102 + ''; 103 103 + }; 104 104 + sshUser = mkOption { 105 105 + type = types.nullOr types.str; 106 106 + default = null; 107 107 + example = "builder"; 108 108 + description = lib.mdDoc '' 109 109 + The username to log in as on the remote host. This user must be 110 110 + able to log in and run nix commands non-interactively. It must 111 111 + also be privileged to build derivations, so must be included in 112 112 + {option}`nix.settings.trusted-users`. 113 113 + ''; 114 114 + }; 115 115 + sshKey = mkOption { 116 116 + type = types.nullOr types.str; 117 117 + default = null; 118 118 + example = "/root/.ssh/id_buildhost_builduser"; 119 119 + description = lib.mdDoc '' 120 120 + The path to the SSH private key with which to authenticate on 121 121 + the build machine. The private key must not have a passphrase. 122 122 + If null, the building user (root on NixOS machines) must have an 123 123 + appropriate ssh configuration to log in non-interactively. 124 124 + 125 125 + Note that for security reasons, this path must point to a file 126 126 + in the local filesystem, *not* to the nix store. 127 127 + ''; 128 128 + }; 129 129 + maxJobs = mkOption { 130 130 + type = types.int; 131 131 + default = 1; 132 132 + description = lib.mdDoc '' 133 133 + The number of concurrent jobs the build machine supports. The 134 134 + build machine will enforce its own limits, but this allows hydra 135 135 + to schedule better since there is no work-stealing between build 136 136 + machines. 137 137 + ''; 138 138 + }; 139 139 + speedFactor = mkOption { 140 140 + type = types.int; 141 141 + default = 1; 142 142 + description = lib.mdDoc '' 143 143 + The relative speed of this builder. This is an arbitrary integer 144 144 + that indicates the speed of this builder, relative to other 145 145 + builders. Higher is faster. 146 146 + ''; 147 147 + }; 148 148 + mandatoryFeatures = mkOption { 149 149 + type = types.listOf types.str; 150 150 + default = [ ]; 151 151 + example = [ "big-parallel" ]; 152 152 + description = lib.mdDoc '' 153 153 + A list of features mandatory for this builder. The builder will 154 154 + be ignored for derivations that don't require all features in 155 155 + this list. All mandatory features are automatically included in 156 156 + {var}`supportedFeatures`. 157 157 + ''; 158 158 + }; 159 159 + supportedFeatures = mkOption { 160 160 + type = types.listOf types.str; 161 161 + default = [ ]; 162 162 + example = [ "kvm" "big-parallel" ]; 163 163 + description = lib.mdDoc '' 164 164 + A list of features supported by this builder. The builder will 165 165 + be ignored for derivations that require features not in this 166 166 + list. 167 167 + ''; 168 168 + }; 169 169 + publicHostKey = mkOption { 170 170 + type = types.nullOr types.str; 171 171 + default = null; 172 172 + description = lib.mdDoc '' 173 173 + The (base64-encoded) public host key of this builder. The field 174 174 + is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`. 175 175 + If null, SSH will use its regular known-hosts file when connecting. 176 176 + ''; 177 177 + }; 178 178 + }; 179 179 + }); 180 180 + default = [ ]; 181 181 + description = lib.mdDoc '' 182 182 + This option lists the machines to be used if distributed builds are 183 183 + enabled (see {option}`nix.distributedBuilds`). 184 184 + Nix will perform derivations on those machines via SSH by copying the 185 185 + inputs to the Nix store on the remote machine, starting the build, 186 186 + then copying the output back to the local Nix store. 187 187 + ''; 188 188 + }; 189 189 + 190 190 + distributedBuilds = mkOption { 191 191 + type = types.bool; 192 192 + default = false; 193 193 + description = lib.mdDoc '' 194 194 + Whether to distribute builds to the machines listed in 195 195 + {option}`nix.buildMachines`. 196 196 + ''; 197 197 + }; 198 198 + }; 199 199 + }; 200 200 + 201 201 + # distributedBuilds does *not* inhibit /etc/machines generation; caller may 202 202 + # override that nix option. 203 203 + config = mkIf cfg.enable { 204 204 + assertions = 205 205 + let badMachine = m: m.system == null && m.systems == [ ]; 206 206 + in 207 207 + [ 208 208 + { 209 209 + assertion = !(any badMachine cfg.buildMachines); 210 210 + message = '' 211 211 + At least one system type (via <varname>system</varname> or 212 212 + <varname>systems</varname>) must be set for every build machine. 213 213 + Invalid machine specifications: 214 214 + '' + " " + 215 215 + (concatStringsSep "\n " 216 216 + (map (m: m.hostName) 217 217 + (filter (badMachine) cfg.buildMachines))); 218 218 + } 219 219 + ]; 220 220 + 221 221 + # List of machines for distributed Nix builds 222 222 + environment.etc."nix/machines" = 223 223 + mkIf (cfg.buildMachines != [ ]) { 224 224 + text = buildMachinesText; 225 225 + }; 226 226 + 227 227 + # Legacy configuration conversion. 228 228 + nix.settings = mkIf (!cfg.distributedBuilds) { builders = null; }; 229 229 + }; 230 230 + }

+379

nixos/modules/config/nix.nix

··· 1 1 + /* 2 2 + Manages /etc/nix.conf. 3 3 + 4 4 + See also 5 5 + - ./nix-channel.nix 6 6 + - ./nix-flakes.nix 7 7 + - ./nix-remote-build.nix 8 8 + - nixos/modules/services/system/nix-daemon.nix 9 9 + */ 10 10 + { config, lib, pkgs, ... }: 11 11 + 12 12 + let 13 13 + inherit (lib) 14 14 + concatStringsSep 15 15 + boolToString 16 16 + escape 17 17 + floatToString 18 18 + getVersion 19 19 + isBool 20 20 + isDerivation 21 21 + isFloat 22 22 + isInt 23 23 + isList 24 24 + isString 25 25 + literalExpression 26 26 + mapAttrsToList 27 27 + mkAfter 28 28 + mkDefault 29 29 + mkIf 30 30 + mkOption 31 31 + mkRenamedOptionModuleWith 32 32 + optionalString 33 33 + optionals 34 34 + strings 35 35 + systems 36 36 + toPretty 37 37 + types 38 38 + versionAtLeast 39 39 + ; 40 40 + 41 41 + cfg = config.nix; 42 42 + 43 43 + nixPackage = cfg.package.out; 44 44 + 45 45 + isNixAtLeast = versionAtLeast (getVersion nixPackage); 46 46 + 47 47 + legacyConfMappings = { 48 48 + useSandbox = "sandbox"; 49 49 + buildCores = "cores"; 50 50 + maxJobs = "max-jobs"; 51 51 + sandboxPaths = "extra-sandbox-paths"; 52 52 + binaryCaches = "substituters"; 53 53 + trustedBinaryCaches = "trusted-substituters"; 54 54 + binaryCachePublicKeys = "trusted-public-keys"; 55 55 + autoOptimiseStore = "auto-optimise-store"; 56 56 + requireSignedBinaryCaches = "require-sigs"; 57 57 + trustedUsers = "trusted-users"; 58 58 + allowedUsers = "allowed-users"; 59 59 + systemFeatures = "system-features"; 60 60 + }; 61 61 + 62 62 + semanticConfType = with types; 63 63 + let 64 64 + confAtom = nullOr 65 65 + (oneOf [ 66 66 + bool 67 67 + int 68 68 + float 69 69 + str 70 70 + path 71 71 + package 72 72 + ]) // { 73 73 + description = "Nix config atom (null, bool, int, float, str, path or package)"; 74 74 + }; 75 75 + in 76 76 + attrsOf (either confAtom (listOf confAtom)); 77 77 + 78 78 + nixConf = 79 79 + assert isNixAtLeast "2.2"; 80 80 + let 81 81 + 82 82 + mkValueString = v: 83 83 + if v == null then "" 84 84 + else if isInt v then toString v 85 85 + else if isBool v then boolToString v 86 86 + else if isFloat v then floatToString v 87 87 + else if isList v then toString v 88 88 + else if isDerivation v then toString v 89 89 + else if builtins.isPath v then toString v 90 90 + else if isString v then v 91 91 + else if strings.isConvertibleWithToString v then toString v 92 92 + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; 93 93 + 94 94 + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; 95 95 + 96 96 + mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); 97 97 + 98 98 + in 99 99 + pkgs.writeTextFile { 100 100 + name = "nix.conf"; 101 101 + text = '' 102 102 + # WARNING: this file is generated from the nix.* options in 103 103 + # your NixOS configuration, typically 104 104 + # /etc/nixos/configuration.nix. Do not edit it! 105 105 + ${mkKeyValuePairs cfg.settings} 106 106 + ${cfg.extraOptions} 107 107 + ''; 108 108 + checkPhase = lib.optionalString cfg.checkConfig ( 109 109 + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' 110 110 + echo "Ignoring validation for cross-compilation" 111 111 + '' 112 112 + else '' 113 113 + echo "Validating generated nix.conf" 114 114 + ln -s $out ./nix.conf 115 115 + set -e 116 116 + set +o pipefail 117 117 + NIX_CONF_DIR=$PWD \ 118 118 + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ 119 119 + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ 120 120 + |& sed -e 's/^warning:/error:/' \ 121 121 + | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') 122 122 + set -o pipefail 123 123 + ''); 124 124 + }; 125 125 + 126 126 + in 127 127 + { 128 128 + imports = [ 129 129 + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) 130 130 + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) 131 131 + ] ++ 132 132 + mapAttrsToList 133 133 + (oldConf: newConf: 134 134 + mkRenamedOptionModuleWith { 135 135 + sinceRelease = 2205; 136 136 + from = [ "nix" oldConf ]; 137 137 + to = [ "nix" "settings" newConf ]; 138 138 + }) 139 139 + legacyConfMappings; 140 140 + 141 141 + options = { 142 142 + nix = { 143 143 + checkConfig = mkOption { 144 144 + type = types.bool; 145 145 + default = true; 146 146 + description = lib.mdDoc '' 147 147 + If enabled, checks that Nix can parse the generated nix.conf. 148 148 + ''; 149 149 + }; 150 150 + 151 151 + checkAllErrors = mkOption { 152 152 + type = types.bool; 153 153 + default = true; 154 154 + description = lib.mdDoc '' 155 155 + If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. 156 156 + ''; 157 157 + }; 158 158 + 159 159 + extraOptions = mkOption { 160 160 + type = types.lines; 161 161 + default = ""; 162 162 + example = '' 163 163 + keep-outputs = true 164 164 + keep-derivations = true 165 165 + ''; 166 166 + description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; 167 167 + }; 168 168 + 169 169 + settings = mkOption { 170 170 + type = types.submodule { 171 171 + freeformType = semanticConfType; 172 172 + 173 173 + options = { 174 174 + max-jobs = mkOption { 175 175 + type = types.either types.int (types.enum [ "auto" ]); 176 176 + default = "auto"; 177 177 + example = 64; 178 178 + description = lib.mdDoc '' 179 179 + This option defines the maximum number of jobs that Nix will try to 180 180 + build in parallel. The default is auto, which means it will use all 181 181 + available logical cores. It is recommend to set it to the total 182 182 + number of logical cores in your system (e.g., 16 for two CPUs with 4 183 183 + cores each and hyper-threading). 184 184 + ''; 185 185 + }; 186 186 + 187 187 + auto-optimise-store = mkOption { 188 188 + type = types.bool; 189 189 + default = false; 190 190 + example = true; 191 191 + description = lib.mdDoc '' 192 192 + If set to true, Nix automatically detects files in the store that have 193 193 + identical contents, and replaces them with hard links to a single copy. 194 194 + This saves disk space. If set to false (the default), you can still run 195 195 + nix-store --optimise to get rid of duplicate files. 196 196 + ''; 197 197 + }; 198 198 + 199 199 + cores = mkOption { 200 200 + type = types.int; 201 201 + default = 0; 202 202 + example = 64; 203 203 + description = lib.mdDoc '' 204 204 + This option defines the maximum number of concurrent tasks during 205 205 + one build. It affects, e.g., -j option for make. 206 206 + The special value 0 means that the builder should use all 207 207 + available CPU cores in the system. Some builds may become 208 208 + non-deterministic with this option; use with care! Packages will 209 209 + only be affected if enableParallelBuilding is set for them. 210 210 + ''; 211 211 + }; 212 212 + 213 213 + sandbox = mkOption { 214 214 + type = types.either types.bool (types.enum [ "relaxed" ]); 215 215 + default = true; 216 216 + description = lib.mdDoc '' 217 217 + If set, Nix will perform builds in a sandboxed environment that it 218 218 + will set up automatically for each build. This prevents impurities 219 219 + in builds by disallowing access to dependencies outside of the Nix 220 220 + store by using network and mount namespaces in a chroot environment. 221 221 + 222 222 + This is enabled by default even though it has a possible performance 223 223 + impact due to the initial setup time of a sandbox for each build. It 224 224 + doesn't affect derivation hashes, so changing this option will not 225 225 + trigger a rebuild of packages. 226 226 + 227 227 + When set to "relaxed", this option permits derivations that set 228 228 + `__noChroot = true;` to run outside of the sandboxed environment. 229 229 + Exercise caution when using this mode of operation! It is intended to 230 230 + be a quick hack when building with packages that are not easily setup 231 231 + to be built reproducibly. 232 232 + ''; 233 233 + }; 234 234 + 235 235 + extra-sandbox-paths = mkOption { 236 236 + type = types.listOf types.str; 237 237 + default = [ ]; 238 238 + example = [ "/dev" "/proc" ]; 239 239 + description = lib.mdDoc '' 240 240 + Directories from the host filesystem to be included 241 241 + in the sandbox. 242 242 + ''; 243 243 + }; 244 244 + 245 245 + substituters = mkOption { 246 246 + type = types.listOf types.str; 247 247 + description = lib.mdDoc '' 248 248 + List of binary cache URLs used to obtain pre-built binaries 249 249 + of Nix packages. 250 250 + 251 251 + By default https://cache.nixos.org/ is added. 252 252 + ''; 253 253 + }; 254 254 + 255 255 + trusted-substituters = mkOption { 256 256 + type = types.listOf types.str; 257 257 + default = [ ]; 258 258 + example = [ "https://hydra.nixos.org/" ]; 259 259 + description = lib.mdDoc '' 260 260 + List of binary cache URLs that non-root users can use (in 261 261 + addition to those specified using 262 262 + {option}`nix.settings.substituters`) by passing 263 263 + `--option binary-caches` to Nix commands. 264 264 + ''; 265 265 + }; 266 266 + 267 267 + require-sigs = mkOption { 268 268 + type = types.bool; 269 269 + default = true; 270 270 + description = lib.mdDoc '' 271 271 + If enabled (the default), Nix will only download binaries from binary caches if 272 272 + they are cryptographically signed with any of the keys listed in 273 273 + {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither 274 274 + required nor checked, so it's strongly recommended that you use only 275 275 + trustworthy caches and https to prevent man-in-the-middle attacks. 276 276 + ''; 277 277 + }; 278 278 + 279 279 + trusted-public-keys = mkOption { 280 280 + type = types.listOf types.str; 281 281 + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; 282 282 + description = lib.mdDoc '' 283 283 + List of public keys used to sign binary caches. If 284 284 + {option}`nix.settings.trusted-public-keys` is enabled, 285 285 + then Nix will use a binary from a binary cache if and only 286 286 + if it is signed by *any* of the keys 287 287 + listed here. By default, only the key for 288 288 + `cache.nixos.org` is included. 289 289 + ''; 290 290 + }; 291 291 + 292 292 + trusted-users = mkOption { 293 293 + type = types.listOf types.str; 294 294 + default = [ "root" ]; 295 295 + example = [ "root" "alice" "@wheel" ]; 296 296 + description = lib.mdDoc '' 297 297 + A list of names of users that have additional rights when 298 298 + connecting to the Nix daemon, such as the ability to specify 299 299 + additional binary caches, or to import unsigned NARs. You 300 300 + can also specify groups by prefixing them with 301 301 + `@`; for instance, 302 302 + `@wheel` means all users in the wheel 303 303 + group. 304 304 + ''; 305 305 + }; 306 306 + 307 307 + system-features = mkOption { 308 308 + type = types.listOf types.str; 309 309 + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; 310 310 + description = lib.mdDoc '' 311 311 + The set of features supported by the machine. Derivations 312 312 + can express dependencies on system features through the 313 313 + `requiredSystemFeatures` attribute. 314 314 + 315 315 + By default, pseudo-features `nixos-test`, `benchmark`, 316 316 + and `big-parallel` used in Nixpkgs are set, `kvm` 317 317 + is also included if it is available. 318 318 + ''; 319 319 + }; 320 320 + 321 321 + allowed-users = mkOption { 322 322 + type = types.listOf types.str; 323 323 + default = [ "*" ]; 324 324 + example = [ "@wheel" "@builders" "alice" "bob" ]; 325 325 + description = lib.mdDoc '' 326 326 + A list of names of users (separated by whitespace) that are 327 327 + allowed to connect to the Nix daemon. As with 328 328 + {option}`nix.settings.trusted-users`, you can specify groups by 329 329 + prefixing them with `@`. Also, you can 330 330 + allow all users by specifying `*`. The 331 331 + default is `*`. Note that trusted users are 332 332 + always allowed to connect. 333 333 + ''; 334 334 + }; 335 335 + }; 336 336 + }; 337 337 + default = { }; 338 338 + example = literalExpression '' 339 339 + { 340 340 + use-sandbox = true; 341 341 + show-trace = true; 342 342 + 343 343 + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; 344 344 + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; 345 345 + } 346 346 + ''; 347 347 + description = lib.mdDoc '' 348 348 + Configuration for Nix, see 349 349 + <https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or 350 350 + {manpage}`nix.conf(5)` for available options. 351 351 + The value declared here will be translated directly to the key-value pairs Nix expects. 352 352 + 353 353 + You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings` 354 354 + to view the current value. By default it is empty. 355 355 + 356 356 + Nix configurations defined under {option}`nix.*` will be translated and applied to this 357 357 + option. In addition, configuration specified in {option}`nix.extraOptions` will be appended 358 358 + verbatim to the resulting config file. 359 359 + ''; 360 360 + }; 361 361 + }; 362 362 + }; 363 363 + 364 364 + config = mkIf cfg.enable { 365 365 + environment.etc."nix/nix.conf".source = nixConf; 366 366 + nix.settings = { 367 367 + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; 368 368 + substituters = mkAfter [ "https://cache.nixos.org/" ]; 369 369 + system-features = mkDefault ( 370 370 + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ 371 371 + optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( 372 372 + # a builder can run code for `gcc.arch` and inferior architectures 373 373 + [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ 374 374 + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) 375 375 + ) 376 376 + ); 377 377 + }; 378 378 + }; 379 379 + }

-7

nixos/modules/misc/version.nix

··· 140 140 ''; 141 141 }; 142 142 143 143 - defaultChannel = mkOption { 144 144 - internal = true; 145 145 - type = types.str; 146 146 - default = "https://nixos.org/channels/nixos-unstable"; 147 147 - description = lib.mdDoc "Default NixOS channel to which the root user is subscribed."; 148 148 - }; 149 149 - 150 143 configurationRevision = mkOption { 151 144 type = types.nullOr types.str; 152 145 default = null;

+5 -1

nixos/modules/module-list.nix

··· 16 16 ./config/malloc.nix 17 17 ./config/mysql.nix 18 18 ./config/networking.nix 19 19 + ./config/nix.nix 20 20 + ./config/nix-channel.nix 21 21 + ./config/nix-flakes.nix 22 22 + ./config/nix-remote-build.nix 19 23 ./config/no-x-libs.nix 20 24 ./config/nsswitch.nix 21 25 ./config/power-management.nix ··· 661 665 ./services/misc/moonraker.nix 662 666 ./services/misc/n8n.nix 663 667 ./services/misc/nitter.nix 664 664 - ./services/misc/nix-daemon.nix 665 668 ./services/misc/nix-gc.nix 666 669 ./services/misc/nix-optimise.nix 667 670 ./services/misc/nix-ssh-serve.nix ··· 1143 1146 ./services/system/earlyoom.nix 1144 1147 ./services/system/kerberos/default.nix 1145 1148 ./services/system/localtimed.nix 1149 1149 + ./services/system/nix-daemon.nix 1146 1150 ./services/system/nscd.nix 1147 1151 ./services/system/saslauthd.nix 1148 1152 ./services/system/self-deploy.nix

-844

nixos/modules/services/misc/nix-daemon.nix

··· 1 1 - { config, lib, pkgs, ... }: 2 2 - 3 3 - with lib; 4 4 - 5 5 - let 6 6 - 7 7 - cfg = config.nix; 8 8 - 9 9 - nixPackage = cfg.package.out; 10 10 - 11 11 - isNixAtLeast = versionAtLeast (getVersion nixPackage); 12 12 - 13 13 - makeNixBuildUser = nr: { 14 14 - name = "nixbld${toString nr}"; 15 15 - value = { 16 16 - description = "Nix build user ${toString nr}"; 17 17 - 18 18 - /* 19 19 - For consistency with the setgid(2), setuid(2), and setgroups(2) 20 20 - calls in `libstore/build.cc', don't add any supplementary group 21 21 - here except "nixbld". 22 22 - */ 23 23 - uid = builtins.add config.ids.uids.nixbld nr; 24 24 - isSystemUser = true; 25 25 - group = "nixbld"; 26 26 - extraGroups = [ "nixbld" ]; 27 27 - }; 28 28 - }; 29 29 - 30 30 - nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); 31 31 - 32 32 - nixConf = 33 33 - assert isNixAtLeast "2.2"; 34 34 - let 35 35 - 36 36 - mkValueString = v: 37 37 - if v == null then "" 38 38 - else if isInt v then toString v 39 39 - else if isBool v then boolToString v 40 40 - else if isFloat v then floatToString v 41 41 - else if isList v then toString v 42 42 - else if isDerivation v then toString v 43 43 - else if builtins.isPath v then toString v 44 44 - else if isString v then v 45 45 - else if strings.isConvertibleWithToString v then toString v 46 46 - else abort "The nix conf value: ${toPretty {} v} can not be encoded"; 47 47 - 48 48 - mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; 49 49 - 50 50 - mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); 51 51 - 52 52 - in 53 53 - pkgs.writeTextFile { 54 54 - name = "nix.conf"; 55 55 - text = '' 56 56 - # WARNING: this file is generated from the nix.* options in 57 57 - # your NixOS configuration, typically 58 58 - # /etc/nixos/configuration.nix. Do not edit it! 59 59 - ${mkKeyValuePairs cfg.settings} 60 60 - ${cfg.extraOptions} 61 61 - ''; 62 62 - checkPhase = lib.optionalString cfg.checkConfig ( 63 63 - if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' 64 64 - echo "Ignoring validation for cross-compilation" 65 65 - '' 66 66 - else '' 67 67 - echo "Validating generated nix.conf" 68 68 - ln -s $out ./nix.conf 69 69 - set -e 70 70 - set +o pipefail 71 71 - NIX_CONF_DIR=$PWD \ 72 72 - ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ 73 73 - ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ 74 74 - |& sed -e 's/^warning:/error:/' \ 75 75 - | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') 76 76 - set -o pipefail 77 77 - ''); 78 78 - }; 79 79 - 80 80 - legacyConfMappings = { 81 81 - useSandbox = "sandbox"; 82 82 - buildCores = "cores"; 83 83 - maxJobs = "max-jobs"; 84 84 - sandboxPaths = "extra-sandbox-paths"; 85 85 - binaryCaches = "substituters"; 86 86 - trustedBinaryCaches = "trusted-substituters"; 87 87 - binaryCachePublicKeys = "trusted-public-keys"; 88 88 - autoOptimiseStore = "auto-optimise-store"; 89 89 - requireSignedBinaryCaches = "require-sigs"; 90 90 - trustedUsers = "trusted-users"; 91 91 - allowedUsers = "allowed-users"; 92 92 - systemFeatures = "system-features"; 93 93 - }; 94 94 - 95 95 - semanticConfType = with types; 96 96 - let 97 97 - confAtom = nullOr 98 98 - (oneOf [ 99 99 - bool 100 100 - int 101 101 - float 102 102 - str 103 103 - path 104 104 - package 105 105 - ]) // { 106 106 - description = "Nix config atom (null, bool, int, float, str, path or package)"; 107 107 - }; 108 108 - in 109 109 - attrsOf (either confAtom (listOf confAtom)); 110 110 - 111 111 - in 112 112 - 113 113 - { 114 114 - imports = [ 115 115 - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) 116 116 - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) 117 117 - (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) 118 118 - (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; }) 119 119 - (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") 120 120 - ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings; 121 121 - 122 122 - ###### interface 123 123 - 124 124 - options = { 125 125 - 126 126 - nix = { 127 127 - 128 128 - enable = mkOption { 129 129 - type = types.bool; 130 130 - default = true; 131 131 - description = lib.mdDoc '' 132 132 - Whether to enable Nix. 133 133 - Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself. 134 134 - ''; 135 135 - }; 136 136 - 137 137 - package = mkOption { 138 138 - type = types.package; 139 139 - default = pkgs.nix; 140 140 - defaultText = literalExpression "pkgs.nix"; 141 141 - description = lib.mdDoc '' 142 142 - This option specifies the Nix package instance to use throughout the system. 143 143 - ''; 144 144 - }; 145 145 - 146 146 - distributedBuilds = mkOption { 147 147 - type = types.bool; 148 148 - default = false; 149 149 - description = lib.mdDoc '' 150 150 - Whether to distribute builds to the machines listed in 151 151 - {option}`nix.buildMachines`. 152 152 - ''; 153 153 - }; 154 154 - 155 155 - daemonCPUSchedPolicy = mkOption { 156 156 - type = types.enum [ "other" "batch" "idle" ]; 157 157 - default = "other"; 158 158 - example = "batch"; 159 159 - description = lib.mdDoc '' 160 160 - Nix daemon process CPU scheduling policy. This policy propagates to 161 161 - build processes. `other` is the default scheduling 162 162 - policy for regular tasks. The `batch` policy is 163 163 - similar to `other`, but optimised for 164 164 - non-interactive tasks. `idle` is for extremely 165 165 - low-priority tasks that should only be run when no other task 166 166 - requires CPU time. 167 167 - 168 168 - Please note that while using the `idle` policy may 169 169 - greatly improve responsiveness of a system performing expensive 170 170 - builds, it may also slow down and potentially starve crucial 171 171 - configuration updates during load. 172 172 - 173 173 - `idle` may therefore be a sensible policy for 174 174 - systems that experience only intermittent phases of high CPU load, 175 175 - such as desktop or portable computers used interactively. Other 176 176 - systems should use the `other` or 177 177 - `batch` policy instead. 178 178 - 179 179 - For more fine-grained resource control, please refer to 180 180 - {manpage}`systemd.resource-control(5)` and adjust 181 181 - {option}`systemd.services.nix-daemon` directly. 182 182 - ''; 183 183 - }; 184 184 - 185 185 - daemonIOSchedClass = mkOption { 186 186 - type = types.enum [ "best-effort" "idle" ]; 187 187 - default = "best-effort"; 188 188 - example = "idle"; 189 189 - description = lib.mdDoc '' 190 190 - Nix daemon process I/O scheduling class. This class propagates to 191 191 - build processes. `best-effort` is the default 192 192 - class for regular tasks. The `idle` class is for 193 193 - extremely low-priority tasks that should only perform I/O when no 194 194 - other task does. 195 195 - 196 196 - Please note that while using the `idle` scheduling 197 197 - class can improve responsiveness of a system performing expensive 198 198 - builds, it might also slow down or starve crucial configuration 199 199 - updates during load. 200 200 - 201 201 - `idle` may therefore be a sensible class for 202 202 - systems that experience only intermittent phases of high I/O load, 203 203 - such as desktop or portable computers used interactively. Other 204 204 - systems should use the `best-effort` class. 205 205 - ''; 206 206 - }; 207 207 - 208 208 - daemonIOSchedPriority = mkOption { 209 209 - type = types.int; 210 210 - default = 4; 211 211 - example = 1; 212 212 - description = lib.mdDoc '' 213 213 - Nix daemon process I/O scheduling priority. This priority propagates 214 214 - to build processes. The supported priorities depend on the 215 215 - scheduling policy: With idle, priorities are not used in scheduling 216 216 - decisions. best-effort supports values in the range 0 (high) to 7 217 217 - (low). 218 218 - ''; 219 219 - }; 220 220 - 221 221 - buildMachines = mkOption { 222 222 - type = types.listOf (types.submodule { 223 223 - options = { 224 224 - hostName = mkOption { 225 225 - type = types.str; 226 226 - example = "nixbuilder.example.org"; 227 227 - description = lib.mdDoc '' 228 228 - The hostname of the build machine. 229 229 - ''; 230 230 - }; 231 231 - protocol = mkOption { 232 232 - type = types.enum [ null "ssh" "ssh-ng" ]; 233 233 - default = "ssh"; 234 234 - example = "ssh-ng"; 235 235 - description = lib.mdDoc '' 236 236 - The protocol used for communicating with the build machine. 237 237 - Use `ssh-ng` if your remote builder and your 238 238 - local Nix version support that improved protocol. 239 239 - 240 240 - Use `null` when trying to change the special localhost builder 241 241 - without a protocol which is for example used by hydra. 242 242 - ''; 243 243 - }; 244 244 - system = mkOption { 245 245 - type = types.nullOr types.str; 246 246 - default = null; 247 247 - example = "x86_64-linux"; 248 248 - description = lib.mdDoc '' 249 249 - The system type the build machine can execute derivations on. 250 250 - Either this attribute or {var}`systems` must be 251 251 - present, where {var}`system` takes precedence if 252 252 - both are set. 253 253 - ''; 254 254 - }; 255 255 - systems = mkOption { 256 256 - type = types.listOf types.str; 257 257 - default = [ ]; 258 258 - example = [ "x86_64-linux" "aarch64-linux" ]; 259 259 - description = lib.mdDoc '' 260 260 - The system types the build machine can execute derivations on. 261 261 - Either this attribute or {var}`system` must be 262 262 - present, where {var}`system` takes precedence if 263 263 - both are set. 264 264 - ''; 265 265 - }; 266 266 - sshUser = mkOption { 267 267 - type = types.nullOr types.str; 268 268 - default = null; 269 269 - example = "builder"; 270 270 - description = lib.mdDoc '' 271 271 - The username to log in as on the remote host. This user must be 272 272 - able to log in and run nix commands non-interactively. It must 273 273 - also be privileged to build derivations, so must be included in 274 274 - {option}`nix.settings.trusted-users`. 275 275 - ''; 276 276 - }; 277 277 - sshKey = mkOption { 278 278 - type = types.nullOr types.str; 279 279 - default = null; 280 280 - example = "/root/.ssh/id_buildhost_builduser"; 281 281 - description = lib.mdDoc '' 282 282 - The path to the SSH private key with which to authenticate on 283 283 - the build machine. The private key must not have a passphrase. 284 284 - If null, the building user (root on NixOS machines) must have an 285 285 - appropriate ssh configuration to log in non-interactively. 286 286 - 287 287 - Note that for security reasons, this path must point to a file 288 288 - in the local filesystem, *not* to the nix store. 289 289 - ''; 290 290 - }; 291 291 - maxJobs = mkOption { 292 292 - type = types.int; 293 293 - default = 1; 294 294 - description = lib.mdDoc '' 295 295 - The number of concurrent jobs the build machine supports. The 296 296 - build machine will enforce its own limits, but this allows hydra 297 297 - to schedule better since there is no work-stealing between build 298 298 - machines. 299 299 - ''; 300 300 - }; 301 301 - speedFactor = mkOption { 302 302 - type = types.int; 303 303 - default = 1; 304 304 - description = lib.mdDoc '' 305 305 - The relative speed of this builder. This is an arbitrary integer 306 306 - that indicates the speed of this builder, relative to other 307 307 - builders. Higher is faster. 308 308 - ''; 309 309 - }; 310 310 - mandatoryFeatures = mkOption { 311 311 - type = types.listOf types.str; 312 312 - default = [ ]; 313 313 - example = [ "big-parallel" ]; 314 314 - description = lib.mdDoc '' 315 315 - A list of features mandatory for this builder. The builder will 316 316 - be ignored for derivations that don't require all features in 317 317 - this list. All mandatory features are automatically included in 318 318 - {var}`supportedFeatures`. 319 319 - ''; 320 320 - }; 321 321 - supportedFeatures = mkOption { 322 322 - type = types.listOf types.str; 323 323 - default = [ ]; 324 324 - example = [ "kvm" "big-parallel" ]; 325 325 - description = lib.mdDoc '' 326 326 - A list of features supported by this builder. The builder will 327 327 - be ignored for derivations that require features not in this 328 328 - list. 329 329 - ''; 330 330 - }; 331 331 - publicHostKey = mkOption { 332 332 - type = types.nullOr types.str; 333 333 - default = null; 334 334 - description = lib.mdDoc '' 335 335 - The (base64-encoded) public host key of this builder. The field 336 336 - is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`. 337 337 - If null, SSH will use its regular known-hosts file when connecting. 338 338 - ''; 339 339 - }; 340 340 - }; 341 341 - }); 342 342 - default = [ ]; 343 343 - description = lib.mdDoc '' 344 344 - This option lists the machines to be used if distributed builds are 345 345 - enabled (see {option}`nix.distributedBuilds`). 346 346 - Nix will perform derivations on those machines via SSH by copying the 347 347 - inputs to the Nix store on the remote machine, starting the build, 348 348 - then copying the output back to the local Nix store. 349 349 - ''; 350 350 - }; 351 351 - 352 352 - # Environment variables for running Nix. 353 353 - envVars = mkOption { 354 354 - type = types.attrs; 355 355 - internal = true; 356 356 - default = { }; 357 357 - description = lib.mdDoc "Environment variables used by Nix."; 358 358 - }; 359 359 - 360 360 - nrBuildUsers = mkOption { 361 361 - type = types.int; 362 362 - description = lib.mdDoc '' 363 363 - Number of `nixbld` user accounts created to 364 364 - perform secure concurrent builds. If you receive an error 365 365 - message saying that “all build users are currently in use”, 366 366 - you should increase this value. 367 367 - ''; 368 368 - }; 369 369 - 370 370 - nixPath = mkOption { 371 371 - type = types.listOf types.str; 372 372 - default = [ 373 373 - "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" 374 374 - "nixos-config=/etc/nixos/configuration.nix" 375 375 - "/nix/var/nix/profiles/per-user/root/channels" 376 376 - ]; 377 377 - description = lib.mdDoc '' 378 378 - The default Nix expression search path, used by the Nix 379 379 - evaluator to look up paths enclosed in angle brackets 380 380 - (e.g. `<nixpkgs>`). 381 381 - ''; 382 382 - }; 383 383 - 384 384 - checkConfig = mkOption { 385 385 - type = types.bool; 386 386 - default = true; 387 387 - description = lib.mdDoc '' 388 388 - If enabled, checks that Nix can parse the generated nix.conf. 389 389 - ''; 390 390 - }; 391 391 - 392 392 - checkAllErrors = mkOption { 393 393 - type = types.bool; 394 394 - default = true; 395 395 - description = lib.mdDoc '' 396 396 - If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. 397 397 - ''; 398 398 - }; 399 399 - 400 400 - registry = mkOption { 401 401 - type = types.attrsOf (types.submodule ( 402 402 - let 403 403 - referenceAttrs = with types; attrsOf (oneOf [ 404 404 - str 405 405 - int 406 406 - bool 407 407 - path 408 408 - package 409 409 - ]); 410 410 - in 411 411 - { config, name, ... }: 412 412 - { 413 413 - options = { 414 414 - from = mkOption { 415 415 - type = referenceAttrs; 416 416 - example = { type = "indirect"; id = "nixpkgs"; }; 417 417 - description = lib.mdDoc "The flake reference to be rewritten."; 418 418 - }; 419 419 - to = mkOption { 420 420 - type = referenceAttrs; 421 421 - example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; 422 422 - description = lib.mdDoc "The flake reference {option}`from` is rewritten to."; 423 423 - }; 424 424 - flake = mkOption { 425 425 - type = types.nullOr types.attrs; 426 426 - default = null; 427 427 - example = literalExpression "nixpkgs"; 428 428 - description = lib.mdDoc '' 429 429 - The flake input {option}`from` is rewritten to. 430 430 - ''; 431 431 - }; 432 432 - exact = mkOption { 433 433 - type = types.bool; 434 434 - default = true; 435 435 - description = lib.mdDoc '' 436 436 - Whether the {option}`from` reference needs to match exactly. If set, 437 437 - a {option}`from` reference like `nixpkgs` does not 438 438 - match with a reference like `nixpkgs/nixos-20.03`. 439 439 - ''; 440 440 - }; 441 441 - }; 442 442 - config = { 443 443 - from = mkDefault { type = "indirect"; id = name; }; 444 444 - to = mkIf (config.flake != null) (mkDefault ( 445 445 - { 446 446 - type = "path"; 447 447 - path = config.flake.outPath; 448 448 - } // filterAttrs 449 449 - (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") 450 450 - config.flake 451 451 - )); 452 452 - }; 453 453 - } 454 454 - )); 455 455 - default = { }; 456 456 - description = lib.mdDoc '' 457 457 - A system-wide flake registry. 458 458 - ''; 459 459 - }; 460 460 - 461 461 - extraOptions = mkOption { 462 462 - type = types.lines; 463 463 - default = ""; 464 464 - example = '' 465 465 - keep-outputs = true 466 466 - keep-derivations = true 467 467 - ''; 468 468 - description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; 469 469 - }; 470 470 - 471 471 - settings = mkOption { 472 472 - type = types.submodule { 473 473 - freeformType = semanticConfType; 474 474 - 475 475 - options = { 476 476 - max-jobs = mkOption { 477 477 - type = types.either types.int (types.enum [ "auto" ]); 478 478 - default = "auto"; 479 479 - example = 64; 480 480 - description = lib.mdDoc '' 481 481 - This option defines the maximum number of jobs that Nix will try to 482 482 - build in parallel. The default is auto, which means it will use all 483 483 - available logical cores. It is recommend to set it to the total 484 484 - number of logical cores in your system (e.g., 16 for two CPUs with 4 485 485 - cores each and hyper-threading). 486 486 - ''; 487 487 - }; 488 488 - 489 489 - auto-optimise-store = mkOption { 490 490 - type = types.bool; 491 491 - default = false; 492 492 - example = true; 493 493 - description = lib.mdDoc '' 494 494 - If set to true, Nix automatically detects files in the store that have 495 495 - identical contents, and replaces them with hard links to a single copy. 496 496 - This saves disk space. If set to false (the default), you can still run 497 497 - nix-store --optimise to get rid of duplicate files. 498 498 - ''; 499 499 - }; 500 500 - 501 501 - cores = mkOption { 502 502 - type = types.int; 503 503 - default = 0; 504 504 - example = 64; 505 505 - description = lib.mdDoc '' 506 506 - This option defines the maximum number of concurrent tasks during 507 507 - one build. It affects, e.g., -j option for make. 508 508 - The special value 0 means that the builder should use all 509 509 - available CPU cores in the system. Some builds may become 510 510 - non-deterministic with this option; use with care! Packages will 511 511 - only be affected if enableParallelBuilding is set for them. 512 512 - ''; 513 513 - }; 514 514 - 515 515 - sandbox = mkOption { 516 516 - type = types.either types.bool (types.enum [ "relaxed" ]); 517 517 - default = true; 518 518 - description = lib.mdDoc '' 519 519 - If set, Nix will perform builds in a sandboxed environment that it 520 520 - will set up automatically for each build. This prevents impurities 521 521 - in builds by disallowing access to dependencies outside of the Nix 522 522 - store by using network and mount namespaces in a chroot environment. 523 523 - 524 524 - This is enabled by default even though it has a possible performance 525 525 - impact due to the initial setup time of a sandbox for each build. It 526 526 - doesn't affect derivation hashes, so changing this option will not 527 527 - trigger a rebuild of packages. 528 528 - 529 529 - When set to "relaxed", this option permits derivations that set 530 530 - `__noChroot = true;` to run outside of the sandboxed environment. 531 531 - Exercise caution when using this mode of operation! It is intended to 532 532 - be a quick hack when building with packages that are not easily setup 533 533 - to be built reproducibly. 534 534 - ''; 535 535 - }; 536 536 - 537 537 - extra-sandbox-paths = mkOption { 538 538 - type = types.listOf types.str; 539 539 - default = [ ]; 540 540 - example = [ "/dev" "/proc" ]; 541 541 - description = lib.mdDoc '' 542 542 - Directories from the host filesystem to be included 543 543 - in the sandbox. 544 544 - ''; 545 545 - }; 546 546 - 547 547 - substituters = mkOption { 548 548 - type = types.listOf types.str; 549 549 - description = lib.mdDoc '' 550 550 - List of binary cache URLs used to obtain pre-built binaries 551 551 - of Nix packages. 552 552 - 553 553 - By default https://cache.nixos.org/ is added. 554 554 - ''; 555 555 - }; 556 556 - 557 557 - trusted-substituters = mkOption { 558 558 - type = types.listOf types.str; 559 559 - default = [ ]; 560 560 - example = [ "https://hydra.nixos.org/" ]; 561 561 - description = lib.mdDoc '' 562 562 - List of binary cache URLs that non-root users can use (in 563 563 - addition to those specified using 564 564 - {option}`nix.settings.substituters`) by passing 565 565 - `--option binary-caches` to Nix commands. 566 566 - ''; 567 567 - }; 568 568 - 569 569 - require-sigs = mkOption { 570 570 - type = types.bool; 571 571 - default = true; 572 572 - description = lib.mdDoc '' 573 573 - If enabled (the default), Nix will only download binaries from binary caches if 574 574 - they are cryptographically signed with any of the keys listed in 575 575 - {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither 576 576 - required nor checked, so it's strongly recommended that you use only 577 577 - trustworthy caches and https to prevent man-in-the-middle attacks. 578 578 - ''; 579 579 - }; 580 580 - 581 581 - trusted-public-keys = mkOption { 582 582 - type = types.listOf types.str; 583 583 - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; 584 584 - description = lib.mdDoc '' 585 585 - List of public keys used to sign binary caches. If 586 586 - {option}`nix.settings.trusted-public-keys` is enabled, 587 587 - then Nix will use a binary from a binary cache if and only 588 588 - if it is signed by *any* of the keys 589 589 - listed here. By default, only the key for 590 590 - `cache.nixos.org` is included. 591 591 - ''; 592 592 - }; 593 593 - 594 594 - trusted-users = mkOption { 595 595 - type = types.listOf types.str; 596 596 - default = [ "root" ]; 597 597 - example = [ "root" "alice" "@wheel" ]; 598 598 - description = lib.mdDoc '' 599 599 - A list of names of users that have additional rights when 600 600 - connecting to the Nix daemon, such as the ability to specify 601 601 - additional binary caches, or to import unsigned NARs. You 602 602 - can also specify groups by prefixing them with 603 603 - `@`; for instance, 604 604 - `@wheel` means all users in the wheel 605 605 - group. 606 606 - ''; 607 607 - }; 608 608 - 609 609 - system-features = mkOption { 610 610 - type = types.listOf types.str; 611 611 - example = [ "kvm" "big-parallel" "gccarch-skylake" ]; 612 612 - description = lib.mdDoc '' 613 613 - The set of features supported by the machine. Derivations 614 614 - can express dependencies on system features through the 615 615 - `requiredSystemFeatures` attribute. 616 616 - 617 617 - By default, pseudo-features `nixos-test`, `benchmark`, 618 618 - and `big-parallel` used in Nixpkgs are set, `kvm` 619 619 - is also included if it is available. 620 620 - ''; 621 621 - }; 622 622 - 623 623 - allowed-users = mkOption { 624 624 - type = types.listOf types.str; 625 625 - default = [ "*" ]; 626 626 - example = [ "@wheel" "@builders" "alice" "bob" ]; 627 627 - description = lib.mdDoc '' 628 628 - A list of names of users (separated by whitespace) that are 629 629 - allowed to connect to the Nix daemon. As with 630 630 - {option}`nix.settings.trusted-users`, you can specify groups by 631 631 - prefixing them with `@`. Also, you can 632 632 - allow all users by specifying `*`. The 633 633 - default is `*`. Note that trusted users are 634 634 - always allowed to connect. 635 635 - ''; 636 636 - }; 637 637 - }; 638 638 - }; 639 639 - default = { }; 640 640 - example = literalExpression '' 641 641 - { 642 642 - use-sandbox = true; 643 643 - show-trace = true; 644 644 - 645 645 - system-features = [ "big-parallel" "kvm" "recursive-nix" ]; 646 646 - sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; 647 647 - } 648 648 - ''; 649 649 - description = lib.mdDoc '' 650 650 - Configuration for Nix, see 651 651 - <https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or 652 652 - {manpage}`nix.conf(5)` for available options. 653 653 - The value declared here will be translated directly to the key-value pairs Nix expects. 654 654 - 655 655 - You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings` 656 656 - to view the current value. By default it is empty. 657 657 - 658 658 - Nix configurations defined under {option}`nix.*` will be translated and applied to this 659 659 - option. In addition, configuration specified in {option}`nix.extraOptions` will be appended 660 660 - verbatim to the resulting config file. 661 661 - ''; 662 662 - }; 663 663 - }; 664 664 - }; 665 665 - 666 666 - 667 667 - ###### implementation 668 668 - 669 669 - config = mkIf cfg.enable { 670 670 - environment.systemPackages = 671 671 - [ 672 672 - nixPackage 673 673 - pkgs.nix-info 674 674 - ] 675 675 - ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; 676 676 - 677 677 - environment.etc."nix/nix.conf".source = nixConf; 678 678 - 679 679 - environment.etc."nix/registry.json".text = builtins.toJSON { 680 680 - version = 2; 681 681 - flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; 682 682 - }; 683 683 - 684 684 - # List of machines for distributed Nix builds in the format 685 685 - # expected by build-remote.pl. 686 686 - environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) { 687 687 - text = 688 688 - concatMapStrings 689 689 - (machine: 690 690 - (concatStringsSep " " ([ 691 691 - "${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" 692 692 - (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") 693 693 - (if machine.sshKey != null then machine.sshKey else "-") 694 694 - (toString machine.maxJobs) 695 695 - (toString machine.speedFactor) 696 696 - (let res = (machine.supportedFeatures ++ machine.mandatoryFeatures); 697 697 - in if (res == []) then "-" else (concatStringsSep "," res)) 698 698 - (let res = machine.mandatoryFeatures; 699 699 - in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures)) 700 700 - ] 701 701 - ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) 702 702 - + "\n" 703 703 - ) 704 704 - cfg.buildMachines; 705 705 - }; 706 706 - 707 707 - assertions = 708 708 - let badMachine = m: m.system == null && m.systems == [ ]; 709 709 - in 710 710 - [ 711 711 - { 712 712 - assertion = !(any badMachine cfg.buildMachines); 713 713 - message = '' 714 714 - At least one system type (via <varname>system</varname> or 715 715 - <varname>systems</varname>) must be set for every build machine. 716 716 - Invalid machine specifications: 717 717 - '' + " " + 718 718 - (concatStringsSep "\n " 719 719 - (map (m: m.hostName) 720 720 - (filter (badMachine) cfg.buildMachines))); 721 721 - } 722 722 - ]; 723 723 - 724 724 - systemd.packages = [ nixPackage ]; 725 725 - 726 726 - # Will only work once https://github.com/NixOS/nix/pull/6285 is merged 727 727 - # systemd.tmpfiles.packages = [ nixPackage ]; 728 728 - 729 729 - # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285 730 730 - systemd.tmpfiles.rules = [ 731 731 - "d /nix/var/nix/daemon-socket 0755 root root - -" 732 732 - ]; 733 733 - 734 734 - systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; 735 735 - 736 736 - systemd.services.nix-daemon = 737 737 - { 738 738 - path = [ nixPackage pkgs.util-linux config.programs.ssh.package ] 739 739 - ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; 740 740 - 741 741 - environment = cfg.envVars 742 742 - // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } 743 743 - // config.networking.proxy.envVars; 744 744 - 745 745 - unitConfig.RequiresMountsFor = "/nix/store"; 746 746 - 747 747 - serviceConfig = 748 748 - { 749 749 - CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; 750 750 - IOSchedulingClass = cfg.daemonIOSchedClass; 751 751 - IOSchedulingPriority = cfg.daemonIOSchedPriority; 752 752 - LimitNOFILE = 1048576; 753 753 - }; 754 754 - 755 755 - restartTriggers = [ nixConf ]; 756 756 - 757 757 - # `stopIfChanged = false` changes to switch behavior 758 758 - # from stop -> update units -> start 759 759 - # to update units -> restart 760 760 - # 761 761 - # The `stopIfChanged` setting therefore controls a trade-off between a 762 762 - # more predictable lifecycle, which runs the correct "version" of 763 763 - # the `ExecStop` line, and on the other hand the availability of 764 764 - # sockets during the switch, as the effectiveness of the stop operation 765 765 - # depends on the socket being stopped as well. 766 766 - # 767 767 - # As `nix-daemon.service` does not make use of `ExecStop`, we prefer 768 768 - # to keep the socket up and available. This is important for machines 769 769 - # that run Nix-based services, such as automated build, test, and deploy 770 770 - # services, that expect the daemon socket to be available at all times. 771 771 - # 772 772 - # Notably, the Nix client does not retry on failure to connect to the 773 773 - # daemon socket, and the in-process RemoteStore instance will disable 774 774 - # itself. This makes retries infeasible even for services that are 775 775 - # aware of the issue. Failure to connect can affect not only new client 776 776 - # processes, but also new RemoteStore instances in existing processes, 777 777 - # as well as existing RemoteStore instances that have not saturated 778 778 - # their connection pool. 779 779 - # 780 780 - # Also note that `stopIfChanged = true` does not kill existing 781 781 - # connection handling daemons, as one might wish to happen before a 782 782 - # breaking Nix upgrade (which is rare). The daemon forks that handle 783 783 - # the individual connections split off into their own sessions, causing 784 784 - # them not to be stopped by systemd. 785 785 - # If a Nix upgrade does require all existing daemon processes to stop, 786 786 - # nix-daemon must do so on its own accord, and only when the new version 787 787 - # starts and detects that Nix's persistent state needs an upgrade. 788 788 - stopIfChanged = false; 789 789 - 790 790 - }; 791 791 - 792 792 - # Set up the environment variables for running Nix. 793 793 - environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; 794 794 - 795 795 - environment.extraInit = 796 796 - '' 797 797 - if [ -e "$HOME/.nix-defexpr/channels" ]; then 798 798 - export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" 799 799 - fi 800 800 - ''; 801 801 - 802 802 - nix.nrBuildUsers = mkDefault ( 803 803 - if cfg.settings.auto-allocate-uids or false then 0 804 804 - else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) 805 805 - ); 806 806 - 807 807 - users.users = nixbldUsers; 808 808 - 809 809 - services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; 810 810 - 811 811 - system.activationScripts.nix = stringAfter [ "etc" "users" ] 812 812 - '' 813 813 - install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user 814 814 - 815 815 - # Subscribe the root user to the NixOS channel by default. 816 816 - if [ ! -e "/root/.nix-channels" ]; then 817 817 - echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" 818 818 - fi 819 819 - ''; 820 820 - 821 821 - # Legacy configuration conversion. 822 822 - nix.settings = mkMerge [ 823 823 - { 824 824 - trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; 825 825 - substituters = mkAfter [ "https://cache.nixos.org/" ]; 826 826 - 827 827 - system-features = mkDefault ( 828 828 - [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ 829 829 - optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( 830 830 - # a builder can run code for `gcc.arch` and inferior architectures 831 831 - [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ 832 832 - map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) 833 833 - ) 834 834 - ); 835 835 - } 836 836 - 837 837 - (mkIf (!cfg.distributedBuilds) { builders = null; }) 838 838 - 839 839 - (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) 840 840 - ]; 841 841 - 842 842 - }; 843 843 - 844 844 - }

+263

nixos/modules/services/system/nix-daemon.nix

··· 1 1 + /* 2 2 + Declares what makes the nix-daemon work on systemd. 3 3 + 4 4 + See also 5 5 + - nixos/modules/config/nix.nix: the nix.conf 6 6 + - nixos/modules/config/nix-remote-build.nix: the nix.conf 7 7 + */ 8 8 + { config, lib, pkgs, ... }: 9 9 + 10 10 + with lib; 11 11 + 12 12 + let 13 13 + 14 14 + cfg = config.nix; 15 15 + 16 16 + nixPackage = cfg.package.out; 17 17 + 18 18 + isNixAtLeast = versionAtLeast (getVersion nixPackage); 19 19 + 20 20 + makeNixBuildUser = nr: { 21 21 + name = "nixbld${toString nr}"; 22 22 + value = { 23 23 + description = "Nix build user ${toString nr}"; 24 24 + 25 25 + /* 26 26 + For consistency with the setgid(2), setuid(2), and setgroups(2) 27 27 + calls in `libstore/build.cc', don't add any supplementary group 28 28 + here except "nixbld". 29 29 + */ 30 30 + uid = builtins.add config.ids.uids.nixbld nr; 31 31 + isSystemUser = true; 32 32 + group = "nixbld"; 33 33 + extraGroups = [ "nixbld" ]; 34 34 + }; 35 35 + }; 36 36 + 37 37 + nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); 38 38 + 39 39 + in 40 40 + 41 41 + { 42 42 + imports = [ 43 43 + ../../config/nix.nix 44 44 + 45 45 + (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) 46 46 + (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; }) 47 47 + (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") 48 48 + ]; 49 49 + 50 50 + ###### interface 51 51 + 52 52 + options = { 53 53 + 54 54 + nix = { 55 55 + 56 56 + enable = mkOption { 57 57 + type = types.bool; 58 58 + default = true; 59 59 + description = lib.mdDoc '' 60 60 + Whether to enable Nix. 61 61 + Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself. 62 62 + ''; 63 63 + }; 64 64 + 65 65 + package = mkOption { 66 66 + type = types.package; 67 67 + default = pkgs.nix; 68 68 + defaultText = literalExpression "pkgs.nix"; 69 69 + description = lib.mdDoc '' 70 70 + This option specifies the Nix package instance to use throughout the system. 71 71 + ''; 72 72 + }; 73 73 + 74 74 + daemonCPUSchedPolicy = mkOption { 75 75 + type = types.enum [ "other" "batch" "idle" ]; 76 76 + default = "other"; 77 77 + example = "batch"; 78 78 + description = lib.mdDoc '' 79 79 + Nix daemon process CPU scheduling policy. This policy propagates to 80 80 + build processes. `other` is the default scheduling 81 81 + policy for regular tasks. The `batch` policy is 82 82 + similar to `other`, but optimised for 83 83 + non-interactive tasks. `idle` is for extremely 84 84 + low-priority tasks that should only be run when no other task 85 85 + requires CPU time. 86 86 + 87 87 + Please note that while using the `idle` policy may 88 88 + greatly improve responsiveness of a system performing expensive 89 89 + builds, it may also slow down and potentially starve crucial 90 90 + configuration updates during load. 91 91 + 92 92 + `idle` may therefore be a sensible policy for 93 93 + systems that experience only intermittent phases of high CPU load, 94 94 + such as desktop or portable computers used interactively. Other 95 95 + systems should use the `other` or 96 96 + `batch` policy instead. 97 97 + 98 98 + For more fine-grained resource control, please refer to 99 99 + {manpage}`systemd.resource-control(5)` and adjust 100 100 + {option}`systemd.services.nix-daemon` directly. 101 101 + ''; 102 102 + }; 103 103 + 104 104 + daemonIOSchedClass = mkOption { 105 105 + type = types.enum [ "best-effort" "idle" ]; 106 106 + default = "best-effort"; 107 107 + example = "idle"; 108 108 + description = lib.mdDoc '' 109 109 + Nix daemon process I/O scheduling class. This class propagates to 110 110 + build processes. `best-effort` is the default 111 111 + class for regular tasks. The `idle` class is for 112 112 + extremely low-priority tasks that should only perform I/O when no 113 113 + other task does. 114 114 + 115 115 + Please note that while using the `idle` scheduling 116 116 + class can improve responsiveness of a system performing expensive 117 117 + builds, it might also slow down or starve crucial configuration 118 118 + updates during load. 119 119 + 120 120 + `idle` may therefore be a sensible class for 121 121 + systems that experience only intermittent phases of high I/O load, 122 122 + such as desktop or portable computers used interactively. Other 123 123 + systems should use the `best-effort` class. 124 124 + ''; 125 125 + }; 126 126 + 127 127 + daemonIOSchedPriority = mkOption { 128 128 + type = types.int; 129 129 + default = 4; 130 130 + example = 1; 131 131 + description = lib.mdDoc '' 132 132 + Nix daemon process I/O scheduling priority. This priority propagates 133 133 + to build processes. The supported priorities depend on the 134 134 + scheduling policy: With idle, priorities are not used in scheduling 135 135 + decisions. best-effort supports values in the range 0 (high) to 7 136 136 + (low). 137 137 + ''; 138 138 + }; 139 139 + 140 140 + # Environment variables for running Nix. 141 141 + envVars = mkOption { 142 142 + type = types.attrs; 143 143 + internal = true; 144 144 + default = { }; 145 145 + description = lib.mdDoc "Environment variables used by Nix."; 146 146 + }; 147 147 + 148 148 + nrBuildUsers = mkOption { 149 149 + type = types.int; 150 150 + description = lib.mdDoc '' 151 151 + Number of `nixbld` user accounts created to 152 152 + perform secure concurrent builds. If you receive an error 153 153 + message saying that “all build users are currently in use”, 154 154 + you should increase this value. 155 155 + ''; 156 156 + }; 157 157 + }; 158 158 + }; 159 159 + 160 160 + 161 161 + ###### implementation 162 162 + 163 163 + config = mkIf cfg.enable { 164 164 + environment.systemPackages = 165 165 + [ 166 166 + nixPackage 167 167 + pkgs.nix-info 168 168 + ] 169 169 + ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; 170 170 + 171 171 + systemd.packages = [ nixPackage ]; 172 172 + 173 173 + # Will only work once https://github.com/NixOS/nix/pull/6285 is merged 174 174 + # systemd.tmpfiles.packages = [ nixPackage ]; 175 175 + 176 176 + # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285 177 177 + systemd.tmpfiles.rules = [ 178 178 + "d /nix/var/nix/daemon-socket 0755 root root - -" 179 179 + ]; 180 180 + 181 181 + systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; 182 182 + 183 183 + systemd.services.nix-daemon = 184 184 + { 185 185 + path = [ nixPackage pkgs.util-linux config.programs.ssh.package ] 186 186 + ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; 187 187 + 188 188 + environment = cfg.envVars 189 189 + // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } 190 190 + // config.networking.proxy.envVars; 191 191 + 192 192 + unitConfig.RequiresMountsFor = "/nix/store"; 193 193 + 194 194 + serviceConfig = 195 195 + { 196 196 + CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; 197 197 + IOSchedulingClass = cfg.daemonIOSchedClass; 198 198 + IOSchedulingPriority = cfg.daemonIOSchedPriority; 199 199 + LimitNOFILE = 1048576; 200 200 + }; 201 201 + 202 202 + restartTriggers = [ config.environment.etc."nix/nix.conf".source ]; 203 203 + 204 204 + # `stopIfChanged = false` changes to switch behavior 205 205 + # from stop -> update units -> start 206 206 + # to update units -> restart 207 207 + # 208 208 + # The `stopIfChanged` setting therefore controls a trade-off between a 209 209 + # more predictable lifecycle, which runs the correct "version" of 210 210 + # the `ExecStop` line, and on the other hand the availability of 211 211 + # sockets during the switch, as the effectiveness of the stop operation 212 212 + # depends on the socket being stopped as well. 213 213 + # 214 214 + # As `nix-daemon.service` does not make use of `ExecStop`, we prefer 215 215 + # to keep the socket up and available. This is important for machines 216 216 + # that run Nix-based services, such as automated build, test, and deploy 217 217 + # services, that expect the daemon socket to be available at all times. 218 218 + # 219 219 + # Notably, the Nix client does not retry on failure to connect to the 220 220 + # daemon socket, and the in-process RemoteStore instance will disable 221 221 + # itself. This makes retries infeasible even for services that are 222 222 + # aware of the issue. Failure to connect can affect not only new client 223 223 + # processes, but also new RemoteStore instances in existing processes, 224 224 + # as well as existing RemoteStore instances that have not saturated 225 225 + # their connection pool. 226 226 + # 227 227 + # Also note that `stopIfChanged = true` does not kill existing 228 228 + # connection handling daemons, as one might wish to happen before a 229 229 + # breaking Nix upgrade (which is rare). The daemon forks that handle 230 230 + # the individual connections split off into their own sessions, causing 231 231 + # them not to be stopped by systemd. 232 232 + # If a Nix upgrade does require all existing daemon processes to stop, 233 233 + # nix-daemon must do so on its own accord, and only when the new version 234 234 + # starts and detects that Nix's persistent state needs an upgrade. 235 235 + stopIfChanged = false; 236 236 + 237 237 + }; 238 238 + 239 239 + # Set up the environment variables for running Nix. 240 240 + environment.sessionVariables = cfg.envVars; 241 241 + 242 242 + nix.nrBuildUsers = mkDefault ( 243 243 + if cfg.settings.auto-allocate-uids or false then 0 244 244 + else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) 245 245 + ); 246 246 + 247 247 + users.users = nixbldUsers; 248 248 + 249 249 + services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; 250 250 + 251 251 + system.activationScripts.nix = stringAfter [ "etc" "users" ] 252 252 + '' 253 253 + install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user 254 254 + ''; 255 255 + 256 256 + # Legacy configuration conversion. 257 257 + nix.settings = mkMerge [ 258 258 + (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) 259 259 + ]; 260 260 + 261 261 + }; 262 262 + 263 263 + }