tjh.dev
1<chapter xmlns="http://docbook.org/ns/docbook"
2 xmlns:xlink="http://www.w3.org/1999/xlink"
3 xml:id="chap-packageconfig">
4 <title>Global configuration</title>
5 <para>
6 Nix comes with certain defaults about what packages can and cannot be installed, based on a package's metadata. By default, Nix will prevent installation if any of the following criteria are true:
7 </para>
8 <itemizedlist>
9 <listitem>
10 <para>
11 The package is thought to be broken, and has had its <literal>meta.broken</literal> set to <literal>true</literal>.
12 </para>
13 </listitem>
14 <listitem>
15 <para>
16 The package isn't intended to run on the given system, as none of its <literal>meta.platforms</literal> match the given system.
17 </para>
18 </listitem>
19 <listitem>
20 <para>
21 The package's <literal>meta.license</literal> is set to a license which is considered to be unfree.
22 </para>
23 </listitem>
24 <listitem>
25 <para>
26 The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package's <literal>meta.knownVulnerabilities</literal>.
27 </para>
28 </listitem>
29 </itemizedlist>
30 <para>
31 Note that all this is checked during evaluation already, and the check includes any package that is evaluated. In particular, all build-time dependencies are checked. <literal>nix-env -qa</literal> will (attempt to) hide any packages that would be refused.
32 </para>
33 <para>
34 Each of these criteria can be altered in the nixpkgs configuration.
35 </para>
36 <para>
37 The nixpkgs configuration for a NixOS system is set in the <literal>configuration.nix</literal>, as in the following example:
38<programlisting>
39{
40 nixpkgs.config = {
41 allowUnfree = true;
42 };
43}
44</programlisting>
45 However, this does not allow unfree software for individual users. Their configurations are managed separately.
46 </para>
47 <para>
48 A user's nixpkgs configuration is stored in a user-specific configuration file located at <filename>~/.config/nixpkgs/config.nix</filename>. For example:
49<programlisting>
50{
51 allowUnfree = true;
52}
53</programlisting>
54 </para>
55 <para>
56 Note that we are not able to test or build unfree software on Hydra due to policy. Most unfree licenses prohibit us from either executing or distributing the software.
57 </para>
58 <section xml:id="sec-allow-broken">
59 <title>Installing broken packages</title>
60
61 <para>
62 There are two ways to try compiling a package which has been marked as broken.
63 </para>
64
65 <itemizedlist>
66 <listitem>
67 <para>
68 For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:
69<programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting>
70 </para>
71 </listitem>
72 <listitem>
73 <para>
74 For permanently allowing broken packages to be built, you may add <literal>allowBroken = true;</literal> to your user's configuration file, like this:
75<programlisting>
76{
77 allowBroken = true;
78}
79</programlisting>
80 </para>
81 </listitem>
82 </itemizedlist>
83 </section>
84 <section xml:id="sec-allow-unsupported-system">
85 <title>Installing packages on unsupported systems</title>
86
87 <para>
88 There are also two ways to try compiling a package which has been marked as unsupported for the given system.
89 </para>
90
91 <itemizedlist>
92 <listitem>
93 <para>
94 For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools:
95<programlisting>$ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</programlisting>
96 </para>
97 </listitem>
98 <listitem>
99 <para>
100 For permanently allowing unsupported packages to be built, you may add <literal>allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
101<programlisting>
102{
103 allowUnsupportedSystem = true;
104}
105</programlisting>
106 </para>
107 </listitem>
108 </itemizedlist>
109
110 <para>
111 The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program <emphasis>ought</emphasis> to work on a certain platform, but doesn't, the platform should be included in <literal>meta.platforms</literal>, but marked as broken with e.g. <literal>meta.broken = !hostPlatform.isWindows</literal>. Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer.
112 </para>
113 </section>
114 <section xml:id="sec-allow-unfree">
115 <title>Installing unfree packages</title>
116
117 <para>
118 There are several ways to tweak how Nix handles a package which has been marked as unfree.
119 </para>
120
121 <itemizedlist>
122 <listitem>
123 <para>
124 To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:
125<programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting>
126 </para>
127 </listitem>
128 <listitem>
129 <para>
130 It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the <literal>allowUnfreePredicate</literal> configuration option in the user configuration file.
131 </para>
132 <para>
133 This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false:
134<programlisting>
135{
136 allowUnfreePredicate = (pkg: false);
137}
138</programlisting>
139 </para>
140 <para>
141 For a more useful example, try the following. This configuration only allows unfree packages named flash player and visual studio code:
142<programlisting>
143{
144 allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
145 "flashplayer"
146 "vscode"
147 ];
148}
149</programlisting>
150 </para>
151 </listitem>
152 <listitem>
153 <para>
154 It is also possible to whitelist and blacklist licenses that are specifically acceptable or not acceptable, using <literal>whitelistedLicenses</literal> and <literal>blacklistedLicenses</literal>, respectively.
155 </para>
156 <para>
157 The following example configuration whitelists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
158<programlisting>
159{
160 whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
161}
162</programlisting>
163 </para>
164 <para>
165 The following example configuration blacklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
166<programlisting>
167{
168 blacklistedLicenses = with stdenv.lib.licenses; [ agpl3Only gpl3Only ];
169}
170</programlisting>
171 </para>
172 </listitem>
173 </itemizedlist>
174
175 <para>
176 A complete list of licenses can be found in the file <filename>lib/licenses.nix</filename> of the nixpkgs tree.
177 </para>
178 </section>
179 <section xml:id="sec-allow-insecure">
180 <title>Installing insecure packages</title>
181
182 <para>
183 There are several ways to tweak how Nix handles a package which has been marked as insecure.
184 </para>
185
186 <itemizedlist>
187 <listitem>
188 <para>
189 To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:
190<programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting>
191 </para>
192 </listitem>
193 <listitem>
194 <para>
195 It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the <literal>permittedInsecurePackages</literal> configuration option in the user configuration file.
196 </para>
197 <para>
198 The following example configuration permits the installation of the hypothetically insecure package <literal>hello</literal>, version <literal>1.2.3</literal>:
199<programlisting>
200{
201 permittedInsecurePackages = [
202 "hello-1.2.3"
203 ];
204}
205</programlisting>
206 </para>
207 </listitem>
208 <listitem>
209 <para>
210 It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the <literal>allowInsecurePredicate</literal> configuration option.
211 </para>
212 <para>
213 The <literal>allowInsecurePredicate</literal> option is a function which accepts a package and returns a boolean, much like <literal>allowUnfreePredicate</literal>.
214 </para>
215 <para>
216 The following configuration example only allows insecure packages with very short names:
217<programlisting>
218{
219 allowInsecurePredicate = pkg: builtins.stringLength (lib.getName pkg) <= 5;
220}
221</programlisting>
222 </para>
223 <para>
224 Note that <literal>permittedInsecurePackages</literal> is only checked if <literal>allowInsecurePredicate</literal> is not specified.
225 </para>
226 </listitem>
227 </itemizedlist>
228 </section>
229<!--============================================================-->
230 <section xml:id="sec-modify-via-packageOverrides">
231 <title>Modify packages via <literal>packageOverrides</literal></title>
232
233 <para>
234 You can define a function called <varname>packageOverrides</varname> in your local <filename>~/.config/nixpkgs/config.nix</filename> to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.
235<programlisting>
236{
237 packageOverrides = pkgs: rec {
238 foo = pkgs.foo.override { ... };
239 };
240}
241</programlisting>
242 </para>
243 </section>
244 <section xml:id="sec-declarative-package-management">
245 <title>Declarative Package Management</title>
246
247 <section xml:id="sec-building-environment">
248 <title>Build an environment</title>
249
250 <para>
251 Using <literal>packageOverrides</literal>, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have <literal>aspell</literal>, <literal>bc</literal>, <literal>ffmpeg</literal>, <literal>coreutils</literal>, <literal>gdb</literal>, <literal>nixUnstable</literal>, <literal>emscripten</literal>, <literal>jq</literal>, <literal>nox</literal>, and <literal>silver-searcher</literal>, we could use the following in <filename>~/.config/nixpkgs/config.nix</filename>:
252 </para>
253
254<screen>
255{
256 packageOverrides = pkgs: with pkgs; {
257 myPackages = pkgs.buildEnv {
258 name = "my-packages";
259 paths = [
260 aspell
261 bc
262 coreutils
263 gdb
264 ffmpeg
265 nixUnstable
266 emscripten
267 jq
268 nox
269 silver-searcher
270 ];
271 };
272 };
273}
274</screen>
275
276 <para>
277 To install it into our environment, you can just run <literal>nix-env -iA nixpkgs.myPackages</literal>. If you want to load the packages to be built from a working copy of <literal>nixpkgs</literal> you just run <literal>nix-env -f. -iA myPackages</literal>. To explore what's been installed, just look through <filename>~/.nix-profile/</filename>. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
278 </para>
279
280<screen>
281{
282 packageOverrides = pkgs: with pkgs; {
283 myPackages = pkgs.buildEnv {
284 name = "my-packages";
285 paths = [
286 aspell
287 bc
288 coreutils
289 gdb
290 ffmpeg
291 nixUnstable
292 emscripten
293 jq
294 nox
295 silver-searcher
296 ];
297 pathsToLink = [ "/share" "/bin" ];
298 };
299 };
300}
301</screen>
302
303 <para>
304 <literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. <filename>/bin</filename> and <filename>/share</filename> are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, <filename>/Applications</filename>, that makes GUI apps available.
305 </para>
306 </section>
307
308 <section xml:id="sec-getting-documentation">
309 <title>Getting documentation</title>
310
311 <para>
312 After building that new environment, look through <filename>~/.nix-profile</filename> to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let's make Nix install those as well.
313 </para>
314
315<screen>
316{
317 packageOverrides = pkgs: with pkgs; {
318 myPackages = pkgs.buildEnv {
319 name = "my-packages";
320 paths = [
321 aspell
322 bc
323 coreutils
324 ffmpeg
325 nixUnstable
326 emscripten
327 jq
328 nox
329 silver-searcher
330 ];
331 pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
332 extraOutputsToInstall = [ "man" "doc" ];
333 };
334 };
335}
336</screen>
337
338 <para>
339 This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions.
340 </para>
341
342<screen>
343{
344 packageOverrides = pkgs: with pkgs; rec {
345 myProfile = writeText "my-profile" ''
346 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
347 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
348 '';
349 myPackages = pkgs.buildEnv {
350 name = "my-packages";
351 paths = [
352 (runCommand "profile" {} ''
353 mkdir -p $out/etc/profile.d
354 cp ${myProfile} $out/etc/profile.d/my-profile.sh
355 '')
356 aspell
357 bc
358 coreutils
359 ffmpeg
360 man
361 nixUnstable
362 emscripten
363 jq
364 nox
365 silver-searcher
366 ];
367 pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
368 extraOutputsToInstall = [ "man" "doc" ];
369 };
370 };
371}
372</screen>
373
374 <para>
375 For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your <filename>~/.profile</filename> file:
376 </para>
377
378<screen>
379#!/bin/sh
380if [ -d $HOME/.nix-profile/etc/profile.d ]; then
381 for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
382 if [ -r $i ]; then
383 . $i
384 fi
385 done
386fi
387</screen>
388
389 <para>
390 Now just run <literal>source $HOME/.profile</literal> and you can starting loading man pages from your environment.
391 </para>
392 </section>
393
394 <section xml:id="sec-gnu-info-setup">
395 <title>GNU info setup</title>
396
397 <para>
398 Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts.
399 </para>
400
401<screen>
402{
403 packageOverrides = pkgs: with pkgs; rec {
404 myProfile = writeText "my-profile" ''
405 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
406 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
407 export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
408 '';
409 myPackages = pkgs.buildEnv {
410 name = "my-packages";
411 paths = [
412 (runCommand "profile" {} ''
413 mkdir -p $out/etc/profile.d
414 cp ${myProfile} $out/etc/profile.d/my-profile.sh
415 '')
416 aspell
417 bc
418 coreutils
419 ffmpeg
420 man
421 nixUnstable
422 emscripten
423 jq
424 nox
425 silver-searcher
426 texinfoInteractive
427 ];
428 pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
429 extraOutputsToInstall = [ "man" "doc" "info" ];
430 postBuild = ''
431 if [ -x $out/bin/install-info -a -w $out/share/info ]; then
432 shopt -s nullglob
433 for i in $out/share/info/*.info $out/share/info/*.info.gz; do
434 $out/bin/install-info $i $out/share/info/dir
435 done
436 fi
437 '';
438 };
439 };
440}
441</screen>
442
443 <para>
444 <literal>postBuild</literal> tells Nixpkgs to run a command after building the environment. In this case, <literal>install-info</literal> adds the installed info pages to <literal>dir</literal> which is GNU info's default root node. Note that <literal>texinfoInteractive</literal> is added to the environment to give the <literal>install-info</literal> command.
445 </para>
446 </section>
447 </section>
448</chapter>