tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
fork atom
nixpkgs / doc / using / configuration.chapter.md
at gcc-offload 369 lines 13 kB view raw view rendered
1# Global configuration {#chap-packageconfig} 2 3Nix comes with certain defaults about which packages can and cannot be installed, based on a package's metadata. 4By default, Nix will prevent installation if any of the following criteria are true: 5 6- The package is thought to be broken, and has had its `meta.broken` set to `true`. 7 8- The package isn't intended to run on the given system, as none of its `meta.platforms` match the given system. 9 10- The package's `meta.license` is set to a license which is considered to be unfree. 11 12- The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package's `meta.knownVulnerabilities`. 13 14Each of these criteria can be altered in the Nixpkgs configuration. 15 16:::{.note} 17All this is checked during evaluation already, and the check includes any package that is evaluated. 18In particular, all build-time dependencies are checked. 19::: 20 21A user's Nixpkgs configuration is stored in a user-specific configuration file located at `~/.config/nixpkgs/config.nix`. For example: 22 23```nix 24{ 25 allowUnfree = true; 26} 27``` 28 29:::{.caution} 30Unfree software is not tested or built in Nixpkgs continuous integration, and therefore not cached. 31Most unfree licenses prohibit either executing or distributing the software. 32::: 33 34## Installing broken packages {#sec-allow-broken} 35 36There are two ways to try compiling a package which has been marked as broken. 37 38- For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools: 39 40 ```ShellSession 41 $ export NIXPKGS_ALLOW_BROKEN=1 42 ``` 43 44- For permanently allowing broken packages to be built, you may add `allowBroken = true;` to your user's configuration file, like this: 45 46 ```nix 47 { 48 allowBroken = true; 49 } 50 ``` 51 52 53## Installing packages on unsupported systems {#sec-allow-unsupported-system} 54 55There are also two ways to try compiling a package which has been marked as unsupported for the given system. 56 57- For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools: 58 59 ```ShellSession 60 $ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 61 ``` 62 63- For permanently allowing unsupported packages to be built, you may add `allowUnsupportedSystem = true;` to your user's configuration file, like this: 64 65 ```nix 66 { 67 allowUnsupportedSystem = true; 68 } 69 ``` 70 71The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program *ought* to work on a certain platform, but doesn't, the platform should be included in `meta.platforms`, but marked as broken with e.g. `meta.broken = !hostPlatform.isWindows`. Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer. 72 73## Installing unfree packages {#sec-allow-unfree} 74 75All users of Nixpkgs are free software users, and many users (and developers) of Nixpkgs want to limit and tightly control their exposure to unfree software. 76At the same time, many users need (or want) to run some specific pieces of proprietary software. 77Nixpkgs includes some expressions for unfree software packages. 78By default unfree software cannot be installed and doesn’t show up in searches. 79 80There are several ways to tweak how Nix handles a package which has been marked as unfree. 81 82- To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools: 83 84 ```ShellSession 85 $ export NIXPKGS_ALLOW_UNFREE=1 86 ``` 87 88- It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the `allowUnfreePredicate` configuration option in the user configuration file. 89 90 This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false: 91 92 ```nix 93 { 94 allowUnfreePredicate = (pkg: false); 95 } 96 ``` 97 98 For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code: 99 100 ```nix 101 { 102 allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ 103 "roon-server" 104 "vscode" 105 ]; 106 } 107 ``` 108 109- It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using `allowlistedLicenses` and `blocklistedLicenses`, respectively. 110 111 The following example configuration allowlists the licenses `amd` and `wtfpl`: 112 113 ```nix 114 { 115 allowlistedLicenses = with lib.licenses; [ amd wtfpl ]; 116 } 117 ``` 118 119 The following example configuration blocklists the `gpl3Only` and `agpl3Only` licenses: 120 121 ```nix 122 { 123 blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ]; 124 } 125 ``` 126 127 Note that `allowlistedLicenses` only applies to unfree licenses unless `allowUnfree` is enabled. It is not a generic allowlist for all types of licenses. `blocklistedLicenses` applies to all licenses. 128 129A complete list of licenses can be found in the file `lib/licenses.nix` of the nixpkgs tree. 130 131## Installing insecure packages {#sec-allow-insecure} 132 133There are several ways to tweak how Nix handles a package which has been marked as insecure. 134 135- To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools: 136 137 ```ShellSession 138 $ export NIXPKGS_ALLOW_INSECURE=1 139 ``` 140 141- It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the `permittedInsecurePackages` configuration option in the user configuration file. 142 143 The following example configuration permits the installation of the hypothetically insecure package `hello`, version `1.2.3`: 144 145 ```nix 146 { 147 permittedInsecurePackages = [ 148 "hello-1.2.3" 149 ]; 150 } 151 ``` 152 153- It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the `allowInsecurePredicate` configuration option. 154 155 The `allowInsecurePredicate` option is a function which accepts a package and returns a boolean, much like `allowUnfreePredicate`. 156 157 The following configuration example allows any version of the `ovftool` package: 158 159 ```nix 160 { 161 allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [ 162 "ovftool" 163 ]; 164 } 165 ``` 166 167 Note that `permittedInsecurePackages` is only checked if `allowInsecurePredicate` is not specified. 168 169## Modify packages via `packageOverrides` {#sec-modify-via-packageOverrides} 170 171You can define a function called `packageOverrides` in your local `~/.config/nixpkgs/config.nix` to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages. 172 173```nix 174{ 175 packageOverrides = pkgs: rec { 176 foo = pkgs.foo.override { /* ... */ }; 177 }; 178} 179``` 180 181## `config` Options Reference {#sec-config-options-reference} 182 183The following attributes can be passed in [`config`](#chap-packageconfig). 184 185```{=include=} options 186id-prefix: opt- 187list-id: configuration-variable-list 188source: ../config-options.json 189``` 190 191 192## Declarative Package Management {#sec-declarative-package-management} 193 194### Build an environment {#sec-building-environment} 195 196Using `packageOverrides`, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have `aspell`, `bc`, `ffmpeg`, `coreutils`, `gdb`, `nixUnstable`, `emscripten`, `jq`, `nox`, and `silver-searcher`, we could use the following in `~/.config/nixpkgs/config.nix`: 197 198```nix 199{ 200 packageOverrides = pkgs: with pkgs; { 201 myPackages = pkgs.buildEnv { 202 name = "my-packages"; 203 paths = [ 204 aspell 205 bc 206 coreutils 207 gdb 208 ffmpeg 209 nixUnstable 210 emscripten 211 jq 212 nox 213 silver-searcher 214 ]; 215 }; 216 }; 217} 218``` 219 220To install it into our environment, you can just run `nix-env -iA nixpkgs.myPackages`. If you want to load the packages to be built from a working copy of `nixpkgs` you just run `nix-env -f. -iA myPackages`. To explore what's been installed, just look through `~/.nix-profile/`. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn't. Let's tell Nixpkgs to only link the stuff that we want: 221 222```nix 223{ 224 packageOverrides = pkgs: with pkgs; { 225 myPackages = pkgs.buildEnv { 226 name = "my-packages"; 227 paths = [ 228 aspell 229 bc 230 coreutils 231 gdb 232 ffmpeg 233 nixUnstable 234 emscripten 235 jq 236 nox 237 silver-searcher 238 ]; 239 pathsToLink = [ "/share" "/bin" ]; 240 }; 241 }; 242} 243``` 244 245`pathsToLink` tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. `/bin` and `/share` are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, `/Applications`, that makes GUI apps available. 246 247### Getting documentation {#sec-getting-documentation} 248 249After building that new environment, look through `~/.nix-profile` to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside `~/.nix-profile/share/man/man1/` to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let's make Nix install those as well. 250 251```nix 252{ 253 packageOverrides = pkgs: with pkgs; { 254 myPackages = pkgs.buildEnv { 255 name = "my-packages"; 256 paths = [ 257 aspell 258 bc 259 coreutils 260 ffmpeg 261 nixUnstable 262 emscripten 263 jq 264 nox 265 silver-searcher 266 ]; 267 pathsToLink = [ "/share/man" "/share/doc" "/bin" ]; 268 extraOutputsToInstall = [ "man" "doc" ]; 269 }; 270 }; 271} 272``` 273 274This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions. 275 276```nix 277{ 278 packageOverrides = pkgs: with pkgs; rec { 279 myProfile = writeText "my-profile" '' 280 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin 281 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man 282 ''; 283 myPackages = pkgs.buildEnv { 284 name = "my-packages"; 285 paths = [ 286 (runCommand "profile" {} '' 287 mkdir -p $out/etc/profile.d 288 cp ${myProfile} $out/etc/profile.d/my-profile.sh 289 '') 290 aspell 291 bc 292 coreutils 293 ffmpeg 294 man 295 nixUnstable 296 emscripten 297 jq 298 nox 299 silver-searcher 300 ]; 301 pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ]; 302 extraOutputsToInstall = [ "man" "doc" ]; 303 }; 304 }; 305} 306``` 307 308For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your `~/.profile` file: 309 310```ShellSession 311#!/bin/sh 312if [ -d "${HOME}/.nix-profile/etc/profile.d" ]; then 313 for i in "${HOME}/.nix-profile/etc/profile.d/"*.sh; do 314 if [ -r "$i" ]; then 315 . "$i" 316 fi 317 done 318fi 319``` 320 321Now just run `. "${HOME}/.profile"` and you can start loading man pages from your environment. 322 323### GNU info setup {#sec-gnu-info-setup} 324 325Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts. 326 327```nix 328{ 329 packageOverrides = pkgs: with pkgs; rec { 330 myProfile = writeText "my-profile" '' 331 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin 332 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man 333 export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info 334 ''; 335 myPackages = pkgs.buildEnv { 336 name = "my-packages"; 337 paths = [ 338 (runCommand "profile" {} '' 339 mkdir -p $out/etc/profile.d 340 cp ${myProfile} $out/etc/profile.d/my-profile.sh 341 '') 342 aspell 343 bc 344 coreutils 345 ffmpeg 346 man 347 nixUnstable 348 emscripten 349 jq 350 nox 351 silver-searcher 352 texinfoInteractive 353 ]; 354 pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ]; 355 extraOutputsToInstall = [ "man" "doc" "info" ]; 356 postBuild = '' 357 if [ -x $out/bin/install-info -a -w $out/share/info ]; then 358 shopt -s nullglob 359 for i in $out/share/info/*.info $out/share/info/*.info.gz; do 360 $out/bin/install-info $i $out/share/info/dir 361 done 362 fi 363 ''; 364 }; 365 }; 366} 367``` 368 369`postBuild` tells Nixpkgs to run a command after building the environment. In this case, `install-info` adds the installed info pages to `dir` which is GNU info's default root node. Note that `texinfoInteractive` is added to the environment to give the `install-info` command.