doc/using/configuration.xml at 21.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / doc / using / configuration.xml
at 21.11-pre 16 kB view raw
  1<chapter xmlns="http://docbook.org/ns/docbook"
  2         xmlns:xlink="http://www.w3.org/1999/xlink"
  3         xml:id="chap-packageconfig">
  4 <title>Global configuration</title>
  5 <para>
  6  Nix comes with certain defaults about what packages can and cannot be installed, based on a package's metadata. By default, Nix will prevent installation if any of the following criteria are true:
  7 </para>
  8 <itemizedlist>
  9  <listitem>
 10   <para>
 11    The package is thought to be broken, and has had its <literal>meta.broken</literal> set to <literal>true</literal>.
 12   </para>
 13  </listitem>
 14  <listitem>
 15   <para>
 16    The package isn't intended to run on the given system, as none of its <literal>meta.platforms</literal> match the given system.
 17   </para>
 18  </listitem>
 19  <listitem>
 20   <para>
 21    The package's <literal>meta.license</literal> is set to a license which is considered to be unfree.
 22   </para>
 23  </listitem>
 24  <listitem>
 25   <para>
 26    The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package's <literal>meta.knownVulnerabilities</literal>.
 27   </para>
 28  </listitem>
 29 </itemizedlist>
 30 <para>
 31  Note that all this is checked during evaluation already, and the check includes any package that is evaluated. In particular, all build-time dependencies are checked. <literal>nix-env -qa</literal> will (attempt to) hide any packages that would be refused.
 32 </para>
 33 <para>
 34  Each of these criteria can be altered in the nixpkgs configuration.
 35 </para>
 36 <para>
 37  The nixpkgs configuration for a NixOS system is set in the <literal>configuration.nix</literal>, as in the following example:
 38<programlisting>
 39{
 40  nixpkgs.config = {
 41    allowUnfree = true;
 42  };
 43}
 44</programlisting>
 45  However, this does not allow unfree software for individual users. Their configurations are managed separately.
 46 </para>
 47 <para>
 48  A user's nixpkgs configuration is stored in a user-specific configuration file located at <filename>~/.config/nixpkgs/config.nix</filename>. For example:
 49<programlisting>
 50{
 51  allowUnfree = true;
 52}
 53</programlisting>
 54 </para>
 55 <para>
 56  Note that we are not able to test or build unfree software on Hydra due to policy. Most unfree licenses prohibit us from either executing or distributing the software.
 57 </para>
 58 <section xml:id="sec-allow-broken">
 59  <title>Installing broken packages</title>
 60
 61  <para>
 62   There are two ways to try compiling a package which has been marked as broken.
 63  </para>
 64
 65  <itemizedlist>
 66   <listitem>
 67    <para>
 68     For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:
 69<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_BROKEN=1</screen>
 70    </para>
 71   </listitem>
 72   <listitem>
 73    <para>
 74     For permanently allowing broken packages to be built, you may add <literal>allowBroken = true;</literal> to your user's configuration file, like this:
 75<programlisting>
 76{
 77  allowBroken = true;
 78}
 79</programlisting>
 80    </para>
 81   </listitem>
 82  </itemizedlist>
 83 </section>
 84 <section xml:id="sec-allow-unsupported-system">
 85  <title>Installing packages on unsupported systems</title>
 86
 87  <para>
 88   There are also two ways to try compiling a package which has been marked as unsupported for the given system.
 89  </para>
 90
 91  <itemizedlist>
 92   <listitem>
 93    <para>
 94     For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools:
 95<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</screen>
 96    </para>
 97   </listitem>
 98   <listitem>
 99    <para>
100     For permanently allowing unsupported packages to be built, you may add <literal>allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
101<programlisting>
102{
103  allowUnsupportedSystem = true;
104}
105</programlisting>
106    </para>
107   </listitem>
108  </itemizedlist>
109
110  <para>
111   The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program <emphasis>ought</emphasis> to work on a certain platform, but doesn't, the platform should be included in <literal>meta.platforms</literal>, but marked as broken with e.g. <literal>meta.broken = !hostPlatform.isWindows</literal>. Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer.
112  </para>
113 </section>
114 <section xml:id="sec-allow-unfree">
115  <title>Installing unfree packages</title>
116
117  <para>
118   There are several ways to tweak how Nix handles a package which has been marked as unfree.
119  </para>
120
121  <itemizedlist>
122   <listitem>
123    <para>
124     To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:
125<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_UNFREE=1</screen>
126    </para>
127   </listitem>
128   <listitem>
129    <para>
130     It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the <literal>allowUnfreePredicate</literal> configuration option in the user configuration file.
131    </para>
132    <para>
133     This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false:
134<programlisting>
135{
136  allowUnfreePredicate = (pkg: false);
137}
138</programlisting>
139    </para>
140    <para>
141     For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code:
142<programlisting>
143{
144  allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
145    "roon-server"
146    "vscode"
147  ];
148}
149</programlisting>
150    </para>
151   </listitem>
152   <listitem>
153    <para>
154     It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using <literal>allowlistedLicenses</literal> and <literal>blocklistedLicenses</literal>, respectively.
155    </para>
156    <para>
157     The following example configuration allowlists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
158<programlisting>
159{
160  allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
161}
162</programlisting>
163    </para>
164    <para>
165     The following example configuration blocklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
166<programlisting>
167{
168  blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
169}
170</programlisting>
171    </para>
172    <para>
173     Note that <literal>allowlistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic allowlist for all types of licenses. <literal>blocklistedLicenses</literal> applies to all licenses.
174    </para>
175   </listitem>
176  </itemizedlist>
177
178  <para>
179   A complete list of licenses can be found in the file <filename>lib/licenses.nix</filename> of the nixpkgs tree.
180  </para>
181 </section>
182 <section xml:id="sec-allow-insecure">
183  <title>Installing insecure packages</title>
184
185  <para>
186   There are several ways to tweak how Nix handles a package which has been marked as insecure.
187  </para>
188
189  <itemizedlist>
190   <listitem>
191    <para>
192     To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:
193<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_INSECURE=1</screen>
194    </para>
195   </listitem>
196   <listitem>
197    <para>
198     It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the <literal>permittedInsecurePackages</literal> configuration option in the user configuration file.
199    </para>
200    <para>
201     The following example configuration permits the installation of the hypothetically insecure package <literal>hello</literal>, version <literal>1.2.3</literal>:
202<programlisting>
203{
204  permittedInsecurePackages = [
205    "hello-1.2.3"
206  ];
207}
208</programlisting>
209    </para>
210   </listitem>
211   <listitem>
212    <para>
213     It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the <literal>allowInsecurePredicate</literal> configuration option.
214    </para>
215    <para>
216     The <literal>allowInsecurePredicate</literal> option is a function which accepts a package and returns a boolean, much like <literal>allowUnfreePredicate</literal>.
217    </para>
218    <para>
219     The following configuration example only allows insecure packages with very short names:
220<programlisting>
221{
222  allowInsecurePredicate = pkg: builtins.stringLength (lib.getName pkg) &lt;= 5;
223}
224</programlisting>
225    </para>
226    <para>
227     Note that <literal>permittedInsecurePackages</literal> is only checked if <literal>allowInsecurePredicate</literal> is not specified.
228    </para>
229   </listitem>
230  </itemizedlist>
231 </section>
232<!--============================================================-->
233 <section xml:id="sec-modify-via-packageOverrides">
234  <title>Modify packages via <literal>packageOverrides</literal></title>
235
236  <para>
237   You can define a function called <varname>packageOverrides</varname> in your local <filename>~/.config/nixpkgs/config.nix</filename> to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.
238<programlisting>
239{
240  packageOverrides = pkgs: rec {
241    foo = pkgs.foo.override { ... };
242  };
243}
244</programlisting>
245  </para>
246 </section>
247 <section xml:id="sec-declarative-package-management">
248  <title>Declarative Package Management</title>
249
250  <section xml:id="sec-building-environment">
251   <title>Build an environment</title>
252
253   <para>
254    Using <literal>packageOverrides</literal>, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have <literal>aspell</literal>, <literal>bc</literal>, <literal>ffmpeg</literal>, <literal>coreutils</literal>, <literal>gdb</literal>, <literal>nixUnstable</literal>, <literal>emscripten</literal>, <literal>jq</literal>, <literal>nox</literal>, and <literal>silver-searcher</literal>, we could use the following in <filename>~/.config/nixpkgs/config.nix</filename>:
255   </para>
256
257<screen>
258{
259  packageOverrides = pkgs: with pkgs; {
260    myPackages = pkgs.buildEnv {
261      name = "my-packages";
262      paths = [
263        aspell
264        bc
265        coreutils
266        gdb
267        ffmpeg
268        nixUnstable
269        emscripten
270        jq
271        nox
272        silver-searcher
273      ];
274    };
275  };
276}
277</screen>
278
279   <para>
280    To install it into our environment, you can just run <literal>nix-env -iA nixpkgs.myPackages</literal>. If you want to load the packages to be built from a working copy of <literal>nixpkgs</literal> you just run <literal>nix-env -f. -iA myPackages</literal>. To explore what's been installed, just look through <filename>~/.nix-profile/</filename>. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
281   </para>
282
283<screen>
284{
285  packageOverrides = pkgs: with pkgs; {
286    myPackages = pkgs.buildEnv {
287      name = "my-packages";
288      paths = [
289        aspell
290        bc
291        coreutils
292        gdb
293        ffmpeg
294        nixUnstable
295        emscripten
296        jq
297        nox
298        silver-searcher
299      ];
300      pathsToLink = [ "/share" "/bin" ];
301    };
302  };
303}
304</screen>
305
306   <para>
307    <literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. <filename>/bin</filename> and <filename>/share</filename> are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, <filename>/Applications</filename>, that makes GUI apps available.
308   </para>
309  </section>
310
311  <section xml:id="sec-getting-documentation">
312   <title>Getting documentation</title>
313
314   <para>
315    After building that new environment, look through <filename>~/.nix-profile</filename> to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let's make Nix install those as well.
316   </para>
317
318<screen>
319{
320  packageOverrides = pkgs: with pkgs; {
321    myPackages = pkgs.buildEnv {
322      name = "my-packages";
323      paths = [
324        aspell
325        bc
326        coreutils
327        ffmpeg
328        nixUnstable
329        emscripten
330        jq
331        nox
332        silver-searcher
333      ];
334      pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
335      extraOutputsToInstall = [ "man" "doc" ];
336    };
337  };
338}
339</screen>
340
341   <para>
342    This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions.
343   </para>
344
345<screen>
346{
347  packageOverrides = pkgs: with pkgs; rec {
348    myProfile = writeText "my-profile" ''
349      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
350      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
351    '';
352    myPackages = pkgs.buildEnv {
353      name = "my-packages";
354      paths = [
355        (runCommand "profile" {} ''
356          mkdir -p $out/etc/profile.d
357          cp ${myProfile} $out/etc/profile.d/my-profile.sh
358        '')
359        aspell
360        bc
361        coreutils
362        ffmpeg
363        man
364        nixUnstable
365        emscripten
366        jq
367        nox
368        silver-searcher
369      ];
370      pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
371      extraOutputsToInstall = [ "man" "doc" ];
372    };
373  };
374}
375</screen>
376
377   <para>
378    For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your <filename>~/.profile</filename> file:
379   </para>
380
381<screen>
382#!/bin/sh
383if [ -d $HOME/.nix-profile/etc/profile.d ]; then
384  for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
385    if [ -r $i ]; then
386      . $i
387    fi
388  done
389fi
390</screen>
391
392   <para>
393    Now just run <literal>source $HOME/.profile</literal> and you can starting loading man pages from your environment.
394   </para>
395  </section>
396
397  <section xml:id="sec-gnu-info-setup">
398   <title>GNU info setup</title>
399
400   <para>
401    Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts.
402   </para>
403
404<screen>
405{
406  packageOverrides = pkgs: with pkgs; rec {
407    myProfile = writeText "my-profile" ''
408      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
409      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
410      export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
411    '';
412    myPackages = pkgs.buildEnv {
413      name = "my-packages";
414      paths = [
415        (runCommand "profile" {} ''
416          mkdir -p $out/etc/profile.d
417          cp ${myProfile} $out/etc/profile.d/my-profile.sh
418        '')
419        aspell
420        bc
421        coreutils
422        ffmpeg
423        man
424        nixUnstable
425        emscripten
426        jq
427        nox
428        silver-searcher
429        texinfoInteractive
430      ];
431      pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
432      extraOutputsToInstall = [ "man" "doc" "info" ];
433      postBuild = ''
434        if [ -x $out/bin/install-info -a -w $out/share/info ]; then
435          shopt -s nullglob
436          for i in $out/share/info/*.info $out/share/info/*.info.gz; do
437              $out/bin/install-info $i $out/share/info/dir
438          done
439        fi
440      '';
441    };
442  };
443}
444</screen>
445
446   <para>
447    <literal>postBuild</literal> tells Nixpkgs to run a command after building the environment. In this case, <literal>install-info</literal> adds the installed info pages to <literal>dir</literal> which is GNU info's default root node. Note that <literal>texinfoInteractive</literal> is added to the environment to give the <literal>install-info</literal> command.
448   </para>
449  </section>
450 </section>
451</chapter>