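/*
  Manages /etc/nix/nix.conf.

  See also
  - ./nix-channel.nix
  - ./nix-flakes.nix
  - ./nix-remote-build.nix
  - nixos/modules/services/system/nix-daemon.nix
*/
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    literalExpression
    mapAttrsToList
    mkAfter
    mkIf
    mkOption
    mkRenamedOptionModuleWith
    optionals
    systems
    types
    ;

  cfg = config.nix;

  nixPackage = cfg.package.out;

  # Features this machine advertises to Nix. Derivations opt in through
  # `requiredSystemFeatures` (see the `system-features` option below), so this
  # list decides which such derivations may be scheduled on this host.
  defaultSystemFeatures = [
    "nixos-test"
    "benchmark"
    "big-parallel"
    "kvm"
  ]
  ++ optionals (pkgs.stdenv.hostPlatform ? gcc.arch) (
    # a builder can run code for `gcc.arch` and inferior architectures
    [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ]
    ++ map (x: "gccarch-${x}") (
      systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or [ ]
    )
  );

  # Old camelCase `nix.<name>` options and the `nix.settings.<key>` each one
  # was renamed to; `imports` below turns every pair into a rename module.
  legacyConfMappings = {
    useSandbox = "sandbox";
    buildCores = "cores";
    maxJobs = "max-jobs";
    sandboxPaths = "extra-sandbox-paths";
    binaryCaches = "substituters";
    trustedBinaryCaches = "trusted-substituters";
    binaryCachePublicKeys = "trusted-public-keys";
    autoOptimiseStore = "auto-optimise-store";
    requireSignedBinaryCaches = "require-sigs";
    trustedUsers = "trusted-users";
    allowedUsers = "allowed-users";
    systemFeatures = "system-features";
  };

  # Value type for free-form `nix.settings` keys: a single atom or a list of
  # atoms, where an atom is null, bool, int, float, str, path or package.
  semanticConfType =
    with types;
    let
      confAtom =
        nullOr (oneOf [
          bool
          int
          float
          str
          path
          package
        ])
        // {
          description = "Nix config atom (null, bool, int, float, str, path or package)";
        };
    in
    attrsOf (either confAtom (listOf confAtom));

  # The rendered nix.conf. `checkConfig` / `checkAllErrors` are handed to the
  # generator so the parse check described on those options runs against
  # `cfg.package`; `extraOptions` is appended verbatim.
  nixConf =
    (pkgs.formats.nixConf {
      inherit (cfg)
        package
        checkAllErrors
        checkConfig
        extraOptions
        ;
      inherit (nixPackage) version;
    }).generate
      "nix.conf"
      cfg.settings;

in
{
  imports = [
    (mkRenamedOptionModuleWith {
      sinceRelease = 2003;
      from = [
        "nix"
        "useChroot"
      ];
      to = [
        "nix"
        "useSandbox"
      ];
    })
    (mkRenamedOptionModuleWith {
      sinceRelease = 2003;
      from = [
        "nix"
        "chrootDirs"
      ];
      to = [
        "nix"
        "sandboxPaths"
      ];
    })
  ]
  ++ mapAttrsToList (
    oldConf: newConf:
    mkRenamedOptionModuleWith {
      sinceRelease = 2205;
      from = [
        "nix"
        oldConf
      ];
      to = [
        "nix"
        "settings"
        newConf
      ];
    }
  ) legacyConfMappings;

  options = {
    nix = {
      checkConfig = mkOption {
        type = types.bool;
        default = true;
        description = ''
          If enabled, checks that Nix can parse the generated nix.conf.
        '';
      };

      checkAllErrors = mkOption {
        type = types.bool;
        default = true;
        description = ''
          If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.
        '';
      };

      extraOptions = mkOption {
        type = types.lines;
        default = "";
        example = ''
          keep-outputs = true
          keep-derivations = true
        '';
        description = "Additional text appended to {file}`nix.conf`.";
      };

      settings = mkOption {
        type = types.submodule {
          freeformType = semanticConfType;

          options = {
            max-jobs = mkOption {
              type = types.either types.int (types.enum [ "auto" ]);
              default = "auto";
              example = 64;
              description = ''
                This option defines the maximum number of jobs that Nix will try to
                build in parallel. The default is auto, which means it will use all
                available logical cores. It is recommend to set it to the total
                number of logical cores in your system (e.g., 16 for two CPUs with 4
                cores each and hyper-threading).
              '';
            };

            auto-optimise-store = mkOption {
              type = types.bool;
              default = false;
              example = true;
              description = ''
                If set to true, Nix automatically detects files in the store that have
                identical contents, and replaces them with hard links to a single copy.
                This saves disk space. If set to false (the default), you can still run
                nix-store --optimise to get rid of duplicate files.
              '';
            };

            cores = mkOption {
              type = types.int;
              default = 0;
              example = 64;
              description = ''
                This option defines the maximum number of concurrent tasks during
                one build. It affects, e.g., -j option for make.
                The special value 0 means that the builder should use all
                available CPU cores in the system. Some builds may become
                non-deterministic with this option; use with care! Packages will
                only be affected if enableParallelBuilding is set for them.
              '';
            };

            # Defaults to `true`: builds get their own mount and network namespaces.
            # "relaxed" lets any derivation with `__noChroot = true` escape that
            # isolation, so it weakens the build boundary for the whole machine.
            sandbox = mkOption {
              type = types.either types.bool (types.enum [ "relaxed" ]);
              default = true;
              description = ''
                If set, Nix will perform builds in a sandboxed environment that it
                will set up automatically for each build. This prevents impurities
                in builds by disallowing access to dependencies outside of the Nix
                store by using network and mount namespaces in a chroot environment.

                This is enabled by default even though it has a possible performance
                impact due to the initial setup time of a sandbox for each build. It
                doesn't affect derivation hashes, so changing this option will not
                trigger a rebuild of packages.

                When set to "relaxed", this option permits derivations that set
                `__noChroot = true;` to run outside of the sandboxed environment.
                Exercise caution when using this mode of operation! It is intended to
                be a quick hack when building with packages that are not easily setup
                to be built reproducibly.
              '';
            };

            # Every path listed here becomes visible inside every sandboxed build.
            extra-sandbox-paths = mkOption {
              type = types.listOf types.str;
              default = [ ];
              example = [
                "/dev"
                "/proc"
              ];
              description = ''
                Directories from the host filesystem to be included
                in the sandbox.
              '';
            };

            substituters = mkOption {
              type = types.listOf types.str;
              description = ''
                List of binary cache URLs used to obtain pre-built binaries
                of Nix packages.

                By default https://cache.nixos.org/ is added.
              '';
            };

            # NOTE(review): `binary-caches` is the deprecated alias of
            # `substituters`; the description could cite `--option substituters`.
            trusted-substituters = mkOption {
              type = types.listOf types.str;
              default = [ ];
              example = [ "https://hydra.nixos.org/" ];
              description = ''
                List of binary cache URLs that non-root users can use (in
                addition to those specified using
                {option}`nix.settings.substituters`) by passing
                `--option binary-caches` to Nix commands.
              '';
            };

            # Signature verification of substituted paths; `trusted-public-keys`
            # below only has an effect while this stays enabled.
            require-sigs = mkOption {
              type = types.bool;
              default = true;
              description = ''
                If enabled (the default), Nix will only download binaries from binary caches if
                they are cryptographically signed with any of the keys listed in
                {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither
                required nor checked, so it's strongly recommended that you use only
                trustworthy caches and https to prevent man-in-the-middle attacks.
              '';
            };

            trusted-public-keys = mkOption {
              type = types.listOf types.str;
              example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
              # The cross-reference used to point at this option itself; the
              # setting that gates signature checking is `require-sigs`.
              description = ''
                List of public keys used to sign binary caches. If
                {option}`nix.settings.require-sigs` is enabled,
                then Nix will use a binary from a binary cache if and only
                if it is signed by *any* of the keys
                listed here. By default, only the key for
                `cache.nixos.org` is included.
              '';
            };

            # NOTE(review): importing unsigned NARs lets a trusted user place
            # arbitrary content in the store that other users then run, so
            # membership here is best treated as root-equivalent — confirm against
            # the Nix manual before documenting it as such.
            trusted-users = mkOption {
              type = types.listOf types.str;
              example = [
                "root"
                "alice"
                "@wheel"
              ];
              description = ''
                A list of names of users that have additional rights when
                connecting to the Nix daemon, such as the ability to specify
                additional binary caches, or to import unsigned NARs. You
                can also specify groups by prefixing them with
                `@`; for instance,
                `@wheel` means all users in the wheel
                group.
              '';
            };

            system-features = mkOption {
              type = types.listOf types.str;
              # We expose system-features here and in config below.
              # This allows users to access the default value via `options.nix.settings.system-features`
              default = defaultSystemFeatures;
              defaultText = literalExpression ''[ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-<arch>" ]'';
              description = ''
                The set of features supported by the machine. Derivations
                can express dependencies on system features through the
                `requiredSystemFeatures` attribute.
              '';
            };

            # Default `*` admits every local user to the daemon; trusted users
            # are admitted regardless of this list.
            allowed-users = mkOption {
              type = types.listOf types.str;
              default = [ "*" ];
              example = [
                "@wheel"
                "@builders"
                "alice"
                "bob"
              ];
              description = ''
                A list of names of users (separated by whitespace) that are
                allowed to connect to the Nix daemon. As with
                {option}`nix.settings.trusted-users`, you can specify groups by
                prefixing them with `@`. Also, you can
                allow all users by specifying `*`. The
                default is `*`. Note that trusted users are
                always allowed to connect.
              '';
            };
          };
        };
        default = { };
        example = literalExpression ''
          {
            use-sandbox = true;
            show-trace = true;

            sandbox-paths = [ "/bin/sh=''${pkgs.busybox-sandbox-shell.out}/bin/busybox" ];
          }
        '';
        description = ''
          Configuration for Nix, see
          <https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or
          {manpage}`nix.conf(5)` for available options.
          The value declared here will be translated directly to the key-value pairs Nix expects.

          You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings`
          to view the current value. By default it is empty.

          Nix configurations defined under {option}`nix.*` will be translated and applied to this
          option. In addition, configuration specified in {option}`nix.extraOptions` will be appended
          verbatim to the resulting config file.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    environment.etc."nix/nix.conf".source = nixConf;
    # These values are merged by the module system with whatever the user sets
    # on `nix.settings`, so user entries extend the defaults below.
    nix.settings = {
      trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
      # Anyone added here gains the rights described on the option (extra
      # substituters, unsigned NAR import); keep the list minimal.
      trusted-users = [ "root" ];
      # `mkAfter` orders the official cache after any user-configured substituters.
      substituters = mkAfter [ "https://cache.nixos.org/" ];
      system-features = defaultSystemFeatures;
    };
  };
}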