pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #301827 from kampka/forbiddenDependenciesRegex

nixos/top-level: Turn `system.forbiddenDependenciesRegex` into a list

Artturin 5ce6ea92 5aa69d78

options
unified split
Changed files
+16 -15
nixos
doc
manual
release-notes
rl-2405.section.md
modules
profiles
perlless.nix
system
activation
test.nix
top-level.nix
+2
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
282

       
 

       
  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`


     

       
283

       
 

       
  where the file `secret_file` contains the string `mysecret`.


     

       
284

       
 

       



     

       

       

       
     

       

       

       
     

       
285

       
 

       
- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading


     

       
286

       
 

       
  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.


     

       
287

       
 

       



     
···

       
282

       
 

       
  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`


     

       
283

       
 

       
  where the file `secret_file` contains the string `mysecret`.


     

       
284

       
 

       



     

       
285

       
+

       
- The `system.forbiddenDependenciesRegex` option has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes.


     

       
286

       
+

       



     

       
287

       
 

       
- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading


     

       
288

       
 

       
  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.


     

       
289
+1 -1
nixos/modules/profiles/perlless.nix 
···

       
26

       
 

       



     

       
27

       
 

       
  # Check that the system does not contain a Nix store path that contains the


     

       
28

       
 

       
  # string "perl".


     

       
29

       
-

       
  system.forbiddenDependenciesRegex = "perl";


     

       
30

       
 

       



     

       
31

       
 

       
}


     
···

       
26

       
 

       



     

       
27

       
 

       
  # Check that the system does not contain a Nix store path that contains the


     

       
28

       
 

       
  # string "perl".


     

       
29

       
+

       
  system.forbiddenDependenciesRegexes = ["perl"];


     

       
30

       
 

       



     

       
31

       
 

       
}
+2 -2
nixos/modules/system/activation/test.nix 
···

       
5

       
 

       
}:


     

       
6

       
 

       
let


     

       
7

       
 

       
  node-forbiddenDependencies-fail = nixos ({ ... }: {


     

       
8

       
-

       
    system.forbiddenDependenciesRegex = "-dev$";


     

       
9

       
 

       
    environment.etc."dev-dependency" = {


     

       
10

       
 

       
      text = "${expect.dev}";


     

       
11

       
 

       
    };


     
···

       
14

       
 

       
    boot.loader.grub.enable = false;


     

       
15

       
 

       
  });


     

       
16

       
 

       
  node-forbiddenDependencies-succeed = nixos ({ ... }: {


     

       
17

       
-

       
    system.forbiddenDependenciesRegex = "-dev$";


     

       
18

       
 

       
    system.extraDependencies = [ expect.dev ];


     

       
19

       
 

       
    documentation.enable = false;


     

       
20

       
 

       
    fileSystems."/".device = "ignore-root-device";


     
···

       
5

       
 

       
}:


     

       
6

       
 

       
let


     

       
7

       
 

       
  node-forbiddenDependencies-fail = nixos ({ ... }: {


     

       
8

       
+

       
    system.forbiddenDependenciesRegexes = ["-dev$"];


     

       
9

       
 

       
    environment.etc."dev-dependency" = {


     

       
10

       
 

       
      text = "${expect.dev}";


     

       
11

       
 

       
    };


     
···

       
14

       
 

       
    boot.loader.grub.enable = false;


     

       
15

       
 

       
  });


     

       
16

       
 

       
  node-forbiddenDependencies-succeed = nixos ({ ... }: {


     

       
17

       
+

       
    system.forbiddenDependenciesRegexes = ["-dev$"];


     

       
18

       
 

       
    system.extraDependencies = [ expect.dev ];


     

       
19

       
 

       
    documentation.enable = false;


     

       
20

       
 

       
    fileSystems."/".device = "ignore-root-device";
+11 -12
nixos/modules/system/activation/top-level.nix 
···

       
86

       
 

       
    ../build.nix


     

       
87

       
 

       
    (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.")


     

       
88

       
 

       
    (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.")


     

       

       

       
     

       
89

       
 

       
  ];


     

       
90

       
 

       



     

       
91

       
 

       
  options = {


     
···

       
160

       
 

       
      '';


     

       
161

       
 

       
    };


     

       
162

       
 

       



     

       
163

       
-

       
    system.forbiddenDependenciesRegex = mkOption {


     

       
164

       
-

       
      default = "";


     

       
165

       
-

       
      example = "-dev$";


     

       
166

       
-

       
      type = types.str;


     

       
167

       
 

       
      description = ''


     

       
168

       
-

       
        A POSIX Extended Regular Expression that matches store paths that


     

       
169

       
 

       
        should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked.


     

       
170

       
 

       
      '';


     

       
171

       
 

       
    };


     
···

       
289

       
 

       
            "$out/configuration.nix"


     

       
290

       
 

       
        '' +


     

       
291

       
 

       
      optionalString


     

       
292

       
-

       
        (config.system.forbiddenDependenciesRegex != "")


     

       
293

       
-

       
        ''


     

       
294

       
-

       
          if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then


     

       
295

       
-

       
            if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then


     

       
296

       
 

       
              echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths"


     

       
297

       
 

       
              exit 1


     

       
298

       
 

       
            fi


     

       
299

       
 

       
          fi


     

       
300

       
-

       
        '';


     

       
301

       
 

       



     

       
302

       
 

       
    system.systemBuilderArgs = {


     

       
303

       
 

       



     
···

       
319

       
 

       
      # option, as opposed to `system.extraDependencies`.


     

       
320

       
 

       
      passedChecks = concatStringsSep " " config.system.checks;


     

       
321

       
 

       
    }


     

       
322

       
-

       
    // lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {


     

       
323

       
-

       
      inherit (config.system) forbiddenDependenciesRegex;


     

       
324

       
 

       
      closureInfo = pkgs.closureInfo { rootPaths = [


     

       
325

       
 

       
        # override to avoid  infinite recursion (and to allow using extraDependencies to add forbidden dependencies)


     

       
326

       
 

       
        (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))


     
···

       
86

       
 

       
    ../build.nix


     

       
87

       
 

       
    (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.")


     

       
88

       
 

       
    (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.")


     

       
89

       
+

       
    (mkRenamedOptionModule [ "system" "forbiddenDependenciesRegex" ] [ "system" "forbiddenDependenciesRegexes" ])


     

       
90

       
 

       
  ];


     

       
91

       
 

       



     

       
92

       
 

       
  options = {


     
···

       
161

       
 

       
      '';


     

       
162

       
 

       
    };


     

       
163

       
 

       



     

       
164

       
+

       
    system.forbiddenDependenciesRegexes = mkOption {


     

       
165

       
+

       
      default = [];


     

       
166

       
+

       
      example = ["-dev$"];


     

       
167

       
+

       
      type = types.listOf types.str;


     

       
168

       
 

       
      description = ''


     

       
169

       
+

       
        POSIX Extended Regular Expressions that match store paths that


     

       
170

       
 

       
        should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked.


     

       
171

       
 

       
      '';


     

       
172

       
 

       
    };


     
···

       
290

       
 

       
            "$out/configuration.nix"


     

       
291

       
 

       
        '' +


     

       
292

       
 

       
      optionalString


     

       
293

       
+

       
        (config.system.forbiddenDependenciesRegexes != []) (lib.concatStringsSep "\n" (map (regex: ''


     

       
294

       
+

       
          if [[ ${regex} != "" && -n $closureInfo ]]; then


     

       
295

       
+

       
            if forbiddenPaths="$(grep -E -- "${regex}" $closureInfo/store-paths)"; then


     

       

       

       
     

       
296

       
 

       
              echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths"


     

       
297

       
 

       
              exit 1


     

       
298

       
 

       
            fi


     

       
299

       
 

       
          fi


     

       
300

       
+

       
        '') config.system.forbiddenDependenciesRegexes));


     

       
301

       
 

       



     

       
302

       
 

       
    system.systemBuilderArgs = {


     

       
303

       
 

       



     
···

       
319

       
 

       
      # option, as opposed to `system.extraDependencies`.


     

       
320

       
 

       
      passedChecks = concatStringsSep " " config.system.checks;


     

       
321

       
 

       
    }


     

       
322

       
+

       
    // lib.optionalAttrs (config.system.forbiddenDependenciesRegexes != []) {


     

       

       

       
     

       
323

       
 

       
      closureInfo = pkgs.closureInfo { rootPaths = [


     

       
324

       
 

       
        # override to avoid  infinite recursion (and to allow using extraDependencies to add forbidden dependencies)


     

       
325

       
 

       
        (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))