{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.nix;

# The Nix package that is actually installed (its "out" output) and its
# version string; several nix.conf keys and daemon environment variables
# below are chosen based on it.
nix = cfg.package.out;
nixVersion = getVersion nix;

# Version gates. This module still supports pre-2.0 daemons: Nix 2.0
# renamed most nix.conf keys (build-max-jobs -> max-jobs, binary-caches ->
# substituters, ...) and stopped relying on NIX_CONF_DIR / NIX_BUILD_HOOK /
# NIX_REMOTE, and the `sandbox-fallback` setting and `nix show-config
# --no-net` are only used when the daemon is at least 2.3.
atLeast = versionAtLeast nixVersion;
isNix20 = atLeast "2.0pre";
isNix23 = atLeast "2.3pre";
# The users.users entry for build user number `nr` (1-based): account
# nixbld<nr> with uid ids.uids.nixbld + nr. The daemon hands every build
# to one of these accounts, so concurrent builds run as distinct
# unprivileged users rather than as the user who requested them.
makeNixBuildUser = nr:
  let n = toString nr; in
  {
    name = "nixbld${n}";
    description = "Nix build user ${n}";
    uid = config.ids.uids.nixbld + nr;
    # Nix itself (the setgid(2)/setuid(2)/setgroups(2) calls in
    # libstore/build.cc) drops the builder into exactly this uid and the
    # single "nixbld" group. Keep the account's group membership to just
    # "nixbld" so what /etc/group says matches what builds actually get;
    # do not add supplementary groups here.
    group = "nixbld";
    extraGroups = [ "nixbld" ];
  };

# One entry per build user: nixbld1 .. nixbld<nix.nrBuildUsers>.
nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers);
# The generated /etc/nix/nix.conf, built as a store path so that a change
# to any nix.* option yields a new file (and restarts the daemon, see
# restartTriggers below).
nixConf =
  let
    # nix.conf keys were renamed in Nix 2.0; pick the spelling the
    # configured daemon understands.
    key = modern: legacy: if isNix20 then modern else legacy;

    # nix.useSandbox is either a bool or the string "relaxed"; both are
    # written out as-is.
    sandboxSetting =
      if builtins.isBool cfg.useSandbox
      then boolToString cfg.useSandbox
      else cfg.useSandbox;

    # Signature enforcement for substitutes. Before 2.0 this was a glob of
    # caches whose NARs had to be signed ("*" = all of them, "" = none);
    # since 2.0 it is a plain boolean.
    signatureLine =
      if isNix20
      then "require-sigs = ${boolToString cfg.requireSignedBinaryCaches}\n"
      else "signed-binary-caches = ${optionalString cfg.requireSignedBinaryCaches "*"}\n";

    # Nix 2.x reads its remote builders from /etc/nix/machines by default.
    # Unless distributed builds are switched on, pin `builders` to empty
    # so a machines file (nix.buildMachines may be set while
    # nix.distributedBuilds is not) is never used.
    buildersLine =
      optionalString (isNix20 && !cfg.distributedBuilds) "builders =\n";

    # Nix >= 2.3 falls back to building *without* a sandbox when it cannot
    # set one up (upstream default sandbox-fallback = true). That would
    # silently void the isolation nix.useSandbox promises, so disable the
    # fallback: a build that cannot be sandboxed must fail instead.
    sandboxFallbackLine =
      optionalString isNix23 "sandbox-fallback = false\n";

    # In Nix < 2.0 the sandbox has no /bin/sh of its own, so bind-mount
    # the system shell into it, which drags the shell's whole closure in
    # as well. Nix >= 2.0 provides /bin/sh by itself.
    sh = pkgs.runtimeShell;
    binshDeps = pkgs.writeReferencesToFile sh;

    # Build-time sanity check (nix.checkConfig): point a throw-away
    # NIX_CONF_DIR at the fresh file and have Nix parse it, so a typo in
    # nix.extraOptions fails the system build instead of the daemon at
    # boot. Skipped when cross-compiling, as the target Nix cannot run on
    # the build machine.
    checkScript =
      if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
        echo "Ignore nix.checkConfig when cross-compiling"
      '' else ''
        echo "Checking that Nix can read nix.conf..."
        ln -s $out ./nix.conf
        NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net"} >/dev/null
      '';
  in
    # The heredoc below is intentionally unquoted so the shell expands
    # $extraOptions and $extraPaths. The Nix-interpolated values (sandbox
    # paths, cache URLs, ...) are spliced into the same script text and
    # therefore undergo shell expansion too; they come from the NixOS
    # configuration (i.e. root), so this is a correctness rather than a
    # trust-boundary concern, but a literal `$` or backslash in such a
    # value would need escaping. Whatever nix.extraOptions contains is
    # emitted last, after every generated key.
    pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (''
      ${optionalString (!isNix20) ''
        extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
      ''}
      cat > $out <<END
      # WARNING: this file is generated from the nix.* options in
      # your NixOS configuration, typically
      # /etc/nixos/configuration.nix. Do not edit it!
      build-users-group = nixbld
      ${key "max-jobs" "build-max-jobs"} = ${toString cfg.maxJobs}
      ${key "cores" "build-cores"} = ${toString cfg.buildCores}
      ${key "sandbox" "build-use-sandbox"} = ${sandboxSetting}
      ${key "extra-sandbox-paths" "build-sandbox-paths"} = ${toString cfg.sandboxPaths} ${optionalString (!isNix20) "/bin/sh=${sh} $(echo $extraPaths)"}
      ${key "substituters" "binary-caches"} = ${toString cfg.binaryCaches}
      ${key "trusted-substituters" "trusted-binary-caches"} = ${toString cfg.trustedBinaryCaches}
      ${key "trusted-public-keys" "binary-cache-public-keys"} = ${toString cfg.binaryCachePublicKeys}
      auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
      ${signatureLine}
      trusted-users = ${toString cfg.trustedUsers}
      allowed-users = ${toString cfg.allowedUsers}
      ${buildersLine}
      system-features = ${toString cfg.systemFeatures}
      ${sandboxFallbackLine}
      $extraOptions
      END
    '' + optionalString cfg.checkConfig checkScript);
in
{
###### interface
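options = {

  nix = {

    package = mkOption {
      type = types.package;
      default = pkgs.nix;
      defaultText = "pkgs.nix";
      description = ''
        This option specifies the Nix package instance to use throughout the system.
      '';
    };

    maxJobs = mkOption {
      type = types.either types.int (types.enum ["auto"]);
      default = 1;
      example = 64;
      description = ''
        This option defines the maximum number of jobs that Nix will try
        to build in parallel. The default is 1. You should generally
        set it to the total number of logical cores in your system (e.g., 16
        for two CPUs with 4 cores each and hyper-threading).
      '';
    };

    autoOptimiseStore = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        If set to true, Nix automatically detects files in the store that have
        identical contents, and replaces them with hard links to a single copy.
        This saves disk space. If set to false (the default), you can still run
        nix-store --optimise to get rid of duplicate files.
      '';
    };

    buildCores = mkOption {
      type = types.int;
      default = 0;
      example = 64;
      description = ''
        This option defines the maximum number of concurrent tasks during
        one build. It affects, e.g., -j option for make.
        The special value 0 means that the builder should use all
        available CPU cores in the system. Some builds may become
        non-deterministic with this option; use with care! Packages will
        only be affected if enableParallelBuilding is set for them.
      '';
    };

    # The isolation boundary for builds. `true` runs every build in its
    # own mount/network-namespace chroot. "relaxed" keeps that but (per
    # the Nix manual) lets derivations that set __noChroot = true run
    # outside the sandbox, so it is only appropriate where every such
    # derivation is trusted. `false` disables isolation entirely.
    useSandbox = mkOption {
      type = types.either types.bool (types.enum ["relaxed"]);
      default = true;
      description = "
        If set, Nix will perform builds in a sandboxed environment that it
        will set up automatically for each build. This prevents impurities
        in builds by disallowing access to dependencies outside of the Nix
        store by using network and mount namespaces in a chroot environment.
        This is enabled by default even though it has a possible performance
        impact due to the initial setup time of a sandbox for each build. It
        doesn't affect derivation hashes, so changing this option will not
        trigger a rebuild of packages.
      ";
    };

    # Bind-mounted into *every* sandbox, i.e. readable by every build,
    # trusted or not. Keep this minimal and prefer fixing the impure
    # build over widening the sandbox.
    sandboxPaths = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "/dev" "/proc" ];
      description =
        ''
          Directories from the host filesystem to be included
          in the sandbox.
        '';
    };

    # Appended verbatim at the very end of the generated nix.conf. Later
    # assignments override earlier ones there, so this text can silently
    # undo any of the typed options above (require-sigs, sandbox,
    # trusted-users, ...); review it with the same care as those.
    extraOptions = mkOption {
      type = types.lines;
      default = "";
      example = ''
        gc-keep-outputs = true
        gc-keep-derivations = true
      '';
      description = "Additional text appended to <filename>nix.conf</filename>.";
    };

    # With this enabled the daemon (which runs as root) opens SSH sessions
    # to the hosts in nix.buildMachines and ships build inputs there and
    # outputs back; every listed host becomes part of the trust base.
    distributedBuilds = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to distribute builds to the machines listed in
        <option>nix.buildMachines</option>.
      '';
    };

    daemonNiceLevel = mkOption {
      type = types.int;
      default = 0;
      description = ''
        Nix daemon process priority. This priority propagates to build processes.
        0 is the default Unix process priority, 19 is the lowest.
      '';
    };

    daemonIONiceLevel = mkOption {
      type = types.int;
      default = 0;
      description = ''
        Nix daemon process I/O priority. This priority propagates to build processes.
        0 is the default Unix process I/O priority, 7 is the lowest.
      '';
    };

    # The key named by `sshKey` has to be passphrase-less (see the
    # description) and is used by the root-run daemon, so keep the file
    # root-only (mode 0600). Only its path, not its contents, is written
    # to /etc/nix/machines. Note the attribute is `hostName`, matching
    # the example and the machines-file generator.
    buildMachines = mkOption {
      type = types.listOf types.attrs;
      default = [];
      example = literalExample ''
        [ { hostName = "voila.labs.cs.uu.nl";
            sshUser = "nix";
            sshKey = "/root/.ssh/id_buildfarm";
            system = "powerpc-darwin";
            maxJobs = 1;
          }
          { hostName = "linux64.example.org";
            sshUser = "buildfarm";
            sshKey = "/root/.ssh/id_buildfarm";
            system = "x86_64-linux";
            maxJobs = 2;
            speedFactor = 2;
            supportedFeatures = [ "kvm" ];
            mandatoryFeatures = [ "perf" ];
          }
        ]
      '';
      description = ''
        This option lists the machines to be used if distributed
        builds are enabled (see
        <option>nix.distributedBuilds</option>). Nix will perform
        derivations on those machines via SSH by copying the inputs
        to the Nix store on the remote machine, starting the build,
        then copying the output back to the local Nix store. Each
        element of the list should be an attribute set containing
        the machine's host name (<varname>hostName</varname>), the
        user name to be used for the SSH connection
        (<varname>sshUser</varname>), the Nix system type
        (<varname>system</varname>, e.g.,
        <literal>"i686-linux"</literal>), the maximum number of
        jobs to be run in parallel on that machine
        (<varname>maxJobs</varname>), the path to the SSH private
        key to be used to connect (<varname>sshKey</varname>), a
        list of supported features of the machine
        (<varname>supportedFeatures</varname>) and a list of
        mandatory features of the machine
        (<varname>mandatoryFeatures</varname>). The SSH private key
        should not have a passphrase, and the corresponding public
        key should be added to
        <filename>~<replaceable>sshUser</replaceable>/authorized_keys</filename>
        on the remote machine.
      '';
    };

    # Environment variables for running Nix.
    envVars = mkOption {
      type = types.attrs;
      internal = true;
      default = {};
      description = "Environment variables used by Nix.";
    };

    nrBuildUsers = mkOption {
      type = types.int;
      description = ''
        Number of <literal>nixbld</literal> user accounts created to
        perform secure concurrent builds. If you receive an error
        message saying that “all build users are currently in use”,
        you should increase this value.
      '';
    };

    # Makes /nix/store a read-only bind mount so that nothing short of a
    # remount (Nix does that itself when it needs to write) can modify
    # it. This guards against accidents and careless tooling, not
    # against a root that deliberately remounts.
    readOnlyStore = mkOption {
      type = types.bool;
      default = true;
      description = ''
        If set, NixOS will enforce the immutability of the Nix store
        by making <filename>/nix/store</filename> a read-only bind
        mount. Nix will automatically make the store writable when
        needed.
      '';
    };

    # Substituters are the software supply chain: whatever they serve is
    # copied into /nix/store instead of being built locally. With
    # nix.requireSignedBinaryCaches on (the default) it is the keys in
    # nix.binaryCachePublicKeys, not TLS, that decide what is accepted;
    # with it off, TLS to a trustworthy cache is all that stands between
    # the system and a substituted binary.
    binaryCaches = mkOption {
      type = types.listOf types.str;
      description = ''
        List of binary cache URLs used to obtain pre-built binaries
        of Nix packages.

        By default https://cache.nixos.org/ is added,
        to override it use <literal>lib.mkForce []</literal>.
      '';
    };

    # Caches that *any* daemon client may ask for on the command line.
    # Signature checking still applies, but listing a cache here is an
    # endorsement every local user can act on.
    trustedBinaryCaches = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "https://hydra.nixos.org/" ];
      description = ''
        List of binary cache URLs that non-root users can use (in
        addition to those specified using
        <option>nix.binaryCaches</option>) by passing
        <literal>--option binary-caches</literal> to Nix commands.
      '';
    };

    requireSignedBinaryCaches = mkOption {
      type = types.bool;
      default = true;
      description = ''
        If enabled (the default), Nix will only download binaries from binary caches if
        they are cryptographically signed with any of the keys listed in
        <option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
        required nor checked, so it's strongly recommended that you use only
        trustworthy caches and https to prevent man-in-the-middle attacks.
      '';
    };

    # A NAR signed by *any* key here is accepted, so every key listed is
    # a full trust anchor for the store.
    binaryCachePublicKeys = mkOption {
      type = types.listOf types.str;
      example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
      description = ''
        List of public keys used to sign binary caches. If
        <option>nix.requireSignedBinaryCaches</option> is enabled,
        then Nix will use a binary from a binary cache if and only
        if it is signed by <emphasis>any</emphasis> of the keys
        listed here. By default, only the key for
        <uri>cache.nixos.org</uri> is included.
      '';
    };

    # Root-equivalent; see the description. The default is root only.
    trustedUsers = mkOption {
      type = types.listOf types.str;
      default = [ "root" ];
      example = [ "root" "alice" "@wheel" ];
      description = ''
        A list of names of users that have additional rights when
        connecting to the Nix daemon, such as the ability to specify
        additional binary caches, or to import unsigned NARs. You
        can also specify groups by prefixing them with
        <literal>@</literal>; for instance,
        <literal>@wheel</literal> means all users in the wheel
        group.

        Membership here is effectively root-equivalent: a trusted
        user can import unsigned store paths and override daemon
        settings such as the sandbox paths, which together amount to
        root access to the machine. Only list users who are already
        allowed to become root.
      '';
    };

    # The default "*" lets every local account, service users included,
    # talk to the daemon socket. Narrowing it (e.g. to @wheel plus the
    # accounts that actually build) is a cheap reduction of the daemon's
    # attack surface; trusted users are always admitted regardless.
    allowedUsers = mkOption {
      type = types.listOf types.str;
      default = [ "*" ];
      example = [ "@wheel" "@builders" "alice" "bob" ];
      description = ''
        A list of names of users (separated by whitespace) that are
        allowed to connect to the Nix daemon. As with
        <option>nix.trustedUsers</option>, you can specify groups by
        prefixing them with <literal>@</literal>. Also, you can
        allow all users by specifying <literal>*</literal>. The
        default is <literal>*</literal>. Note that trusted users are
        always allowed to connect.
      '';
    };

    # The default entries all sit under root-controlled paths
    # (/etc/nixos and root's channel profile), which is what keeps an
    # unprivileged user from redirecting <nixpkgs> for root. A user's own
    # channels are prepended only in that user's shell, in
    # environment.extraInit.
    nixPath = mkOption {
      type = types.listOf types.str;
      default =
        [
          "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
          "nixos-config=/etc/nixos/configuration.nix"
          "/nix/var/nix/profiles/per-user/root/channels"
        ];
      description = ''
        The default Nix expression search path, used by the Nix
        evaluator to look up paths enclosed in angle brackets
        (e.g. <literal><nixpkgs></literal>).
      '';
    };

    systemFeatures = mkOption {
      type = types.listOf types.str;
      example = [ "kvm" "big-parallel" "gccarch-skylake" ];
      description = ''
        The supported features of a machine
      '';
    };

    checkConfig = mkOption {
      type = types.bool;
      default = true;
      description = ''
        If enabled (the default), checks that Nix can parse the generated nix.conf.
      '';
    };
  };

};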
###### implementation
config = {

  # cache.nixos.org and its signing key are always present; a
  # configuration that wants a different set has to mkForce these (see
  # the option descriptions).
  nix.binaryCaches = [ "https://cache.nixos.org/" ];
  nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];

  # The generated nix.conf lives in the store; /etc/nix/nix.conf points
  # at it and is therefore not editable in place.
  environment.etc."nix/nix.conf".source = nixConf;

  # /etc/nix/machines: one line per remote builder in the
  # whitespace-separated format build-remote(.pl) parses:
  #   [user@]host system(s) sshKey maxJobs speedFactor features mandatoryFeatures
  # Only the *path* of the SSH key ends up here; the key file itself is
  # used by the daemon's build hook and has to stay root-only.
  environment.etc."nix/machines" = {
    enable = cfg.buildMachines != [];
    text =
      let
        describe = m:
          let
            target   = optionalString (m ? sshUser) "${m.sshUser}@" + m.hostName;
            systems  = m.system or (concatStringsSep "," m.systems);
            features = concatStringsSep "," ((m.mandatoryFeatures or []) ++ (m.supportedFeatures or []));
            required = concatStringsSep "," (m.mandatoryFeatures or []);
          in
            concatStringsSep " " [
              target
              systems
              (m.sshKey or "-")
              (toString (m.maxJobs or 1))
              (toString (m.speedFactor or 1))
              features
              required
            ] + "\n";
      in concatMapStrings describe cfg.buildMachines;
  };

  # The daemon's systemd units ship with the Nix package; the socket is
  # enabled here so the daemon is socket-activated.
  systemd.packages = [ nix ];
  systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];

  systemd.services.nix-daemon = {
    # ssh (plus gzip) is needed for remote builds; openssl only by the
    # pre-2.0 daemon.
    path =
      [ nix pkgs.utillinux config.programs.ssh.package ]
      ++ optional cfg.distributedBuilds pkgs.gzip
      ++ optional (!isNix20) pkgs.openssl.bin;

    # The daemon fetches substitutes itself, so on top of the Nix-specific
    # variables it needs the system CA bundle (https caches are verified
    # against it) and the proxy settings.
    environment =
      cfg.envVars
      // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
      // config.networking.proxy.envVars;

    unitConfig.RequiresMountsFor = "/nix/store";

    serviceConfig = {
      Nice = cfg.daemonNiceLevel;
      IOSchedulingPriority = cfg.daemonIONiceLevel;
      LimitNOFILE = 4096;
    };

    # A new nix.conf has to restart the daemon for its settings to apply.
    restartTriggers = [ nixConf ];
  };

  # Environment for every Nix invocation (daemon and user sessions). Nix
  # >= 2.0 finds /etc/nix/nix.conf and the build hook on its own, so all
  # of this only matters for older releases.
  nix.envVars = optionalAttrs (!isNix20) ({
      NIX_CONF_DIR = "/etc/nix";

      # Enable the copy-from-other-stores substituter, which allows
      # builds to be sped up by copying build results from remote
      # Nix stores. To do this, mount the remote file system on a
      # subdirectory of /run/nix/remote-stores.
      NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix";
    } // optionalAttrs cfg.distributedBuilds {
      NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl";
    });

  # Set up the environment variables for running Nix.
  environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; };

  # Shell init for every login. For Nix < 2.0, non-root users (and root
  # without a writable database) are pointed at the daemon via
  # NIX_REMOTE; newer Nix works that out itself. Independently of the
  # version, the user's own channels are put in front of NIX_PATH, in
  # that user's shell only.
  environment.extraInit = concatStrings [
    (optionalString (!isNix20) ''
      # Set up secure multi-user builds: non-root users build through the
      # Nix daemon.
      if [ "$USER" != root -o ! -w /nix/var/nix/db ]; then
        export NIX_REMOTE=daemon
      fi
    '')
    ''
      if [ -e "$HOME/.nix-defexpr/channels" ]; then
        export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}"
      fi
    ''
  ];

  # Each concurrently running job needs its own build user; 32 is the
  # floor, and "auto" (unknown job count at evaluation time) gets just
  # the floor.
  nix.nrBuildUsers = mkDefault (max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));

  users.users = nixbldUsers;

  # Keep the build accounts off graphical login screens.
  services.xserver.displayManager.hiddenUsers = map (u: u.name) nixbldUsers;

  system.activationScripts.nix = stringAfter [ "etc" "users" ] ''
    install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user

    # Subscribe the root user to the NixOS channel by default.
    if [ ! -e "/root/.nix-channels" ]; then
      echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels"
    fi
  '';

  # Features a derivation may demand via requiredSystemFeatures. An
  # x86_64 builder can run code built for its own platform.gcc.arch and
  # for the older microarchitectures that one is a superset of.
  nix.systemFeatures = mkDefault (
    let
      arch = pkgs.hostPlatform.platform.gcc.arch;
      # Older generations each newer one can still execute.
      predecessors = {
        sandybridge    = [ "westmere" ];
        ivybridge      = [ "westmere" "sandybridge" ];
        haswell        = [ "westmere" "sandybridge" "ivybridge" ];
        broadwell      = [ "westmere" "sandybridge" "ivybridge" "haswell" ];
        skylake        = [ "westmere" "sandybridge" "ivybridge" "haswell" "broadwell" ];
        skylake-avx512 = [ "westmere" "sandybridge" "ivybridge" "haswell" "broadwell" "skylake" ];
      };
      archFeatures =
        map (a: "gccarch-${a}") ([ arch ] ++ (predecessors.${arch} or []));
    in
      [ "nixos-test" "benchmark" "big-parallel" "kvm" ]
      ++ optionals (pkgs.stdenv.isx86_64 && pkgs.hostPlatform.platform ? gcc.arch) archFeatures
  );

};
}