From 285f5e858eb204ecf08a60c40a99aee1d2dc7bd1 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Wed, 7 Jun 2023 12:39:27 +1000 Subject: [PATCH 1/4] darwin.builder: use port 31022 by default --- doc/builders/special/darwin-builder.section.md | 14 ++++++++++---- nixos/modules/profiles/macos-builder.nix | 10 +++++----- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/doc/builders/special/darwin-builder.section.md b/doc/builders/special/darwin-builder.section.md index b5b6ab8971e9..7c5c38bf85ee 100644 --- a/doc/builders/special/darwin-builder.section.md +++ b/doc/builders/special/darwin-builder.section.md @@ -4,9 +4,6 @@ This requires macOS version 12.4 or later. -This also requires that port 22 on your machine is free (since Nix does not -permit specifying a non-default SSH port for builders). - You will also need to be a trusted user for your Nix installation. In other words, your `/etc/nix/nix.conf` should have something like: 
@@ -50,12 +47,21 @@ To delegate builds to the remote builder, add the following options to your ``` # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure) -builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= +builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= # Not strictly necessary, but this will reduce your disk utilization builders-use-substitutes = true ``` +To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`: + +``` +Host linux-builder + Hostname localhost + HostKeyAlias linux-builder + Port 31022 +``` + … and then restart your Nix daemon to apply the change: ```ShellSession diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix index 768c673e7f37..f1c991d6ffa6 100644 --- a/nixos/modules/profiles/macos-builder.nix +++ b/nixos/modules/profiles/macos-builder.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: let keysDirectory = "/var/keys"; @@ -67,9 +67,9 @@ in ''; }; hostPort = mkOption { - default = 22; + default = 31022; type = types.int; - example = 31022; + example = 22; description = '' The localhost host port to forward TCP to the guest port. ''; 
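Review bot: The new `hostPort` default of 31022 is also hard-coded as the `Port` line of the `ssh_config.d` snippet in the manual hunk above, but the option description does not say the two must agree, so a user who changes the option alone ends up with a builder nix cannot reach. Add to the description something like `This must match the Port of the ssh_config entry the Nix daemon uses to reach the builder (31022 in the manual's example).` The description also calls this a "localhost" port; unless the forwarding rule that consumes `hostPort` (outside this hunk) pins a 127.0.0.1 bind address, QEMU's user-mode `hostfwd` listens on every host interface, so either pin it there or drop "localhost" from the text. The enclosing `options` set continues outside the hunk.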
@@ -139,13 +139,13 @@ in hostPkgs = config.virtualisation.host.pkgs; - script = hostPkgs.writeShellScriptBin "create-builder" ( + script = hostPkgs.writeShellScriptBin "create-builder" ( # When running as non-interactively as part of a DarwinConfiguration the working directory # must be set to a writeable directory. (if cfg.workingDirectory != "." then '' ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}" cd "${cfg.workingDirectory}" - '' else "") + '' + '' else "") + '' KEYS="''${KEYS:-./keys}" ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" PRIVATE_KEY="''${KEYS}/${user}_${keyType}" From 98d970bc375c37a2f9c5c276d80ae2a3d8b1e4a5 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Wed, 7 Jun 2023 12:41:59 +1000 Subject: [PATCH 2/4] nixos/qemu-vm: use CA certificates from host --- nixos/modules/profiles/macos-builder.nix | 4 ++++ nixos/modules/security/ca.nix | 6 ++++- nixos/modules/virtualisation/qemu-vm.nix | 28 +++++++++++++++++++++++- 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix index f1c991d6ffa6..7ed68f06476b 100644 --- a/nixos/modules/profiles/macos-builder.nix +++ b/nixos/modules/profiles/macos-builder.nix @@ -234,6 +234,10 @@ in # This ensures that anything built on the guest isn't lost when the guest is # restarted. writableStoreUseTmpfs = false; + + # Pass certificates from host to the guest otherwise when custom CA certificates + # are required we can't use the cached builder. + useHostCerts = true; }; }; } diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index c704e2c1f51c..3cd56bff04d1 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -18,6 +18,10 @@ in { options = { + security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // { + default = true; + internal = true; + }; security.pki.certificateFiles = mkOption { type = types.listOf types.path; 
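Review bot: `mkEnableOption "Add CA certificates to system"` renders as the sentence "Whether to enable Add CA certificates to system.", and since the hunk at `-70,7` wraps the module's entire `config` in `mkIf cfg.installCACerts`, setting it to false silently discards any `security.pki.certificateFiles` a configuration provides; `internal = true` hides the option but not that effect. State it in a proper description instead, e.g. `description = "Whether to install the system CA bundle under /etc. When false none of the security.pki configuration, including certificateFiles, is applied.";` with `type = types.bool` and `default = true`. The `options` set this sits in starts and ends outside the hunk.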
@@ -70,7 +74,7 @@ in }; - config = { + config = mkIf cfg.installCACerts { # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 4aac0fa90e8b..d0a5ddd87ccf 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -166,6 +166,16 @@ let # Create a directory for exchanging data with the VM. mkdir -p "$TMPDIR/xchg" + ${lib.optionalString cfg.useHostCerts + '' + mkdir -p "$TMPDIR/certs" + if [ -e "$NIX_SSL_CERT_FILE" ]; then + cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt + else + echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled. + fi + ''} + ${lib.optionalString cfg.useEFIBoot '' # Expose EFI variables, it's useful even when we are not using a bootloader (!). @@ -877,7 +887,6 @@ in ''; }; - virtualisation.bios = mkOption { type = types.nullOr types.package; @@ -890,6 +899,17 @@ in ''; }; + virtualisation.useHostCerts = + mkOption { + type = types.bool; + default = false; + description = + lib.mdDoc '' + If enabled, when `NIX_SSL_CERT_FILE` is set on the host, + pass the CA certificates from the host to the VM. + ''; + }; + }; config = { @@ -1024,8 +1044,14 @@ in source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; target = "/tmp/shared"; }; + certs = mkIf cfg.useHostCerts { + source = ''"$TMPDIR"/certs''; + target = "/etc/ssl/certs"; + }; }; + security.pki.installCACerts = mkIf cfg.useHostCerts false; + virtualisation.qemu.networkingOptions = let forwardingOptions = flip concatMapStrings cfg.forwardPorts From 34f6ce2fc2db08bf86022f47975d23e625843d2a Mon Sep 17 00:00:00 2001 
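Review bot: The `else` branch of the new `useHostCerts` block writes its message to stdout and the start script carries on, so an unset or dangling `NIX_SSL_CERT_FILE` leaves `$TMPDIR/certs` empty, and because this same commit sets `security.pki.installCACerts = mkIf cfg.useHostCerts false` the guest boots with no trust anchors at all; the first TLS failure inside the VM then gives no hint why. Send the message to stderr and stop early: `echo "NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled." >&2` followed by `exit 1` (or keep it non-fatal if an empty trust store is acceptable, but still on stderr). Quoting the message also removes the bare `\$` and the unquoted word list in the current `echo`. The start script this runs in begins before the hunk.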
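Review bot: The `virtualisation.useHostCerts` description only mentions the copy-in, not the second effect the commit gives the option: the hunk at `-1024,8` sets `security.pki.installCACerts = mkIf cfg.useHostCerts false`, so enabling it also removes the guest's own bundle and ignores any `security.pki.certificateFiles` in the VM configuration, whether or not `NIX_SSL_CERT_FILE` is set on the host. Add a sentence such as `When enabled the VM's own CA bundle from security.pki is not installed; the host's file becomes the only trust store in the guest.` so the trade-off is visible where the option is declared.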
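Review bot: Mounting `$TMPDIR/certs` over `/etc/ssl/certs` replaces the whole directory with the single `ca-certificates.crt` the start script copies, so the other compatibility names ca.nix normally places there (the hunk at `-70,7` shows only the first entry; the rest are outside this diff) do not exist in the guest, and there is nothing for `CApath`-style hashed lookups. Anything that reads the bundle through `/etc/ssl/certs/ca-certificates.crt` works; anything expecting the other names will not. Either copy the file under each name ca.nix installs or record the limitation in the `useHostCerts` description. The `sharedDirectories` set continues outside the hunk.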
From: Michael Hoang Date: Wed, 14 Jun 2023 09:16:34 +1000 Subject: [PATCH 3/4] darwin.builder: allow overriding configuration --- nixos/modules/profiles/macos-builder.nix | 2 +- pkgs/top-level/darwin-packages.nix | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix index 7ed68f06476b..554115705b64 100644 --- a/nixos/modules/profiles/macos-builder.nix +++ b/nixos/modules/profiles/macos-builder.nix @@ -157,7 +157,7 @@ in if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") fi - KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm + KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm} ''); in diff --git a/pkgs/top-level/darwin-packages.nix b/pkgs/top-level/darwin-packages.nix index fa03c385e4f3..a583b84b430d 100644 --- a/pkgs/top-level/darwin-packages.nix +++ b/pkgs/top-level/darwin-packages.nix @@ -229,7 +229,7 @@ impure-cmds // appleSourcePackages // chooseLibs // { discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { }; # See doc/builders/special/darwin-builder.section.md - builder = + builder = lib.makeOverridable ({ modules }: let toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ]; @@ -237,7 +237,7 @@ impure-cmds // appleSourcePackages // chooseLibs // { configuration = { imports = [ ../../nixos/modules/profiles/macos-builder.nix - ]; + ] ++ modules; virtualisation.host = { inherit pkgs; }; }; @@ -246,5 +246,5 @@ impure-cmds // appleSourcePackages // chooseLibs // { }; in - nixos.config.system.build.macos-builder-installer; + nixos.config.system.build.macos-builder-installer) { modules = [ ]; }; }) From edef4868982e5a1ca3226231fb1a7eb292b4c96a Mon Sep 17 00:00:00 2001 
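Review bot: The rewritten `KEYS=` line still hands the whole `$KEYS` directory to `nix-store --add`, and the context above shows that directory holds `PRIVATE_KEY` as well as the public key, so the builder's private SSH key is copied into the world-readable Nix store every time the VM is launched. If the guest only needs the `.pub` (its consumer is outside this hunk), stage just that file in a separate directory and `nix-store --add` that instead. `lib.getExe` additionally assumes `config.system.build.vm` sets `meta.mainProgram` or that the fallback on its name resolves to the former `run-nixos-vm`; if neither holds, the explicit path was the safer form. The script continues on both sides of the hunk.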
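Review bot: `lib.makeOverridable` gives `darwin.builder` an `.override { modules = [ … ]; }` contract across the hunks at `-229,7`, `-237,7` and `-246,5`, but the only comment is the `# See doc/...` pointer and the manual hunks in this series do not describe the attribute. Extend the comment so the contract is discoverable where it is defined, e.g. `# Extra NixOS modules for the guest can be injected with darwin.builder.override { modules = [ ./my-module.nix ]; }`. The attribute set these hunks belong to starts and ends outside them.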
From: Michael Hoang Date: Tue, 4 Jul 2023 20:46:42 +1000 Subject: [PATCH 4/4] darwin.linux-builder: rename from `darwin.builder` --- doc/builders/special/darwin-builder.section.md | 10 +++++++--- nixos/modules/profiles/macos-builder.nix | 2 +- pkgs/top-level/darwin-packages.nix | 6 +++++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/builders/special/darwin-builder.section.md b/doc/builders/special/darwin-builder.section.md index 7c5c38bf85ee..13d01a0e3af8 100644 --- a/doc/builders/special/darwin-builder.section.md +++ b/doc/builders/special/darwin-builder.section.md @@ -1,9 +1,13 @@ -# darwin.builder {#sec-darwin-builder} +# darwin.linux-builder {#sec-darwin-builder} -`darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine. +`darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine. This requires macOS version 12.4 or later. +The builder runs on host port 31022 by default. +You can change it by overriding `virtualisation.darwin-builder.hostPort`. +See the [example](#sec-darwin-builder-example-flake). + You will also need to be a trusted user for your Nix installation. In other words, your `/etc/nix/nix.conf` should have something like: @@ -14,7 +18,7 @@ extra-trusted-users = To launch the builder, run the following flake: ```ShellSession -$ nix run nixpkgs#darwin.builder +$ nix run nixpkgs#darwin.linux-builder ``` That will prompt you to enter your `sudo` password: diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix index 554115705b64..83a849956182 100644 --- a/nixos/modules/profiles/macos-builder.nix +++ b/nixos/modules/profiles/macos-builder.nix @@ -177,7 +177,7 @@ in Please inspect the trace of the following command to figure out which module has a dependency on stateVersion. - nix-instantiate --attr darwin.builder --show-trace + nix-instantiate --attr darwin.linux-builder --show-trace ''); }; 
diff --git a/pkgs/top-level/darwin-packages.nix b/pkgs/top-level/darwin-packages.nix index a583b84b430d..f1d48814ebe2 100644 --- a/pkgs/top-level/darwin-packages.nix +++ b/pkgs/top-level/darwin-packages.nix @@ -3,6 +3,7 @@ , generateSplicesForMkScope, makeScopeWithSplicing , stdenv , preLibcCrossHeaders +, config }: let @@ -229,7 +230,7 @@ impure-cmds // appleSourcePackages // chooseLibs // { discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { }; # See doc/builders/special/darwin-builder.section.md - builder = lib.makeOverridable ({ modules }: + linux-builder = lib.makeOverridable ({ modules }: let toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ]; @@ -247,4 +248,7 @@ impure-cmds // appleSourcePackages // chooseLibs // { in nixos.config.system.build.macos-builder-installer) { modules = [ ]; }; + +} // lib.optionalAttrs config.allowAliases { + builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06 })
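Review bot: The `builder` alias's throw tells users to "override the port back to 22" without saying how, and the only mechanism this series provides is the `modules` argument of `lib.makeOverridable` together with the `virtualisation.darwin-builder.hostPort` option named in the manual hunk. Put the exact form in the message so the error is self-contained: `darwin.linux-builder.override { modules = [ { virtualisation.darwin-builder.hostPort = 22; } ]; }`. The `// lib.optionalAttrs config.allowAliases` tail closes the `impure-cmds // ... // {` set that starts outside this hunk.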