Merge pull request #236389 from Enzime/darwin-builder

darwin-builder: use port 31022 by default
Robert Hensing 2023-07-07 10:24:48 +02:00 committed by GitHub
commit 262e7272c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 66 additions and 18 deletions


@ -1,11 +1,12 @@
# darwin.builder {#sec-darwin-builder} # darwin.linux-builder {#sec-darwin-builder}
`darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine. `darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine.
This requires macOS version 12.4 or later. This requires macOS version 12.4 or later.
This also requires that port 22 on your machine is free (since Nix does not The builder runs on host port 31022 by default.
permit specifying a non-default SSH port for builders). You can change it by overriding `virtualisation.darwin-builder.hostPort`.
See the [example](#sec-darwin-builder-example-flake).
You will also need to be a trusted user for your Nix installation. In other You will also need to be a trusted user for your Nix installation. In other
words, your `/etc/nix/nix.conf` should have something like: words, your `/etc/nix/nix.conf` should have something like:
@ -17,7 +18,7 @@ extra-trusted-users = <your username goes here>
To launch the builder, run the following flake: To launch the builder, run the following flake:
```ShellSession ```ShellSession
$ nix run nixpkgs#darwin.builder $ nix run nixpkgs#darwin.linux-builder
``` ```
That will prompt you to enter your `sudo` password: That will prompt you to enter your `sudo` password:
@ -50,12 +51,21 @@ To delegate builds to the remote builder, add the following options to your
``` ```
# - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
# - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure) # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=
# Not strictly necessary, but this will reduce your disk utilization # Not strictly necessary, but this will reduce your disk utilization
builders-use-substitutes = true builders-use-substitutes = true
``` ```
To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`:
```
Host linux-builder
Hostname localhost
HostKeyAlias linux-builder
Port 31022
```
… and then restart your Nix daemon to apply the change: … and then restart your Nix daemon to apply the change:
```ShellSession ```ShellSession


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
keysDirectory = "/var/keys"; keysDirectory = "/var/keys";
@ -67,9 +67,9 @@ in
''; '';
}; };
hostPort = mkOption { hostPort = mkOption {
default = 22; default = 31022;
type = types.int; type = types.int;
example = 31022; example = 22;
description = '' description = ''
The localhost host port to forward TCP to the guest port. The localhost host port to forward TCP to the guest port.
''; '';
@ -139,13 +139,13 @@ in
hostPkgs = config.virtualisation.host.pkgs; hostPkgs = config.virtualisation.host.pkgs;
script = hostPkgs.writeShellScriptBin "create-builder" ( script = hostPkgs.writeShellScriptBin "create-builder" (
# When running as non-interactively as part of a DarwinConfiguration the working directory # When running as non-interactively as part of a DarwinConfiguration the working directory
# must be set to a writeable directory. # must be set to a writeable directory.
(if cfg.workingDirectory != "." then '' (if cfg.workingDirectory != "." then ''
${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}" ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}"
cd "${cfg.workingDirectory}" cd "${cfg.workingDirectory}"
'' else "") + '' '' else "") + ''
KEYS="''${KEYS:-./keys}" KEYS="''${KEYS:-./keys}"
${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"
PRIVATE_KEY="''${KEYS}/${user}_${keyType}" PRIVATE_KEY="''${KEYS}/${user}_${keyType}"
@ -157,7 +157,7 @@ in
if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then
(set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")
fi fi
KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm}
''); '');
in in
@ -177,7 +177,7 @@ in
Please inspect the trace of the following command to figure out which module Please inspect the trace of the following command to figure out which module
has a dependency on stateVersion. has a dependency on stateVersion.
nix-instantiate --attr darwin.builder --show-trace nix-instantiate --attr darwin.linux-builder --show-trace
''); '');
}; };
@ -234,6 +234,10 @@ in
# This ensures that anything built on the guest isn't lost when the guest is # This ensures that anything built on the guest isn't lost when the guest is
# restarted. # restarted.
writableStoreUseTmpfs = false; writableStoreUseTmpfs = false;
# Pass certificates from host to the guest otherwise when custom CA certificates
# are required we can't use the cached builder.
useHostCerts = true;
}; };
}; };
} }
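Review bot: `hostPort` keeps `type = types.int;` in the option-definition hunk, so a negative or out-of-range value is accepted at evaluation time and only fails later when QEMU parses the hostfwd rule; `type = types.port;` rejects it with a clear module-system error and documents the intent. The `useHostCerts = true;` added in the last hunk makes the host's `NIX_SSL_CERT_FILE` bundle the guest's entire trust store, including any private CAs the host trusts, which is presumably the intent but is not what the comment above it says; suggest extending it with `# The guest then trusts exactly the CAs the host trusts (including private ones).` The enclosing `virtualisation` attribute set starts before the hunk.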


@ -18,6 +18,10 @@ in
{ {
options = { options = {
security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // {
default = true;
internal = true;
};
security.pki.certificateFiles = mkOption { security.pki.certificateFiles = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
@ -70,7 +74,7 @@ in
}; };
config = { config = mkIf cfg.installCACerts {
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
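Review bot: `config = mkIf cfg.installCACerts { … }` gates everything this module sets (the block continues past the hunk), so a consumer that turns the option off ends up with no CA bundle anywhere unless it supplies one itself, and the option description does not say that. `mkEnableOption "Add CA certificates to system"` also renders as "Whether to enable Add CA certificates to system.", which reads badly. Suggest a plain `mkOption` with `type = types.bool; default = true; internal = true;` and a description along the lines of "Whether to install the system CA bundle under /etc/ssl/certs and the compatibility paths. When disabled, the consumer must provide /etc/ssl/certs/ca-certificates.crt itself."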


@ -166,6 +166,16 @@ let
# Create a directory for exchanging data with the VM. # Create a directory for exchanging data with the VM.
mkdir -p "$TMPDIR/xchg" mkdir -p "$TMPDIR/xchg"
${lib.optionalString cfg.useHostCerts
''
mkdir -p "$TMPDIR/certs"
if [ -e "$NIX_SSL_CERT_FILE" ]; then
cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
else
echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
fi
''}
${lib.optionalString cfg.useEFIBoot ${lib.optionalString cfg.useEFIBoot
'' ''
# Expose EFI variables, it's useful even when we are not using a bootloader (!). # Expose EFI variables, it's useful even when we are not using a bootloader (!).
@ -877,7 +887,6 @@ in
''; '';
}; };
virtualisation.bios = virtualisation.bios =
mkOption { mkOption {
type = types.nullOr types.package; type = types.nullOr types.package;
@ -890,6 +899,17 @@ in
''; '';
}; };
virtualisation.useHostCerts =
mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc ''
If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
pass the CA certificates from the host to the VM.
'';
};
}; };
config = { config = {
@ -1024,8 +1044,14 @@ in
source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"'';
target = "/tmp/shared"; target = "/tmp/shared";
}; };
certs = mkIf cfg.useHostCerts {
source = ''"$TMPDIR"/certs'';
target = "/etc/ssl/certs";
};
}; };
security.pki.installCACerts = mkIf cfg.useHostCerts false;
virtualisation.qemu.networkingOptions = virtualisation.qemu.networkingOptions =
let let
forwardingOptions = flip concatMapStrings cfg.forwardPorts forwardingOptions = flip concatMapStrings cfg.forwardPorts
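Review bot: When `useHostCerts` is enabled but `NIX_SSL_CERT_FILE` is unset or points at a missing file, the start script in the first hunk only echoes a message to stdout and continues; combined with `security.pki.installCACerts = mkIf cfg.useHostCerts false;` in the last hunk, the guest then boots with an empty `/etc/ssl/certs` and every TLS connection inside it fails with no obvious cause. The message should go to stderr and the script should stop, e.g. `echo "\$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled." >&2` followed by `exit 1`, or alternatively the module should leave the guest's own bundle in place in that case. The `useHostCerts` option description should also state that the host bundle replaces, rather than extends, the guest's trust store.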


@ -3,6 +3,7 @@
, generateSplicesForMkScope, makeScopeWithSplicing , generateSplicesForMkScope, makeScopeWithSplicing
, stdenv , stdenv
, preLibcCrossHeaders , preLibcCrossHeaders
, config
}: }:
let let
@ -229,7 +230,7 @@ impure-cmds // appleSourcePackages // chooseLibs // {
discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { }; discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };
# See doc/builders/special/darwin-builder.section.md # See doc/builders/special/darwin-builder.section.md
builder = linux-builder = lib.makeOverridable ({ modules }:
let let
toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ]; toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ];
@ -237,7 +238,7 @@ impure-cmds // appleSourcePackages // chooseLibs // {
configuration = { configuration = {
imports = [ imports = [
../../nixos/modules/profiles/macos-builder.nix ../../nixos/modules/profiles/macos-builder.nix
]; ] ++ modules;
virtualisation.host = { inherit pkgs; }; virtualisation.host = { inherit pkgs; };
}; };
@ -246,5 +247,8 @@ impure-cmds // appleSourcePackages // chooseLibs // {
}; };
in in
nixos.config.system.build.macos-builder-installer; nixos.config.system.build.macos-builder-installer) { modules = [ ]; };
} // lib.optionalAttrs config.allowAliases {
builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06
}) })
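Review bot: The new `lib.makeOverridable ({ modules }: …)` wrapper has no comment explaining what `modules` is, even though the manual section now tells users to override `virtualisation.darwin-builder.hostPort` through it. Suggest a comment above the definition such as `# \`modules\` is a list of extra NixOS modules merged into the guest configuration; override it to change the builder, e.g. \`darwin.linux-builder.override { modules = [ { virtualisation.darwin-builder.hostPort = 22; } ]; }\`.` The enclosing attribute set starts before the first hunk.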