nixos/top-level.nix: add forbiddenDependenciesRegex option

useful for making sure that there's no dev outputs in the system
This commit is contained in:
Artturin 2022-12-01 18:49:48 +02:00
parent 2abf40d9b5
commit a34d7b67fd
3 changed files with 59 additions and 1 deletions

View file

@ -0,0 +1,27 @@
{ lib
, nixos
, expect
, testers
}:
let
node-forbiddenDependencies-fail = nixos ({ ... }: {
system.forbiddenDependenciesRegex = "-dev$";
environment.etc."dev-dependency" = {
text = "${expect.dev}";
};
documentation.enable = false;
fileSystems."/".device = "ignore-root-device";
boot.loader.grub.enable = false;
});
node-forbiddenDependencies-succeed = nixos ({ ... }: {
system.forbiddenDependenciesRegex = "-dev$";
system.extraDependencies = [ expect.dev ];
documentation.enable = false;
fileSystems."/".device = "ignore-root-device";
boot.loader.grub.enable = false;
});
in
lib.recurseIntoAttrs {
test-forbiddenDependencies-fail = testers.testBuildFailure node-forbiddenDependencies-fail.config.system.build.toplevel;
test-forbiddenDependencies-succeed = node-forbiddenDependencies-succeed.config.system.build.toplevel;
}

View file

@ -77,7 +77,7 @@ let
${config.system.systemBuilderCommands}
echo -n "${toString config.system.extraDependencies}" > $out/extra-dependencies
echo -n "$extraDependencies" > $out/extra-dependencies
${config.system.extraSystemBuilderCmds}
'';
@ -105,6 +105,8 @@ let
dryActivationScript = config.system.dryActivationScript;
nixosLabel = config.system.nixos.label;
inherit (config.system) extraDependencies;
# Needed by switch-to-configuration.
perl = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]);
} // config.system.systemBuilderArgs);
@ -223,6 +225,16 @@ in
'';
};
system.forbiddenDependenciesRegex = mkOption {
default = "";
example = "-dev$";
type = types.str;
description = lib.mdDoc ''
A POSIX Extended Regular Expression that matches store paths that
should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked.
'';
};
system.extraSystemBuilderCmds = mkOption {
type = types.lines;
internal = true;
@ -298,8 +310,26 @@ in
config.system.copySystemConfiguration
''ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" <nixos-config>}' \
"$out/configuration.nix"
'' +
optionalString
(config.system.forbiddenDependenciesRegex != "")
''
if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then
if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then
echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths"
exit 1
fi
fi
'';
system.systemBuilderArgs = lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
inherit (config.system) forbiddenDependenciesRegex;
closureInfo = pkgs.closureInfo { rootPaths = [
# override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies)
(config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))
]; };
};
system.build.toplevel = system;
};

View file

@ -193,6 +193,7 @@ in {
ergo = handleTest ./ergo.nix {};
ergochat = handleTest ./ergochat.nix {};
etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };
activation = pkgs.callPackage ../modules/system/activation/test.nix { };
etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {};
etebase-server = handleTest ./etebase-server.nix {};