nixos/nix-daemon: Add enable option

Don't worry, it's is true by default. But I think this is important to have because NixOS indeed shouldn't need Nix at run time when the installation is not being modified, and now we can verify that. NixOS images that cannot "self-modify" are a legitamate use-case that this supports more minimally. One should be able to e.g. do a sshfs mount and use `nixos-install` to modify them remotely, or just discard them and build fresh ones if they are run VMs or something. The next step would be to make generations optional, allowing just baking `/etc` and friends rather than using activation scripts. But that's more involved so I'm leaving it out.
2021-04-24 21:02:15 +00:00 · 2021-04-24 21:02:15 +00:00 · cc3f2432d0
commit cc3f2432d0
parent 1d88d6faed
3 changed files with 34 additions and 1 deletions
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -82,6 +82,15 @@ in

    nix = {

+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to enable Nix.
+          Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
+        '';
+      };
+
      package = mkOption {
        type = types.package;
        default = pkgs.nix;
@ -499,7 +508,7 @@ in

  ###### implementation

-  config = {
+  config = mkIf cfg.enable {

    nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
    nix.binaryCaches = [ "https://cache.nixos.org/" ];
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -478,6 +478,7 @@ in
  wasabibackend = handleTest ./wasabibackend.nix {};
  wiki-js = handleTest ./wiki-js.nix {};
  wireguard = handleTest ./wireguard {};
+  without-nix = handleTest ./without-nix.nix {};
  wmderland = handleTest ./wmderland.nix {};
  wpa_supplicant = handleTest ./wpa_supplicant.nix {};
  wordpress = handleTest ./wordpress.nix {};
--- a/nixos/tests/without-nix.nix
+++ b/nixos/tests/without-nix.nix
@ -0,0 +1,23 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "without-nix";
+  meta = with lib.maintainers; {
+    maintainers = [ ericson2314 ];
+  };
+
+  nixpkgs.overlays = [
+    (self: super: {
+      nix = throw "don't want to use this";
+    })
+  ];
+
+  nodes.machine = { ... }: {
+    nix.enable = false;
+  };
+
+  testScript = ''
+    start_all()
+
+    machine.succeed("which which")
+    machine.fail("which nix")
+  '';
+})