New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow nix.conf options to be set in flake.nix #4189
Conversation
This makes it possible to have per-project configuration in flake.nix, e.g. binary caches and other stuff: nixConfig.bash-prompt-suffix = "�[1;35mngi# �[0m"; nixConfig.substituters = [ "https://cache.ngi0.nixos.org/" ];
How would that work with dependencies? Like if I depend on a flake |
Currently it only uses options from the top-level flake. Since dependencies are fetched lazily that's really the only option, unless we propagate options into the lock file. |
How useful is substituters without the "trusted-public-keys" setting? Without setting that, I think you just get an error when a new substituter is enabled (unless you happen to have it allowed in your global config). Of course allowing trusted-public-keys per-project is probably a security concern. It would be nice UX to prompt users if no trusted key matches, asking if they trust the cache URL. If not, it would get on a list of "untrusted-public-keys" so we would avoid trying it in the future. |
@@ -223,10 +228,41 @@ static Flake getFlake( | |||
} else | |||
throw Error("flake '%s' lacks attribute 'outputs'", lockedRef); | |||
|
|||
auto sNixConfig = state.symbols.create("nixConfig"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can safely rename this to only config
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, that would be ambiguous with config
used in the NixOS module system.
Allowing to specify custom binary cache at the project level is worth all this trouble. That would mean no need to explain to your users / coworkers to add a binary cache. And I'm not alone by saying that this is not the easiest thing to do in Nix.
I assume that @edolstra didn't add it to the list of possible options exactly because of the security concern. But it is also true that without it wouldn't pull binaries from the cache. I can only agree with @matthewbauer that we need to prompt users in cache no trusted key matches. Here are some my ideas / questions / concerns, without thinking about implementation, but trying to put myself in the user and try to meet expectations:
This is what I have so far, but I'm really happy with this coming to Nix. |
|
I like the idea of having per-project configuration. In the past I had to use some weird hacks with direnv to get my nix CLI use a slightly different configuration for some customer project. Not being able to set a public key is reasonable but I wonder what the value in this is if we can't use our own caches? We would still need system-wide (or if trusted, user local) configuration of trusted signing keys. How many binary caches are there that someone would be using in a project/company to warrant that not being configured the same time you configure the public keys? The given example of an SSH substituters might be the only one I really see as "complete" here. At least with SSH it is common to configure authenticaiton outside of what Nix can do (right now). As long as we keep the number of supported settings as restrictive as proposed in this PR this is probably fine. If we ever expand it further (e.g. allowing users to set |
if (name != "bash-prompt-suffix" && | ||
name != "bash-prompt" && | ||
name != "substituters" && | ||
name != "extra-substituters") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
netrc-file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe if it's relative to the flake directory, otherwise it's probably not very useful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess to make netrc-file useful we’d also need extra-sandbox-paths?
Btw. I wonder why the path of netrc-file is not automatically added to sandbox? Is there any use of setting this option without adding the path to sandbox?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
netrc-file should only be read by the Nix builtin fetchers which aren't subject to sandboxing rules.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
@edolstra no netrc-file or public keys support? That really limits the use of binary caches for flakes. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-5/10560/1 |
I want to link to a nascent community project with certain scope overlap. I furthermore suggest and encourage, as far as I'm conceded to do so, to explore any so opportunity for collusion and thought entanglement https://github.com/numtide/devshell |
For those who like me, wonder where to add the {
description = "...";
nixConfig.bash-prompt = "\[nix-develop\]$ ";
...
} |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
This makes it possible to have per-project configuration in
flake.nix
, e.g. binary caches and other stuff:@garbas