base repository: NixOS/nixpkgs
base: 3ab3614e2be9
head repository: NixOS/nixpkgs
compare: e8bc181154e3
  • 6 commits
  • 4 files changed
  • 1 contributor

Commits on Oct 10, 2019

  1. Don't create /nix/var/nix/{gcroots,per-user}/per-user with 1777 permission
    
    In fact, don't create them at all because Nix does that automatically.
    
    Also remove modules/programs/shell.nix because everything it did is
    now done automatically by Nix.
    edolstra committed Oct 10, 2019
    4e0d6a5 View commit details
  2. nix-daemon.nix: Drop Nix 1.x compatibility

    It probably no longer worked anyway.
    edolstra committed Oct 10, 2019
    4b950c4 View commit details
  3. Typo

    edolstra committed Oct 10, 2019
    2c97f06 View commit details
    27d2857 View commit details
    9d0de0d View commit details
  6. Merge pull request #70874 from edolstra/no-world-writable-per-user

    [WIP] Don't create /nix/var/nix/{gcroots,per-user}/per-user with 1777 permission
    edolstra authored Oct 10, 2019
    e8bc181 View commit details
Showing with 22 additions and 119 deletions.
  1. +0 −1 nixos/modules/module-list.nix
  2. +0 −54 nixos/modules/programs/shell.nix
  3. +21 −63 nixos/modules/services/misc/nix-daemon.nix
  4. +1 −1 nixos/modules/system/boot/stage-2-init.sh
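--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -142,7 +142,6 @@
 ./programs/seahorse.nix
 ./programs/slock.nix
 ./programs/shadow.nix
-./programs/shell.nix
 ./programs/spacefm.nix
 ./programs/singularity.nix
 ./programs/ssh.nix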
54 changes: 0 additions & 54 deletions nixos/modules/programs/shell.nix

This file was deleted.

84 changes: 21 additions & 63 deletions nixos/modules/services/misc/nix-daemon.nix
@@ -10,7 +10,6 @@ let

nixVersion = getVersion nix;

isNix20 = versionAtLeast nixVersion "2.0pre";
isNix23 = versionAtLeast nixVersion "2.3pre";

makeNixBuildUser = nr:
@@ -28,39 +27,26 @@ let
nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers);

nixConf =
let
# In Nix < 2.0, If we're using sandbox for builds, then provide
# /bin/sh in the sandbox as a bind-mount to bash. This means we
# also need to include the entire closure of bash. Nix >= 2.0
# provides a /bin/sh by default.
sh = pkgs.runtimeShell;
binshDeps = pkgs.writeReferencesToFile sh;
in
pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (''
${optionalString (!isNix20) ''
extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
''}
assert versionAtLeast nixVersion "2.2";
pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } (
''
cat > $out <<END
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
build-users-group = nixbld
${if isNix20 then "max-jobs" else "build-max-jobs"} = ${toString (cfg.maxJobs)}
${if isNix20 then "cores" else "build-cores"} = ${toString (cfg.buildCores)}
${if isNix20 then "sandbox" else "build-use-sandbox"} = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
${if isNix20 then "extra-sandbox-paths" else "build-sandbox-paths"} = ${toString cfg.sandboxPaths} ${optionalString (!isNix20) "/bin/sh=${sh} $(echo $extraPaths)"}
${if isNix20 then "substituters" else "binary-caches"} = ${toString cfg.binaryCaches}
${if isNix20 then "trusted-substituters" else "trusted-binary-caches"} = ${toString cfg.trustedBinaryCaches}
${if isNix20 then "trusted-public-keys" else "binary-cache-public-keys"} = ${toString cfg.binaryCachePublicKeys}
max-jobs = ${toString (cfg.maxJobs)}
cores = ${toString (cfg.buildCores)}
sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
extra-sandbox-paths = ${toString cfg.sandboxPaths}
substituters = ${toString cfg.binaryCaches}
trusted-substituters = ${toString cfg.trustedBinaryCaches}
trusted-public-keys = ${toString cfg.binaryCachePublicKeys}
auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
${if isNix20 then ''
require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"}
'' else ''
signed-binary-caches = ${if cfg.requireSignedBinaryCaches then "*" else ""}
''}
require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"}
trusted-users = ${toString cfg.trustedUsers}
allowed-users = ${toString cfg.allowedUsers}
${optionalString (isNix20 && !cfg.distributedBuilds) ''
${optionalString (!cfg.distributedBuilds) ''
builders =
''}
system-features = ${toString cfg.systemFeatures}
@@ -422,8 +408,7 @@ in

systemd.services.nix-daemon =
{ path = [ nix pkgs.utillinux config.programs.ssh.package ]
++ optionals cfg.distributedBuilds [ pkgs.gzip ]
++ optionals (!isNix20) [ pkgs.openssl.bin ];
++ optionals cfg.distributedBuilds [ pkgs.gzip ];

environment = cfg.envVars
// { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
@@ -440,34 +425,13 @@ in
restartTriggers = [ nixConf ];
};

nix.envVars =
optionalAttrs (!isNix20) {
NIX_CONF_DIR = "/etc/nix";

# Enable the copy-from-other-stores substituter, which allows
# builds to be sped up by copying build results from remote
# Nix stores. To do this, mount the remote file system on a
# subdirectory of /run/nix/remote-stores.
NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix";
}

// optionalAttrs (cfg.distributedBuilds && !isNix20) {
NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl";
};

# Set up the environment variables for running Nix.
environment.sessionVariables = cfg.envVars //
{ NIX_PATH = cfg.nixPath;
};

environment.extraInit = optionalString (!isNix20)
environment.extraInit =
''
# Set up secure multi-user builds: non-root users build through the
# Nix daemon.
if [ "$USER" != root -o ! -w /nix/var/nix/db ]; then
export NIX_REMOTE=daemon
fi
'' + ''
if [ -e "$HOME/.nix-defexpr/channels" ]; then
export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}"
fi
@@ -479,21 +443,15 @@ in

services.xserver.displayManager.hiddenUsers = map ({ name, ... }: name) nixbldUsers;

# FIXME: use systemd-tmpfiles to create Nix directories.
system.activationScripts.nix = stringAfter [ "etc" "users" ]
''
# Nix initialisation.
install -m 0755 -d \
/nix/var/nix/gcroots \
/nix/var/nix/temproots \
/nix/var/nix/userpool \
/nix/var/nix/profiles \
/nix/var/nix/db \
/nix/var/log/nix/drvs
install -m 1777 -d \
/nix/var/nix/gcroots/per-user \
/nix/var/nix/profiles/per-user \
/nix/var/nix/gcroots/tmp
# Create directories in /nix.
${nix}/bin/nix ping-store --no-net
# Subscribe the root user to the NixOS channel by default.
if [ ! -e "/root/.nix-channels" ]; then
echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels"
fi
'';

nix.systemFeatures = mkDefault (
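Review bot: The new version floor `assert versionAtLeast nixVersion "2.2";` in the nixConf hunk looks lower than what the rewritten activation script needs: `${nix}/bin/nix ping-store --no-net` is now the only thing creating the /nix/var/nix directories, and if `--no-net` and the automatic creation of the per-user directories that the commit message relies on only exist from Nix 2.3, the assertion should agree with the `isNix23` check that survives at the top of the file, e.g. `assert versionAtLeast nixVersion "2.3pre";` — worth confirming against the pinned Nix before merging (the PR title still says WIP). Independently, nothing in the activation script states the permission intent behind the change any more, so a future reader may re-add the `install -m 1777 -d` lines; I would add `# Let Nix create /nix/var/nix/{gcroots,profiles}/per-user itself instead of pre-creating them world-writable (1777) here.` above the ping-store call. The extraInit hunk also drops the `NIX_REMOTE=daemon` export for non-root users; if that now relies on Nix detecting an unwritable /nix/var/nix/db on its own, a one-line comment saying so would avoid the same regression. The enclosing `config` attribute set that holds `nix.envVars`, `environment.extraInit` and `system.activationScripts.nix` starts and ends outside the hunks.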
2 changes: 1 addition & 1 deletion nixos/modules/system/boot/stage-2-init.sh
@@ -142,7 +142,7 @@ fi
# Record the boot configuration.
ln -sfn "$systemConfig" /run/booted-system
# Prevent the booted system form being garbage-collected If it weren't
# Prevent the booted system from being garbage-collected. If it weren't
# a gcroot, if we were running a different kernel, switched system,
# and garbage collected all, we could not load kernel modules anymore.
ln -sfn /run/booted-system /nix/var/nix/gcroots/booted-system