New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accept strings with Nix paths as proper shells #24786
Conversation
@abbradar, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @ericsagnes and @nbp to be potential reviewers. |
@abbradar , I am not sure to understand the use case, can you provide an example. |
@nbp More elaborated, it doesn't work now because:
|
Would the following work: |
It should but |
I actually have a similar use case in one of my configuration files: users.extraUsers.git = {
uid = config.ids.uids.git;
group = "git";
description = "Git User";
home = "/home/git";
createHome = true;
shell = pkgs.git + "/bin/git-shell";
openssh.authorizedKeys.keyFiles = [ ...
./nicolas.computer.pub
];
}; |
I think the proper reviewer for these changes should be @zimbatm |
Hm, it's interesting that it works for your configuration without those patches. I'll look into this, maybe there's something deeper going on... |
The types.either types.shellPackage types.path; Thus in my case, I get a nix-store path which is validated by the I see that multiple locations have the same type with either a shellPackage or a path. 2 things we can do:
|
the path type was to preserve legacy usage. if you have a better approach I'm all for it |
@nbp Ah, I get it now, I'm for option (2) -- I'll look at implementing it somewhere this week. |
Option (2) is just a clean-up, and not a solution, it would not solve the problem you are facing. Option (1) is from what I understand the proper way to fix this issue. |
Hm, this seems a wrong place to fix the problem to me because I feel that |
having a |
@nbp That's okay, what I mean is that either the type should be |
So, do we agree that |
Yes the |
nixos/lib/utils.nix
Outdated
@@ -21,8 +21,8 @@ rec { | |||
toShellPath = shell: | |||
if types.shellPackage.check shell then | |||
"/run/current-system/sw${shell.shellPath}" | |||
else if types.package.check shell then | |||
throw "${shell} is not a shell package" | |||
else if isString shell && types.path.check shell then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need isString
when we have types.path.check
here? Also, the type of the shell option is either shellPackage path
, so we know that both test are correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
path
accepts not only strings, but also derivations. Here we have already filtered derivations with shellPath
defined (shellPackage.check shell == true
), so now we want to handle strings that are also valid paths (start with /
), but not derivations. We'll then throw on them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that I think of it the proper way here might be to refine the type instead so that it accepts only string paths or shellPackage
s.
I've made a new version; we now have a separate type |
I'm working on a third version of this patch and wonder -- why do we need to install shells globally? What is the downside of using direct Nix store paths? |
It comes from |
Ah, then it means that using shells which are not installed in system environment is a bad idea anyway! Then this PR is a bad idea as it is too -- let's close it. I'll document that shells need stable paths somewhere in comments later. |
Motivation for this change
I have a special user account on a server for the sole purpose of playing NetHack. It's forced (via SSH's
ForceCommand
andextraUsers.*.shell
) to run special script (writeScript
) whichexec
s the game, so the only thing one can do after he/she logs in to the account is to play the game. Without this patch you can't use any such custom script as the shell because it detects that it's in Nix store, "reverses" derivation from it and fails to find needed attributes. This makesshellPackage
to require a derivation and fixestoShellPath
so that such paths are accepted.Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)