diff --git a/Makefile.am b/Makefile.am
index f50cdf19b..c97d0e266 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
 SUBDIRS = src perl scripts corepkgs doc misc tests
 EXTRA_DIST = substitute.mk nix.spec nix.spec.in bootstrap.sh \
-  nix.conf.example NEWS version misc/systemd/nix-worker.service
+  NEWS version misc/systemd/nix-worker.service
 pkginclude_HEADERS = config.h
@@ -10,10 +10,6 @@ nix.spec: nix.spec.in
 install-data-local: init-state
 	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/nix
-	$(INSTALL_DATA) $(srcdir)/nix.conf.example $(DESTDIR)$(sysconfdir)/nix
-	if ! test -e $(DESTDIR)$(sysconfdir)/nix/nix.conf; then \
-	  $(INSTALL_DATA) $(srcdir)/nix.conf.example $(DESTDIR)$(sysconfdir)/nix/nix.conf; \
-	fi
 	$(INSTALL) -d $(DESTDIR)$(docdir)
 	$(INSTALL_DATA) README $(DESTDIR)$(docdir)/
diff --git a/corepkgs/Makefile.am b/corepkgs/Makefile.am
index a8de60165..729d15e7b 100644
--- a/corepkgs/Makefile.am
+++ b/corepkgs/Makefile.am
@@ -1,6 +1,6 @@
 all-local: config.nix
-files = nar.nix buildenv.nix buildenv.pl unpack-channel.nix unpack-channel.sh derivation.nix
+files = nar.nix buildenv.nix buildenv.pl unpack-channel.nix unpack-channel.sh derivation.nix fetchurl.nix
 install-exec-local:
 	$(INSTALL) -d $(DESTDIR)$(datadir)/nix/corepkgs
diff --git a/corepkgs/config.nix.in b/corepkgs/config.nix.in
index 1be4bd090..26e821d0e 100644
--- a/corepkgs/config.nix.in
+++ b/corepkgs/config.nix.in
@@ -10,5 +10,6 @@ in {
   xz = "@xz@";
   tar = "@tar@";
   tr = "@tr@";
+  curl = "@curl@";
   nixBinDir = fromEnv "NIX_BIN_DIR" "@bindir@";
 }
diff --git a/corepkgs/fetchurl.nix b/corepkgs/fetchurl.nix
new file mode 100644
index 000000000..4a0ae8279
--- /dev/null
+++ b/corepkgs/fetchurl.nix
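Review bot: `curl = "@curl@";` depends on configure substituting `@curl@`, and this diff carries no configure.ac change that would provide it; unless that substitution already exists, the generated config.nix will contain the literal string `@curl@` and every fetchurl build will fail at build time rather than at configure time. Worth confirming the corresponding `AC_PATH_PROG`/`AC_SUBST` is present, and adding a short comment on the new line naming where the value comes from, e.g. `curl = "@curl@"; # absolute path found by configure; used by fetchurl.nix`.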
@@ -0,0 +1,36 @@
+with import ;
+
+{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? ""}:
+
+assert (outputHash != "" && outputHashAlgo != "")
+  || md5 != "" || sha1 != "" || sha256 != "";
+
+let
+
+  builder = builtins.toFile "fetchurl.sh"
+    ''
+      echo "downloading $url into $out"
+      ${curl} --fail --location --max-redirs 20 --insecure "$url" > "$out"
+    '';
+
+in
+
+derivation {
+  name = baseNameOf (toString url);
+  builder = shell;
+  args = [ "-e" builder ];
+
+  # New-style output content requirements.
+  outputHashAlgo = if outputHashAlgo != "" then outputHashAlgo else
+    if sha256 != "" then "sha256" else if sha1 != "" then "sha1" else "md5";
+  outputHash = if outputHash != "" then outputHash else
+    if sha256 != "" then sha256 else if sha1 != "" then sha1 else md5;
+
+  inherit system url;
+
+  # No need to double the amount of network traffic
+  preferLocalBuild = true;
+
+  # Don't build in a chroot because Nix's dependencies may not be there.
+  __noChroot = true;
+}
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 33cb27e05..42da3c8b0 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -21,6 +21,8 @@ man1_MANS = nix-env.1 nix-build.1 nix-store.1 nix-instantiate.1 \
   nix-prefetch-url.1 nix-channel.1 \
   nix-install-package.1 nix-hash.1 nix-copy-closure.1
+man5_MANS = nix.conf.5
+
 man8_MANS = nix-worker.8
 FIGURES = figures/user-environments.png
diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index e2890b103..00016b97b 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -1,27 +1,36 @@
-
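Review bot: The builder line `${curl} --fail --location --max-redirs 20 --insecure "$url" > "$out"` turns off TLS certificate verification for every fetch, so a tampered response is caught only by the fixed-output hash check, and the assert above still accepts `md5` or `sha1` alone as that check. If the flag is deliberate (for example because the build environment has no CA bundle available to curl), document it next to the line, e.g. `# --insecure: no CA bundle is available to the builder; integrity rests entirely on outputHash`, and otherwise drop it so that transport authentication is not given up for nothing. Separately, `name = baseNameOf (toString url)` is empty for a URL that ends in `/` and keeps any query part, which will make `derivation` reject the name; validating it or accepting an optional `name` argument avoids a confusing failure. The `import` target on the first line appears stripped in this rendering and cannot be checked here.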
+ -Nix configuration file + + nix.conf + 5 + Nix + + + + nix.conf + Nix configuration file + + +Description A number of persistent settings of Nix are stored in the file sysconfdir/nix/nix.conf. This file is a list of name = value pairs, one per line. -Comments start with a # character. An example -configuration file is shown in . - -Nix configuration file +Comments start with a # character. Here is an example +configuration file: gc-keep-outputs = true # Nice for developers gc-keep-derivations = true # Idem env-keep-derivations = false - -The following variables are currently available: +The following settings are currently available: @@ -343,5 +352,6 @@ build-use-chroot = /dev /proc /bin + -
+ diff --git a/doc/manual/manual.xml b/doc/manual/manual.xml index 95fbe7d90..ccff9423c 100644 --- a/doc/manual/manual.xml +++ b/doc/manual/manual.xml @@ -40,7 +40,6 @@ Command Reference -
Main commands @@ -63,6 +62,11 @@
+
+ Files + +
+
diff --git a/nix.conf.example b/nix.conf.example
deleted file mode 100644
index 3c55b570e..000000000
--- a/nix.conf.example
+++ /dev/null
@@ -1,181 +0,0 @@
-### Option `gc-keep-outputs'
-#
-# If `true', the garbage collector will keep the outputs of
-# non-garbage derivations. If `false' (default), outputs will be
-# deleted unless they are GC roots themselves (or reachable from other
-# roots).
-#
-# In general, outputs must be registered as roots separately.
-# However, even if the output of a derivation is registered as a root,
-# the collector will still delete store paths that are used only at
-# build time (e.g., the C compiler, or source tarballs downloaded from
-# the network). To prevent it from doing so, set this option to
-# `true'.
-#gc-keep-outputs = false
-
-
-### Option `gc-keep-derivations'
-#
-# If `true' (default), the garbage collector will keep the derivations
-# from which non-garbage store paths were built. If `false', they
-# will be deleted unless explicitly registered as a root (or reachable
-# from other roots).
-#
-# Keeping derivation around is useful for querying and traceability
-# (e.g., it allows you to ask with what dependencies or options a
-# store path was built), so by default this option is on. Turn it off
-# to safe a bit of disk space (or a lot if `gc-keep-outputs' is also
-# turned on).
-#gc-keep-derivations = true
-
-
-### Option `env-keep-derivations'
-#
-# If `false' (default), derivations are not stored in Nix user
-# environments. That is, the derivation any build-time-only
-# dependencies may be garbage-collected.
-#
-# If `true', when you add a Nix derivation to a user environment, the
-# path of the derivation is stored in the user environment. Thus, the
-# derivation will not be garbage-collected until the user environment
-# generation is deleted (`nix-env --delete-generations'). To prevent
-# build-time-only dependencies from being collected, you should also
-# turn on `gc-keep-outputs'.
-#
-# The difference between this option and `gc-keep-derivations' is that
-# this one is `sticky': it applies to any user environment created
-# while this option was enabled, while `gc-keep-derivations' only
-# applies at the moment the garbage collector is run.
-#env-keep-derivations = false
-
-
-### Option `build-max-jobs'
-#
-# This option defines the maximum number of jobs that Nix will try to
-# build in parallel. The default is 1. You should generally set it
-# to the number of CPUs in your system (e.g., 2 on a Athlon 64 X2).
-# It can be overriden using the `--max-jobs' / `-j' command line
-# switch.
-#build-max-jobs = 1
-
-
-### Option `build-cores'
-#
-# This option defines the number of CPU cores to utilize in parallel
-# within a build job, i.e. by passing an appropriate `-jN' flag to GNU
-# Make. The default is 1, meaning that parallel building within jobs
-# is disabled. Passing the special value `0' causes Nix to try and
-# auto-detect the number of available cores on the local host. This
-# setting can be overridden using the `--cores' command line switch.
-#build-cores = 1
-
-
-### Option `build-max-silent-time'
-#
-# This option defines the maximum number of seconds that a builder can
-# go without producing any data on standard output or standard error.
-# This is useful (for instance in a automated build system) to catch
-# builds that are stuck in an infinite loop, or to catch remote builds
-# that are hanging due to network problems. It can be overriden using
-# the `--max-silent-time' command line switch.
-#
-# The value 0 means that there is no timeout. This is also the
-# default.
-#
-# Example:
-# build-max-silent-time = 600 # = 10 minutes
-#build-max-silent-time = 0
-
-
-### Option `build-users-group'
-#
-# This options specifies the Unix group containing the Nix build user
-# accounts. In multi-user Nix installations, builds should not
-# be performed by the Nix account since that would allow users to
-# arbitrarily modify the Nix store and database by supplying specially
-# crafted builders; and they cannot be performed by the calling user
-# since that would allow him/her to influence the build result.
-#
-# Therefore, if this option is non-empty and specifies a valid group,
-# builds will be performed under the user accounts that are a member
-# of the group specified here (as listed in /etc/group). Those user
-# accounts should not be used for any other purpose!
-#
-# Nix will never run two builds under the same user account at the
-# same time. This is to prevent an obvious security hole: a malicious
-# user writing a Nix expression that modifies the build result of a
-# legitimate Nix expression being built by another user. Therefore it
-# is good to have as many Nix build user accounts as you can spare.
-# (Remember: uids are cheap.)
-#
-# The build users should have permission to create files in the Nix
-# store, but not delete them. Therefore, /nix/store should be owned
-# by the Nix account, its group should be the group specified here,
-# and its mode should be 1775.
-#
-# If the build users group is empty, builds will be performed under
-# the uid of the Nix process (that is, the uid of the caller if
-# $NIX_REMOTE is empty, the uid under which the Nix daemon runs if
-# $NIX_REMOTE is `daemon', or the uid that owns the setuid nix-worker
-# program if $NIX_REMOTE is `slave'). Obviously, this should not be
-# used in multi-user settings with untrusted users.
-#
-# The default is empty.
-#
-# Example:
-# build-users-group = nix-builders
-#build-users-group =
-
-
-### Option `build-use-chroot'
-#
-# If set to `true', builds will be performed in a chroot environment,
-# i.e., the build will be isolated from the normal file system
-# hierarchy and will only see the Nix store, the temporary build
-# directory, and the directories configured with the
-# `build-chroot-dirs' option (such as /proc and /dev). This is useful
-# to prevent undeclared dependencies on files in directories such as
-# /usr/bin.
-#
-# The use of a chroot requires that Nix is run as root (but you can
-# still use the "build users" feature to perform builds under
-# different users than root). Currently, chroot builds only work on
-# Linux because Nix uses "bind mounts" to make the Nix store and other
-# directories available inside the chroot.
-#
-# The default is `false'.
-#
-# Example:
-# build-use-chroot = true
-#build-use-chroot = false
-
-
-### Option `build-chroot-dirs'
-#
-# When builds are performed in a chroot environment, Nix will mount
-# (using `mount --bind' on Linux) some directories from the normal
-# file system hierarchy inside the chroot. These are the Nix store,
-# the temporary build directory (usually /tmp/nix--) and
-# the directories listed here. The default is "/dev /dev/pts /proc".
-# Files in /dev (such as /dev/null) are needed by many builds, and
-# some files in /proc may also be needed occasionally.
-#
-# Example:
-# build-use-chroot = /dev /proc /bin
-#build-chroot-dirs = /dev /dev/pts /proc
-
-
-### Option `build-cache-failure'
-#
-# If this option is enabled, Nix will do negative caching; that is, it
-# will remember failed builds, and won't attempt to try to build them
-# again if you ask for it. Negative caching is disabled by default
-# because Nix cannot distinguish between permanent build errors (e.g.,
-# a syntax error in a source file) and transient build errors (e.g., a
-# full disk), as they both cause the builder to return a non-zero exit
-# code. You can clear the cache by doing `rm -f
-# /nix/var/nix/db/failed/*'.
-#
-# Example:
-# build-cache-failure = true
-#build-cache-failure = false
diff --git a/nix.spec.in b/nix.spec.in
index 44ea8d7c9..8b1ea8a54 100644
--- a/nix.spec.in
+++ b/nix.spec.in
@@ -121,10 +121,7 @@ ln -sf %{_libdir}/nix/libNixStore.so.0 Store.so
 popd
 # Specify build users group
-sed -i "s|#build-users-group =$|build-users-group = %{nixbld_group}|" \
-  $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf
-# ... and delete the example configuration
-rm $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf.example
+echo "build-users-group = %{nixbld_group}" > $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf
 # make per-user directories
 for d in profiles gcroots;
@@ -192,8 +189,9 @@ systemctl start nix-worker.service
 %endif
 %{_datadir}/emacs/site-lisp/nix-mode.el
 %{_datadir}/nix
-%{_mandir}/man1/nix-*.1*
-%{_mandir}/man8/nix-*.8*
+%{_mandir}/man1/*.1*
+%{_mandir}/man5/*.5*
+%{_mandir}/man8/*.8*
 %config(noreplace) %{_sysconfdir}/profile.d/nix.sh
 /nix
 %dir %{_sysconfdir}/nix
diff --git a/tests/Makefile.am b/tests/Makefile.am
index f44caa4b3..517c382b1 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -9,7 +9,7 @@ TESTS = init.sh hash.sh lang.sh add.sh simple.sh dependencies.sh \
   gc-runtime.sh install-package.sh check-refs.sh filter-source.sh \
   remote-store.sh export.sh export-graph.sh negative-caching.sh \
   binary-patching.sh timeout.sh secure-drv-outputs.sh nix-channel.sh \
-  multiple-outputs.sh import-derivation.sh
+  multiple-outputs.sh import-derivation.sh fetchurl.sh
 XFAIL_TESTS =
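Review bot: `echo "build-users-group = %{nixbld_group}" > $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf` now writes the only configuration the package ships, so the `%files` section needs `%config(noreplace) %{_sysconfdir}/nix/nix.conf`, otherwise a package upgrade overwrites an administrator's edits, including a changed build users group; the `%files` hunk below shows that marker only for profile.d/nix.sh, and whether nix.conf is listed there is outside this diff. The redirection target should also be quoted, `> "$RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf"`, so a build root path with unusual characters cannot split the command. Since the generated file no longer carries the commented-out documentation of the other options, a comment line such as `# Other settings are documented in nix.conf(5)` written into the same file would keep them discoverable.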
@@ -38,6 +38,7 @@ EXTRA_DIST = $(TESTS) \
   secure-drv-outputs.nix \
   multiple-outputs.nix \
   import-derivation.nix \
+  fetchurl.nix \
   $(wildcard lang/*.nix) $(wildcard lang/*.exp) $(wildcard lang/*.exp.xml) $(wildcard lang/*.flags) $(wildcard lang/dir*/*.nix) \
   common.sh.in
diff --git a/tests/fetchurl.nix b/tests/fetchurl.nix
new file mode 100644
index 000000000..2abcc039a
--- /dev/null
+++ b/tests/fetchurl.nix
@@ -0,0 +1,6 @@
+{ filename, sha256 }:
+
+import {
+  url = "file://$(unknown)";
+  inherit sha256;
+}
diff --git a/tests/fetchurl.sh b/tests/fetchurl.sh
new file mode 100644
index 000000000..bb6180ca3
--- /dev/null
+++ b/tests/fetchurl.sh
@@ -0,0 +1,9 @@
+source common.sh
+
+clearStore
+
+hash=$(nix-hash --flat --type sha256 ./fetchurl.nix)
+
+outPath=$(nix-build ./fetchurl.nix --argstr filename $(pwd)/fetchurl.nix --argstr sha256 $hash)
+
+cmp $outPath fetchurl.nix
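Review bot: As rendered, `url = "file://$(unknown)";` never references the `filename` argument the function declares, so the `--argstr filename` passed by tests/fetchurl.sh would be unused and the URL would not point at a file; if the interpolation was lost in this page's rendering, disregard, otherwise the line should read `url = "file://${filename}";`. The `import` target is also stripped here, so a one-line header comment such as `# Fetch a local file through the corepkgs fetchurl so the test needs no network access` would make the intent clear to a reader of the file on its own.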
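Review bot: The test covers only the success path: `cmp $outPath fetchurl.nix` shows that a correct hash yields the file, but nothing checks that a wrong `sha256` makes `nix-build` fail, and that hash check is the sole integrity guarantee fetchurl offers since its builder passes `--insecure` to curl. Add a negative case after the `cmp`, e.g. `if nix-build ./fetchurl.nix --argstr filename "$(pwd)/fetchurl.nix" --argstr sha256 <WRONG_SHA256_PLACEHOLDER> 2>/dev/null; then exit 1; fi`, using a constructed hex string of the right length, so a regression that skips hash verification is caught by the suite. The unquoted `$outPath` and `$(pwd)` also break when the test directory path contains whitespace; `"$outPath"` and `"$(pwd)/fetchurl.nix"` are safer.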