diff options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 80 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/misc/guix/default.nix | 394 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/guix/basic.nix | 38 | ||||
| -rw-r--r-- | nixos/tests/guix/default.nix | 8 | ||||
| -rw-r--r-- | nixos/tests/guix/publish.nix | 95 | ||||
| -rw-r--r-- | nixos/tests/guix/scripts/add-existing-files-to-store.scm | 52 | ||||
| -rw-r--r-- | nixos/tests/guix/scripts/create-file-to-store.scm | 8 |
9 files changed, 637 insertions, 40 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 8491a3d50b826..4992e2b8af45b 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -20,7 +20,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 - [Breaking Changes](#sec-release-23.11-nixos-breaking-changes) - [New Services](#sec-release-23.11-nixos-new-services) - [Other Notable Changes](#sec-release-23.11-nixos-notable-changes) -- [Nixpkgs Library Changes](#sec-release-23.11-nixpkgs-lib) +- [Nixpkgs Library](#sec-release-23.11-nixpkgs-lib) - [Breaking Changes](#sec-release-23.11-lib-breaking) - [Additions and Improvements](#sec-release-23.11-lib-additions-improvements) - [Deprecations](#sec-release-23.11-lib-deprecations) @@ -1296,14 +1296,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 ### Breaking Changes {#sec-release-23.11-lib-breaking} -- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime) +- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime) now always evaluates the initial accumulator argument first. If you depend on the lazier behavior, consider using - [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl) + [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl) or [`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl') instead. -- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.foldlAttrs) +- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs) now always evaluates the initial accumulator argument first. - Now that the internal NixOS transition to Markdown documentation is complete, `lib.options.literalDocBook` has been removed after deprecation in 22.11. @@ -1311,7 +1311,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 ### Additions and Improvements {#sec-release-23.11-lib-additions-improvements} -- [`lib.fileset`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fileset): +- [`lib.fileset`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fileset): A new sub-library to select local files to use for sources, designed to be easy and safe to use. @@ -1320,7 +1320,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 post](https://www.tweag.io/blog/2023-11-28-file-sets/) or [the tutorial](https://nix.dev/tutorials/file-sets). -- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-gvariant): +- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-gvariant): A partial and basic implementation of GVariant formatted strings. See [GVariant Format Strings](https://docs.gtk.org/glib/gvariant-format-strings.html) for details. @@ -1330,58 +1330,58 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 change in backwards incompatible ways without prior notice. ::: -- [`lib.asserts`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-asserts): +- [`lib.asserts`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-asserts): New function: - [`assertEachOneOf`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.asserts.assertEachOneOf). -- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-attrsets): + [`assertEachOneOf`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.asserts.assertEachOneOf). +- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-attrsets): New function: - [`attrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.attrsToList). -- [`lib.customisation`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-customisation): + [`attrsToList`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.attrsToList). +- [`lib.customisation`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-customisation): New function: - [`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.customisation.makeScopeWithSplicing-prime). -- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fixedPoints): + [`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.customisation.makeScopeWithSplicing-prime). +- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fixedPoints): Documentation improvements for - [`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fixedPoints.fix). + [`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.fixedPoints.fix). - `lib.generators`: New functions: - [`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.mkDconfKeyValue), - [`toDconfINI`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.toDconfINI). + [`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.mkDconfKeyValue), + [`toDconfINI`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.toDconfINI). `lib.generators.toKeyValue` now supports the `indent` attribute in its first argument. -- [`lib.lists`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-lists): +- [`lib.lists`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-lists): New functions: - [`findFirstIndex`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.findFirstIndex), - [`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.hasPrefix), - [`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.removePrefix), - [`commonPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.commonPrefix), - [`allUnique`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.allUnique). + [`findFirstIndex`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.findFirstIndex), + [`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.hasPrefix), + [`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.removePrefix), + [`commonPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.commonPrefix), + [`allUnique`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.allUnique). Documentation improvements for - [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime). -- [`lib.meta`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-meta): + [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime). +- [`lib.meta`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-meta): Documentation of functions now gets rendered -- [`lib.path`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-path): +- [`lib.path`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-path): New functions: - [`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.hasPrefix), - [`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.removePrefix), - [`splitRoot`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.splitRoot), - [`subpath.components`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.subpath.components). -- [`lib.strings`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-strings): + [`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.hasPrefix), + [`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.removePrefix), + [`splitRoot`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.splitRoot), + [`subpath.components`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.subpath.components). +- [`lib.strings`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-strings): New functions: - [`replicate`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.replicate), - [`cmakeOptionType`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeOptionType), - [`cmakeBool`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeBool), - [`cmakeFeature`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeFeature). -- [`lib.trivial`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-trivial): + [`replicate`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.replicate), + [`cmakeOptionType`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeOptionType), + [`cmakeBool`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeBool), + [`cmakeFeature`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeFeature). +- [`lib.trivial`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-trivial): New function: - [`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.trivial.mirrorFunctionArgs). + [`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.trivial.mirrorFunctionArgs). - `lib.systems`: New function: - [`equals`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.systems.equals). -- [`lib.options`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-options): + [`equals`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.systems.equals). +- [`lib.options`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-options): Improved documentation for - [`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption). + [`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption). - [`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption). + [`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption). now also supports the `pkgsText` attribute. Module system: diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fe2e0aed24842..0cc80f2906b3e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -677,6 +677,7 @@ ./services/misc/gollum.nix ./services/misc/gpsd.nix ./services/misc/greenclip.nix + ./services/misc/guix ./services/misc/headphones.nix ./services/misc/heisenbridge.nix ./services/misc/homepage-dashboard.nix diff --git a/nixos/modules/services/misc/guix/default.nix b/nixos/modules/services/misc/guix/default.nix new file mode 100644 index 0000000000000..00e84dc745541 --- /dev/null +++ b/nixos/modules/services/misc/guix/default.nix @@ -0,0 +1,394 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.services.guix; + + package = cfg.package.override { inherit (cfg) stateDir storeDir; }; + + guixBuildUser = id: { + name = "guixbuilder${toString id}"; + group = cfg.group; + extraGroups = [ cfg.group ]; + createHome = false; + description = "Guix build user ${toString id}"; + isSystemUser = true; + }; + + guixBuildUsers = numberOfUsers: + builtins.listToAttrs (map + (user: { + name = user.name; + value = user; + }) + (builtins.genList guixBuildUser numberOfUsers)); + + # A set of Guix user profiles to be linked at activation. + guixUserProfiles = { + # The current Guix profile that is created through `guix pull`. + "current-guix" = "\${XDG_CONFIG_HOME}/guix/current"; + + # The default Guix profile similar to $HOME/.nix-profile from Nix. + "guix-profile" = "$HOME/.guix-profile"; + }; + + # All of the Guix profiles to be used. + guixProfiles = lib.attrValues guixUserProfiles; + + serviceEnv = { + GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale"; + LC_ALL = "C.UTF-8"; + }; +in +{ + meta.maintainers = with lib.maintainers; [ foo-dogsquared ]; + + options.services.guix = with lib; { + enable = mkEnableOption "Guix build daemon service"; + + group = mkOption { + type = types.str; + default = "guixbuild"; + example = "guixbuild"; + description = '' + The group of the Guix build user pool. + ''; + }; + + nrBuildUsers = mkOption { + type = types.ints.unsigned; + description = '' + Number of Guix build users to be used in the build pool. + ''; + default = 10; + example = 20; + }; + + extraArgs = mkOption { + type = with types; listOf str; + default = [ ]; + example = [ "--max-jobs=4" "--debug" ]; + description = '' + Extra flags to pass to the Guix daemon service. + ''; + }; + + package = mkPackageOption pkgs "guix" { + extraDescription = '' + It should contain {command}`guix-daemon` and {command}`guix` + executable. + ''; + }; + + storeDir = mkOption { + type = types.path; + default = "/gnu/store"; + description = '' + The store directory where the Guix service will serve to/from. Take + note Guix cannot take advantage of substitutes if you set it something + other than {file}`/gnu/store` since most of the cached builds are + assumed to be in there. + + ::: {.warning} + This will also recompile all packages because the normal cache no + longer applies. + ::: + ''; + }; + + stateDir = mkOption { + type = types.path; + default = "/var"; + description = '' + The state directory where Guix service will store its data such as its + user-specific profiles, cache, and state files. + + ::: {.warning} + Changing it to something other than the default will rebuild the + package. + ::: + ''; + example = "/gnu/var"; + }; + + publish = { + enable = mkEnableOption "substitute server for your Guix store directory"; + + generateKeyPair = mkOption { + type = types.bool; + description = '' + Whether to generate signing keys in {file}`/etc/guix` which are + required to initialize a substitute server. Otherwise, + `--public-key=$FILE` and `--private-key=$FILE` can be passed in + {option}`services.guix.publish.extraArgs`. + ''; + default = true; + example = false; + }; + + port = mkOption { + type = types.port; + default = 8181; + example = 8200; + description = '' + Port of the substitute server to listen on. + ''; + }; + + user = mkOption { + type = types.str; + default = "guix-publish"; + description = '' + Name of the user to change once the server is up. + ''; + }; + + extraArgs = mkOption { + type = with types; listOf str; + description = '' + Extra flags to pass to the substitute server. + ''; + default = []; + example = [ + "--compression=zstd:6" + "--discover=no" + ]; + }; + }; + + gc = { + enable = mkEnableOption "automatic garbage collection service for Guix"; + + extraArgs = mkOption { + type = with types; listOf str; + default = [ ]; + description = '' + List of arguments to be passed to {command}`guix gc`. + + When given no option, it will try to collect all garbage which is + often inconvenient so it is recommended to set [some + options](https://guix.gnu.org/en/manual/en/html_node/Invoking-guix-gc.html). + ''; + example = [ + "--delete-generations=1m" + "--free-space=10G" + "--optimize" + ]; + }; + + dates = lib.mkOption { + type = types.str; + default = "03:15"; + example = "weekly"; + description = '' + How often the garbage collection occurs. This takes the time format + from {manpage}`systemd.time(7)`. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + environment.systemPackages = [ package ]; + + users.users = guixBuildUsers cfg.nrBuildUsers; + users.groups.${cfg.group} = { }; + + # Guix uses Avahi (through guile-avahi) both for the auto-discovering and + # advertising substitute servers in the local network. + services.avahi.enable = lib.mkDefault true; + services.avahi.publish.enable = lib.mkDefault true; + services.avahi.publish.userServices = lib.mkDefault true; + + # It's similar to Nix daemon so there's no question whether or not this + # should be sandboxed. + systemd.services.guix-daemon = { + environment = serviceEnv; + script = '' + ${lib.getExe' package "guix-daemon"} \ + --build-users-group=${cfg.group} \ + ${lib.escapeShellArgs cfg.extraArgs} + ''; + serviceConfig = { + OOMPolicy = "continue"; + RemainAfterExit = "yes"; + Restart = "always"; + TasksMax = 8192; + }; + unitConfig.RequiresMountsFor = [ + cfg.storeDir + cfg.stateDir + ]; + wantedBy = [ "multi-user.target" ]; + }; + + # This is based from Nix daemon socket unit from upstream Nix package. + # Guix build daemon has support for systemd-style socket activation. + systemd.sockets.guix-daemon = { + description = "Guix daemon socket"; + before = [ "multi-user.target" ]; + listenStreams = [ "${cfg.stateDir}/guix/daemon-socket/socket" ]; + unitConfig = { + RequiresMountsFor = [ + cfg.storeDir + cfg.stateDir + ]; + ConditionPathIsReadWrite = "${cfg.stateDir}/guix/daemon-socket"; + }; + wantedBy = [ "socket.target" ]; + }; + + systemd.mounts = [{ + description = "Guix read-only store directory"; + before = [ "guix-daemon.service" ]; + what = cfg.storeDir; + where = cfg.storeDir; + type = "none"; + options = "bind,ro"; + + unitConfig.DefaultDependencies = false; + wantedBy = [ "guix-daemon.service" ]; + }]; + + # Make transferring files from one store to another easier with the usual + # case being of most substitutes from the official Guix CI instance. + system.activationScripts.guix-authorize-keys = '' + for official_server_keys in ${package}/share/guix/*.pub; do + ${lib.getExe' package "guix"} archive --authorize < $official_server_keys + done + ''; + + # Link the usual Guix profiles to the home directory. This is useful in + # ephemeral setups where only certain part of the filesystem is + # persistent (e.g., "Erase my darlings"-type of setup). + system.userActivationScripts.guix-activate-user-profiles.text = let + linkProfileToPath = acc: profile: location: let + guixProfile = "${cfg.stateDir}/guix/profiles/per-user/\${USER}/${profile}"; + in acc + '' + [ -d "${guixProfile}" ] && ln -sf "${guixProfile}" "${location}" + ''; + + activationScript = lib.foldlAttrs linkProfileToPath "" guixUserProfiles; + in '' + # Don't export this please! It is only expected to be used for this + # activation script and nothing else. + XDG_CONFIG_HOME=''${XDG_CONFIG_HOME:-$HOME/.config} + + # Linking the usual Guix profiles into the home directory. + ${activationScript} + ''; + + # GUIX_LOCPATH is basically LOCPATH but for Guix libc which in turn used by + # virtually every Guix-built packages. This is so that Guix-installed + # applications wouldn't use incompatible locale data and not touch its host + # system. + environment.sessionVariables.GUIX_LOCPATH = lib.makeSearchPath "lib/locale" guixProfiles; + + # What Guix profiles export is very similar to Nix profiles so it is + # acceptable to list it here. Also, it is more likely that the user would + # want to use packages explicitly installed from Guix so we're putting it + # first. + environment.profiles = lib.mkBefore guixProfiles; + } + + (lib.mkIf cfg.publish.enable { + systemd.services.guix-publish = { + description = "Guix remote store"; + environment = serviceEnv; + + # Mounts will be required by the daemon service anyways so there's no + # need add RequiresMountsFor= or something similar. + requires = [ "guix-daemon.service" ]; + after = [ "guix-daemon.service" ]; + partOf = [ "guix-daemon.service" ]; + + preStart = lib.mkIf cfg.publish.generateKeyPair '' + # Generate the keypair if it's missing. + [ -f "/etc/guix/signing-key.sec" ] && [ -f "/etc/guix/signing-key.pub" ] || \ + ${lib.getExe' package "guix"} archive --generate-key || { + rm /etc/guix/signing-key.*; + ${lib.getExe' package "guix"} archive --generate-key; + } + ''; + script = '' + ${lib.getExe' package "guix"} publish \ + --user=${cfg.publish.user} --port=${builtins.toString cfg.publish.port} \ + ${lib.escapeShellArgs cfg.publish.extraArgs} + ''; + + serviceConfig = { + Restart = "always"; + RestartSec = 10; + + ProtectClock = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + SystemCallFilter = [ + "@system-service" + "@debug" + "@setuid" + ]; + + RestrictNamespaces = true; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + + # While the permissions can be set, it is assumed to be taken by Guix + # daemon service which it has already done the setup. + ConfigurationDirectory = "guix"; + + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_SETUID" + "CAP_SETGID" + ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + users.users.guix-publish = lib.mkIf (cfg.publish.user == "guix-publish") { + description = "Guix publish user"; + group = config.users.groups.guix-publish.name; + isSystemUser = true; + }; + users.groups.guix-publish = {}; + }) + + (lib.mkIf cfg.gc.enable { + # This service should be handled by root to collect all garbage by all + # users. + systemd.services.guix-gc = { + description = "Guix garbage collection"; + startAt = cfg.gc.dates; + script = '' + ${lib.getExe' package "guix"} gc ${lib.escapeShellArgs cfg.gc.extraArgs} + ''; + + serviceConfig = { + Type = "oneshot"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateNetworks = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelTunables = true; + SystemCallFilter = [ + "@default" + "@file-system" + "@basic-io" + "@system-service" + ]; + }; + }; + + systemd.timers.guix-gc.timerConfig.Persistent = true; + }) + ]); +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 44e99203856d5..69c3ad9fe0cc5 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -354,6 +354,7 @@ in { grow-partition = runTest ./grow-partition.nix; grub = handleTest ./grub.nix {}; guacamole-server = handleTest ./guacamole-server.nix {}; + guix = handleTest ./guix {}; gvisor = handleTest ./gvisor.nix {}; hadoop = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop; }; hadoop_3_2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop_3_2; }; diff --git a/nixos/tests/guix/basic.nix b/nixos/tests/guix/basic.nix new file mode 100644 index 0000000000000..7f90bdeeb1e0f --- /dev/null +++ b/nixos/tests/guix/basic.nix @@ -0,0 +1,38 @@ +# Take note the Guix store directory is empty. Also, we're trying to prevent +# Guix from trying to downloading substitutes because of the restricted +# access (assuming it's in a sandboxed environment). +# +# So this test is what it is: a basic test while trying to use Guix as much as +# we possibly can (including the API) without triggering its download alarm. + +import ../make-test-python.nix ({ lib, pkgs, ... }: { + name = "guix-basic"; + meta.maintainers = with lib.maintainers; [ foo-dogsquared ]; + + nodes.machine = { config, ... }: { + environment.etc."guix/scripts".source = ./scripts; + services.guix.enable = true; + }; + + testScript = '' + import pathlib + + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("guix-daemon.service") + + # Can't do much here since the environment has restricted network access. + with subtest("Guix basic package management"): + machine.succeed("guix build --dry-run --verbosity=0 hello") + machine.succeed("guix show hello") + + # This is to see if the Guix API is usable and mostly working. + with subtest("Guix API scripting"): + scripts_dir = pathlib.Path("/etc/guix/scripts") + + text_msg = "Hello there, NixOS!" + text_store_file = machine.succeed(f"guix repl -- {scripts_dir}/create-file-to-store.scm '{text_msg}'") + assert machine.succeed(f"cat {text_store_file}") == text_msg + + machine.succeed(f"guix repl -- {scripts_dir}/add-existing-files-to-store.scm {scripts_dir}") + ''; +}) diff --git a/nixos/tests/guix/default.nix b/nixos/tests/guix/default.nix new file mode 100644 index 0000000000000..a017668c05a75 --- /dev/null +++ b/nixos/tests/guix/default.nix @@ -0,0 +1,8 @@ +{ system ? builtins.currentSystem +, pkgs ? import ../../.. { inherit system; } +}: + +{ + basic = import ./basic.nix { inherit system pkgs; }; + publish = import ./publish.nix { inherit system pkgs; }; +} diff --git a/nixos/tests/guix/publish.nix b/nixos/tests/guix/publish.nix new file mode 100644 index 0000000000000..6dbe8f99ebd68 --- /dev/null +++ b/nixos/tests/guix/publish.nix @@ -0,0 +1,95 @@ +# Testing out the substitute server with two machines in a local network. As a +# bonus, we'll also test a feature of the substitute server being able to +# advertise its service to the local network with Avahi. + +import ../make-test-python.nix ({ pkgs, lib, ... }: let + publishPort = 8181; + inherit (builtins) toString; +in { + name = "guix-publish"; + + meta.maintainers = with lib.maintainers; [ foo-dogsquared ]; + + nodes = let + commonConfig = { config, ... }: { + # We'll be using '--advertise' flag with the + # substitute server which requires Avahi. + services.avahi = { + enable = true; + nssmdns = true; + publish = { + enable = true; + userServices = true; + }; + }; + }; + in { + server = { config, lib, pkgs, ... }: { + imports = [ commonConfig ]; + + services.guix = { + enable = true; + publish = { + enable = true; + port = publishPort; + + generateKeyPair = true; + extraArgs = [ "--advertise" ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ publishPort ]; + }; + + client = { config, lib, pkgs, ... }: { + imports = [ commonConfig ]; + + services.guix = { + enable = true; + + extraArgs = [ + # Force to only get all substitutes from the local server. We don't + # have anything in the Guix store directory and we cannot get + # anything from the official substitute servers anyways. + "--substitute-urls='http://server.local:${toString publishPort}'" + + # Enable autodiscovery of the substitute servers in the local + # network. This machine shouldn't need to import the signing key from + # the substitute server since it is automatically done anyways. + "--discover=yes" + ]; + }; + }; + }; + + testScript = '' + import pathlib + + start_all() + + scripts_dir = pathlib.Path("/etc/guix/scripts") + + for machine in machines: + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("guix-daemon.service") + machine.wait_for_unit("avahi-daemon.service") + + server.wait_for_unit("guix-publish.service") + server.wait_for_open_port(${toString publishPort}) + server.succeed("curl http://localhost:${toString publishPort}/") + + # Now it's the client turn to make use of it. + substitute_server = "http://server.local:${toString publishPort}" + client.wait_for_unit("network-online.target") + response = client.succeed(f"curl {substitute_server}") + assert "Guix Substitute Server" in response + + # Authorizing the server to be used as a substitute server. + client.succeed(f"curl -O {substitute_server}/signing-key.pub") + client.succeed("guix archive --authorize < ./signing-key.pub") + + # Since we're using the substitute server with the `--advertise` flag, we + # might as well check it. + client.succeed("avahi-browse --resolve --terminate _guix_publish._tcp | grep '_guix_publish._tcp'") + ''; +}) diff --git a/nixos/tests/guix/scripts/add-existing-files-to-store.scm b/nixos/tests/guix/scripts/add-existing-files-to-store.scm new file mode 100644 index 0000000000000..fa47320b6a511 --- /dev/null +++ b/nixos/tests/guix/scripts/add-existing-files-to-store.scm @@ -0,0 +1,52 @@ +;; A simple script that adds each file given from the command-line into the +;; store and checks them if it's the same. +(use-modules (guix) + (srfi srfi-1) + (ice-9 ftw) + (rnrs io ports)) + +;; This is based from tests/derivations.scm from Guix source code. +(define* (directory-contents dir #:optional (slurp get-bytevector-all)) + "Return an alist representing the contents of DIR" + (define prefix-len (string-length dir)) + (sort (file-system-fold (const #t) + (lambda (path stat result) + (alist-cons (string-drop path prefix-len) + (call-with-input-file path slurp) + result)) + (lambda (path stat result) result) + (lambda (path stat result) result) + (lambda (path stat result) result) + (lambda (path stat errno result) result) + '() + dir) + (lambda (e1 e2) + (string<? (car e1) (car e2))))) + +(define* (check-if-same store drv path) + "Check if the given path and its store item are the same" + (let* ((filetype (stat:type (stat drv)))) + (case filetype + ((regular) + (and (valid-path? store drv) + (equal? (call-with-input-file path get-bytevector-all) + (call-with-input-file drv get-bytevector-all)))) + ((directory) + (and (valid-path? store drv) + (equal? (directory-contents path) + (directory-contents drv)))) + (else #f)))) + +(define* (add-and-check-item-to-store store path) + "Add PATH to STORE and check if the contents are the same" + (let* ((store-item (add-to-store store + (basename path) + #t "sha256" path)) + (is-same (check-if-same store store-item path))) + (if (not is-same) + (exit 1)))) + +(with-store store + (map (lambda (path) + (add-and-check-item-to-store store (readlink* path))) + (cdr (command-line)))) diff --git a/nixos/tests/guix/scripts/create-file-to-store.scm b/nixos/tests/guix/scripts/create-file-to-store.scm new file mode 100644 index 0000000000000..467e4c4fd53f2 --- /dev/null +++ b/nixos/tests/guix/scripts/create-file-to-store.scm @@ -0,0 +1,8 @@ +;; A script that creates a store item with the given text and prints the +;; resulting store item path. +(use-modules (guix)) + +(with-store store + (display (add-text-to-store store "guix-basic-test-text" + (string-join + (cdr (command-line)))))) |