authoraszlig <aszlig@nix.build>2018-04-03 02:29:28 +0200
committeraszlig <aszlig@nix.build>2018-04-03 02:37:27 +0200
commit8de4298b5c39ef177cdf33975cccd09c9ea2899c (patch)
tree44754332880fd3820f4ca729e3fc14de73740fd4 /lib
parent94e4aa0e8b05532da8b988ba4e7212b93270ae1e (diff)
call-machine: Allow to work in restrict-eval mode
It's a bit unfortunate that I removed the extraConfig attribute from
<vuizvui/machines> back then (49dc58c6f8d72a4e142176f25da52666ef9ae268).

Now we could have used this argument to pass the nixpkgs path from
release.nix back into call-machine.nix, but introducing that extra
argument again would break the configs of all of the systems using
Vuizvui.

So instead, I've added a function exposed by call-machine called
withPkgs, which overrides the whole attribute set returned by
callMachine to use nixpkgs from the given argument.

This allows us to run in restricted evaluation mode as enforced by Hydra
and Nix 2.0 and while we could simply disable restricted eval, it's even
better if we comply with it.

Unfortunately I lied a bit, because we've been running in restricted
eval mode before. This time, however, it seems that some change in Nix
has made this even more restrictive, because now Nix search paths are
not allowed either. Relying on those within a Hydra jobset is
discouraged anyway.

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'lib')
-rw-r--r--lib/call-machine.nix107
1 files changed, 57 insertions, 50 deletions
diff --git a/lib/call-machine.nix b/lib/call-machine.nix
index ba38b40c..8c50ce16 100644
--- a/lib/call-machine.nix
+++ b/lib/call-machine.nix
@@ -1,66 +1,73 @@
 path: cfg:
 
 let
-  nixpkgs = import ../nixpkgs-path.nix;
+  withPkgsPath = nixpkgs: rec {
+    eval = import "${nixpkgs}/nixos/lib/eval-config.nix" {
+      modules = [ path cfg ] ++ import ../modules/module-list.nix;
+    };
 
-  eval = import "${nixpkgs}/nixos/lib/eval-config.nix" {
-    modules = [ path cfg ] ++ import ../modules/module-list.nix;
-  };
+    build = eval.config.system.build.toplevel;
 
-  iso = mkIso "installer/cd-dvd/iso-image.nix" (
-    { lib, ... }: let
-      name = eval.config.networking.hostName;
-      upperName = lib.toUpper name;
-    in rec {
-      isoImage.isoName = "${name}.iso";
-      isoImage.volumeID = builtins.substring 0 11 "${upperName}_LIVE";
-      isoImage.makeEfiBootable = true;
-      isoImage.makeUsbBootable = true;
-      isoImage.appendToMenuLabel = " \"${name}\" Live System";
-    }
-  );
+    iso = mkIso "installer/cd-dvd/iso-image.nix" (
+      { lib, ... }: let
+        name = eval.config.networking.hostName;
+        upperName = lib.toUpper name;
+      in rec {
+        isoImage.isoName = "${name}.iso";
+        isoImage.volumeID = builtins.substring 0 11 "${upperName}_LIVE";
+        isoImage.makeEfiBootable = true;
+        isoImage.makeUsbBootable = true;
+        isoImage.appendToMenuLabel = " \"${name}\" Live System";
+      }
+    );
 
-  installerIso = mkIso "installer/cd-dvd/installation-cd-minimal.nix" {
-    environment.sessionVariables = {
-      NIX_PATH = [ "vuizvui=${../.}" ];
+    installerIso = mkIso "installer/cd-dvd/installation-cd-minimal.nix" {
+      environment.sessionVariables = {
+        NIX_PATH = [ "vuizvui=${../.}" ];
+      };
     };
-  };
 
-  mkIso = isoModule: extraConfig: let
-    wrapIso = { config, pkgs, lib, ... }@attrs: let
-      isoEval = import "${nixpkgs}/nixos/modules/${isoModule}" attrs;
-      isoEvalcfg = isoEval.config or {};
-      bootcfg = isoEvalcfg.boot or {};
-      fscfg = isoEvalcfg.fileSystems or {};
-    in {
-      options = isoEval.options or {};
-      imports = (isoEval.imports or []) ++ [ extraConfig ];
-      config = isoEvalcfg // {
-        boot = bootcfg // lib.optionalAttrs (bootcfg ? loader) {
-          loader = lib.mkForce bootcfg.loader;
-        };
-        fileSystems = lib.mapAttrs (lib.const lib.mkForce) fscfg // {
-          "/boot" = lib.mkForce (fscfg."/boot" or {
-            device = "none";
-            fsType = "none";
-            options = [ "noauto" ];
-          });
+    mkIso = isoModule: extraConfig: let
+      wrapIso = { config, pkgs, lib, ... }@attrs: let
+        isoEval = import "${nixpkgs}/nixos/modules/${isoModule}" attrs;
+        isoEvalcfg = isoEval.config or {};
+        bootcfg = isoEvalcfg.boot or {};
+        fscfg = isoEvalcfg.fileSystems or {};
+      in {
+        options = isoEval.options or {};
+        imports = (isoEval.imports or []) ++ [ extraConfig ];
+        config = isoEvalcfg // {
+          boot = bootcfg // lib.optionalAttrs (bootcfg ? loader) {
+            loader = lib.mkForce bootcfg.loader;
+          };
+          fileSystems = lib.mapAttrs (lib.const lib.mkForce) fscfg // {
+            "/boot" = lib.mkForce (fscfg."/boot" or {
+              device = "none";
+              fsType = "none";
+              options = [ "noauto" ];
+            });
+          };
         };
       };
+    in import "${nixpkgs}/nixos/lib/eval-config.nix" {
+      modules = [ config wrapIso ];
+    };
+
+    config = {
+      imports = [ path cfg ] ++ import ../modules/module-list.nix;
     };
-  in import "${nixpkgs}/nixos/lib/eval-config.nix" {
-    modules = [ config wrapIso ];
-  };
 
-  config = {
-    imports = [ path cfg ] ++ import ../modules/module-list.nix;
+    vm = (import "${nixpkgs}/nixos" {
+      configuration = config;
+    }).vm;
   };
 
-  vm = (import "${nixpkgs}/nixos" {
-    configuration = config;
-  }).vm;
+in rec {
+  inherit (withPkgsPath (import ../nixpkgs-path.nix))
+    build config eval iso installerIso vm;
 
-in {
-  build = eval.config.system.build.toplevel;
-  inherit config eval iso installerIso vm;
+  # This is internal only and for use with restricted evaluation mode in Hydra
+  # to get the path to nixpkgs from the jobset input args instead of
+  # ../nixpkgs-path.nix.
+  inherit withPkgsPath;
 }
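Review bot: The new `withPkgsPath` function (line 48) is exported as part of the public attribute set, but nothing documents what its argument is expected to be, and the commit message calls it `withPkgs` while the code exports `withPkgsPath`; a short comment above its definition would remove that ambiguity, e.g. `# nixpkgs: path or string naming a nixpkgs checkout; every eval-config.nix and nixos import below is resolved relative to it.`. Note that `"${nixpkgs}/..."` interpolation is unchanged from before, but now that the value comes from a caller, it's worth confirming that passing a literal path (rather than a store path string) does not copy the whole checkout into the store on the Hydra side. Style-wise, the `rec` on the final attribute set (line 155) is redundant, since neither `inherit` clause refers to a sibling attribute; `in {` would read more clearly.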