call-machine: Allow to work in restrict-eval mode

It's a bit unfortunate that I removed the extraConfig attribute from
<vuizvui/machines> back then (49dc58c6f8d72a4e142176f25da52666ef9ae268).

Now we could have used this argument to pass the nixpkgs path from
release.nix back into call-machine.nix, but introducing that extra
argument again would break the configs of all of the systems using
Vuizvui.

So instead, I've added a function exposed by call-machine called
withPkgs, which overrides the whole attribute set returned by
callMachine to use nixpkgs from the given argument.

This allows us to run in restricted evaluation mode as enforced by Hydra
and Nix 2.0 and while we could simply disable restricted eval, it's even
better if we comply with it.

Unfortunately I lied a bit, because we've been running in restricted
eval mode before. This time however it seems that some change in Nix has
caused this to be even more restrictive because now Nix search paths are
not allowed as well. Relying on those within a Hydra jobset however is
discouraged anyway.

Signed-off-by: aszlig <aszlig@nix.build>

1 files changed, 4 insertions, 1 deletions

diff --git a/release.nix b/release.nix
index 2b74f2e5..46e1edf2 100644
--- a/release.nix
+++ b/release.nix
@@ -38,7 +38,10 @@ let
   root = import vuizvui { inherit system; };
 
   mpath = if vuizvuiSrc == null then ./machines else "${vuizvui}/machines";
-  allMachines = import mpath;
+
+  allMachines = with pkgsUpstream.lib; let
+    wrapPkgs = machine: machine.withPkgsPath nixpkgs;
+  in mapAttrsRecursiveCond (m: !(m ? eval)) (const wrapPkgs) (import mpath);
 
   allTests = with import ./lib; getVuizvuiTests ({
     inherit system nixpkgs;