From 8de4298b5c39ef177cdf33975cccd09c9ea2899c Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 3 Apr 2018 02:29:28 +0200
Subject: call-machine: Allow to work in restrict-eval mode
It's a bit unfortunate that I removed the extraConfig attribute from back then (49dc58c6f8d72a4e142176f25da52666ef9ae268). Now we could have used this argument to pass the nixpkgs path from release.nix back into call-machine.nix, but introducing that extra argument again would break the configs of all of the systems using Vuizvui. So instead, I've added a function exposed by call-machine called withPkgs, which overrides the whole attribute set returned by callMachine to use nixpkgs from the given argument. This allows us to run in restricted evaluation mode as enforced by Hydra and Nix 2.0 and while we could simply disable restricted eval, it's even better if we comply with it. Unfortunately I lied a bit, because we've been running in restricted eval mode before. This time however it seems that some change in Nix has caused this to be even more restrictive because now Nix search paths are not allowed as well. Relying on those within a Hydra jobset however is discouraged anyway.
Signed-off-by: aszlig
---
 lib/call-machine.nix | 107 +++++++++++++++++++++++++++------------------------
 1 file changed, 57 insertions(+), 50 deletions(-)
(limited to 'lib')
diff --git a/lib/call-machine.nix b/lib/call-machine.nix
index ba38b40c..8c50ce16 100644
--- a/lib/call-machine.nix
+++ b/lib/call-machine.nix
@@ -1,66 +1,73 @@
 path: cfg:
 let
- nixpkgs = import ../nixpkgs-path.nix;
+ withPkgsPath = nixpkgs: rec {
+ eval = import "${nixpkgs}/nixos/lib/eval-config.nix" {
+ modules = [ path cfg ] ++ import ../modules/module-list.nix;
+ };
- eval = import "${nixpkgs}/nixos/lib/eval-config.nix" {
- modules = [ path cfg ] ++ import ../modules/module-list.nix;
- };
+ build = eval.config.system.build.toplevel;
- iso = mkIso "installer/cd-dvd/iso-image.nix" (
- { lib, ... }: let
- name = eval.config.networking.hostName;
- upperName = lib.toUpper name;
- in rec {
- isoImage.isoName = "${name}.iso";
- isoImage.volumeID = builtins.substring 0 11 "${upperName}_LIVE";
- isoImage.makeEfiBootable = true;
- isoImage.makeUsbBootable = true;
- isoImage.appendToMenuLabel = " \"${name}\" Live System";
- }
- );
+ iso = mkIso "installer/cd-dvd/iso-image.nix" (
+ { lib, ... }: let
+ name = eval.config.networking.hostName;
+ upperName = lib.toUpper name;
+ in rec {
+ isoImage.isoName = "${name}.iso";
+ isoImage.volumeID = builtins.substring 0 11 "${upperName}_LIVE";
+ isoImage.makeEfiBootable = true;
+ isoImage.makeUsbBootable = true;
+ isoImage.appendToMenuLabel = " \"${name}\" Live System";
+ }
+ );
- installerIso = mkIso "installer/cd-dvd/installation-cd-minimal.nix" {
- environment.sessionVariables = {
- NIX_PATH = [ "vuizvui=${../.}" ];
+ installerIso = mkIso "installer/cd-dvd/installation-cd-minimal.nix" {
+ environment.sessionVariables = {
+ NIX_PATH = [ "vuizvui=${../.}" ];
+ };
 };
- };
- mkIso = isoModule: extraConfig: let
- wrapIso = { config, pkgs, lib, ... }@attrs: let
- isoEval = import "${nixpkgs}/nixos/modules/${isoModule}" attrs;
- isoEvalcfg = isoEval.config or {};
- bootcfg = isoEvalcfg.boot or {};
- fscfg = isoEvalcfg.fileSystems or {};
- in {
- options = isoEval.options or {};
- imports = (isoEval.imports or []) ++ [ extraConfig ];
- config = isoEvalcfg // {
- boot = bootcfg // lib.optionalAttrs (bootcfg ? loader) {
- loader = lib.mkForce bootcfg.loader;
- };
- fileSystems = lib.mapAttrs (lib.const lib.mkForce) fscfg // {
- "/boot" = lib.mkForce (fscfg."/boot" or {
- device = "none";
- fsType = "none";
- options = [ "noauto" ];
- });
+ mkIso = isoModule: extraConfig: let
+ wrapIso = { config, pkgs, lib, ... }@attrs: let
+ isoEval = import "${nixpkgs}/nixos/modules/${isoModule}" attrs;
+ isoEvalcfg = isoEval.config or {};
+ bootcfg = isoEvalcfg.boot or {};
+ fscfg = isoEvalcfg.fileSystems or {};
+ in {
+ options = isoEval.options or {};
+ imports = (isoEval.imports or []) ++ [ extraConfig ];
+ config = isoEvalcfg // {
+ boot = bootcfg // lib.optionalAttrs (bootcfg ? loader) {
+ loader = lib.mkForce bootcfg.loader;
+ };
+ fileSystems = lib.mapAttrs (lib.const lib.mkForce) fscfg // {
+ "/boot" = lib.mkForce (fscfg."/boot" or {
+ device = "none";
+ fsType = "none";
+ options = [ "noauto" ];
+ });
+ };
 };
 };
+ in import "${nixpkgs}/nixos/lib/eval-config.nix" {
+ modules = [ config wrapIso ];
+ };
+
+ config = {
+ imports = [ path cfg ] ++ import ../modules/module-list.nix;
 };
- in import "${nixpkgs}/nixos/lib/eval-config.nix" {
- modules = [ config wrapIso ];
- };
- config = {
- imports = [ path cfg ] ++ import ../modules/module-list.nix;
+ vm = (import "${nixpkgs}/nixos" {
+ configuration = config;
+ }).vm;
 };
- vm = (import "${nixpkgs}/nixos" {
- configuration = config;
- }).vm;
+in rec {
+ inherit (withPkgsPath (import ../nixpkgs-path.nix))
+ build config eval iso installerIso vm;
-in {
- build = eval.config.system.build.toplevel;
- inherit config eval iso installerIso vm;
+ # This is internal only and for use with restricted evaluation mode in Hydra
+ # to get the path to nixpkgs from the jobset input args instead of
+ # ../nixpkgs-path.nix.
+ inherit withPkgsPath;
 }
-- cgit 1.4.1
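Review bot: The comment above `inherit withPkgsPath;` marks the function as internal but does not mention that the sibling attributes `build`, `config`, `eval`, `iso`, `installerIso` and `vm` are still bound to `import ../nixpkgs-path.nix`, so a Hydra job that forces any of them instead of going through `withPkgsPath` would presumably hit the same restricted-eval failure this commit works around. I would extend it along the lines of `# Under restricted eval, take build/eval/iso/vm from (withPkgsPath PATH) only; the top-level attributes still import ../nixpkgs-path.nix.` The `nixpkgs` argument also decides which `eval-config.nix` and `nixos` tree get imported for every output, so the comment should say it is expected to be the pinned jobset input rather than an arbitrary path. The commit message calls the function `withPkgs` while the code exports `withPkgsPath`, and the two should be aligned. The outer `rec` in `in rec {` looks unnecessary, since both `inherit` lines read from the enclosing `let`.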