nixos/guix: add declarative substituters option

Gabriel Arazas 2024-03-10 17:24:45 +08:00 committed by Liam Hupfer
parent 7ffd9ae656
commit 7095e0f8c1
3 changed files with 78 additions and 13 deletions


@ -561,6 +561,11 @@
- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled - `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled
- The `services.guix` module now manages trusted substitute servers
declaratively. Instead of `guix archive --authorize`, list keys with
`services.guix.substituters.authorizedKeys`. Default substitute servers can be
set via `services.guix.substituters.urls`.
- The `tracy` package no longer works on X11, since it's moved to Wayland - The `tracy` package no longer works on X11, since it's moved to Wayland
support, which is the intended default behavior by Tracy maintainers. support, which is the intended default behavior by Tracy maintainers.
X11 users have to switch to the new package `tracy-x11`. X11 users have to switch to the new package `tracy-x11`.


@ -46,6 +46,17 @@ let
GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale"; GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale";
LC_ALL = "C.UTF-8"; LC_ALL = "C.UTF-8";
}; };
# Currently, this is just done the lazy way with the official Guix script. A
# more "formal" way would be creating our own Guix script to handle and
# generate the ACL file ourselves.
aclFile = pkgs.runCommandLocal "guix-acl" { } ''
export GUIX_CONFIGURATION_DIRECTORY=./
for official_server_keys in ${lib.concatStringsSep " " cfg.substituters.authorizedKeys}; do
${lib.getExe' cfg.package "guix"} archive --authorize < "$official_server_keys"
done
install -Dm0600 ./acl "$out"
'';
in in
{ {
meta.maintainers = with lib.maintainers; [ foo-dogsquared ]; meta.maintainers = with lib.maintainers; [ foo-dogsquared ];
@ -118,6 +129,57 @@ in
example = "/gnu/var"; example = "/gnu/var";
}; };
substituters = {
urls = lib.mkOption {
type = with lib.types; listOf str;
default = [
"https://ci.guix.gnu.org"
"https://bordeaux.guix.gnu.org"
"https://berlin.guix.gnu.org"
];
example = lib.literalExpression ''
options.services.guix.substituters.urls.default ++ [
"https://guix.example.com"
"https://guix.example.org"
]
'';
description = ''
A list of substitute servers' URLs for the Guix daemon to download
substitutes from.
'';
};
authorizedKeys = lib.mkOption {
type = with lib.types; listOf path;
default = [
"${cfg.package}/share/guix/ci.guix.gnu.org.pub"
"${cfg.package}/share/guix/bordeaux.guix.gnu.org.pub"
"${cfg.package}/share/guix/berlin.guix.gnu.org.pub"
];
defaultText = ''
The packaged signing keys from {option}`services.guix.package`.
'';
example = lib.literalExpression ''
options.services.guix.substituters.authorizedKeys.default ++ [
(builtins.fetchurl {
url = "https://guix.example.com/signing-key.pub";
})
(builtins.fetchurl {
url = "https://guix.example.org/static/signing-key.pub";
})
]
'';
description = ''
A list of signing keys for each substitute server to be authorized as
a source of substitutes. Without this, the listed substitute servers
from {option}`services.guix.substituters.urls` would be ignored [with
some
exceptions](https://guix.gnu.org/manual/en/html_node/Substitute-Authentication.html).
'';
};
};
publish = { publish = {
enable = mkEnableOption "substitute server for your Guix store directory"; enable = mkEnableOption "substitute server for your Guix store directory";
@ -215,6 +277,8 @@ in
script = '' script = ''
${lib.getExe' package "guix-daemon"} \ ${lib.getExe' package "guix-daemon"} \
--build-users-group=${cfg.group} \ --build-users-group=${cfg.group} \
${lib.optionalString (cfg.substituters.urls != [ ])
"--substitute-urls='${lib.concatStringsSep " " cfg.substituters.urls}'"} \
${lib.escapeShellArgs cfg.extraArgs} ${lib.escapeShellArgs cfg.extraArgs}
''; '';
serviceConfig = { serviceConfig = {
@ -254,11 +318,7 @@ in
# Make transferring files from one store to another easier with the usual # Make transferring files from one store to another easier with the usual
# case being of most substitutes from the official Guix CI instance. # case being of most substitutes from the official Guix CI instance.
system.activationScripts.guix-authorize-keys = '' environment.etc."guix/acl".source = aclFile;
for official_server_keys in ${package}/share/guix/*.pub; do
${lib.getExe' package "guix"} archive --authorize < $official_server_keys
done
'';
# Link the usual Guix profiles to the home directory. This is useful in # Link the usual Guix profiles to the home directory. This is useful in
# ephemeral setups where only certain part of the filesystem is # ephemeral setups where only certain part of the filesystem is
@ -270,8 +330,8 @@ in
in '' in ''
[ -d "${userProfile}" ] && ln -sfn "${userProfile}" "${location}" [ -d "${userProfile}" ] && ln -sfn "${userProfile}" "${location}"
''; '';
linkProfileToPath = acc: profile: location: let linkProfileToPath = acc: profile: location:
in acc + (linkProfile profile location); acc + (linkProfile profile location);
# This should contain export-only Guix user profiles. The rest of it is # This should contain export-only Guix user profiles. The rest of it is
# handled manually in the activation script. # handled manually in the activation script.
@ -387,7 +447,7 @@ in
Type = "oneshot"; Type = "oneshot";
PrivateDevices = true; PrivateDevices = true;
PrivateNetworks = true; PrivateNetwork = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
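Review bot: The new `--substitute-urls` argument in the guix-daemon `script` hunk (`@ -215,6 +277,8 @@`) is quoted by hand with single quotes around a space-joined list, so a URL containing a `'` or other shell metacharacters breaks out of the quoting into the daemon command line, while `cfg.extraArgs` on the very next line goes through `lib.escapeShellArgs`. Using the same helper keeps the escaping consistent and closed: `${lib.optionalString (cfg.substituters.urls != [ ]) "--substitute-urls=${lib.escapeShellArg (lib.concatStringsSep " " cfg.substituters.urls)}"} \`. The `aclFile` loop in the first hunk has the same unquoted join (`for official_server_keys in ${lib.concatStringsSep " " cfg.substituters.authorizedKeys}`), and `lib.escapeShellArgs` would quote each entry there as well. Separately, when `substituters.authorizedKeys` is set to `[ ]` the loop body never runs, so `./acl` is presumably never created and `install -Dm0600 ./acl "$out"` would fail the build; either document that an empty list is unsupported or create the file before the loop. The `let` block, the `script` attribute and the `serviceConfig` set all continue outside their hunks.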


@ -47,12 +47,12 @@ in {
services.guix = { services.guix = {
enable = true; enable = true;
extraArgs = [ # Force to only get all substitutes from the local server. We don't
# Force to only get all substitutes from the local server. We don't # have anything in the Guix store directory and we cannot get
# have anything in the Guix store directory and we cannot get # anything from the official substitute servers anyways.
# anything from the official substitute servers anyways. substituters.urls = [ "http://server.local:${toString publishPort}" ];
"--substitute-urls='http://server.local:${toString publishPort}'"
extraArgs = [
# Enable autodiscovery of the substitute servers in the local # Enable autodiscovery of the substitute servers in the local
# network. This machine shouldn't need to import the signing key from # network. This machine shouldn't need to import the signing key from
# the substitute server since it is automatically done anyways. # the substitute server since it is automatically done anyways.