/*
Declares what makes the nix-daemon work on systemd.

See also
- nixos/modules/config/nix.nix: the nix.conf
- nixos/modules/config/nix-remote-build.nix: the nix.conf
*/
{ config, lib, pkgs, ... }:

with lib;

let

  # This module's own option subtree (`nix.*`).
  cfg = config.nix;

  # The `out` output of the configured Nix package.  It is installed
  # system-wide, registered with `systemd.packages` and put on the daemon's
  # `path` below.
  nixPackage = cfg.package.out;

  # Version predicate on `nixPackage`, e.g. `isNixAtLeast "2.3pre"`; used to
  # gate settings that older Nix releases do not understand.
  isNixAtLeast = versionAtLeast (getVersion nixPackage);

  # Builds the `{ name; value; }` pair for build user number `nr`, in the
  # shape `listToAttrs` expects.  These are the unprivileged accounts the
  # daemon runs builds under (see the `nrBuildUsers` description below).
  makeNixBuildUser = nr: {
    name = "nixbld${toString nr}";
    value = {
      description = "Nix build user ${toString nr}";

      /*
      For consistency with the setgid(2), setuid(2), and setgroups(2)
      calls in `libstore/build.cc', don't add any supplementary group
      here except "nixbld".
      */
      # Static uid: the `nixbld` base uid from `config.ids.uids` plus `nr`,
      # so the accounts are stable across rebuilds.
      uid = builtins.add config.ids.uids.nixbld nr;
      isSystemUser = true;
      group = "nixbld";
      extraGroups = [ "nixbld" ];
    };
  };

  # `nixbld1` .. `nixbld<nrBuildUsers>` as a `users.users`-style attrset.
  nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));

in

{
  # Renamed/removed option paths kept so old configurations still evaluate
  # (with a warning or an error pointing at the replacement).
  imports = [
    (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
    (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; })
    (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
  ];

  ###### interface

  options = {

    nix = {

      # Master switch: everything under `config` below is wrapped in
      # `mkIf cfg.enable`.
      enable = mkOption {
        type = types.bool;
        default = true;
        description = lib.mdDoc ''
          Whether to enable Nix.
          Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
        '';
      };

      # The Nix derivation whose `out` output becomes `nixPackage`.
      package = mkOption {
        type = types.package;
        default = pkgs.nix;
        defaultText = literalExpression "pkgs.nix";
        description = lib.mdDoc ''
          This option specifies the Nix package instance to use throughout the system.
        '';
      };

      # Mapped 1:1 onto `CPUSchedulingPolicy=` of nix-daemon.service.
      daemonCPUSchedPolicy = mkOption {
        type = types.enum [ "other" "batch" "idle" ];
        default = "other";
        example = "batch";
        description = lib.mdDoc ''
          Nix daemon process CPU scheduling policy. This policy propagates to
          build processes. `other` is the default scheduling
          policy for regular tasks. The `batch` policy is
          similar to `other`, but optimised for
          non-interactive tasks. `idle` is for extremely
          low-priority tasks that should only be run when no other task
          requires CPU time.

          Please note that while using the `idle` policy may
          greatly improve responsiveness of a system performing expensive
          builds, it may also slow down and potentially starve crucial
          configuration updates during load.

          `idle` may therefore be a sensible policy for
          systems that experience only intermittent phases of high CPU load,
          such as desktop or portable computers used interactively. Other
          systems should use the `other` or
          `batch` policy instead.

          For more fine-grained resource control, please refer to
          {manpage}`systemd.resource-control(5)` and adjust
          {option}`systemd.services.nix-daemon` directly.
        '';
      };

      # Mapped 1:1 onto `IOSchedulingClass=` of nix-daemon.service.
      daemonIOSchedClass = mkOption {
        type = types.enum [ "best-effort" "idle" ];
        default = "best-effort";
        example = "idle";
        description = lib.mdDoc ''
          Nix daemon process I/O scheduling class. This class propagates to
          build processes. `best-effort` is the default
          class for regular tasks. The `idle` class is for
          extremely low-priority tasks that should only perform I/O when no
          other task does.

          Please note that while using the `idle` scheduling
          class can improve responsiveness of a system performing expensive
          builds, it might also slow down or starve crucial configuration
          updates during load.

          `idle` may therefore be a sensible class for
          systems that experience only intermittent phases of high I/O load,
          such as desktop or portable computers used interactively. Other
          systems should use the `best-effort` class.
        '';
      };

      # Mapped 1:1 onto `IOSchedulingPriority=` of nix-daemon.service.
      # The type is a plain int; the valid range described below is not
      # enforced here.
      daemonIOSchedPriority = mkOption {
        type = types.int;
        default = 4;
        example = 1;
        description = lib.mdDoc ''
          Nix daemon process I/O scheduling priority. This priority propagates
          to build processes. The supported priorities depend on the
          scheduling policy: With idle, priorities are not used in scheduling
          decisions. best-effort supports values in the range 0 (high) to 7
          (low).
        '';
      };

      # Environment variables for running Nix.
      # Internal (not documented in the manual); meant to be populated by
      # other modules.  Applied both to the daemon unit and to user sessions
      # below.
      envVars = mkOption {
        type = types.attrs;
        internal = true;
        default = { };
        description = lib.mdDoc "Environment variables used by Nix.";
      };

      # No `default` here: the module supplies one with `mkDefault` in the
      # implementation section, derived from `nix.settings`.
      nrBuildUsers = mkOption {
        type = types.int;
        description = lib.mdDoc ''
          Number of `nixbld` user accounts created to
          perform secure concurrent builds. If you receive an error
          message saying that “all build users are currently in use”,
          you should increase this value.
        '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    # Nix itself plus nix-info; bash completions only when bash completion
    # is enabled system-wide.
    environment.systemPackages =
      [
        nixPackage
        pkgs.nix-info
      ]
      ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions;

    # Pulls in the unit files (including nix-daemon.socket / .service)
    # that ship with the Nix package.
    systemd.packages = [ nixPackage ];

    # Will only work once https://github.com/NixOS/nix/pull/6285 is merged
    # systemd.tmpfiles.packages = [ nixPackage ];

    # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285
    # Parent directory of the daemon socket: 0755 root:root, so every local
    # user can traverse to the socket but only root can alter the directory.
    # The socket file itself and its mode are not set here; NOTE(review):
    # presumably they come from the nix-daemon.socket unit in nixPackage —
    # check that unit when auditing which users may reach the daemon.
    systemd.tmpfiles.rules = [
      "d /nix/var/nix/daemon-socket 0755 root root - -"
    ];

    # Socket-activated: the socket unit is started at boot, the service
    # only on first connection.
    systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];

    systemd.services.nix-daemon =
      {
        # Tools the daemon may exec; gzip is only needed for distributed
        # builds.
        path = [ nixPackage pkgs.util-linux config.programs.ssh.package ]
          ++ optionals cfg.distributedBuilds [ pkgs.gzip ];

        # CURL_CA_BUNDLE pins the CA file curl trusts to the system-wide
        # bundle (presumably for the daemon's HTTPS fetches).  The proxy
        # variables are merged last, so they win over `cfg.envVars` on a
        # name clash.
        environment = cfg.envVars
          // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
          // config.networking.proxy.envVars;

        # Never start before the store is mounted.
        unitConfig.RequiresMountsFor = "/nix/store";

        serviceConfig =
          {
            # Scheduling knobs come straight from the options above.
            CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy;
            IOSchedulingClass = cfg.daemonIOSchedClass;
            IOSchedulingPriority = cfg.daemonIOSchedPriority;
            # Generous open-file limit for the daemon process.
            LimitNOFILE = 1048576;
          };

        # Restart the daemon whenever the generated nix.conf changes.
        restartTriggers = [ config.environment.etc."nix/nix.conf".source ];

        # `stopIfChanged = false` changes to switch behavior
        # from stop -> update units -> start
        # to update units -> restart
        #
        # The `stopIfChanged` setting therefore controls a trade-off between a
        # more predictable lifecycle, which runs the correct "version" of
        # the `ExecStop` line, and on the other hand the availability of
        # sockets during the switch, as the effectiveness of the stop operation
        # depends on the socket being stopped as well.
        #
        # As `nix-daemon.service` does not make use of `ExecStop`, we prefer
        # to keep the socket up and available. This is important for machines
        # that run Nix-based services, such as automated build, test, and deploy
        # services, that expect the daemon socket to be available at all times.
        #
        # Notably, the Nix client does not retry on failure to connect to the
        # daemon socket, and the in-process RemoteStore instance will disable
        # itself. This makes retries infeasible even for services that are
        # aware of the issue. Failure to connect can affect not only new client
        # processes, but also new RemoteStore instances in existing processes,
        # as well as existing RemoteStore instances that have not saturated
        # their connection pool.
        #
        # Also note that `stopIfChanged = true` does not kill existing
        # connection handling daemons, as one might wish to happen before a
        # breaking Nix upgrade (which is rare). The daemon forks that handle
        # the individual connections split off into their own sessions, causing
        # them not to be stopped by systemd.
        # If a Nix upgrade does require all existing daemon processes to stop,
        # nix-daemon must do so on its own accord, and only when the new version
        # starts and detects that Nix's persistent state needs an upgrade.
        stopIfChanged = false;

      };

    # Set up the environment variables for running Nix.
    environment.sessionVariables = cfg.envVars;

    # Default for `nix.nrBuildUsers` (overridable by the user via mkDefault):
    # no static build users at all when Nix allocates uids dynamically
    # (`auto-allocate-uids`, treated as false when unset); otherwise at
    # least 32, and at least `max-jobs` where `"auto"` counts as 0.
    nix.nrBuildUsers = mkDefault (
      if cfg.settings.auto-allocate-uids or false then 0
      else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)
    );

    users.users = nixbldUsers;

    # Keep the build accounts off graphical login screens.
    services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers;

    # Runs after the `etc` and `users` activation steps; creates the
    # world-readable (0755) per-user gcroots and profiles directories.
    system.activationScripts.nix = stringAfter [ "etc" "users" ]
      ''
        install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user
      '';

    # Legacy configuration conversion.
    # `sandbox-fallback = false` stops Nix from silently running a build
    # unsandboxed when the sandbox cannot be set up; only Nix >= 2.3pre
    # knows the setting, hence the version gate.
    nix.settings = mkMerge [
      (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
    ];

  };

}