From f6c5531461d4f4826e565c3f5d5d7faaa434689e Mon Sep 17 00:00:00 2001 From: nicoo Date: Thu, 12 Dec 2024 18:26:24 +0000 Subject: [PATCH] nixos: Don't set `!allowSubstitutes` (#314664) It is set by `runCommandLocal` and prevents fetching the build output from `cache.nixos.org` or another trusted substituter. --- nixos/modules/programs/fish.nix | 9 +++-- nixos/modules/security/wrappers/default.nix | 6 ++-- .../buildkite-agents.nix | 4 ++- .../modules/services/games/archisteamfarm.nix | 4 ++- .../home-automation/home-assistant.nix | 4 ++- nixos/modules/services/misc/ananicy.nix | 35 +++++++++++-------- nixos/modules/services/monitoring/apcupsd.nix | 7 ++-- .../monitoring/prometheus/default.nix | 7 ++-- .../monitoring/prometheus/exporters/snmp.nix | 3 +- .../modules/services/networking/thelounge.nix | 4 ++- nixos/modules/services/networking/unbound.nix | 4 ++- nixos/modules/services/web-apps/akkoma.nix | 8 +++-- nixos/modules/services/web-apps/nextcloud.nix | 7 ++-- .../services/x11/window-managers/xmonad.nix | 3 +- 14 files changed, 65 insertions(+), 40 deletions(-) diff --git a/nixos/modules/programs/fish.nix b/nixos/modules/programs/fish.nix index 4d1eb6c36d99..5b5f8dd3bd31 100644 --- a/nixos/modules/programs/fish.nix +++ b/nixos/modules/programs/fish.nix @@ -33,7 +33,8 @@ let ''; babelfishTranslate = path: name: - pkgs.runCommandLocal "${name}.fish" { + pkgs.runCommand "${name}.fish" { + preferLocalBuild = true; nativeBuildInputs = [ pkgs.babelfish ]; } "babelfish < ${path} > $out;"; 
@@ -258,12 +259,14 @@ in preferLocalBuild = true; allowSubstitutes = false; }; - generateCompletions = package: pkgs.runCommandLocal + generateCompletions = package: pkgs.runCommand ( with lib.strings; let storeLength = stringLength storeDir + 34; # Nix' StorePath::HashLen + 2 for the separating slash and dash pathName = substring storeLength (stringLength package - storeLength) package; in (package.name or pathName) + "_fish-completions") - ( { inherit package; } // + ( { inherit package; + preferLocalBuild = true; + } // lib.optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }) '' mkdir -p $out diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3bfe921673ed..c885c25c2620 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -321,9 +321,9 @@ in }; ###### wrappers consistency checks - system.checks = lib.singleton (pkgs.runCommandLocal - "ensure-all-wrappers-paths-exist" { } - '' + system.checks = lib.singleton (pkgs.runCommand "ensure-all-wrappers-paths-exist" { + preferLocalBuild = true; + } '' # make sure we produce output mkdir -p $out diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index fc30172c6499..08839fbe31d3 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -9,7 +9,9 @@ let ln --symbolic ${pkgs.writeShellApplication { inherit name text; }}/bin/${name} $out/${name} ''; in - pkgs.runCommandLocal "buildkite-agent-hooks" { } '' + pkgs.runCommand "buildkite-agent-hooks" { + preferLocalBuild = true; + } '' mkdir $out ${lib.concatStringsSep "\n" (lib.mapAttrsToList mkHookEntry hooks)} ''; 
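Review bot: The context lines at the top of this hunk still read `preferLocalBuild = true; allowSubstitutes = false; };` for the preceding derivation in fish.nix, so this file keeps one explicit `allowSubstitutes = false` even though the commit's stated purpose is to stop setting it. If that one is deliberate (its definition starts outside the hunk, so I cannot see what it builds), a short comment there would stop the next cleanup from removing it; otherwise drop it the same way `generateCompletions` is changed here. For the new `generateCompletions` attribute set, `{ inherit package; preferLocalBuild = true; }` matches the style used in the rest of the patch.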
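Review bot: Allowing substitution on `ensure-all-wrappers-paths-exist` means a cache hit from a configured substituter stands in for running this consistency check locally; that is consistent with Nix's signed-substituter trust model, since the derivation's inputs are the same wrapper store paths, but for a check guarding the setuid wrappers it deserves a sentence saying so. Suggested above the `pkgs.runCommand` call: `# Substitutable on purpose: identical inputs mean a trusted substituter already ran this check.` The same reasoning applies to the config-check derivations elsewhere in this patch (promtool, snmp-exporter, unbound-checkconf), which now also accept a cached result instead of a local run. The body of the `system.checks` script continues outside the hunk.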
diff --git a/nixos/modules/services/games/archisteamfarm.nix b/nixos/modules/services/games/archisteamfarm.nix index 744115604f41..b0e5d4e694af 100644 --- a/nixos/modules/services/games/archisteamfarm.nix +++ b/nixos/modules/services/games/archisteamfarm.nix @@ -228,7 +228,9 @@ in preStart = let - createBotsScript = pkgs.runCommandLocal "ASF-bots" { } '' + createBotsScript = pkgs.runCommand "ASF-bots" { + preferLocalBuild = true; + } '' mkdir -p $out # clean potential removed bots rm -rf $out/*.json diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 599d33724ad3..2e91ee55f95e 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -43,7 +43,9 @@ let # secrets or includes, by naively unquoting strings with leading bangs # and at least one space-separated parameter. # https://www.home-assistant.io/docs/configuration/secrets/ - renderYAMLFile = fn: yaml: pkgs.runCommandLocal fn { } '' + renderYAMLFile = fn: yaml: pkgs.runCommand fn { + preferLocalBuilds = true; + } '' cp ${format.generate fn yaml} $out sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out ''; diff --git a/nixos/modules/services/misc/ananicy.nix b/nixos/modules/services/misc/ananicy.nix index 5731f93ae50a..bb3e63e2134a 100644 --- a/nixos/modules/services/misc/ananicy.nix +++ b/nixos/modules/services/misc/ananicy.nix 
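Review bot: In the home-assistant.nix hunk the new attribute is spelled `preferLocalBuilds = true;` (plural), which is not a derivation attribute Nix recognises; it is silently passed through as an ordinary build environment variable, so `renderYAMLFile` loses the local-build preference that every other call in this patch keeps. Change it to `preferLocalBuild = true;`. A helper that wraps `pkgs.runCommand` with `preferLocalBuild = true` would remove the fifteen hand-copied attribute sets that let this slip through.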
@@ -114,22 +114,27 @@ in config = lib.mkIf cfg.enable { environment = { systemPackages = [ finalPackage ]; - etc."ananicy.d".source = pkgs.runCommandLocal "ananicyfiles" { } '' - mkdir -p $out - # ananicy-cpp does not include rules or settings on purpose - if [[ -d "${cfg.rulesProvider}/etc/ananicy.d/00-default" ]]; then - cp -r ${cfg.rulesProvider}/etc/ananicy.d/* $out - else - cp -r ${cfg.rulesProvider}/* $out - fi + etc."ananicy.d".source = + pkgs.runCommand "ananicyfiles" + { + preferLocalBuild = true; + } + '' + mkdir -p $out + # ananicy-cpp does not include rules or settings on purpose + if [[ -d "${cfg.rulesProvider}/etc/ananicy.d/00-default" ]]; then + cp -r ${cfg.rulesProvider}/etc/ananicy.d/* $out + else + cp -r ${cfg.rulesProvider}/* $out + fi - # configured through .setings - rm -f $out/ananicy.conf - cp ${configFile} $out/ananicy.conf - ${lib.optionalString (cfg.extraRules != [ ]) "cp ${extraRules} $out/nixRules.rules"} - ${lib.optionalString (cfg.extraTypes != [ ]) "cp ${extraTypes} $out/nixTypes.types"} - ${lib.optionalString (cfg.extraCgroups != [ ]) "cp ${extraCgroups} $out/nixCgroups.cgroups"} - ''; + # configured through .setings + rm -f $out/ananicy.conf + cp ${configFile} $out/ananicy.conf + ${lib.optionalString (cfg.extraRules != [ ]) "cp ${extraRules} $out/nixRules.rules"} + ${lib.optionalString (cfg.extraTypes != [ ]) "cp ${extraTypes} $out/nixTypes.types"} + ${lib.optionalString (cfg.extraCgroups != [ ]) "cp ${extraCgroups} $out/nixCgroups.cgroups"} + ''; }; # ananicy and ananicy-cpp have different default settings diff --git a/nixos/modules/services/monitoring/apcupsd.nix b/nixos/modules/services/monitoring/apcupsd.nix index 21b27cb3f520..1a1ac838c657 100644 --- a/nixos/modules/services/monitoring/apcupsd.nix +++ b/nixos/modules/services/monitoring/apcupsd.nix 
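Review bot: The ananicy.nix hunk re-indents the entire `ananicyfiles` script, turning a one-line replacement into a rewrite in which every script line is a new-side line, which hides the functional change and differs from the inline `{ preferLocalBuild = true; } ''` style used in the other files of this patch. Keeping the original layout, `etc."ananicy.d".source = pkgs.runCommand "ananicyfiles" { preferLocalBuild = true; } ''`, would leave the script body untouched. If the re-indentation stays, the re-added comment should at least be corrected to `# configured through .settings`.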
@@ -60,9 +60,10 @@ let ); # Ensure the CLI uses our generated configFile - wrappedBinaries = pkgs.runCommandLocal "apcupsd-wrapped-binaries" - { nativeBuildInputs = [ pkgs.makeWrapper ]; } - '' + wrappedBinaries = pkgs.runCommand "apcupsd-wrapped-binaries" { + preferLocalBuild = true; + nativeBuildInputs = [ pkgs.makeWrapper ]; + } '' for p in "${lib.getBin pkgs.apcupsd}/bin/"*; do bname=$(basename "$p") makeWrapper "$p" "$out/bin/$bname" --add-flags "-f ${configFile}" diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 285b9e96924d..ea2b11e6cf66 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -29,9 +29,10 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: if checkConfigEnabled then - pkgs.runCommandLocal - "${name}-${replaceStrings [" "] [""] what}-checked" - { nativeBuildInputs = [ cfg.package.cli ]; } '' + pkgs.runCommand "${name}-${replaceStrings [" "] [""] what}-checked" { + preferLocalBuild = true; + nativeBuildInputs = [ cfg.package.cli ]; + } '' ln -s ${file} $out promtool ${what} $out '' else file; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index c647aba95499..1746ee1d51b3 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -23,7 +23,8 @@ let '' /. + file); checkConfig = file: - pkgs.runCommandLocal "checked-snmp-exporter-config.yml" { + pkgs.runCommand "checked-snmp-exporter-config.yml" { + preferLocalBuild = true; nativeBuildInputs = [ pkgs.buildPackages.prometheus-snmp-exporter ]; } '' ln -s ${coerceConfigFile file} $out 
diff --git a/nixos/modules/services/networking/thelounge.nix b/nixos/modules/services/networking/thelounge.nix index 0e064a1c0e00..96fa9a41bf6e 100644 --- a/nixos/modules/services/networking/thelounge.nix +++ b/nixos/modules/services/networking/thelounge.nix @@ -11,7 +11,9 @@ let pluginManifest = { dependencies = builtins.listToAttrs (builtins.map (pkg: { name = getName pkg; value = getVersion pkg; }) cfg.plugins); }; - plugins = pkgs.runCommandLocal "thelounge-plugins" { } '' + plugins = pkgs.runCommand "thelounge-plugins" { + preferLocalBuild = true; + } '' mkdir -p $out/node_modules echo ${escapeShellArg (builtins.toJSON pluginManifest)} >> $out/package.json ${concatMapStringsSep "\n" (pkg: '' diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 66451328dddd..7786f6a8d4d5 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -30,7 +30,9 @@ let ${confServer} ${confNoServer} ''; - confFile = if cfg.checkconf then pkgs.runCommandLocal "unbound-checkconf" { } '' + confFile = if cfg.checkconf then pkgs.runCommand "unbound-checkconf" { + preferLocalBuild = true; + } '' cp ${confFileUnchecked} unbound.conf # fake stateDir which is not accessible in the sandbox diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix index a42e96884e96..5f4c11660ded 100644 --- a/nixos/modules/services/web-apps/akkoma.nix +++ b/nixos/modules/services/web-apps/akkoma.nix @@ -336,7 +336,9 @@ let exec "${cfg.package}/bin/$(basename "$0")" "$@" ''; }; - in pkgs.runCommandLocal "akkoma-env" { } '' + in pkgs.runCommand "akkoma-env" { + preferLocalBuild = true; + } '' mkdir -p "$out/bin" ln -r -s ${escapeShellArg script} "$out/bin/pleroma" 
@@ -379,7 +381,9 @@ let staticDir = ex.":pleroma".":instance".static_dir; uploadDir = ex.":pleroma".":instance".upload_dir; - staticFiles = pkgs.runCommandLocal "akkoma-static" { } '' + staticFiles = pkgs.runCommand "akkoma-static" { + preferLocalBuild = true; + } '' ${concatStringsSep "\n" (mapAttrsToList (key: val: '' mkdir -p $out/frontends/${escapeShellArg val.name}/ ln -s ${escapeShellArg val.package} $out/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 8cb4b4c439f9..eae005bca545 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -44,10 +44,9 @@ let }; }; - webroot = pkgs.runCommandLocal - "${cfg.package.name or "nextcloud"}-with-apps" - { } - '' + webroot = pkgs.runCommand "${cfg.package.name or "nextcloud"}-with-apps" { + preferLocalBuild = true; + } '' mkdir $out ln -sfv "${cfg.package}"/* "$out" ${concatStrings diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix index 7feb3a0b520f..4361dc845153 100644 --- a/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixos/modules/services/x11/window-managers/xmonad.nix @@ -24,7 +24,8 @@ let inherit (cfg) ghcArgs; } cfg.config; in - pkgs.runCommandLocal "xmonad" { + pkgs.runCommand "xmonad" { + preferLocalBuild = true; nativeBuildInputs = [ pkgs.makeWrapper ]; } ('' install -D ${xmonadEnv}/share/man/man1/xmonad.1.gz $out/share/man/man1/xmonad.1.gz