Evaluation Checks
When configuration problems are detectable in a module, it is a good idea to
write a check for catching it early. Doing so can provide clear feedback to
the user and can prevent errors before the build.
Although Nix has the abort and
builtins.trace
functions
to perform such tasks generally, they are not ideally suited for NixOS
modules. Instead of these functions, you can declare your evaluation checks
using the NixOS module system.
Defining Checks
Checks can be defined using the option.
Each check needs an attribute name, under which you can define a trigger
assertion using and a
message using .
For the message, you can add
options to the module arguments and use
${options.path.to.option} to print a context-aware string
representation of an option path. Here is an example showing how this can be
done.
{ config, options, ... }: {
_module.checks.gpgSshAgent = {
check = config.programs.gnupg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
message = "If you have ${options.programs.gnupg.agent.enableSSHSupport} enabled,"
+ " you can't enable ${options.programs.ssh.startAgent} as well!";
};
_module.checks.grafanaPassword = {
check = config.services.grafana.database.password == "";
message = "The grafana password defined with ${options.services.grafana.database.password}"
+ " will be stored as plaintext in the Nix store!";
# This is a non-fatal warning
type = "warning";
};
}
Ignoring Checks
Sometimes you can get failing checks that don't apply to your specific case
and you wish to ignore them, or at least make errors non-fatal. You can do so
for all checks defined using by
using the attribute name of the definition, which is conveniently printed
using [...] when the check is triggered. For above
example, the evaluation output when the checks are triggered looks as
follows:
trace: warning: [grafanaPassword] The grafana password defined with
services.grafana.database.password will be stored as plaintext in the Nix store!
error: Failed checks:
- [gpgSshAgent] If you have programs.gnupg.agent.enableSSHSupport
enabled, you can't enable programs.ssh.startAgent as well!
The [grafanaPassword] and [gpgSshAgent]
strings tell you that these were defined under the grafanaPassword
and gpgSshAgent attributes of
respectively. With this knowledge
you can adjust them to your liking:
{
# Change the error into a non-fatal warning
_module.checks.gpgSshAgent.type = "warning";
# We don't care about this warning, disable it
_module.checks.grafanaPassword.enable = false;
}
Checks in Submodules
Evaluation checks can be defined within submodules in the same way. Here is an example:
{ lib, ... }: {
options.myServices = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ config, options, ... }: {
options.port = lib.mkOption {};
config._module.checks.portConflict = {
check = config.port != 80;
message = "Port ${toString config.port} defined using"
+ " ${options.port} is usually used for HTTP";
type = "warning";
};
}));
};
}
When this check is triggered, it shows both the submodule path along with
the check attribute within that submodule, joined by a
/. Note also how ${options.port}
correctly shows the context of the option.
trace: warning: [myServices.foo/portConflict] Port 80 defined using
myServices.foo.port is usually used for HTTP
Therefore to disable such a check, you can do so by changing the
option within the
myServices.foo submodule:
{
myServices.foo._module.checks.portConflict.enable = false;
}
Checks defined in submodules under types.listOf can't be
ignored, since there's no way to change previously defined list items.