nix-helpers: ca56331fa3e22739fc27c1dc46353752ac45cce1

     1: # Augment the environment for a derivation by allowing Nix commands to be
     2: # called inside the build process
     3: 
     4: { isBroken, lib, nix
     5: , nix-daemon-tunnel-socket ? "/var/lib/nix-daemon-tunnel/socket", runCommand }:
     6: 
     7: with builtins;
     8: with lib;
     9: with import ./util.nix { inherit lib; };
    10: with rec {
    11:   # Our Nix 2.x workaround won't work unless the user creates the needed socket,
    12:   # either manually or by enabling a service, so we warn them in two ways:
    13:   #  - We check, during evaluation, whether the socket exists. If not, we write
    14:   #    this warning to stderr using 'trace'.
    15:   #  - We also add this warning to the environment variables we return, so that
    16:   #    it's likely to be found by users debugging a broken build.
          #
          # NOTE(review): the manual instructions embedded in the message set the
          # tunnel socket to mode 0666, so any local account that can reach the path
          # can talk to nix-daemon with the identity of whoever runs the ssh tunnel.
          # Confirm that account is not listed in nix.conf 'trusted-users', and
          # consider a mode limited to the build users' group instead of
          # world-writable (verify the builds still connect).
          # NOTE(review): the nix-config URL in the message is plain http://, so
          # anything fetched from it should be verified before it is imported as a
          # NixOS module.
          # NOTE(review): pathExists is evaluated on the machine running the
          # evaluation; presumably a build performed on another host is not covered
          # by this check (confirm).
    17:   warn = with rec {
            # Location of the real nix-daemon socket that the manual ssh command in
            # the message is told to forward to.
    18:     default = "/nix/var/nix/daemon-socket/socket";
            # Renders the warning text; the evalTime flag picks which explanation of
            # why the message is being shown gets spliced in.
    19:     warning = evalTime: ''
    20:       WARNING: Nix 2.x disabled recursive Nix, so we're using a hacky
    21:       workaround where recursive connections to nix-daemon (i.e. those coming
    22:       from nixbld users) are sent to a different socket instead, and an SSH
    23:       tunnel passes them on to the real nix-daemon socket as a different user.
    24: 
    25:       This tunnel socket should be at the path '${nix-daemon-tunnel-socket}',
    26:       which can be overridden by defining 'nix-daemon-tunnel-socket' in your
    27:       Nix config (overlays, packageOverrides, etc.). You are seeing this
    28:       message because ${
    29:         if evalTime then ''
    30:           the 'withNix' Nix expression checked for the existence of this
    31:           socket during evaluation and it didn't exist.
    32:         '' else ''
    33:           this build environment was defined using 'withNix', and hence may
    34:           need this socket to be created in order for the build to succeed.
    35:         ''
    36:       }
    37: 
    38:       There are two ways you can make this extra socket. To just make a
    39:       one-off socket you can run a command like the following from your normal
    40:       user account (assuming that nix-daemon is using a socket at ${default}):
    41: 
    42:         ssh -nNT -L "${nix-daemon-tunnel-socket}":${default} "$USER"@localhost
    43:         chmod 0666 "${nix-daemon-tunnel-socket}"
    44: 
    45:       You may need to use 'sudo' to create and chmod this file. Keep this
    46:       tunnel running while you perform Nix commands that need 'withNix'. Note
    47:       that it's using SSH to log in as yourself, so it assumes that (a) your
    48:       system/user can initiate SSH connections and (b) your user is able to
    49:       log in via SSH.
    50: 
    51:       The alternative, which is more automated but potentially more invasive,
    52:       is to provide this socket via a NixOS system service. The nix-config
    53:       project at http://chriswarbo.net/git/nix-config provides such a service
    54:       in its nixos/modules/nix-daemon-tunnel.nix file (if it's no longer
    55:       there, try looking in the project's git history; it may be that the
    56:       workaround is no longer needed, and Nix versions which require it are
    57:       now obsolete).
    58: 
    59:       If you use the system service, note that the tunnel won't be available
    60:       the first time you use 'nixos-rebuild' to evaluate and build the new
    61:       system configuration. If your configuration relies on 'withNix', e.g.
    62:       for building a system package, you can use the "manual" commands above
    63:       to make the rebuild work then kill those commands in favour of the
    64:       system service.
    65:     '';
    66:   }; {
            # The env var always carries the build-time wording. When the socket path
            # is absent during evaluation, the eval-time wording is additionally
            # emitted through 'trace' before that value is returned.
    67:     WITH_NIX_WARNING = if pathExists nix-daemon-tunnel-socket then
    68:       warning false
    69:     else
    70:       trace (warning true) warning false;
    71:   };
    72: 
    73:   # Calculate what value to use for the NIX_REMOTE env var, and also add the
    74:   # above warning to the environment if needed.
          #
          # Every getEnv call here reads the environment of the process evaluating
          # this expression, so the NIX_REMOTE placed in the build environment
          # reflects the evaluator's settings at evaluation time.
    75:   remote = with rec {
            # True when the evaluator's NIX_REMOTE is empty (getEnv yields "" for an
            # unset variable) or is exactly "daemon".
    76:     daemon = elem (getEnv "NIX_REMOTE") [ "" "daemon" ];
            # Route through the tunnel socket only in daemon mode and when
            # needWorkaround holds. needWorkaround is not defined in this listing;
            # presumably it comes from ./util.nix (confirm).
    77:     tunnel = daemon && needWorkaround;
    78:   };
            # WITH_NIX_WARNING is merged in only when the tunnel is selected.
            # NIX_REMOTE is always set: the tunnel socket URL, else "daemon", else
            # the evaluator's own NIX_REMOTE value passed through unchanged.
    79:     (if tunnel then warn else { }) // {
    80:       NIX_REMOTE = if tunnel then
    81:         "unix://${nix-daemon-tunnel-socket}"
    82:       else if daemon then
    83:         "daemon"
    84:       else
    85:         getEnv "NIX_REMOTE";
    86:     };
    87: 
    88:   vars = remote // {
            # Reuse the evaluator's NIX_PATH when it is non-empty; otherwise point
            # 'nixpkgs' at whatever <nixpkgs> resolves to during evaluation.
            # NOTE(review): if <nixpkgs> is a path value, interpolating it into a
            # string copies that tree into the Nix store; confirm this is intended.
    89:     NIX_PATH = if getEnv "NIX_PATH" == "" then
    90:       "nixpkgs=${<nixpkgs>}"
    91:     else
    92:       getEnv "NIX_PATH";
    93:   };
    94: };
    95: attrs:
        # Takes the caller's derivation attributes and returns them augmented with
        # the Nix-related environment variables computed above.
        # '//' prefers its right-hand operand, so the caller's attrs override vars
        # (NIX_REMOTE, NIX_PATH and, when present, WITH_NIX_WARNING), while the
        # buildInputs and __noChroot values below override whatever the caller set.
    96: vars // attrs // {
          # Append Nix itself (its 'out' output when it has one) to the caller's
          # buildInputs, defaulting to an empty list when none were given.
    97:   buildInputs = (attrs.buildInputs or [ ]) ++ [ (nix.out or nix) ];
    98: 
    99:   # We need to access the tunnel file
          # NOTE(review): __noChroot asks Nix to build this derivation outside the
          # sandbox, and it is set for every caller, including evaluations where
          # NIX_REMOTE does not point at the tunnel socket. An unsandboxed build
          # can see the host filesystem and network, so derivations wrapped by
          # this function should be treated as impure. As far as I know Nix only
          # honours the attribute when 'sandbox = relaxed' is configured (confirm).
          # Exposing just the socket path through 'extra-sandbox-paths' may be a
          # narrower alternative; untested here, verify before relying on it.
   100:   __noChroot = true;
   101: }
