Nix 2.26.3
Nix, the purely functional package manager; unstable internal interfaces
 
Loading...
Searching...
No Matches
globals.hh
Go to the documentation of this file.
1#pragma once
3
4#include "types.hh"
5#include "config.hh"
8#include "users.hh"
9
10#include <map>
11#include <limits>
12
13#include <sys/types.h>
14
15namespace nix {
16
17typedef enum { smEnabled, smRelaxed, smDisabled } SandboxMode;
18
19struct MaxBuildJobsSetting : public BaseSetting<unsigned int>
20{
21 MaxBuildJobsSetting(Config * options,
22 unsigned int def,
23 const std::string & name,
24 const std::string & description,
25 const std::set<std::string> & aliases = {})
26 : BaseSetting<unsigned int>(def, true, name, description, aliases)
27 {
28 options->addSetting(this);
29 }
30
31 unsigned int parse(const std::string & str) const override;
32};
33
34const uint32_t maxIdsPerBuild =
35 #if __linux__
36 1 << 16
37 #else
38 1
39 #endif
40 ;
41
42class Settings : public Config {
43
44 unsigned int getDefaultCores();
45
46 StringSet getDefaultSystemFeatures();
47
48 StringSet getDefaultExtraPlatforms();
49
50 bool isWSL1();
51
52 Path getDefaultSSLCertFile();
53
54public:
55
56 Settings();
57
58 Path nixPrefix;
59
64
65 Path nixDataDir; /* !!! fix */
66
71
76
81
85 std::vector<Path> nixUserConfFiles;
86
91
92 Setting<std::string> storeUri{this, getEnv("NIX_REMOTE").value_or("auto"), "store",
93 R"(
94 The [URL of the Nix store](@docroot@/store/types/index.md#store-url-format)
95 to use for most operations.
96 See the
97 [Store Types](@docroot@/store/types/index.md)
98 section of the manual for supported store types and settings.
99 )"};
100
101 Setting<bool> keepFailed{this, false, "keep-failed",
102 "Whether to keep temporary directories of failed builds."};
103
104 Setting<bool> keepGoing{this, false, "keep-going",
105 "Whether to keep building derivations when another build fails."};
106
107 Setting<bool> tryFallback{
108 this, false, "fallback",
109 R"(
110 If set to `true`, Nix will fall back to building from source if a
111 binary substitute fails. This is equivalent to the `--fallback`
112 flag. The default is `false`.
113 )",
114 {"build-fallback"}};
115
119 bool verboseBuild = true;
120
121 Setting<size_t> logLines{this, 25, "log-lines",
122 "The number of lines of the tail of "
123 "the log to show if a build fails."};
124
125 MaxBuildJobsSetting maxBuildJobs{
126 this, 1, "max-jobs",
127 R"(
128 Maximum number of jobs that Nix will try to build locally in parallel.
129
130 The special value `auto` causes Nix to use the number of CPUs in your system.
131 Use `0` to disable local builds and directly use the remote machines specified in [`builders`](#conf-builders).
132 This will not affect derivations that have [`preferLocalBuild = true`](@docroot@/language/advanced-attributes.md#adv-attr-preferLocalBuild), which are always built locally.
133
134 > **Note**
135 >
136 > The number of CPU cores to use for each build job is independently determined by the [`cores`](#conf-cores) setting.
137
138 <!-- TODO(@fricklerhandwerk): would be good to have those shorthands for common options as part of the specification -->
139 The setting can be overridden using the `--max-jobs` (`-j`) command line switch.
140 )",
141 {"build-max-jobs"}};
142
143 Setting<unsigned int> maxSubstitutionJobs{
144 this, 16, "max-substitution-jobs",
145 R"(
146 This option defines the maximum number of substitution jobs that Nix
147 will try to run in parallel. The default is `16`. The minimum value
148 one can choose is `1` and lower values will be interpreted as `1`.
149 )",
150 {"substitution-max-jobs"}};
151
152 Setting<unsigned int> buildCores{
153 this,
154 getDefaultCores(),
155 "cores",
156 R"(
157 Sets the value of the `NIX_BUILD_CORES` environment variable in the [invocation of the `builder` executable](@docroot@/language/derivations.md#builder-execution) of a derivation.
158 The `builder` executable can use this variable to control its own maximum amount of parallelism.
159
160 <!--
161 FIXME(@fricklerhandwerk): I don't think this should even be mentioned here.
162 A very generic example using `derivation` and `xargs` may be more appropriate to explain the mechanism.
163 Using `mkDerivation` as an example requires being aware of that there are multiple independent layers that are completely opaque here.
164 -->
165 For instance, in Nixpkgs, if the attribute `enableParallelBuilding` for the `mkDerivation` build helper is set to `true`, it will pass the `-j${NIX_BUILD_CORES}` flag to GNU Make.
166
167 The value `0` means that the `builder` should use all available CPU cores in the system.
168
169 > **Note**
170 >
171 > The number of parallel local Nix build jobs is independently controlled with the [`max-jobs`](#conf-max-jobs) setting.
172 )",
173 {"build-cores"},
174 // Don't document the machine-specific default value
175 false};
176
181 bool readOnlyMode = false;
182
183 Setting<std::string> thisSystem{
184 this, SYSTEM, "system",
185 R"(
186 The system type of the current Nix installation.
187 Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in [`extra-platforms`](#conf-extra-platforms).
188
189 The default value is set when Nix itself is compiled for the system it will run on.
190 The following system types are widely used, as Nix is actively supported on these platforms:
191
192 - `x86_64-linux`
193 - `x86_64-darwin`
194 - `i686-linux`
195 - `aarch64-linux`
196 - `aarch64-darwin`
197 - `armv6l-linux`
198 - `armv7l-linux`
199
200 In general, you do not have to modify this setting.
201 While you can force Nix to run a Darwin-specific `builder` executable on a Linux machine, the result would obviously be wrong.
202
203 This value is available in the Nix language as
204 [`builtins.currentSystem`](@docroot@/language/builtins.md#builtins-currentSystem)
205 if the
206 [`eval-system`](#conf-eval-system)
207 configuration option is set as the empty string.
208 )"};
209
210 Setting<time_t> maxSilentTime{
211 this, 0, "max-silent-time",
212 R"(
213 This option defines the maximum number of seconds that a builder can
214 go without producing any data on standard output or standard error.
215 This is useful (for instance in an automated build system) to catch
216 builds that are stuck in an infinite loop, or to catch remote builds
217 that are hanging due to network problems. It can be overridden using
218 the `--max-silent-time` command line switch.
219
220 The value `0` means that there is no timeout. This is also the
221 default.
222 )",
223 {"build-max-silent-time"}};
224
225 Setting<time_t> buildTimeout{
226 this, 0, "timeout",
227 R"(
228 This option defines the maximum number of seconds that a builder can
229 run. This is useful (for instance in an automated build system) to
230 catch builds that are stuck in an infinite loop but keep writing to
231 their standard output or standard error. It can be overridden using
232 the `--timeout` command line switch.
233
234 The value `0` means that there is no timeout. This is also the
235 default.
236 )",
237 {"build-timeout"}};
238
239 Setting<Strings> buildHook{this, {"nix", "__build-remote"}, "build-hook",
240 R"(
241 The path to the helper program that executes remote builds.
242
243 Nix communicates with the build hook over `stdio` using a custom protocol to request builds that cannot be performed directly by the Nix daemon.
244 The default value is the internal Nix binary that implements remote building.
245
246 > **Important**
247 >
248 > Change this setting only if you really know what you’re doing.
249 )"};
250
251 Setting<std::string> builders{
252 this, "@" + nixConfDir + "/machines", "builders",
253 R"(
254 A semicolon- or newline-separated list of build machines.
255
256 In addition to the [usual ways of setting configuration options](@docroot@/command-ref/conf-file.md), the value can be read from a file by prefixing its absolute path with `@`.
257
258 > **Example**
259 >
260 > This is the default setting:
261 >
262 > ```
263 > builders = @/etc/nix/machines
264 > ```
265
266 Each machine specification consists of the following elements, separated by spaces.
267 Only the first element is required.
268 To leave a field at its default, set it to `-`.
269
270 1. The URI of the remote store in the format `ssh://[username@]hostname`.
271
272 > **Example**
273 >
274 > `ssh://nix@mac`
275
276 For backward compatibility, `ssh://` may be omitted.
277 The hostname may be an alias defined in `~/.ssh/config`.
278
279 2. A comma-separated list of [Nix system types](@docroot@/development/building.md#system-type).
280 If omitted, this defaults to the local platform type.
281
282 > **Example**
283 >
284 > `aarch64-darwin`
285
286 It is possible for a machine to support multiple platform types.
287
288 > **Example**
289 >
290 > `i686-linux,x86_64-linux`
291
292 3. The SSH identity file to be used to log in to the remote machine.
293 If omitted, SSH will use its regular identities.
294
295 > **Example**
296 >
297 > `/home/user/.ssh/id_mac`
298
299 4. The maximum number of builds that Nix will execute in parallel on the machine.
300 Typically this should be equal to the number of CPU cores.
301
302 5. The “speed factor”, indicating the relative speed of the machine as a positive integer.
303 If there are multiple machines of the right type, Nix will prefer the fastest, taking load into account.
304
305 6. A comma-separated list of supported [system features](#conf-system-features).
306
307 A machine will only be used to build a derivation if all the features in the derivation's [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute are supported by that machine.
308
309 7. A comma-separated list of required [system features](#conf-system-features).
310
311 A machine will only be used to build a derivation if all of the machine’s required features appear in the derivation’s [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute.
312
313 8. The (base64-encoded) public host key of the remote machine.
314 If omitted, SSH will use its regular `known_hosts` file.
315
316 The value for this field can be obtained via `base64 -w0`.
317
318 > **Example**
319 >
320 > Multiple builders specified on the command line:
321 >
322 > ```console
323 > --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
324 > ```
325
326 > **Example**
327 >
328 > This specifies several machines that can perform `i686-linux` builds:
329 >
330 > ```
331 > nix@scratchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 8 1 kvm
332 > nix@itchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 8 2
333 > nix@poochie.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 1 2 kvm benchmark
334 > ```
335 >
336 > However, `poochie` will only build derivations that have the attribute
337 >
338 > ```nix
339 > requiredSystemFeatures = [ "benchmark" ];
340 > ```
341 >
342 > or
343 >
344 > ```nix
345 > requiredSystemFeatures = [ "benchmark" "kvm" ];
346 > ```
347 >
348 > `itchy` cannot do builds that require `kvm`, but `scratchy` does support such builds.
349 > For regular builds, `itchy` will be preferred over `scratchy` because it has a higher speed factor.
350
351 For Nix to use substituters, the calling user must be in the [`trusted-users`](#conf-trusted-users) list.
352
353 > **Note**
354 >
355 > A build machine must be accessible via SSH and have Nix installed.
356 > `nix` must be available in `$PATH` for the user connecting over SSH.
357
358 > **Warning**
359 >
360 > If you are building via the Nix daemon (default), the Nix daemon user account on the local machine (that is, `root`) requires access to a user account on the remote machine (not necessarily `root`).
361 >
362 > If you can’t or don’t want to configure `root` to be able to access the remote machine, set [`store`](#conf-store) to any [local store](@docroot@/store/types/local-store.html), e.g. by passing `--store /tmp` to the command on the local machine.
363
364 To build only on remote machines and disable local builds, set [`max-jobs`](#conf-max-jobs) to 0.
365
366 If you want the remote machines to use substituters, set [`builders-use-substitutes`](#conf-builders-use-substituters) to `true`.
367 )",
368 {}, false};
369
370 Setting<bool> alwaysAllowSubstitutes{
371 this, false, "always-allow-substitutes",
372 R"(
373 If set to `true`, Nix will ignore the [`allowSubstitutes`](@docroot@/language/advanced-attributes.md) attribute in derivations and always attempt to use [available substituters](#conf-substituters).
374 )"};
375
376 Setting<bool> buildersUseSubstitutes{
377 this, false, "builders-use-substitutes",
378 R"(
379 If set to `true`, Nix will instruct [remote build machines](#conf-builders) to use their own [`substituters`](#conf-substituters) if available.
380
381 It means that remote build hosts will fetch as many dependencies as possible from their own substituters (e.g, from `cache.nixos.org`) instead of waiting for the local machine to upload them all.
382 This can drastically reduce build times if the network connection between the local machine and the remote build host is slow.
383 )"};
384
385 Setting<off_t> reservedSize{this, 8 * 1024 * 1024, "gc-reserved-space",
386 "Amount of reserved disk space for the garbage collector."};
387
388 Setting<bool> fsyncMetadata{
389 this, true, "fsync-metadata",
390 R"(
391 If set to `true`, changes to the Nix store metadata (in
392 `/nix/var/nix/db`) are synchronously flushed to disk. This improves
393 robustness in case of system crashes, but reduces performance. The
394 default is `true`.
395 )"};
396
397 Setting<bool> fsyncStorePaths{this, false, "fsync-store-paths",
398 R"(
399 Whether to call `fsync()` on store paths before registering them, to
400 flush them to disk. This improves robustness in case of system crashes,
401 but reduces performance. The default is `false`.
402 )"};
403
404 Setting<bool> useSQLiteWAL{this, !isWSL1(), "use-sqlite-wal",
405 "Whether SQLite should use WAL mode."};
406
407#ifndef _WIN32
408 // FIXME: remove this option, `fsync-store-paths` is faster.
409 Setting<bool> syncBeforeRegistering{this, false, "sync-before-registering",
410 "Whether to call `sync()` before registering a path as valid."};
411#endif
412
413 Setting<bool> useSubstitutes{
414 this, true, "substitute",
415 R"(
416 If set to `true` (default), Nix will use binary substitutes if
417 available. This option can be disabled to force building from
418 source.
419 )",
420 {"build-use-substitutes"}};
421
422 Setting<std::string> buildUsersGroup{
423 this, "", "build-users-group",
424 R"(
425 This options specifies the Unix group containing the Nix build user
426 accounts. In multi-user Nix installations, builds should not be
427 performed by the Nix account since that would allow users to
428 arbitrarily modify the Nix store and database by supplying specially
429 crafted builders; and they cannot be performed by the calling user
430 since that would allow him/her to influence the build result.
431
432 Therefore, if this option is non-empty and specifies a valid group,
433 builds will be performed under the user accounts that are a member
434 of the group specified here (as listed in `/etc/group`). Those user
435 accounts should not be used for any other purpose\!
436
437 Nix will never run two builds under the same user account at the
438 same time. This is to prevent an obvious security hole: a malicious
439 user writing a Nix expression that modifies the build result of a
440 legitimate Nix expression being built by another user. Therefore it
441 is good to have as many Nix build user accounts as you can spare.
442 (Remember: uids are cheap.)
443
444 The build users should have permission to create files in the Nix
445 store, but not delete them. Therefore, `/nix/store` should be owned
446 by the Nix account, its group should be the group specified here,
447 and its mode should be `1775`.
448
449 If the build users group is empty, builds will be performed under
450 the uid of the Nix process (that is, the uid of the caller if
451 `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
452 `NIX_REMOTE` is `daemon`). Obviously, this should not be used
453 with a nix daemon accessible to untrusted clients.
454
455 Defaults to `nixbld` when running as root, *empty* otherwise.
456 )",
457 {}, false};
458
459 Setting<bool> autoAllocateUids{this, false, "auto-allocate-uids",
460 R"(
461 Whether to select UIDs for builds automatically, instead of using the
462 users in `build-users-group`.
463
464 UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
465 )", {}, true, Xp::AutoAllocateUids};
466
467 Setting<uint32_t> startId{this,
468 #if __linux__
469 0x34000000,
470 #else
471 56930,
472 #endif
473 "start-id",
474 "The first UID and GID to use for dynamic ID allocation."};
475
476 Setting<uint32_t> uidCount{this,
477 #if __linux__
478 maxIdsPerBuild * 128,
479 #else
480 128,
481 #endif
482 "id-count",
483 "The number of UIDs/GIDs to use for dynamic ID allocation."};
484
485 #if __linux__
486 Setting<bool> useCgroups{
487 this, false, "use-cgroups",
488 R"(
489 Whether to execute builds inside cgroups.
490 This is only supported on Linux.
491
492 Cgroups are required and enabled automatically for derivations
493 that require the `uid-range` system feature.
494 )"};
495 #endif
496
497 Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
498 "Whether to impersonate a Linux 2.6 machine on newer kernels.",
499 {"build-impersonate-linux-26"}};
500
501 Setting<bool> keepLog{
502 this, true, "keep-build-log",
503 R"(
504 If set to `true` (the default), Nix will write the build log of a
505 derivation (i.e. the standard output and error of its builder) to
506 the directory `/nix/var/log/nix/drvs`. The build log can be
507 retrieved using the command `nix-store -l path`.
508 )",
509 {"build-keep-log"}};
510
511 Setting<bool> compressLog{
512 this, true, "compress-build-log",
513 R"(
514 If set to `true` (the default), build logs written to
515 `/nix/var/log/nix/drvs` will be compressed on the fly using bzip2.
516 Otherwise, they will not be compressed.
517 )",
518 {"build-compress-log"}};
519
520 Setting<unsigned long> maxLogSize{
521 this, 0, "max-build-log-size",
522 R"(
523 This option defines the maximum number of bytes that a builder can
524 write to its stdout/stderr. If the builder exceeds this limit, it’s
525 killed. A value of `0` (the default) means that there is no limit.
526 )",
527 {"build-max-log-size"}};
528
529 Setting<unsigned int> pollInterval{this, 5, "build-poll-interval",
530 "How often (in seconds) to poll for locks."};
531
532 Setting<bool> gcKeepOutputs{
533 this, false, "keep-outputs",
534 R"(
535 If `true`, the garbage collector will keep the outputs of
536 non-garbage derivations. If `false` (default), outputs will be
537 deleted unless they are GC roots themselves (or reachable from other
538 roots).
539
540 In general, outputs must be registered as roots separately. However,
541 even if the output of a derivation is registered as a root, the
542 collector will still delete store paths that are used only at build
543 time (e.g., the C compiler, or source tarballs downloaded from the
544 network). To prevent it from doing so, set this option to `true`.
545 )",
546 {"gc-keep-outputs"}};
547
548 Setting<bool> gcKeepDerivations{
549 this, true, "keep-derivations",
550 R"(
551 If `true` (default), the garbage collector will keep the derivations
552 from which non-garbage store paths were built. If `false`, they will
553 be deleted unless explicitly registered as a root (or reachable from
554 other roots).
555
556 Keeping derivation around is useful for querying and traceability
557 (e.g., it allows you to ask with what dependencies or options a
558 store path was built), so by default this option is on. Turn it off
559 to save a bit of disk space (or a lot if `keep-outputs` is also
560 turned on).
561 )",
562 {"gc-keep-derivations"}};
563
564 Setting<bool> autoOptimiseStore{
565 this, false, "auto-optimise-store",
566 R"(
567 If set to `true`, Nix automatically detects files in the store
568 that have identical contents, and replaces them with hard links to
569 a single copy. This saves disk space. If set to `false` (the
570 default), you can still run `nix-store --optimise` to get rid of
571 duplicate files.
572 )"};
573
574 Setting<bool> envKeepDerivations{
575 this, false, "keep-env-derivations",
576 R"(
577 If `false` (default), derivations are not stored in Nix user
578 environments. That is, the derivations of any build-time-only
579 dependencies may be garbage-collected.
580
581 If `true`, when you add a Nix derivation to a user environment, the
582 path of the derivation is stored in the user environment. Thus, the
583 derivation will not be garbage-collected until the user environment
584 generation is deleted (`nix-env --delete-generations`). To prevent
585 build-time-only dependencies from being collected, you should also
586 turn on `keep-outputs`.
587
588 The difference between this option and `keep-derivations` is that
589 this one is “sticky”: it applies to any user environment created
590 while this option was enabled, while `keep-derivations` only applies
591 at the moment the garbage collector is run.
592 )",
593 {"env-keep-derivations"}};
594
595 Setting<SandboxMode> sandboxMode{
596 this,
597 #if __linux__
598 smEnabled
599 #else
600 smDisabled
601 #endif
602 , "sandbox",
603 R"(
604 If set to `true`, builds will be performed in a *sandboxed
605 environment*, i.e., they’re isolated from the normal file system
606 hierarchy and will only see their dependencies in the Nix store,
607 the temporary build directory, private versions of `/proc`,
608 `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
609 configured with the `sandbox-paths` option. This is useful to
610 prevent undeclared dependencies on files in directories such as
611 `/usr/bin`. In addition, on Linux, builds run in private PID,
612 mount, network, IPC and UTS namespaces to isolate them from other
613 processes in the system (except that fixed-output derivations do
614 not run in private network namespace to ensure they can access the
615 network).
616
617 Currently, sandboxing only work on Linux and macOS. The use of a
618 sandbox requires that Nix is run as root (so you should use the
619 “build users” feature to perform the actual builds under different
620 users than root).
621
622 If this option is set to `relaxed`, then fixed-output derivations
623 and derivations that have the `__noChroot` attribute set to `true`
624 do not run in sandboxes.
625
626 The default is `true` on Linux and `false` on all other platforms.
627 )",
628 {"build-use-chroot", "build-use-sandbox"}};
629
630 Setting<PathSet> sandboxPaths{
631 this, {}, "sandbox-paths",
632 R"(
633 A list of paths bind-mounted into Nix sandbox environments. You can
634 use the syntax `target=source` to mount a path in a different
635 location in the sandbox; for instance, `/bin=/nix-bin` will mount
636 the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
637 followed by `?`, then it is not an error if *source* does not exist;
638 for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will
639 only be mounted in the sandbox if it exists in the host filesystem.
640
641 If the source is in the Nix store, then its closure will be added to
642 the sandbox as well.
643
644 Depending on how Nix was built, the default value for this option
645 may be empty or provide `/bin/sh` as a bind-mount of `bash`.
646 )",
647 {"build-chroot-dirs", "build-sandbox-paths"}};
648
649 Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
650 "Whether to disable sandboxing when the kernel doesn't allow it."};
651
652#ifndef _WIN32
653 Setting<bool> requireDropSupplementaryGroups{this, isRootUser(), "require-drop-supplementary-groups",
654 R"(
655 Following the principle of least privilege,
656 Nix will attempt to drop supplementary groups when building with sandboxing.
657
658 However this can fail under some circumstances.
659 For example, if the user lacks the `CAP_SETGID` capability.
660 Search `setgroups(2)` for `EPERM` to find more detailed information on this.
661
662 If you encounter such a failure, setting this option to `false` will let you ignore it and continue.
663 But before doing so, you should consider the security implications carefully.
664 Not dropping supplementary groups means the build sandbox will be less restricted than intended.
665
666 This option defaults to `true` when the user is root
667 (since `root` usually has permissions to call setgroups)
668 and `false` otherwise.
669 )"};
670#endif
671
672#if __linux__
673 Setting<std::string> sandboxShmSize{
674 this, "50%", "sandbox-dev-shm-size",
675 R"(
676 *Linux only*
677
678 This option determines the maximum size of the `tmpfs` filesystem
679 mounted on `/dev/shm` in Linux sandboxes. For the format, see the
680 description of the `size` option of `tmpfs` in mount(8). The default
681 is `50%`.
682 )"};
683
684 Setting<Path> sandboxBuildDir{this, "/build", "sandbox-build-dir",
685 R"(
686 *Linux only*
687
688 The build directory inside the sandbox.
689
690 This directory is backed by [`build-dir`](#conf-build-dir) on the host.
691 )"};
692#endif
693
694 Setting<std::optional<Path>> buildDir{this, std::nullopt, "build-dir",
695 R"(
696 The directory on the host, in which derivations' temporary build directories are created.
697
698 If not set, Nix will use the system temporary directory indicated by the `TMPDIR` environment variable.
699 Note that builds are often performed by the Nix daemon, so its `TMPDIR` is used, and not that of the Nix command line interface.
700
701 This is also the location where [`--keep-failed`](@docroot@/command-ref/opt-common.md#opt-keep-failed) leaves its files.
702
703 If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the [`builder`](@docroot@/language/derivations.md#attr-builder)'s environment will contain this directory, instead of the virtual location [`sandbox-build-dir`](#conf-sandbox-build-dir).
704 )"};
705
706 Setting<PathSet> allowedImpureHostPrefixes{this, {}, "allowed-impure-host-deps",
707 "Which prefixes to allow derivations to ask for access to (primarily for Darwin)."};
708
709#if __APPLE__
710 Setting<bool> darwinLogSandboxViolations{this, false, "darwin-log-sandbox-violations",
711 "Whether to log Darwin sandbox access violations to the system log."};
712#endif
713
714 Setting<bool> runDiffHook{
715 this, false, "run-diff-hook",
716 R"(
717 If true, enable the execution of the `diff-hook` program.
718
719 When using the Nix daemon, `run-diff-hook` must be set in the
720 `nix.conf` configuration file, and cannot be passed at the command
721 line.
722 )"};
723
724 OptionalPathSetting diffHook{
725 this, std::nullopt, "diff-hook",
726 R"(
727 Absolute path to an executable capable of diffing build
728 results. The hook is executed if `run-diff-hook` is true, and the
729 output of a build is known to not be the same. This program is not
730 executed to determine if two results are the same.
731
732 The diff hook is executed by the same user and group who ran the
733 build. However, the diff hook does not have write access to the
734 store path just built.
735
736 The diff hook program receives three parameters:
737
738 1. A path to the previous build's results
739
740 2. A path to the current build's results
741
742 3. The path to the build's derivation
743
744 4. The path to the build's scratch directory. This directory will
745 exist only if the build was run with `--keep-failed`.
746
747 The stderr and stdout output from the diff hook will not be
748 displayed to the user. Instead, it will print to the nix-daemon's
749 log.
750
751 When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
752 configuration file, and cannot be passed at the command line.
753 )"};
754
755 Setting<Strings> trustedPublicKeys{
756 this,
757 {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
758 "trusted-public-keys",
759 R"(
760 A whitespace-separated list of public keys.
761
762 At least one of the following condition must be met
763 for Nix to accept copying a store object from another
764 Nix store (such as a [substituter](#conf-substituters)):
765
766 - the store object has been signed using a key in the trusted keys list
767 - the [`require-sigs`](#conf-require-sigs) option has been set to `false`
768 - the store URL is configured with `trusted=true`
769 - the store object is [content-addressed](@docroot@/glossary.md#gloss-content-addressed-store-object)
770 )",
771 {"binary-cache-public-keys"}};
772
773 Setting<Strings> secretKeyFiles{
774 this, {}, "secret-key-files",
775 R"(
776 A whitespace-separated list of files containing secret (private)
777 keys. These are used to sign locally-built paths. They can be
778 generated using `nix-store --generate-binary-cache-key`. The
779 corresponding public key can be distributed to other users, who
780 can add it to `trusted-public-keys` in their `nix.conf`.
781 )"};
782
783 Setting<unsigned int> tarballTtl{
784 this, 60 * 60, "tarball-ttl",
785 R"(
786 The number of seconds a downloaded tarball is considered fresh. If
787 the cached tarball is stale, Nix will check whether it is still up
788 to date using the ETag header. Nix will download a new version if
789 the ETag header is unsupported, or the cached ETag doesn't match.
790
791 Setting the TTL to `0` forces Nix to always check if the tarball is
792 up to date.
793
794 Nix caches tarballs in `$XDG_CACHE_HOME/nix/tarballs`.
795
796 Files fetched via `NIX_PATH`, `fetchGit`, `fetchMercurial`,
797 `fetchTarball`, and `fetchurl` respect this TTL.
798 )"};
799
800 Setting<bool> requireSigs{
801 this, true, "require-sigs",
802 R"(
803 If set to `true` (the default), any non-content-addressed path added
804 or copied to the Nix store (e.g. when substituting from a binary
805 cache) must have a signature by a trusted key. A trusted key is one
806 listed in `trusted-public-keys`, or a public key counterpart to a
807 private key stored in a file listed in `secret-key-files`.
808
809 Set to `false` to disable signature checking and trust all
810 non-content-addressed paths unconditionally.
811
812 (Content-addressed paths are inherently trustworthy and thus
813 unaffected by this configuration option.)
814 )"};
815
816 Setting<StringSet> extraPlatforms{
817 this,
818 getDefaultExtraPlatforms(),
819 "extra-platforms",
820 R"(
821 System types of executables that can be run on this machine.
822
823 Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in the [`system` option](#conf-system).
824
825 Setting this can be useful to build derivations locally on compatible machines:
826 - `i686-linux` executables can be run on `x86_64-linux` machines (set by default)
827 - `x86_64-darwin` executables can be run on macOS `aarch64-darwin` with Rosetta 2 (set by default where applicable)
828 - `armv6` and `armv5tel` executables can be run on `armv7`
829 - some `aarch64` machines can also natively run 32-bit ARM code
830 - `qemu-user` may be used to support non-native platforms (though this
831 may be slow and buggy)
832
833 Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
834 You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
835 )",
836 {},
837 // Don't document the machine-specific default value
838 false};
839
840 Setting<StringSet> systemFeatures{
841 this,
842 getDefaultSystemFeatures(),
843 "system-features",
844 R"(
845 A set of system “features” supported by this machine.
846
847 This complements the [`system`](#conf-system) and [`extra-platforms`](#conf-extra-platforms) configuration options and the corresponding [`system`](@docroot@/language/derivations.md#attr-system) attribute on derivations.
848
849 A derivation can require system features in the [`requiredSystemFeatures` attribute](@docroot@/language/advanced-attributes.md#adv-attr-requiredSystemFeatures), and the machine to build the derivation must have them.
850
851 System features are user-defined, but Nix sets the following defaults:
852
853 - `apple-virt`
854
855 Included on Darwin if virtualization is available.
856
857 - `kvm`
858
859 Included on Linux if `/dev/kvm` is accessible.
860
861 - `nixos-test`, `benchmark`, `big-parallel`
862
863 These historical pseudo-features are always enabled for backwards compatibility, as they are used in Nixpkgs to route Hydra builds to specific machines.
864
865 - `ca-derivations`
866
867 Included by default if the [`ca-derivations` experimental feature](@docroot@/development/experimental-features.md#xp-feature-ca-derivations) is enabled.
868
869 This system feature is implicitly required by derivations with the [`__contentAddressed` attribute](@docroot@/language/advanced-attributes.md#adv-attr-__contentAddressed).
870
871 - `recursive-nix`
872
873 Included by default if the [`recursive-nix` experimental feature](@docroot@/development/experimental-features.md#xp-feature-recursive-nix) is enabled.
874
875 - `uid-range`
876
877 On Linux, Nix can run builds in a user namespace where they run as root (UID 0) and have 65,536 UIDs available.
878 This is primarily useful for running containers such as `systemd-nspawn` inside a Nix build. For an example, see [`tests/systemd-nspawn/nix`][nspawn].
879
880 [nspawn]: https://github.com/NixOS/nix/blob/67bcb99700a0da1395fa063d7c6586740b304598/tests/systemd-nspawn.nix.
881
882 Included by default on Linux if the [`auto-allocate-uids`](#conf-auto-allocate-uids) setting is enabled.
883 )",
884 {},
885 // Don't document the machine-specific default value
886 false};
887
888 Setting<Strings> substituters{
889 this,
890 Strings{"https://cache.nixos.org/"},
891 "substituters",
892 R"(
893 A list of [URLs of Nix stores](@docroot@/store/types/index.md#store-url-format) to be used as substituters, separated by whitespace.
894 A substituter is an additional [store](@docroot@/glossary.md#gloss-store) from which Nix can obtain [store objects](@docroot@/store/store-object.md) instead of building them.
895
896 Substituters are tried based on their priority value, which each substituter can set independently.
897 Lower value means higher priority.
898 The default is `https://cache.nixos.org`, which has a priority of 40.
899
900 At least one of the following conditions must be met for Nix to use a substituter:
901
902 - The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
903 - The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
904
905 In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
906 )",
907 {"binary-caches"}};
908
909 Setting<StringSet> trustedSubstituters{
910 this, {}, "trusted-substituters",
911 R"(
912 A list of [Nix store URLs](@docroot@/store/types/index.md#store-url-format), separated by whitespace.
913 These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters).
914
915 Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
916 )",
917 {"trusted-binary-caches"}};
918
919 Setting<unsigned int> ttlNegativeNarInfoCache{
920 this, 3600, "narinfo-cache-negative-ttl",
921 R"(
922 The TTL in seconds for negative lookups.
923 If a store path is queried from a [substituter](#conf-substituters) but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration.
924
925 Set to `0` to force updating the lookup cache.
926
927 To wipe the lookup cache completely:
928
929 ```shell-session
930 $ rm $HOME/.cache/nix/binary-cache-v*.sqlite*
931 # rm /root/.cache/nix/binary-cache-v*.sqlite*
932 ```
933 )"};
934
935 Setting<unsigned int> ttlPositiveNarInfoCache{
936 this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
937 R"(
938 The TTL in seconds for positive lookups. If a store path is queried
939 from a substituter, the result of the query will be cached in the
940 local disk cache database including some of the NAR metadata. The
941 default TTL is a month, setting a shorter TTL for positive lookups
942 can be useful for binary caches that have frequent garbage
943 collection, in which case having a more frequent cache invalidation
944 would prevent trying to pull the path again and failing with a hash
945 mismatch if the build isn't reproducible.
946 )"};
947
948 Setting<bool> printMissing{this, true, "print-missing",
949 "Whether to print what paths need to be built or downloaded."};
950
951 Setting<std::string> preBuildHook{
952 this, "", "pre-build-hook",
953 R"(
954 If set, the path to a program that can set extra derivation-specific
955 settings for this system. This is used for settings that can't be
956 captured by the derivation model itself and are too variable between
957 different versions of the same system to be hard-coded into nix.
958
959 The hook is passed the derivation path and, if sandboxes are
960 enabled, the sandbox directory. It can then modify the sandbox and
961 send a series of commands to modify various settings to stdout. The
962 currently recognized commands are:
963
964 - `extra-sandbox-paths`\
965 Pass a list of files and directories to be included in the
966 sandbox for this build. One entry per line, terminated by an
967 empty line. Entries have the same format as `sandbox-paths`.
968 )"};
969
970 Setting<std::string> postBuildHook{
971 this, "", "post-build-hook",
972 R"(
973 Optional. The path to a program to execute after each build.
974
975 This option is only settable in the global `nix.conf`, or on the
976 command line by trusted users.
977
978 When using the nix-daemon, the daemon executes the hook as `root`.
979 If the nix-daemon is not involved, the hook runs as the user
980 executing the nix-build.
981
982 - The hook executes after an evaluation-time build.
983
984 - The hook does not execute on substituted paths.
985
986 - The hook's output always goes to the user's terminal.
987
988 - If the hook fails, the build succeeds but no further builds
989 execute.
990
991 - The hook executes synchronously, and blocks other builds from
992 progressing while it runs.
993
994 The program executes with no arguments. The program's environment
995 contains the following environment variables:
996
997 - `DRV_PATH`
998 The derivation for the built paths.
999
1000 Example:
1001 `/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv`
1002
1003 - `OUT_PATHS`
1004 Output paths of the built derivation, separated by a space
1005 character.
1006
1007 Example:
1008 `/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
1009 /nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
1010 /nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
1011 /nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
1012 /nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23`.
1013 )"};
1014
1015 Setting<unsigned int> downloadSpeed {
1016 this, 0, "download-speed",
1017 R"(
1018 Specify the maximum transfer rate in kilobytes per second you want
1019 Nix to use for downloads.
1020 )"};
1021
1022 Setting<std::string> netrcFile{
1023 this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file",
1024 R"(
1025 If set to an absolute path to a `netrc` file, Nix will use the HTTP
1026 authentication credentials in this file when trying to download from
1027 a remote host through HTTP or HTTPS. Defaults to
1028 `$NIX_CONF_DIR/netrc`.
1029
1030 The `netrc` file consists of a list of accounts in the following
1031 format:
1032
1033 machine my-machine
1034 login my-username
1035 password my-password
1036
1037 For the exact syntax, see [the `curl`
1038 documentation](https://ec.haxx.se/usingcurl-netrc.html).
1039
1040 > **Note**
1041 >
1042 > This must be an absolute path, and `~` is not resolved. For
1043 > example, `~/.netrc` won't resolve to your home directory's
1044 > `.netrc`.
1045 )"};
1046
1047 Setting<Path> caFile{
1048 this, getDefaultSSLCertFile(), "ssl-cert-file",
1049 R"(
1050 The path of a file containing CA certificates used to
1051 authenticate `https://` downloads. Nix by default will use
1052 the first of the following files that exists:
1053
1054 1. `/etc/ssl/certs/ca-certificates.crt`
1055 2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
1056
1057 The path can be overridden by the following environment
1058 variables, in order of precedence:
1059
1060 1. `NIX_SSL_CERT_FILE`
1061 2. `SSL_CERT_FILE`
1062 )"};
1063
1064#if __linux__
1065 Setting<bool> filterSyscalls{
1066 this, true, "filter-syscalls",
1067 R"(
1068 Whether to prevent certain dangerous system calls, such as
1069 creation of setuid/setgid files or adding ACLs or extended
1070 attributes. Only disable this if you're aware of the
1071 security implications.
1072 )"};
1073
1074 Setting<bool> allowNewPrivileges{
1075 this, false, "allow-new-privileges",
1076 R"(
1077 (Linux-specific.) By default, builders on Linux cannot acquire new
1078 privileges by calling setuid/setgid programs or programs that have
1079 file capabilities. For example, programs such as `sudo` or `ping`
1080 will fail. (Note that in sandbox builds, no such programs are
1081 available unless you bind-mount them into the sandbox via the
1082 `sandbox-paths` option.) You can allow the use of such programs by
1083 enabling this option. This is impure and usually undesirable, but
1084 may be useful in certain scenarios (e.g. to spin up containers or
1085 set up userspace network interfaces in tests).
1086 )"};
1087#endif
1088
1089#if HAVE_ACL_SUPPORT
1090 Setting<StringSet> ignoredAcls{
1091 this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls",
1092 R"(
1093 A list of ACLs that should be ignored, normally Nix attempts to
1094 remove all ACLs from files and directories in the Nix store, but
1095 some ACLs like `security.selinux` or `system.nfs4_acl` can't be
1096 removed even by root. Therefore it's best to just ignore them.
1097 )"};
1098#endif
1099
1100 Setting<Strings> hashedMirrors{
1101 this, {}, "hashed-mirrors",
1102 R"(
1103 A list of web servers used by `builtins.fetchurl` to obtain files by
1104 hash. Given a hash algorithm *ha* and a base-16 hash *h*, Nix will try to
1105 download the file from *hashed-mirror*/*ha*/*h*. This allows files to
1106 be downloaded even if they have disappeared from their original URI.
1107 For example, given an example mirror `http://tarballs.nixos.org/`,
1108 when building the derivation
1109
1110 ```nix
1111 builtins.fetchurl {
1112 url = "https://example.org/foo-1.2.3.tar.xz";
1113 sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
1114 }
1115 ```
1116
1117 Nix will attempt to download this file from
1118 `http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
1119 first. If it is not available there, if will try the original URI.
1120 )"};
1121
1122 Setting<uint64_t> minFree{
1123 this, 0, "min-free",
1124 R"(
1125 When free disk space in `/nix/store` drops below `min-free` during a
1126 build, Nix performs a garbage-collection until `max-free` bytes are
1127 available or there is no more garbage. A value of `0` (the default)
1128 disables this feature.
1129 )"};
1130
1131 Setting<uint64_t> maxFree{
1132 // n.b. this is deliberately int64 max rather than uint64 max because
1133 // this goes through the Nix language JSON parser and thus needs to be
1134 // representable in Nix language integers.
1135 this, std::numeric_limits<int64_t>::max(), "max-free",
1136 R"(
1137 When a garbage collection is triggered by the `min-free` option, it
1138 stops as soon as `max-free` bytes are available. The default is
1139 infinity (i.e. delete all garbage).
1140 )"};
1141
1142 Setting<uint64_t> minFreeCheckInterval{this, 5, "min-free-check-interval",
1143 "Number of seconds between checking free disk space."};
1144
1145 Setting<size_t> narBufferSize{this, 32 * 1024 * 1024, "nar-buffer-size",
1146 "Maximum size of NARs before spilling them to disk."};
1147
1148 Setting<bool> allowSymlinkedStore{
1149 this, false, "allow-symlinked-store",
1150 R"(
1151 If set to `true`, Nix will stop complaining if the store directory
1152 (typically /nix/store) contains symlink components.
1153
1154 This risks making some builds "impure" because builders sometimes
1155 "canonicalise" paths by resolving all symlink components. Problems
1156 occur if those builds are then deployed to machines where /nix/store
1157 resolves to a different location from that of the build machine. You
1158 can enable this setting if you are sure you're not going to do that.
1159 )"};
1160
1161 Setting<bool> useXDGBaseDirectories{
1162 this, false, "use-xdg-base-directories",
1163 R"(
1164 If set to `true`, Nix will conform to the [XDG Base Directory Specification] for files in `$HOME`.
1165 The environment variables used to implement this are documented in the [Environment Variables section](@docroot@/command-ref/env-common.md).
1166
1167 [XDG Base Directory Specification]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
1168
1169 > **Warning**
1170 > This changes the location of some well-known symlinks that Nix creates, which might break tools that rely on the old, non-XDG-conformant locations.
1171
1172 In particular, the following locations change:
1173
1174 | Old | New |
1175 |-------------------|--------------------------------|
1176 | `~/.nix-profile` | `$XDG_STATE_HOME/nix/profile` |
1177 | `~/.nix-defexpr` | `$XDG_STATE_HOME/nix/defexpr` |
1178 | `~/.nix-channels` | `$XDG_STATE_HOME/nix/channels` |
1179
1180 If you already have Nix installed and are using [profiles](@docroot@/package-management/profiles.md) or [channels](@docroot@/command-ref/nix-channel.md), you should migrate manually when you enable this option.
1181 If `$XDG_STATE_HOME` is not set, use `$HOME/.local/state/nix` instead of `$XDG_STATE_HOME/nix`.
1182 This can be achieved with the following shell commands:
1183
1184 ```sh
1185 nix_state_home=${XDG_STATE_HOME-$HOME/.local/state}/nix
1186 mkdir -p $nix_state_home
1187 mv $HOME/.nix-profile $nix_state_home/profile
1188 mv $HOME/.nix-defexpr $nix_state_home/defexpr
1189 mv $HOME/.nix-channels $nix_state_home/channels
1190 ```
1191 )"
1192 };
1193
1194 Setting<StringMap> impureEnv {this, {}, "impure-env",
1195 R"(
1196 A list of items, each in the format of:
1197
1198 - `name=value`: Set environment variable `name` to `value`.
1199
1200 If the user is trusted (see `trusted-users` option), when building
1201 a fixed-output derivation, environment variables set in this option
1202 will be passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md#adv-attr-impureEnvVars).
1203
1204 This option is useful for, e.g., setting `https_proxy` for
1205 fixed-output derivations and in a multi-user Nix installation, or
1206 setting private access tokens when fetching a private repository.
1207 )",
1208 {}, // aliases
1209 true, // document default
1210 Xp::ConfigurableImpureEnv
1211 };
1212
1213 Setting<std::string> upgradeNixStorePathUrl{
1214 this,
1215 "https://github.com/NixOS/nixpkgs/raw/master/nixos/modules/installer/tools/nix-fallback-paths.nix",
1216 "upgrade-nix-store-path-url",
1217 R"(
1218 Used by `nix upgrade-nix`, the URL of the file that contains the
1219 store paths of the latest Nix release.
1220 )"
1221 };
1222
1223 Setting<uint64_t> warnLargePathThreshold{
1224 this,
1225 0,
1226 "warn-large-path-threshold",
1227 R"(
1228 Warn when copying a path larger than this number of bytes to the Nix store
1229 (as determined by its NAR serialisation).
1230 Default is 0, which disables the warning.
1231 Set it to 1 to warn on all paths.
1232 )"
1233 };
1234};
1235
1236
1237// FIXME: don't use a global variable.
1238extern Settings settings;
1239
1246void loadConfFile(AbstractConfig & config);
1247
1248// Used by the Settings constructor
1249std::vector<Path> getUserConfigFiles();
1250
1259extern std::string nixVersion;
1260
1265void initLibStore(bool loadConfig = true);
1266
1272void assertLibStoreInitialized();
1273
1274}
Definition config.hh:51
Definition config.hh:138
Definition config.hh:320
Definition globals.hh:42
std::vector< Path > nixUserConfFiles
Definition globals.hh:85
Path nixStateDir
Definition globals.hh:75
bool verboseBuild
Definition globals.hh:119
bool readOnlyMode
Definition globals.hh:181
Path nixConfDir
Definition globals.hh:80
Path nixDaemonSocketFile
Definition globals.hh:90
Path nixLogDir
Definition globals.hh:70
Path nixStore
Definition globals.hh:63
std::string fmt(const std::string &s)
Definition fmt.hh:67
OptionalPathSetting(Config *options, const std::optional< Path > &def, const std::string &name, const std::string &description, const std::set< std::string > &aliases={})
std::ostream & str
Definition lexer.l:1728
Definition globals.hh:20
unsigned int parse(const std::string &str) const override
Definition globals.cc:299
std::string Path
Definition types.hh:22
bool isRootUser()