diff --git a/nixos/modules/programs/nix-required-mounts.nix b/nixos/modules/programs/nix-required-mounts.nix
index 98ab819af55e..c339dd1cfddd 100644
--- a/nixos/modules/programs/nix-required-mounts.nix
+++ b/nixos/modules/programs/nix-required-mounts.nix
@@ -1,10 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
 cfg = config.programs.nix-required-mounts;
 package = pkgs.nix-required-mounts;
- Mount = with lib;
+ Mount =
+ with lib;
 types.submodule {
 options.host = mkOption {
 type = types.str;
@@ -15,25 +21,30 @@ let
 description = "Location in the sandbox to mount the host path at";
 };
 };
- Pattern = with lib.types;
- types.submodule ({ config, name, ... }: {
- options.onFeatures = lib.mkOption {
- type = listOf types.str;
- description =
- "Which requiredSystemFeatures should trigger relaxation of the sandbox";
- default = [ name ];
- };
- options.paths = lib.mkOption {
- type = listOf (oneOf [ path Mount ]);
- description =
- "A list of glob patterns, indicating which paths to expose to the sandbox";
- };
- options.unsafeFollowSymlinks = lib.mkEnableOption ''
- Instructs the hook to mount the symlink targets as well, when any of
- the `paths` contain symlinks. This may not work correctly with glob
- patterns.
- '';
- });
+ Pattern =
+ with lib.types;
+ types.submodule (
+ { config, name, ... }:
+ {
+ options.onFeatures = lib.mkOption {
+ type = listOf types.str;
+ description = "Which requiredSystemFeatures should trigger relaxation of the sandbox";
+ default = [ name ];
+ };
+ options.paths = lib.mkOption {
+ type = listOf (oneOf [
+ path
+ Mount
+ ]);
+ description = "A list of glob patterns, indicating which paths to expose to the sandbox";
+ };
+ options.unsafeFollowSymlinks = lib.mkEnableOption ''
+ Instructs the hook to mount the symlink targets as well, when any of
+ the `paths` contain symlinks. This may not work correctly with glob
+ patterns.
+ '';
+ }
+ );
 driverPaths = [
 pkgs.addOpenGLRunpath.driverLink
@@ -53,8 +64,7 @@ in
 {
 meta.maintainers = with lib.maintainers; [ SomeoneSerge ];
 options.programs.nix-required-mounts = {
- enable = lib.mkEnableOption
- "Expose extra paths to the sandbox depending on derivations' requiredSystemFeatures";
+ enable = lib.mkEnableOption "Expose extra paths to the sandbox depending on derivations' requiredSystemFeatures";
 presets.nvidia-gpu.enable = lib.mkEnableOption ''
 Declare the support for derivations that require an Nvidia GPU to be available, e.g. derivations with `requiredSystemFeatures = [ "cuda" ]`.
@@ -64,11 +74,11 @@ in
 You may extend or override the exposed paths via the `programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths` option.
 '';
- allowedPatterns = with lib.types;
+ allowedPatterns =
+ with lib.types;
 lib.mkOption rec {
 type = attrsOf Pattern;
- description =
- "The hook config, describing which paths to mount for which system features";
+ description = "The hook config, describing which paths to mount for which system features";
 default = { };
 defaultText = lib.literalExpression ''
 {
@@ -86,28 +96,24 @@ in
 extraWrapperArgs = lib.mkOption {
 type = with lib.types; listOf str;
 default = [ ];
- description =
- lib.mdDoc
- "List of extra arguments (such as `--add-flags -v`) to pass to the hook's wrapper";
+ description = "List of extra arguments (such as `--add-flags -v`) to pass to the hook's wrapper";
 };
 package = lib.mkOption {
 type = lib.types.package;
- default = package.override {
- inherit (cfg)
- allowedPatterns
- extraWrapperArgs;
- };
- description = lib.mdDoc "The final package with the final config applied";
+ default = package.override { inherit (cfg) allowedPatterns extraWrapperArgs; };
+ description = "The final package with the final config applied";
 internal = true;
 };
 };
- config = lib.mkIf cfg.enable (lib.mkMerge [
- { nix.settings.pre-build-hook = lib.getExe cfg.package; }
- (lib.mkIf cfg.presets.nvidia-gpu.enable {
- nix.settings.system-features = cfg.allowedPatterns.nvidia-gpu.onFeatures;
- programs.nix-required-mounts.allowedPatterns = {
- inherit (defaults) nvidia-gpu;
- };
- })
- ]);
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ { nix.settings.pre-build-hook = lib.getExe cfg.package; }
+ (lib.mkIf cfg.presets.nvidia-gpu.enable {
+ nix.settings.system-features = cfg.allowedPatterns.nvidia-gpu.onFeatures;
+ programs.nix-required-mounts.allowedPatterns = {
+ inherit (defaults) nvidia-gpu;
+ };
+ })
+ ]
+ );
 }
diff --git a/nixos/tests/nix-required-mounts/default.nix b/nixos/tests/nix-required-mounts/default.nix
index 49bf3b0268a6..60f894ce0bcc 100644
--- a/nixos/tests/nix-required-mounts/default.nix
+++ b/nixos/tests/nix-required-mounts/default.nix
@@ -1,6 +1,4 @@
-{ pkgs
-, ...
-}:
+{ pkgs, ... }:
 let
 inherit (pkgs) lib;
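Review bot: The two `description` lines in this hunk drop `lib.mdDoc` (on `extraWrapperArgs` and on `package`), which is a semantic edit to the rendered option documentation rather than a reformat, while every other hunk in the commit is whitespace-only. It is harmless only if option descriptions are already rendered as Markdown by default at this nixpkgs revision, which nothing in the hunk establishes; if that is the case it deserves a sentence in the commit description so a reviewer does not have to verify it. If it is not, the previous `description = lib.mdDoc "…"` form should be kept for both options so the backtick code spans in the text keep rendering.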
@@ -9,32 +7,34 @@ in
 {
 name = "nix-required-mounts";
 meta.maintainers = with lib.maintainers; [ SomeoneSerge ];
- nodes.machine = { config, pkgs, ... }: {
- virtualisation.writableStore = true;
- system.extraDependencies = [ (pkgs.runCommand "deps" { } "mkdir $out").inputDerivation ];
- nix.nixPath = [ "nixpkgs=${../../..}" ];
- nix.settings.substituters = lib.mkForce [ ];
- nix.settings.system-features = [ "supported-feature" ];
- nix.settings.experimental-features = [ "nix-command" ];
- programs.nix-required-mounts.enable = true;
- programs.nix-required-mounts.allowedPatterns.supported-feature = {
- onFeatures = [ "supported-feature" ];
- paths = [
- "/supported-feature-files"
- {
- host = "/usr/lib/imaginary-fhs-drivers";
- guest = "/run/opengl-driver/lib";
- }
+ nodes.machine =
+ { config, pkgs, ... }:
+ {
+ virtualisation.writableStore = true;
+ system.extraDependencies = [ (pkgs.runCommand "deps" { } "mkdir $out").inputDerivation ];
+ nix.nixPath = [ "nixpkgs=${../../..}" ];
+ nix.settings.substituters = lib.mkForce [ ];
+ nix.settings.system-features = [ "supported-feature" ];
+ nix.settings.experimental-features = [ "nix-command" ];
+ programs.nix-required-mounts.enable = true;
+ programs.nix-required-mounts.allowedPatterns.supported-feature = {
+ onFeatures = [ "supported-feature" ];
+ paths = [
+ "/supported-feature-files"
+ {
+ host = "/usr/lib/imaginary-fhs-drivers";
+ guest = "/run/opengl-driver/lib";
+ }
+ ];
+ unsafeFollowSymlinks = true;
+ };
+ users.users.person.isNormalUser = true;
+ systemd.tmpfiles.rules = [
+ "d /supported-feature-files 0755 person users -"
+ "f /usr/lib/libcuda.so 0444 root root - fakeContent"
+ "L /usr/lib/imaginary-fhs-drivers/libcuda.so 0444 root root - /usr/lib/libcuda.so"
 ];
- unsafeFollowSymlinks = true;
 };
- users.users.person.isNormalUser = true;
- systemd.tmpfiles.rules = [
- "d /supported-feature-files 0755 person users -"
- "f /usr/lib/libcuda.so 0444 root root - fakeContent"
- "L /usr/lib/imaginary-fhs-drivers/libcuda.so 0444 root root - /usr/lib/libcuda.so"
- ];
- };
 testScript = ''
 import shlex
diff --git a/nixos/tests/nix-required-mounts/ensure-path-not-present.nix b/nixos/tests/nix-required-mounts/ensure-path-not-present.nix
index 871f336ee9bd..270c268fcbd9 100644
--- a/nixos/tests/nix-required-mounts/ensure-path-not-present.nix
+++ b/nixos/tests/nix-required-mounts/ensure-path-not-present.nix
@@ -1,8 +1,9 @@
-{ pkgs ? import { }, feature }:
-
-pkgs.runCommandNoCC "${feature}-not-present" {
-} ''
+ pkgs ? import { },
+ feature,
+}:
+
+pkgs.runCommandNoCC "${feature}-not-present" { } ''
 if [[ -e /${feature}-files ]]; then
 echo "No ${feature} in requiredSystemFeatures, but /${feature}-files was mounted anyway"
 exit 1
@@ -10,4 +11,3 @@ pkgs.runCommandNoCC "${feature}-not-present"
 touch $out
 fi
 ''
-
diff --git a/nixos/tests/nix-required-mounts/test-require-feature.nix b/nixos/tests/nix-required-mounts/test-require-feature.nix
index 647d9a92d4a3..447fd49a300a 100644
--- a/nixos/tests/nix-required-mounts/test-require-feature.nix
+++ b/nixos/tests/nix-required-mounts/test-require-feature.nix
@@ -1,9 +1,9 @@
-{ pkgs ? import { }, feature }:
-
-pkgs.runCommandNoCC "${feature}-present" {
- requiredSystemFeatures = [ feature ];
-} ''
+ pkgs ? import { },
+ feature,
+}:
+
+pkgs.runCommandNoCC "${feature}-present" { requiredSystemFeatures = [ feature ]; } ''
 if [[ ! -e /${feature}-files ]]; then
 echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
 exit 1
diff --git a/nixos/tests/nix-required-mounts/test-structured-attrs-empty.nix b/nixos/tests/nix-required-mounts/test-structured-attrs-empty.nix
index d788c6773c8e..86f275330936 100644
--- a/nixos/tests/nix-required-mounts/test-structured-attrs-empty.nix
+++ b/nixos/tests/nix-required-mounts/test-structured-attrs-empty.nix
@@ -1,10 +1,8 @@
-{ pkgs ? import { } }:
-
-pkgs.runCommandNoCC "nix-required-mounts-structured-attrs-no-features" {
- __structuredAttrs = true;
-} ''
- touch $out
-''
-
+ pkgs ? import { },
+}:
+pkgs.runCommandNoCC "nix-required-mounts-structured-attrs-no-features" { __structuredAttrs = true; }
+ ''
+ touch $out
+ ''
diff --git a/nixos/tests/nix-required-mounts/test-structured-attrs.nix b/nixos/tests/nix-required-mounts/test-structured-attrs.nix
index fecd2c32eec0..874910eee7bb 100644
--- a/nixos/tests/nix-required-mounts/test-structured-attrs.nix
+++ b/nixos/tests/nix-required-mounts/test-structured-attrs.nix
@@ -1,15 +1,18 @@
-{ pkgs ? import { }, feature }:
+{
+ pkgs ? import { },
+ feature,
+}:
 pkgs.runCommandNoCC "${feature}-present-structured"
-{
- __structuredAttrs = true;
- requiredSystemFeatures = [ feature ];
-} ''
- if [[ -e /${feature}-files ]]; then
- touch $out
- else
- echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
- echo "Do we fail to parse __structuredAttrs=true derivations?" >&2
- fi
-''
-
+ {
+ __structuredAttrs = true;
+ requiredSystemFeatures = [ feature ];
+ }
+ ''
+ if [[ -e /${feature}-files ]]; then
+ touch $out
+ else
+ echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
+ echo "Do we fail to parse __structuredAttrs=true derivations?" >&2
+ fi
+ ''
diff --git a/pkgs/applications/misc/blender/gpu-checks.nix b/pkgs/applications/misc/blender/gpu-checks.nix
index 144cdeb968c4..bfbaf25b989a 100644
--- a/pkgs/applications/misc/blender/gpu-checks.nix
+++ b/pkgs/applications/misc/blender/gpu-checks.nix
@@ -8,7 +8,7 @@
 }:
 let
- blenderWithCuda = blender.override {cudaSupport = true;};
+ blenderWithCuda = blender.override { cudaSupport = true; };
 name = "${blenderWithCuda.name}-check-cuda";
 unwrapped = writeScriptBin "${name}-unwrapped" ''
 #!${lib.getExe bash}
@@ -16,14 +16,11 @@ let
 '';
 in
 {
- cudaAvailable =
- runCommand name
- {
- nativeBuildInputs = [unwrapped];
- requiredSystemFeatures = ["cuda"];
- passthru = {
- inherit unwrapped;
- };
- }
- "${name}-unwrapped && touch $out";
+ cudaAvailable = runCommand name {
+ nativeBuildInputs = [ unwrapped ];
+ requiredSystemFeatures = [ "cuda" ];
+ passthru = {
+ inherit unwrapped;
+ };
+ } "${name}-unwrapped && touch $out";
 }
diff --git a/pkgs/by-name/ni/nix-required-mounts/closure.nix b/pkgs/by-name/ni/nix-required-mounts/closure.nix
index 70a00e86f729..3e361114bc4c 100644
--- a/pkgs/by-name/ni/nix-required-mounts/closure.nix
+++ b/pkgs/by-name/ni/nix-required-mounts/closure.nix
@@ -3,32 +3,35 @@
 # in the sandbox as well. In practice, things seemed to have worked without
 # this as well, but we go with the safe option until we understand why.
-{ lib
-, runCommand
-, python3Packages
-, allowedPatterns
+{
+ lib,
+ runCommand,
+ python3Packages,
+ allowedPatterns,
 }:
 runCommand "allowed-patterns.json"
-{
- nativeBuildInputs = [ python3Packages.python ];
- exportReferencesGraph =
- builtins.concatMap
- (name:
- builtins.concatMap
- (path:
- let
- prefix = "${builtins.storeDir}/";
- # Has to start with a letter: https://github.com/NixOS/nix/blob/516e7ddc41f39ff939b5d5b5dc71e590f24890d4/src/libstore/build/local-derivation-goal.cc#L568
- exportName = ''references-${lib.strings.removePrefix prefix "${path}"}'';
- isStorePath = lib.isStorePath path && (lib.hasPrefix prefix "${path}");
- in
- lib.optionals isStorePath [ exportName path ])
- allowedPatterns.${name}.paths)
- (builtins.attrNames allowedPatterns);
- env.storeDir = "${builtins.storeDir}/";
- shallowConfig = builtins.toJSON allowedPatterns;
- passAsFile = [ "shallowConfig" ];
-}
+ {
+ nativeBuildInputs = [ python3Packages.python ];
+ exportReferencesGraph = builtins.concatMap (
+ name:
+ builtins.concatMap (
+ path:
+ let
+ prefix = "${builtins.storeDir}/";
+ # Has to start with a letter: https://github.com/NixOS/nix/blob/516e7ddc41f39ff939b5d5b5dc71e590f24890d4/src/libstore/build/local-derivation-goal.cc#L568
+ exportName = ''references-${lib.strings.removePrefix prefix "${path}"}'';
+ isStorePath = lib.isStorePath path && (lib.hasPrefix prefix "${path}");
+ in
+ lib.optionals isStorePath [
+ exportName
+ path
+ ]
+ ) allowedPatterns.${name}.paths
+ ) (builtins.attrNames allowedPatterns);
+ env.storeDir = "${builtins.storeDir}/";
+ shallowConfig = builtins.toJSON allowedPatterns;
+ passAsFile = [ "shallowConfig" ];
+ }
 ''
 python ${./scripts/nix_required_mounts_closure.py}
 ''
diff --git a/pkgs/by-name/ni/nix-required-mounts/package.nix b/pkgs/by-name/ni/nix-required-mounts/package.nix
index eded427635dc..a7b9c3093e3f 100644
--- a/pkgs/by-name/ni/nix-required-mounts/package.nix
+++ b/pkgs/by-name/ni/nix-required-mounts/package.nix
@@ -1,10 +1,16 @@
-{ addOpenGLRunpath
-, cmake
-, allowedPatternsPath ? callPackage ./closure.nix { inherit allowedPatterns; }
-, allowedPatterns ? rec {
+{
+ addOpenGLRunpath,
+ cmake,
+ allowedPatternsPath ? callPackage ./closure.nix { inherit allowedPatterns; },
+ allowedPatterns ? rec {
 # This config is just an example.
 # When the hook observes either of the following requiredSystemFeatures:
- nvidia-gpu.onFeatures = [ "gpu" "nvidia-gpu" "opengl" "cuda" ];
+ nvidia-gpu.onFeatures = [
+ "gpu"
+ "nvidia-gpu"
+ "opengl"
+ "cuda"
+ ];
 # It exposes these paths in the sandbox:
 nvidia-gpu.paths = [
 addOpenGLRunpath.driverLink
@@ -12,28 +18,26 @@
 "/dev/nvidia*"
 ];
 nvidia-gpu.unsafeFollowSymlinks = true;
- }
-, buildPackages
-, callPackage
-, extraWrapperArgs ? [ ]
-, formats
-, lib
-, makeWrapper
-, nix
-, nixosTests
-, python3Packages
-, runCommand
+ },
+ buildPackages,
+ callPackage,
+ extraWrapperArgs ? [ ],
+ formats,
+ lib,
+ makeWrapper,
+ nix,
+ nixosTests,
+ python3Packages,
+ runCommand,
 }:
-
 let
 attrs = builtins.fromTOML (builtins.readFile ./pyproject.toml);
 pname = attrs.project.name;
 inherit (attrs.project) version;
 in
-python3Packages.buildPythonApplication
-{
+python3Packages.buildPythonApplication {
 inherit pname version;
 pyproject = true;
diff --git a/pkgs/development/python-modules/pynvml/test-gpu.nix b/pkgs/development/python-modules/pynvml/test-gpu.nix
index c316d0b5094b..6ab4290a2bba 100644
--- a/pkgs/development/python-modules/pynvml/test-gpu.nix
+++ b/pkgs/development/python-modules/pynvml/test-gpu.nix
@@ -1,23 +1,17 @@
-{ runCommandNoCC
-, python
-}:
+{ runCommandNoCC, python }:
 runCommandNoCC "pynvml-gpu-test"
-{
- nativeBuildInputs = [
- (python.withPackages (ps: [ ps.pynvml ]))
- ];
- requiredSystemFeatures = [
- "cuda"
- ];
-} ''
- python3 << EOF
- import pynvml
- from pynvml.smi import nvidia_smi
+ {
+ nativeBuildInputs = [ (python.withPackages (ps: [ ps.pynvml ])) ];
+ requiredSystemFeatures = [ "cuda" ];
+ }
+ ''
+ python3 << EOF
+ import pynvml
+ from pynvml.smi import nvidia_smi
- pynvml.nvmlInit()
- EOF
-
- touch $out
-''
+ pynvml.nvmlInit()
+ EOF
+ touch $out
+ ''
diff --git a/pkgs/development/python-modules/torch/gpu-checks.nix b/pkgs/development/python-modules/torch/gpu-checks.nix
index 71004d8457b2..371b83f1b778 100644
--- a/pkgs/development/python-modules/torch/gpu-checks.nix
+++ b/pkgs/development/python-modules/torch/gpu-checks.nix
@@ -16,7 +16,7 @@ let
 }:
 let
 name = "${torch.name}-${feature}-check";
- unwrapped = writers.writePython3Bin "${name}-unwrapped" {libraries = [torch];} ''
+ unwrapped = writers.writePython3Bin "${name}-unwrapped" { libraries = [ torch ]; } ''
 import torch
 message = f"{torch.cuda.is_available()=} and {torch.version.${versionAttr}=}"
 assert torch.cuda.is_available() and torch.version.${versionAttr}, message
@@ -25,8 +25,8 @@ let
 in
 runCommandNoCC name {
- nativeBuildInputs = [unwrapped];
- requiredSystemFeatures = [feature];
+ nativeBuildInputs = [ unwrapped ];
+ requiredSystemFeatures = [ feature ];
 passthru = {
 inherit unwrapped;
 };