Fixup various issues with the nix.conf / nix.custom.conf split (#1393)

* fixup: no newline at the beginning of the config * Use extra-experimental-features instead of experimental-features * Move the user's ssl cert file into the custom config * Add a footer to the config So that we can place the "include" directive at the end of our standard config, allowing users to override our defaults. * Force `experimental-features` passed in `--extra-conf` to become `extra-experimental-features` Otherwise, users may accidentally override our `experimental-features` default of `nix-command` and `flakes`. If a user truly wanted to override this, they can manually modify the `nix.conf` / `nix.custom.conf` after the install completes. * Temporarily write trusted-users specified in `--extra-conf` to nix.conf _AND_ nix.custom.conf Cachix relies on the presence of this setting in the system `/etc/nix/nix.conf` so that it can provide users with a helpful error if `cachix use`ing a cache would not actually work for them (because only trusted users can modify the trusted caches and trusted cache signing keys in their user-specific configuration). * Test trusted-user, experimental-features changes * fixup: spacing, naming nits --------- Co-authored-by: Graham Christensen <[email protected]>
DeterminateSystems · Jan 15, 2025 · d7de0e4 · d7de0e4
1 parent 35c93ca
commit d7de0e4
Show file tree

Hide file tree

Showing 3 changed files with 329 additions and 54 deletions.
diff --git a/src/action/base/create_directory.rs b/src/action/base/create_directory.rs
@@ -21,11 +21,11 @@ If `force_prune_on_revert` is set, the folder will always be deleted on
 #[serde(tag = "action_name", rename = "create_directory")]
 pub struct CreateDirectory {
     pub(crate) path: PathBuf,
-    user: Option<String>,
-    group: Option<String>,
-    mode: Option<u32>,
-    is_mountpoint: bool,
-    force_prune_on_revert: bool,
+    pub(crate) user: Option<String>,
+    pub(crate) group: Option<String>,
+    pub(crate) mode: Option<u32>,
+    pub(crate) is_mountpoint: bool,
+    pub(crate) force_prune_on_revert: bool,
 }
 
 impl CreateDirectory {

diff --git a/src/action/base/create_or_merge_nix_config.rs b/src/action/base/create_or_merge_nix_config.rs
@@ -15,9 +15,13 @@ use crate::action::{
     Action, ActionDescription, ActionError, ActionErrorKind, ActionTag, StatefulAction,
 };
 
+pub(crate) const TRUSTED_USERS_CONF_NAME: &str = "trusted-users";
+pub(crate) const EXPERIMENTAL_FEATURES_CONF_NAME: &str = "experimental-features";
+pub(crate) const EXTRA_EXPERIMENTAL_FEATURES_CONF_NAME: &str = "extra-experimental-features";
 /// The `nix.conf` configuration names that are safe to merge.
 // FIXME(@cole-h): make configurable by downstream users?
-const MERGEABLE_CONF_NAMES: &[&str] = &["experimental-features"];
+// NOTE(cole-h): evaluate if any additions here need to be handled in PlaceNixConfiguration::setup_extra_config
+const MERGEABLE_CONF_NAMES: &[&str] = &[EXPERIMENTAL_FEATURES_CONF_NAME];
 const NIX_CONF_MODE: u32 = 0o644;
 const NIX_CONF_COMMENT_CHAR: char = '#';
 
@@ -48,6 +52,7 @@ pub struct CreateOrMergeNixConfig {
     pub(crate) path: PathBuf,
     pending_nix_config: NixConfig,
     header: String,
+    footer: Option<String>,
 }
 
 impl CreateOrMergeNixConfig {
@@ -56,13 +61,15 @@ impl CreateOrMergeNixConfig {
         path: impl AsRef<Path>,
         pending_nix_config: NixConfig,
         header: String,
+        footer: Option<String>,
     ) -> Result<StatefulAction<Self>, ActionError> {
         let path = path.as_ref().to_path_buf();
 
         let this = Self {
             path,
             pending_nix_config,
             header,
+            footer,
         };
 
         if this.path.exists() {
@@ -405,6 +412,12 @@ impl Action for CreateOrMergeNixConfig {
             new_config.push('\n');
         }
 
+        if let Some(footer) = &self.footer {
+            new_config.push('\n');
+            new_config.push_str(footer);
+            new_config.push('\n');
+        }
+
         temp_file
             .write_all(new_config.as_bytes())
             .await
@@ -466,15 +479,21 @@ mod test {
         nix_config
             .settings_mut()
             .insert("experimental-features".into(), "ca-references".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            Some("# opa".into()),
+        )
+        .await?;
 
         action.try_execute().await?;
 
         let s = std::fs::read_to_string(&test_file)?;
         assert!(s.contains("# Generated by"));
         assert!(s.contains("ca-references"));
+
+        assert!(s.contains("# opa"));
         assert!(NixConfig::parse_file(&test_file).is_ok());
 
         action.try_revert().await?;
@@ -494,9 +513,13 @@ mod test {
         nix_config
             .settings_mut()
             .insert("experimental-features".into(), "ca-references".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            None,
+        )
+        .await?;
 
         action.try_execute().await?;
 
@@ -524,9 +547,13 @@ mod test {
         nix_config
             .settings_mut()
             .insert("experimental-features".into(), "flakes".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            None,
+        )
+        .await?;
 
         action.try_execute().await?;
 
@@ -558,9 +585,13 @@ mod test {
         nix_config
             .settings_mut()
             .insert("allow-dirty".into(), "false".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            None,
+        )
+        .await?;
 
         action.try_execute().await?;
 
@@ -605,7 +636,7 @@ mod test {
         nix_config
             .settings_mut()
             .insert("warn-dirty".into(), "false".into());
-        match CreateOrMergeNixConfig::plan(&test_file, nix_config, "".to_string()).await {
+        match CreateOrMergeNixConfig::plan(&test_file, nix_config, "".to_string(), None).await {
             Err(err) => {
                 if let ActionErrorKind::Custom(e) = err.kind() {
                     match e.downcast_ref::<CreateOrMergeNixConfigError>() {
@@ -647,9 +678,13 @@ mod test {
         nix_config
             .settings_mut()
             .insert("experimental-features".into(), "ca-references".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            None,
+        )
+        .await?;
 
         action.try_execute().await?;
 
@@ -681,9 +716,13 @@ mod test {
         nix_config
             .settings_mut()
             .insert("experimental-features".into(), "ca-references".into());
-        let mut action =
-            CreateOrMergeNixConfig::plan(&test_file, nix_config, "# Generated by".to_string())
-                .await?;
+        let mut action = CreateOrMergeNixConfig::plan(
+            &test_file,
+            nix_config,
+            "# Generated by".to_string(),
+            None,
+        )
+        .await?;
 
         action.try_execute().await?;