1 #pragma once 2 3 #include "types.hh" 4 #include "config.hh" 5 #include "util.hh" 6 7 #include <map> 8 #include <limits> 9 10 #include <sys/types.h> 11 12 namespace nix { 13 14 typedef enum { smEnabled, smRelaxed, smDisabled } SandboxMode; 15 16 struct MaxBuildJobsSetting : public BaseSetting<unsigned int> 17 { MaxBuildJobsSettingnix::MaxBuildJobsSetting18 MaxBuildJobsSetting(Config * options, 19 unsigned int def, 20 const std::string & name, 21 const std::string & description, 22 const std::set<std::string> & aliases = {}) 23 : BaseSetting<unsigned int>(def, name, description, aliases) 24 { 25 options->addSetting(this); 26 } 27 28 void set(const std::string & str) override; 29 }; 30 31 class Settings : public Config { 32 33 unsigned int getDefaultCores(); 34 35 StringSet getDefaultSystemFeatures(); 36 37 bool isWSL1(); 38 39 public: 40 41 Settings(); 42 43 Path nixPrefix; 44 45 /* The directory where we store sources and derived files. */ 46 Path nixStore; 47 48 Path nixDataDir; /* !!! fix */ 49 50 /* The directory where we log various operations. */ 51 Path nixLogDir; 52 53 /* The directory where state is stored. */ 54 Path nixStateDir; 55 56 /* The directory where configuration files are stored. */ 57 Path nixConfDir; 58 59 /* The directory where internal helper programs are stored. */ 60 Path nixLibexecDir; 61 62 /* The directory where the main programs are stored. */ 63 Path nixBinDir; 64 65 /* The directory where the man pages are stored. */ 66 Path nixManDir; 67 68 /* File name of the socket the daemon listens to. */ 69 Path nixDaemonSocketFile; 70 71 Setting<std::string> storeUri{this, getEnv("NIX_REMOTE", "auto"), "store", 72 "The default Nix store to use."}; 73 74 Setting<bool> keepFailed{this, false, "keep-failed", 75 "Whether to keep temporary directories of failed builds."}; 76 77 Setting<bool> keepGoing{this, false, "keep-going", 78 "Whether to keep building derivations when another build fails."}; 79 80 Setting<bool> tryFallback{this, false, "fallback", 81 "Whether to fall back to building when substitution fails.", 82 {"build-fallback"}}; 83 84 /* Whether to show build log output in real time. */ 85 bool verboseBuild = true; 86 87 Setting<size_t> logLines{this, 10, "log-lines", 88 "If verbose-build is false, the number of lines of the tail of " 89 "the log to show if a build fails."}; 90 91 MaxBuildJobsSetting maxBuildJobs{this, 1, "max-jobs", 92 "Maximum number of parallel build jobs. \"auto\" means use number of cores.", 93 {"build-max-jobs"}}; 94 95 Setting<unsigned int> buildCores{this, getDefaultCores(), "cores", 96 "Number of CPU cores to utilize in parallel within a build, " 97 "i.e. by passing this number to Make via '-j'. 0 means that the " 98 "number of actual CPU cores on the local host ought to be " 99 "auto-detected.", {"build-cores"}}; 100 101 /* Read-only mode. Don't copy stuff to the store, don't change 102 the database. */ 103 bool readOnlyMode = false; 104 105 Setting<std::string> thisSystem{this, SYSTEM, "system", 106 "The canonical Nix system name."}; 107 108 Setting<time_t> maxSilentTime{this, 0, "max-silent-time", 109 "The maximum time in seconds that a builer can go without " 110 "producing any output on stdout/stderr before it is killed. " 111 "0 means infinity.", 112 {"build-max-silent-time"}}; 113 114 Setting<time_t> buildTimeout{this, 0, "timeout", 115 "The maximum duration in seconds that a builder can run. " 116 "0 means infinity.", {"build-timeout"}}; 117 118 PathSetting buildHook{this, true, nixLibexecDir + "/nix/build-remote", "build-hook", 119 "The path of the helper program that executes builds to remote machines."}; 120 121 Setting<std::string> builders{this, "@" + nixConfDir + "/machines", "builders", 122 "A semicolon-separated list of build machines, in the format of nix.machines."}; 123 124 Setting<bool> buildersUseSubstitutes{this, false, "builders-use-substitutes", 125 "Whether build machines should use their own substitutes for obtaining " 126 "build dependencies if possible, rather than waiting for this host to " 127 "upload them."}; 128 129 Setting<off_t> reservedSize{this, 8 * 1024 * 1024, "gc-reserved-space", 130 "Amount of reserved disk space for the garbage collector."}; 131 132 Setting<bool> fsyncMetadata{this, true, "fsync-metadata", 133 "Whether SQLite should use fsync()."}; 134 135 Setting<bool> useSQLiteWAL{this, !isWSL1(), "use-sqlite-wal", 136 "Whether SQLite should use WAL mode."}; 137 138 Setting<bool> syncBeforeRegistering{this, false, "sync-before-registering", 139 "Whether to call sync() before registering a path as valid."}; 140 141 Setting<bool> useSubstitutes{this, true, "substitute", 142 "Whether to use substitutes.", 143 {"build-use-substitutes"}}; 144 145 Setting<std::string> buildUsersGroup{this, "", "build-users-group", 146 "The Unix group that contains the build users."}; 147 148 Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26", 149 "Whether to impersonate a Linux 2.6 machine on newer kernels.", 150 {"build-impersonate-linux-26"}}; 151 152 Setting<bool> keepLog{this, true, "keep-build-log", 153 "Whether to store build logs.", 154 {"build-keep-log"}}; 155 156 Setting<bool> compressLog{this, true, "compress-build-log", 157 "Whether to compress logs.", 158 {"build-compress-log"}}; 159 160 Setting<unsigned long> maxLogSize{this, 0, "max-build-log-size", 161 "Maximum number of bytes a builder can write to stdout/stderr " 162 "before being killed (0 means no limit).", 163 {"build-max-log-size"}}; 164 165 /* When buildRepeat > 0 and verboseBuild == true, whether to print 166 repeated builds (i.e. builds other than the first one) to 167 stderr. Hack to prevent Hydra logs from being polluted. */ 168 bool printRepeatedBuilds = true; 169 170 Setting<unsigned int> pollInterval{this, 5, "build-poll-interval", 171 "How often (in seconds) to poll for locks."}; 172 173 Setting<bool> checkRootReachability{this, false, "gc-check-reachability", 174 "Whether to check if new GC roots can in fact be found by the " 175 "garbage collector."}; 176 177 Setting<bool> gcKeepOutputs{this, false, "keep-outputs", 178 "Whether the garbage collector should keep outputs of live derivations.", 179 {"gc-keep-outputs"}}; 180 181 Setting<bool> gcKeepDerivations{this, true, "keep-derivations", 182 "Whether the garbage collector should keep derivers of live paths.", 183 {"gc-keep-derivations"}}; 184 185 Setting<bool> autoOptimiseStore{this, false, "auto-optimise-store", 186 "Whether to automatically replace files with identical contents with hard links."}; 187 188 Setting<bool> envKeepDerivations{this, false, "keep-env-derivations", 189 "Whether to add derivations as a dependency of user environments " 190 "(to prevent them from being GCed).", 191 {"env-keep-derivations"}}; 192 193 /* Whether to lock the Nix client and worker to the same CPU. */ 194 bool lockCPU; 195 196 /* Whether to show a stack trace if Nix evaluation fails. */ 197 Setting<bool> showTrace{this, false, "show-trace", 198 "Whether to show a stack trace on evaluation errors."}; 199 200 Setting<SandboxMode> sandboxMode{this, 201 #if __linux__ 202 smEnabled 203 #else 204 smDisabled 205 #endif 206 , "sandbox", 207 "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".", 208 {"build-use-chroot", "build-use-sandbox"}}; 209 210 Setting<PathSet> sandboxPaths{this, {}, "sandbox-paths", 211 "The paths to make available inside the build sandbox.", 212 {"build-chroot-dirs", "build-sandbox-paths"}}; 213 214 Setting<bool> sandboxFallback{this, true, "sandbox-fallback", 215 "Whether to disable sandboxing when the kernel doesn't allow it."}; 216 217 Setting<PathSet> extraSandboxPaths{this, {}, "extra-sandbox-paths", 218 "Additional paths to make available inside the build sandbox.", 219 {"build-extra-chroot-dirs", "build-extra-sandbox-paths"}}; 220 221 Setting<size_t> buildRepeat{this, 0, "repeat", 222 "The number of times to repeat a build in order to verify determinism.", 223 {"build-repeat"}}; 224 225 #if __linux__ 226 Setting<std::string> sandboxShmSize{this, "50%", "sandbox-dev-shm-size", 227 "The size of /dev/shm in the build sandbox."}; 228 229 Setting<Path> sandboxBuildDir{this, "/build", "sandbox-build-dir", 230 "The build directory inside the sandbox."}; 231 #endif 232 233 Setting<PathSet> allowedImpureHostPrefixes{this, {}, "allowed-impure-host-deps", 234 "Which prefixes to allow derivations to ask for access to (primarily for Darwin)."}; 235 236 #if __APPLE__ 237 Setting<bool> darwinLogSandboxViolations{this, false, "darwin-log-sandbox-violations", 238 "Whether to log Darwin sandbox access violations to the system log."}; 239 #endif 240 241 Setting<bool> runDiffHook{this, false, "run-diff-hook", 242 "Whether to run the program specified by the diff-hook setting " 243 "repeated builds produce a different result. Typically used to " 244 "plug in diffoscope."}; 245 246 PathSetting diffHook{this, true, "", "diff-hook", 247 "A program that prints out the differences between the two paths " 248 "specified on its command line."}; 249 250 Setting<bool> enforceDeterminism{this, true, "enforce-determinism", 251 "Whether to fail if repeated builds produce different output."}; 252 253 Setting<Strings> trustedPublicKeys{this, 254 {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="}, 255 "trusted-public-keys", 256 "Trusted public keys for secure substitution.", 257 {"binary-cache-public-keys"}}; 258 259 Setting<Strings> secretKeyFiles{this, {}, "secret-key-files", 260 "Secret keys with which to sign local builds."}; 261 262 Setting<unsigned int> tarballTtl{this, 60 * 60, "tarball-ttl", 263 "How long downloaded files are considered up-to-date."}; 264 265 Setting<bool> requireSigs{this, true, "require-sigs", 266 "Whether to check that any non-content-addressed path added to the " 267 "Nix store has a valid signature (that is, one signed using a key " 268 "listed in 'trusted-public-keys'."}; 269 270 Setting<StringSet> extraPlatforms{this, 271 std::string{SYSTEM} == "x86_64-linux" ? StringSet{"i686-linux"} : StringSet{}, 272 "extra-platforms", 273 "Additional platforms that can be built on the local system. " 274 "These may be supported natively (e.g. armv7 on some aarch64 CPUs " 275 "or using hacks like qemu-user."}; 276 277 Setting<StringSet> systemFeatures{this, getDefaultSystemFeatures(), 278 "system-features", 279 "Optional features that this system implements (like \"kvm\")."}; 280 281 Setting<Strings> substituters{this, 282 nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(), 283 "substituters", 284 "The URIs of substituters (such as https://cache.nixos.org/).", 285 {"binary-caches"}}; 286 287 // FIXME: provide a way to add to option values. 288 Setting<Strings> extraSubstituters{this, {}, "extra-substituters", 289 "Additional URIs of substituters.", 290 {"extra-binary-caches"}}; 291 292 Setting<StringSet> trustedSubstituters{this, {}, "trusted-substituters", 293 "Disabled substituters that may be enabled via the substituters option by untrusted users.", 294 {"trusted-binary-caches"}}; 295 296 Setting<Strings> trustedUsers{this, {"root"}, "trusted-users", 297 "Which users or groups are trusted to ask the daemon to do unsafe things."}; 298 299 Setting<unsigned int> ttlNegativeNarInfoCache{this, 3600, "narinfo-cache-negative-ttl", 300 "The TTL in seconds for negative lookups in the disk cache i.e binary cache lookups that " 301 "return an invalid path result"}; 302 303 Setting<unsigned int> ttlPositiveNarInfoCache{this, 30 * 24 * 3600, "narinfo-cache-positive-ttl", 304 "The TTL in seconds for positive lookups in the disk cache i.e binary cache lookups that " 305 "return a valid path result."}; 306 307 /* ?Who we trust to use the daemon in safe ways */ 308 Setting<Strings> allowedUsers{this, {"*"}, "allowed-users", 309 "Which users or groups are allowed to connect to the daemon."}; 310 311 Setting<bool> printMissing{this, true, "print-missing", 312 "Whether to print what paths need to be built or downloaded."}; 313 314 Setting<std::string> preBuildHook{this, "", 315 "pre-build-hook", 316 "A program to run just before a build to set derivation-specific build settings."}; 317 318 Setting<std::string> postBuildHook{this, "", "post-build-hook", 319 "A program to run just after each successful build."}; 320 321 Setting<std::string> netrcFile{this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file", 322 "Path to the netrc file used to obtain usernames/passwords for downloads."}; 323 324 /* Path to the SSL CA file used */ 325 Path caFile; 326 327 #if __linux__ 328 Setting<bool> filterSyscalls{this, true, "filter-syscalls", 329 "Whether to prevent certain dangerous system calls, such as " 330 "creation of setuid/setgid files or adding ACLs or extended " 331 "attributes. Only disable this if you're aware of the " 332 "security implications."}; 333 334 Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges", 335 "Whether builders can acquire new privileges by calling programs with " 336 "setuid/setgid bits or with file capabilities."}; 337 #endif 338 339 Setting<Strings> hashedMirrors{this, {"http://tarballs.nixos.org/"}, "hashed-mirrors", 340 "A list of servers used by builtins.fetchurl to fetch files by hash."}; 341 342 Setting<uint64_t> minFree{this, 0, "min-free", 343 "Automatically run the garbage collector when free disk space drops below the specified amount."}; 344 345 Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free", 346 "Stop deleting garbage when free disk space is above the specified amount."}; 347 348 Setting<uint64_t> minFreeCheckInterval{this, 5, "min-free-check-interval", 349 "Number of seconds between checking free disk space."}; 350 351 Setting<Paths> pluginFiles{this, {}, "plugin-files", 352 "Plugins to dynamically load at nix initialization time."}; 353 }; 354 355 356 // FIXME: don't use a global variable. 357 extern Settings settings; 358 359 /* This should be called after settings are initialized, but before 360 anything else */ 361 void initPlugins(); 362 363 void loadConfFile(); 364 365 extern const string nixVersion; 366 367 } 368