Commit Graph

176 Commits

Author SHA1 Message Date
Artemis Tosini
c9526e289a Add new libexec/nix-nswrapper program
nix-nswrapper allows running nix in its own user namespace,
believing it is root and with access to build users for sandboxing
with auto-allocate-uids, while it is actually unprivileged.

It is used to wrap nix, and an example of its use has been
added to the unprivileged daemon functional tests.

Running it does not require any elevated privileges,
only uids and gids allocated in /etc/sub{uid,gid}
2026-02-11 16:53:08 -05:00
Sergei Zimmerman
3b473c4be5 Merge pull request #14952 from koberbe/koberbe/master/SW-100752-nix-commands-help-is-missing-unformatted
Install nix-manual in default user profile
2026-02-07 15:37:54 +00:00
Sergei Zimmerman
f43566f4d7 packaging/components: Drop hardeningDisable
This is no longer necessary and produces an eval warning:

> evaluation warning: The 'pie' hardening flag has been removed in favor of enabling PIE by default in compilers and should no longer be used.

This was first introduced in 2200f315da, but
is no longer necessary since the switch to meson.
2026-01-25 22:12:32 +03:00
Taeer Bar-Yam
db576d599c fix infinite recursion 2026-01-25 22:07:18 +03:00
Taeer Bar-Yam
8928cb4fb8 separateDebugInfo implies __structuredAttrs 2026-01-25 22:07:00 +03:00
Sergei Zimmerman
0dd38bc8b6 packaging/dependencies: Override fixes
- nghttp3 is not supported on mingw
- onetbb doesn't build on mingw
- lowdown override is no longer needed, same for toml11
2026-01-25 22:05:53 +03:00
Sergei Zimmerman
dcaaf2c65f dev-shell: Use stdenv.hostPlatform instead of hostPlatform
This is now a warning in 25.11:

> evaluation warning: 'hostPlatform' has been renamed to/replaced by 'stdenv.hostPlatform'
2026-01-25 00:50:56 +03:00
Eelco Dolstra
33ce87276f Fix typo spotted by coderabbit 2026-01-16 20:08:56 +01:00
Kai Oberbeckmann
cd6eb7e473 Install nix-manual in default user profile
This makes man pages available in the default profile after using nix
installer.

Relates to: https://github.com/NixOS/nix/issues/12382
2026-01-09 16:16:44 +01:00
Sergei Zimmerman
931f84b720 Merge pull request #14921 from qowoz/lowdown
packaging: fix lowdown with overridden nixpkgs
2026-01-06 03:41:10 +00:00
zowoq
ec12953822 packaging: fix lowdown with overridden nixpkgs
unstable has a patch that doesn't apply to 2.0.2
2026-01-06 13:15:55 +10:00
Sergei Zimmerman
ab7c0ae4a3 Drop kaitai checks
Pulling in the java into the tests closure for just testing a piece of code
for the docs (and the tests actually are wrong, since a correct parser must *reject*
those NARs). This is too much of an ask to maintain for zero benefit. I already had
to disable it basically everywhere, because it works only on linux.

It can be revisited in the future, but considering that it's not exercised anywhere and
shouldn't be used anywhere other than a toy example for the docs I think it's best to drop
it.
2026-01-04 21:45:34 -05:00
Sergei Zimmerman
4b8991256a dev-shell: Fix on freebsd 2026-01-01 15:26:54 +03:00
David McFarland
ce16d6fdd3 packaging: disable LTO on cygwin
This was already done for windows, and it fails in the same way.
2025-12-20 22:52:44 -04:00
John Ericson
a5edc2d921 Fix up dev shell in a few ways
- Skip packages that don't build for Windows when building for windows
- Automatically disable kaitai / json schema, fixing todo
- Skip native build of Nix for manual
2025-12-17 15:41:47 -05:00
Eelco Dolstra
fc81840a8e dev-shell: Set mesonBuildType to debugoptimized
Previously, we got debug symbols implicitly because we were using
`separateDebugInfo = true`, which adds `-ggdb` to the compiler flags.
2025-12-15 19:09:37 +01:00
Sergei Zimmerman
0302cd00c9 packaging/hydra: Don't build kaitai nar docs tests in hydra
It's not evaling on hydra currently and is only part of the docs. Support
for this it best effort at best so we should not build this in hydra, considering
the amount of effort required to support this. I would even consider dropping these
checks and component altogether, since there doesn't seem to be much interest in maintaining
these docs from the core team anyway.
2025-12-08 00:37:10 +03:00
Robert Hensing
ab0ca5f922 doc: make HTML manual build optional
Add `html-manual` Meson option to allow building manpages without the
HTML manual, removing the mdbook dependency for manpage-only builds.

Changes:
- Add `html-manual` Meson option (default: true)
- Make HTML manual build conditional in meson.build
- Add `buildHtmlManual` parameter to package.nix
- Conditional outputs: ["out" "man"] when enabled, ["out"] when disabled
- Make mdbook/rsync/json-schema-for-humans dependencies conditional
- Add `nix-manual-manpages-only` package variant

This allows systems that only need manpages to avoid the mdbook build
dependency while preserving full functionality for HTML manual builds.
2025-12-06 22:35:45 +01:00
Robert Hensing
0aef1ddb9e maint: Fix lowdown override compatibility with newer nixpkgs
Use `or ""` fallback for postInstall attribute which may not exist in
newer nixpkgs versions of lowdown.
2025-12-02 02:38:33 +01:00
Sergei Zimmerman
2de742155a packaging: Unbork win shells with unavailable dependencies
Makes the cross-x86_64-w64-mingw32 devshell slightly less
broken. It still needs a bit of massaging to function, but
that's much less cumbersome now that the generic machinery
with genericClosure that evaluates drvPath doesn't barf on
unavailable packages.
2025-11-19 00:43:28 +03:00
Sergei Zimmerman
bdeaf976bd packaging/dev-shell: Fix configurePhase
Since 918c1a9e58 configurePhase variable points to cmakeConfigurePhase
and runPhase configurePhase does the wrong thing.

configurePhase function on the other hand still worked correctly.
2025-11-17 20:58:27 +03:00
Robert Hensing
1fa235b77c devShells: Infer inputs from input closure boundary 2025-11-07 15:17:49 -05:00
Jörg Thalheim
724086005a nix-kaitai-struct: make it not longer part of the devshell
just now pulls in jdk in
2025-11-05 22:22:45 +01:00
Farid Zakaria
53b4ea6c85 Add documentation for NAR spec in kaitai
* Add a new flake check
* Add unit tests
* Add Kaitai spec
* Updated documentation
2025-11-03 12:59:16 -05:00
Robert Hensing
01b001d5ba Add JSON Schema infrastructure, use for Derivation
For manual, and testing formats
2025-10-16 17:24:18 -04:00
Bernardo Meurer Costa
9295c14a35 refactor(libstore): replace AWS SDK with curl-based S3 implementation
This commit replaces the AWS C++ SDK with a lighter curl-based approach
for S3 binary cache operations.

- Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer
- Added lightweight aws-crt-cpp for credential resolution only
- Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0)
- S3BinaryCacheStore now delegates to HttpBinaryCacheStore
- Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL
- Multipart uploads are no longer supported (may be reimplemented later)
- Build now requires curl >= 7.75.0 for AWS SigV4 support

Fixes: #13084, #12671, #11748, #12403, #5947
2025-10-15 18:23:55 +00:00
John Ericson
606eb1dfb5 Merge pull request #14250 from fzakaria/patch-1
Remove duplicate shellcheck in dev-shell.nix
2025-10-15 05:03:19 +00:00
Farid Zakaria
7bc3d9b9a9 First attempt at uwyu for libflake 2025-10-14 22:53:13 -04:00
Farid Zakaria
092639709f Remove duplicate shellcheck in dev-shell.nix 2025-10-14 19:25:06 -07:00
Sergei Zimmerman
89b35ec0dc packaging/hydra: buildNoGC is the same as buildWithSanitizers
This will reduce the load on hydra. It doesn't make sense to
build 2 slightly different variations where the difference
is only in the nix-perl-bindings and additional sanitizers.
2025-10-12 22:10:35 +03:00
Sergei Zimmerman
de75a180cb packaging: Add buildWithSanitizers to hydraJobs 2025-10-12 19:38:01 +03:00
Sergei Zimmerman
a491173369 packaging: Add withASan,withUBSan options to the scope 2025-10-12 19:16:08 +03:00
Sergei Zimmerman
47705139c9 packaging: Remove no longer necessary libgit2 patches
25.05 already has 1.9.0 and we don't support older nixpkgs versions.
2025-10-11 16:30:55 +03:00
Seth Flynn
0f016f9bf5 packaging: only override toml11 when necessary
v4.4.0 hit Nixpkgs in https://github.com/NixOS/nixpkgs/pull/442682.
Ideally we'd just use that, but this keeps the fallback behavior until
it's more widespread
2025-10-09 03:24:57 -04:00
Sergei Zimmerman
c5b88c22fa dev-shell: Disable separateDebugInfo
This breaks gdb pretty-printers inserted into .debug_gdb_scripts section,
because it implies --compress-debug-sections=zlib, -Wa,--compress-debug-sections.
This is very unfortunate, because then gdb can't use pretty printers for
Boost.Unordered (which are very useful, since boost::unoredred_flat_map is
impossible to debug). This seems perfectly fine to disable in the dev-shell for
the time being.

See [1-3] for further references.

With this change I'm able to use boost's pretty-printers out-of-the box:

```
p *importResolutionCache
$2 = boost::concurrent_flat_map with 1 elements = {[{accessor = {p = std::shared_ptr<nix::SourceAccessor> (use count 5, weak count 1) = {
        get() = 0x555555d830a8}}, path = {static root = {static root = <same as static member of an already seen type>, path = "/"},
      path = "/derivation-internal.nix"}}] = {accessor = {p = std::shared_ptr<nix::SourceAccessor> (use count 5, weak count 1) = {
        get() = 0x555555d830a8}}, path = {static root = {static root = <same as static member of an already seen type>, path = "/"},
      path = "/derivation-internal.nix"}}}
```

When combined with a simple `add-auto-load-safe-path ~/code` in .gdbinit

[1]: https://gerrit.lix.systems/c/lix/+/3880
[2]: https://git.lix.systems/lix-project/lix/issues/1003
[3]: https://sourceware.org/pipermail/gdb-patches/2025-October/221398.html
2025-10-08 00:57:34 +03:00
Sergei Zimmerman
c1f805b856 packaging: Build without symbolic interposition on GCC
This turns out to be a big problem for performance of Bison
generated code, that for whatever reason cannot be made internal
to the shared library. This causes GCC to make a bunch of function
calls go through PLT. Ideally these hot functions (like move/copy ctor) could become
inline in upstream Bison. That will make sure that GCC can do interprocedular
optimizations without -fno-semantic-interposition [^]. Considering that
LLVM already does inlining and whatnot is a good motivation for this change.
I don't know of any case where Nix relies on LD_PRELOAD tricks for the shared
libraries in production use-cases.

[^]: https://maskray.me/blog/2021-05-09-fno-semantic-interposition
2025-09-29 01:46:40 +03:00
Robert Hensing
df23f2b3c1 packaging/dev-shell: Add shellcheck
It was already in the closure for the pre-commit hook installation
script.
2025-09-22 19:09:35 +02:00
Sergei Zimmerman
20b532eab0 packaging: Drop legacy apple sdk pattern
This has been dropped on unstable an nix no longer
compiled with overridden nixpkgs input. On 25.05 these
overrides already do nothing.

Tested with:

nix build .#packages.x86_64-darwin.nix-cli -L --override-input nixpkgs https://releases.nixos.org/nixos/unstable/nixos-25.11pre859555.ab0f3607a6c7/nixexprs.tar.xz

Default deployment target on 25.05 is 11.3, so 10.13
sdk override doesn't have to be updated at all as evident
from the fact that we didn't observe any issues with it.
2025-09-13 01:07:42 +03:00
Sergei Zimmerman
8251305aff Reapply "Merge pull request #13741 from xokdvium/toml-timestamps"
This reverts commit 75740fbd75.
2025-09-01 01:26:14 +03:00
Sergei Zimmerman
1d943f5819 flake: Apply nixfmt 1.0.0 2025-08-18 20:29:45 +03:00
Sergei Zimmerman
0216775ab7 packaging: Fix lowdown cross
Stupid mistake on my part. `binaryTarballCross.x86_64-linux.x86_64-unknown-freebsd` now
builds as expected.
2025-08-18 12:57:04 +03:00
Sergei Zimmerman
3ffeed497a packaging: Update lowdown to 2.0.2
Nixpkgs has been updated with this version and seems
like next stable nixos release will ship with lowdown 2.0.
2025-08-17 20:49:50 +03:00
Sergei Zimmerman
0348030ae2 dev-shell: Add gdb
It's about time we added debuggers to the dev-shell. Having it in build inputs
does some magic so pretty printers for standard library types work better.
2025-08-16 18:27:39 +03:00
Jörg Thalheim
75740fbd75 Revert "Merge pull request #13741 from xokdvium/toml-timestamps"
This reverts commit 53ac49f72c, reversing
changes made to 8e5ca787f4.

This broke nixpkgs eval test that was depending overflowing integers...
2025-08-13 22:46:09 +02:00
Sergei Zimmerman
320b2c74ef packaging: Build with toml11 4.4.0 2025-08-12 22:22:12 +03:00
John Ericson
bd9ce27df0 Merge pull request #13713 from Mic92/freebsd-installer
add freebsd multi-user installer
2025-08-08 11:53:02 -04:00
Sergei Zimmerman
51c0e6bc63 hydra: Restore coverage job
Sometime ago we lost the coverage job in the midst of
meson migration. Until we have something like codecov
it'd be very useful to restore this job with the html
reports and historical metrics.

As a bonus we get more coverage metrics by switching to
LLVM tooling from LCOV.
2025-08-08 12:05:06 +03:00
Jörg Thalheim
11d03893f8 add freebsd multi-user installer 2025-08-08 09:10:35 +02:00
Eelco Dolstra
0d559f0c13 Increase the initial Boehm GC mark stack size
If the mark stack size is too small, it greatly inhibits parallel
marking, which is very bad for performance on multi-core systems.
2025-08-07 11:45:06 +02:00
Jörg Thalheim
c7af923865 Merge pull request #13445 from xokdvium/simplify-util-url
libutil: Use Boost.URL for URI parsing
2025-08-04 19:46:58 +02:00