about summary refs log tree commit diff
path: root/third_party/nix/src/libstore/globals.hh
#pragma once

#include <limits>
#include <map>

#include <sys/types.h>

#include "config.hh"
#include "types.hh"
#include "util.hh"

namespace nix {

typedef enum { smEnabled, smRelaxed, smDisabled } SandboxMode;

struct MaxBuildJobsSetting : public BaseSetting<unsigned int> {
  MaxBuildJobsSetting(Config* options, unsigned int def,
                      const std::string& name, const std::string& description,
                      const std::set<std::string>& aliases = {})
      : BaseSetting<unsigned int>(def, name, description, aliases) {
    options->addSetting(this);
  }

  void set(const std::string& str) override;
};

class Settings : public Config {
  static unsigned int getDefaultCores();

  static StringSet getDefaultSystemFeatures();

 public:
  Settings();

  Path nixPrefix;

  /* The directory where we store sources and derived files. */
  Path nixStore;

  Path nixDataDir; /* !!! fix */

  /* The directory where we log various operations. */
  Path nixLogDir;

  /* The directory where state is stored. */
  Path nixStateDir;

  /* The directory where configuration files are stored. */
  Path nixConfDir;

  /* The directory where internal helper programs are stored. */
  Path nixLibexecDir;

  /* The directory where the main programs are stored. */
  Path nixBinDir;

  /* The directory where the man pages are stored. */
  Path nixManDir;

  /* File name of the socket the daemon listens to.  */
  Path nixDaemonSocketFile;

  Setting<std::string> storeUri{this, getEnv("NIX_REMOTE", "auto"), "store",
                                "The default Nix store to use."};

  Setting<bool> keepFailed{
      this, false, "keep-failed",
      "Whether to keep temporary directories of failed builds."};

  Setting<bool> keepGoing{
      this, false, "keep-going",
      "Whether to keep building derivations when another build fails."};

  Setting<bool> tryFallback{
      this,
      false,
      "fallback",
      "Whether to fall back to building when substitution fails.",
      {"build-fallback"}};

  /* Whether to show build log output in real time. */
  bool verboseBuild = true;

  Setting<size_t> logLines{
      this, 10, "log-lines",
      "If verbose-build is false, the number of lines of the tail of "
      "the log to show if a build fails."};

  MaxBuildJobsSetting maxBuildJobs{this,
                                   1,
                                   "max-jobs",
                                   "Maximum number of parallel build jobs. "
                                   "\"auto\" means use number of cores.",
                                   {"build-max-jobs"}};

  Setting<unsigned int> buildCores{
      this,
      getDefaultCores(),
      "cores",
      "Number of CPU cores to utilize in parallel within a build, "
      "i.e. by passing this number to Make via '-j'. 0 means that the "
      "number of actual CPU cores on the local host ought to be "
      "auto-detected.",
      {"build-cores"}};

  /* Read-only mode.  Don't copy stuff to the store, don't change
     the database. */
  bool readOnlyMode = false;

  Setting<std::string> thisSystem{this, SYSTEM, "system",
                                  "The canonical Nix system name."};

  Setting<time_t> maxSilentTime{
      this,
      0,
      "max-silent-time",
      "The maximum time in seconds that a builer can go without "
      "producing any output on stdout/stderr before it is killed. "
      "0 means infinity.",
      {"build-max-silent-time"}};

  Setting<time_t> buildTimeout{
      this,
      0,
      "timeout",
      "The maximum duration in seconds that a builder can run. "
      "0 means infinity.",
      {"build-timeout"}};

  PathSetting buildHook{this, true, nixLibexecDir + "/nix/build-remote",
                        "build-hook",
                        "The path of the helper program that executes builds "
                        "to remote machines."};

  Setting<std::string> builders{this, "@" + nixConfDir + "/machines",
                                "builders",
                                "A semicolon-separated list of build machines, "
                                "in the format of nix.machines."};

  Setting<bool> buildersUseSubstitutes{
      this, false, "builders-use-substitutes",
      "Whether build machines should use their own substitutes for obtaining "
      "build dependencies if possible, rather than waiting for this host to "
      "upload them."};

  Setting<off_t> reservedSize{
      this, 8 * 1024 * 1024, "gc-reserved-space",
      "Amount of reserved disk space for the garbage collector."};

  Setting<bool> fsyncMetadata{this, true, "fsync-metadata",
                              "Whether SQLite should use fsync()."};

  Setting<bool> useSQLiteWAL{this, true, "use-sqlite-wal",
                             "Whether SQLite should use WAL mode."};

  Setting<bool> syncBeforeRegistering{
      this, false, "sync-before-registering",
      "Whether to call sync() before registering a path as valid."};

  Setting<bool> useSubstitutes{this,
                               true,
                               "substitute",
                               "Whether to use substitutes.",
                               {"build-use-substitutes"}};

  Setting<std::string> buildUsersGroup{
      this, "", "build-users-group",
      "The Unix group that contains the build users."};

  Setting<bool> impersonateLinux26{
      this,
      false,
      "impersonate-linux-26",
      "Whether to impersonate a Linux 2.6 machine on newer kernels.",
      {"build-impersonate-linux-26"}};

  Setting<bool> keepLog{this,
                        true,
                        "keep-build-log",
                        "Whether to store build logs.",
                        {"build-keep-log"}};

  Setting<bool> compressLog{this,
                            true,
                            "compress-build-log",
                            "Whether to compress logs.",
                            {"build-compress-log"}};

  Setting<unsigned long> maxLogSize{
      this,
      0,
      "max-build-log-size",
      "Maximum number of bytes a builder can write to stdout/stderr "
      "before being killed (0 means no limit).",
      {"build-max-log-size"}};

  /* When buildRepeat > 0 and verboseBuild == true, whether to print
     repeated builds (i.e. builds other than the first one) to
     stderr. Hack to prevent Hydra logs from being polluted. */
  bool printRepeatedBuilds = true;

  Setting<unsigned int> pollInterval{
      this, 5, "build-poll-interval",
      "How often (in seconds) to poll for locks."};

  Setting<bool> checkRootReachability{
      this, false, "gc-check-reachability",
      "Whether to check if new GC roots can in fact be found by the "
      "garbage collector."};

  Setting<bool> gcKeepOutputs{
      this,
      false,
      "keep-outputs",
      "Whether the garbage collector should keep outputs of live derivations.",
      {"gc-keep-outputs"}};

  Setting<bool> gcKeepDerivations{
      this,
      true,
      "keep-derivations",
      "Whether the garbage collector should keep derivers of live paths.",
      {"gc-keep-derivations"}};

  Setting<bool> autoOptimiseStore{this, false, "auto-optimise-store",
                                  "Whether to automatically replace files with "
                                  "identical contents with hard links."};

  Setting<bool> envKeepDerivations{
      this,
      false,
      "keep-env-derivations",
      "Whether to add derivations as a dependency of user environments "
      "(to prevent them from being GCed).",
      {"env-keep-derivations"}};

  /* Whether to lock the Nix client and worker to the same CPU. */
  bool lockCPU;

  /* Whether to show a stack trace if Nix evaluation fails. */
  Setting<bool> showTrace{
      this, false, "show-trace",
      "Whether to show a stack trace on evaluation errors."};

  Setting<SandboxMode> sandboxMode {
    this,
#if __linux__
        smEnabled
#else
        smDisabled
#endif
        ,
        "sandbox",
        "Whether to enable sandboxed builds. Can be \"true\", \"false\" or "
        "\"relaxed\".",
    {
      "build-use-chroot", "build-use-sandbox"
    }
  };

  Setting<PathSet> sandboxPaths{
      this,
      {},
      "sandbox-paths",
      "The paths to make available inside the build sandbox.",
      {"build-chroot-dirs", "build-sandbox-paths"}};

  Setting<bool> sandboxFallback{
      this, true, "sandbox-fallback",
      "Whether to disable sandboxing when the kernel doesn't allow it."};

  Setting<PathSet> extraSandboxPaths{
      this,
      {},
      "extra-sandbox-paths",
      "Additional paths to make available inside the build sandbox.",
      {"build-extra-chroot-dirs", "build-extra-sandbox-paths"}};

  Setting<size_t> buildRepeat{
      this,
      0,
      "repeat",
      "The number of times to repeat a build in order to verify determinism.",
      {"build-repeat"}};

#if __linux__
  Setting<std::string> sandboxShmSize{
      this, "50%", "sandbox-dev-shm-size",
      "The size of /dev/shm in the build sandbox."};

  Setting<Path> sandboxBuildDir{this, "/build", "sandbox-build-dir",
                                "The build directory inside the sandbox."};
#endif

  Setting<PathSet> allowedImpureHostPrefixes{
      this,
      {},
      "allowed-impure-host-deps",
      "Which prefixes to allow derivations to ask for access to (primarily for "
      "Darwin)."};

#if __APPLE__
  Setting<bool> darwinLogSandboxViolations{
      this, false, "darwin-log-sandbox-violations",
      "Whether to log Darwin sandbox access violations to the system log."};
#endif

  Setting<bool> runDiffHook{
      this, false, "run-diff-hook",
      "Whether to run the program specified by the diff-hook setting "
      "repeated builds produce a different result. Typically used to "
      "plug in diffoscope."};

  PathSetting diffHook{
      this, true, "", "diff-hook",
      "A program that prints out the differences between the two paths "
      "specified on its command line."};

  Setting<bool> enforceDeterminism{
      this, true, "enforce-determinism",
      "Whether to fail if repeated builds produce different output."};

  Setting<Strings> trustedPublicKeys{
      this,
      {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
      "trusted-public-keys",
      "Trusted public keys for secure substitution.",
      {"binary-cache-public-keys"}};

  Setting<Strings> secretKeyFiles{
      this,
      {},
      "secret-key-files",
      "Secret keys with which to sign local builds."};

  Setting<unsigned int> tarballTtl{
      this, 60 * 60, "tarball-ttl",
      "How long downloaded files are considered up-to-date."};

  Setting<bool> requireSigs{
      this, true, "require-sigs",
      "Whether to check that any non-content-addressed path added to the "
      "Nix store has a valid signature (that is, one signed using a key "
      "listed in 'trusted-public-keys'."};

  Setting<StringSet> extraPlatforms{
      this,
      std::string{SYSTEM} == "x86_64-linux" ? StringSet{"i686-linux"}
                                            : StringSet{},
      "extra-platforms",
      "Additional platforms that can be built on the local system. "
      "These may be supported natively (e.g. armv7 on some aarch64 CPUs "
      "or using hacks like qemu-user."};

  Setting<StringSet> systemFeatures{
      this, getDefaultSystemFeatures(), "system-features",
      "Optional features that this system implements (like \"kvm\")."};

  Setting<Strings> substituters{
      this,
      nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"}
                               : Strings(),
      "substituters",
      "The URIs of substituters (such as https://cache.nixos.org/).",
      {"binary-caches"}};

  // FIXME: provide a way to add to option values.
  Setting<Strings> extraSubstituters{this,
                                     {},
                                     "extra-substituters",
                                     "Additional URIs of substituters.",
                                     {"extra-binary-caches"}};

  Setting<StringSet> trustedSubstituters{
      this,
      {},
      "trusted-substituters",
      "Disabled substituters that may be enabled via the substituters option "
      "by untrusted users.",
      {"trusted-binary-caches"}};

  Setting<Strings> trustedUsers{this,
                                {"root"},
                                "trusted-users",
                                "Which users or groups are trusted to ask the "
                                "daemon to do unsafe things."};

  Setting<unsigned int> ttlNegativeNarInfoCache{
      this, 3600, "narinfo-cache-negative-ttl",
      "The TTL in seconds for negative lookups in the disk cache i.e binary "
      "cache lookups that "
      "return an invalid path result"};

  Setting<unsigned int> ttlPositiveNarInfoCache{
      this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
      "The TTL in seconds for positive lookups in the disk cache i.e binary "
      "cache lookups that "
      "return a valid path result."};

  /* ?Who we trust to use the daemon in safe ways */
  Setting<Strings> allowedUsers{
      this,
      {"*"},
      "allowed-users",
      "Which users or groups are allowed to connect to the daemon."};

  Setting<bool> printMissing{
      this, true, "print-missing",
      "Whether to print what paths need to be built or downloaded."};

  Setting<std::string> preBuildHook{
      this, "", "pre-build-hook",
      "A program to run just before a build to set derivation-specific build "
      "settings."};

  Setting<std::string> postBuildHook{
      this, "", "post-build-hook",
      "A program to run just after each successful build."};

  Setting<std::string> netrcFile{this, fmt("%s/%s", nixConfDir, "netrc"),
                                 "netrc-file",
                                 "Path to the netrc file used to obtain "
                                 "usernames/passwords for downloads."};

  /* Path to the SSL CA file used */
  Path caFile;

#if __linux__
  Setting<bool> filterSyscalls{
      this, true, "filter-syscalls",
      "Whether to prevent certain dangerous system calls, such as "
      "creation of setuid/setgid files or adding ACLs or extended "
      "attributes. Only disable this if you're aware of the "
      "security implications."};

  Setting<bool> allowNewPrivileges{
      this, false, "allow-new-privileges",
      "Whether builders can acquire new privileges by calling programs with "
      "setuid/setgid bits or with file capabilities."};
#endif

  Setting<Strings> hashedMirrors{
      this,
      {"http://tarballs.nixos.org/"},
      "hashed-mirrors",
      "A list of servers used by builtins.fetchurl to fetch files by hash."};

  Setting<uint64_t> minFree{this, 0, "min-free",
                            "Automatically run the garbage collector when free "
                            "disk space drops below the specified amount."};

  Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(),
                            "max-free",
                            "Stop deleting garbage when free disk space is "
                            "above the specified amount."};

  Setting<uint64_t> minFreeCheckInterval{
      this, 5, "min-free-check-interval",
      "Number of seconds between checking free disk space."};

  Setting<Paths> pluginFiles{
      this,
      {},
      "plugin-files",
      "Plugins to dynamically load at nix initialization time."};
};

// FIXME: don't use a global variable.
extern Settings settings;

/* This should be called after settings are initialized, but before
   anything else */
void initPlugins();

void loadConfFile();

extern const string nixVersion;

}  // namespace nix