Flake support

[edolstra]

Motivation for this change

This PR:

• Adds a flake.nix file to Nixpkgs, making Nixpkgs usable from other flakes.
• Adds flake support to nixos-rebuild, enabling hermetic NixOS builds.
• Adds flake support to nixos-container.

A typical NixOS system configuration flake looks like this:

{
  edition = 201909;

  outputs = { self, nixpkgs, dwarffs, hydra }: rec {

    nixosConfigurations.my-server = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules =
        [ dwarffs.nixosModules.dwarffs
          nixpkgs.nixosModules.notDetected
          hydra.nixosModules.hydra
          { system.configurationRevision = self.rev;
            /* typical configuration.nix stuff follows */
          }
        ];
    };

  };
}

which can be installed by doing

# nixos-rebuild switch --flake /path/to/flake --config my-server

(--config defaults to the host name so it can usually be omitted).

The option system.configurationRevision tracks the revision of the top-level flake. This allows the entire configuration to be reproduced reliably. In a running system, it can be queried using nixos-version:

$ nixos-version --json | jq -r .configurationRevision
2c475bc41c13e7a9ae5c16b6c10d8d328cd07ee7

Note: NIX_PATH is unavailable in flake-based builds. In particular this means that

imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];

in hardware-configuration.nix no longer works. Instead you have to use

modules = [ nixpkgs.nixosModules.notDetected ];

nixos-container also supports flakes. For example, the following command creates a container that serves the NixOS homepage:

$ nixos-container create homepage --flake nixos-homepage 
$ nixos-container start homepage 
$ curl http://$(nixos-container show-ip homepage)

TODO: add flake support to nixos-install, add tests.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @

[flokli]

does this mean we currently can't use the nixpkgs flake from any non-x86 system?

[edolstra]

Not from the nix command line. You can call it from other flakes with a non-x86_64-linux system argument though.

[matthewbauer]

Can't we use builtins.currentSystem?

[jD91mZM2]

Nope, not in pure evaluation mode.

$ nix eval "(builtins.currentSystem)"
error: attribute 'currentSystem' missing, at (string):1:2
$ nix eval --impure "(builtins.currentSystem)"
"x86_64-linux"

[arianvp]

I myself had a slightly different take on nixos-rebuild in the presence of flakes which I am using here: https://github.com/arianvp/nixos-stuff/blob/master/deployments.nix#L15-L46 (Though I'm still implementing the flake part, but the idea of calling lib.nixosSystem inside your package definition is the same to what I am doing).

The idea is that you ou can do:

nix run github:arianvp/nixos-stuff:deployments.arianvp-me -c deploy [switch|boot|test] [target*]

or in two steps:

nix build github:arianvp/nixos-stuff:deployments.arianvp-me
./result/deploy switch

# or deploy remotely
./result/deploy switch  root@arianvp.me

E.g. a nixos flake returns a nixos-rebuild-like command that can be called instead of having nixos-rebuild call nix build. Kind of an inversion of control thing.

Would such a thing be more ergonomic? It would also mean you don't need nixos-rebuild on your computer to be able to deploy a nixos derivation. (Because nixos-rebuild doesn't seem to be exposed as a package in nixpkgs. so I do this so I can deploy nixos servers from my non-nixos machines)

Of course this is a bit of a backwards incompatible change, but we could also keep the old nixos-rebuild for non-flake deployments, and use this "design pattern" for flake-like deployments.

What do you think?

[edolstra]

@arianvp Well, you already don't need nixos-rebuild since you can build the top-level system derivation and then run its switch-to-configuration script, e.g.

$ nix build .:nixosConfigurations.vyr.config.system.build.toplevel
$ ./result/bin/switch-to-configuration test

which is just what nixos-rebuild does.

Edit: or indeed

$ nix run .:nixosConfigurations.vyr.config.system.build.toplevel -c switch-to-configuration test

as you suggested.

[edolstra]

Update: added flake support to nixos-container.

[arianvp]

Well and you have to nix-env --set it right? Would there be a way to do that in one step?

[matthewbauer]

Why include this?

[jtojnar]

Note: NIX_PATH is unavailable in flake-based builds.

---

Should we add other modules as well? For example, I use the following imports on my server:

<nixpkgs/nixos/modules/profiles/minimal.nix>
<nixpkgs/nixos/modules/virtualisation/container-config.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/building-nixos-system-with-nix-build-and-a-channel-specifier/4747/2

[yorickvP]

Would be happy to see this merged. However, I'm afraid that the FIXME's in here will never get fixed once this is merged. We depend on the nixos-rebuild re'execing currently, so that fixme would be a blocker for moving to flakes for us, personally.

[yorickvP]

This is important for my workflow

[edolstra]

The re-exec is fundamentally broken anyway, since it tries to build nixos-rebuild with the old Nix. (The code to upgrade Nix happens later.) We could do nix build $flake#nixosConfigurations.$flakeAttr.config.system.build.nixos-rebuild but I don't think it's useful currently.

[yorickvP]

FIXME: get nix from the flake.

[yorickvP]

fixme: read the container config in a more sensible way

[yorickvP]

^

[yorickvP]

todo: not implemented

[yorickvP]

Not supporting nixos vm builds will ensure limited flake adoption.

[edolstra]

I haven't used build-vm in years.

[yorickvP]

I use it almost all the time, to do integration tests of modules. It's fairly prominent in the documentation and one of nixos's selling points.

[edolstra]

Sure, but nixos-rebuild build-vm is just a wrapper around nix build. It doesn't do anything you couldn't otherwise do.

[worldofpeace]

I've used build-vm to test the many many PRs that I've reviewed, merged, and tested. It's a very very useful tool for me.

[worldofpeace]

Do you mean people can just do?

nix run vm -f '<nixpkgs/nixos>' --arg configuration "$PWD/configuration.nix" -c run-nixos-vm

[yorickvP]

todo: not implemented

[alyssais]

I feel very conflicted about making this change now, when not only have we still not decided on the format for flake.nix, but the RFC seems to have been stalled for months…

[edolstra]

Well and you have to nix-env --set it right? Would there be a way to do that in one step?

Yes, you can do nix build --profile /nix/var/nix/profiles/system $flake#nixosConfigurations.$hostname.config.system.build.toplevel to do the build and the profile update in one step.

[FRidh]

I would like to know how we deal on the stable with changes to e.g. the Flake format. Can it be relied on being stable during the lifetime of 20.03, or is it consider experimental? Probably needs a release note either way, clarifying this.

[edolstra]

I've added a note that it's experimental (so it shouldn't be relied on).

[arianvp]

Nixpkgs.lib.nixosSystem already exists as pkgs.nixos
It's confusing to have both. Can we remove one of the two?

Iirc nixpkgs.nixos is explicitly mentioned in our documentation too

I already noted this in November. But no reply. Could we still address this?

[edolstra]

Ideally we would remove pkgs.nixos, since it's not a package, but I don't want to make incompatible changes since this is all experimental.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/pinning-configuration-nix-with-niv/49031/4