nixos/flake: set up NIX_PATH and system flake registry automatically

[lf-]

Currently there are a bunch of really wacky hacks required to get nixpkgs path correctly set up under flake configs such that nix run nixpkgs#hello and nix run -f '<nixpkgs>' hello hit the nixpkgs that the system was built with. In particular you have to use specialArgs or an anonymous module, and everyone has to include this hack in their own configs.

We can do this for users automatically.

I have tested these manually with a basic config; I don't know if it is even possible to write a nixos test for it since you can't really get a string-with-context to yourself unless you are in a flake context.

cc @RaitoBezarius

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[IreneKnapp]

overall looks great, I want this!

[IreneKnapp]

This could use more documentation about where the symlink points to. I mean, I assume it points to the path to the derivation that nixos is being built out of, but there must be an appropriately precise way to say that...

[IreneKnapp]

Similarly, I assume this points to the derivation nixos is built out of, but find some precise way to say that. Also specify explicitly whether this option relies on the /etc/nix/inputs/nixpkgs symlink to exist or not.

Also, it's called the system registry not the local registry. Since that term is vague and confusing and doesn't help a user to understand why they'd want this option turned on, by all means keep the present wording about "local" as well, but do use it in conjunction with the official name.

[lf-]

Ah, not quite the one nixos is built out of, which means my docs are bad. I will write better ones than I wrote while originally writing this whilst tired at nixcon tomorrow :)

[lf-]

Apparently I misunderstood what you wrote because it was 2am. This option doesn't require /etc/nix/inputs/nixpkgs to exist, and is completely independent of the other option.

[IreneKnapp]

it sure was 2am <3

[lf-]

Alright, I have pushed a change rewriting the documentation to have examples and to use more clear wording. I have also turned it on by default.

The reasoning for enabling it by default on flake configurations is that we do things that are suboptimal for closure size by default, for example environment.noXlibs = false;, documentation.enable = true;, and it seems much more important to make the out of the box experience better for machines that might be used interactively.

This change only affects systems built with flakes.

[IreneKnapp]

looks solid to me! note that this is by way of peer review, I'm not a committer, somebody else will need to approve it

[IreneKnapp]

don't you mean nullOr str?

[lf-]

Yes, I didn't realize null was coerced to empty string.

[IreneKnapp]

just to be absolutely clear: the symlink points to a path in the store, right?

[lf-]

Yep. I will word this more carefully.

[IreneKnapp]

so the understanding I get from this is that it replicates the protocol, URL, etc but pins based on rev. correct? I still feel like there could be a bit more wording to say so explicitly, but it's good as-is.

[lf-]

Nope. It is a string-with-context that introduces a simple dependency:

nix-repl> nixosConfigurations.micro.options.nix.registry.value.nixpkgs.to
{ path = "/nix/store/c8cz4q0y6jw9qvjwk45nf6pvwysj7yn6-source"; type = "path"; }

nix-repl> :p builtins.getContext nixosConfigurations.micro.options.nix.registry.value.nixpkgs.to.path
{ "/nix/store/c8cz4q0y6jw9qvjwk45nf6pvwysj7yn6-source" = { path = true; }; }

[IreneKnapp]

ah! that's nice and simple. the clearest way to say that might be "by referencing it in the store"?

[IreneKnapp]

ah good call

[roberth]

Bad call: unnecessary breaking change. Why not fix the bug instead?

[lf-]

I don't want to try getting anything into Nix after a one line change to fix nix-shell in shebangs by a former coworker continues to sit unreviewed for going on two years now, in spite of repeated prodding for reviews including by back channels.

I understand the Nix team has been improving things, and I think more prompt reviews generally happen now but I'm still not interested.

I can remove the workaround because the bug isn't that bad.

[tomberek]

@lf- i have an interest in the shebangs features, but I am not finding the referenced shebang PR. (my own effort in bringing shebangs to nix-command took more than two years with 5189, so I understand the patience can get worn out)

[lf-]

i had it written down somewhere; it's NixOS/nix#5088

[lf-]

I have done a final pass through the docs. I am not sure if they are too verbose, but even if they are, usually we have the opposite problem and I have rarely thought that of module docs.

[IreneKnapp]

the latest revision of the docs looks great. thanks for indulging me! I know I tend to prefer more verbose docs than others do, but I feel that a lot of flake semantics are under-documented and I'd much rather not have to guess at these details.

[Artturin]

The diff looks very weird, are there formatting changes or something?

Related PR #197424

[lf-]

The diff looks very weird, are there formatting changes or something?

Related PR #197424

Yes. I moved the whole existing config= contents right one indent, put it in a mkMerge, and added my own things. When I rebased I did these changes manually because git had made such an absolute dog's breakfast of the diff and I couldn't make any sense of it.

I don't know what made git fail so hard on this PR's diff, but I am sorry it is annoying to review.

[Artturin]

Hiding the whitespace changes makes it better

rightmost icon

[tomberek]

• blocking: /etc/nix/inputs/nixpkgs is awkward, please examine some other possibilities mentioned above
• thought: having nixpkgs.flake.setNixPath interacting with nix.nixPath (same with nixpkgs.flake.setFlakeRegistry / nix.registry) might cause confusion. There are then two ways to do the same thing, which takes precedence, etc. Here i don't yet know of solid suggestion; there is merit to having it in both option sets.

[ethorsoe]

While I like this change a lot, I understood that this breaks (at least works unexpectedly for) initializing new flake.lock files using nixpkgs name on such a system, am I wrong?

[mjm]

I didn't test this PR specifically, but I do have my config set up to point nixpkgs in the registry at my flake's nixpkgs input. And this does cause a surprising issue where if you create new flakes (maybe for a specific project), then if they use the nixpkgs registry alias, the lockfile will reference the store path rather than the github URL for nixpkgs.

This happens, for instance, with the default flake template:

$ cd $(mktemp -d)
$ nix flake init
$ nix build
warning: creating lock file '/tmp/tmp.cqX16SmdSg/flake.lock'
$ cat flake.lock
{
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1707743206,
        "narHash": "sha256-AehgH64b28yKobC/DAWYZWkJBxL/vP83vkY+ag2Hhy4=",
        "path": "/nix/store/qn2bp2ipwdfsv5a4fp8sdk6kmibxhvsw-source",
        "rev": "2d627a2a704708673e56346fcb13d25344b8eaf3",
        "type": "path"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

I'm not sure if nix flake update will then use the registry alias or the path in the lockfile. Either of those seem undesirable in different ways. But if it uses the path in the lockfile, then overriding the registry alias by default for flake-based systems will probably cause surprising behavior for folks that create new flakes that don't specify a nixpkgs input explicitly.

[lf-]

Good grief, our default flake template is really really broken then. We should fix that.

[lf-]

Thanks for pointing this out; I wish to throw my computer into the sea. The remote flake registry should be removed imo or at least not used in lock file updates. NixOS/nix#7422

I've now found the previous attempt at this pr, which had a lot more respect for wrongly written flakes that use the registry for their inputs, a use case which should not be allowed imo. #197424

Fortunately the default template is here, so I'll send a pr to stop doing bad things in there at least: https://github.com/NixOS/templates/blob/master/trivial/flake.nix

But this needs to be fixed in nix flake update to issue a warning at least. Putting it at nixos in the system registry like the previous pr does is not an acceptable solution as it makes "get random packages" invocations different on NixOS; it's <nixos> all over again.

[lf-]

This is the PR from ages ago that should be merged to fix nix flake init NixOS/templates#67

[ethorsoe]

Makes me a bit uneasy that all references are to open unfinished discussions, but this is the experimental unstable new thing anyway so ymmv.

I have been recommending people to use aliases in their flakes on the main channel without any interjections so I would assume not everyone knows or agrees that they should not be used. I don't have strong opinion on the matter, but at least it would be good to standardize that opinion.

[IreneKnapp]

wow :( good research. what a distressing situation.

for sure, nix flake update needs to stop doing this ><

[IreneKnapp]

This is the PR from ages ago that should be merged to fix nix flake init NixOS/templates#67

wait, really? this looks Haskell-specific

[lf-]

This is the PR from ages ago that should be merged to fix nix flake init NixOS/templates#67

wait, really? this looks Haskell-specific

Clicked wrong, meant NixOS/templates#53

[RaitoBezarius]

This has been reviewed, scrutinized for a long time, this change makes a lot of sense and improves the statut-quo. Let's iterate from now on.

stale

[totoroot]

Just for reference, in case someone is looking for the change that caused their flake-based NixOS systems to no longer rebuild.

Since I previously had nix.registry.nixpkgs.flake set in my flake config, I got the following error when trying to rebuild my system:

       error: The option `nix.registry.nixpkgs.to.path' has conflicting definition values:
       - In `/nix/store/1gpgihsi21bni03hy6i5ccw9lfrhnbqi-source/nixos/modules/config/nix-flakes.nix': "/nix/store/84q33bh989jr3hadc8jj2rsz6ax5cqyj-source"
       - In `/nix/store/1gpgihsi21bni03hy6i5ccw9lfrhnbqi-source/nixos/modules/misc/nixpkgs-flake.nix': "/nix/store/1gpgihsi21bni03hy6i5ccw9lfrhnbqi-source"
       Use `lib.mkForce value` or `lib.mkDefault value` to change the priority on any of these definitions.

The suggested use of lib.mkForce or lib.mkDefault is not advisable.
Instead just remove the manual NIX_PATH override in your config, as this is now handled automatically.

If you do not wish to do so, you can also disable the newly added option, as described in the release notes (look for NIX_PATH).

To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.

IMO the documentation of this change in the release notes is good, but users might still look for this error in the issues and PRs of the nixpkgs repository, so I thought I'd mention it.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/use-a-system-nixpkgs-version-in-a-flake/43784/3