This used to work in Nix 1.11:
```console
$ nix-instantiate --option restrict-eval true --eval -E 'builtins.storePath (import <nix/config.nix>).shell'
"/nix/store/jgw8hxx7wzkyhb2dr9hwsd9h2caaasdc-bash-4.4-p12/bin/bash"
```
With Nix 2.0:
```console
$ /nix/store/n1813017i47fv4yg4dqjl56f79wm36c7-nix-2.0pre5968_a6c0b773/bin/nix-instantiate --option restrict-eval true --eval -E 'builtins.storePath (import <nix/config.nix>).shell'
error: access to path '/nix/store/fcxliihmhm2ak9z4890gk0qw63zsbrcx-bash-4.4-p12/bin/bash' is forbidden in restricted mode
```
This is crucial for https://nixos.wiki/wiki/How_to_fetch_Nixpkgs_with_an_empty_NIX_PATH to work. An alternative is to use builtins.fetchTarball in Nix 2.0, but it requires a different hash, since it's the hash of the unpacked tarball, while the old method uses the hash of the tarball, which is later unpacked in the builder.
The implementation to support both Nix versions becomes quite complex: https://github.com/input-output-hk/cardano-sl/pull/2512
This change was intentional since allowing access to the entire Nix store was not very "restricted".
cc @Gabriel439 @zimbatm you'll hit this one eventually.
As a workaround, maybe -I store=/nix/store works.
@domenkozar: Yeah, no problem. Thanks for the heads up
I have no issue using builtins.fetchTarball when switching to Nix 2.0. I don't mind if the hash changes as part of the switch
@Gabriel439 the only issue is that you either have to force every single user of your expressions to upgrade, or maintain 2 hashes
@domenkozar here is the latest back-compat magic:
```nix
let
  # Pin file with the owner, repo, rev and sha256 of the nixpkgs snapshot.
  spec = builtins.fromJSON (builtins.readFile ./nixpkgs-src.json);
  # Nix < 1.12 only accepts a bare URL for fetchTarball (no hash check);
  # Nix 2.0 accepts { url, sha256 } and verifies the unpacked tree.
  fetchTarball = if builtins.lessThan builtins.nixVersion "1.12" then
    { url, sha256 }: builtins.fetchTarball url
  else builtins.fetchTarball;
in
fetchTarball {
  url = "https://github.com/${spec.owner}/${spec.repo}/archive/${spec.rev}.tar.gz";
  sha256 = spec.sha256;
}
```
It works on both nix 1.11 and 2.0 but pushes users to upgrade
I think that would just ignore the hash on 1.11, and I suspect hydra disallows that because it's an impurity
Also I don't think that variant helps hydra eval w/2.0 either, fetchTarball doesn't work in restricted mode even with a sha256:
```console
$ nix-instantiate --option restrict-eval true --eval -E 'fetchTarball { url = https://github.com/NixOS/nixpkgs/archive/566ded39b1c76ac512c65a14e6ab14751814a9b9.tar.gz; sha256 = "0j05khrlvjsj7aflv11by24k57gjncql5hkqihrh7q5s9snb220v"; }'
error: access to URI 'https://github.com/NixOS/nixpkgs/archive/566ded39b1c76ac512c65a14e6ab14751814a9b9.tar.gz' is forbidden in restricted mode
```
And in the nix manual documentation for restrict-eval it seems this is very much intended.
Time to rework my jobsets / hydra expressions!
I'm also having this issue on my 17.09 hydra machine. Note that I'm also fetching nixpkgs using an empty NIX_PATH.
I've "fixed" it by patching hydra using:
```nix
{
  hydra = previous.hydra.overrideAttrs (_oldAttrs: {
    patches = [
      # Fix for https://github.com/NixOS/nix/issues/1888
      ./hydra/no-restrict-eval.patch
    ];
  });
}
```
where ./hydra/no-restrict-eval.patch is:
diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
index 1e17e99d..449121a1 100644
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
@@ -186,7 +186,7 @@ int main(int argc, char * * argv)
/* Prevent access to paths outside of the Nix search path and
to the environment. */
- settings.restrictEval = true;
+ settings.restrictEval = false;
if (releaseExpr == "") throw UsageError("no expression specified");
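Review bot: after `settings.restrictEval = false;` the comment directly above it ("Prevent access to paths outside of the Nix search path and to the environment") no longer describes what the code does; either drop the comment or, as the accompanying text itself suggests, read the value from hydra.conf so that the default stays `true` and the comment stays accurate. Because this assignment sits unconditionally in `main()` of hydra-eval-jobs, flipping the constant disables restricted mode for every jobset evaluated by this binary, not only the one that needs to fetch nixpkgs; whitelisting the specific URI via `allowed-uris` is the narrower change.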
It would be better if restrict-eval was a parameter of hydra.conf but this works for me.
that patch is kind of a big hammer, you might want to do something like https://github.com/cleverca22/nixos-configs/blob/master/nas-hydra.nix#L32-L34 instead
I have a new hydra server setup using Simple-hydra and struggled to even run hydra-example. I understand why pkgs = (import <nixpkgs> {}); fails, as nixpkgs is not copied to the nixops deploy, so I tried using fetchTarball instead. I hit this error, so tried adding:
```nix
nix.extraOptions = ''
  restrict-eval = false
'';
```
to my hydra server configuration. This had no effect. Anyone know why? Is this a bug?
@chessai's approach did work however. What's the format for a list of allowed-uris? A bit confused why I can't do nix.allowed-uris = [ ... ]; and instead am using nix.extraConfig = ''allowed-uris = https://github.com/tbenst/nixpkgs/archive/''
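The following is an added example, not code from the issue thread or from the Hydra or Nix projects. It shows the `allowed-uris` form that the last comment asks about: a space-separated list of URI prefixes in nix.conf, which `nix.extraOptions` appends verbatim. It assumes a NixOS host that runs Hydra and that the same `./nixpkgs-src.json` pin file used by the jobset expression (fields `owner`, `repo`, `rev`, `sha256`) lives next to the configuration; the `pinnedArchivePrefix` name is an assumption of this example. The whitelist is derived from the pin so it covers only the archive endpoint of the pinned repository rather than all of github.com, and it is deliberately not combined with `restrict-eval = false`, which hydra-eval-jobs overrides anyway (see the patch hunk above).

```nix
# Added example (not from the issue); assumed NixOS module for a Hydra host.
{ config, lib, pkgs, ... }:

let
  # Same pin file the jobset's fetchTarball reads: { owner, repo, rev, sha256 }.
  spec = builtins.fromJSON (builtins.readFile ./nixpkgs-src.json);

  # Restricted evaluation matches allowed-uris by prefix, so allow exactly the
  # archive endpoint of the pinned repository and nothing broader.
  pinnedArchivePrefix = "https://github.com/${spec.owner}/${spec.repo}/archive/";

  # Extend this list if jobsets pin more than one repository; every entry is
  # still one prefix, never a wildcard.
  allowedUris = [ pinnedArchivePrefix ];
in
{
  # hydra-eval-jobs turns restrict-eval on itself, so leave it on here and
  # whitelist instead. nix.extraOptions appends raw lines to nix.conf; the
  # allowed-uris value is the prefixes separated by single spaces.
  nix.extraOptions = ''
    allowed-uris = ${lib.concatStringsSep " " allowedUris}
  '';
}
```

With this in place the jobset can keep using `builtins.fetchTarball { url = "${pinnedArchivePrefix}${spec.rev}.tar.gz"; sha256 = spec.sha256; }` under restricted evaluation: the URI passes the prefix check, and the sha256 still pins the unpacked tree, so changing the pin means changing `nixpkgs-src.json`, which updates the whitelist and the hash together.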