Currently as per documentation the nix.conf files loaded are:
- The system-wide configuration file
sysconfdir/nix/nix.conf(i.e./etc/nix/nix.confon most systems), or$NIX_CONF_DIR/nix.confifNIX_CONF_DIRis set.- The user configuration file
$XDG_CONFIG_HOME/nix/nix.conf, or~/.config/nix/nix.confifXDG_CONFIG_HOMEis not set.
What would be great, is if there was a 3rd option:
- __
nix.conflocated in the current directory.__
This way a project git repo could contain it's own nix.conf which, for example, points at additional extra-substituters and adds trusted-public-keys.
jakubgs
All 10 comments
FWIW, this can be done with direnv currently
shlevy
on 26 Feb 2019
Also, if we were going to do this, I'd want it to walk up the path
shlevy
on 26 Feb 2019
FWIW, this can be done with direnv currently
You mean NIX_CONF_DIR? That's nice, but it requires user intervention. I'd have to explain to the user that they have to export the right NIX_CONF_DIR before they should use nix-build in the project root. With loading from ./nix.conf it can be implicit the moment you enter that project root dir.
Also, if we were going to do this, I'd want it to walk up the path
As in check recursively for all available nix.conf files in the folder? And merge the settings? I guess that could be useful too.
jakubgs
on 26 Feb 2019
More importantly we'd need https://github.com/NixOS/nix/issues/2149
domenkozar
on 27 Feb 2019
Loading files from the current directory frightens me from a security perspective...
edolstra
on 27 Feb 2019
Firstly, :-1:, I agree with @edolstra, running nix-build in a random project directory and having it add substituters and public keys seems like a security issue to me.
Secondly, I don't see how this can be sanely implemented anyway, nix-daemon normally runs as root, I run nix-build as my own user, would nix-build like read and push nix.conf via socket and reconfigure the daemon run by root something?
If you really want something like this, you can just provide a wrapper that would do
export NIX_CONF_DIR="$PWD"
export NIX_REMOTE=
nix-build "$@"
to your users and be done with it.
oxij
on 10 Mar 2019
would
nix-buildlike read and pushnix.confvia socket and reconfigure the daemon run by root something?
Yes, this is in fact already the case. The client sends its settings to the daemon, but the daemon ignores most of them for security reasons.
edolstra
on 11 Mar 2019
Yes, this is in fact already the case. The client sends its settings to the daemon, but the daemon ignores most of them for security reasons.
I see. (See case wopSetOptions in src/nix-daemon/nix-daemon.cc if anyone else is interested.)
Which reminds me, what does extra-substituters option do? All of its mentions in the .cc sources (which are only two wopSetOptions and src/libstore/store-api.cc), handle it as if it was appended to substituters. What is the point in having it?
Anyway, in the light of the above I retract the argument of
Secondly, ...
as to the argument of
Firstly, ...
I guess adding an option to nix-build and etc that would set nix.conf from the argv wouldn't hurt (especially since it's the only thing from NIX_CONF_DIR that can be used by the client to influence the daemon, AFAICS), but since one would have to add those desired substituters to trusted-substituters in the daemon it wouldn't solve the OP's issue anyway, AFAICS.
oxij
on 13 Mar 2019
I agree that this should not happen without user intervention, regardless of whether the options are considered safe or not.
That aside, this is already possible (with user intervention, through direnv for example) with XDG_CONFIG_DIRS support (#2501).
lheckemann
on 22 Mar 2019
This may be partially solved by pr #3458
roberth
on 1 Apr 2020
Related issues
lovesegfault
路
37Comments
edolstra
路
99Comments
taktoa
路
35Comments
vcunat
路
159Comments
cbarrett
路
49Comments
Most helpful comment
Loading files from the current directory frightens me from a security perspective...