Unverified Commit 5ce6ea92 authored by Artturin's avatar Artturin Committed by GitHub

Merge pull request #301827 from kampka/forbiddenDependenciesRegex

nixos/top-level: Turn `system.forbiddenDependenciesRegex` into a list
parents 5aa69d78 8814c364
+2 −0
@@ -282,6 +282,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
  where the file `secret_file` contains the string `mysecret`.

- The `system.forbiddenDependenciesRegex` option has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes.

- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.

+1 −1
@@ -26,6 +26,6 @@

  # Check that the system does not contain a Nix store path that contains the
  # string "perl".
  system.forbiddenDependenciesRegex = "perl";
  system.forbiddenDependenciesRegexes = ["perl"];

}
+2 −2
@@ -5,7 +5,7 @@
}:
let
  node-forbiddenDependencies-fail = nixos ({ ... }: {
    system.forbiddenDependenciesRegex = "-dev$";
    system.forbiddenDependenciesRegexes = ["-dev$"];
    environment.etc."dev-dependency" = {
      text = "${expect.dev}";
    };
@@ -14,7 +14,7 @@ let
    boot.loader.grub.enable = false;
  });
  node-forbiddenDependencies-succeed = nixos ({ ... }: {
    system.forbiddenDependenciesRegex = "-dev$";
    system.forbiddenDependenciesRegexes = ["-dev$"];
    system.extraDependencies = [ expect.dev ];
    documentation.enable = false;
    fileSystems."/".device = "ignore-root-device";
+11 −12
@@ -86,6 +86,7 @@ in
    ../build.nix
    (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.")
    (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.")
    (mkRenamedOptionModule [ "system" "forbiddenDependenciesRegex" ] [ "system" "forbiddenDependenciesRegexes" ])
  ];

  options = {
@@ -160,12 +161,12 @@ in
      '';
    };

    system.forbiddenDependenciesRegex = mkOption {
      default = "";
      example = "-dev$";
      type = types.str;
    system.forbiddenDependenciesRegexes = mkOption {
      default = [];
      example = ["-dev$"];
      type = types.listOf types.str;
      description = ''
        A POSIX Extended Regular Expression that matches store paths that
        POSIX Extended Regular Expressions that match store paths that
        should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked.
      '';
    };
@@ -289,15 +290,14 @@ in
            "$out/configuration.nix"
        '' +
      optionalString
        (config.system.forbiddenDependenciesRegex != "")
        ''
          if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then
            if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then
        (config.system.forbiddenDependenciesRegexes != []) (lib.concatStringsSep "\n" (map (regex: ''
          if [[ ${regex} != "" && -n $closureInfo ]]; then
            if forbiddenPaths="$(grep -E -- "${regex}" $closureInfo/store-paths)"; then
              echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths"
              exit 1
            fi
          fi
        '';
        '') config.system.forbiddenDependenciesRegexes));

    system.systemBuilderArgs = {

@@ -319,8 +319,7 @@ in
      # option, as opposed to `system.extraDependencies`.
      passedChecks = concatStringsSep " " config.system.checks;
    }
    // lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
      inherit (config.system) forbiddenDependenciesRegex;
    // lib.optionalAttrs (config.system.forbiddenDependenciesRegexes != []) {
      closureInfo = pkgs.closureInfo { rootPaths = [
        # override to avoid  infinite recursion (and to allow using extraDependencies to add forbidden dependencies)
        (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))
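Review bot: In the `map (regex: ...)` body of the third hunk the regex is now spliced into the builder script by Nix interpolation (`${regex}`) instead of being read from the `$forbiddenDependenciesRegex` shell variable the removed lines used, so it is no longer shell-safe: an element containing a double quote, `$(` or a backquote changes the meaning of the generated script, and an empty element produces `[[  != "" && ...`, which bash would presumably reject rather than skip as the per-element check intends. Quoting each element with `lib.escapeShellArg` restores the previous behaviour: `if [[ ${lib.escapeShellArg regex} != "" && -n $closureInfo ]]; then` and `if forbiddenPaths="$(grep -E -- ${lib.escapeShellArg regex} $closureInfo/store-paths)"; then`. The values come from the evaluated NixOS configuration, so this is a robustness issue for regexes with shell metacharacters rather than an untrusted-input one, but it is a regression from the variable-based form. As a point of style, the new code uses `lib.concatStringsSep` while the surrounding module calls `optionalString` and `concatStringsSep` unprefixed (as the `passedChecks` line does), so dropping the `lib.` prefix would match the file.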