Unverified Commit 8e82ef5d authored by Sandro Jäckel's avatar Sandro Jäckel Committed by GitHub

nixos/binfmt: add option `addEmulatedSystemsToNixSandbox` (#354533)

parents d79beaac bbb6e83f
+2 −0
@@ -830,6 +830,8 @@
    Note that first solution of the [official FAQ answer](https://cloud.seatable.io/dtable/external-links/7b976c85f504491cbe8e/?tid=0000&vid=0000&row-id=BQhH-2HSQs68Nq2EW91DBA)
    is not allowed by the `services.nginx` module's config-checker.

- The new option `boot.binfmt.addEmulatedSystemsToNixSandbox` allows you to skip adding the emulated systems to `nix.settings.extra-platforms`. Now you can emulate foreign binaries locally while only building them on native remote builders.

- The latest available version of Nextcloud is v30 (available as `pkgs.nextcloud30`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
+11 −1
@@ -279,6 +279,16 @@ in {
        type = types.listOf (types.enum (builtins.attrNames magics));
      };

      addEmulatedSystemsToNixSandbox = mkOption {
        type = types.bool;
        default = true;
        example = false;
        description = ''
          Whether to add the {option}`boot.binfmt.emulatedSystems` to {option}`nix.settings.extra-platforms`.
          Disable this to use remote builders for those platforms, while allowing testing binaries locally.
        '';
      };

      preferStaticEmulators = mkOption {
        default = false;
        description = ''
@@ -325,7 +335,7 @@ in {
        interpreterSandboxPath = mkDefault (dirOf (dirOf config.interpreter));
      } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}")));
    }) cfg.emulatedSystems);
    nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
    nix.settings = lib.mkIf (cfg.addEmulatedSystemsToNixSandbox && cfg.emulatedSystems != []) {
      extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
      extra-sandbox-paths = let
        ruleFor = system: cfg.registrations.${system};
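Review bot: The description of `addEmulatedSystemsToNixSandbox` names only `nix.settings.extra-platforms`, but the changed `lib.mkIf` in the second hunk guards the whole `nix.settings` attrset, which also sets `extra-sandbox-paths`. Setting the option to `false` therefore also stops the emulator paths from being exposed inside the Nix build sandbox. That is a sandbox-surface change an administrator would want to know about, so the description should gain a sentence saying the option controls both settings. The same applies to the release-note entry in the first file. The attrset continues past the end of the hunk, so any further keys it sets are presumably gated as well and should be checked against the full file.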