Unverified Commit 8ffe22e2 authored by Artturi's avatar Artturi Committed by GitHub

Merge pull request #203956 from Artturin/addforbiddendependenciesregex

nixos/top-level.nix: add forbiddenDependenciesRegex option
parents d39f0f29 a34d7b67
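--- /dev/null
+++ b/nixos/modules/system/activation/test.nix
@@ -0,0 +1,27 @@
+{ lib
+, nixos
+, expect
+, testers
+}:
+let
+  node-forbiddenDependencies-fail = nixos ({ ... }: {
+    system.forbiddenDependenciesRegex = "-dev$";
+    environment.etc."dev-dependency" = {
+      text = "${expect.dev}";
+    };
+    documentation.enable = false;
+    fileSystems."/".device = "ignore-root-device";
+    boot.loader.grub.enable = false;
+  });
+  node-forbiddenDependencies-succeed = nixos ({ ... }: {
+    system.forbiddenDependenciesRegex = "-dev$";
+    system.extraDependencies = [ expect.dev ];
+    documentation.enable = false;
+    fileSystems."/".device = "ignore-root-device";
+    boot.loader.grub.enable = false;
+  });
+in
+lib.recurseIntoAttrs {
+  test-forbiddenDependencies-fail = testers.testBuildFailure node-forbiddenDependencies-fail.config.system.build.toplevel;
+  test-forbiddenDependencies-succeed = node-forbiddenDependencies-succeed.config.system.build.toplevel;
+}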
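Review bot: `testers.testBuildFailure` on line 38 only asserts that the toplevel build fails, not that it fails because of the forbidden-dependency check, so a build that breaks for an unrelated reason (a future change to the stubbed `fileSystems."/".device` or `boot.loader.grub` settings, say) would still turn this test green. `testBuildFailure` keeps the failed build's output in `$out/testBuildFailure.log`; the test would be tighter if that derivation were wrapped in a `runCommand` that greps the log for the `disallowed paths` message and the `expect-…-dev` store path before creating `$out`, which also pins the error text users will see. That needs `runCommand` added to the argument set on lines 14-18. The succeed case is fine as written, since building the toplevel at all is the assertion there.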
+31 −1
@@ -77,7 +77,7 @@ let

      ${config.system.systemBuilderCommands}

      echo -n "${toString config.system.extraDependencies}" > $out/extra-dependencies
      echo -n "$extraDependencies" > $out/extra-dependencies

      ${config.system.extraSystemBuilderCmds}
    '';
@@ -105,6 +105,8 @@ let
    dryActivationScript = config.system.dryActivationScript;
    nixosLabel = config.system.nixos.label;

    inherit (config.system) extraDependencies;

    # Needed by switch-to-configuration.
    perl = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]);
  } // config.system.systemBuilderArgs);
@@ -223,6 +225,16 @@ in
      '';
    };

    system.forbiddenDependenciesRegex = mkOption {
      default = "";
      example = "-dev$";
      type = types.str;
      description = lib.mdDoc ''
        A POSIX Extended Regular Expression that matches store paths that
        should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked.
      '';
    };

    system.extraSystemBuilderCmds = mkOption {
      type = types.lines;
      internal = true;
@@ -298,8 +310,26 @@ in
        config.system.copySystemConfiguration
        ''ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" <nixos-config>}' \
            "$out/configuration.nix"
        '' +
      optionalString
        (config.system.forbiddenDependenciesRegex != "")
        ''
          if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then
            if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then
              echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths"
              exit 1
            fi
          fi
        '';

    system.systemBuilderArgs = lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") {
      inherit (config.system) forbiddenDependenciesRegex;
      closureInfo = pkgs.closureInfo { rootPaths = [
        # override to avoid  infinite recursion (and to allow using extraDependencies to add forbidden dependencies)
        (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; }))
      ]; };
    };

    system.build.toplevel = system;

  };
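Review bot: The regex on line 87 is applied with `grep -E` to each full line of `$closureInfo/store-paths`, i.e. `/nix/store/<hash>-<name>`, but the option description on lines 70-71 does not say so: `^expect` can never match, and a short unanchored pattern such as `lib` can also match inside the 32-character hash. I would extend the description with `The pattern is matched against the full store path (\`/nix/store/<hash>-<name>\`), so anchor it to the name part, e.g. \`-dev$\`.` The `$forbiddenDependenciesRegex != ""` half of the guard on line 86 is redundant with the `optionalString` on line 84; only the `-n $closureInfo` part does work, and a comment saying it exists so that the `closureInfo = null` override on line 98 skips the check (otherwise the check would recurse into itself) would help the next reader. Presumably `pkgs.closureInfo` has to build the overridden toplevel to read its references, so enabling the option builds the system closure twice; if so, that cost is worth a sentence in the description. Note that the `system.extraSystemBuilderCmds` definition this hunk extends starts before line 79.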
+1 −0
@@ -194,6 +194,7 @@ in {
  ergo = handleTest ./ergo.nix {};
  ergochat = handleTest ./ergochat.nix {};
  etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };
  activation = pkgs.callPackage ../modules/system/activation/test.nix { };
  etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
  etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {};
  etebase-server = handleTest ./etebase-server.nix {};
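Review bot: The new `activation` entry on line 111 sits among the `e…` tests and breaks the alphabetical order the surrounding lines follow (`ergo`, `ergochat`, `etc`, `etcd`); presumably it was put here because it mirrors the `etc` entry's `pkgs.callPackage` form. Unless that grouping is intended, `activation = pkgs.callPackage ../modules/system/activation/test.nix { };` belongs with the other `a…` entries earlier in the file, outside this hunk.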