nixbld: update Nix unstable patch for networked derivations

Fixes Gitea issue #7

nixbld-etc-nixos/configuration.nix

@@ -148,7 +148,7 @@ in
 
       no-resolv
 
-      # Static IPv4s to make Red Pitayas less annoying
+      # Static IPv4s to make Red Pitayas with factory firmware less annoying
       dhcp-host=rp-f05cc9,192.168.1.190
       dhcp-host=rp-f0612e,192.168.1.191
       # Static IPv4s to make port redirections work
@@ -165,6 +165,8 @@ in
       address=/zynq-experiments/192.168.1.51
       address=/zc706/192.168.1.52
       address=/zc706-2/192.168.1.53
+      address=/cora-z7/192.168.1.54
+      address=/rust-pitaya/192.168.1.55
       address=/sayma/192.168.1.60
       address=/metlino/192.168.1.65
       address=/kasli/192.168.1.70
@@ -229,24 +231,26 @@ in
   hardware.sane.enable = true;
   hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
 
-  users.extraGroups.plugdev = { };
+  users.extraGroups.hkadmin = { };
   users.extraUsers.sb = {
     isNormalUser = true;
-    extraGroups = ["wheel" "plugdev" "dialout" "lp" "scanner"];
-    shell = pkgs.fish;
+    extraGroups = ["wheel" "hkadmin" "lp" "scanner"];
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
     ];
+    shell = pkgs.fish;
   };
   users.extraUsers.rj = {
     isNormalUser = true;
-    extraGroups = ["wheel" "plugdev" "dialout"];
+    extraGroups = ["wheel"];
   };
-  users.extraUsers.astro = {
+  users.extraUsers.harry = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    shell = pkgs.bashInteractive;
+    extraGroups = ["hkadmin" "lp" "scanner"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDcPNCgtdz8erFPRrAwCr4JrkeYXJUUvoRBgP0X2HlzJgDe1Inuo6sC6CGcO3IXbf4MwVA9XEp8BYPHARVeEHhufg/0wnIABLx2GcK99yxOLDUe4h/3YwtqvOcqHEsDx7w=="
+    ];
   };
   users.extraUsers.nix = {
     isNormalUser = true;

nixbld-etc-nixos/nix-3-networked-derivations.patch

@@ -1,43 +1,27 @@
-From d7fc00b5770a7d194c0ba9e70a4cdb2ece621d5b Mon Sep 17 00:00:00 2001
+From e9d0448929a46df1b5923d69989fa3ca4c9e47ba Mon Sep 17 00:00:00 2001
 From: Astro <astro@spaceboyz.net>
-Date: Mon, 5 Oct 2020 14:18:59 +0200
+Date: Thu, 5 Nov 2020 17:21:09 +0100
 Subject: [PATCH] networked derivations
 
 ---
- src/libstore/build.cc | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
+ src/libstore/build/derivation-goal.cc | 14 ++++++++------
+ src/libstore/build/derivation-goal.hh |  6 ++++++
+ 2 files changed, 14 insertions(+), 6 deletions(-)
 
-diff --git a/src/libstore/build.cc b/src/libstore/build.cc
-index 0499273a4..40fe4e859 100644
---- a/src/libstore/build.cc
-+++ b/src/libstore/build.cc
-@@ -845,9 +845,16 @@ private:
-     /* The sort of derivation we are building. */
-     DerivationType derivationType;
- 
-+    bool networked;
-+
-     /* Whether to run the build in a private network namespace. */
-     bool privateNetwork = false;
- 
-+    bool allowNetwork()
-+    {
-+        return derivationIsFixed(drv->type()) || networked;
-+    }
-+
-     typedef void (DerivationGoal::*GoalState)();
-     GoalState state;
- 
-@@ -1293,6 +1300,8 @@ void DerivationGoal::haveDerivation()
-     parsedDrv = std::make_unique<ParsedDerivation>(drvPath, *drv);
- 
+diff --git a/src/libstore/build/derivation-goal.cc b/src/libstore/build/derivation-goal.cc
+index bf2bad62c..ef4ce8a0b 100644
+--- a/src/libstore/build/derivation-goal.cc
++++ b/src/libstore/build/derivation-goal.cc
+@@ -1199,6 +1199,8 @@ void DerivationGoal::startBuilder()
+     additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
+ #endif
  
 +    networked = parsedDrv->getBoolAttr("__networked");
 +
-     /* We are first going to try to create the invalid output paths
-        through substitutes.  If that doesn't work, we'll build
-        them. */
-@@ -2210,7 +2219,7 @@ void DerivationGoal::startBuilder()
+     /* Are we doing a chroot build? */
+     {
+         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
+@@ -1216,7 +1218,7 @@ void DerivationGoal::startBuilder()
          else if (settings.sandboxMode == smDisabled)
              useChroot = false;
          else if (settings.sandboxMode == smRelaxed)
@@ -46,42 +30,68 @@ index 0499273a4..40fe4e859 100644
      }
  
      if (worker.store.storeDir != worker.store.realStoreDir) {
-@@ -2434,7 +2443,7 @@ void DerivationGoal::startBuilder()
-                 "nogroup:x:65534:\n") % sandboxGid).str());
+@@ -1430,7 +1432,7 @@ void DerivationGoal::startBuilder()
+                 "nogroup:x:65534:\n", sandboxGid()));
  
          /* Create /etc/hosts with localhost entry. */
 -        if (!(derivationIsImpure(derivationType)))
-+        if (!allowNetwork())
++        if (!allowNetwork() && !(derivationIsImpure(derivationType)))
              writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
  
          /* Make the closure of the inputs available in the chroot,
-@@ -2621,7 +2630,7 @@ void DerivationGoal::startBuilder()
+@@ -1617,7 +1619,7 @@ void DerivationGoal::startBuilder()
             us.
          */
  
 -        if (!(derivationIsImpure(derivationType)))
-+        if (!allowNetwork())
++        if (!allowNetwork() && !(derivationIsImpure(derivationType)))
              privateNetwork = true;
  
          userNamespaceSync.create();
-@@ -2833,7 +2842,7 @@ void DerivationGoal::initEnv()
+@@ -1865,7 +1867,7 @@ void DerivationGoal::initEnv()
         to the builder is generally impure, but the output of
         fixed-output derivations is by definition pure (since we
         already know the cryptographic hash of the output). */
 -    if (derivationIsImpure(derivationType)) {
-+    if (allowNetwork()) {
++    if (allowNetwork() || derivationIsImpure(derivationType)) {
          for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
              env[i] = getEnv(i).value_or("");
      }
-@@ -3447,7 +3456,7 @@ void DerivationGoal::runChild()
+@@ -2487,7 +2489,7 @@ void DerivationGoal::runChild()
              /* Fixed-output derivations typically need to access the
                 network, so give them access to /etc/resolv.conf and so
                 on. */
 -            if (derivationIsImpure(derivationType)) {
-+            if (allowNetwork()) {
++            if (allowNetwork() || derivationIsImpure(derivationType)) {
                  ss.push_back("/etc/resolv.conf");
  
                  // Only use nss functions to resolve hosts and
+@@ -2728,7 +2730,7 @@ void DerivationGoal::runChild()
+ 
+                 sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
+ 
+-                if (derivationIsImpure(derivationType))
++                if (allowNetwork() || derivationIsImpure(derivationType))
+                     sandboxProfile += "(import \"sandbox-network.sb\")\n";
+ 
+                 /* Add the output paths we'll use at build-time to the chroot */
+diff --git a/src/libstore/build/derivation-goal.hh b/src/libstore/build/derivation-goal.hh
+index 4976207e0..c57238403 100644
+--- a/src/libstore/build/derivation-goal.hh
++++ b/src/libstore/build/derivation-goal.hh
+@@ -134,6 +134,12 @@ private:
+     /* Whether to run the build in a private network namespace. */
+     bool privateNetwork = false;
+ 
++    bool networked;
++    bool allowNetwork()
++    {
++        return derivationIsFixed(drv->type()) || networked;
++    }
++
+     typedef void (DerivationGoal::*GoalState)();
+     GoalState state;
+ 
 -- 
-2.28.0
+2.29.0
 

nixops/common-users.nix

@@ -68,6 +68,7 @@
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
     openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMviQek/1Wj525Y5QQb3fXimJ9srOgWJNBxKKB5xfOzEzlU/MQr49sUSyq1+wUXOc2lHjQQb4aNbs8QyzhgynvlZZ4C/scFXLv83V8SFd8fXb8YiJ5OXBCxiHAZWJF/99kxQNeLvp3qvU+hWG3nLHd6NDTbyqG+EIEaZkJsVbdCzL/ERUbCZPNkfgY5zv62i9zR8XJtt77lyCprOs4q27wD+FplkjN3skeWJYr0F+yuf2DEC1ZrOS1uYHVgPlOZRSQq8qtWr4K4ZMrFJ0Ul7Qzj/GjtqH59QZFcVgoHJhlSM5MUNn863IKuLPmHOsTYqA57bPj+vulMZwt63Qw0ehpVZnUo3MZjfI/fS5Ox8c0B+7/JmGXxQVe+mQ6feg24h3C3+npzI6VbGXr09+ka36d7bRDJdY6/LEhQZTiwXrwOxstFjbEucGDPFx0rsqDxPeQ77mA0GQw2J/hYr6kc+KDIipclxqq6tE6LEYaAzeiTePU+QSutLsOzEpXezY3vINd/Tp8oySQBliseKsByPV8m37egTHheLNbVvh6a4sfhm68MGDYNBAKGHyMpnnDf/G1PVf97wq0YpQWoCrYNbp7QQZST0UjEk8hARnI/UuZtkYOaube0lcO0zaMUtmX8Qq4dq+RMblcwjWVsqExljFNEhjJqRRY7ZfpJ5OdeiXFLQ=="
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ+FieYdkTS3BomeEVp7SMGD3HYDzdQHKi1WgqiFF5c3CYjFiwc/W/NrsCavEkLM9GrLKS1OKxHlG6gpsMGxiHuidoK7NDd3NhHL2jJFzH7haFktJ5DrkfRPPi4QPscZPg=="
     ];
   };

nixops/desktop.nix

@@ -3,7 +3,7 @@
 { config, pkgs, ... }:
 let
   m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
-  pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/master.tar.gz) {};
+  pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz) {};
 in
 {
   deployment.targetHost = host;

nixops/experimental-users.nix

@@ -1,20 +1,6 @@
 { pkgs, ... }:
 
 {
-  jaime = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPZGCpGW8n+cbGJbIa6Xqp/RpjbRXm55FfGCgw5uQzSk3MJraYaYZVUw4Z4n3WF0XyFirlgOf9RRxYM2GQoXaiq+qwPK1u4GvLTthGtfJ7LJJMjV4ouxooK205jTxp9mb3WTxzMRkcRK44B9tTZH7e36f+snBjCQRsjDTjZaYaxIUQ10gij+I4Cpq9EKrTf7fLgv+56tI6nxz3n8zeihklPOlCauA1WCN8nEU5PxRXL7Fi67kiXBoJJyUmhPg40YhC0zLhOzm7OhhM7RyIGB3bAyF1Q5GKScpPCYiAlm8j9VmQFHtulozs4cwypAOzMr48ekS3VMD1PPwbhHOOlSB1 jaime@jaime-ThinkPad"
-    ];
-  };
-  bpmasc = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArypocGpldQFmC1w5cIPnFi9UBKQsZ0F5+RdlxcsBTmpEpPStNAUoo9/WhBkybSyR+LoKgJi50uDHk1PnfCyQ6xEI75aPQKEhAk3Vm3XUesASB7yoRKqEGTxznC0XnIlTIMe1GpLSgJnxTcR6GZWukIX49QoK1qEcZ8z5Cn5CLR849jkBON6Lt9Z+dh/NZT93Ne+Yya1h1weibz4igTrLYelcVTfepgk4R+qRahfQXhjeG0gfAVCBV6AvHqBMs8HaUXQxdVN6OstKiIfw9DQsPf36HToDWmdRuZ1NUhiMr98K83C+AGQIkdZnN0f5ZUz7AB+kmGZgYwLc9R49qkYdvw=="
-    ];
-  };
   gs = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
@@ -22,18 +8,11 @@
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGtpxj1UPfV0oy5WGLYq2xXN8wBFUcsry9JStLVdc8eFBbp9VSb01Ba/JnJZOwEPvkOM0X5zdLxdOp3fMdL7tQ1Pqg2q/HdZpvkAHh5hH3fTAHx0Eu18SIWubG46Imv9yoOw/skCpIhIbaTrhzS6BB6A6m1hRv9U96cn9tUWtpAxS+3FZjylaBuJPDpClZB3dFgy0uCm3Pg9W/zdVM9VLlGdu2wVmFIoJ2BKhHJSbG6kA6+9Y5cPON64qoaL8j/LwrNLh+YXRU16kk1bVLfuEmUUE23+jbemkhIkBEFQdGG0+CxtsVpSv1/NJXfST+BuQ9Ef3+85kIl3vmTe4geFNn"
     ];
   };
-  cp = {
+  yrw = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
     openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZybZ/6DWAH7VwS+Mbr68MDtrMXUW5Qe7ovIHjsndprcLRGmkNVhfUU6XdWH4y4Y4KIPLjpJgEKbzYZLFMb0tIR1DbpCAZSRUI/iqyzs95h91qCVMlUyaNDlxag+tEUoV9h2p5tJB24/hSfnKXiZDV+WBFvKBdYXr5/oj13qBT9fFF/gqp9vhn/V81uy7U4r+5wNVUCDrNtFyGhWukDcKqip6Z3UcA3etjsSus5F90z4KAyZZpd3ADQjNJTgacEk0Cg1jR3qdyVW4P2M0QccNmjwAIz+8y3CemMoeiWxGMORVUyxX4biY/VAQR/qXbBXGVJD5S8ewQyTpfPtFHdzAcFn0OeX5RJguwPIx3V8L3X7NZTUyvR1hVNWwA4Ckh1mmwaqDLj2EnGAuWW4GL4TAVRVD1a3xzP0V59u9yuqlJKqWGSqIb7Lqqym/NL3ooPuF1Sf92NeRLmpWCXpd6mHadHZ0ChOT0OUFXxg1HBtUp1mqfelV6aRGpSYNsK7zC1f8="
-    ];
-  };
-  jim = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoHJaTx/646l19AHq7vuFT0Thd7kzQgka80p8dUFNuf4PxouyMGclUU7Fai4Y1pymE8scU7VL/W1tu1OSkUz7SXDcGNgGAZYfJZIJMvc27R3JsDGKdGDr9bSnOrohBN6pBhRg8edBOHoBLEz6lmJ0EZouiKBhmZFrEl6DSUDNotMHxggAe52wqO2e8aDBz6YkET25pSPdf21SOV3QNszZAWn/3NSJcb0AIsAdMb9FTdNXQK+fdBsWAxG/mGidIvJm/MhMmV1Qfc6TI9wqsXSKT+IeM1kfQ+xgobrdiG9zwnLmyu+uyFS+S3mGbP3P3YasUfSWOWq1lfRVgzGyqZtxj"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwyYQ6NV/+GWFpgLJa7fz8FBiSVYczVi900CWfMSyAYIusYrNt9xBYWBk5bUDqDLKrHlyjbtKIKUTjC9uGmdDD4rWlW1cHNabxeD7wu1DcjdLsRiB6ulFXRleq16RMDlFbFHyVaRD4J2j/1JxWqYTVeMNe4KuW979zcrwCSm/3VtWasLh88089FGyl1bEQiza/yCBqXCUyY1wGfpRESTfxn18zaP5jc1jGOeBl694Ci2iErwk42rjdhtSsQx+B9FAuYYXz6VPfPrQB6fqn2a70QATPQUEbiT9bXgh541xqHC9gt4QLYEj2bNR64DNjvos32jv9wWAjnSpC73m39o5QLNglF77KC1pdz7oMTH2dF+boOGAj0IpsnZJElcFVUpW1SBTuNDgSN2Yc8I5JlpoNUClKNefRQPeNvtenlJKgPI3TETx7PbWprmDaDunSp2URkKCYu+p3JV5MF6Up5crzNUoNLOYlIGauN/7Kh1/8ybVj9+zTKpP2D31RTmZG2ck="
     ];
   };
 }

nixops/rpi.nix

@@ -59,7 +59,7 @@ in
 
   documentation.enable = false;
   environment.systemPackages = with pkgs; [
-    psmisc wget vim git usbutils uhubctl lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
+    psmisc wget vim git sshfs usbutils uhubctl lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
   ];
   programs.fish.enable = true;
   programs.wireshark.enable = true;