FAQ/Pinning Nixpkgs: Difference between revisions
imported>Samueldr m Adds missing `;` |
m No edit summary |
(20 intermediate revisions by 11 users not shown) | |||
Line 4: | Line 4: | ||
not impacted by other systems' requirements. | not impacted by other systems' requirements. | ||
Another reason why one would want to pin nixpkgs is to get older versions of a specific software. [https://lazamar.co.uk/nix-versions/ This site] can show you all the versions a package went through, and what nixpkgs revision to use to get your specific version. | |||
Note: You can <code>sudo nix-channel --remove nixpkgs</code>, but you still need a nix-channel for nixos | |||
<pre> | |||
sudo nix-channel --list | |||
nixos https://nixos.org/channels/nixos-21.05 | |||
</pre> | |||
== Nix 2.0 onwards == | |||
Nix 2.0 introduces new builtins, <code>fetchTarball</code> and <code>fetchGit</code>, which make it possible to fetch a specific version of nixpkgs without depending on an existing one: | |||
<syntaxhighlight lang="nix"> | |||
import (builtins.fetchTarball { | |||
# Descriptive name to make the store path easier to identify | |||
name = "nixos-unstable-2018-09-12"; | |||
# Commit hash for nixos-unstable as of 2018-09-12 | |||
url = "https://github.com/nixos/nixpkgs/archive/ca2ba44cab47767c8127d1c8633e2b581644eb8f.tar.gz"; | |||
# Hash obtained using `nix-prefetch-url --unpack <url>` | |||
sha256 = "1jg7g6cfpw8qvma0y19kwyp549k1qyf11a5sg6hvn6awvmkny47v"; | |||
}) {} | |||
</syntaxhighlight> | |||
Or, to use git for fetching<!-- (this has the advantage of being somewhat faster for updates, but is slower for the initial fetch) [not true anymore, the repository sharing mechanism has been disabled (https://github.com/NixOS/nix/pull/2358)]-->: | |||
<syntaxhighlight lang="nix"> | |||
import (builtins.fetchGit { | |||
# Descriptive name to make the store path easier to identify | |||
name = "nixos-unstable-2018-09-12"; | |||
url = "https://github.com/nixos/nixpkgs/"; | |||
# Commit hash for nixos-unstable as of 2018-09-12 | |||
# `git ls-remote https://github.com/nixos/nixpkgs nixos-unstable` | |||
ref = "refs/heads/nixos-unstable"; | |||
rev = "ca2ba44cab47767c8127d1c8633e2b581644eb8f"; | |||
}) {} | |||
</syntaxhighlight> | |||
If the <code>ref</code> attribute is omitted, we get an error like this: | |||
<syntaxhighlight> | |||
fatal: not a tree object: 3d70d4ba0b6be256974910e635fadcc0e9579b2a | |||
error: while evaluating the attribute 'buildInputs' of the derivation 'nix-shell' at /nix/store/b93cq865x6qxpn4dw9ivrk3yjcsm8r97-nixos-19.09/pkgs/build-support/mkshell/default.nix:28:3: | |||
while evaluating 'getOutput' at /nix/store/b93cq865x6qxpn4dw9ivrk3yjcsm8r97-nixos-19.09/lib/attrsets.nix:464:23, called from undefined position: | |||
while evaluating anonymous function at /nix/store/b93cq865x6qxpn4dw9ivrk3yjcsm8r97-nixos-19.09/pkgs/stdenv/generic/make-derivation.nix:142:17, called from undefined position: | |||
program 'git' failed with exit code 128 | |||
</syntaxhighlight> | |||
== Before 2.0 == | |||
The following code uses the host's Nixpkgs as a | |||
springboard to fetch and import a specific, pinned version of Nixpkgs. | springboard to fetch and import a specific, pinned version of Nixpkgs. | ||
This is safe because the specific code we're using from the variable | This is safe because the specific code we're using from the variable | ||
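Review bot: The error output added under "If the ref attribute is omitted" does not belong to the example above it: it names commit 3d70d4ba0b6be256974910e635fadcc0e9579b2a and a nixos-19.09 store path, while the fetchGit example pins rev ca2ba44cab47767c8127d1c8633e2b581644eb8f from 2018-09-12. Either regenerate the output from the example as written or say that it comes from a different pin, and add a sentence on why the fetch fails without ref, since the text only shows the symptom. The syntaxhighlight tag on that block has no lang attribute; a pre block, as used for the nix-channel listing earlier in this hunk, suits plain program output better. It is also worth stating that the fetchGit variant carries no sha256 and relies on rev alone to fix the content, unlike the fetchTarball variant, and moving the "git ls-remote" comment next to the rev line it documents rather than above ref.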
Line 20: | Line 70: | ||
pinnedPkgs = hostPkgs.fetchFromGitHub { | pinnedPkgs = hostPkgs.fetchFromGitHub { | ||
owner = "NixOS"; | owner = "NixOS"; | ||
repo = "nixpkgs | repo = "nixpkgs"; | ||
# nixos-unstable as of 2017-11-13T08:53:10-00:00 | # nixos-unstable as of 2017-11-13T08:53:10-00:00 | ||
rev = "ac355040656de04f59406ba2380a96f4124ebdad"; | rev = "ac355040656de04f59406ba2380a96f4124ebdad"; | ||
sha256 = "0frhc7mnx88sird6ipp6578k5badibsl0jfa22ab9w6qrb88j825"; | sha256 = "0frhc7mnx88sird6ipp6578k5badibsl0jfa22ab9w6qrb88j825"; | ||
}; | }; | ||
in import pinnedPkgs {} | in import pinnedPkgs {} | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 40: | Line 90: | ||
$ nix-shell -p nix-prefetch-git | $ nix-shell -p nix-prefetch-git | ||
[nix-shell:~]$ nix-prefetch-git https://github.com/nixos/nixpkgs | [nix-shell:~]$ nix-prefetch-git https://github.com/nixos/nixpkgs.git refs/heads/nixos-unstable > nixpkgs-version.json | ||
... | ... | ||
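Review bot: The new command on the right-hand side resolves the moving ref "refs/heads/nixos-unstable", so every run produces a different rev and sha256, and the "> nixpkgs-version.json" redirect truncates the existing pin before nix-prefetch-git has produced anything. If the prefetch fails, the file is left empty or partial and the import that reads it breaks. Suggest writing to a temporary file and moving it into place on success, and, if the surrounding text does not already say so, noting that nixpkgs-version.json is the pin itself and should change only when someone reruns the command on purpose.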
Line 46: | Line 96: | ||
[nix-shell:~]$ cat nixpkgs-version.json | [nix-shell:~]$ cat nixpkgs-version.json | ||
{ | { | ||
"url": "https://github.com/nixos/nixpkgs | "url": "https://github.com/nixos/nixpkgs.git", | ||
"rev": "f607771d0f5e4fa905afff1c772febd9f3103e1a", | "rev": "f607771d0f5e4fa905afff1c772febd9f3103e1a", | ||
"date": "2018-01-09T11:18:25-05:00", | "date": "2018-01-09T11:18:25-05:00", | ||
Line 62: | Line 112: | ||
pinnedPkgs = hostPkgs.fetchFromGitHub { | pinnedPkgs = hostPkgs.fetchFromGitHub { | ||
owner = "NixOS"; | owner = "NixOS"; | ||
repo = "nixpkgs | repo = "nixpkgs"; | ||
inherit (pinnedVersion) rev sha256; | inherit (pinnedVersion) rev sha256; | ||
}; | }; | ||
Line 80: | Line 130: | ||
pinnedPkgs = hostPkgs.fetchFromGitHub { | pinnedPkgs = hostPkgs.fetchFromGitHub { | ||
owner = "NixOS"; | owner = "NixOS"; | ||
repo = "nixpkgs | repo = "nixpkgs"; | ||
inherit (pinnedVersion) rev sha256; | inherit (pinnedVersion) rev sha256; | ||
}; | }; | ||
Line 103: | Line 153: | ||
in import patchedPkgs {}; | in import patchedPkgs {}; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Pinning an unstable service == | |||
How to upgrade a single package and service to an unstable version | |||
There is probably a better way, especially once flakes come around. Some packages let you specify which <code>package</code> to run as an option but most don't. The following is a generic way that also works for those which don't. | |||
add to configuration.nix a set allowing unstable packages. | |||
This assumes a channel named <code>nixpkgs-unstable</code> exists, like so: | |||
<syntaxhighlight lang="bash"> | |||
nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable | |||
nix-channel --update | |||
</syntaxhighlight> | |||
then in <code>configuration.nix</code> allow unstable packages: | |||
<syntaxhighlight lang="nix"> | |||
# Allow unstable packages. | |||
nixpkgs.config = { | |||
allowUnfree = true; | |||
packageOverrides = pkgs: { | |||
unstable = import <nixpkgs-unstable> { | |||
config = config.nixpkgs.config; | |||
}; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
This means you can now refer to unstable packages as <code>pkgs.unstable.nameofpackage</code> which is great. | |||
For example: | |||
<syntaxhighlight lang="nix"> | |||
environment.systemPackages = with pkgs; [ | |||
unstable.bind | |||
unstable.dnsutils | |||
vim | |||
]; | |||
</syntaxhighlight> | |||
This will use unstable bind and dnsutils, but the stable vim. | |||
Except bind is a service, and if you want a service....usually you just do something like: | |||
<syntaxhighlight lang="nix"> | |||
services.bind.enable = true; | |||
... | |||
</syntaxhighlight> | |||
Except services will refer to <code>pkgs.bind</code>, not <code>pkgs.unstable.bind</code> | |||
so disable services.bind and create your own: | |||
<syntaxhighlight lang="nix"> | |||
users.users.named = | |||
{ uid = config.ids.uids.bind; | |||
description = "BIND daemon user"; | |||
}; | |||
systemd.services.mybind = { | |||
description = "BIND Domain Name Server"; | |||
unitConfig.Documentation = "man:named(8)"; | |||
after = [ "network.target" ]; | |||
wantedBy = [ "multi-user.target" ]; | |||
preStart = '' | |||
mkdir -m 0755 -p /etc/bind | |||
if ! [ -f "/etc/bind/rndc.key" ]; then | |||
${pkgs.unstable.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u named -a -A hmac-sha256 2>/dev/null | |||
fi | |||
${pkgs.coreutils}/bin/mkdir -p /run/named | |||
chown named /run/named | |||
''; | |||
serviceConfig = { | |||
ExecStart = "${pkgs.unstable.bind.out}/sbin/named -u named -4 -c /etc/bind/named.conf -f"; | |||
ExecReload = "${pkgs.unstable.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; | |||
ExecStop = "${pkgs.unstable.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
where all the stuff just comes from the bind services definition(which you can get from the source link on the nixos options page.) | |||
Just replace named variables, and replace <code>${pkgs.bind.out</code> with <code>${pkgs.unstable.bind.out}</code> | |||
== See also == | |||
- [https://nix.dev/reference/pinning-nixpkgs Pinning Nixpkgs] | |||
- [https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs Towards Reproducibility: Pinning Nixpkgs] | |||
- [https://nix.dev/guides/recipes/dependency-management.html Dependency Management] |
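Review bot: The "Pinning an unstable service" section does not pin anything: "unstable = import <nixpkgs-unstable>" in packageOverrides resolves through a channel that the preceding "nix-channel --update" moves, so the named binary started by systemd.services.mybind changes with every channel update. On a page about pinning, replace the channel import with a fixed-commit fetch that carries a sha256, as in the "Nix 2.0 onwards" section, or retitle the section to say it tracks the unstable channel. Further points in the same hunk: "allowUnfree = true;" sits under the comment "Allow unstable packages" but is unrelated to it and widens what the system will install, so drop it or explain it; the preStart line for rndc-confgen ends in "2>/dev/null", which hides a failed key generation; the closing sentence has "${pkgs.bind.out" without its closing brace; and the See also entries start with "-" where wiki list markup uses "*".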