Standard gentoo-like "use" flags across nixpkgs

[copumpkin]

Before telling me nix already supports this, hear me out 😄

Take a "headless" Nix (NixOS or otherwise) system. A whole load of packages have slightly different options to disable GUI components, but none of them are standardized, and thus we can end up with a completely headless server bundling a ton of graphics stuff because it depends for example on pinentry which optionally supports a GUI prompt and thus pulls in a ton of graphical crap.

What if we instituted a set of standard flags that would be available through stdenv that would help us determine those options? For example:

{ stdenv, fetchurl, mesa, gnome }:

stdenv.mkDerivation {
  buildInputs = stdenv.lib.optional (!stdenv.flags.headless) [ mesa gnome ];
}

And then our closures get small again. Individual packages could still keep ad-hoc flags in their parameter set, but this would help us standardize on a set of common flags of this sort.

Off the top of my head, I'd start with these common flags:

• headless: disable any GUI components
• hardened: use any additional package-specific hardening measures available (the stdenv would also apply some default hardening steps, but certain packages might need additional knowledge of this) [this is already on by default, now]
• monolingual: get rid of language translations (and default to whatever you specify if not english)

There are probably others, but I think we could get a lot of value out of just these two.

cc:

• @edolstra @shlevy @vcunat: general knowing of things
• @globin @thoughtpolice: probably care about the hardened flag

[copumpkin]

I guess this is basically the config field, but cast in a slightly different light, with a centrally determined schema.

[cleverca22]

one issue i have noticed is that while there is a config.pulseaudio to force it on/off, every app has its own default, so its a total mess until you set it, and once you do, half of them miss the binary cache

[copumpkin]

I'd like to keep the space of flags fairly small so that we can conceivably get Hydra to build common combinations of them. Some sort of audio enable/disable flag also sounds reasonable, but I might just lump it under headless to keep the combination set small.

[domenkozar]

I think we all agree on this one, we need to define an API and the rest will follow :)

[vcunat]

Well, just a single flag may double the number of jobs on Hydra, and I imagine the hardened flag would want to affect some mass-rebuild stuff such as glibc. But we could have a smaller jobset for the hardened config.

What's missing in the config field? Centrally defined defaults and perhaps centrally checked basic consistency (like nixos types)? Why not add such features to config instead?

[jagajaga]

I suppose there was a discussion somehow related to this question.

[jagajaga]

Ooops, here is a link: #6968

[wmertens]

Good idea! The current implementation of this is basically the profiles like https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/headless.nix , but having actual boolean values to check would indeed be better

[spacekitteh]

@grahamc policy discussion, security

[vcunat]

The hardening is on by default, as amended in the issue, so I don't see any security-related stuff remaining here.