Skip to content

[Backport release-25.05] nixos-rebuild-ng: validate NixOS configuration path#419059

Merged
thiagokokada merged 5 commits intorelease-25.05from
backport-418243-to-release-25.05
Jun 22, 2025
Merged

[Backport release-25.05] nixos-rebuild-ng: validate NixOS configuration path#419059
thiagokokada merged 5 commits intorelease-25.05from
backport-418243-to-release-25.05

Conversation

@nixpkgs-ci
Copy link
Copy Markdown
Contributor

@nixpkgs-ci nixpkgs-ci bot commented Jun 22, 2025

Bot-based backport to release-25.05, triggered by a label in #418243.

  • Before merging, ensure that this backport is acceptable for the release.
    • Even as a non-committer, if you find that it is not acceptable, leave a comment.

@thiagokokada @github-actions
nixos-rebuild-ng: validate NixOS configuration path
9705f0c 
When `path://` or `git+file://` protocol is used in Flake mode (that is
the most common case since we normalize the paths, see PR #375493) and
the current working directory in a symlink pointing base store path to
the Nix store (e.g., /run/opengl-driver/lib), there is a nasty bug where
Nix resolves the path as the Nix store path of the current derivation
instead of the target derivation.

Since we blindly activate this path, this can corrupt the installation
and break some other activation scripts, like `systemd-boot-builder.py`.
While it is possible to recover this situation using `nix-env -p
/nix/var/nix/profiles/system --delete-generations old`, this is far from
ideal.

This commit solves it by validating that the resolved NixOS
configuration path includes at least `$out/nixos-version`. I am not sure
if this is going to break some cases so there is a escape hatch in the
form of the environment variable
`NIXOS_REBUILD_I_UNDERSTAND_THE_CONSEQUENCES_PLEASE_BREAK_MY_SYSTEM`,
but in general it looks safe.

(cherry picked from commit 0dce56f)
@thiagokokada @github-actions
nixos-rebuild-ng: simplify Flake.parse() code
94b9c63 
(cherry picked from commit 8481fa7)
@thiagokokada @github-actions
nixos-rebuild-ng: add string concatenation linter
8cf7660 
(cherry picked from commit e2dbb9d)
@thiagokokada @github-actions
nixos-rebuild-ng: move validate_image_variant() outside execute()
feb284d 
(cherry picked from commit 3f58a11)
@thiagokokada @github-actions
nixos-rebuild-ng: NRError -> NixOSRebuildError
d6e6fde 
(cherry picked from commit e364976)
@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Jun 22, 2025
Merged
13 tasks
@nix-owners nix-owners bot requested a review from thiagokokada June 22, 2025 18:46
@github-actions github-actions bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 4.workflow: backport This targets a stable branch labels Jun 22, 2025
@thiagokokada thiagokokada merged commit 0d0210a into release-25.05 Jun 22, 2025
23 of 27 checks passed
@thiagokokada thiagokokada deleted the backport-418243-to-release-25.05 branch June 22, 2025 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thiagokokada thiagokokada Awaiting requested review from thiagokokada

Assignees

No one assigned

Labels

4.workflow: backport This targets a stable branch 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thiagokokada