From 25ecb1c3674b3e0a9267a6274d53784ca3fe06d0 Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Sun, 22 Sep 2024 14:56:53 +0530
Subject: [PATCH] chore: pin nix to 2.23

A security issue currently plagues nix_git package, along with some other issues cropping up in the newer versions. So we'll stick to the last stable, bug-free nix version for a while.

Signed-off-by: Chinmay D. Pai
---
modules/nixos/core/nix/default.nix | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/modules/nixos/core/nix/default.nix b/modules/nixos/core/nix/default.nix
index 457f3ed..560c335 100644
--- a/modules/nixos/core/nix/default.nix
+++ b/modules/nixos/core/nix/default.nix
@@ -4,8 +4,7 @@
lib,
pkgs,
...
-}:
-{
+}: {
options.snowflake.core.nix = {
enable = lib.mkEnableOption "Enable core nix configuration";
};
@@ -22,13 +21,16 @@
# Add each flake input as a registry to make nix3 commands
# consistent with nix flakes.
- registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
+ registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
# Add inputs to system's legacy channels.
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;

# Use the latest, unstable version of nix.
- package = pkgs.nixVersions.git;
+ package = pkgs.nixVersions.nix_2_23;
+ # TODO: switch back to nix git. Current version has a security issue that allows
+ # remote code execution.
+ # package = pkgs.nixVersions.git;

settings = {
# Accept flake configuration without prompting.
@@ -65,8 +67,8 @@
warn-dirty = false;

# Add cache substituters to allow fetching cached builds.
- trusted-substituters = [ "https://nix-community.cachix.org" ];
- trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+ trusted-substituters = ["https://nix-community.cachix.org"];
+ trusted-public-keys = ["nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="];
};
};
};
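Review bot: The TODO added above the new `package = pkgs.nixVersions.nix_2_23;` line says the git build "has a security issue that allows remote code execution" but gives no advisory, issue link or fixed version, so a later reader cannot tell when the pin is safe to lift and the TODO will quietly rot. I would record the reference and date in the comment, e.g. `# TODO: switch back to pkgs.nixVersions.git once <advisory/issue ref> is fixed in nixpkgs (pinned 2024-09).`. It is also worth stating in the same comment that a pinned nix no longer receives its own security fixes, so the pin itself needs a revisit date rather than an open-ended "for a while"; the stale `# Use the latest, unstable version of nix.` context comment just above now contradicts the pin and should be reworded. The enclosing attribute set starts and ends outside this hunk.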