restrict-eval is set to true by default #12659

@eureka-cpu

Describe the bug

The documentation states that restrict-eval in nix.conf is set to false by default: https://hydra.nixos.org/build/292448195/download/1/manual/command-ref/conf-file.html#conf-restrict-eval. However, I'm running into errors that should only happen if restrict-eval is true. The configuration does not have restrict-eval set at all...

nix-repl> outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.allowed-uris
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.allowed-users
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.auto-optimise-store
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.cores
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.experimental-features
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.extra-platforms
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.extra-sandbox-paths
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.flake-registry
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.gc-keep-derivations
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.gc-keep-outputs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.max-jobs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.netrc-file
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.post-build-hook
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.pre-build-hook
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.require-sigs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.sandbox
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.sandbox-fallback
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.substituters
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.system-features
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-public-keys
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-substituters
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-users
error: access to URI 'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609?narHash=sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck%3D' is forbidden in restricted mode
error: worker error: error:
              … in the right operand of the update (//) operator
                at /nix/store/sk4ga2wy0b02k7pnzakwq4r3jdknda4g-source/default.nix:137:19:
                 136|                 ${key} = (attrs.${key} or { })
                 137|                   // (appendSystem key system ret);

Steps To Reproduce

  1. create a flake configuration
  2. do not set nix.settings.restrict-eval
  3. add an input like github:<something>

Expected behavior

Expected not to see errors about restricted eval mode.

Metadata

nix-env (Nix) 2.24.11

Additional context

Up until this point, the same configuration worked fine, but we bumped to unstable and now restrict-eval is throwing errors even though it is unset. We were able to get past this by adding github: gitlab: to allowed-uris, though I'd assume that setting restrict-eval = false would also work. EDIT: restrict-eval = lib.mkForce false; does not fix it, somehow hydra-eval-jobs is still running in restricted mode.

May also be important to note this is on hydra machines.
