From 2d3231856a4125cd24258112fc9b02bbc118b8ea Mon Sep 17 00:00:00 2001
From: Magic_RB
Date: Sun, 15 Aug 2021 00:24:08 +0200
Subject: [PATCH] Switch Hydra to use a patch instead of a fork

Signed-off-by: Magic_RB
---
 .../0001-Add-ignored_acls-setting.patch | 49 +++++++++++++++++++
 containers/hydra.nix | 9 +---
 2 files changed, 51 insertions(+), 7 deletions(-)
 create mode 100644 containers/0001-Add-ignored_acls-setting.patch

diff --git a/containers/0001-Add-ignored_acls-setting.patch b/containers/0001-Add-ignored_acls-setting.patch
new file mode 100644
index 0000000..8a80ceb
--- /dev/null
+++ b/containers/0001-Add-ignored_acls-setting.patch
@@ -0,0 +1,49 @@
+From 8438114399ce025b6977215dbaedc05697a6d958 Mon Sep 17 00:00:00 2001
+From: Magic_RB
+Date: Mon, 3 May 2021 09:54:31 +0200
+Subject: [PATCH] Add ignored_acls setting
+
+Signed-off-by: Magic_RB
+---
+ src/libstore/globals.hh | 9 +++++++++
+ src/libstore/local-store.cc | 4 +---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
+index 8784d5faf..7e01b4960 100644
+--- a/src/libstore/globals.hh
++++ b/src/libstore/globals.hh
+@@ -805,6 +805,15 @@ public:
+ may be useful in certain scenarios (e.g. to spin up containers or
+ set up userspace network interfaces in tests).
+ )"};
++
++ Setting ignoredAcls{
++ this, {"security.selinux"}, "ignored-acls",
++ R"(
++ A list of ACLs that should be ignored, normally Nix attempts to
++ remove all ACLs from files and directories in the Nix store, but
++ some ACLs like `security.selinux` or `system.nfs4_acl` can't be
++ removed even by root. Therefore it's best to just ignore them.
++ )"};
+ #endif
+
+ Setting hashedMirrors{
+diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
+index 747eb205e..c6f774bc2 100644
+--- a/src/libstore/local-store.cc
++++ b/src/libstore/local-store.cc
+@@ -583,9 +583,7 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
+ throw SysError("querying extended attributes of '%s'", path);
+
+ for (auto & eaName: tokenizeString(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
+- /* Ignore SELinux security labels since these cannot be
+- removed even by root. */
+- if (eaName == "security.selinux") continue;
++ if (settings.ignoredAcls.get().count(eaName)) continue;
+ if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
+ throw SysError("removing extended attribute '%s' from '%s'", eaName, path);
+ }
+--
+2.32.0
+
diff --git a/containers/hydra.nix b/containers/hydra.nix
index 4720296..9ae3613 100644
--- a/containers/hydra.nix
+++ b/containers/hydra.nix
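Review bot: The description of the new `ignored-acls` setting in the globals.hh part of this vendored patch never states what listing a name does: every entry is exempted from the removal loop in `canonicalisePathMetaData_` (the local-store.cc part; that function starts and ends outside the hunk), so whatever is listed stays on store paths, while the loop otherwise strips every extended attribute it finds, security-relevant ones included. I would end the description with `Every attribute listed here is left in place on store paths, so only add names the kernel refuses to remove.` The setting is also misnamed: `security.selinux` and `system.nfs4_acl` are extended-attribute names, not ACLs, and the check `settings.ignoredAcls.get().count(eaName)` runs on xattr names, so `ignored-xattrs` / `ignoredXattrs` would describe what it does. Because this patch now lives in the repository, the wording can be fixed here before it drifts further from whatever upstream eventually accepts.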
@@ -48,13 +48,8 @@ in
 type.services = {};
 };
 nix = {
- package = pkgs.nixFlakes.override {
- src = pkgs.fetchFromGitHub {
- owner = "MagicRB";
- repo = "nix";
- rev = "a02c34500960b8bc18fe1bdc1431ea252573a5cf";
- sha256 = "sha256-6VbjvNIDxPdjA+FcY2Kh1vSh8RJ7ubezqprTy81lq9U=";
- };
+ package = pkgs.nixUnstable.override {
+ patches = [ ./0001-Add-ignored_acls-setting.patch ];
 };
 loadNixDb = true;
 overlayNix = "/nix-persist";
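Review bot: `pkgs.nixUnstable.override { patches = [ ... ] }` replaces the `patches` argument wholesale rather than appending to it, so any patches the nixUnstable derivation carries on its own are silently dropped, and the override only works at all if the derivation exposes `patches` as a function argument, which I cannot confirm from this hunk. `overrideAttrs` avoids both problems: `package = pkgs.nixUnstable.overrideAttrs (old: { patches = (old.patches or []) ++ [ ./0001-Add-ignored_acls-setting.patch ]; });`. The change also trades a fork pinned by `rev` and `sha256` for whatever nixUnstable the pinned nixpkgs resolves to, so the patch's local-store.cc context can drift on a nixpkgs update; a failed patch application breaks the build loudly, which is acceptable, but a comment naming the version the patch was written against would save the next person the search, e.g. `# patch written against nixUnstable from nixpkgs <rev placeholder>`.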