Document security concerns for nix.conf settings

[sellout]

Is your feature request related to a problem? Please describe.

The nix.conf documentation doesn’t do a good job of indicating or describing the security concerns of various settings, or how to mitigate them.

As #9649 points out, accept-flake-config is described very innocuously, but for various reasons is a massive security hole that has already resulted in compromised systems in the wild.

Describe the solution you'd like

The Nix manual should clearly tag each nix.conf setting with a known severity level, and link that tag to a detailed description of the known issues with that setting, along with any possible mitigations (e.g., “prefer to use --accept-flake-config on the command line as needed, after manually reviewing the nixConfig section of the flake, along with the security issues listed here for each of the settings in the nixConfig.”).

Priorities

Add 👍 to issues you find important.

[sellout]

#9649 (which inspired this issue) lists security concerns with settings including

• accept-flake-config
• trusted-users
• (trusted-)substituters
• post-build-hook

[sellout]

In the interests of making the documentation more navigable and less cluttered, it might also be worth pulling the experimental features blocks (like in flake-registry) out into another tag, like “[experimental:flakes]” that also links to somewhere else that describes once (and in more detail) how to enable the experimental features needed to make those settings available.

[fricklerhandwerk]

Triaged in Nix maintainer team meeting:

• @roberth: we could add a label to the data structure, could even include cross-cutting concerns such as fetching or caching
• PRs welcome!

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-07-10-nix-team-meeting-minutes-160/49101/1