Merge branch 'nix-community:master' into notifications

r0chd · web-flow · commit f61db4fb7b75 · 2025-09-08T20:40:02.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,7 +14,7 @@ be put in the "Changed" section or, if it's just to remove code or
 functionality, under the "Removed" section.
 -->
 
-## Unreleased
+## 4.2.0
 
 ### Changed
 
@@ -50,8 +50,8 @@ functionality, under the "Removed" section.
   `run0` and a fallback `pkexec` strategies will be attempted if the system does
   not use `sudo`.
 - Nh will correctly prompt you for your `sudo` password while deploying
-  remotely. This helps mitigate the need to allow password-less `sudo` on
-  the target host to deploy remotely.
+  remotely. This helps mitigate the need to allow password-less `sudo` on the
+  target host to deploy remotely.
 
 ### Fixed
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -5,7 +5,7 @@ members = [ ".", "xtask" ]
 [workspace.package]
 edition      = "2024"
 rust-version = "1.86.0"
-version      = "4.2.0-beta4"
+version      = "4.2.0"
 
 [workspace.dependencies.clap]
 features = [ "cargo", "color", "derive", "env", "unstable-styles" ]
@@ -16,7 +16,7 @@ name                   = "nh"
 license                = "EUPL-1.2"
 repository             = "https://github.com/nix-community/nh"
 description            = "Yet Another Nix Helper"
-keywords               = [ "nix", "helper" ]
+keywords               = [ "nix", "nixos", "nix-darwin", "helper", "CLI" ]
 readme                 = "README.md"
 version.workspace      = true
 edition.workspace      = true
@@ -46,7 +46,7 @@ reqwest = { default-features = false, features = [
   "blocking",
   "json",
 ], version = "0.12.23" }
-secrecy = { version = "0.8.0", features = [ "serde" ] }
+secrecy = { version = "0.10.3", features = [ "serde" ] }
 semver = "1.0.26"
 serde = { features = [ "derive" ], version = "1.0.219" }
 serde_json = "1.0.143"
diff --git a/README.md b/README.md
@@ -215,6 +215,54 @@ The config would look like this:
 }
 ```
 
+## Environment variables
+
+NH supports several environment variables to control command behaviour. Some of
+the common variables that you may encounter or choose to employ are as follows:
+
+- `NH_NO_CHECKS`
+  - When set (any non-empty value), skips startup checks such as Nix version and
+    experimental feature validation. Useful for generating completions or
+    running in constrained build environments. You can also consider this an
+    "expert flag" that you can set for a non-zero performance benefit. It
+    assumes you know what you are doing.
+
+- `NH_FLAKE`
+  - Preferred flake path/reference used by NH when running flake-based commands.
+    Historically `FLAKE` was used; NH will migrate `FLAKE` into `NH_FLAKE` if
+    present and the specific `NH_*_FLAKE` vars are not set.
+
+- `NH_OS_FLAKE`, `NH_HOME_FLAKE`, `NH_DARWIN_FLAKE`
+  - Command-specific flake references for `os`, `home`, and `darwin` commands
+    respectively. If present they take precedence over `NH_FLAKE`.
+
+- `NH_SUDO_ASKPASS`
+  - Path to a program used as `SUDO_ASKPASS` when NH self-elevates with `sudo`.
+    If set and `sudo` is used for elevation, NH will pass `-A` to `sudo` and set
+    `SUDO_ASKPASS` accordingly.
+
+- `NH_PRESERVE_ENV`
+  - Controls whether environment variables marked for preservation are passed to
+    elevated commands. Set to `"0"` to disable preservation, `"1"` to force
+    preservation. If unset, preservation defaults to enabled.
+
+- `NH_LOG`
+  - Sets the tracing/log filter for NH. This uses the same format as
+    `tracing_subscriber` env filters (for example: `nh=trace`).
+
+- `NH_NOM`
+  - Control whether `nom` (nix-output-monitor) should be enabled for the build
+    processes. Equivalent of `--no-nom`.
+
+### Notes
+
+- Any environment variables prefixed with `NH_` are explicitly propagated by NH
+  to commands when appropriate.
+- For backwards compatibility, if `FLAKE` is present and none of the
+  command-specific `NH_*_FLAKE` variables exist, NH will set `NH_FLAKE` from
+  `FLAKE` and emit a warning recommending migration to `NH_FLAKE`. `FLAKE` will
+  be removed in the future versions of NH.
+
 ## Hacking
 
 Contributions are always welcome. To get started, just clone the repository and
diff --git a/src/commands.rs b/src/commands.rs
@@ -126,8 +126,7 @@ impl ElevationStrategy {
   /// # Returns
   ///
   /// * `Result<PathBuf>` - The absolute path to the privilege elevation program
-  ///   binary or an error if a
-  /// program can't be found.
+  ///   binary or an error if a program can't be found.
   fn choice() -> Result<PathBuf> {
     const STRATEGIES: [&str; 4] = ["doas", "sudo", "run0", "pkexec"];
 
@@ -368,12 +367,7 @@ impl Command {
     // "1" to force, unset defaults to force
     let preserve_env = std::env::var("NH_PRESERVE_ENV")
       .as_deref()
-      .map(|x| {
-        match x {
-          "0" => false,
-          _ => true,
-        }
-      })
+      .map(|x| !matches!(x, "0"))
       .unwrap_or(true);
 
     // Insert 'env' command to explicitly pass environment variables to the
@@ -463,7 +457,7 @@ impl Command {
             .without_confirmation()
             .prompt()
             .context("Failed to read sudo password")?;
-        let secret_password = SecretString::new(password);
+        let secret_password = SecretString::new(password.into());
         cache_password(host, secret_password.clone());
         Some(secret_password)
       }
@@ -1189,7 +1183,7 @@ mod tests {
   #[test]
   fn test_ssh_wrap_with_password() {
     let cmd = subprocess::Exec::cmd("echo").arg("hello");
-    let password = SecretString::new("testpass".to_string());
+    let password = SecretString::new("testpass".into());
     let wrapped = ssh_wrap(cmd, Some("user@host"), Some(&password));
 
     let cmdline = wrapped.to_cmdline_lossy();
