impure-checks: improve performance by disabling dynamic deps

checks/impure/flake-module.nix

@@ -1,6 +1,11 @@
 {
   perSystem =
-    { pkgs, lib, ... }:
+    {
+      pkgs,
+      lib,
+      self',
+      ...
+    }:
     {
       # a script that executes all other checks
       packages.impure-checks = pkgs.writeShellScriptBin "impure-checks" ''
@@ -10,14 +15,21 @@
         unset CLAN_DIR
 
         export PATH="${
-          lib.makeBinPath [
-            pkgs.gitMinimal
-            pkgs.nix
-            pkgs.rsync # needed to have rsync installed on the dummy ssh server
-          ]
+          lib.makeBinPath (
+            [
+              pkgs.gitMinimal
+              pkgs.nix
+              pkgs.rsync # needed to have rsync installed on the dummy ssh server
+            ]
+            ++ self'.packages.clan-cli-full.runtimeDependencies
+          )
         }"
         ROOT=$(git rev-parse --show-toplevel)
         cd "$ROOT/pkgs/clan-cli"
+
+        # this disables dynamic dependency loading in clan-cli
+        export CLAN_NO_DYNAMIC_DEPS=1
+
         nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -s -m impure ./tests $@"
       '';
     };

pkgs/clan-cli/clan_cli/machines/machines.py

@@ -166,7 +166,10 @@ class Machine:
         if extra_config is not None:
             metadata = nix_metadata(self.flake_dir)
             url = metadata["url"]
-            if "dirtyRevision" in metadata:
+            if (
+                "dirtyRevision" in metadata
+                or "dirtyRev" in metadata["locks"]["nodes"]["clan-core"]["locked"]
+            ):
                 # if not impure:
                 #     raise ClanError(
                 #         "The machine has a dirty revision, and impure mode is not allowed"

pkgs/clan-cli/clan_cli/nix/__init__.py

@@ -103,7 +103,7 @@ def nix_metadata(flake_url: str | Path) -> dict[str, Any]:
 def nix_shell(packages: list[str], cmd: list[str]) -> list[str]:
     # we cannot use nix-shell inside the nix sandbox
     # in our tests we just make sure we have all the packages
-    if os.environ.get("IN_NIX_SANDBOX"):
+    if os.environ.get("IN_NIX_SANDBOX") or os.environ.get("CLAN_NO_DYNAMIC_DEPS"):
         return cmd
     return [
         *nix_command(["shell", "--inputs-from", f"{nixpkgs_flake()!s}"]),

pkgs/clan-cli/clan_cli/nix/allowed-programs.json

@@ -1,6 +1,7 @@
 [
   "age",
   "bash",
+  "bubblewrap",
   "e2fsprogs",
   "git",
   "mypy",
@@ -8,8 +9,10 @@
   "openssh",
   "qemu",
   "rsync",
+  "pass",
   "sops",
   "sshpass",
   "tor",
+  "virtiofsd",
   "zbar"
 ]

pkgs/clan-cli/default.nix

@@ -30,8 +30,8 @@ let
   # load nixpkgs runtime dependencies from a json file
   # This file represents an allow list at the same time that is checked by the run_cmd
   #   implementation in nix.py
-  runtimeDependenciesAsSet = lib.genAttrs (lib.importJSON ./clan_cli/nix/allowed-programs.json) (
-    name: pkgs.${name}
+  runtimeDependenciesAsSet = lib.filterAttrs (_name: pkg: !pkg.meta.unsupported or false) (
+    lib.genAttrs (lib.importJSON ./clan_cli/nix/allowed-programs.json) (name: pkgs.${name})
   );
 
   runtimeDependencies = lib.attrValues runtimeDependenciesAsSet;

pkgs/clan-cli/tests/test_vms_cli.py

@@ -40,7 +40,7 @@ def run_vm_in_thread(machine_name: str) -> None:
 # wait for qmp socket to exist
 def wait_vm_up(state_dir: Path) -> None:
     socket_file = state_dir / "qga.sock"
-    timeout: float = 20
+    timeout: float = 100
     while True:
         if timeout <= 0:
             raise TimeoutError(