Add support for impure derivations

Impure derivations are derivations that can produce a different result
every time they're built. Example:

  stdenv.mkDerivation {
    name = "impure";
    __impure = true; # marks this derivation as impure
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    buildCommand = "date > $out";
  };

Some important characteristics:

* This requires the 'impure-derivations' experimental feature.

* Impure derivations are not "cached". Thus, running "nix-build" on
  the example above multiple times will cause a rebuild every time.

* They are implemented similar to CA derivations, i.e. the output is
  moved to a content-addressed path in the store. The difference is
  that we don't register a realisation in the Nix database.

* Pure derivations are not allowed to depend on impure derivations. In
  the future fixed-output derivations will be allowed to depend on
  impure derivations, thus forming an "impurity barrier" in the
  dependency graph.

* When sandboxing is enabled, impure derivations can access the
  network in the same way as fixed-output derivations. In relaxed
  sandboxing mode, they can access the local filesystem.

tests/impure-derivations.nix

@@ -0,0 +1,46 @@
+with import ./config.nix;
+
+rec {
+
+  impure = mkDerivation {
+    name = "impure";
+    outputs = [ "out" "stuff" ];
+    buildCommand =
+      ''
+        x=$(< $TEST_ROOT/counter)
+        mkdir $out $stuff
+        echo $x > $out/n
+        ln -s $out/n $stuff/bla
+        printf $((x + 1)) > $TEST_ROOT/counter
+      '';
+    __impure = true;
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+    impureEnvVars = [ "TEST_ROOT" ];
+  };
+
+  impureOnImpure = mkDerivation {
+    name = "impure-on-impure";
+    buildCommand =
+      ''
+        x=$(< ${impure}/n)
+        mkdir $out
+        printf X$x > $out/n
+        ln -s ${impure.stuff} $out/symlink
+        ln -s $out $out/self
+      '';
+    __impure = true;
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+  };
+
+  # This is not allowed.
+  inputAddressed = mkDerivation {
+    name = "input-addressed";
+    buildCommand =
+      ''
+        cat ${impure} > $out
+      '';
+  };
+
+}

tests/impure-derivations.sh

@@ -0,0 +1,39 @@
+source common.sh
+
+requireDaemonNewerThan "2.8pre20220311"
+
+enableFeatures "ca-derivations ca-references impure-derivations"
+
+clearStore
+
+# Basic test of impure derivations: building one a second time should not use the previous result.
+printf 0 > $TEST_ROOT/counter
+
+json=$(nix build -L --no-link --json --file ./impure-derivations.nix impure)
+path1=$(echo $json | jq -r .[].outputs.out)
+path1_stuff=$(echo $json | jq -r .[].outputs.stuff)
+[[ $(< $path1/n) = 0 ]]
+[[ $(< $path1_stuff/bla) = 0 ]]
+
+[[ $(nix path-info --json $path1 | jq .[].ca) =~ fixed:r:sha256: ]]
+
+path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
+[[ $(< $path2/n) = 1 ]]
+
+# Test impure derivations that depend on impure derivations.
+path3=$(nix build -L --no-link --json --file ./impure-derivations.nix impureOnImpure -vvvvv | jq -r .[].outputs.out)
+[[ $(< $path3/n) = X2 ]]
+
+path4=$(nix build -L --no-link --json --file ./impure-derivations.nix impureOnImpure -vvvvv | jq -r .[].outputs.out)
+[[ $(< $path4/n) = X3 ]]
+
+# Test that (self-)references work.
+[[ $(< $path4/symlink/bla) = 3 ]]
+[[ $(< $path4/self/n) = X3 ]]
+
+# Input-addressed derivations cannot depend on impure derivations directly.
+nix build -L --no-link --json --file ./impure-derivations.nix inputAddressed 2>&1 | grep 'depends on impure derivation'
+
+drvPath=$(nix eval --json --file ./impure-derivations.nix impure.drvPath | jq -r .)
+[[ $(nix show-derivation $drvPath | jq ".[\"$drvPath\"].outputs.out.impure") = true ]]
+[[ $(nix show-derivation $drvPath | jq ".[\"$drvPath\"].outputs.stuff.impure") = true ]]

tests/local.mk

@@ -97,7 +97,8 @@ nix_tests = \
   nix-profile.sh \
   suggestions.sh \
   store-ping.sh \
-  fetchClosure.sh
+  fetchClosure.sh \
+  impure-derivations.sh
 
 ifeq ($(HAVE_LIBCPUID), 1)
 	nix_tests += compute-levels.sh