Add setting 'client-only-settings' to prevent forwarding to the daemon

[edolstra]

Motivation

We may not want to forward settings like netrc-file, e.g. if it contains passwords that are only intended for fetching sources. In addition, we currently get annoying warnings like

warning: ignoring the client-specified setting 'netrc-file', because it is a restricted setting and you are not a trusted user

if the client is not trusted.

This PR adds a new setting client-only-settings that allows the user to selectively disable forwarding to the daemon, e.g.

netrc-file = /home/eelco/bla/netrc
client-only-settings = netrc-file

Context

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[grahamc]

How about something like client-only-settings?

[roberth]

This would also be useful for locking down the daemon, rather than exclusively a client side option.

[Ericson2314]

This is a weakly-held opinion, but I sort of don't wish for new settings knob sat this time, at least just to silence a warning, when there whole way the settings works is suspect.

After the Meson stuff I get back to #11139, and then, yes, a counterpart for the main settings, and then bigger changes that would avoid the need for this are possible. We want Nix to have smarter defaults, and a better understanding of which settings affect which components, after all.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-08-02-nix-team-meeting-minutes-174/51512/1

[edolstra]

@roberth This is ready now. The daemon now also applies client-only-settings.

[roberth]

CI logs are gone. Reopening.