From 5531b3f74be2edca239978f3091731e272c4ebee Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Wed, 1 Mar 2023 21:26:39 -0500
Subject: [PATCH] home: Add buildEnvWithNoChroot to help avoid darwin sandbox failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allows setting `__noChroot = true` on select derivations that assemble large numbers of paths. This may be used to avoid sandbox failures on darwin, see https://github.com/NixOS/nix/issues/4119 and the `sandbox` option in `man nix.conf`. I wish there was a way to do something akin to overlays for config, alas there is not afaik, so the only way is to add an option. Since this is opt-in, anyone enabling it thus understands the “risks” of disabling the sandbox, however the risk for these derivations should be fairly low, and this allows enabling the sandbox more generally on Darwin, which is beneficial. I have only added to the derivations that started giving me problems, others may suffer from others but these are definitely likely to have huge dependency lists therefore exposing the problem. Despite this being intended only for use on Darwin, it is left somewhat generic and thus up to the user to do set it to e.g. `stdenv.hostPlatform.isDarwin`.
---
 modules/home-environment.nix | 26 ++++++++++++++++++++------
 modules/targets/darwin/fonts.nix | 4 ++--
 modules/targets/darwin/linkapps.nix | 5 +++--
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/modules/home-environment.nix b/modules/home-environment.nix
index 0e3bef900..b1a3a14f3 100644
--- a/modules/home-environment.nix
+++ b/modules/home-environment.nix
@@ -474,6 +474,14 @@ in
 '';
 };
+ home.buildEnvWithNoChroot = lib.mkEnableOption ''
+ Sets __noChroot = true on select buildEnv
+ derivations that assemble large numbers of paths, as well the activation
+ script derivations. This may be used to avoid sandbox failures on Darwin,
+ see https://github.com/NixOS/nix/issues/4119 and the sandbox
+ option in man nix.conf.
+ '';
+
 home.preferXdgDirectories = lib.mkEnableOption "" // {
 description = ''
 Whether to make programs use XDG directories whenever supported.
@@ -709,7 +717,7 @@ in
 )
 + lib.optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH";
- activationScript = pkgs.writeShellScript "activation-script" ''
+ activationScript = (pkgs.writeShellScript "activation-script" ''
 set -eu
 set -o pipefail
@@ -739,9 +747,11 @@ in
 run rm $VERBOSE_ARG "$legacyGenGcPath"
 fi
 ''}
- '';
+ '').overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
 in
- pkgs.runCommand
+ (pkgs.runCommand
 "home-manager-generation"
 {
 preferLocalBuild = true;
@@ -763,9 +773,11 @@ in
 ln -s ${cfg.path} $out/home-path
 ${cfg.extraBuilderCommands}
- '';
+ '').overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
- home.path = pkgs.buildEnv {
+ home.path = (pkgs.buildEnv {
 name = "home-manager-path";
 paths = cfg.packages;
@@ -776,6 +788,8 @@ in
 meta = {
 description = "Environment of packages installed through home-manager";
 };
- };
+ }).overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
 };
 }
diff --git a/modules/targets/darwin/fonts.nix b/modules/targets/darwin/fonts.nix
index 4c98f94d9..23fa4acce 100644
--- a/modules/targets/darwin/fonts.nix
+++ b/modules/targets/darwin/fonts.nix
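Review bot: The option text in the first hunk is passed directly to `lib.mkEnableOption`, which as far as I recall wraps its argument as "Whether to enable …", so the rendered description would start "Whether to enable Sets __noChroot = true on select buildEnv …"; the `home.preferXdgDirectories` option a few lines below shows the file's own convention for a custom description, `lib.mkEnableOption "" // { description = ''…''; }`, and this option should follow it. The description should also tell the reader that Nix honours `__noChroot` only under `sandbox = relaxed` and, to my knowledge, refuses to build a derivation carrying it when `sandbox = true`, so enabling this option under the wrong setting turns each listed derivation into a hard build failure rather than an unsandboxed build. While the text is touched, "as well the activation script derivations" should read "as well as the activation script derivations".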
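Review bot: `'').overrideAttrs (old: { __noChroot = cfg.buildEnvWithNoChroot; })` in the second hunk sets the attribute unconditionally, so with the option at its default the derivation still gains `__noChroot = false`, which I believe changes its hash and rebuilds the activation script for every user who never opted in; the same pattern appears in the following three hunks of this file and in the fonts.nix and linkapps.nix hunks. Adding the attribute only when enabled keeps the disabled path identical to today: `'').overrideAttrs (_: lib.optionalAttrs cfg.buildEnvWithNoChroot { __noChroot = true; });`. The `old` argument is unused in every override and can be written `_`. The `activationScript` binding starts before this hunk and its body continues into the next one.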
@@ -2,11 +2,11 @@
 let
 homeDir = config.home.homeDirectory;
- fontsEnv = pkgs.buildEnv {
+ fontsEnv = (pkgs.buildEnv {
 name = "home-manager-fonts";
 paths = config.home.packages;
 pathsToLink = "/share/fonts";
- };
+ }).overrideAttrs (old: { __noChroot = config.home.buildEnvWithNoChroot; });
 fonts = "${fontsEnv}/share/fonts";
 installDir = "${homeDir}/Library/Fonts/HomeManager";
 in {
diff --git a/modules/targets/darwin/linkapps.nix b/modules/targets/darwin/linkapps.nix
index caa461f45..765236071 100644
--- a/modules/targets/darwin/linkapps.nix
+++ b/modules/targets/darwin/linkapps.nix
@@ -19,11 +19,12 @@ in {
 config = lib.mkIf (pkgs.stdenv.hostPlatform.isDarwin && cfg.linkApps.enable) {
 # Install MacOS applications to the user environment.
 home.file.${cfg.linkApps.directory}.source = let
- apps = pkgs.buildEnv {
+ apps = (pkgs.buildEnv {
 name = "home-manager-applications";
 paths = config.home.packages;
 pathsToLink = "/Applications";
- };
+ }).overrideAttrs
+ (old: { __noChroot = config.home.buildEnvWithNoChroot; });
 in "${apps}/Applications";
 };
 }