Revert to 6f391da544

turns out environment propagation is hard

pkgs/nix-tools/darwin-rebuild.sh

@@ -26,11 +26,13 @@ showSyntax() {
 if command sudo --help | grep -- --preserve-env= >/dev/null; then
   # We use `env` before our command to ensure the preserved PATH gets checked
   # when trying to resolve the command to execute
-  sudo="command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION"
+  sudo_base="command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION"
+  sudo="$sudo_base env"
 else
-  sudo="command sudo -H"
+  sudo_base="command sudo -H"
+  sudo="$sudo_base"
 fi
-sudo() { $sudo env "$@"; }
+sudo() { $sudo "$@"; }
 
 # Parse the command line.
 origArgs=("$@")
@@ -146,28 +148,6 @@ done
 
 if [ -z "$action" ]; then showSyntax; fi
 
-# We currently need to invoke `activate-user` as a non-root user,
-# but need to be root for other actions such as switching profiles and
-# running `activate`. To avoid prompting for a password multiple times,
-# if we need to perform one of these actions we preemptively re-invoke
-# ourselves as root but remember the user who called us so that we can
-# later drop down to that user when invoking `activate-user`.
-if [ "$USER" = root ]; then
-  if [[ -z "$NIX_DARWIN_PRIMARY_USER" ]]; then
-    echo "$0: must be invoked as a non-root user"
-    exit 1
-  fi
-else
-  case $action in
-    edit|switch|activate|rollback|list)
-      sudo NIX_DARWIN_PRIMARY_USER="$USER" @out@/bin/darwin-rebuild "${origArgs[@]}"
-      exit $?
-      ;;
-  esac
-fi
-
-# From here on, if we are in the case list above, we are running as root.
-
 flakeFlags=(--extra-experimental-features 'nix-command flakes')
 
 # Use /etc/nix-darwin/flake.nix if it exists. It can be a symlink to the
@@ -219,7 +199,11 @@ if [ "$action" = switch ] || [ "$action" = build ] || [ "$action" = check ] || [
 fi
 
 if [ "$action" = list ] || [ "$action" = rollback ]; then
-  nix-env -p "$profile" "${extraProfileFlags[@]}"
+  if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then
+    sudo nix-env -p "$profile" "${extraProfileFlags[@]}"
+  else
+    nix-env -p "$profile" "${extraProfileFlags[@]}"
+  fi
 fi
 
 if [ "$action" = rollback ]; then
@@ -233,12 +217,26 @@ fi
 if [ -z "$systemConfig" ]; then exit 0; fi
 
 if [ "$action" = switch ]; then
-  nix-env -p "$profile" --set "$systemConfig"
+  if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then
+    sudo nix-env -p "$profile" --set "$systemConfig"
+  else
+    nix-env -p "$profile" --set "$systemConfig"
+  fi
 fi
 
 if [ "$action" = switch ] || [ "$action" = activate ] || [ "$action" = rollback ]; then
-  $sudo -u "$NIX_DARWIN_PRIMARY_USER" "$systemConfig/activate-user"
+  if [ "$USER" != root ]; then
-  "$systemConfig/activate"
+    # Running `$systemConfig/activate-user` may cause subsequent sudo invocations to prompt
+    # for the password even if we previously ran sudo in the same session, since `brew` resets
+    # the sudo timestamp: see https://github.com/Homebrew/brew/pull/17694.
+    # Indeed, by this point we've already run `nix-env --set` as sudo. So to avoid prompting a
+    # second time, we become root *before* running activate-user and then drop down to the user
+    # to invoke it. This way, the call to `activate` doesn't require a password.
+    sudo @shell@ -c "$sudo_base -u $USER $systemConfig/activate-user && $systemConfig/activate"
+  else
+    "$systemConfig/activate-user"
+    "$systemConfig/activate"
+  fi
 fi
 
 if [ "$action" = changelog ]; then