nix: fix auto-allocate-uids

Fixes auto-allocate-uids not working due to errors during activation checks. Also fixes a bug where raising `nrBuildUsers` would create new `_nixbld` users, but lowering it wouldn't then remove those users.
2025-03-31 04:04:45 +00:00 · 2025-02-13 09:55:56 +04:00 · 2025-02-13 09:55:56 +04:00 · 3d43c108c8
commit 3d43c108c8
parent 5d6e0851b6
3 changed files with 34 additions and 11 deletions
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@ -412,8 +412,20 @@ in
        description = "Environment variables used by Nix.";
      };

-      nrBuildUsers = mkOption {
+      # Not in NixOS module
+      maxBuildUsers = mkOption {
        type = types.int;
+        internal = true;
+        # Having over 40 users can be problematic with the default build user
+        # UIDs starting at 351. Apple already uses GID 395 in macOS Sequoia.
+        default = 40;
+        description = ''
+          Maximum number of users to allow for {option}`nrBuildUsers`.
+        '';
+      };
+
+      nrBuildUsers = mkOption {
+        type = types.ints.between 0 cfg.maxBuildUsers;
        inherit (managedDefault "nix.nrBuildUsers" 0) default defaultText;
        description = ''
          Number of `nixbld` user accounts created to
@ -807,8 +819,8 @@ in

        # Not in NixOS module
        { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
-        { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
-        { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
+        { assertion = configureBuildUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
+        { assertion = configureBuildUsers -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }

        {
          # Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100
@ -843,18 +855,28 @@ in
      rm --force $out/bin/nix-channel
    '';

-    nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
+    nix.nrBuildUsers = mkDefault (
+      if !configureBuildUsers then
+        0
+      else
+        max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)
+    );

-    users.users = mkIf configureBuildUsers nixbldUsers;
+    users.users = nixbldUsers;

    # Not in NixOS module
-    users.groups.nixbld = mkIf configureBuildUsers {
+    users.groups.nixbld = {
      description = "Nix build group for nix-daemon";
      gid = config.ids.gids.nixbld;
      members = attrNames nixbldUsers;
    };
    users.knownUsers =
-      let nixbldUserNames = attrNames nixbldUsers;
+      let
+        # This creates 128 "known" build users -- in other words, any user
+        # between `_nixbld1` and `_nixbld128` is considered "managed" by
+        # nix-darwin, and will be created/deleted as `nrBuildUsers` increases
+        # and decreases (or is set to 0 in case of `auto-allocate-uids`.
+        nixbldUserNames = map (x: "_nixbld${toString x}") (range 1 128);
      in
      mkMerge [
        nixbldUserNames
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@ -50,10 +50,11 @@ let
  '';

  preSequoiaBuildUsers = ''
-    firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
+    firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}' || echo 0)
    if
      # Don’t complain when we’re about to migrate old‐style build users…
      [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \
+      && [[ $firstBuildUserID != 0 ]] \
      && ! dscl . -list /Users | grep -q '^nixbld'
    then
        printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
@ -277,7 +278,7 @@ in
      (mkIf cfg.verifyMacOSVersion macOSVersion)
      (mkIf config.nix.enable determinate)
      (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
-      (mkIf cfg.verifyBuildUsers buildGroupID)
+      (mkIf config.nix.enable buildGroupID)
      (mkIf config.nix.enable nixDaemon)
      nixInstaller
      (mkIf cfg.verifyNixPath nixPath)
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@ -317,11 +317,11 @@ in
      ${concatMapStringsSep "\n" (name: ''
        u=$(id -u ${escapeShellArg name} 2> /dev/null) || true
        if [ -n "$u" ]; then
-          if [ "$u" -gt 501 ]; then
+          if [ "$u" -gt 501 ] || { [ "$u" -gt ${toString config.ids.uids.nixbld} ] && [ "$u" -le ${toString (config.ids.uids.nixbld + config.nix.maxBuildUsers)} ]; }; then
            echo "deleting user ${name}..." >&2
            dscl . -delete ${escapeShellArg "/Users/${name}"}
          else
-            echo "[1;31mwarning: existing user '${name}' has unexpected uid $u, skipping...[0m" >&2
+            echo "[1;31mwarning: skipping deletion of system user '${name}' with uid $u...[0m" >&2
          fi
        fi
      '') deletedUsers}