From 3d43c108c8181ac1d299130144c29c9629764300 Mon Sep 17 00:00:00 2001 From: andre4ik3 Date: Thu, 13 Feb 2025 09:55:56 +0400 Subject: [PATCH] nix: fix auto-allocate-uids Fixes auto-allocate-uids not working due to errors during activation checks. Also fixes a bug where raising `nrBuildUsers` would create new `_nixbld` users, but lowering it wouldn't then remove those users. --- modules/nix/default.nix | 36 +++++++++++++++++++++++++++++------- modules/system/checks.nix | 5 +++-- modules/users/default.nix | 4 ++-- 3 files changed, 34 insertions(+), 11 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index e5d0801d..ff35c892 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -412,8 +412,20 @@ in description = "Environment variables used by Nix."; }; - nrBuildUsers = mkOption { + # Not in NixOS module + maxBuildUsers = mkOption { type = types.int; + internal = true; + # Having over 40 users can be problematic with the default build user + # UIDs starting at 351. Apple already uses GID 395 in macOS Sequoia. + default = 40; + description = '' + Maximum number of users to allow for {option}`nrBuildUsers`. + ''; + }; + + nrBuildUsers = mkOption { + type = types.ints.between 0 cfg.maxBuildUsers; inherit (managedDefault "nix.nrBuildUsers" 0) default defaultText; description = '' Number of `nixbld` user accounts created to @@ -807,8 +819,8 @@ in # Not in NixOS module { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } - { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } - { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } + { assertion = configureBuildUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } + { assertion = configureBuildUsers -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } { # Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100 @@ -843,18 +855,28 @@ in rm --force $out/bin/nix-channel ''; - nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); + nix.nrBuildUsers = mkDefault ( + if !configureBuildUsers then + 0 + else + max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) + ); - users.users = mkIf configureBuildUsers nixbldUsers; + users.users = nixbldUsers; # Not in NixOS module - users.groups.nixbld = mkIf configureBuildUsers { + users.groups.nixbld = { description = "Nix build group for nix-daemon"; gid = config.ids.gids.nixbld; members = attrNames nixbldUsers; }; users.knownUsers = - let nixbldUserNames = attrNames nixbldUsers; + let + # This creates 128 "known" build users -- in other words, any user + # between `_nixbld1` and `_nixbld128` is considered "managed" by + # nix-darwin, and will be created/deleted as `nrBuildUsers` increases + # and decreases (or is set to 0 in case of `auto-allocate-uids`. + nixbldUserNames = map (x: "_nixbld${toString x}") (range 1 128); in mkMerge [ nixbldUserNames diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 6afe796c..7680a4eb 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -50,10 +50,11 @@ let ''; preSequoiaBuildUsers = '' - firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') + firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}' || echo 0) if # Don’t complain when we’re about to migrate old‐style build users… [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \ + && [[ $firstBuildUserID != 0 ]] \ && ! dscl . -list /Users | grep -q '^nixbld' then printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n' @@ -277,7 +278,7 @@ in (mkIf cfg.verifyMacOSVersion macOSVersion) (mkIf config.nix.enable determinate) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) - (mkIf cfg.verifyBuildUsers buildGroupID) + (mkIf config.nix.enable buildGroupID) (mkIf config.nix.enable nixDaemon) nixInstaller (mkIf cfg.verifyNixPath nixPath) diff --git a/modules/users/default.nix b/modules/users/default.nix index 706abbfa..f7895be3 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -317,11 +317,11 @@ in ${concatMapStringsSep "\n" (name: '' u=$(id -u ${escapeShellArg name} 2> /dev/null) || true if [ -n "$u" ]; then - if [ "$u" -gt 501 ]; then + if [ "$u" -gt 501 ] || { [ "$u" -gt ${toString config.ids.uids.nixbld} ] && [ "$u" -le ${toString (config.ids.uids.nixbld + config.nix.maxBuildUsers)} ]; }; then echo "deleting user ${name}..." >&2 dscl . -delete ${escapeShellArg "/Users/${name}"} else - echo "warning: existing user '${name}' has unexpected uid $u, skipping..." >&2 + echo "warning: skipping deletion of system user '${name}' with uid $u..." >&2 fi fi '') deletedUsers}