users: migrate nixbld -> _nixbld
According to some investigation, creating "role" accounts avoids migration problems when upgrading to certain macOS versions, so create the build users to match that definition and remove the old ones if present. Role accounts require a name starting with _ and a UID in the 200-400 range.
parent
3b28c4675a
commit
5c3146b75d
2 changed files with 26 additions and 7 deletions
|
@ -44,14 +44,29 @@ let
|
|||
fi
|
||||
'';
|
||||
|
||||
oldBuildUsers = ''
|
||||
if dscl . -list /Users | grep -q '^nixbld'; then
|
||||
echo "[1;31mwarning: Detected old style nixbld users[0m" >&2
|
||||
echo "These can cause migration problems when upgrading to certain macOS versions" >&2
|
||||
echo "Running the installer again will remove and recreate the users in a way that avoids these problems" >&2
|
||||
echo >&2
|
||||
echo "$ darwin-install" >&2
|
||||
echo >&2
|
||||
echo "or enable to automatically manage the users" >&2
|
||||
echo >&2
|
||||
echo " users.nix.configureBuildUsers = true;" >&2
|
||||
echo >&2
|
||||
fi
|
||||
'';
|
||||
|
||||
buildUsers = ''
|
||||
buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
|
||||
if [ -z $buildUser ]; then
|
||||
echo "[1;31merror: Using the nix-daemon requires build users, aborting activation[0m" >&2
|
||||
echo "Create the build users or disable the daemon:" >&2
|
||||
echo "$ ./bootstrap -u" >&2
|
||||
echo "$ darwin-install" >&2
|
||||
echo >&2
|
||||
echo "or set" >&2
|
||||
echo "or set (this requires some manual intervention to restore permissions)" >&2
|
||||
echo >&2
|
||||
echo " services.nix-daemon.enable = false;" >&2
|
||||
echo >&2
|
||||
|
@ -200,6 +215,7 @@ in
|
|||
system.checks.text = mkMerge [
|
||||
darwinChanges
|
||||
runLink
|
||||
oldBuildUsers
|
||||
(mkIf config.nix.useDaemon buildUsers)
|
||||
(mkIf (!config.nix.useDaemon) singleUser)
|
||||
nixStore
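Review bot: The detection in `oldBuildUsers` uses `grep -q '^nixbld'`, which matches any local account whose name merely starts with nixbld, so an unrelated account would trigger a warning that tells the user to let the installer remove and recreate users. Anchoring the pattern to the legacy naming scheme, `grep -Eq '^nixbld[0-9]+$'`, keeps the warning tied to the accounts this module created. The check only prints to stderr and never aborts activation; a shell comment above it such as `# advisory only: legacy nixbldN accounts are not role accounts` would make that intent explicit. The enclosing `let` block starts and ends outside the hunk.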
|
||||
|
|
|
@ -13,9 +13,9 @@ let
|
|||
mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;
|
||||
|
||||
buildUsers = mkUsers (i: {
|
||||
name = "nixbld${toString i}";
|
||||
uid = 30000 + i;
|
||||
gid = 30000;
|
||||
name = "_nixbld${toString i}";
|
||||
uid = 300 + i;
|
||||
gid = 300;
|
||||
description = "Nix build user ${toString i}";
|
||||
});
|
||||
|
||||
|
@ -52,7 +52,7 @@ in
|
|||
|
||||
assertions = [
|
||||
{ assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
|
||||
{ assertion = elem "nixbld1" cfg.knownUsers -> elem "nixbld1" createdUsers; message = "refusing to delete user nixbld1 in users.knownUsers, this would break nix"; }
|
||||
{ assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
|
||||
{ assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
|
||||
];
|
||||
|
||||
|
@ -60,7 +60,10 @@ in
|
|||
users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);
|
||||
|
||||
users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
|
||||
users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkUsers (i: "nixbld${toString i}"));
|
||||
users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
|
||||
(mkUsers (i: "_nixbld${toString i}"))
|
||||
(mkUsers (i: "nixbld${toString i}")) # delete old style nixbld users
|
||||
]);
|
||||
|
||||
};
|
||||
}
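Review bot: `uid = 300 + i` is unbounded in `cfg.nix.nrBuildUsers`, so a large enough count pushes build users past the 200-400 range the commit message gives for role accounts, and nothing visible in these hunks checks that UID 301 upwards or gid 300 are not already assigned to another account on the host. A build user that ends up sharing a UID with an existing account loses the separation the dedicated build users are there to provide. An assertion next to the existing ones would catch the range part, e.g. `{ assertion = cfg.nix.nrBuildUsers <= 100; message = "nrBuildUsers must keep build user UIDs within the 200-400 role account range"; }`. The users now get `gid = 300`, but the nixbld group definition is outside the hunks shown, so confirm its gid was changed to match. The old-user cleanup in `users.knownUsers` only covers `nixbld1` through the current `nrBuildUsers`, so accounts left from a previously larger count would presumably survive and keep tripping the old-style warning.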
|
||||
|
|