users: migrate nixbld -> _nixbld

According to some investigation creating "role" accounts avoids migration problems when upgrading to certain macOS versions, so create the build users to match that definition and remove the old ones if present. Role accounts require name starting with _ and UID in 200-400 range
2025-03-13 20:30:02 +00:00 · 2021-02-17 21:58:03 +01:00 · 2021-02-17 21:58:03 +01:00 · 5c3146b75d
commit 5c3146b75d
parent 3b28c4675a
2 changed files with 26 additions and 7 deletions
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@ -44,14 +44,29 @@ let
    fi
  '';

+  oldBuildUsers = ''
+    if dscl . -list /Users | grep -q '^nixbld'; then
+        echo "[1;31mwarning: Detected old style nixbld users[0m" >&2
+        echo "These can cause migration problems when upgrading to certain macOS versions" >&2
+        echo "Running the installer again will remove and recreate the users in a way that avoids these problems" >&2
+        echo >&2
+        echo "$ darwin-install" >&2
+        echo >&2
+        echo "or enable to automatically manage the users" >&2
+        echo >&2
+        echo "    users.nix.configureBuildUsers = true;" >&2
+        echo >&2
+    fi
+  '';
+
  buildUsers = ''
    buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
    if [ -z $buildUser ]; then
        echo "[1;31merror: Using the nix-daemon requires build users, aborting activation[0m" >&2
        echo "Create the build users or disable the daemon:" >&2
-        echo "$ ./bootstrap -u" >&2
+        echo "$ darwin-install" >&2
        echo >&2
-        echo "or set" >&2
+        echo "or set (this requires some manual intervention to restore permissions)" >&2
        echo >&2
        echo "    services.nix-daemon.enable = false;" >&2
        echo >&2
@ -200,6 +215,7 @@ in
    system.checks.text = mkMerge [
      darwinChanges
      runLink
+      oldBuildUsers
      (mkIf config.nix.useDaemon buildUsers)
      (mkIf (!config.nix.useDaemon) singleUser)
      nixStore
--- a/modules/users/nixbld/default.nix
+++ b/modules/users/nixbld/default.nix
@ -13,9 +13,9 @@ let
  mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;

  buildUsers = mkUsers (i: {
-    name = "nixbld${toString i}";
-    uid = 30000 + i;
-    gid = 30000;
+    name = "_nixbld${toString i}";
+    uid = 300 + i;
+    gid = 300;
    description = "Nix build user ${toString i}";
  });

@ -52,7 +52,7 @@ in

    assertions = [
      { assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
-      { assertion = elem "nixbld1" cfg.knownUsers -> elem "nixbld1" createdUsers; message = "refusing to delete user nixbld1 in users.knownUsers, this would break nix"; }
+      { assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
      { assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
    ];

@ -60,7 +60,10 @@ in
    users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);

    users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
-    users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkUsers (i: "nixbld${toString i}"));
+    users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
+      (mkUsers (i: "_nixbld${toString i}"))
+      (mkUsers (i: "nixbld${toString i}"))  # delete old style nixbld users
+    ]);

  };
 }