{ids,checks}: update for new builder UID/GID values
This commit is contained in:
parent
9c60c95008
commit
88b97aa49c
7 changed files with 83 additions and 8 deletions
14
CHANGELOG
14
CHANGELOG
|
@ -1,3 +1,17 @@
|
||||||
|
2024-09-10
|
||||||
|
- The default Nix build user group ID is now set to 350 when
|
||||||
|
`system.stateVersion` ≥ 5, to reflect the default for new Nix
|
||||||
|
installations. This only affects installations that enable
|
||||||
|
`nix.configureBuildUsers`, and any divergence will be detected on
|
||||||
|
system activation. To use `nix.configureBuildUsers` with a higher
|
||||||
|
`system.stateVersion` on installations using the old group ID, set:
|
||||||
|
|
||||||
|
ids.gids.nixbld = 30000;
|
||||||
|
|
||||||
|
We do not recommend trying to change the group ID with macOS user
|
||||||
|
management tools without a complete uninstallation and reinstallation
|
||||||
|
of Nix.
|
||||||
|
|
||||||
2024-06-15
|
2024-06-15
|
||||||
- SECURITY NOTICE: The previous implementation of the
|
- SECURITY NOTICE: The previous implementation of the
|
||||||
`users.users.<name>.openssh.authorizedKeys.*` options would not delete
|
`users.users.<name>.openssh.authorizedKeys.*` options would not delete
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
|
|
||||||
# Used for backwards compatibility, please read the changelog before changing.
|
# Used for backwards compatibility, please read the changelog before changing.
|
||||||
# $ darwin-rebuild changelog
|
# $ darwin-rebuild changelog
|
||||||
system.stateVersion = 4;
|
system.stateVersion = 5;
|
||||||
|
|
||||||
# The platform the configuration will be used on.
|
# The platform the configuration will be used on.
|
||||||
nixpkgs.hostPlatform = "x86_64-darwin";
|
nixpkgs.hostPlatform = "x86_64-darwin";
|
||||||
|
|
|
@ -25,5 +25,5 @@ with lib;
|
||||||
|
|
||||||
# Used for backwards compatibility, please read the changelog before changing.
|
# Used for backwards compatibility, please read the changelog before changing.
|
||||||
# $ darwin-rebuild changelog
|
# $ darwin-rebuild changelog
|
||||||
system.stateVersion = 4;
|
system.stateVersion = 5;
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,5 +21,5 @@
|
||||||
|
|
||||||
# Used for backwards compatibility, please read the changelog before changing.
|
# Used for backwards compatibility, please read the changelog before changing.
|
||||||
# $ darwin-rebuild changelog
|
# $ darwin-rebuild changelog
|
||||||
system.stateVersion = 4;
|
system.stateVersion = 5;
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
# to change uids/gids on service start, in example a service with a lot of
|
# to change uids/gids on service start, in example a service with a lot of
|
||||||
# files.
|
# files.
|
||||||
|
|
||||||
{ lib, ... }:
|
{ lib, config, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -34,15 +34,14 @@ in
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
ids.uids = {
|
ids.uids = {
|
||||||
nixbld = 300;
|
nixbld = lib.mkDefault 350;
|
||||||
};
|
};
|
||||||
|
|
||||||
ids.gids = {
|
ids.gids = {
|
||||||
nixbld = 30000;
|
nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350);
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
|
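Review bot: The two new defaults are asymmetric and nothing in the hunk says why: `ids.gids.nixbld` is gated on `config.system.stateVersion < 5`, while `ids.uids.nixbld` becomes 350 unconditionally, so an existing installation that keeps `stateVersion = 4` still gets the new UID expectation and is stopped by the activation check unless it pins `ids.uids.nixbld = 300;`. That looks intended (the checks hunk points such users at the Sequoia migration), but the reason belongs next to the values; I would put above `nixbld = lib.mkDefault 350;` the comment `# Not gated on stateVersion: the build user UID range moved from 300 to 350 for macOS Sequoia 15 compatibility; the activation check asks existing installs to migrate or to pin ids.uids.nixbld.` and above the gid line `# Installs created before stateVersion 5 keep GID 30000; new Nix installs default to 350 (see CHANGELOG).`. The CHANGELOG entry in this commit describes only the GID change, so the UID default moving from 300 to 350 should be recorded there as well. The module these `config` values sit in starts and ends outside the hunk.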
@ -60,6 +60,40 @@ let
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
preSequoiaBuildUsers = ''
|
||||||
|
${lib.optionalString config.nix.configureBuildUsers ''
|
||||||
|
# Don’t complain when we’re about to migrate old‐style build users…
|
||||||
|
if ! dscl . -list /Users | grep -q '^nixbld'; then
|
||||||
|
''}
|
||||||
|
firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
|
||||||
|
if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
|
||||||
|
printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
|
||||||
|
printf >&2 'The default Nix build user ID range has been adjusted for\n'
|
||||||
|
printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n'
|
||||||
|
printf >&2 'UID %d rather than the new default of 351.\n' "$firstBuildUserID"
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'You can automatically migrate your users using the following script\n'
|
||||||
|
printf >&2 'from the Nix repository:\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 ' https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'This should work even if you installed Nix with the Determinate\n'
|
||||||
|
printf >&2 'Systems installer or are using Lix. If you are comfortable using the\n'
|
||||||
|
printf >&2 'script without review, you can run:\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n"
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'If you have no intention of upgrading to macOS Sequoia 15, or already\n'
|
||||||
|
printf >&2 'have a custom UID range that you know is compatible with Sequoia, you\n'
|
||||||
|
printf >&2 'can disable this check by setting:\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 ' ids.uids.nixbld = %d;\n' "$((firstBuildUserID - 1))"
|
||||||
|
printf >&2 '\n'
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
${lib.optionalString config.nix.configureBuildUsers "fi"}
|
||||||
|
'';
|
||||||
|
|
||||||
buildUsers = ''
|
buildUsers = ''
|
||||||
buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
|
buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
|
||||||
if [ -z $buildUser ]; then
|
if [ -z $buildUser ]; then
|
||||||
|
@ -75,6 +109,32 @@ let
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
buildGroupID = ''
|
||||||
|
buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}')
|
||||||
|
expectedBuildGroupID=${toString config.ids.gids.nixbld}
|
||||||
|
if [[ $buildGroupID != $expectedBuildGroupID ]]; then
|
||||||
|
printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n'
|
||||||
|
printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n'
|
||||||
|
printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n'
|
||||||
|
printf >&2 'nixbld group has GID %d, whereas we expected %d.\n' \
|
||||||
|
"$buildGroupID" "$expectedBuildGroupID"
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'Possible causes include setting up a new Nix installation with an\n'
|
||||||
|
printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n'
|
||||||
|
printf >&2 'installation with an existing Nix installation, or manually increasing\n'
|
||||||
|
printf >&2 'your `system.stateVersion` setting.\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'You can set the configured group ID to match the actual value:\n'
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 ' ids.gids.nixbld = %d;\n' "$buildGroupID"
|
||||||
|
printf >&2 '\n'
|
||||||
|
printf >&2 'We do not recommend trying to change the group ID with macOS user\n'
|
||||||
|
printf >&2 'management tools without a complete uninstallation and reinstallation\n'
|
||||||
|
printf >&2 'of Nix.\n'
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
singleUser = ''
|
singleUser = ''
|
||||||
if grep -q 'build-users-group =' /etc/nix/nix.conf; then
|
if grep -q 'build-users-group =' /etc/nix/nix.conf; then
|
||||||
echo "[1;31merror: The daemon is not enabled but this is a multi-user install, aborting activation[0m" >&2
|
echo "[1;31merror: The daemon is not enabled but this is a multi-user install, aborting activation[0m" >&2
|
||||||
|
@ -267,6 +327,8 @@ in
|
||||||
runLink
|
runLink
|
||||||
(mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers)
|
(mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers)
|
||||||
(mkIf cfg.verifyBuildUsers buildUsers)
|
(mkIf cfg.verifyBuildUsers buildUsers)
|
||||||
|
(mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
|
||||||
|
(mkIf config.nix.configureBuildUsers buildGroupID)
|
||||||
(mkIf (!config.nix.useDaemon) singleUser)
|
(mkIf (!config.nix.useDaemon) singleUser)
|
||||||
nixStore
|
nixStore
|
||||||
(mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
|
(mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
|
||||||
|
|
|
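Review bot: Both new checks compare a value read from `dscl` without confirming the read succeeded: if `/Users/_nixbld1` or the `PrimaryGroupID` of `/Groups/nixbld` cannot be read, `firstBuildUserID` or `buildGroupID` is empty, the `!=` test is true, and as far as I can tell bash renders the empty `%d` as 0 and `$((firstBuildUserID - 1))` as -1, so the user is told to set `ids.uids.nixbld = -1;` and the script exits 2 with a misleading diagnosis. Before the `if [[ $firstBuildUserID != …` line I would add `if [[ -z $firstBuildUserID ]]; then printf >&2 'error: could not read the UID of _nixbld1, aborting activation\n'; exit 2; fi`, and the equivalent `[[ -z $buildGroupID ]]` guard in `buildGroupID`; whether an earlier check already rules out the missing-user case depends on activation order, which is outside this hunk. Separately, the suggested migration command fetches `scripts/sequoia-nixbld-user-migration.sh` from `master` and pipes it to `bash`, so the script a user receives is whatever that branch holds on the day they run it; pinning the URL to a specific revision (`https://github.com/NixOS/nix/raw/<COMMIT>/scripts/sequoia-nixbld-user-migration.sh`) keeps the advice reviewable and reproducible. The `let` binding list these strings belong to starts before the first hunk and ends after the last one.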
@ -35,7 +35,7 @@ in
|
||||||
options = {
|
options = {
|
||||||
system.stateVersion = mkOption {
|
system.stateVersion = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 4;
|
default = 5;
|
||||||
description = ''
|
description = ''
|
||||||
Every once in a while, a new NixOS release may change
|
Every once in a while, a new NixOS release may change
|
||||||
configuration defaults in a way incompatible with stateful
|
configuration defaults in a way incompatible with stateful
|
||||||
|
|
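Review bot: Raising `default` from 4 to 5 changes the behaviour of every configuration that never set `system.stateVersion`: with this commit such a configuration now gets `ids.gids.nixbld = 350`, and on an installation whose `nixbld` group is still 30000 with `nix.configureBuildUsers` enabled, activation stops in the new `buildGroupID` check. That check names "manually increasing your `system.stateVersion` setting" as a cause but not "the option was left unset and the default moved", so the `description` here should cover that case; I would add the sentence `Leaving this option unset means the newest default applies; existing installations should set it explicitly so that compatibility defaults such as ids.gids.nixbld are kept.` The description text continues past the end of the hunk.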