From 1e16e2a9c25b5a15040686be6f07d0ce67043260 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 26 Jan 2025 21:38:12 +0000 Subject: [PATCH 01/69] ci: use the PR head as `` for install test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was installing against the base branch, which causes annoying issues when things like the state version are bumped. It’s possible this was intentional to test the upgrade path, but it’s inconsistent with the flake installation test and keeps breaking stuff on my PRs. If we want to test the upgrade path then we could re‐add it again later in a more sophisticated manner (e.g. using the example config from the previous version). --- .github/workflows/test.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 63c155b6..c03cee1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,6 @@ on: env: NIXPKGS_BRANCH: nixpkgs-unstable - NIX_DARWIN_BRANCH: master NIX_VERSION: 2.24.11 jobs: @@ -40,7 +39,6 @@ jobs: nix_path: nixpkgs=channel:${{ env.NIXPKGS_BRANCH }} - name: Install channels run: | - nix-channel --add https://github.com/LnL7/nix-darwin/archive/${{ env.NIX_DARWIN_BRANCH }}.tar.gz darwin nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs nix-channel --update - name: Install nix-darwin @@ -52,11 +50,22 @@ jobs: nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ + "s/# programs.fish.enable = true;/ \ + imports = [ \ + ({ options, ... }: { \ + nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ + environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ + nix.nixPath = \ + [ { darwin = \"${PWD////\/}\"; } ] \ + ++ options.nix.nixPath.default; \ + }) \ + ]; \ + /" \ ~/.config/nix-darwin/configuration.nix nix run .#darwin-rebuild \ -- switch \ + -I darwin=. \ -I darwin-config=$HOME/.config/nix-darwin/configuration.nix - name: Switch to new configuration run: | @@ -66,7 +75,7 @@ jobs: "s/pkgs.vim/pkgs.hello/" \ ~/.config/nix-darwin/configuration.nix - darwin-rebuild switch -I darwin=. + darwin-rebuild switch hello - name: Test uninstallation of nix-darwin From 2119dd10f65e376dd42f32b0f7ec43577f48129a Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 27 Jan 2025 20:53:07 +0000 Subject: [PATCH 02/69] checks: remove `darwinChanges` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It seems like this has been broken since 26bab2fd3290b42a3df54db291f0d8775f128857 from 2018; macOS `diff(1)` does not support these arguments and the `$PATH` has been fixed since that point. Before that, it would presumably only have worked if you added GNU diffutils to `environment.systemPackages`. Proactively notifying users about breaking changes isn’t a bad idea, but the activation script doesn’t seem like the right place for it, and as it’s non‐blocking it’s likely that even if it worked it would get drowned out by the later output anyway. I’d like to move the changelog into release notes as part of the manual, which would requires changes to this anyway. Since it’s been broken for almost seven years anyway, let’s just drop it for now and revisit later. --- modules/system/checks.nix | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 628f6ed4..9d6470be 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -8,22 +8,6 @@ let cfg = config.system.checks; - darwinChanges = '' - darwinChanges=/dev/null - if test -e /run/current-system/darwin-changes; then - darwinChanges=/run/current-system/darwin-changes - fi - - darwinChanges=$(diff --changed-group-format='%>' --unchanged-group-format= /run/current-system/darwin-changes $systemConfig/darwin-changes 2> /dev/null) || true - if test -n "$darwinChanges"; then - echo >&2 - echo "CHANGELOG" >&2 - echo >&2 - echo "$darwinChanges" >&2 - echo >&2 - fi - ''; - macOSVersion = '' IFS=. read -ra osVersion <<<"$(sw_vers --productVersion)" if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then @@ -368,7 +352,6 @@ in config = { system.checks.text = mkMerge [ - darwinChanges (mkIf cfg.verifyMacOSVersion macOSVersion) (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) From 0e87d3d3914321ceea5b10a87f48b6ff6179e190 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 03/69] =?UTF-8?q?activate-system:=20don=E2=80=99t=20`KeepA?= =?UTF-8?q?live`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It seems like a bad idea to keep restarting the activation daemon when it fails. --- modules/services/activate-system/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index 6a982fe8..d8d86831 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -28,7 +28,6 @@ ${config.system.activationScripts.keyboard.text} ''; serviceConfig.RunAtLoad = true; - serviceConfig.KeepAlive.SuccessfulExit = false; }; }; } From ff80eacd0f756fa2c410f9128b114eeb0b4e5bc5 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 04/69] activation-scripts: remove `_status` I believe this has been obsolete since `set -e` was added in 8708ebb7964fc68311f5eae73bb7c45bfbb93d54. --- modules/system/activation-scripts.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 5f8916cc..b95ea324 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -44,9 +44,6 @@ in systemConfig=@out@ - _status=0 - trap "_status=1" ERR - # Ensure a consistent umask. umask 0022 @@ -82,8 +79,6 @@ in # Prevent the current configuration from being garbage-collected. ln -sfn /run/current-system /nix/var/nix/gcroots/current-system - - exit $_status ''; # FIXME: activationScripts.checks should be system level From 4bff4bc8ae105dbc3a56ed5255fbde9495cbf4c1 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 05/69] {activation-scripts,activate-system}: purify environment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures that system activation does not depend on various details of its process environment, ensuring uniformity across various invocation contexts and with the `activate-system` daemon. This becomes more important in a post‐user‐activation world to avoid problematic dependencies like `$SUDO_USER`, but is a good idea in general. The `sudoers(5)` defaults on my Sequoia system are: Defaults env_reset Defaults env_keep += "BLOCKSIZE" Defaults env_keep += "COLORFGBG COLORTERM" Defaults env_keep += "__CF_USER_TEXT_ENCODING" Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" Defaults env_keep += "LINES COLUMNS" Defaults env_keep += "LSCOLORS" Defaults env_keep += "SSH_AUTH_SOCK" Defaults env_keep += "TZ" Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" Defaults env_keep += "EDITOR VISUAL" Defaults env_keep += "HOME MAIL" Of these preserved environment variables, the ones that are set in practice when I run `sudo env` that aren’t set in the activation script here are: * `$COLORTERM` * `$DISPLAY` * `$EDITOR` * `$MAIL` * `$SSH_AUTH_SOCK` * `$TERM` * `$__CF_USER_TEXT_ENCODING` Most of these seem either pointless or actively harmful to set for the purpose of the system activation script. This will mean that tools run during activation won’t print output in the user’s preferred language, but that’s probably the right trade‐off overall, as that is likely to break activation scripts that parse command output anyway. --- modules/services/activate-system/default.nix | 7 +++++++ modules/system/activation-scripts.nix | 19 ++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index d8d86831..127514a6 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -10,7 +10,14 @@ script = '' set -e set -o pipefail + export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + export USER=root + export LOGNAME=root + export HOME=~root + export SHELL=$BASH + export LANG=C + export LC_CTYPE=UTF-8 systemConfig=$(cat ${config.system.profile}/systemConfig) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index b95ea324..0143d2ba 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -37,16 +37,33 @@ in config = { system.activationScripts.script.text = '' - #! ${stdenv.shell} + #!/usr/bin/env -i ${stdenv.shell} + # shellcheck shell=bash + # shellcheck disable=SC2096 + set -e set -o pipefail + export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + export USER=root + export LOGNAME=root + export HOME=~root + export SHELL=$BASH + export LANG=C + export LC_CTYPE=UTF-8 systemConfig=@out@ # Ensure a consistent umask. umask 0022 + cd / + + if [[ $(id -u) -ne 0 ]]; then + printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n' + exit 2 + fi + ${cfg.activationScripts.preActivation.text} # We run `etcChecks` again just in case someone runs `activate` From 5bc4677c03b61213912de654a9409d225fd9fe07 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 06/69] readme: reduce duplication in installation instructions --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 97200d69..3346fe0a 100644 --- a/README.md +++ b/README.md @@ -142,11 +142,7 @@ sudo nix-channel --update To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash -# If you use Nixpkgs unstable (the default): -nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A darwin-rebuild -# If you use Nixpkgs 24.11: -nix-build https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz -A darwin-rebuild - +nix-build '' -A darwin-rebuild ./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix ``` From 2733527a586bad9939edc829017acdbc99654d9b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 07/69] {environment,readme}: default configuration path to `/etc/nix-darwin` --- .github/workflows/test.yml | 41 ++++++++++++++++---------------- CHANGELOG | 8 +++++++ README.md | 15 ++++++------ modules/environment/default.nix | 20 ++++++++++++++-- modules/examples/flake/flake.nix | 2 +- modules/examples/hydra.nix | 2 +- modules/examples/lnl.nix | 4 ++-- modules/examples/simple.nix | 5 +--- modules/system/checks.nix | 2 +- modules/system/version.nix | 2 +- 10 files changed, 61 insertions(+), 40 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c03cee1f..d87b7636 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -43,13 +43,11 @@ jobs: nix-channel --update - name: Install nix-darwin run: | - export NIX_PATH=$HOME/.nix-defexpr/channels - - mkdir -p ~/.config/nix-darwin - cp modules/examples/simple.nix ~/.config/nix-darwin/configuration.nix + sudo mkdir -p /etc/nix-darwin + sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ @@ -61,19 +59,18 @@ jobs: }) \ ]; \ /" \ - ~/.config/nix-darwin/configuration.nix + /etc/nix-darwin/configuration.nix - nix run .#darwin-rebuild \ - -- switch \ + nix run .#darwin-rebuild -- switch \ -I darwin=. \ - -I darwin-config=$HOME/.config/nix-darwin/configuration.nix + -I darwin-config=/etc/nix-darwin/configuration.nix - name: Switch to new configuration run: | . /etc/bashrc - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/configuration.nix + /etc/nix-darwin/configuration.nix darwin-rebuild switch @@ -100,31 +97,33 @@ jobs: install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install - name: Install nix-darwin run: | - mkdir -p ~/.config/nix-darwin + sudo mkdir -p /etc/nix-darwin darwin=$(pwd) - pushd ~/.config/nix-darwin - nix flake init -t $darwin + pushd /etc/nix-darwin + sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ flake.nix - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ + 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ + flake.nix + sudo /usr/bin/sed -i.bak \ 's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \ flake.nix popd - nix run .#darwin-rebuild -- \ - switch --flake ~/.config/nix-darwin#simple \ + nix run .#darwin-rebuild -- switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - name: Switch to new configuration run: | . /etc/bashrc - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/flake.nix + /etc/nix-darwin/flake.nix - darwin-rebuild switch --flake ~/.config/nix-darwin#simple \ + darwin-rebuild switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} diff --git a/CHANGELOG b/CHANGELOG index b9a9adcc..ce169403 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,11 @@ +2025-01-18 +- The default configuration path for all new installations + is `/etc/nix-darwin`. This was already the undocumented + default for `darwin-rebuild switch` when using flakes. This + is implemented by setting `environment.darwinConfig` to + `"/etc/nix-darwin/configuration.nix"` by default when + `system.stateVersion` ≥ 6. + 2024-09-10 - The default Nix build user group ID is now set to 350 when `system.stateVersion` ≥ 5, to reflect the default for new Nix diff --git a/README.md b/README.md index 3346fe0a..ffdfca9f 100644 --- a/README.md +++ b/README.md @@ -33,11 +33,12 @@ Despite being an experimental feature in Nix currently, nix-darwin recommends th Getting started from scratch

-If you don't have an existing `configuration.nix`, you can run the following commands to generate a basic `flake.nix` inside `~/.config/nix-darwin`: +If you don't have an existing `configuration.nix`, you can run the following commands to generate a basic `flake.nix` inside `/etc/nix-darwin`: ```bash -mkdir -p ~/.config/nix-darwin -cd ~/.config/nix-darwin +sudo mkdir -p /etc/nix-darwin +sudo chown $(id -nu):$(id -ng) /etc/nix-darwin +cd /etc/nix-darwin # To use Nixpkgs unstable: nix flake init -t nix-darwin/master @@ -88,7 +89,7 @@ Make sure to set `nixpkgs.hostPlatform` in your `configuration.nix` to either `x Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash -nix run nix-darwin -- switch --flake ~/.config/nix-darwin +nix run nix-darwin -- switch ``` ### Step 3. Using `nix-darwin` @@ -96,7 +97,7 @@ nix run nix-darwin -- switch --flake ~/.config/nix-darwin After installing, you can run `darwin-rebuild` to apply changes to your system: ```bash -darwin-rebuild switch --flake ~/.config/nix-darwin +darwin-rebuild switch ``` #### Using flake inputs @@ -124,7 +125,7 @@ nix-darwin.lib.darwinSystem { ### Step 1. Creating `configuration.nix` -Copy the [simple](./modules/examples/simple.nix) example to `~/.config/nix-darwin/configuration.nix`. +Copy the [simple](./modules/examples/simple.nix) example to `/etc/nix-darwin/configuration.nix`. ### Step 2. Adding `nix-darwin` channel @@ -143,7 +144,7 @@ To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix ```bash nix-build '' -A darwin-rebuild -./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix +./result/bin/darwin-rebuild switch -I darwin-config=/etc/nix-darwin/configuration.nix ``` ### Step 4. Using `nix-darwin` diff --git a/modules/environment/default.nix b/modules/environment/default.nix index 79f760e9..377a9594 100644 --- a/modules/environment/default.nix +++ b/modules/environment/default.nix @@ -67,8 +67,24 @@ in }; environment.darwinConfig = mkOption { - type = types.either types.path types.str; - default = "$HOME/.nixpkgs/darwin-configuration.nix"; + type = types.nullOr (types.either types.path types.str); + default = + if config.nixpkgs.flake.setNixPath then + # Don’t set this for flake‐based systems. + null + else if config.system.stateVersion >= 6 then + "/etc/nix-darwin/configuration.nix" + else + "$HOME/.nixpkgs/darwin-configuration.nix"; + defaultText = literalExpression '' + if config.nixpkgs.flake.setNixPath then + # Don’t set this for flake‐based systems. + null + else if config.system.stateVersion >= 6 then + "/etc/nix-darwin/configuration.nix" + else + "$HOME/.nixpkgs/darwin-configuration.nix" + ''; description = '' The path of the darwin configuration.nix used to configure the system, this updates the default darwin-config entry in NIX_PATH. Since this diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix index 138c0473..447c468a 100644 --- a/modules/examples/flake/flake.nix +++ b/modules/examples/flake/flake.nix @@ -27,7 +27,7 @@ # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 5; + system.stateVersion = 6; # The platform the configuration will be used on. nixpkgs.hostPlatform = "aarch64-darwin"; diff --git a/modules/examples/hydra.nix b/modules/examples/hydra.nix index f87ed5d0..d30f5c00 100644 --- a/modules/examples/hydra.nix +++ b/modules/examples/hydra.nix @@ -43,5 +43,5 @@ in echo "ok" ''; - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix index 2204c2fa..90142f65 100644 --- a/modules/examples/lnl.nix +++ b/modules/examples/lnl.nix @@ -199,7 +199,7 @@ programs.zsh.enableFzfGit = true; programs.zsh.enableFzfHistory = true; - programs.zsh.variables.cfg = "$HOME/.config/nixpkgs/darwin/configuration.nix"; + programs.zsh.variables.cfg = "/etc/nix-darwin/configuration.nix"; programs.zsh.variables.darwin = "$HOME/.nix-defexpr/darwin"; programs.zsh.variables.nixpkgs = "$HOME/.nix-defexpr/nixpkgs"; @@ -322,5 +322,5 @@ nix.configureBuildUsers = true; nix.nrBuildUsers = 32; - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/examples/simple.nix b/modules/examples/simple.nix index 5771ec60..7751fb29 100644 --- a/modules/examples/simple.nix +++ b/modules/examples/simple.nix @@ -7,13 +7,10 @@ [ pkgs.vim ]; - # Use custom location for configuration.nix. - environment.darwinConfig = "$HOME/.config/nix-darwin/configuration.nix"; - # Enable alternative shell support in nix-darwin. # programs.fish.enable = true; # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 9d6470be..8b526b35 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -193,7 +193,7 @@ let darwinConfig=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin-config) || true if ! test -e "$darwinConfig"; then echo "error: Changed but target does not exist, aborting activation" >&2 - echo "Create ''${darwinConfig:-~/.nixpkgs/darwin-configuration.nix} or set environment.darwinConfig:" >&2 + echo "Create ''${darwinConfig:-/etc/nix-darwin/configuration.nix} or set environment.darwinConfig:" >&2 echo >&2 echo " environment.darwinConfig = \"$(nix-instantiate --find-file darwin-config 2> /dev/null || echo '***')\";" >&2 echo >&2 diff --git a/modules/system/version.nix b/modules/system/version.nix index 54829d1d..3fac46ef 100644 --- a/modules/system/version.nix +++ b/modules/system/version.nix @@ -51,7 +51,7 @@ in system.maxStateVersion = mkOption { internal = true; type = types.int; - default = 5; + default = 6; }; system.darwinLabel = mkOption { From 3509925a8634f08b764922577d169757b94df97b Mon Sep 17 00:00:00 2001 From: Emily Date: Thu, 16 Jan 2025 00:00:05 +0000 Subject: [PATCH 08/69] readme: make `darwin-rebuild` use more explicit --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ffdfca9f..b0f095a1 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,10 @@ Make sure to set `nixpkgs.hostPlatform` in your `configuration.nix` to either `x Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash -nix run nix-darwin -- switch +# To use Nixpkgs unstable: +nix run nix-darwin/master#darwin-rebuild -- switch +# To use Nixpkgs 24.11: +nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch ``` ### Step 3. Using `nix-darwin` From cc9c8408bb9f29b4afe919eff4ad922d054cf591 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 02:31:20 +0000 Subject: [PATCH 09/69] Revert "{activation-scripts,activate-system}: purify environment" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This shouldn’t actually be split out from the Plan because of the current use of `$HOME` in the defaults for channel‐based setups. This reverts commit 4bff4bc8ae105dbc3a56ed5255fbde9495cbf4c1. --- modules/services/activate-system/default.nix | 7 ------- modules/system/activation-scripts.nix | 19 +------------------ 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index 127514a6..d8d86831 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -10,14 +10,7 @@ script = '' set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" - export USER=root - export LOGNAME=root - export HOME=~root - export SHELL=$BASH - export LANG=C - export LC_CTYPE=UTF-8 systemConfig=$(cat ${config.system.profile}/systemConfig) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 0143d2ba..b95ea324 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -37,33 +37,16 @@ in config = { system.activationScripts.script.text = '' - #!/usr/bin/env -i ${stdenv.shell} - # shellcheck shell=bash - # shellcheck disable=SC2096 - + #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" - export USER=root - export LOGNAME=root - export HOME=~root - export SHELL=$BASH - export LANG=C - export LC_CTYPE=UTF-8 systemConfig=@out@ # Ensure a consistent umask. umask 0022 - cd / - - if [[ $(id -u) -ne 0 ]]; then - printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n' - exit 2 - fi - ${cfg.activationScripts.preActivation.text} # We run `etcChecks` again just in case someone runs `activate` From f1cf8c4f5a853683494cd93acbdecedb61dfc179 Mon Sep 17 00:00:00 2001 From: tarc Date: Thu, 30 Jan 2025 12:46:25 -0300 Subject: [PATCH 10/69] checks: fix sw_vers parameter for macOSVersion (`--productVersion`, not `-productVersion`) --- modules/system/checks.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 8b526b35..b466f425 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -9,7 +9,7 @@ let cfg = config.system.checks; macOSVersion = '' - IFS=. read -ra osVersion <<<"$(sw_vers --productVersion)" + IFS=. read -ra osVersion <<<"$(sw_vers -productVersion)" if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then printf >&2 '\e[1;31merror: macOS version is less than 11.3, aborting activation\e[0m\n' printf >&2 'Nixpkgs 25.05 requires macOS Big Sur 11.3 or newer, and 25.11 will\n' From 5b0cffeec2973101432f7a6ce5644e73ca661618 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 20:24:31 +0000 Subject: [PATCH 11/69] nixpkgs: fix undefined variable in assertion This got mangled in the backport a year and a half ago. Fixes: e25eeff158ceb415079e38f6e78a470c5664fa2f --- modules/nix/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index ee999971..511d718c 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -284,7 +284,7 @@ in pkgsSystem = finalPkgs.stdenv.targetPlatform.system; in { assertion = cfg.constructedByUs -> !hasPlatform -> cfg.system == pkgsSystem; - message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${darwinExpectedSystem} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; + message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${config.nixpkgs.system} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; } ) { From 962eb3f1c0c2d5e4ac92eb8bfc91333d3b1cb0e7 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:29:03 +0000 Subject: [PATCH 12/69] nixpkgs: assert that nixpkgs.config is not set when pkgs is passed in externally This is a common footgun people hit often. Remove it. Backport of Nixpkgs commit ce87196a00214a0062ece1c3e03a9a97f563580f. Co-authored-by: K900 --- modules/nix/nixpkgs.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 511d718c..2ed7b8da 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -300,6 +300,16 @@ in the legacy definitions. ''; } + { + assertion = opt.pkgs.isDefined -> cfg.config == {}; + message = '' + Your system configures nixpkgs with an externally created instance. + `nixpkgs.config` options should be passed when creating the instance instead. + + Current value: + ${lib.generators.toPretty { multiline = true; } opt.config} + ''; + } ]; }; } From 3cd3a79f9ba7f6c3421f4f7fd557b4c8666e7183 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:31:14 +0000 Subject: [PATCH 13/69] nixpkgs: Rewrite overlays option docs henrik-ch was also here :) Backport of Nixpkgs commit 11406bdc0e5af9b3c8a8d597da23349238c65277. Co-authored-by: Silvan Mosberger Co-Authored-By: Valentin Gagarin --- modules/nix/nixpkgs.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 2ed7b8da..4e876beb 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -151,16 +151,12 @@ in ''; type = types.listOf overlayType; description = '' - List of overlays to use with the Nix Packages collection. - (For details, see the Nixpkgs documentation.) It allows - you to override packages globally. Each function in the list - takes as an argument the *original* Nixpkgs. - The first argument should be used for finding dependencies, and - the second should be used for overriding recipes. + List of overlays to apply to Nixpkgs. + This option allows modifying the Nixpkgs package set accessed through the `pkgs` module argument. - If `nixpkgs.pkgs` is set, overlays specified here - will be applied after the overlays that were already present - in `nixpkgs.pkgs`. + For details, see the [Overlays chapter in the Nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#chap-overlays). + + If the {option}`nixpkgs.pkgs` option is set, overlays specified using `nixpkgs.overlays` will be applied after the overlays that were already included in `nixpkgs.pkgs`. ''; }; From 2df9e4811008fca085d15f67b51cd7bc497a17bb Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:32:13 +0000 Subject: [PATCH 14/69] nixpkgs: use less confusing example systems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit system and config shouldn't both be specified — each will be filled in based on the other when the system is elaborated. Backport of Nixpkgs commit a3ba0495452cd8e72735ebd4472838e96902a259. Co-authored-by: Alyssa Ross --- modules/nix/nixpkgs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 4e876beb..6c54c82d 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -162,7 +162,7 @@ in hostPlatform = mkOption { type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform - example = { system = "aarch64-darwin"; config = "aarch64-apple-darwin"; }; + example = { system = "aarch64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. apply = lib.systems.elaborate; @@ -178,7 +178,7 @@ in buildPlatform = mkOption { type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; - example = { system = "x86_64-darwin"; config = "x86_64-apple-darwin"; }; + example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. apply = lib.systems.elaborate; From 6b81859ed0e35f052043384c7febb853176bc500 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:33:20 +0000 Subject: [PATCH 15/69] nixpkgs: fix determination for cross-compiled nix-darwin system Since the output of `lib.systems.elaborate` contains functions, an equality check with `==` does not suffice, `lib.systems.equals` should be used instead. Backport of Nixpkgs commit 3794246066409d7baac72e3fdfb0e4f66ef4a013. Co-authored-by: Jared Baur --- modules/nix/nixpkgs.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 6c54c82d..383b140c 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -181,7 +181,12 @@ in example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = lib.systems.elaborate; + apply = inputBuildPlatform: + let elaborated = lib.systems.elaborate inputBuildPlatform; + in if lib.systems.equals elaborated cfg.hostPlatform + then cfg.hostPlatform # make identical, so that `==` equality works; +see https://github.com/NixOS/nixpkgs/issues/278001 + else elaborated; defaultText = literalExpression ''config.nixpkgs.hostPlatform''; description = '' From 320bf025d22ae9c50a410bef27596b945be65889 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:34:11 +0000 Subject: [PATCH 16/69] nixpkgs: link to Nixpkgs manual for global configuration options Backport of Nixpkgs commit e6057cfd59f278db3aeb058a4e1e0bcc24696267. Co-authored-by: Valentin Gagarin Co-authored-by: Dominic Mills --- modules/nix/nixpkgs.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 383b140c..a7585290 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -128,12 +128,11 @@ in ''; type = configType; description = '' - The configuration of the Nix Packages collection. (For - details, see the Nixpkgs documentation.) It allows you to set - package configuration options. + Global configuration for Nixpkgs. + The complete list of [Nixpkgs configuration options](https://nixos.org/manual/nixpkgs/unstable/#sec-config-options-reference) is in the [Nixpkgs manual section on global configuration](https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig). - Ignored when `nixpkgs.pkgs` is set. - ''; + Ignored when {option}`nixpkgs.pkgs` is set. +''; }; overlays = mkOption { From bd1d46766afb73b87b0e07172ca6a00a036d03da Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:26:13 +0000 Subject: [PATCH 17/69] nixpkgs: remove `with lib;` Backport of Nixpkgs commit 609e57485d1fa111e3a689498d9d338dc03a7bc5. Co-authored-by: Felix Buehler --- modules/nix/nixpkgs.nix | 70 ++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 36 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index a7585290..f74398f6 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -1,7 +1,5 @@ { config, options, lib, pkgs, ... }: -with lib; - let cfg = config.nixpkgs; opt = options.nixpkgs; @@ -19,19 +17,19 @@ let lhs = optCall lhs_ { inherit pkgs; }; rhs = optCall rhs_ { inherit pkgs; }; in - recursiveUpdate lhs rhs // - optionalAttrs (lhs ? packageOverrides) { + lib.recursiveUpdate lhs rhs // + lib.optionalAttrs (lhs ? packageOverrides) { packageOverrides = pkgs: optCall lhs.packageOverrides pkgs // - optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs; + optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; } // - optionalAttrs (lhs ? perlPackageOverrides) { + lib.optionalAttrs (lhs ? perlPackageOverrides) { perlPackageOverrides = pkgs: optCall lhs.perlPackageOverrides pkgs // - optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; + optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; }; - configType = mkOptionType { + configType = lib.mkOptionType { name = "nixpkgs-config"; description = "nixpkgs config"; check = x: @@ -39,32 +37,32 @@ let if c x then true else lib.traceSeqN 1 x false; in traceXIfNot isConfig; - merge = args: foldr (def: mergeConfig def.value) {}; + merge = args: lib.foldr (def: mergeConfig def.value) {}; }; - overlayType = mkOptionType { + overlayType = lib.mkOptionType { name = "nixpkgs-overlay"; description = "nixpkgs overlay"; check = lib.isFunction; merge = lib.mergeOneOption; }; - pkgsType = types.pkgs // { + pkgsType = lib.types.pkgs // { # This type is only used by itself, so let's elaborate the description a bit # for the purpose of documentation. description = "An evaluation of Nixpkgs; the top level attribute set of packages"; }; - hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority; + hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault {}).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; # Context for messages - hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}"; - buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}"; + hostPlatformLine = lib.optionalString hasHostPlatform "${lib.showOptionWithDefLocs opt.hostPlatform}"; + buildPlatformLine = lib.optionalString hasBuildPlatform "${lib.showOptionWithDefLocs opt.buildPlatform}"; legacyOptionsDefined = - optional (opt.system.highestPrio < (mkDefault {}).priority) opt.system + lib.optional (opt.system.highestPrio < (lib.mkDefault {}).priority) opt.system ; defaultPkgs = @@ -96,9 +94,9 @@ in { options.nixpkgs = { - pkgs = mkOption { + pkgs = lib.mkOption { type = pkgsType; - example = literalExpression "import {}"; + example = lib.literalExpression "import {}"; description = '' If set, the pkgs argument to all nix-darwin modules is the value of this option, extended with `nixpkgs.overlays`, if @@ -120,9 +118,9 @@ in ''; }; - config = mkOption { + config = lib.mkOption { default = {}; - example = literalExpression + example = lib.literalExpression '' { allowBroken = true; allowUnfree = true; } ''; @@ -135,9 +133,9 @@ in ''; }; - overlays = mkOption { + overlays = lib.mkOption { default = []; - example = literalExpression + example = lib.literalExpression '' [ (self: super: { @@ -148,7 +146,7 @@ in }) ] ''; - type = types.listOf overlayType; + type = lib.types.listOf overlayType; description = '' List of overlays to apply to Nixpkgs. This option allows modifying the Nixpkgs package set accessed through the `pkgs` module argument. @@ -159,8 +157,8 @@ in ''; }; - hostPlatform = mkOption { - type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + hostPlatform = lib.mkOption { + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform example = { system = "aarch64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. @@ -174,8 +172,8 @@ in ''; }; - buildPlatform = mkOption { - type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + buildPlatform = lib.mkOption { + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules @@ -186,7 +184,7 @@ in then cfg.hostPlatform # make identical, so that `==` equality works; see https://github.com/NixOS/nixpkgs/issues/278001 else elaborated; - defaultText = literalExpression + defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. @@ -202,8 +200,8 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; }; - system = mkOption { - type = types.str; + system = lib.mkOption { + type = lib.types.str; example = "x86_64-darwin"; default = if opt.hostPlatform.isDefined @@ -232,9 +230,9 @@ see https://github.com/NixOS/nixpkgs/issues/278001 # nix-darwin only - source = mkOption { - type = types.path; - defaultText = literalMD '' + source = lib.mkOption { + type = lib.types.path; + defaultText = lib.literalMD '' `` or nix-darwin's `nixpkgs` flake input ''; description = '' @@ -247,8 +245,8 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; }; - constructedByUs = mkOption { - type = types.bool; + constructedByUs = lib.mkOption { + type = lib.types.bool; internal = true; description = '' Whether `pkgs` was constructed by this module. This is false when any of @@ -290,12 +288,12 @@ see https://github.com/NixOS/nixpkgs/issues/278001 { assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == []; message = '' - Your system configures nixpkgs with the platform parameter${optionalString hasBuildPlatform "s"}: + Your system configures nixpkgs with the platform parameter${lib.optionalString hasBuildPlatform "s"}: ${hostPlatformLine }${buildPlatformLine } However, it also defines the legacy options: - ${concatMapStrings showOptionWithDefLocs legacyOptionsDefined} + ${lib.concatMapStrings lib.showOptionWithDefLocs legacyOptionsDefined} For a future proof system configuration, we recommend to remove the legacy definitions. ''; From e84e84a2566a1b431686c9c5ed45b01e1fdcf831 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:35:53 +0000 Subject: [PATCH 18/69] nixpkgs: fix `config` assertion text The assertion message should include the `nixpkgs.config` value, however it currently includes the entire `nixpkgs.config` _option_. This means the type, declarations, definitions, etc were all printed. Backport of Nixpkgs commit 1bd4da1848cb7b68858ebb2ca1f8b0e5fed46c58. Co-authored-by: Matt Sturgeon --- modules/nix/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index f74398f6..739d02d4 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -305,7 +305,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 `nixpkgs.config` options should be passed when creating the instance instead. Current value: - ${lib.generators.toPretty { multiline = true; } opt.config} + ${lib.generators.toPretty { multiline = true; } cfg.config} ''; } ]; From 80eddf2bf743620faab78d06846d9478fb21aa3b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:36:42 +0000 Subject: [PATCH 19/69] nixpkgs: show definition files in `config` assertion Backport of Nixpkgs commit 6d9dfef94ffd59a327573eea7bc709a84c44b3d2. Co-authored-by: Matt Sturgeon --- modules/nix/nixpkgs.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 739d02d4..c0151655 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -306,6 +306,9 @@ see https://github.com/NixOS/nixpkgs/issues/278001 Current value: ${lib.generators.toPretty { multiline = true; } cfg.config} + + Defined in: + ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } ]; From dc1c716ded39758062ed7e6bc410ad274119de9f Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:37:53 +0000 Subject: [PATCH 20/69] nixpkgs: format with `nixfmt` --- modules/nix/nixpkgs.nix | 168 +++++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 78 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index c0151655..fa156a51 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -1,43 +1,48 @@ -{ config, options, lib, pkgs, ... }: +{ + config, + options, + lib, + pkgs, + ... +}: let cfg = config.nixpkgs; opt = options.nixpkgs; - isConfig = x: - builtins.isAttrs x || lib.isFunction x; + isConfig = x: builtins.isAttrs x || lib.isFunction x; - optCall = f: x: - if lib.isFunction f - then f x - else f; + optCall = f: x: if lib.isFunction f then f x else f; - mergeConfig = lhs_: rhs_: + mergeConfig = + lhs_: rhs_: let lhs = optCall lhs_ { inherit pkgs; }; rhs = optCall rhs_ { inherit pkgs; }; in - lib.recursiveUpdate lhs rhs // - lib.optionalAttrs (lhs ? packageOverrides) { - packageOverrides = pkgs: - optCall lhs.packageOverrides pkgs // - optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; - } // - lib.optionalAttrs (lhs ? perlPackageOverrides) { - perlPackageOverrides = pkgs: - optCall lhs.perlPackageOverrides pkgs // - optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; + lib.recursiveUpdate lhs rhs + // lib.optionalAttrs (lhs ? packageOverrides) { + packageOverrides = + pkgs: + optCall lhs.packageOverrides pkgs // optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; + } + // lib.optionalAttrs (lhs ? perlPackageOverrides) { + perlPackageOverrides = + pkgs: + optCall lhs.perlPackageOverrides pkgs + // optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; }; configType = lib.mkOptionType { name = "nixpkgs-config"; description = "nixpkgs config"; - check = x: - let traceXIfNot = c: - if c x then true - else lib.traceSeqN 1 x false; - in traceXIfNot isConfig; - merge = args: lib.foldr (def: mergeConfig def.value) {}; + check = + x: + let + traceXIfNot = c: if c x then true else lib.traceSeqN 1 x false; + in + traceXIfNot isConfig; + merge = args: lib.foldr (def: mergeConfig def.value) { }; }; overlayType = lib.mkOptionType { @@ -53,7 +58,7 @@ let description = "An evaluation of Nixpkgs; the top level attribute set of packages"; }; - hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault {}).priority; + hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault { }).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; @@ -61,27 +66,31 @@ let hostPlatformLine = lib.optionalString hasHostPlatform "${lib.showOptionWithDefLocs opt.hostPlatform}"; buildPlatformLine = lib.optionalString hasBuildPlatform "${lib.showOptionWithDefLocs opt.buildPlatform}"; - legacyOptionsDefined = - lib.optional (opt.system.highestPrio < (lib.mkDefault {}).priority) opt.system - ; + legacyOptionsDefined = lib.optional ( + opt.system.highestPrio < (lib.mkDefault { }).priority + ) opt.system; defaultPkgs = - if opt.hostPlatform.isDefined - then - let isCross = cfg.buildPlatform != cfg.hostPlatform; - systemArgs = - if isCross - then { + if opt.hostPlatform.isDefined then + let + isCross = cfg.buildPlatform != cfg.hostPlatform; + systemArgs = + if isCross then + { localSystem = cfg.buildPlatform; crossSystem = cfg.hostPlatform; } - else { + else + { localSystem = cfg.hostPlatform; }; in - import cfg.source ({ - inherit (cfg) config overlays; - } // systemArgs) + import cfg.source ( + { + inherit (cfg) config overlays; + } + // systemArgs + ) else import cfg.source { inherit (cfg) config overlays; @@ -119,33 +128,31 @@ in }; config = lib.mkOption { - default = {}; - example = lib.literalExpression - '' - { allowBroken = true; allowUnfree = true; } - ''; + default = { }; + example = lib.literalExpression '' + { allowBroken = true; allowUnfree = true; } + ''; type = configType; description = '' Global configuration for Nixpkgs. The complete list of [Nixpkgs configuration options](https://nixos.org/manual/nixpkgs/unstable/#sec-config-options-reference) is in the [Nixpkgs manual section on global configuration](https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig). Ignored when {option}`nixpkgs.pkgs` is set. -''; + ''; }; overlays = lib.mkOption { - default = []; - example = lib.literalExpression - '' - [ - (self: super: { - openssh = super.openssh.override { - hpnSupport = true; - kerberos = self.libkrb5; - }; - }) - ] - ''; + default = [ ]; + example = lib.literalExpression '' + [ + (self: super: { + openssh = super.openssh.override { + hpnSupport = true; + kerberos = self.libkrb5; + }; + }) + ] + ''; type = lib.types.listOf overlayType; description = '' List of overlays to apply to Nixpkgs. @@ -159,7 +166,9 @@ in hostPlatform = lib.mkOption { type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform - example = { system = "aarch64-darwin"; }; + example = { + system = "aarch64-darwin"; + }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. apply = lib.systems.elaborate; @@ -175,17 +184,23 @@ in buildPlatform = lib.mkOption { type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; - example = { system = "x86_64-darwin"; }; + example = { + system = "x86_64-darwin"; + }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = inputBuildPlatform: - let elaborated = lib.systems.elaborate inputBuildPlatform; - in if lib.systems.equals elaborated cfg.hostPlatform - then cfg.hostPlatform # make identical, so that `==` equality works; -see https://github.com/NixOS/nixpkgs/issues/278001 - else elaborated; - defaultText = lib.literalExpression - ''config.nixpkgs.hostPlatform''; + apply = + inputBuildPlatform: + let + elaborated = lib.systems.elaborate inputBuildPlatform; + in + if lib.systems.equals elaborated cfg.hostPlatform then + cfg.hostPlatform # make identical, so that `==` equality works; + see + "https://github.com/NixOS/nixpkgs/issues/278001" + else + elaborated; + defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. By default, nix-darwin is built on the system where it runs, but you can @@ -204,8 +219,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 type = lib.types.str; example = "x86_64-darwin"; default = - if opt.hostPlatform.isDefined - then + if opt.hostPlatform.isDefined then throw '' Neither ${opt.system} nor any other option in nixpkgs.* is meant to be read by modules and configurations. @@ -264,34 +278,32 @@ see https://github.com/NixOS/nixpkgs/issues/278001 # which is somewhat costly for Nixpkgs. With an explicit priority, we only # evaluate the wrapper to find out that the priority is lower, and then we # don't need to evaluate `finalPkgs`. - lib.mkOverride lib.modules.defaultOverridePriority - finalPkgs.__splicedPackages; + lib.mkOverride lib.modules.defaultOverridePriority finalPkgs.__splicedPackages; }; nixpkgs.constructedByUs = # We set it with default priority and it can not be merged, so if the # pkgs module argument has that priority, it's from us. (lib.modules.mergeAttrDefinitionsWithPrio options._module.args).pkgs.highestPrio - == lib.modules.defaultOverridePriority + == lib.modules.defaultOverridePriority # Although, if nixpkgs.pkgs is set, we did forward it, but we did not construct it. - && !opt.pkgs.isDefined; + && !opt.pkgs.isDefined; assertions = [ ( let pkgsSystem = finalPkgs.stdenv.targetPlatform.system; - in { + in + { assertion = cfg.constructedByUs -> !hasPlatform -> cfg.system == pkgsSystem; message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${config.nixpkgs.system} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; } ) { - assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == []; + assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == [ ]; message = '' Your system configures nixpkgs with the platform parameter${lib.optionalString hasBuildPlatform "s"}: - ${hostPlatformLine - }${buildPlatformLine - } + ${hostPlatformLine}${buildPlatformLine} However, it also defines the legacy options: ${lib.concatMapStrings lib.showOptionWithDefLocs legacyOptionsDefined} For a future proof system configuration, we recommend to remove @@ -299,7 +311,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; } { - assertion = opt.pkgs.isDefined -> cfg.config == {}; + assertion = opt.pkgs.isDefined -> cfg.config == { }; message = '' Your system configures nixpkgs with an externally created instance. `nixpkgs.config` options should be passed when creating the instance instead. From 5084b33265f1c14551af63e61ec8bb75fec3ccbc Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 20:53:35 +0000 Subject: [PATCH 21/69] git-blame-ignore-revs: add `nixpkgs` module formatting commit --- .git-blame-ignore-revs | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .git-blame-ignore-revs diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 00000000..92331afe --- /dev/null +++ b/.git-blame-ignore-revs @@ -0,0 +1,2 @@ +# nixpkgs: format with `nixfmt` +dc1c716ded39758062ed7e6bc410ad274119de9f From 7c72c013b160627540b8b465a05ba258f47a16d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:40:03 +0000 Subject: [PATCH 22/69] nixpkgs: make config.nixpkgs.{buildPlatform,hostPlatform} write only The description for options.nixpkgs.system already hints at this: Neither ${opt.system} nor any other option in nixpkgs.* is meant to be read by modules and configurations. Use pkgs.stdenv.hostPlatform instead. We can support this goal by not elaborating the systems anymore, forcing users to go via pkgs.stdenv. This will prevent problems when making the top-level package sets composable in the next commit. For this to work, you should pass a fully elaborated system to nixpkgs' localSystem or crossSystem options. Backport of Nixpkgs commit 0a19371146130c0e2a402fd0c35f8283b0e81910. Co-authored-by: Wolfgang Walther --- modules/nix/nixpkgs.nix | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index fa156a51..d4fa306c 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -73,7 +73,10 @@ let defaultPkgs = if opt.hostPlatform.isDefined then let - isCross = cfg.buildPlatform != cfg.hostPlatform; + isCross = + !(lib.systems.equals (lib.systems.elaborate cfg.buildPlatform) ( + lib.systems.elaborate cfg.hostPlatform + )); systemArgs = if isCross then { @@ -165,13 +168,10 @@ in }; hostPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform + type = lib.types.either lib.types.str lib.types.attrs; example = { system = "aarch64-darwin"; }; - # Make sure that the final value has all fields for sake of other modules - # referring to this. TODO make `lib.systems` itself use the module system. - apply = lib.systems.elaborate; description = '' Specifies the platform where the nix-darwin configuration will run. @@ -182,24 +182,13 @@ in }; buildPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform + type = lib.types.either lib.types.str lib.types.attrs; default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = - inputBuildPlatform: - let - elaborated = lib.systems.elaborate inputBuildPlatform; - in - if lib.systems.equals elaborated cfg.hostPlatform then - cfg.hostPlatform # make identical, so that `==` equality works; - see - "https://github.com/NixOS/nixpkgs/issues/278001" - else - elaborated; defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. @@ -323,6 +312,16 @@ in ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } + { + assertion = + (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.buildPlatform -> !(cfg.buildPlatform ? parsed)) + && (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.hostPlatform -> !(cfg.hostPlatform ? parsed)); + message = '' + Passing fully elaborated systems to `nixpkgs.localSystem`, `nixpkgs.crossSystem`, `nixpkgs.buildPlatform` + or `nixpkgs.hostPlatform` will break composability of package sets in nixpkgs. For example, pkgs.pkgsStatic + would not work in modules anymore. + ''; + } ]; }; } From 1f7ed1c7fe20d9b9d410c4f385a7d13ae1f4349e Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 15:19:46 +0000 Subject: [PATCH 23/69] checks: remove `nixChannels` check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I don’t think this is very important given the `nixPath` check, and it doesn’t fit very well into a post‐user‐activation world. --- modules/system/checks.nix | 30 ++++-------------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index b466f425..7fbe1590 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -152,25 +152,6 @@ let fi ''; - nixChannels = '' - channelsLink=$(readlink "$HOME/.nix-defexpr/channels") || true - case "$channelsLink" in - *"$USER"*) - ;; - "") - ;; - *) - echo "error: The ~/.nix-defexpr/channels symlink does not point your users channels, aborting activation" >&2 - echo "Running nix-channel will regenerate it" >&2 - echo >&2 - echo " rm ~/.nix-defexpr/channels" >&2 - echo " nix-channel --update" >&2 - echo >&2 - exit 2 - ;; - esac - ''; - nixInstaller = '' if grep -q 'etc/profile.d/nix-daemon.sh' /etc/profile; then echo "error: Found nix-daemon.sh reference in /etc/profile, aborting activation" >&2 @@ -315,6 +296,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "system" "checks" "verifyNixChannels" ] "This check has been removed.") + ]; + options = { system.checks.verifyNixPath = mkOption { type = types.bool; @@ -322,12 +307,6 @@ in description = "Whether to run the NIX_PATH validation checks."; }; - system.checks.verifyNixChannels = mkOption { - type = types.bool; - default = config.nix.channel.enable; - description = "Whether to run the nix-channels validation checks."; - }; - system.checks.verifyBuildUsers = mkOption { type = types.bool; default = @@ -361,7 +340,6 @@ in nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) - (mkIf cfg.verifyNixChannels nixChannels) nixInstaller (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory From 8f227c405e0d42dfdbfce9849c689152c083a48b Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 01:08:02 +0000 Subject: [PATCH 24/69] nix: fix typo in assertion conditional --- modules/nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 857c4be8..b70487d7 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -759,7 +759,7 @@ in # Not in NixOS module { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } - { assertion = elem "_nixbld1" config.users.knownGroups -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } + { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } { From 9b9c9a57b626d72c4def5c2ddb7253bccb19c75d Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 25/69] =?UTF-8?q?nix:=20don=E2=80=99t=20set=20`$NIX=5FREMO?= =?UTF-8?q?TE`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NixOS doesn’t bother doing this, and Nix already matches this conditional behaviour when `$NIX_REMOTE` is unset. --- modules/nix/default.nix | 20 +++++--------------- tests/services-nix-daemon.nix | 3 --- 2 files changed, 5 insertions(+), 18 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b70487d7..b373e778 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -785,21 +785,11 @@ in # Set up the environment variables for running Nix. environment.variables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; - environment.extraInit = mkMerge [ - (mkIf cfg.channel.enable '' - if [ -e "$HOME/.nix-defexpr/channels" ]; then - export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" - fi - '') - # Not in NixOS module - '' - # Set up secure multi-user builds: non-root users build through the - # Nix daemon. - if [ ! -w /nix/var/nix/db ]; then - export NIX_REMOTE=daemon - fi - '' - ]; + environment.extraInit = mkIf cfg.channel.enable '' + if [ -e "$HOME/.nix-defexpr/channels" ]; then + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" + fi + ''; environment.extraSetup = mkIf (!cfg.channel.enable) '' rm --force $out/bin/nix-channel diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix index 3a217cbb..86dbd57c 100644 --- a/tests/services-nix-daemon.nix +++ b/tests/services-nix-daemon.nix @@ -27,8 +27,5 @@ in echo checking nix-daemon reload in /activate >&2 grep "launchctl kill HUP system/org.nixos.nix-daemon" ${config.out}/activate - - echo checking NIX_REMOTE=daemon in setEnvironment >&2 - grep "NIX_REMOTE=daemon" ${config.system.build.setEnvironment} ''; } From 3f6f512406d852afa0e54118b2002896da66fd3e Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 21:47:09 +0000 Subject: [PATCH 26/69] users: fix typo --- modules/users/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index ecce2af3..47b67fbc 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -172,7 +172,7 @@ in printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n' printf >&2 'please accept the dialog that pops up.\n' printf >&2 '\n' - printf >&2 'If you do not wish to be prompted every time `darwin-rebuild updates your users,\n' + printf >&2 'If you do not wish to be prompted every time `darwin-rebuild` updates your users,\n' printf >&2 'you can grant Full Disk Access to your terminal emulator in System Settings.\n' printf >&2 '\n' printf >&2 'This can be found in System Settings > Privacy & Security > Full Disk Access.\n' From da3311397a1a2ba1a02f026cce1700a3556279cc Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 5 Feb 2025 15:06:20 +0000 Subject: [PATCH 27/69] Revert "nixpkgs: make config.nixpkgs.{buildPlatform,hostPlatform} write only" This was reverted upstream in 0b47fba23078cc01251b136c7af0127abd57112b. This reverts commit 7c72c013b160627540b8b465a05ba258f47a16d8. --- modules/nix/nixpkgs.nix | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index d4fa306c..51bb1718 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -73,10 +73,7 @@ let defaultPkgs = if opt.hostPlatform.isDefined then let - isCross = - !(lib.systems.equals (lib.systems.elaborate cfg.buildPlatform) ( - lib.systems.elaborate cfg.hostPlatform - )); + isCross = cfg.buildPlatform != cfg.hostPlatform; systemArgs = if isCross then { @@ -168,10 +165,13 @@ in }; hostPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform example = { system = "aarch64-darwin"; }; + # Make sure that the final value has all fields for sake of other modules + # referring to this. TODO make `lib.systems` itself use the module system. + apply = lib.systems.elaborate; description = '' Specifies the platform where the nix-darwin configuration will run. @@ -182,13 +182,22 @@ in }; buildPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. + apply = + inputBuildPlatform: + let + elaborated = lib.systems.elaborate inputBuildPlatform; + in + if lib.systems.equals elaborated cfg.hostPlatform then + cfg.hostPlatform # make identical, so that `==` equality works; see https://github.com/NixOS/nixpkgs/issues/278001 + else + elaborated; defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. @@ -312,16 +321,6 @@ in ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } - { - assertion = - (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.buildPlatform -> !(cfg.buildPlatform ? parsed)) - && (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.hostPlatform -> !(cfg.hostPlatform ? parsed)); - message = '' - Passing fully elaborated systems to `nixpkgs.localSystem`, `nixpkgs.crossSystem`, `nixpkgs.buildPlatform` - or `nixpkgs.hostPlatform` will break composability of package sets in nixpkgs. For example, pkgs.pkgsStatic - would not work in modules anymore. - ''; - } ]; }; } From 0824c13801d18722a5dd7827f575f5c42e80ad43 Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 15:48:57 +0000 Subject: [PATCH 28/69] checks: fix macOS version check exit code --- modules/system/checks.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 8b526b35..119fba4c 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -27,7 +27,7 @@ let printf >&2 ' system.checks.verifyMacOSVersion = false;\n' printf >&2 '\n' printf >&2 'However, we are unable to provide support if you do so.\n' - exit 1 + exit 2 fi ''; From d634e28f67b5e1fc82b3ea107fbd9b3a3abf3a7b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 21:47:09 +0000 Subject: [PATCH 29/69] users: use `launchctl managername` to determine session type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems like this should be more robust, and it will work even after the activation script purifies its environment. Apparently it may treat `tmux` sessions like SSH ones, which may have something to do with `reattach-to-user-namespace`/`pam_reattach`; see . (My hope is that `pam_reattach` does the right thing here, but I haven’t tested.) --- modules/users/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index 47b67fbc..706abbfa 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -147,7 +147,7 @@ in homeDirectory=''${homeDirectory#NFSHomeDirectory: } if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then - if [[ -n "$SSH_CONNECTION" ]]; then + if [[ "$(launchctl managername)" != Aqua ]]; then printf >&2 '\e[1;31merror: users cannot be %s over SSH without Full Disk Access, aborting activation\e[0m\n' "$2" printf >&2 'The user %s could not be %s as `darwin-rebuild` was not executed with Full Disk Access over SSH.\n' "$1" "$2" printf >&2 'You can either:\n' From e182d8dff6bd3b0913ae6531c6abae3ed1e38364 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 18:40:29 +0000 Subject: [PATCH 30/69] nix: add `nix.enable` option to disable Nix management MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is an equivalent of the `nix.enable` option from NixOS and Home Manager. On NixOS, it mostly serves to allow building fixed‐configuration systems without any Nix installation at all. It should work for that purpose with nix-darwin too, and the implementation is largely the same, but the main use case is more similar to the Home Manager option: to allow the use of nix-darwin with an unmanaged system installation of Nix, including when there is another service expecting to manage it, as with Determinate. By providing an escape hatch to opt out of Nix management entirely, this will also allow us to consolidate and simplify our existing Nix installation management, by being more opinionated about things like taking ownership of the daemon and the build users. Porting one option from NixOS lets us drop two that only ever existed in nix-darwin and reduce overall complexity. --- modules/nix/default.nix | 52 +++++++++++++++++++++-- modules/services/nix-daemon.nix | 2 +- modules/system/checks.nix | 9 ++-- pkgs/darwin-uninstaller/configuration.nix | 12 +----- pkgs/darwin-uninstaller/default.nix | 9 ++-- release.nix | 1 + tests/nix-enable.nix | 14 ++++++ 7 files changed, 78 insertions(+), 21 deletions(-) create mode 100644 tests/nix-enable.nix diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b373e778..39820dac 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -134,6 +134,26 @@ let namedPaths ++ searchPaths; }; + handleUnmanaged = managedConfig: mkMerge [ + (mkIf cfg.enable managedConfig) + (mkIf (!cfg.enable) { + system.activationScripts.nix-daemon.text = '' + # Restore unmanaged Nix daemon if present + unmanagedNixProfile=/nix/var/nix/profiles/default + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e $unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + printf >&2 'restoring unmanaged Nix daemon...\n' + cp \ + "$unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist" \ + /Library/LaunchDaemons + launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist + fi + ''; + }) + ]; + in { @@ -144,7 +164,6 @@ in in [ # Only ever in NixOS - (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivalent to this NixOS option.") (mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority")) @@ -165,9 +184,36 @@ in nix = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to enable Nix. + + Disabling this will stop nix-darwin from managing the + installed version of Nix, the nix-daemon launchd daemon, and + the settings in {file}`/etc/nix/nix.conf`. + + This allows you to use nix-darwin without it taking over your + system installation of Nix. Some nix-darwin functionality + that relies on managing the Nix installation, like the + `nix.*` options to adjust Nix settings or configure a Linux + builder, will be unavailable. You will also have to upgrade + Nix yourself, as nix-darwin will no longer do so. + + ::: {.warning} + If you have already removed your global system installation + of Nix, this will break nix-darwin and you will have to + reinstall Nix to fix it. + ::: + ''; + }; + package = mkOption { type = types.package; - default = pkgs.nix; + default = warnIf (!cfg.enable) + "nix.package: accessed when `nix.enable` is off; this is a bug" + pkgs.nix; defaultText = literalExpression "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. @@ -678,7 +724,7 @@ in ###### implementation - config = { + config = handleUnmanaged { environment.systemPackages = [ nixPackage diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index ffc7e651..df3fa310 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -10,7 +10,7 @@ in options = { services.nix-daemon.enable = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to enable the nix-daemon service."; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 7fbe1590..cc8048de 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -303,15 +303,16 @@ in options = { system.checks.verifyNixPath = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to run the NIX_PATH validation checks."; }; system.checks.verifyBuildUsers = mkOption { type = types.bool; default = - (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) - || config.nix.configureBuildUsers; + config.nix.enable && + ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + || config.nix.configureBuildUsers); description = "Whether to run the Nix build users validation checks."; }; @@ -336,7 +337,7 @@ in (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf config.nix.configureBuildUsers buildGroupID) - nixDaemon + (mkIf config.nix.enable nixDaemon) nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) diff --git a/pkgs/darwin-uninstaller/configuration.nix b/pkgs/darwin-uninstaller/configuration.nix index 56ab228f..ce6be6ca 100644 --- a/pkgs/darwin-uninstaller/configuration.nix +++ b/pkgs/darwin-uninstaller/configuration.nix @@ -12,8 +12,8 @@ with lib; launchd.daemons = mkForce {}; launchd.user.agents = mkForce {}; - # Don't try to reload `nix-daemon` - nix.useDaemon = mkForce false; + # Restore any unmanaged `nix-daemon`. + nix.enable = false; system.activationScripts.postUserActivation.text = mkAfter '' nix-channel --remove darwin || true @@ -30,14 +30,6 @@ with lib; rm /etc/static fi - # If the Nix Store is owned by root then we're on a multi-user system - if [[ -O /nix/store ]]; then - if [[ -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]]; then - sudo cp /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/org.nixos.nix-daemon.plist - sudo launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist - fi - fi - # grep will return 1 when no lines matched which makes this line fail with `set -eo pipefail` dscl . -list /Users UserShell | { grep "\s/run/" || true; } | awk '{print $1}' | while read -r user; do shell=$(dscl . -read /Users/"$user" UserShell) diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index 0214652b..6b43bcfc 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix @@ -31,8 +31,11 @@ in writeShellApplication { echo >&2 " - remove /Applications/Nix Apps symlink" echo >&2 " - cleanup static /etc files" echo >&2 " - disable and remove all launchd services managed by nix-darwin" - if [[ $(stat -f '%Su' /nix/store) == "root" ]]; then - echo >&2 " - restore nix-daemon service from nix installer as this is a multi-user install" + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + echo >&2 " - restore nix-daemon service from the Nix installer" fi echo >&2 @@ -87,7 +90,7 @@ in writeShellApplication { launchctl print system/org.nixos.nix-daemon pgrep -l nix-daemon test -e /Library/LaunchDaemons/org.nixos.nix-daemon.plist - [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] + [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] nix-store --store daemon -q --hash ${stdenv.shell} fi echo >&2 ok diff --git a/release.nix b/release.nix index b3e2df7e..52b3c2aa 100644 --- a/release.nix +++ b/release.nix @@ -88,6 +88,7 @@ in { tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; + tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; tests.programs-ssh = makeTest ./tests/programs-ssh.nix; tests.programs-tmux = makeTest ./tests/programs-tmux.nix; diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix new file mode 100644 index 00000000..4e7a1782 --- /dev/null +++ b/tests/nix-enable.nix @@ -0,0 +1,14 @@ +{ config, ... }: + +{ + nix.enable = false; + nix.package = throw "`nix.package` used when `nix.enable` is turned off"; + + test = '' + printf >&2 'checking for unexpected Nix binary in /sw/bin\n' + [[ -e ${config.out}/sw/bin/nix-env ]] && exit 1 + + printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' + [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + ''; +} From c796587d2ef4ab06f84c4f740931f579f719b6f5 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 31/69] nix: remove `nix.useDaemon` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We now assume the daemon is used unconditionally when we manage the Nix installation. The `nix.gc` and `nix.optimise` services lose their `$NIX_REMOTE` setting rather than making it unconditional, as the NixOS `nix.gc` module does not set it. Possibly it should, but I think uniformity between the two systems is better than diverging, even though I kind of hate that the non‐daemon method of access is even a thing. --- modules/nix/default.nix | 22 +++--- modules/services/buildkite-agents.nix | 3 +- modules/services/gitlab-runner.nix | 3 +- .../services/hercules-ci-agent/default.nix | 2 +- modules/services/nix-daemon.nix | 2 - modules/services/nix-gc/default.nix | 10 +-- modules/services/nix-optimise/default.nix | 10 +-- modules/system/checks.nix | 67 +++---------------- release.nix | 1 - tests/checks-nix-gc.nix | 19 ------ tests/services-nix-gc.nix | 6 -- tests/services-nix-optimise.nix | 6 -- 12 files changed, 26 insertions(+), 125 deletions(-) delete mode 100644 tests/checks-nix-gc.nix diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 39820dac..6028e6bb 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -176,6 +176,10 @@ in (mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ]) (mkRenamedOptionModule [ "nix" "daemonIONice" ] [ "nix" "daemonIOLowPriority" ]) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] (consider "nix.daemonProcessType")) + (mkRemovedOptionModule [ "nix" "useDaemon" ] '' + nix-darwin now only supports managing multi‐user daemon + installations of Nix. + '') ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface @@ -220,17 +224,6 @@ in ''; }; - # Not in NixOS module - useDaemon = mkOption { - type = types.bool; - default = false; - description = '' - If set, Nix will use the daemon to perform operations. - Use this instead of services.nix-daemon.enable if you don't want the - daemon service to be managed for you. - ''; - }; - distributedBuilds = mkOption { type = types.bool; default = false; @@ -909,7 +902,7 @@ in if [[ -e /etc/nix/nix.custom.conf ]]; then mv /etc/nix/nix.custom.conf{,.before-nix-darwin} fi - '' + optionalString cfg.useDaemon '' + if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then echo "reloading nix-daemon..." >&2 launchctl kill HUP system/org.nixos.nix-daemon @@ -926,6 +919,9 @@ in trusted-users = [ "root" ]; substituters = mkAfter [ "https://cache.nixos.org/" ]; + # Not in NixOS module + build-users-group = "nixbld"; + # Not implemented yet # system-features = mkDefault ( # [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ @@ -941,8 +937,6 @@ in (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) - # Not in NixOS module - (mkIf cfg.useDaemon { build-users-group = "nixbld"; }) ]; }; diff --git a/modules/services/buildkite-agents.nix b/modules/services/buildkite-agents.nix index 69bc1f65..3c04d904 100644 --- a/modules/services/buildkite-agents.nix +++ b/modules/services/buildkite-agents.nix @@ -227,8 +227,9 @@ in { path = cfg.runtimePackages ++ [ cfg.package pkgs.coreutils pkgs.darwin.DarwinTools ]; environment = { HOME = cfg.dataDir; + NIX_REMOTE = "daemon"; inherit (config.environment.variables) NIX_SSL_CERT_FILE; - } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {}); + }; ## NB: maximum care is taken so that secrets (ssh keys and the CI token) ## don't end up in the Nix store. diff --git a/modules/services/gitlab-runner.nix b/modules/services/gitlab-runner.nix index 94c291ef..329fd727 100644 --- a/modules/services/gitlab-runner.nix +++ b/modules/services/gitlab-runner.nix @@ -551,8 +551,9 @@ in launchd.daemons.gitlab-runner = { environment = { #config.networking.proxy.envVars // { HOME = "${config.users.users.gitlab-runner.home}"; + NIX_REMOTE = "daemon"; NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {}); + }; path = with pkgs; [ bash gawk diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix index fc3d9520..39125065 100644 --- a/modules/services/hercules-ci-agent/default.nix +++ b/modules/services/hercules-ci-agent/default.nix @@ -74,7 +74,7 @@ in darwin.label = config.system.darwinLabel; darwin.revision = config.system.darwinRevision; darwin.version = config.system.darwinVersion; - darwin.nix.daemon = config.nix.useDaemon; + darwin.nix.daemon = true; darwin.nix.sandbox = config.nix.settings.sandbox; }; }; diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index df3fa310..ee866a6f 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -41,8 +41,6 @@ in config = mkIf cfg.enable { - nix.useDaemon = true; - launchd.daemons.nix-daemon = { command = lib.getExe' config.nix.package "nix-daemon"; serviceConfig.ProcessType = config.nix.daemonProcessType; diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix index 9fe8e86d..44278e64 100644 --- a/modules/services/nix-gc/default.nix +++ b/modules/services/nix-gc/default.nix @@ -14,6 +14,7 @@ in (mkRemovedOptionModule [ "nix" "gc" "dates" ] "Use `nix.gc.interval` instead.") (mkRemovedOptionModule [ "nix" "gc" "randomizedDelaySec" ] "No `nix-darwin` equivalent to this NixOS option.") (mkRemovedOptionModule [ "nix" "gc" "persistent" ] "No `nix-darwin` equivalent to this NixOS option.") + (mkRemovedOptionModule [ "nix" "gc" "user" ] "The garbage collection service now always runs as `root`.") ]; ###### interface @@ -28,13 +29,6 @@ in description = "Automatically run the garbage collector at a specific time."; }; - # Not in NixOS module - user = mkOption { - type = types.nullOr types.str; - default = null; - description = "User that runs the garbage collector."; - }; - interval = mkOption { type = launchdTypes.StartCalendarInterval; default = [{ Weekday = 7; Hour = 3; Minute = 15; }]; @@ -66,10 +60,8 @@ in launchd.daemons.nix-gc = { command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; - environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon"; serviceConfig.RunAtLoad = false; serviceConfig.StartCalendarInterval = cfg.interval; - serviceConfig.UserName = cfg.user; }; }; diff --git a/modules/services/nix-optimise/default.nix b/modules/services/nix-optimise/default.nix index c0ee0a38..4eefc480 100644 --- a/modules/services/nix-optimise/default.nix +++ b/modules/services/nix-optimise/default.nix @@ -20,6 +20,7 @@ in { imports = [ (mkRemovedOptionModule [ "nix" "optimise" "dates" ] "Use `nix.optimise.interval` instead.") + (mkRemovedOptionModule [ "nix" "optimise" "user" ] "The store optimisation service now always runs as `root`.") ]; ###### interface @@ -34,13 +35,6 @@ in description = "Automatically run the nix store optimiser at a specific time."; }; - # Not in NixOS module - user = mkOption { - type = types.nullOr types.str; - default = null; - description = "User that runs the store optimisation."; - }; - interval = mkOption { type = launchdTypes.StartCalendarInterval; default = [{ Weekday = 7; Hour = 4; Minute = 15; }]; @@ -61,12 +55,10 @@ in config = mkIf cfg.automatic { launchd.daemons.nix-optimise = { - environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon"; command = "${lib.getExe' config.nix.package "nix-store"} --optimise"; serviceConfig = { RunAtLoad = false; StartCalendarInterval = cfg.interval; - UserName = cfg.user; }; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index cc8048de..c3800385 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -130,24 +130,19 @@ let fi ''; - nixDaemon = if config.nix.useDaemon then '' - if ! dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then - printf >&2 'error: The daemon should not be enabled for single-user installs, aborting activation\n' - printf >&2 'Disable the nix-daemon service:\n' + nixDaemon = '' + if [[ "$(stat --format='%u' /nix)" != 0 ]]; then + printf >&2 'error: single‐user install detected, aborting activation\n' + printf >&2 'nix-darwin now only supports managing multi‐user daemon installations\n' + printf >&2 'of Nix. You can uninstall nix-darwin and Nix and then reinstall both to\n' + printf >&2 'fix this.\n' printf >&2 '\n' - printf >&2 ' services.nix-daemon.enable = false;\n' + printf >&2 'If you don’t want to do that, you can disable management of the Nix\n' + printf >&2 'installation with:\n' printf >&2 '\n' - printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n' - printf >&2 '\n' - exit 2 - fi - '' else '' - if dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then - printf >&2 'error: The daemon should be enabled for multi-user installs, aborting activation\n' - printf >&2 'Enable the nix-daemon service:\n' - printf >&2 '\n' - printf >&2 ' services.nix-daemon.enable = true;\n' + printf >&2 ' nix.enable = false;\n' printf >&2 '\n' + printf >&2 'See the `nix.enable` option documentation for caveats.\n' exit 2 fi ''; @@ -214,43 +209,6 @@ let fi ''; - nixStore = '' - if test -w /nix/var/nix/db -a ! -O /nix/store; then - echo >&2 "error: the store is not owned by this user, but /nix/var/nix/db is writable" - echo >&2 "If you are using the daemon:" - echo >&2 - echo >&2 " sudo chown -R root:wheel /nix/var/nix/db" - echo >&2 - echo >&2 "Otherwise:" - echo >&2 - echo >&2 " sudo chown -R $USER:staff /nix/store" - echo >&2 - exit 2 - fi - ''; - - nixGarbageCollector = '' - if test -O /nix/store; then - echo "error: A single-user install can't run gc as root, aborting activation" >&2 - echo "Configure the garbage collector to run as the current user:" >&2 - echo >&2 - echo " nix.gc.user = \"$USER\";" >&2 - echo >&2 - exit 2 - fi - ''; - - nixStoreOptimiser = '' - if test -O /nix/store; then - echo "error: A single-user install can't run optimiser as root, aborting activation" >&2 - echo "Configure the optimiser to run as the current user:" >&2 - echo >&2 - echo " nix.optimise.user = \"$USER\";" >&2 - echo >&2 - exit 2 - fi - ''; - # TODO: Remove this a couple years down the line when we can assume # that anyone who cares about security has upgraded. oldSshAuthorizedKeysDirectory = '' @@ -311,7 +269,7 @@ in type = types.bool; default = config.nix.enable && - ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + ((!(config.nix.settings.auto-allocate-uids or false)) || config.nix.configureBuildUsers); description = "Whether to run the Nix build users validation checks."; }; @@ -338,9 +296,6 @@ in (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf config.nix.configureBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) - nixStore - (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) - (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) nixInstaller (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory diff --git a/release.nix b/release.nix index 52b3c2aa..115025ee 100644 --- a/release.nix +++ b/release.nix @@ -80,7 +80,6 @@ in { tests.activation-scripts = makeTest ./tests/activation-scripts.nix; tests.autossh = makeTest ./tests/autossh.nix; - tests.checks-nix-gc = makeTest ./tests/checks-nix-gc.nix; tests.environment-path = makeTest ./tests/environment-path.nix; tests.environment-terminfo = makeTest ./tests/environment-terminfo.nix; tests.homebrew = makeTest ./tests/homebrew.nix; diff --git a/tests/checks-nix-gc.nix b/tests/checks-nix-gc.nix deleted file mode 100644 index e3dccd7f..00000000 --- a/tests/checks-nix-gc.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, pkgs, ... }: - -let - nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; -in - -{ - nix.gc.automatic = true; - nix.package = nix; - - test = '' - echo checking nix-gc validation >&2 - grep "nix.gc.user = " ${config.out}/activate-user - - echo checking nix-gc service in /Library/LaunchDaemons >&2 - grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - (! grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist) - ''; -} diff --git a/tests/services-nix-gc.nix b/tests/services-nix-gc.nix index 6d7cdef8..9c8ba817 100644 --- a/tests/services-nix-gc.nix +++ b/tests/services-nix-gc.nix @@ -7,19 +7,13 @@ in { nix.gc.automatic = true; nix.gc.options = "--delete-older-than 30d"; - nix.gc.user = "nixuser"; nix.package = nix; test = '' echo checking nix-gc service in /Library/LaunchDaemons >&2 grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-collect-garbage --delete-older-than 30d" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist (! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist) - - echo checking nix-gc validation >&2 - (! grep "nix.gc.user = " ${config.out}/activate-user) ''; } diff --git a/tests/services-nix-optimise.nix b/tests/services-nix-optimise.nix index 4108eb0f..acdc1dce 100644 --- a/tests/services-nix-optimise.nix +++ b/tests/services-nix-optimise.nix @@ -6,7 +6,6 @@ in { nix.optimise.automatic = true; - nix.optimise.user = "nixuser"; nix.package = nix; test = '' @@ -15,11 +14,6 @@ in ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-store --optimise" \ ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist - grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist - grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist (! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist) - - echo checking nix-optimise validation >&2 - (! grep "nix.optimise.user = " ${config.out}/activate-user) ''; } From adc989f7ec9efd8bb4e1b6b48c15f4c0f41be018 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 32/69] nix: remove `nix.configureBuildUsers` We now manage the build users unconditionally when we manage the Nix installation. --- modules/examples/lnl.nix | 1 - modules/nix/default.nix | 25 +++++++++----------- modules/system/checks.nix | 50 ++++++--------------------------------- 3 files changed, 18 insertions(+), 58 deletions(-) diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix index 90142f65..8dff10cc 100644 --- a/modules/examples/lnl.nix +++ b/modules/examples/lnl.nix @@ -319,7 +319,6 @@ # path = /etc/per-user/lnl/gitconfig # environment.etc."per-user/lnl/gitconfig".text = builtins.readFile "${inputs.dotfiles}/git/gitconfig"; - nix.configureBuildUsers = true; nix.nrBuildUsers = 32; system.stateVersion = 6; diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 6028e6bb..b201a692 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -12,6 +12,8 @@ let isNixAtLeast = versionAtLeast (getVersion nixPackage); + configureBuildUsers = !(config.nix.settings.auto-allocate-uids or false); + makeNixBuildUser = nr: { name = "_nixbld${toString nr}"; value = { @@ -180,6 +182,10 @@ in nix-darwin now only supports managing multi‐user daemon installations of Nix. '') + (mkRemovedOptionModule [ "nix" "configureBuildUsers" ] '' + nix-darwin now manages build users unconditionally when + `nix.enable` is on. + '') ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface @@ -397,15 +403,6 @@ in description = "Environment variables used by Nix."; }; - # Not in NixOS module - configureBuildUsers = mkOption { - type = types.bool; - default = false; - description = '' - Enable configuration for nixbld group and users. - ''; - }; - nrBuildUsers = mkOption { type = types.int; description = '' @@ -836,10 +833,10 @@ in nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); - users.users = mkIf cfg.configureBuildUsers nixbldUsers; + users.users = mkIf configureBuildUsers nixbldUsers; # Not in NixOS module - users.groups.nixbld = mkIf cfg.configureBuildUsers { + users.groups.nixbld = mkIf configureBuildUsers { description = "Nix build group for nix-daemon"; gid = config.ids.gids.nixbld; members = attrNames nixbldUsers; @@ -847,11 +844,11 @@ in users.knownUsers = let nixbldUserNames = attrNames nixbldUsers; in - mkIf cfg.configureBuildUsers (mkMerge [ + mkMerge [ nixbldUserNames (map (removePrefix "_") nixbldUserNames) # delete old style nixbld users - ]); - users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ]; + ]; + users.knownGroups = [ "nixbld" ]; # The Determinate Systems installer puts user‐specified settings in # `/etc/nix/nix.custom.conf` since v0.33.0. Supplement the diff --git a/modules/system/checks.nix b/modules/system/checks.nix index c3800385..f13f7db9 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -31,29 +31,13 @@ let fi ''; - oldBuildUsers = '' - if dscl . -list /Users | grep -q '^nixbld'; then - echo "error: Detected old style nixbld users, aborting activation" >&2 - echo "These can cause migration problems when upgrading to certain macOS versions" >&2 - echo "You can enable the following option to migrate to new style nixbld users" >&2 - echo >&2 - echo " nix.configureBuildUsers = true;" >&2 - echo >&2 - echo "or disable this check with" >&2 - echo >&2 - echo " system.checks.verifyBuildUsers = false;" >&2 - echo >&2 - exit 2 - fi - ''; - preSequoiaBuildUsers = '' - ${lib.optionalString config.nix.configureBuildUsers '' - # Don’t complain when we’re about to migrate old‐style build users… - if ! dscl . -list /Users | grep -q '^nixbld'; then - ''} firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') - if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then + if + # Don’t complain when we’re about to migrate old‐style build users… + [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \ + && ! dscl . -list /Users | grep -q '^nixbld' + then printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n' printf >&2 'The default Nix build user ID range has been adjusted for\n' printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n' @@ -86,22 +70,6 @@ let printf >&2 '\n' exit 2 fi - ${lib.optionalString config.nix.configureBuildUsers "fi"} - ''; - - buildUsers = '' - buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true - if [[ -z "$buildUser" ]]; then - echo "error: Using the nix-daemon requires build users, aborting activation" >&2 - echo "Create the build users or disable the daemon:" >&2 - echo "$ darwin-install" >&2 - echo >&2 - echo "or set (this requires some manual intervention to restore permissions)" >&2 - echo >&2 - echo " services.nix-daemon.enable = false;" >&2 - echo >&2 - exit 2 - fi ''; buildGroupID = '' @@ -268,9 +236,7 @@ in system.checks.verifyBuildUsers = mkOption { type = types.bool; default = - config.nix.enable && - ((!(config.nix.settings.auto-allocate-uids or false)) - || config.nix.configureBuildUsers); + config.nix.enable && !(config.nix.settings.auto-allocate-uids or false); description = "Whether to run the Nix build users validation checks."; }; @@ -291,10 +257,8 @@ in system.checks.text = mkMerge [ (mkIf cfg.verifyMacOSVersion macOSVersion) - (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) - (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) - (mkIf config.nix.configureBuildUsers buildGroupID) + (mkIf cfg.verifyBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) nixInstaller (mkIf cfg.verifyNixPath nixPath) From 8a94b5b99bfa6aec7846bec63eba93d05f8f44d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 33/69] nix-daemon: remove `services.nix-daemon.enable` We now manage the launchd daemon unconditionally when we manage the Nix installation. --- modules/services/nix-daemon.nix | 17 +++++++++-------- tests/services-nix-daemon.nix | 1 - tests/sockets-nix-daemon.nix | 1 - 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index ee866a6f..404ca057 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -3,17 +3,18 @@ let cfg = config.services.nix-daemon; - inherit (lib) mkDefault mkIf mkMerge mkOption types; + inherit (lib) mkRemovedOptionModule mkDefault mkIf mkMerge mkOption types; in { - options = { - services.nix-daemon.enable = mkOption { - type = types.bool; - default = config.nix.enable; - description = "Whether to enable the nix-daemon service."; - }; + imports = [ + (mkRemovedOptionModule [ "services" "nix-daemon" "enable" ] '' + nix-darwin now manages nix-daemon unconditionally when + `nix.enable` is on. + '') + ]; + options = { services.nix-daemon.enableSocketListener = mkOption { type = types.bool; default = false; @@ -39,7 +40,7 @@ in }; }; - config = mkIf cfg.enable { + config = mkIf config.nix.enable { launchd.daemons.nix-daemon = { command = lib.getExe' config.nix.package "nix-daemon"; diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix index 86dbd57c..f8f06e5d 100644 --- a/tests/services-nix-daemon.nix +++ b/tests/services-nix-daemon.nix @@ -6,7 +6,6 @@ let in { - services.nix-daemon.enable = true; nix.package = nix; launchd.labelPrefix = "org.nix-darwin"; # should not have an effect on nix-daemon diff --git a/tests/sockets-nix-daemon.nix b/tests/sockets-nix-daemon.nix index 606b7b6f..bafd6c10 100644 --- a/tests/sockets-nix-daemon.nix +++ b/tests/sockets-nix-daemon.nix @@ -5,7 +5,6 @@ let in { - services.nix-daemon.enable = true; services.nix-daemon.enableSocketListener = true; nix.package = nix; launchd.labelPrefix = "org.nix-darwin"; # should not have an effect on nix-daemon From fb2bc03f922d406621928a80b28225340cb2b070 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 18:40:29 +0000 Subject: [PATCH 34/69] activation-scripts: add unmanaged system Nix to activation path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, the `bin` directory of the configured system is embedded in the `$PATH` of activation scripts, but not other elements of the default `environment.systemPath` like `/nix/var/nix/profiles/default/bin` or `/usr/local/bin`. This means that when nix-darwin is not managing the Nix installation, activation scripts like Home Manager’s that want to look up the system‐managed Nix can’t find it. Search for it on the entire `environment.systemPath` and add the appropriate directory if found. We leave the launchd `activate-system` daemon alone, because it has erroneously referred to `@out@/sw/bin` forever and therefore never got a Nix on the path to begin with. That’s a problem for another time. (The more ideal solution is probably for Home Manager activation to be driven by launchd or something, but that’s a longer‐term goal.) --- modules/system/activation-scripts.nix | 34 +++++++++++++++++++++++++-- tests/nix-enable.nix | 3 +++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index b95ea324..341e782e 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -13,6 +13,32 @@ let mkTextDerivation = name: text: pkgs.writeScript "activate-${name}" text; }; + activationPath = + lib.makeBinPath [ + pkgs.gnugrep + pkgs.coreutils + ] + + lib.optionalString (!config.nix.enable) '' + $( + # If `nix.enable` is off, there might be an unmanaged Nix + # installation (say in `/nix/var/nix/profiles/default`) that + # activation scripts (such as Home Manager) want to find on the + # `$PATH`. Search for it directly to avoid polluting the + # activation script environment with everything on the + # `environment.systemPath`. + if nixEnvPath=$( + PATH="${config.environment.systemPath}" command -v nix-env + ); then + printf ':' + ${lib.getExe' pkgs.coreutils "dirname"} -- "$( + ${lib.getExe' pkgs.coreutils "readlink"} \ + --canonicalize-missing \ + -- "$nixEnvPath" + )" + fi + )'' + + ":@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"; + in { @@ -40,7 +66,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ @@ -86,7 +114,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix index 4e7a1782..0828834f 100644 --- a/tests/nix-enable.nix +++ b/tests/nix-enable.nix @@ -10,5 +10,8 @@ printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + + printf >&2 'checking for late‐bound Nix lookup in /activate\n' + grep nixEnvPath= ${config.out}/activate ''; } From 03877755e9f67e584381ecde74ed2c030639aa0c Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 15:48:54 +0000 Subject: [PATCH 35/69] checks: add check for Determinate This provides a more useful error message than the `/etc/nix/nix.conf` hash mismatch error that would otherwise occur. --- modules/system/checks.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index f13f7db9..9bbaf2c7 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -31,6 +31,24 @@ let fi ''; + determinate = '' + if [[ -e /usr/local/bin/determinate-nixd ]]; then + printf >&2 '\e[1;31merror: Determinate detected, aborting activation\e[0m\n' + printf >&2 'Determinate uses its own daemon to manage the Nix installation that\n' + printf >&2 'conflicts with nix-darwin’s native Nix management.\n' + printf >&2 '\n' + printf >&2 'To turn off nix-darwin’s management of the Nix installation, set:\n' + printf >&2 '\n' + printf >&2 ' nix.enable = false;\n' + printf >&2 '\n' + printf >&2 'This will allow you to use nix-darwin with Determinate. Some nix-darwin\n' + printf >&2 'functionality that relies on managing the Nix installation, like the\n' + printf >&2 '`nix.*` options to adjust Nix settings or configure a Linux builder,\n' + printf >&2 'will be unavailable.\n' + exit 2 + fi + ''; + preSequoiaBuildUsers = '' firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') if @@ -257,6 +275,7 @@ in system.checks.text = mkMerge [ (mkIf cfg.verifyMacOSVersion macOSVersion) + (mkIf config.nix.enable determinate) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf cfg.verifyBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) From 00a8cb30fa7d52681f3445de672db95479b83d8c Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 17:38:34 +0000 Subject: [PATCH 36/69] readme: update information about Determinate --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b0f095a1..1a9900b1 100644 --- a/README.md +++ b/README.md @@ -11,11 +11,19 @@ nix-darwin is built up around [Nixpkgs](https://github.com/NixOS/nixpkgs), quite ## Prerequisites -The only prerequisite is a Nix implementation, both Nix and Lix are supported. +The only prerequisite is a Nix implementation; both Nix and Lix are supported. As the official Nix installer does not include an automated uninstaller, and manual uninstallation on macOS is a complex process, we recommend using one of the following installers instead: -- The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. **Make sure you use it without the `--determinate` flag**. The `--determinate` flag installs the Determinate Nix distribution which does not work out of the box with nix-darwin. +* The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. + It can install one of two distributions of Nix: + + * By default, it will install vanilla upstream [Nix](https://nixos.org/) with flakes enabled. + + * When run with the `--determinate` flag, it will install the [Determinate](https://docs.determinate.systems/) distribution. + As Determinate manages the Nix installation itself, you will need to set `nix.enable = false;` in your configuration to disable nix-darwin’s own Nix management. + Some nix-darwin functionality that relies on managing the Nix installation, like the `nix.*` options to adjust Nix settings or configure a Linux builder, will be unavailable. + * The [Lix installer](https://lix.systems/install/#on-any-other-linuxmacos-system) supports both flake-based and channel-based setups. From a2e44a84be1c6b951d1764a1d44fff37d8fc59f5 Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 21:41:43 +0000 Subject: [PATCH 37/69] changelog: document changes to Nix installation management --- CHANGELOG | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index ce169403..74591eff 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,15 @@ +2025-01-29 +- There is now a `nix.enable` toggle to disable management of the Nix + installation. Nix installation management has been made more + opinionated as a consequence; nix-darwin now only supports managing a + multi‐user daemon installation of Nix, and unconditionally takes + ownership of the nix-daemon launchd daemon and the `_nixbld*` build + users when Nix installation management is enabled. + + If the new constraints do not work with your setup, you can disable + the `nix.enable` option to opt out of Nix installation management + entirely; see the option documentation for caveats. + 2025-01-18 - The default configuration path for all new installations is `/etc/nix-darwin`. This was already the undocumented From c31b6e8a0305fee46238387a3462ec060e377500 Mon Sep 17 00:00:00 2001 From: Emily Date: Thu, 30 Jan 2025 02:39:27 +0000 Subject: [PATCH 38/69] homebrew: use `mas` from Nixpkgs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, setting `homebrew.masApps` causes `"mas"` to automatically be added to `homebrew.brews`. Users who want to use Homebrew only for managing App Store apps and casks, like me, can override this by setting `homebrew.brews = lib.mkForce [ ];` and adding Nixpkgs’ `mas` to their `environment.systemPackages`. When the activation script path no longer depends on the built configuration’s `environment.systemPackages`, this will no longer work. Since this was originally added before `mas` was packaged in Nixpkgs and we now have a perfectly serviceable binary package, we can add it to the `$PATH` when invoking Homebrew and skip the automatic formula installation. As the Homebrew `bin` directory still comes first, users who specifically want the formula can restore the previous behaviour by explicitly adding `"mas"` to `homebrew.brews`. Closes: #1314 --- modules/homebrew.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/modules/homebrew.nix b/modules/homebrew.nix index d9751709..6f8cfcb9 100644 --- a/modules/homebrew.nix +++ b/modules/homebrew.nix @@ -708,9 +708,6 @@ in description = '' Applications to install from Mac App Store using {command}`mas`. - When this option is used, `"mas"` is automatically added to - [](#opt-homebrew.brews). - Note that you need to be signed into the Mac App Store for {command}`mas` to successfully install and upgrade applications, and that unfortunately apps removed from this option will not be uninstalled automatically even if @@ -768,8 +765,7 @@ in ]; homebrew.brews = - optional (cfg.masApps != { }) "mas" - ++ optional (cfg.whalebrews != [ ]) "whalebrew"; + optional (cfg.whalebrews != [ ]) "whalebrew"; homebrew.brewfile = "# Created by `nix-darwin`'s `homebrew` module\n\n" @@ -789,7 +785,8 @@ in # Homebrew Bundle echo >&2 "Homebrew bundle..." if [ -f "${cfg.brewPrefix}/brew" ]; then - PATH="${cfg.brewPrefix}":$PATH ${cfg.onActivation.brewBundleCmd} + PATH="${cfg.brewPrefix}:${lib.makeBinPath [ pkgs.mas ]}:$PATH" \ + ${cfg.onActivation.brewBundleCmd} else echo -e "\e[1;31merror: Homebrew is not installed, skipping...\e[0m" >&2 fi From fc9367a9ec8ce3527291fc3bfc1b12c0260bc676 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:14:24 +0000 Subject: [PATCH 39/69] nix-gc: check for `nix.enable` This was added to Nixpkgs in eb8b70c020e6693b29634660fa173d7f14f882eb. --- modules/services/nix-gc/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix index 44278e64..b8d5c4d9 100644 --- a/modules/services/nix-gc/default.nix +++ b/modules/services/nix-gc/default.nix @@ -56,13 +56,18 @@ in ###### implementation - config = mkIf cfg.automatic { + config = { + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.gc.automatic requires nix.enable''; + } + ]; - launchd.daemons.nix-gc = { + launchd.daemons.nix-gc = mkIf cfg.automatic { command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; serviceConfig.RunAtLoad = false; serviceConfig.StartCalendarInterval = cfg.interval; }; - }; } From 0176a5082ba8450e1480204a824ed188cdc81600 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:15:18 +0000 Subject: [PATCH 40/69] nix-optimise: check for `nix.enable` This was added to Nixpkgs in eb8b70c020e6693b29634660fa173d7f14f882eb. --- modules/services/nix-optimise/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/services/nix-optimise/default.nix b/modules/services/nix-optimise/default.nix index 4eefc480..addf0467 100644 --- a/modules/services/nix-optimise/default.nix +++ b/modules/services/nix-optimise/default.nix @@ -52,15 +52,20 @@ in ###### implementation - config = mkIf cfg.automatic { + config = { + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.optimise.automatic requires nix.enable''; + } + ]; - launchd.daemons.nix-optimise = { + launchd.daemons.nix-optimise = mkIf cfg.automatic { command = "${lib.getExe' config.nix.package "nix-store"} --optimise"; serviceConfig = { RunAtLoad = false; StartCalendarInterval = cfg.interval; }; }; - }; } From 7cca8f95f7761bff239066306148714e560cbc2e Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:25:18 +0000 Subject: [PATCH 41/69] linux-builder: check for `nix.enable` --- modules/nix/linux-builder.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index ae39547f..36a41310 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -160,6 +160,13 @@ in }; config = mkIf cfg.enable { + assertions = [ + { + assertion = config.nix.enable; + message = ''`nix.linux-builder.enable` requires `nix.enable`''; + } + ]; + system.activationScripts.preActivation.text = '' mkdir -p ${cfg.workingDirectory} ''; From 147ed950e382ef45d083f060b4529df817077069 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:28:56 +0000 Subject: [PATCH 42/69] nixpkgs-flake: check for `nix.enable` --- modules/nix/nixpkgs-flake.nix | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/modules/nix/nixpkgs-flake.nix b/modules/nix/nixpkgs-flake.nix index bb7c1b0a..bc00c78d 100644 --- a/modules/nix/nixpkgs-flake.nix +++ b/modules/nix/nixpkgs-flake.nix @@ -37,8 +37,8 @@ in setNixPath = mkOption { type = types.bool; - default = cfg.source != null; - defaultText = "config.nixpkgs.flake.source != null"; + default = config.nix.enable && cfg.source != null; + defaultText = literalExpression ''config.nix.enable && nixpkgs.flake.source != null''; description = '' Whether to set {env}`NIX_PATH` to include `nixpkgs=flake:nixpkgs` such that `` @@ -57,8 +57,8 @@ in setFlakeRegistry = mkOption { type = types.bool; - default = cfg.source != null; - defaultText = "config.nixpkgs.flake.source != null"; + default = config.nix.enable && cfg.source != null; + defaultText = literalExpression ''config.nix.enable && config.nixpkgs.flake.source != null''; description = '' Whether to pin nixpkgs in the system-wide flake registry (`/etc/nix/registry.json`) to the @@ -85,6 +85,18 @@ in be set, since it is implemented in terms of indirection through the flake registry. ''; } + + # TODO: Upstream these to NixOS. + + { + assertion = cfg.setNixPath -> config.nix.enable; + message = ''`nixpkgs.flake.setNixPath` requires `nix.enable`''; + } + + { + assertion = cfg.setFlakeRegistry -> config.nix.enable; + message = ''`nixpkgs.flake.setFlakeRegistry` requires `nix.enable`''; + } ]; } (mkIf cfg.setFlakeRegistry { From 57c93ffe6cbb627e5c9d10ceae7b31e68ba945ac Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:31:28 +0000 Subject: [PATCH 43/69] hercules-ci-agent: check for `nix.enable` --- modules/services/hercules-ci-agent/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix index 39125065..47368294 100644 --- a/modules/services/hercules-ci-agent/default.nix +++ b/modules/services/hercules-ci-agent/default.nix @@ -22,6 +22,14 @@ in }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.hercules-ci-agent.enable` requires `nix.enable`''; + } + ]; + launchd.daemons.hercules-ci-agent = { script = "exec ${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}"; From aba0c60ebab549f69ece1622d99ffc5e6ad81af3 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:41:14 +0000 Subject: [PATCH 44/69] lorri: check for `nix.enable` --- modules/services/lorri.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/services/lorri.nix b/modules/services/lorri.nix index 0c123004..c4e1acee 100644 --- a/modules/services/lorri.nix +++ b/modules/services/lorri.nix @@ -29,6 +29,14 @@ in }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.lorri.enable` requires `nix.enable`''; + } + ]; + environment.systemPackages = [ pkgs.lorri ]; launchd.user.agents.lorri = { command = with pkgs; "${lorri}/bin/lorri daemon"; @@ -43,4 +51,4 @@ in }; }; }; -} \ No newline at end of file +} From f4e2805e19f84420538590ff4e91b1bfa2e79784 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:49:48 +0000 Subject: [PATCH 45/69] ofborg: check for `nix.enable` --- modules/services/ofborg/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/ofborg/default.nix b/modules/services/ofborg/default.nix index 8959cc84..acd6974f 100644 --- a/modules/services/ofborg/default.nix +++ b/modules/services/ofborg/default.nix @@ -46,6 +46,13 @@ in }; config = mkIf cfg.enable { + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.ofborg.enable` requires `nix.enable`''; + } + ]; + warnings = mkIf (isDerivation cfg.configFile) [ "services.ofborg.configFile is a derivation, credentials will be world readable" ]; From e3bde1588bc6b4cf774197228330139338a4a12c Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:51:42 +0000 Subject: [PATCH 46/69] github-runner: check for `nix.enable` --- modules/services/github-runner/service.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 029f863e..3668a721 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -13,6 +13,11 @@ in { config.assertions = flatten ( flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [ + # TODO: Upstream this to NixOS. + { + assertion = config.nix.enable; + message = ''`services.github-runners.${name}.enable` requires `nix.enable`''; + } { assertion = (cfg.user == null && cfg.group == null) || (cfg.user != null); message = "`services.github-runners.${name}`: Either set `user` and `group` to `null` to have nix-darwin manage them or set at least `user` explicitly"; From 42e16f31c6faf29a51a2aa15aeff64934bf5d157 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:53:25 +0000 Subject: [PATCH 47/69] cachix-agent: check for `nix.enable` --- modules/services/cachix-agent.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/cachix-agent.nix b/modules/services/cachix-agent.nix index d9e4a909..508261af 100644 --- a/modules/services/cachix-agent.nix +++ b/modules/services/cachix-agent.nix @@ -51,6 +51,14 @@ in { }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.cachix-agent.enable` requires `nix.enable`''; + } + ]; + launchd.daemons.cachix-agent = { script = '' . ${cfg.credentialsFile} From d677e3e844e21789c6f39a90aacadf6dc777ca42 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 20:14:17 +0000 Subject: [PATCH 48/69] nix-tools: only pass `config.nix.nixPath` through if `nix.enable` --- modules/nix/nix-darwin.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index a064f49a..9c78f3a6 100644 --- a/modules/nix/nix-darwin.nix +++ b/modules/nix/nix-darwin.nix @@ -4,7 +4,7 @@ let nix-tools = pkgs.callPackage ../../pkgs/nix-tools { inherit (config.system) profile; inherit (config.environment) systemPath; - nixPath = lib.concatStringsSep ":" config.nix.nixPath; + nixPath = lib.optionalString config.nix.enable (lib.concatStringsSep ":" config.nix.nixPath); }; darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; From cd445c546561d5ca4e9124cb4668ce80939ac0c9 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 20:54:52 +0000 Subject: [PATCH 49/69] nix: catch reads of unmanaged defaults MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When we’re not managing the Nix installation, these defaults aren’t used out of the box and won’t accurately represent the state of any unmanaged Nix or the desired Nix package, so reading the option defaults is a bug. This was previously a warning for `nix.package` and a silent failure for all the others. Now that all the problematic accesses in nix-darwin have been appropriately conditionalized, and since a throw gives a backtrace where a warning doesn’t, give throwing defaults to all the `nix.*` options that don’t reflect reality and that that modules shouldn’t be reading when `nix.enable` is off. I’m not in love with the implementation strategy here… ideally we’d think of something better than this and then upstream it to NixOS. `nix.nrBuildUsers` growing a fake default that is never used is particularly unfortunate. But this should hopefully catch mistakes in module code reasonably reliably. --- modules/nix/default.nix | 43 +++++++++++++++++++++++++---------------- tests/nix-enable.nix | 1 - 2 files changed, 26 insertions(+), 18 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b201a692..270bae43 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -156,6 +156,14 @@ let }) ]; + managedDefault = name: default: { + default = if cfg.enable then default else throw '' + ${name}: accessed when `nix.enable` is off; this is a bug in + nix-darwin or a third‐party module + ''; + defaultText = default; + }; + in { @@ -221,9 +229,7 @@ in package = mkOption { type = types.package; - default = warnIf (!cfg.enable) - "nix.package: accessed when `nix.enable` is off; this is a bug" - pkgs.nix; + inherit (managedDefault "nix.package" pkgs.nix) default; defaultText = literalExpression "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. @@ -232,7 +238,7 @@ in distributedBuilds = mkOption { type = types.bool; - default = false; + inherit (managedDefault "nix.distributedBuilds" false) default defaultText; description = '' Whether to distribute builds to the machines listed in {option}`nix.buildMachines`. @@ -242,7 +248,7 @@ in # Not in NixOS module daemonProcessType = mkOption { type = types.enum [ "Background" "Standard" "Adaptive" "Interactive" ]; - default = "Standard"; + inherit (managedDefault "nix.daemonProcessType" "Standard") default defaultText; description = '' Nix daemon process resource limits class. These limits propagate to build processes. `Standard` is the default process type @@ -257,7 +263,7 @@ in # Not in NixOS module daemonIOLowPriority = mkOption { type = types.bool; - default = false; + inherit (managedDefault "nix.daemonIOLowPriority" false) default defaultText; description = '' Whether the Nix daemon process should considered to be low priority when doing file system I/O. @@ -385,7 +391,7 @@ in }; }; }); - default = [ ]; + inherit (managedDefault "nix.buildMachines" [ ]) default defaultText; description = '' This option lists the machines to be used if distributed builds are enabled (see {option}`nix.distributedBuilds`). @@ -399,12 +405,13 @@ in envVars = mkOption { type = types.attrs; internal = true; - default = { }; + inherit (managedDefault "nix.envVars" { }) default defaultText; description = "Environment variables used by Nix."; }; nrBuildUsers = mkOption { type = types.int; + inherit (managedDefault "nix.nrBuildUsers" 0) default defaultText; description = '' Number of `nixbld` user accounts created to perform secure concurrent builds. If you receive an error @@ -432,11 +439,13 @@ in # Definition differs substantially from NixOS module nixPath = mkOption { type = nixPathType; - default = lib.optionals cfg.channel.enable [ - # Include default path . - { darwin-config = "${config.environment.darwinConfig}"; } - "/nix/var/nix/profiles/per-user/root/channels" - ]; + inherit (managedDefault "nix.nixPath" ( + lib.optionals cfg.channel.enable [ + # Include default path . + { darwin-config = "${config.environment.darwinConfig}"; } + "/nix/var/nix/profiles/per-user/root/channels" + ] + )) default; defaultText = lib.literalExpression '' lib.optionals cfg.channel.enable [ @@ -458,7 +467,7 @@ in checkConfig = mkOption { type = types.bool; - default = true; + inherit (managedDefault "nix.checkConfig" true) default defaultText; description = '' If enabled (the default), checks for data type mismatches and that Nix can parse the generated nix.conf. @@ -519,7 +528,7 @@ in }; } )); - default = { }; + inherit (managedDefault "nix.registry" { }) default defaultText; description = '' A system-wide flake registry. ''; @@ -527,7 +536,7 @@ in extraOptions = mkOption { type = types.lines; - default = ""; + inherit (managedDefault "nix.extraOptions" "") default defaultText; example = '' keep-outputs = true keep-derivations = true @@ -696,7 +705,7 @@ in }; }; }; - default = { }; + inherit (managedDefault "nix.settings" { }) default defaultText; description = '' Configuration for Nix, see diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix index 0828834f..e052aa2f 100644 --- a/tests/nix-enable.nix +++ b/tests/nix-enable.nix @@ -2,7 +2,6 @@ { nix.enable = false; - nix.package = throw "`nix.package` used when `nix.enable` is turned off"; test = '' printf >&2 'checking for unexpected Nix binary in /sw/bin\n' From 731910af010086c4dbe23eb6ae79d81bcec703aa Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 11 Feb 2025 19:46:21 +0000 Subject: [PATCH 50/69] {activation-scripts,activate-system}: check `gcroots` before linking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When `nix.enable` is off, we don’t necessarily have an active Nix installation, so there won’t necessarily be an active `/nix/var/nix/gcroots` directory to link things into. NixOS just skips this unconditionally when `nix.enable` is off, but that doesn’t work well with a context in which we usually expect `nix.enable` to be coupled with an unmanaged system installation of Nix. --- modules/services/activate-system/default.nix | 4 +++- modules/system/activation-scripts.nix | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index d8d86831..df0b48e4 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -21,7 +21,9 @@ ln -sfn $(cat ${config.system.profile}/systemConfig) /run/current-system # Prevent the current configuration from being garbage-collected. - ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + if [[ -d /nix/var/nix/gcroots ]]; then + ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + fi ${config.system.activationScripts.etcChecks.text} ${config.system.activationScripts.etc.text} diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 341e782e..c8ad20ad 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -106,7 +106,9 @@ in ln -sfn "$(readlink -f "$systemConfig")" /run/current-system # Prevent the current configuration from being garbage-collected. - ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + if [[ -d /nix/var/nix/gcroots ]]; then + ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + fi ''; # FIXME: activationScripts.checks should be system level From 5926058aecd67ec1bf5030b5a419c260876ea9ba Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 14 Feb 2025 16:33:12 +0400 Subject: [PATCH 51/69] nix: place `extra-`prefixed settings after their non-prefixed variants Fixes #626. Essentially a copy of NixOS's workaround: https://github.com/NixOS/nixpkgs/pull/278064 --- modules/nix/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b201a692..eeaf47bd 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -51,13 +51,16 @@ let mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + isExtra = key: hasPrefix "extra-" key; + in pkgs.writeTextFile { name = "nix.conf"; text = '' # WARNING: this file is generated from the nix.* options in # your nix-darwin configuration. Do not edit it! - ${mkKeyValuePairs cfg.settings} + ${mkKeyValuePairs (filterAttrs (key: value: !(isExtra key)) cfg.settings)} + ${mkKeyValuePairs (filterAttrs (key: value: isExtra key) cfg.settings)} ${cfg.extraOptions} ''; checkPhase = From 02ba211ea19fb4e5a5da2e24a6ebbed526f5231d Mon Sep 17 00:00:00 2001 From: Austin Horstman Date: Thu, 21 Nov 2024 15:18:31 -0600 Subject: [PATCH 52/69] dock: allow setting tile-types You can create spacer tiles in the dock by passing empty tile-data with specific tile-types --- modules/system/defaults/dock.nix | 12 ++++++++---- .../system-defaults-write/activate-user.txt | 16 ++++++++++++++++ tests/system-defaults-write.nix | 2 +- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/modules/system/defaults/dock.nix b/modules/system/defaults/dock.nix index bba0afb7..8eaf5ca8 100644 --- a/modules/system/defaults/dock.nix +++ b/modules/system/defaults/dock.nix @@ -134,10 +134,14 @@ in { description = '' Persistent applications in the dock. ''; - apply = value: - if !(isList value) - then value - else map (app: { tile-data = { file-data = { _CFURLString = app; _CFURLStringType = 0; }; }; }) value; + apply = + let + tileTypes = ["spacer-tile" "small-spacer-tile"]; + toSpecialTile = type: { tile-data = {}; tile-type = type; }; + toAppTile = cfurl: { tile-data = { file-data = { _CFURLString = cfurl; _CFURLStringType = 0; }; }; }; + toTile = s: if elem s tileTypes then toSpecialTile s else toAppTile s; + in + value: if isList value then map toTile value else value; }; system.defaults.dock.persistent-others = mkOption { diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index eda37537..aa605002 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -273,6 +273,22 @@ defaults write com.apple.dock 'persistent-apps' $' + + tile-data + + + + tile-type + small-spacer-tile + + + tile-data + + + + tile-type + spacer-tile + ' defaults write com.apple.dock 'persistent-others' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 0b8bc030..3f69c0bd 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -50,7 +50,7 @@ system.defaults.dock.appswitcher-all-displays = false; system.defaults.dock.autohide-delay = 0.24; system.defaults.dock.orientation = "left"; - system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app"]; + system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app" "small-spacer-tile" "spacer-tile"]; system.defaults.dock.persistent-others = ["~/Documents" "~/Downloads/file.txt"]; system.defaults.dock.scroll-to-open = false; system.defaults.finder.AppleShowAllFiles = true; From e21d07988b30adbd5b77d16f9fa40b7d5fc00a09 Mon Sep 17 00:00:00 2001 From: Austin Horstman Date: Tue, 17 Dec 2024 18:44:48 -0600 Subject: [PATCH 53/69] dock: refactor persistent-apps option --- modules/system/defaults/dock.nix | 68 ++++++++++++++++--- .../system-defaults-write/activate-user.txt | 32 ++++++++- tests/system-defaults-write.nix | 9 ++- 3 files changed, 98 insertions(+), 11 deletions(-) diff --git a/modules/system/defaults/dock.nix b/modules/system/defaults/dock.nix index 8eaf5ca8..d88b6afa 100644 --- a/modules/system/defaults/dock.nix +++ b/modules/system/defaults/dock.nix @@ -128,20 +128,72 @@ in { }; system.defaults.dock.persistent-apps = mkOption { - type = types.nullOr (types.listOf (types.either types.path types.str)); + type = let + taggedType = types.attrTag { + app = mkOption { + description = "An application to be added to the dock."; + type = types.str; + }; + file = mkOption { + description = "A file to be added to the dock."; + type = types.str; + }; + folder = mkOption { + description = "A folder to be added to the dock."; + type = types.str; + }; + spacer = mkOption { + description = "A spacer to be added to the dock. Can be small or regular size."; + type = types.submodule { + options.small = mkOption { + description = "Whether the spacer is small."; + type = types.bool; + default = false; + }; + }; + }; + }; + + simpleType = types.either types.str types.path; + toTagged = path: { app = path; }; + in + types.nullOr (types.listOf (types.coercedTo simpleType toTagged taggedType)); default = null; - example = [ "/Applications/Safari.app" "/System/Applications/Utilities/Terminal.app" ]; + example = [ + { app = "/Applications/Safari.app"; } + { spacer = { small = false; }; } + { spacer = { small = true; }; } + { folder = "/System/Applications/Utilities"; } + { file = "/User/example/Downloads/test.csv"; } + ]; description = '' - Persistent applications in the dock. + Persistent applications, spacers, files, and folders in the dock. ''; apply = let - tileTypes = ["spacer-tile" "small-spacer-tile"]; - toSpecialTile = type: { tile-data = {}; tile-type = type; }; - toAppTile = cfurl: { tile-data = { file-data = { _CFURLString = cfurl; _CFURLStringType = 0; }; }; }; - toTile = s: if elem s tileTypes then toSpecialTile s else toAppTile s; + toTile = item: if item ? app then { + tile-data.file-data = { + _CFURLString = item.app; + _CFURLStringType = 0; + }; + } else if item ? spacer then { + tile-data = { }; + tile-type = if item.spacer.small then "small-spacer-tile" else "spacer-tile"; + } else if item ? folder then { + tile-data.file-data = { + _CFURLString = "file://" + item.folder; + _CFURLStringType = 15; + }; + tile-type = "directory-tile"; + } else if item ? file then { + tile-data.file-data = { + _CFURLString = "file://" + item.file; + _CFURLStringType = 15; + }; + tile-type = "file-tile"; + } else item; in - value: if isList value then map toTile value else value; + value: if value == null then null else map toTile value; }; system.defaults.dock.persistent-others = mkOption { diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index aa605002..7162a414 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -255,7 +255,7 @@ defaults write com.apple.dock 'persistent-apps' $'file-data _CFURLString - MyApp.app + /Applications/MyApp.app _CFURLStringType 0 @@ -267,7 +267,7 @@ defaults write com.apple.dock 'persistent-apps' $'file-data _CFURLString - Cool.app + /Applications/Cool.app _CFURLStringType 0 @@ -289,6 +289,34 @@ defaults write com.apple.dock 'persistent-apps' $'tile-type spacer-tile + + tile-data + + file-data + + _CFURLString + file:///Applications/Utilities + _CFURLStringType + 15 + + + tile-type + directory-tile + + + tile-data + + file-data + + _CFURLString + file:///Users/example/Downloads/test.csv + _CFURLStringType + 15 + + + tile-type + file-tile + ' defaults write com.apple.dock 'persistent-others' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 3f69c0bd..19ce3c4f 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -50,7 +50,14 @@ system.defaults.dock.appswitcher-all-displays = false; system.defaults.dock.autohide-delay = 0.24; system.defaults.dock.orientation = "left"; - system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app" "small-spacer-tile" "spacer-tile"]; + system.defaults.dock.persistent-apps = [ + "/Applications/MyApp.app" + { app = "/Applications/Cool.app"; } + { spacer = { small = true; }; } + { spacer = { small = false; }; } + { folder = "/Applications/Utilities"; } + { file = "/Users/example/Downloads/test.csv"; } + ]; system.defaults.dock.persistent-others = ["~/Documents" "~/Downloads/file.txt"]; system.defaults.dock.scroll-to-open = false; system.defaults.finder.AppleShowAllFiles = true; From c9c2d40f7172747823dc9c5ab16b9bb541cf3c0d Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:46:40 +0700 Subject: [PATCH 54/69] pam: remove `with lib;` --- modules/security/pam.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 69b4c37e..2e091b98 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.security.pam; @@ -39,7 +37,7 @@ in { options = { - security.pam.enableSudoTouchIdAuth = mkEnableOption "" // { + security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { description = '' Enable sudo authentication with Touch ID. From bde9fa6f64211dc8bc9717fb37463e65de238b08 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Wed, 4 Dec 2024 08:50:08 +0100 Subject: [PATCH 55/69] add networking.hosts and .hostFiles from nixos --- .github/workflows/test.yml | 5 +- ...2596c5b54026b9a894fa481381ffd399b556c0e2da | 9 +++ modules/networking/default.nix | 76 ++++++++++++++++++- release.nix | 1 + tests/networking-hosts.nix | 20 +++++ 5 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da create mode 100644 tests/networking-hosts.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d87b7636..8eab6d35 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,12 +47,14 @@ jobs: sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) + etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ + environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ]; \ nix.nixPath = \ [ { darwin = \"${PWD////\/}\"; } ] \ ++ options.nix.nixPath.default; \ @@ -102,8 +104,9 @@ jobs: pushd /etc/nix-darwin sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) + etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ + "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ];/" \ flake.nix sudo /usr/bin/sed -i.bak \ 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ diff --git a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da new file mode 100644 index 00000000..34d00684 --- /dev/null +++ b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da @@ -0,0 +1,9 @@ +## +# Host Database +# +# localhost is used to configure the loopback interface +# when the system is booting. Do not change this entry. +## +127.0.0.1 localhost +255.255.255.255 broadcasthost +::1 localhost diff --git a/modules/networking/default.nix b/modules/networking/default.nix index b53a9e4a..9b697590 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -22,6 +22,8 @@ let esac '') cfg.knownNetworkServices} ''; + + localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); in { @@ -105,9 +107,50 @@ in Battery powered devices may require being connected to power. ''; }; + + networking.hosts = lib.mkOption { + type = types.attrsOf (types.listOf types.str); + example = literalExpression '' + { + "127.0.0.1" = [ "foo.bar.baz" ]; + "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; + }; + ''; + description = '' + Locally defined maps of hostnames to IP addresses. + ''; + default = {}; + }; + + networking.hostFiles = lib.mkOption { + type = types.listOf types.path; + defaultText = literalMD "Hosts from {option}`networking.hosts` and {option}`networking.extraHosts`"; + example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]''; + description = '' + Files that should be concatenated together to form {file}`/etc/hosts`. + ''; + }; + + networking.extraHosts = lib.mkOption { + type = types.lines; + default = ""; + example = "192.168.0.1 lanlocalhost"; + description = '' + Additional verbatim entries to be appended to {file}`/etc/hosts`. + For adding hosts from derivation results, use {option}`networking.hostFiles` instead. + ''; + }; }; config = { + assertions = [{ + assertion = !localhostMultiple; + message = '' + `networking.hosts` maps "localhost" to something other than "127.0.0.1" + or "::1". This will break some applications. Please use + `networking.extraHosts` if you really want to add such a mapping. + ''; + }]; warnings = [ (mkIf (cfg.knownNetworkServices == [] && cfg.dns != []) "networking.knownNetworkServices is empty, dns servers will not be configured.") @@ -134,5 +177,36 @@ in ''} ''; + networking.hostFiles = let + # Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1 + # resolves back to "localhost" (as some applications assume) instead of + # the FQDN! + localhostHosts = pkgs.writeText "localhost-hosts" '' + ## + # Host Database + # + # localhost is used to configure the loopback interface + # when the system is booting. Do not change this entry. + ## + 127.0.0.1 localhost + 255.255.255.255 broadcasthost + ::1 localhost + ''; + stringHosts = + let + oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n"; + allToString = set: concatMapStrings (oneToString set) (attrNames set); + in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts)); + extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts; + in mkBefore [ localhostHosts stringHosts extraHosts ]; + + environment.etc.hosts = { + knownSha256Hashes = [ + # Comes from MacOS: Darwin 24.1.0 Darwin Kernel Version 24.1.0. + "c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da" + ]; + + source = pkgs.concatText "hosts" cfg.hostFiles; + }; }; } diff --git a/release.nix b/release.nix index 115025ee..10856525 100644 --- a/release.nix +++ b/release.nix @@ -86,6 +86,7 @@ in { tests.launchd-daemons = makeTest ./tests/launchd-daemons.nix; tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; + tests.networking-hosts = makeTest ./tests/networking-hosts.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; diff --git a/tests/networking-hosts.nix b/tests/networking-hosts.nix new file mode 100644 index 00000000..2d73946e --- /dev/null +++ b/tests/networking-hosts.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +{ + networking.hosts = { + "127.0.0.1" = [ "my.super.host" ]; + "10.0.0.1" = [ "my.super.host" "my.other.host" ]; + }; + + test = '' + set -v + echo checking /etc/hosts file >&2 + + file=${config.out}/etc/hosts + + grep '127.0.0.1' $file | head -n1 | grep localhost$ + grep '127.0.0.1' $file | tail -n1 | grep my.super.host$ + grep '::1' $file | grep localhost$ + grep '10.0.0.1' $file | grep my.super.host\ my.other.host$ + ''; +} From 47f263077ee53de95a1c35eb6892665d77ce6165 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:51:32 +0700 Subject: [PATCH 56/69] pam: switch to using `sudo_local` file Co-Authored-By: Andrew Lubawy --- modules/security/pam.nix | 110 ++++++++++++++++++++++----------------- 1 file changed, 61 insertions(+), 49 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 2e091b98..58dff015 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -1,67 +1,79 @@ { config, lib, pkgs, ... }: let - cfg = config.security.pam; - - # Implementation Notes - # - # We don't use `environment.etc` because this would require that the user manually delete - # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires - # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the - # changes again after OS updates (which remove modifications to this file). - # - # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the - # added line that includes the name of the option, to make it easier to identify the line that - # should be deleted when the option is disabled. - mkSudoTouchIdAuthScript = isEnabled: - let - file = "/etc/pam.d/sudo"; - option = "security.pam.enableSudoTouchIdAuth"; - sed = "${pkgs.gnused}/bin/sed"; - in '' - ${if isEnabled then '' - # Enable sudo Touch ID authentication, if not already enabled - if ! grep 'pam_tid.so' ${file} > /dev/null; then - ${sed} -i '2i\ - auth sufficient pam_tid.so # nix-darwin: ${option} - ' ${file} - fi - '' else '' - # Disable sudo Touch ID authentication, if added by nix-darwin - if grep '${option}' ${file} > /dev/null; then - ${sed} -i '/${option}/d' ${file} - fi - ''} - ''; + cfg = config.security.pam.services.sudo_local; in - { + imports = [ + (lib.mkRemovedOptionModule [ "security" "pam" "enableSudoTouchIdAuth" ] '' + This option has been renamed to `security.pam.services.sudo_local.touchIdAuth` for consistency with NixOS. + '') + ]; + options = { - security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { - description = '' - Enable sudo authentication with Touch ID. + security.pam.services.sudo_local = { + enable = lib.mkEnableOption "managing {file}`/etc/pam.d/sudo_local` with nix-darwin" // { + default = true; + example = false; + }; - When enabled, this option adds the following line to - {file}`/etc/pam.d/sudo`: + text = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Contents of {file}`/etc/pam.d/sudo_local` + ''; + }; - ``` - auth sufficient pam_tid.so - ``` + touchIdAuth = lib.mkEnableOption "" // { + description = '' + Whether to enable Touch ID with sudo. - ::: {.note} - macOS resets this file when doing a system update. As such, sudo - authentication with Touch ID won't work after a system update - until the nix-darwin configuration is reapplied. - ::: - ''; + This will also allow your Apple Watch to be used for sudo. If this doesn't work, + you can go into `System Settings > Touch ID & Password` and toggle the switch for + your Apple Watch. + ''; + }; }; }; config = { - system.activationScripts.pam.text = '' + security.pam.services.sudo_local.text = lib.optionalString cfg.touchIdAuth "auth sufficient pam_tid.so"; + + environment.etc."pam.d/sudo_local" = { + inherit (cfg) enable text; + }; + + system.activationScripts.pam.text = + let + file = "/etc/pam.d/sudo"; + marker = "security.pam.services.sudo_local"; + deprecatedOption = "security.pam.enableSudoTouchIdAuth"; + sed = lib.getExe pkgs.gnused; + in + '' # PAM settings echo >&2 "setting up pam..." - ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth} + + # REMOVEME when macOS 13 no longer supported as macOS automatically + # nukes this file on system upgrade + # Always clear out older implementation if it is present + if grep '${deprecatedOption}' ${file} > /dev/null; then + ${sed} -i '/${deprecatedOption}/d' ${file} + fi + + ${if cfg.enable then '' + # REMOVEME when macOS 13 no longer supported + # `sudo_local` is automatically included after macOS 14 + if ! grep 'sudo_local' ${file} > /dev/null; then + ${sed} -i '2iauth include sudo_local # nix-darwin: ${marker}' ${file} + fi + '' else '' + # Remove include line if we added it + if grep '${marker}' ${file} > /dev/null; then + ${sed} -i '/${marker}/d' ${file} + fi + ''} ''; }; } From 11ea44f3e20737004f7c0f1d27354b9d7a79c2f5 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:52:40 +0700 Subject: [PATCH 57/69] pam: add `pam_reattach` support Co-Authored-By: Andrew Lubawy --- modules/security/pam.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 58dff015..1ecea923 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -34,11 +34,26 @@ in your Apple Watch. ''; }; + + reattach = lib.mkEnableOption "" // { + description = '' + Whether to enable reattaching a program to the user's bootstrap session. + + This fixes Touch ID for sudo not working inside tmux and screen. + + This allows programs like tmux and screen that run in the background to + survive across user sessions to work with PAM services that are tied to the + bootstrap session. + ''; + }; }; }; config = { - security.pam.services.sudo_local.text = lib.optionalString cfg.touchIdAuth "auth sufficient pam_tid.so"; + security.pam.services.sudo_local.text = lib.concatLines ( + (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") + ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so") + ); environment.etc."pam.d/sudo_local" = { inherit (cfg) enable text; From 727119f8c7420879e83ffc310b8c1f4fa2800c11 Mon Sep 17 00:00:00 2001 From: Coosis <1159727122@qq.com> Date: Tue, 25 Feb 2025 21:50:55 +0800 Subject: [PATCH 58/69] pam: add `pam_watchid` support --- modules/security/pam.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 1ecea923..e671e23f 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -35,6 +35,17 @@ in ''; }; + watchIdAuth = lib.mkEnableOption "" // { + description = '' + Use Apple Watch for sudo authentication, for devices without Touch ID or + laptops with lids closed, consider using this. + + When enabled, you can use your Apple Watch to authenticate sudo commands. + If this doesn't work, you can go into `System Settings > Touch ID & Password` + and toggle the switch for your Apple Watch. + ''; + }; + reattach = lib.mkEnableOption "" // { description = '' Whether to enable reattaching a program to the user's bootstrap session. @@ -53,6 +64,7 @@ in security.pam.services.sudo_local.text = lib.concatLines ( (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so") + ++ (lib.optional cfg.watchIdAuth "auth sufficient ${pkgs.pam-watchid}/lib/pam_watchid.so") ); environment.etc."pam.d/sudo_local" = { From 1d9f622484f00df0a8c00b13f427e4175760cf3c Mon Sep 17 00:00:00 2001 From: Ihar Hrachyshka Date: Wed, 26 Feb 2025 09:24:15 -0500 Subject: [PATCH 59/69] Revert "Add networking.hosts and .hostFiles from nixos " --- .github/workflows/test.yml | 5 +- ...2596c5b54026b9a894fa481381ffd399b556c0e2da | 9 --- modules/networking/default.nix | 76 +------------------ release.nix | 1 - tests/networking-hosts.nix | 20 ----- 5 files changed, 2 insertions(+), 109 deletions(-) delete mode 100644 doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da delete mode 100644 tests/networking-hosts.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8eab6d35..d87b7636 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,14 +47,12 @@ jobs: sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ - environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ]; \ nix.nixPath = \ [ { darwin = \"${PWD////\/}\"; } ] \ ++ options.nix.nixPath.default; \ @@ -104,9 +102,8 @@ jobs: pushd /etc/nix-darwin sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ];/" \ + "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ flake.nix sudo /usr/bin/sed -i.bak \ 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ diff --git a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da deleted file mode 100644 index 34d00684..00000000 --- a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da +++ /dev/null @@ -1,9 +0,0 @@ -## -# Host Database -# -# localhost is used to configure the loopback interface -# when the system is booting. Do not change this entry. -## -127.0.0.1 localhost -255.255.255.255 broadcasthost -::1 localhost diff --git a/modules/networking/default.nix b/modules/networking/default.nix index 9b697590..b53a9e4a 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: with lib; @@ -22,8 +22,6 @@ let esac '') cfg.knownNetworkServices} ''; - - localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); in { @@ -107,50 +105,9 @@ in Battery powered devices may require being connected to power. ''; }; - - networking.hosts = lib.mkOption { - type = types.attrsOf (types.listOf types.str); - example = literalExpression '' - { - "127.0.0.1" = [ "foo.bar.baz" ]; - "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; - }; - ''; - description = '' - Locally defined maps of hostnames to IP addresses. - ''; - default = {}; - }; - - networking.hostFiles = lib.mkOption { - type = types.listOf types.path; - defaultText = literalMD "Hosts from {option}`networking.hosts` and {option}`networking.extraHosts`"; - example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]''; - description = '' - Files that should be concatenated together to form {file}`/etc/hosts`. - ''; - }; - - networking.extraHosts = lib.mkOption { - type = types.lines; - default = ""; - example = "192.168.0.1 lanlocalhost"; - description = '' - Additional verbatim entries to be appended to {file}`/etc/hosts`. - For adding hosts from derivation results, use {option}`networking.hostFiles` instead. - ''; - }; }; config = { - assertions = [{ - assertion = !localhostMultiple; - message = '' - `networking.hosts` maps "localhost" to something other than "127.0.0.1" - or "::1". This will break some applications. Please use - `networking.extraHosts` if you really want to add such a mapping. - ''; - }]; warnings = [ (mkIf (cfg.knownNetworkServices == [] && cfg.dns != []) "networking.knownNetworkServices is empty, dns servers will not be configured.") @@ -177,36 +134,5 @@ in ''} ''; - networking.hostFiles = let - # Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1 - # resolves back to "localhost" (as some applications assume) instead of - # the FQDN! - localhostHosts = pkgs.writeText "localhost-hosts" '' - ## - # Host Database - # - # localhost is used to configure the loopback interface - # when the system is booting. Do not change this entry. - ## - 127.0.0.1 localhost - 255.255.255.255 broadcasthost - ::1 localhost - ''; - stringHosts = - let - oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n"; - allToString = set: concatMapStrings (oneToString set) (attrNames set); - in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts)); - extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts; - in mkBefore [ localhostHosts stringHosts extraHosts ]; - - environment.etc.hosts = { - knownSha256Hashes = [ - # Comes from MacOS: Darwin 24.1.0 Darwin Kernel Version 24.1.0. - "c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da" - ]; - - source = pkgs.concatText "hosts" cfg.hostFiles; - }; }; } diff --git a/release.nix b/release.nix index 10856525..115025ee 100644 --- a/release.nix +++ b/release.nix @@ -86,7 +86,6 @@ in { tests.launchd-daemons = makeTest ./tests/launchd-daemons.nix; tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; - tests.networking-hosts = makeTest ./tests/networking-hosts.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; diff --git a/tests/networking-hosts.nix b/tests/networking-hosts.nix deleted file mode 100644 index 2d73946e..00000000 --- a/tests/networking-hosts.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hosts = { - "127.0.0.1" = [ "my.super.host" ]; - "10.0.0.1" = [ "my.super.host" "my.other.host" ]; - }; - - test = '' - set -v - echo checking /etc/hosts file >&2 - - file=${config.out}/etc/hosts - - grep '127.0.0.1' $file | head -n1 | grep localhost$ - grep '127.0.0.1' $file | tail -n1 | grep my.super.host$ - grep '::1' $file | grep localhost$ - grep '10.0.0.1' $file | grep my.super.host\ my.other.host$ - ''; -} From b1db30ce36f25eb07a7d4832cc2d29b1697c00f1 Mon Sep 17 00:00:00 2001 From: Ihar Hrachyshka Date: Wed, 26 Feb 2025 16:52:13 -0500 Subject: [PATCH 60/69] networking: Restore the original /etc/hosts on activation A patch that replaced the original file with a symlink to nix store was reverted because MacOS Network framework doesn't support symlinks for the file. The revert leaves the system without any /etc/hosts file at all though. To fix this, an activation step is added to restore the original file from .before-nix-darwin backup, if it exists. Signed-off-by: Ihar Hrachyshka --- modules/networking/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/networking/default.nix b/modules/networking/default.nix index b53a9e4a..8097e276 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -132,6 +132,11 @@ in ${optionalString (cfg.wakeOnLan.enable != null) '' systemsetup -setWakeOnNetworkAccess '${onOff cfg.wakeOnLan.enable}' &> /dev/null ''} + + if [ -e /etc/hosts.before-nix-darwin ]; then + echo "restoring /etc/hosts..." >&2 + sudo mv /etc/hosts{.before-nix-darwin,} + fi ''; }; From 7386d8878ec409f672f64df24e4d00da04bfc8ce Mon Sep 17 00:00:00 2001 From: r17x Date: Mon, 17 Feb 2025 23:25:40 +0700 Subject: [PATCH 61/69] services/dnscrypt-proxy: init --- modules/misc/ids.nix | 2 + modules/module-list.nix | 1 + modules/services/dnscrypt-proxy.nix | 81 +++++++++++++++++++++++++++++ release.nix | 1 + tests/services-dnscrypt-proxy.nix | 23 ++++++++ 5 files changed, 108 insertions(+) create mode 100644 modules/services/dnscrypt-proxy.nix create mode 100644 tests/services-dnscrypt-proxy.nix diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 34b36859..ddab290a 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -39,11 +39,13 @@ in ids.uids = { nixbld = lib.mkDefault 350; _prometheus-node-exporter = 534; + _dnscrypt-proxy = 535; }; ids.gids = { nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350); _prometheus-node-exporter = 534; + _dnscrypt-proxy = 535; }; }; diff --git a/modules/module-list.nix b/modules/module-list.nix index 8b2215ba..d01bbdb9 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -62,6 +62,7 @@ ./services/chunkwm.nix ./services/cachix-agent.nix ./services/dnsmasq.nix + ./services/dnscrypt-proxy.nix ./services/emacs.nix ./services/eternal-terminal.nix ./services/github-runner diff --git a/modules/services/dnscrypt-proxy.nix b/modules/services/dnscrypt-proxy.nix new file mode 100644 index 00000000..9073ff2a --- /dev/null +++ b/modules/services/dnscrypt-proxy.nix @@ -0,0 +1,81 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + + cfg = config.services.dnscrypt-proxy; + + format = pkgs.formats.toml { }; + + configFile = format.generate "dnscrypt-proxy.toml" cfg.settings; + +in + +{ + options.services.dnscrypt-proxy = { + + enable = lib.mkEnableOption "the dnscrypt-proxy service."; + + package = lib.mkPackageOption pkgs "dnscrypt-proxy2" { }; + + settings = lib.mkOption { + description = '' + Attrset that is converted and passed as TOML config file. + For available params, see: + ''; + example = lib.literalExpression '' + { + sources.public-resolvers = { + urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; + cache_file = "public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + refresh_delay = 72; + }; + } + ''; + type = format.type; + default = { }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users._dnscrypt-proxy = { + uid = config.ids.uids._dnscrypt-proxy; + gid = config.ids.gids._dnscrypt-proxy; + home = "/var/lib/dnscrypt-proxy"; + createHome = true; + shell = "/usr/bin/false"; + description = "System user for dnscrypt-proxy"; + }; + + users.groups._dnscrypt-proxy = { + gid = config.ids.gids._dnscrypt-proxy; + description = "System group for dnscrypt-proxy"; + }; + + users.knownUsers = [ "_dnscrypt-proxy" ]; + users.knownGroups = [ "_dnscrypt-proxy" ]; + + launchd.daemons.dnscrypt-proxy = { + script = '' + ${lib.getExe' cfg.package "dnscrypt-proxy"} -config ${configFile} + ''; + serviceConfig = + let + logPath = config.users.users._dnscrypt-proxy.home + "/dnscrypt-proxy.log"; + in + { + RunAtLoad = true; + KeepAlive = true; + StandardOutPath = logPath; + StandardErrorPath = logPath; + GroupName = "_dnscrypt-proxy"; + UserName = "_dnscrypt-proxy"; + }; + }; + }; +} diff --git a/release.nix b/release.nix index 115025ee..eaf30044 100644 --- a/release.nix +++ b/release.nix @@ -103,6 +103,7 @@ in { tests.sockets-nix-daemon = makeTest ./tests/sockets-nix-daemon.nix; tests.services-aerospace = makeTest ./tests/services-aerospace.nix; tests.services-dnsmasq = makeTest ./tests/services-dnsmasq.nix; + tests.services-dnscrypt-proxy = makeTest ./tests/services-dnscrypt-proxy.nix; tests.services-eternal-terminal = makeTest ./tests/services-eternal-terminal.nix; tests.services-nix-gc = makeTest ./tests/services-nix-gc.nix; tests.services-nix-optimise = makeTest ./tests/services-nix-optimise.nix; diff --git a/tests/services-dnscrypt-proxy.nix b/tests/services-dnscrypt-proxy.nix new file mode 100644 index 00000000..15d59739 --- /dev/null +++ b/tests/services-dnscrypt-proxy.nix @@ -0,0 +1,23 @@ +{ + config, + pkgs, + ... +}: + +let + dnscrypt-proxy = pkgs.runCommand "dnscrypt-proxy-0.0.0" { } "mkdir $out"; +in +{ + services.dnscrypt-proxy.enable = true; + services.dnscrypt-proxy.package = dnscrypt-proxy; + + test = '' + + echo >&2 "checking dnscrypt-proxy service in /Library/LaunchDaemons" + grep -q "org.nixos.dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + grep -q "dnscrypt-proxy-start" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + + echo >&2 "checking dnscrypt-proxy system user in /Library/LaunchDaemons" + grep -q "_dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + ''; +} From fdc512d107d2777e9af89f4dc0191c8878b57aa5 Mon Sep 17 00:00:00 2001 From: Andrew Marshall Date: Mon, 3 Mar 2025 08:13:33 -0500 Subject: [PATCH 62/69] services/dnscrypt-proxy: Fix use of pkg alias `dnscrypt-proxy2` is just an alias for `dnscrypt-proxy`. Use that and avoid eval failures when Nixpkgs is configured with `allowAliases = false`. --- modules/services/dnscrypt-proxy.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/services/dnscrypt-proxy.nix b/modules/services/dnscrypt-proxy.nix index 9073ff2a..f0ba1d52 100644 --- a/modules/services/dnscrypt-proxy.nix +++ b/modules/services/dnscrypt-proxy.nix @@ -20,12 +20,12 @@ in enable = lib.mkEnableOption "the dnscrypt-proxy service."; - package = lib.mkPackageOption pkgs "dnscrypt-proxy2" { }; + package = lib.mkPackageOption pkgs "dnscrypt-proxy" { }; settings = lib.mkOption { description = '' Attrset that is converted and passed as TOML config file. - For available params, see: + For available params, see: ''; example = lib.literalExpression '' { From d06cf700ee589527fde4bd9b91f899e7137c05a6 Mon Sep 17 00:00:00 2001 From: Yifei Sun Date: Tue, 4 Mar 2025 12:09:11 -0500 Subject: [PATCH 63/69] homebrew: remove `--no-lock` flag https://github.com/Homebrew/homebrew-bundle/pull/1630 --- modules/homebrew.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/homebrew.nix b/modules/homebrew.nix index 6f8cfcb9..10764fbb 100644 --- a/modules/homebrew.nix +++ b/modules/homebrew.nix @@ -137,7 +137,7 @@ let config = { brewBundleCmd = concatStringsSep " " ( optional (!config.autoUpdate) "HOMEBREW_NO_AUTO_UPDATE=1" - ++ [ "brew bundle --file='${brewfileFile}' --no-lock" ] + ++ [ "brew bundle --file='${brewfileFile}'" ] ++ optional (!config.upgrade) "--no-upgrade" ++ optional (config.cleanup == "uninstall") "--cleanup" ++ optional (config.cleanup == "zap") "--cleanup --zap" From df599ea8f10e86985c1b09e3cd7a3a331dc702f3 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Wed, 5 Mar 2025 11:23:25 +0900 Subject: [PATCH 64/69] readme: update instructions as Determinate Nix is now the default --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a9900b1..20447dec 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ As the official Nix installer does not include an automated uninstaller, and man * The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. It can install one of two distributions of Nix: - * By default, it will install vanilla upstream [Nix](https://nixos.org/) with flakes enabled. + * To install the **recommended** vanilla upstream [Nix](https://nixos.org), you will need to explicitly say `no` when prompted to install `Determinate Nix`. * When run with the `--determinate` flag, it will install the [Determinate](https://docs.determinate.systems/) distribution. As Determinate manages the Nix installation itself, you will need to set `nix.enable = false;` in your configuration to disable nix-darwin’s own Nix management. From 9ddb2e6ca73a842006b4fe2607840494fd944e9e Mon Sep 17 00:00:00 2001 From: Luna Heyman Date: Thu, 27 Feb 2025 23:49:48 +0100 Subject: [PATCH 65/69] fix: use correct username for profile --- modules/users/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index 706abbfa..bbfd0d16 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -11,14 +11,14 @@ let group = import ./group.nix; user = import ./user.nix; - toGID = v: { "${toString v.gid}" = v.name; }; - toUID = v: { "${toString v.uid}" = v.name; }; + toGID = n: v: { "${toString v.gid}" = n; }; + toUID = n: v: { "${toString v.uid}" = n; }; isCreated = list: name: elem name list; isDeleted = attrs: name: ! elem name (mapAttrsToList (n: v: v.name) attrs); - gids = mapAttrsToList (n: toGID) (filterAttrs (n: v: isCreated cfg.knownGroups v.name) cfg.groups); - uids = mapAttrsToList (n: toUID) (filterAttrs (n: v: isCreated cfg.knownUsers v.name) cfg.users); + gids = mapAttrsToList toGID (filterAttrs (n: v: isCreated cfg.knownGroups v.name) cfg.groups); + uids = mapAttrsToList toUID (filterAttrs (n: v: isCreated cfg.knownUsers v.name) cfg.users); createdGroups = mapAttrsToList (n: v: cfg.groups."${v}") cfg.gids; createdUsers = mapAttrsToList (n: v: cfg.users."${v}") cfg.uids; @@ -112,14 +112,14 @@ in in !user.ignoreShellProgramCheck -> (s == shell || (shell == "bash" && s == "bash-interactive")) -> (config.programs.${shell}.enable == true); message = '' - users.users.${user.name}.shell is set to ${shell}, but + users.users.${name}.shell is set to ${shell}, but programs.${shell}.enable is not true. This will cause the ${shell} shell to lack the basic Nix directories in its PATH and might make logging in as that user impossible. You can fix it with: programs.${shell}.enable = true; If you know what you're doing and you are fine with the behavior, - set users.users.${user.name}.ignoreShellProgramCheck = true; + set users.users.${name}.ignoreShellProgramCheck = true; instead. ''; }) [ @@ -331,7 +331,7 @@ in environment.systemPackages = systemShells; environment.etc = mapAttrs' (name: { packages, ... }: { - name = "profiles/per-user/${name}"; + name = "profiles/per-user/${cfg.users.${name}.name}"; value.source = pkgs.buildEnv { name = "user-environment"; paths = packages; From feecfd97cd7239d6fd8aff3faeb2aa30b633413f Mon Sep 17 00:00:00 2001 From: Niklas Ravnsborg Date: Sun, 8 Sep 2024 02:11:29 +0200 Subject: [PATCH 66/69] update nextdns to use `command` instead of `serviceConfig.ProgramArguments` --- modules/services/nextdns/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/services/nextdns/default.nix b/modules/services/nextdns/default.nix index adc9823e..cc486085 100644 --- a/modules/services/nextdns/default.nix +++ b/modules/services/nextdns/default.nix @@ -30,8 +30,7 @@ in { launchd.daemons.nextdns = { path = [ nextdns ]; - serviceConfig.ProgramArguments = - [ "${pkgs.nextdns}/bin/nextdns" "run" ] ++ cfg.arguments; + command = concatStringsSep " " (["${pkgs.nextdns}/bin/nextdns run"] ++ cfg.arguments); serviceConfig.KeepAlive = true; serviceConfig.RunAtLoad = true; }; From 814b50389980a257f4e2fe675e909633ccf88d8f Mon Sep 17 00:00:00 2001 From: Zhaofeng Li Date: Sat, 8 Mar 2025 09:36:15 -0700 Subject: [PATCH 67/69] Fix merging of system.defaults.CustomUserPreferences --- modules/system/defaults/CustomPreferences.nix | 21 ++++++++++++--- .../system-defaults-write/activate-user.txt | 8 ++++++ tests/system-defaults-write.nix | 26 ++++++++++++++----- 3 files changed, 45 insertions(+), 10 deletions(-) diff --git a/modules/system/defaults/CustomPreferences.nix b/modules/system/defaults/CustomPreferences.nix index 1b4b99b1..c709ae47 100644 --- a/modules/system/defaults/CustomPreferences.nix +++ b/modules/system/defaults/CustomPreferences.nix @@ -2,10 +2,25 @@ with lib; -{ +let + valueType = with lib.types; nullOr (oneOf [ + bool + int + float + str + path + (attrsOf valueType) + (listOf valueType) + ]) // { + description = "plist value"; + }; + defaultsType = types.submodule { + freeformType = valueType; + }; +in { options = { system.defaults.CustomUserPreferences = mkOption { - type = types.attrs; + type = defaultsType; default = { }; example = { "NSGlobalDomain" = { "TISRomanSwitchState" = 1; }; @@ -20,7 +35,7 @@ with lib; }; system.defaults.CustomSystemPreferences = mkOption { - type = types.attrs; + type = defaultsType; default = { }; example = { "NSGlobalDomain" = { "TISRomanSwitchState" = 1; }; diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index 7162a414..d93321ef 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -543,6 +543,14 @@ defaults write NSGlobalDomain 'TISRomanSwitchState' $' 1 ' +defaults write com.apple.Safari 'NSUserKeyEquivalents' $' + + + + Quit Safari + @^q + +' defaults write com.apple.Safari 'com.apple.Safari.ContentPageGroupIdentifier.WebKit2DeveloperExtrasEnabled' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 19ce3c4f..35ff8532 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -1,6 +1,25 @@ { config, pkgs, lib, ... }: { + imports = [ + { + system.defaults.CustomUserPreferences = { + "NSGlobalDomain" = { "TISRomanSwitchState" = 1; }; + "com.apple.Safari" = { + "com.apple.Safari.ContentPageGroupIdentifier.WebKit2DeveloperExtrasEnabled" = + true; + }; + }; + } + { + system.defaults.CustomUserPreferences = { + "com.apple.Safari" = { + "NSUserKeyEquivalents"."Quit Safari" = "@^q"; # Option-Cmd-Q + }; + }; + } + ]; + system.defaults.NSGlobalDomain.AppleShowAllFiles = true; system.defaults.NSGlobalDomain.AppleEnableMouseSwipeNavigateWithScrolls = false; system.defaults.NSGlobalDomain.AppleEnableSwipeNavigateWithScrolls = false; @@ -109,13 +128,6 @@ system.defaults.WindowManager.EnableTiledWindowMargins = true; system.defaults.WindowManager.StandardHideWidgets = true; system.defaults.WindowManager.StageManagerHideWidgets = true; - system.defaults.CustomUserPreferences = { - "NSGlobalDomain" = { "TISRomanSwitchState" = 1; }; - "com.apple.Safari" = { - "com.apple.Safari.ContentPageGroupIdentifier.WebKit2DeveloperExtrasEnabled" = - true; - }; - }; system.defaults.controlcenter.BatteryShowPercentage = true; system.defaults.controlcenter.Sound = false; system.defaults.controlcenter.Bluetooth = true; From 9951b44d5bdebd062dab70701d7b21350cbbc6ab Mon Sep 17 00:00:00 2001 From: isabel Date: Sun, 2 Feb 2025 13:50:37 +0000 Subject: [PATCH 68/69] nix-darwin: system tools can be configured indvidually --- modules/nix/nix-darwin.nix | 47 ++++++++++++++++------------- pkgs/darwin-uninstaller/default.nix | 2 +- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index 9c78f3a6..677acbe5 100644 --- a/modules/nix/nix-darwin.nix +++ b/modules/nix/nix-darwin.nix @@ -9,39 +9,44 @@ let darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; - inherit (nix-tools) darwin-option darwin-rebuild darwin-version; + mkToolModule = { name, package ? nix-tools.${name} }: { config, ... }: { + options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // { + default = config.system.tools.enable; + }; + + config = lib.mkIf config.system.tools.${name}.enable { + environment.systemPackages = [ package ]; + }; + }; in { options.system = { - disableInstallerTools = lib.mkOption { - type = lib.types.bool; - internal = true; - default = false; - description = '' - Disable darwin-rebuild and darwin-option. This is useful to shrink - systems which are not expected to rebuild or reconfigure themselves. - Use at your own risk! - ''; - }; - - includeUninstaller = lib.mkOption { + tools.enable = lib.mkOption { type = lib.types.bool; internal = true; default = true; + description = '' + Disable internal tools, such as darwin-rebuild and darwin-option. This + is useful to shrink systems which are not expected to rebuild or + reconfigure themselves. Use at your own risk! + ''; }; }; - config = { - environment.systemPackages = - [ darwin-version ] - ++ lib.optionals (!config.system.disableInstallerTools) [ - darwin-option - darwin-rebuild - ] ++ lib.optional config.system.includeUninstaller darwin-uninstaller; + imports = [ + (lib.mkRenamedOptionModule [ "system" "includeUninstaller" ] [ "system" "tools" "darwin-uninstaller" "enable" ]) + (lib.mkRemovedOptionModule [ "system" "disableInstallerTools" ] "Please use system.tools.enable instead") + (mkToolModule { name = "darwin-option"; }) + (mkToolModule { name = "darwin-rebuild"; }) + (mkToolModule { name = "darwin-version"; }) + (mkToolModule { name = "darwin-uninstaller"; package = darwin-uninstaller; }) + ]; + + config = { system.build = { - inherit darwin-option darwin-rebuild darwin-version; + inherit (nix-tools) darwin-option darwin-rebuild darwin-version; }; }; } diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index 6b43bcfc..658991b1 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix @@ -8,7 +8,7 @@ let { nixpkgs.source = path; nixpkgs.hostPlatform = stdenv.hostPlatform.system; - system.includeUninstaller = false; + system.tools.darwin-uninstaller.enable = false; } ]; }; From 7b4a4951dcec276a8a18e456ae1918444f05c805 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sun, 16 Mar 2025 19:24:15 +0900 Subject: [PATCH 69/69] Back out "github-runner: replace `mkdir -p -m` with `umask`" This backs out commit 3b738c765de1bb4ecc4993fa092b27dd46d495ed. Setting a `umask` made the parent directory have too conservative of permissions making it so `_github-runner` couldn't access the child directories. --- modules/services/github-runner/service.nix | 25 ++++++++++------------ 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 3668a721..bea799c3 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -57,22 +57,19 @@ in text = mkBefore ('' echo >&2 "setting up GitHub Runner '${cfg.name}'..." - ( - umask -S u=rwx,g=rx,o= > /dev/null + # shellcheck disable=SC2174 + ${getExe' pkgs.coreutils "mkdir"} -p -m u=rwx,g=rx,o= ${escapeShellArg (mkStateDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} - ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkStateDir cfg)} - ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} + # shellcheck disable=SC2174 + ${getExe' pkgs.coreutils "mkdir"} -p -m u=rwx,g=rx,o= ${escapeShellArg (mkLogDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} - ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)} - # launchd will fail to start the service if the outer direction doesn't have sufficient permissions - ${getExe' pkgs.coreutils "chmod"} o+rx ${escapeShellArg (mkLogDir { name = ""; })} - ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} - - ${optionalString (cfg.workDir == null) '' - ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkWorkDir cfg)} - ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} - ''} - ) + ${optionalString (cfg.workDir == null) '' + # shellcheck disable=SC2174 + ${getExe' pkgs.coreutils "mkdir"} -p -m u=rwx,g=rx,o= ${escapeShellArg (mkWorkDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ''} ''); }; }));