From 25e0b6064eed7a4ffeca7bacbba9dcca6fa8cc86 Mon Sep 17 00:00:00 2001 From: Aiden Scandella Date: Mon, 25 Nov 2024 16:10:39 -0800 Subject: [PATCH 001/118] system: fix detection and ownership of /etc/synthetic.conf This file is owned by root and mode 600 on my system, so the grep is failing and it's adding a new entry every run. ```sh -rw------- 1 root wheel 664 Nov 25 15:52 /etc/synthetic.conf ``` --- modules/system/base.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/system/base.nix b/modules/system/base.nix index f20e2b64..2374855a 100644 --- a/modules/system/base.nix +++ b/modules/system/base.nix @@ -5,6 +5,16 @@ IFS="." read -r -a macOSVersion <<< "$(sw_vers -productVersion)" if [[ ''${macOSVersion[0]} -gt 10 || ( ''${macOSVersion[0]} -eq 10 && ''${macOSVersion[1]} -ge 15 ) ]]; then + if [[ $(stat -c '%a' /etc/synthetic.conf) != "644" ]]; then + echo "fixing permissions on /etc/synthetic.conf..." + sudo chmod 644 /etc/synthetic.conf + fi + + if [[ $(grep -c '^run\b' /etc/synthetic.conf) -gt 1 ]]; then + echo "found duplicate run entries in /etc/synthetic.conf, removing..." + sudo sed -i "" -e '/^run\tprivate\/var\/run$/d' /etc/synthetic.conf + fi + if ! grep -q '^run\b' /etc/synthetic.conf 2>/dev/null; then echo "setting up /run via /etc/synthetic.conf..." printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf >/dev/null From 70957ab0c6a37fe72d21e1a2c273189a05c3670c Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 28 Nov 2024 14:14:25 +1100 Subject: [PATCH 002/118] linux-builder: default `maxJobs` to amount of cores for Linux builder --- modules/nix/linux-builder.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index 2bcb62ea..ae39547f 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix 
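Review bot: `stat -c '%a'` is GNU stat syntax; macOS's BSD `/usr/bin/stat` spells it `stat -f '%Lp'`, so unless a coreutils stat precedes it on PATH the substitution is empty, the `!= "644"` test is always true, and the chmod runs on every activation. Relaxing the mode is also broader than the reported problem needs: the grep failed because the file is 0600 and this script appears to run unprivileged (it uses `sudo` for every write) while `2>/dev/null` hid the permission error, so reading with `sudo grep -q '^run\b' /etc/synthetic.conf` (and `sudo grep -c` in the duplicate check) would fix detection without changing the mode the system set on the file. Worth verifying too that macOS's sed expands `\t` inside the address regex; if it does not, the duplicate-removal line never matches the `run\tprivate/var/run` entries the printf writes, and the "removing" message repeats on every run.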
@@ -61,9 +61,16 @@ in maxJobs = mkOption { type = types.ints.positive; - default = 1; - example = 4; + default = cfg.package.nixosConfig.virtualisation.cores; + defaultText = '' + The `virtualisation.cores` of the build machine's final NixOS configuration. + ''; + example = 2; description = '' + Instead of setting this directly, you should set + {option}`nix.linux-builder.config.virtualisation.cores` to configure + the amount of cores the Linux builder should have. + The number of concurrent jobs the Linux builder machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build From 09e5dfb67ee27355d78d35a4f4ab747c230cb9b8 Mon Sep 17 00:00:00 2001 From: Beta-Computer <67995456+Beta-Computer@users.noreply.github.com> Date: Thu, 14 Nov 2024 10:44:14 +1300 Subject: [PATCH 003/118] defaults: add `EnableTiledWindowMargins` option Co-authored-by: Michael Hoang --- modules/system/defaults/WindowManager.nix | 7 +++++++ tests/fixtures/system-defaults-write/activate-user.txt | 5 +++++ tests/system-defaults-write.nix | 1 + 3 files changed, 13 insertions(+) diff --git a/modules/system/defaults/WindowManager.nix b/modules/system/defaults/WindowManager.nix index 38fbaa37..6a62ebce 100644 --- a/modules/system/defaults/WindowManager.nix +++ b/modules/system/defaults/WindowManager.nix @@ -56,6 +56,13 @@ with lib; Hide items in Stage Manager. ''; }; + system.defaults.WindowManager.EnableTiledWindowMargins = mkOption { + type = types.nullOr types.bool; + default = null; + description = '' + Enable Window Margins. The default is true. + ''; + }; system.defaults.WindowManager.StandardHideWidgets = mkOption { type = types.nullOr types.bool; diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index f6e9bbaa..5b883012 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt 
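Review bot: `defaultText` here is a plain string, which the option documentation renders as a literal Nix expression, so the prose sentence will appear as code; for descriptive text the module system expects something like `defaultText = lib.literalMD "The virtualisation.cores of the build machine's final NixOS configuration.";`. The new default also evaluates `cfg.package.nixosConfig.virtualisation.cores`, which only works when the package exposes `nixosConfig`; if `nix.linux-builder.package` can be set to an image without that attribute, the description should say what happens then. The rest of the description continues past this hunk.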
+++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -509,6 +509,11 @@ defaults write com.apple.WindowManager 'EnableStandardClickToShowDesktop' $' ' +defaults write com.apple.WindowManager 'EnableTiledWindowMargins' $' + + + +' defaults write com.apple.WindowManager 'GloballyEnabled' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 078cf82f..435d1383 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -94,6 +94,7 @@ system.defaults.WindowManager.AppWindowGroupingBehavior = true; system.defaults.WindowManager.StandardHideDesktopIcons = false; system.defaults.WindowManager.HideDesktop = false; + system.defaults.WindowManager.EnableTiledWindowMargins = true; system.defaults.WindowManager.StandardHideWidgets = true; system.defaults.WindowManager.StageManagerHideWidgets = true; system.defaults.CustomUserPreferences = { From 567bae1e17fdd10eccc9d5c6ec20e3d98d498de7 Mon Sep 17 00:00:00 2001 From: Austin Horstman Date: Thu, 21 Nov 2024 21:40:11 -0600 Subject: [PATCH 004/118] defaults: expose-group-by-app -> expose-group-apps Default was renamed in previous macOS release. --- modules/system/defaults-write.nix | 5 ++++- modules/system/defaults/dock.nix | 9 ++++++--- tests/fixtures/system-defaults-write/activate-user.txt | 7 ++++++- tests/system-defaults-write.nix | 1 + 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/modules/system/defaults-write.nix b/modules/system/defaults-write.nix index 87b179b8..22657219 100644 --- a/modules/system/defaults-write.nix +++ b/modules/system/defaults-write.nix 
@@ -9,6 +9,9 @@ let "defaults write ${domain} '${key}' $'${strings.escape [ "'" ] (generators.toPlist { } value)}'"; defaultsToList = domain: attrs: mapAttrsToList (writeDefault domain) (filterAttrs (n: v: v != null) attrs); + # Filter out options to not pass through + # dock has alias options that we need to ignore + dockFiltered = (builtins.removeAttrs cfg.dock ["expose-group-by-app"]); # defaults alf = defaultsToList "/Library/Preferences/com.apple.alf" cfg.alf; @@ -21,7 +24,7 @@ let LaunchServices = defaultsToList "com.apple.LaunchServices" cfg.LaunchServices; NSGlobalDomain = defaultsToList "-g" cfg.NSGlobalDomain; menuExtraClock = defaultsToList "com.apple.menuextra.clock" cfg.menuExtraClock; - dock = defaultsToList "com.apple.dock" cfg.dock; + dock = defaultsToList "com.apple.dock" dockFiltered; finder = defaultsToList "com.apple.finder" cfg.finder; hitoolbox = defaultsToList "com.apple.HIToolbox" cfg.hitoolbox; magicmouse = defaultsToList "com.apple.AppleMultitouchMouse" cfg.magicmouse; diff --git a/modules/system/defaults/dock.nix b/modules/system/defaults/dock.nix index 2d5c1619..bba0afb7 100644 --- a/modules/system/defaults/dock.nix +++ b/modules/system/defaults/dock.nix @@ -6,6 +6,10 @@ let # Should only be used with options that previously used floats defined as strings. inherit (config.lib.defaults.types) floatWithDeprecationError; in { + imports = [ + (mkRenamedOptionModule [ "system" "defaults" "dock" "expose-group-by-app" ] [ "system" "defaults" "dock" "expose-group-apps" ]) + ]; + options = { system.defaults.dock.appswitcher-all-displays = mkOption { @@ -67,11 +71,11 @@ in { ''; }; - system.defaults.dock.expose-group-by-app = mkOption { + system.defaults.dock.expose-group-apps = mkOption { type = types.nullOr types.bool; default = null; description = '' - Whether to group windows by application in Mission Control's Exposé. The default is true. + Whether to group windows by application in Mission Control's Exposé. The default is false. ''; }; 
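Review bot: The comment above `dockFiltered` reads awkwardly and does not say where the alias comes from, so a maintainer adding a second rename has to know to update this list as well. Suggest `# Alias options declared with mkRenamedOptionModule in dock.nix; drop them so only the real key is written to com.apple.dock` and keeping the names in one list, e.g. `dockAliases = [ "expose-group-by-app" ]; dockFiltered = builtins.removeAttrs cfg.dock dockAliases;`. The outer parentheses around `builtins.removeAttrs ...` are redundant.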
@@ -220,7 +224,6 @@ in { Magnified icon size on hover. The default is 16. ''; }; - system.defaults.dock.wvous-tl-corner = mkOption { type = types.nullOr types.ints.positive; diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index 5b883012..e09f689b 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -235,6 +235,11 @@ defaults write com.apple.dock 'autohide-delay' $' 0.240000 ' +defaults write com.apple.dock 'expose-group-apps' $' + + + +' defaults write com.apple.dock 'orientation' $' @@ -573,4 +578,4 @@ defaults write ~/Library/Preferences/ByHost/com.apple.controlcenter 'Sound' $' 24 -' \ No newline at end of file +' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 435d1383..fae08de3 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -46,6 +46,7 @@ system.defaults.menuExtraClock.Show24Hour = false; system.defaults.menuExtraClock.ShowDayOfWeek = true; system.defaults.menuExtraClock.ShowDate = 2; + system.defaults.dock.expose-group-apps = true; system.defaults.dock.appswitcher-all-displays = false; system.defaults.dock.autohide-delay = 0.24; system.defaults.dock.orientation = "left"; From 0f9576cedc9b23ec8b01302daae919bc6018c3ca Mon Sep 17 00:00:00 2001 From: Alex James Date: Tue, 3 Dec 2024 22:53:36 -0600 Subject: [PATCH 005/118] nix: fix Lix version detection in auto-optimise-store assertion --- modules/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 09e6e50d..41398fac 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -763,8 +763,8 @@ in { # Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100 - # As `isNixAtLeast "2.92.0" "2.92.0-devpre20241107" == false`, we need to explicitly check if the user is running Lix 2.92.0 - assertion = cfg.settings.auto-optimise-store -> (cfg.package.pname == "lix" && (isNixAtLeast "2.92.0-devpre20241107" || cfg.package.version == "2.92.0")); + # Lix 2.92.0 will set `VERSION_SUFFIX` to `""`; `lib.versionAtLeast "" "pre20241107"` will return `true`. + assertion = cfg.settings.auto-optimise-store -> (cfg.package.pname == "lix" && (isNixAtLeast "2.92.0" && versionAtLeast (strings.removePrefix "-" cfg.package.VERSION_SUFFIX) "pre20241107")); message = "`nix.settings.auto-optimise-store` is known to corrupt the Nix Store, please use `nix.optimise.automatic` instead."; } ]; From 9a5955601847c728ffb98e70b89a359390b24d28 Mon Sep 17 00:00:00 2001 From: z0al <12673605+z0al@users.noreply.github.com> Date: Wed, 4 Dec 2024 19:03:03 +0000 Subject: [PATCH 006/118] fix(aerospace): allow startup commands --- modules/services/aerospace/default.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/services/aerospace/default.nix b/modules/services/aerospace/default.nix index 50d47b3b..531e7b22 100644 --- a/modules/services/aerospace/default.nix +++ b/modules/services/aerospace/default.nix @@ -36,7 +36,8 @@ in after-startup-command = lib.mkOption { type = listOf str; default = [ ]; - description = "Do not use AeroSpace to run commands after startup. (Managed by launchd instead)"; + description = "Add commands that run after AeroSpace startup"; + example = [ "layout tiles" ]; }; enable-normalization-flatten-containers = lib.mkOption { type = bool; 
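Review bot: `cfg.package.VERSION_SUFFIX` is read as a plain attribute, so a Lix package that does not expose `VERSION_SUFFIX` as a derivation attribute makes the assertion itself fail to evaluate instead of producing the intended message; the `pname == "lix"` guard only protects non-Lix packages. Since the comment notes that an empty suffix already compares as at-least `pre20241107`, `versionAtLeast (strings.removePrefix "-" (cfg.package.VERSION_SUFFIX or "")) "pre20241107"` gives a release build the intended result and, for a 2.92.0-or-newer package missing the attribute, falls back to "allowed" rather than an evaluation error, with `isNixAtLeast "2.92.0"` still rejecting older Lix. Whether every Lix version this module supports sets that attribute is not visible here.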
@@ -142,10 +143,6 @@ in assertion = cfg.settings.after-login-command == [ ]; message = "AeroSpace will not run these commands as it does not start itself."; } - { - assertion = cfg.settings.after-startup-command == [ ]; - message = "AeroSpace will not run these commands as it does not start itself."; - } ]; environment.systemPackages = [ cfg.package ]; From 55d46b8997e16e52d8a05232f4444124e04ba686 Mon Sep 17 00:00:00 2001 From: z0al <12673605+z0al@users.noreply.github.com> Date: Wed, 4 Dec 2024 21:58:31 +0000 Subject: [PATCH 007/118] test(aerospace): assert config values --- tests/services-aerospace.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tests/services-aerospace.nix b/tests/services-aerospace.nix index 8cbd292f..28688c46 100644 --- a/tests/services-aerospace.nix +++ b/tests/services-aerospace.nix @@ -8,6 +8,7 @@ in services.aerospace.enable = true; services.aerospace.package = aerospace; services.aerospace.settings = { + after-startup-command = [ "layout tiles" ]; gaps = { outer.left = 8; outer.bottom = 8; @@ -31,6 +32,16 @@ in ${config.out}/user/Library/LaunchAgents/org.nixos.aerospace.plist` echo >&2 "checking config in $conf" - if [ `cat $conf | wc -l` -eq "27" ]; then echo "aerospace.toml config correctly contains 27 lines"; else return 1; fi + grep 'after-startup-command = \["layout tiles"\]' $conf + + grep 'bottom = 8' $conf + grep 'left = 8' $conf + grep 'right = 8' $conf + grep 'top = 8' $conf + + grep 'alt-h = "focus left"' $conf + grep 'alt-j = "focus down"' $conf + grep 'alt-k = "focus up"' $conf + grep 'alt-l = "focus right"' $conf ''; } From d8255f09da39e603e710149dc87a5f3eaa4ff049 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 12:53:16 +1100 Subject: [PATCH 008/118] github-runner: remove `with lib;` --- modules/services/github-runner/options.nix | 4 +++- modules/services/github-runner/service.nix | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) 
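Review bot: The replaced line failed the test explicitly with `return 1`; the new greps only fail it if the harness runs the script with `set -e` (or inspects the last exit status), which this hunk does not show, so a mismatch could go unnoticed if neither holds. If the runner is not strict, `grep '...' "$conf" || return 1` on each line (or one `set -e` at the top of `test`) keeps the previous behaviour, and `$conf` should be quoted in any case. The `["layout tiles"]` pattern also pins the TOML generator's array formatting, which is a reasonable but easily broken assumption worth a comment.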
diff --git a/modules/services/github-runner/options.nix b/modules/services/github-runner/options.nix index 8f98aa07..75084344 100644 --- a/modules/services/github-runner/options.nix +++ b/modules/services/github-runner/options.nix @@ -3,7 +3,9 @@ , ... }: -with lib; +let + inherit (lib) literalExpression mkOption mkPackageOption types; +in { options.services.github-runners = mkOption { description = '' diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 21d908e0..7360a343 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -1,6 +1,10 @@ { config, lib, pkgs, ... }: -with lib; + let + inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg + flatten flip getExe hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore + mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings; + mkSvcName = name: "github-runner-${name}"; mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}"; mkLogDir = cfg: "/var/log/github-runners/${cfg.name}"; From 06e1d770687a832a13aa23f37cdebeadc3af89b8 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 13:00:54 +1100 Subject: [PATCH 009/118] github-runner: use `lib.getExe{,'}` --- modules/services/github-runner/service.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 7360a343..2c2411db 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix 
@@ -2,7 +2,7 @@ let inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg - flatten flip getExe hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore + flatten flip getExe getExe' hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings; mkSvcName = name: "github-runner-${name}"; @@ -55,15 +55,15 @@ in ( umask -S u=rwx,g=rx,o= > /dev/null - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkStateDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkStateDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkLogDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} ${optionalString (cfg.workDir == null) '' - ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkWorkDir cfg)} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} + ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkWorkDir cfg)} + ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)} ''} ) ''); @@ -127,7 +127,7 @@ in else args+=(--token "$token") fi - ${package}/bin/config.sh "''${args[@]}" + ${getExe' package "config.sh"} "''${args[@]}" ''; }; in 
@@ -135,12 +135,12 @@ in echo "Configuring GitHub Actions Runner" # Always clean the working directory - ${pkgs.findutils}/bin/find ${escapeShellArg workDir} -mindepth 1 -delete + ${getExe pkgs.findutils} ${escapeShellArg workDir} -mindepth 1 -delete # Clean the $RUNNER_ROOT if we are in ephemeral mode if ${boolToString cfg.ephemeral}; then echo "Cleaning $RUNNER_ROOT" - ${pkgs.findutils}/bin/find "$RUNNER_ROOT" -mindepth 1 -delete + ${getExe pkgs.findutils} "$RUNNER_ROOT" -mindepth 1 -delete fi # If the `.runner` file does not exist, we assume the runner is not configured @@ -149,7 +149,7 @@ in fi # Start the service - ${package}/bin/Runner.Listener run --startuptype service + ${getExe' package "Runner.Listener"} run --startuptype service ''; serviceConfig = mkMerge [ From 22cde06f497b97cbab4186292f9fd82487bbfecc Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Sat, 7 Dec 2024 13:06:10 +1100 Subject: [PATCH 010/118] github-runner: fix service not starting --- modules/services/github-runner/service.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 2c2411db..029f863e 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -59,6 +59,8 @@ in ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkStateDir cfg)} ${getExe' pkgs.coreutils "mkdir"} -p ${escapeShellArg (mkLogDir cfg)} + # launchd will fail to start the service if the outer direction doesn't have sufficient permissions + ${getExe' pkgs.coreutils "chmod"} o+rx ${escapeShellArg (mkLogDir { name = ""; })} ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkLogDir cfg)} ${optionalString (cfg.workDir == null) '' From 8752b6ae3c0d6b44ca4ef28e50503f8efcec0096 Mon Sep 17 00:00:00 2001 
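Review bot: `getExe pkgs.findutils` resolves the binary through the package's `meta.mainProgram`, an attribute of findutils that this module does not control, whereas every other call in this commit names the binary explicitly with `getExe'`. For consistency and to avoid a surprise if `mainProgram` ever changes, `${getExe' pkgs.findutils "find"}` on both find lines is the safer spelling. The enclosing script string starts before and ends after this hunk.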
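Review bot: The new chmod grants `o+rx` on the shared parent `/var/log/github-runners/`; if launchd only needs to open the per-runner log path, `o+x` alone gives traversal without letting other local users list runner names and is the least-privilege choice — worth confirming against what actually failed. The comment also has a typo: `# launchd will fail to start the service if the outer directory doesn't have sufficient permissions`. Building the parent path as `mkLogDir { name = ""; }` yields a trailing slash and reads as a trick; a named constant such as `logRoot = "/var/log/github-runners";` beside `mkLogDir` would be clearer.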
From: Michael Hoang Date: Sat, 7 Dec 2024 13:08:04 +1100 Subject: [PATCH 011/118] github-runner: add instructions for triggering a runner registration --- modules/services/github-runner/options.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/services/github-runner/options.nix b/modules/services/github-runner/options.nix index 75084344..5152cc43 100644 --- a/modules/services/github-runner/options.nix +++ b/modules/services/github-runner/options.nix @@ -90,6 +90,9 @@ in Changing this option or the `tokenFile`’s content triggers a new runner registration. + You can also manually trigger a new runner registration by deleting + {file}`/var/lib/github-runners//.runner` and restarting the service. + We suggest using the fine-grained PATs. A runner registration token is valid only for 1 hour after creation, so the next time the runner configuration changes this will give you hard-to-debug HTTP 404 errors in the configure step. From 2c86af2e996ac6abbf9e1711f36c28d33b328df6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 12 Aug 2024 10:26:41 +0200 Subject: [PATCH 012/118] programs.ssh: add extraConfig option Same interface as in NixOS. This is useful to apply configuration for remote builders. --- modules/programs/ssh/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index 51c7796d..1e87732a 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -114,6 +114,15 @@ in type = with types; attrsOf (submodule userOptions); }; + programs.ssh.extraConfig = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Extra configuration text loaded in {file}`ssh_config`. + See {manpage}`ssh_config(5)` for help. + ''; + }; + programs.ssh.knownHosts = mkOption { default = {}; type = types.attrsOf (types.submodule host); 
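Review bot: As shown in this hunk the path reads `/var/lib/github-runners//.runner`, with an empty segment where the runner name belongs; if a `<name>` placeholder was intended (or lost to angle-bracket markup), a placeholder that survives rendering, such as `«name»`, or the words "the runner's state directory" keeps the instruction usable. This is documentation only, so no code change is proposed.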
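Review bot: The new option uses `lib.mkOption` and `lib.types.lines` while the neighbouring options in this file use bare `mkOption`/`types` (the `knownHosts` option directly below), so the hunk mixes two styles; `programs.ssh.extraConfig = mkOption { type = types.lines; default = ""; ... }` matches the file. The description could also say where the text lands, since that affects precedence: that it is written to /etc/ssh/ssh_config.d/100-nix-darwin.conf, which ssh reads ahead of the body of the main ssh_config, and that ssh_config uses the first value found for each keyword. That assumes the system ssh_config includes the ssh_config.d directory, which is not visible here.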
@@ -151,6 +160,7 @@ in + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) )) + "\n"; }; + "ssh/ssh_config.d/100-nix-darwin.conf".text = config.programs.ssh.extraConfig; "ssh/sshd_config.d/101-authorized-keys.conf" = { text = '' # sshd doesn't like reading from symbolic links, so we cat From 016b1608eec6c54cfaece96b63ec9d1a6cd4672b Mon Sep 17 00:00:00 2001 From: gnammix <71704832+gnammix@users.noreply.github.com> Date: Fri, 27 Dec 2024 21:36:31 +0100 Subject: [PATCH 013/118] power: restartAfterPowerFailure option is carried out in activation script only if supported Minor documentation change --- modules/power/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/power/default.nix b/modules/power/default.nix index a99905ff..e36a027d 100644 --- a/modules/power/default.nix +++ b/modules/power/default.nix @@ -15,6 +15,8 @@ in default = null; description = '' Whether to restart the computer after a power failure. + + Option is not supported on all devices. ''; }; @@ -33,8 +35,10 @@ in echo "configuring power..." >&2 ${lib.optionalString (cfg.restartAfterPowerFailure != null) '' - systemsetup -setRestartPowerFailure \ - '${onOff cfg.restartAfterPowerFailure}' &> /dev/null + if ! systemsetup -getRestartPowerFailure | grep -q "Not supported"; then + systemsetup -setRestartPowerFailure \ + '${onOff cfg.restartAfterPowerFailure}' &> /dev/null + fi ''} ${lib.optionalString (cfg.restartAfterFreeze != null) '' From 2165857a24668cc3cb09c052eb0d518a1dfa6d3f Mon Sep 17 00:00:00 2001 From: "Adam C. Stephens" Date: Wed, 18 Dec 2024 09:44:07 -0500 Subject: [PATCH 014/118] fish: add package option --- modules/programs/fish.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/programs/fish.nix b/modules/programs/fish.nix index 4b76e02e..65797ccd 100644 --- a/modules/programs/fish.nix +++ b/modules/programs/fish.nix 
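Review bot: The drop-in is written unconditionally, so every system gets an empty `/etc/ssh/ssh_config.d/100-nix-darwin.conf` even when `extraConfig` keeps its `""` default; `"ssh/ssh_config.d/100-nix-darwin.conf" = lib.mkIf (config.programs.ssh.extraConfig != "") { text = config.programs.ssh.extraConfig; };` only creates it when there is content. This also relies on the system `ssh_config` including `ssh_config.d/*`, which the hunk does not show; the sibling `sshd_config.d` entry suggests the file already makes that assumption for sshd. The enclosing `environment.etc` attrset continues past this hunk.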
@@ -57,6 +57,8 @@ in type = types.bool; }; + package = lib.mkPackageOption pkgs "fish" { }; + useBabelfish = mkOption { type = types.bool; default = false; @@ -238,7 +240,7 @@ in ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d"; } - { systemPackages = [ pkgs.fish ]; } + { systemPackages = [ cfg.package ]; } ]; }; From daf9d9fe5d5a7a5ef25aa446582f8c656aab2b9b Mon Sep 17 00:00:00 2001 From: Xingquan Liu Date: Tue, 17 Dec 2024 23:03:57 +0800 Subject: [PATCH 015/118] fix(zsh): correct the path of zsh-fast-syntax-highlighting --- modules/programs/zsh/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/programs/zsh/default.nix b/modules/programs/zsh/default.nix index c6ec9175..65689bad 100644 --- a/modules/programs/zsh/default.nix +++ b/modules/programs/zsh/default.nix @@ -204,7 +204,7 @@ in } ${optionalString cfg.enableFastSyntaxHighlighting - "source ${pkgs.zsh-fast-syntax-highlighting}/share/zsh-fast-syntax-highlighting/zsh-fast-syntax-highlighting.zsh" + "source ${pkgs.zsh-fast-syntax-highlighting}/share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh" } ${optionalString cfg.enableFzfCompletion "source ${fzfCompletion}"} From 25fb52710582c19ad811d1ac9a2fe9d8920c0a66 Mon Sep 17 00:00:00 2001 From: Filip Kania Date: Sat, 28 Dec 2024 23:30:47 +0100 Subject: [PATCH 016/118] feat: add screencapture.target option --- modules/system/defaults/screencapture.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/modules/system/defaults/screencapture.nix b/modules/system/defaults/screencapture.nix index 80dcaabb..795cd034 100644 --- a/modules/system/defaults/screencapture.nix +++ b/modules/system/defaults/screencapture.nix 
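Review bot: Only the `systemPackages` reference is switched to `cfg.package`; if this file refers to `pkgs.fish` anywhere outside the hunk (for instance when registering the shell or in the babelfish wrapper), a user-supplied package would be installed but not be the one those paths point at, so every remaining `pkgs.fish` should become `cfg.package` in the same change. Whether such references exist is not visible here. The option is declared with `lib.mkPackageOption` while the surrounding options use bare `mkOption`, so `package = mkPackageOption pkgs "fish" { };` would match the file's style if `lib` is already opened.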
@@ -48,5 +48,20 @@ with lib; Show thumbnail after screencapture before writing to file. The default is true. ''; }; + + system.defaults.screencapture.target = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Target to which screencapture should save screenshot to. The default is "file". + Valid values include: + + * `file`: Saves as a file in location specified by `system.defaults.screencapture.location` + * `clipboard`: Saves screenshot to clipboard + * `preview`: Opens screenshot in Preview app + * `mail` + * `messages` + ''; + }; }; } From 19bc0d6cbeacb20c5ca865d06c274152c42ffd22 Mon Sep 17 00:00:00 2001 From: Filip Kania Date: Sun, 29 Dec 2024 00:14:48 +0100 Subject: [PATCH 017/118] tests: add screencapture.target test case --- tests/fixtures/system-defaults-write/activate-user.txt | 5 +++++ tests/system-defaults-write.nix | 1 + 2 files changed, 6 insertions(+) diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index e09f689b..3656a47b 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -426,6 +426,11 @@ defaults write com.apple.screencapture 'location' $' /tmp ' +defaults write com.apple.screencapture 'target' $' + + +file +' defaults write com.apple.screensaver 'askForPassword' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index fae08de3..1a29aa2d 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -74,6 +74,7 @@ system.defaults.finder.ShowRemovableMediaOnDesktop = false; system.defaults.hitoolbox.AppleFnUsageType = "Show Emoji & Symbols"; system.defaults.screencapture.location = "/tmp"; + system.defaults.screencapture.target = "file"; system.defaults.screencapture.include-date = true; system.defaults.screensaver.askForPassword = true; system.defaults.screensaver.askForPasswordDelay = 5; 
From b8e184ebf271367cf1c93d942e71ae51d2a248cb Mon Sep 17 00:00:00 2001 From: Filip Kania Date: Sun, 29 Dec 2024 10:58:47 +0100 Subject: [PATCH 018/118] refactor: use enum as option type --- modules/system/defaults/screencapture.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/defaults/screencapture.nix b/modules/system/defaults/screencapture.nix index 795cd034..351ca5f2 100644 --- a/modules/system/defaults/screencapture.nix +++ b/modules/system/defaults/screencapture.nix @@ -50,7 +50,7 @@ with lib; }; system.defaults.screencapture.target = mkOption { - type = types.nullOr types.str; + type = types.nullOr (types.enum [ "file" "clipboard" "preview" "mail" "messages" ]); default = null; description = '' Target to which screencapture should save screenshot to. The default is "file". From 62d8f5f289341497ea0fa21814e734cbea69a0a1 Mon Sep 17 00:00:00 2001 From: gnammix <71704832+gnammix@users.noreply.github.com> Date: Sun, 29 Dec 2024 12:13:54 +0100 Subject: [PATCH 019/118] power: move the check for restartPowerfailure support to checks.nix --- modules/power/default.nix | 6 ++---- modules/system/checks.nix | 10 ++++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/power/default.nix b/modules/power/default.nix index e36a027d..c3e4974d 100644 --- a/modules/power/default.nix +++ b/modules/power/default.nix @@ -35,10 +35,8 @@ in echo "configuring power..." >&2 ${lib.optionalString (cfg.restartAfterPowerFailure != null) '' - if ! systemsetup -getRestartPowerFailure | grep -q "Not supported"; then - systemsetup -setRestartPowerFailure \ - '${onOff cfg.restartAfterPowerFailure}' &> /dev/null - fi + systemsetup -setRestartPowerFailure \ + '${onOff cfg.restartAfterPowerFailure}' &> /dev/null ''} ${lib.optionalString (cfg.restartAfterFreeze != null) '' diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 796e7e4e..e6ee1b3f 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -308,6 +308,15 @@ let exit 2 fi ''; + + # some mac devices, notably notebook do not support restartAfterPowerFailure option + restartAfterPowerFailureIsSupported = '' + if sudo /usr/sbin/systemsetup -getRestartPowerFailure | grep -q "Not supported"; then + echo "error: Your system do not support the restartAfterPowerFailure feature" >&2 + echo "Please ensure that power.restartAfterPowerFailure is not set." >&2 + exit 2 + fi + ''; in { @@ -357,6 +366,7 @@ in (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory (mkIf config.homebrew.enable homebrewInstalled) + (mkIf (config.power.restartAfterPowerFailure != null) restartAfterPowerFailureIsSupported) ]; system.activationScripts.checks.text = '' From aefd56bb562b26ae799e261b1ead27682bf0d8ff Mon Sep 17 00:00:00 2001 
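Review bot: The check's result is the exit status of `grep`, so if `sudo systemsetup` itself fails (non-interactive sudo, or a changed output format) the pipeline produces no match and the check silently passes. Capturing the output first, `out=$(sudo /usr/sbin/systemsetup -getRestartPowerFailure 2>&1) || { echo "error: could not query restartAfterPowerFailure support: $out" >&2; exit 2; }`, and then grepping `$out` distinguishes "unsupported" from "could not ask". The messages also need small grammar fixes: `# some Mac devices, notably notebooks, do not support the restartAfterPowerFailure option` and `echo "error: Your system does not support the restartAfterPowerFailure feature" >&2`.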
From: thuvasooriya Date: Mon, 2 Dec 2024 07:06:09 +0530 Subject: [PATCH 020/118] aerospace: add workspace-to-monitor-force-assignment option and fix on-window-detected type #1208 trying to fix #1142 testing requested changes adding workspace to monitor force assignment remove formatting tests pass proper tests undo formatting tests for on-window-detected and workspace-to-monitor-force-assignment testing submodules cleanup n if fiz checking final toml null field aerospace callback issue custom null filter for submodule list check for no presense of window-regex and if.workspace config check aerospace: add workspace-to-monitor-force-assignment option and fix on-window-detected type #1208 trying to fix #1142 testing requested changes adding workspace to monitor force assignment remove formatting tests pass proper tests undo formatting tests for on-window-detected and workspace-to-monitor-force-assignment testing submodules cleanup n if fiz checking final toml null field aerospace callback issue custom null filter for submodule list check for no presense of window-regex and if.workspace config check error formatting mishap space left small fix formatting mishaps --- modules/services/aerospace/default.nix | 105 ++++++++++++++++++++++++- tests/services-aerospace.nix | 45 +++++++++++ 2 files changed, 147 insertions(+), 3 deletions(-) diff --git a/modules/services/aerospace/default.nix b/modules/services/aerospace/default.nix index 531e7b22..3080579d 100644 --- a/modules/services/aerospace/default.nix +++ b/modules/services/aerospace/default.nix 
@@ -9,7 +9,31 @@ let cfg = config.services.aerospace; format = pkgs.formats.toml { }; - configFile = format.generate "aerospace.toml" cfg.settings; + filterAttrsRecursive = pred: set: + lib.listToAttrs ( + lib.concatMap ( + name: let + v = set.${name}; + in + if pred v + then [ + (lib.nameValuePair name ( + if lib.isAttrs v + then filterAttrsRecursive pred v + else if lib.isList v + then + (map (i: + if lib.isAttrs i + then filterAttrsRecursive pred i + else i) (lib.filter pred v)) + else v + )) + ] + else [] + ) (lib.attrNames set) + ); + filterNulls = filterAttrsRecursive (v: v != null); + configFile = format.generate "aerospace.toml" (filterNulls cfg.settings); in { 
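Review bot: The local `filterAttrsRecursive` shares its name with `lib.filterAttrsRecursive`, which already exists but does not descend into lists, so a reader will assume the two are the same until they compare the bodies; naming it for what it adds (or folding it into `filterNulls`) and stating the reason avoids that. Suggested comment above it: `# Like lib.filterAttrsRecursive, but also recurses into attrsets inside lists and drops list elements failing pred; needed so null submodule fields are not emitted into aerospace.toml`. Note the list branch also drops scalar list elements that fail `pred`, which is fine for the null filter but makes the helper less general than its name suggests.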
@@ -72,9 +96,84 @@ in description = "Default orientation for the root container."; }; on-window-detected = lib.mkOption { - type = listOf str; + type = listOf (submodule { + options = { + "if" = lib.mkOption { + type = submodule { + options = { + app-id = lib.mkOption { + type = nullOr str; + default = null; + description = "The application ID to match (optional)."; + }; + workspace = lib.mkOption { + type = nullOr str; + default = null; + description = "The workspace name to match (optional)."; + }; + window-title-regex-substring = lib.mkOption { + type = nullOr str; + default = null; + description = "Substring to match in the window title (optional)."; + }; + app-name-regex-substring = lib.mkOption { + type = nullOr str; + default = null; + description = "Regex substring to match the app name (optional)."; + }; + during-aerospace-startup = lib.mkOption { + type = nullOr bool; + default = null; + description = "Whether to match during aerospace startup (optional)."; + }; + }; + }; + default = { }; + description = "Conditions for detecting a window."; + }; + check-further-callbacks = lib.mkOption { + type = nullOr bool; + default = null; + description = "Whether to check further callbacks after this rule (optional)."; + }; + run = lib.mkOption { + type = oneOf [str (listOf str)]; + example = ["move-node-to-workspace m" "resize-node"]; + description = "Commands to execute when the conditions match (required)."; + }; + }; + }); default = [ ]; - description = "Commands to run every time a new window is detected."; + example = [ + { + "if" = { + app-id = "Another.Cool.App"; + workspace = "cool-workspace"; + window-title-regex-substring = "Title"; + app-name-regex-substring = "CoolApp"; + during-aerospace-startup = false; + }; + check-further-callbacks = false; + run = ["move-node-to-workspace m" "resize-node"]; + } + ]; + description = "Commands to run every time a new window is detected with optional conditions."; + }; + workspace-to-monitor-force-assignment = 
lib.mkOption { + type = attrsOf (oneOf [int str (listOf str)]); + default = { }; + description = '' + Map workspaces to specific monitors. + Left-hand side is the workspace name, and right-hand side is the monitor pattern. + ''; + example = { + "1" = 1; # First monitor from left to right. + "2" = "main"; # Main monitor. + "3" = "secondary"; # Secondary monitor (non-main). + "4" = "built-in"; # Built-in display. + "5" = "^built-in retina display$"; # Regex for the built-in retina display. + "6" = ["secondary" "dell"]; # Match first pattern in the list. + }; }; on-focus-changed = lib.mkOption { type = listOf str; diff --git a/tests/services-aerospace.nix b/tests/services-aerospace.nix index 28688c46..088c92d9 100644 --- a/tests/services-aerospace.nix +++ b/tests/services-aerospace.nix @@ -21,6 +21,32 @@ in alt-k = "focus up"; alt-l = "focus right"; }; + on-window-detected = [ + { + "if" = { + app-id = "Another.Cool.App"; + during-aerospace-startup = false; + }; + check-further-callbacks = false; + run = "move-node-to-workspace m"; + } + { + "if".app-name-regex-substring = "finder|calendar"; + run = "layout floating"; + } + { + "if".workspace = "1"; + run = "layout h_accordion"; + } + ]; + workspace-to-monitor-force-assignment = { + "1" = 1; + "2" = "main"; + "3" = "secondary"; + "4" = "built-in"; + "5" = "^built-in retina display$"; + "6" = [ "secondary" "dell" ]; + }; }; test = '' 
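Review bot: The `if` submodule defaults to `{ }` and each of its fields defaults to `null`, so an entry that sets only `run` still yields an `if` attrset whose fields are all null; the null filter in the `let` block strips the fields but keeps the now-empty attrset, so the generated TOML carries an empty `if` table for such an entry. Whether AeroSpace treats an empty `if` like an absent one is not visible here; if it does not, either drop attrsets that become empty in the filter or make `if` itself `nullOr` with `default = null`. The description should state the filtering behaviour the user relies on, e.g. `description = "Conditions for detecting a window; fields left at null are omitted from the generated config.";`. Everything after `on-focus-changed` in this option block continues outside the hunk.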
@@ -43,5 +69,24 @@ in grep 'alt-j = "focus down"' $conf grep 'alt-k = "focus up"' $conf grep 'alt-l = "focus right"' $conf + + grep 'check-further-callbacks = false' $conf + grep 'run = "move-node-to-workspace m"' $conf + grep 'app-id = "Another.Cool.App"' $conf + grep 'during-aerospace-startup = false' $conf + + grep 'run = "layout floating"' $conf + grep 'app-name-regex-substring = "finder|calendar"' $conf + (! grep 'window-title-regex-substring' $conf) + + grep 'workspace = "1"' $conf + grep 'run = "layout h_accordion"' $conf + + grep '1 = 1' $conf + grep '2 = "main"' $conf + grep '3 = "secondary"' $conf + grep '4 = "built-in"' $conf + grep '5 = "^built-in retina display$"' $conf + grep '6 = \["secondary", "dell"\]' $conf ''; } From 492a72007ae2e7bd5895458fcd72ac2c8c9a0dc4 Mon Sep 17 00:00:00 2001 From: gnammix <71704832+gnammix@users.noreply.github.com> Date: Tue, 31 Dec 2024 14:38:42 +0100 Subject: [PATCH 021/118] power: echo to print in error messages Co-authored-by: Michael Hoang --- modules/system/checks.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index e6ee1b3f..91622e51 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -312,8 +312,8 @@ let # some mac devices, notably notebook do not support restartAfterPowerFailure option restartAfterPowerFailureIsSupported = '' if sudo /usr/sbin/systemsetup -getRestartPowerFailure | grep -q "Not supported"; then - echo "error: Your system do not support the restartAfterPowerFailure feature" >&2 - echo "Please ensure that power.restartAfterPowerFailure is not set." >&2 + printf >&2 "�[1;31merror: restarting after power failure is not supported on your machine�[0m\n" >&2 + printf >&2 "Please ensure that `power.restartAfterPowerFailure` is not set.\n" >&2 exit 2 fi ''; From 0680f9e9e1a2861e1513a4ffe5b483130ce736c7 Mon Sep 17 00:00:00 2001 
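Review bot: Both new `printf` lines redirect to stderr twice (`printf >&2 "..." >&2`); one `>&2` is sufficient, and the doubled redirection is carried unchanged into the follow-up hunk to `modules/system/checks.nix` in PATCH 023. Passing the message as the format string is fine here since it contains no `%`, but keeping it in single quotes, `printf >&2 'Please ensure that power.restartAfterPowerFailure is not set.\n'`, removes any need to escape backticks or other shell-active characters inside it.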
From: Sam <30577766+Samasaur1@users.noreply.github.com> Date: Tue, 31 Dec 2024 22:29:20 +0000 Subject: [PATCH 022/118] ci, readme: update stable nixpkgs to 24.11 --- .github/workflows/test.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 25211d30..94fec9da 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,7 +6,7 @@ on: - master env: - CURRENT_STABLE_CHANNEL: nixpkgs-24.05-darwin + CURRENT_STABLE_CHANNEL: nixpkgs-24.11-darwin jobs: test-stable: diff --git a/README.md b/README.md index d5373273..ba9fa779 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ Add the following to `flake.nix` in the same folder as `configuration.nix`: description = "John's darwin system"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-24.11-darwin"; nix-darwin.url = "github:LnL7/nix-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; }; From 89be82cb2b19b6371a786af6eb9effc79babb70f Mon Sep 17 00:00:00 2001 From: gnammix <71704832+gnammix@users.noreply.github.com> Date: Sat, 4 Jan 2025 14:35:53 +0100 Subject: [PATCH 023/118] power: quote in string triggered shellcheck SC2016 --- modules/system/checks.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 91622e51..57ddfd27 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -312,8 +312,8 @@ let # some mac devices, notably notebook do not support restartAfterPowerFailure option restartAfterPowerFailureIsSupported = '' if sudo /usr/sbin/systemsetup -getRestartPowerFailure | grep -q "Not supported"; then - printf >&2 "�[1;31merror: restarting after power failure is not supported on your machine�[0m\n" >&2 - printf >&2 "Please ensure that `power.restartAfterPowerFailure` is not set.\n" >&2 + printf >&2 "\e[1;31merror: restarting after power failure is not supported on your machine\e[0m\n" >&2 + printf >&2 "Please ensure that \`power.restartAfterPowerFailure\` is not set.\n" >&2 exit 2 fi ''; From 6ee6262d2468cf053f39cb53ea6272af337f2cf7 Mon Sep 17 00:00:00 2001 From: Jalal El Mansouri Date: Sun, 5 Jan 2025 10:29:12 -0300 Subject: [PATCH 024/118] Add --ignore-dependencies option for casks Some casks have extrenal dependencies managed by brew, neovide for examples declares neovim as a dependency, a problem arises when you want to use a nix managed neovim instead --- modules/homebrew.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/homebrew.nix b/modules/homebrew.nix index 7aee9e13..d9751709 100644 --- a/modules/homebrew.nix +++ b/modules/homebrew.nix @@ -396,6 +396,9 @@ let no_binaries = mkNullOrBoolOption { description = "Whether to disable linking of helper executables."; }; + ignore_dependencies = mkNullOrBoolOption { + description = "Ignore casks dependencies in case you manage them extrenally"; + }; brewfileLine = mkInternalOption { type = types.nullOr types.str; }; }; From 9e856ad0c1a677d1585e53a634c4abe487601c51 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Wed, 8 Jan 2025 14:26:32 +1100 Subject: [PATCH 025/118] nix: merge `nix.settings.trusted-users` by default Backport of https://github.com/NixOS/nixpkgs/pull/318635 --- modules/nix/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 41398fac..6e4292a3 100644 
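Review bot: The description of `ignore_dependencies` has a typo (`extrenally`) and does not say what the flag actually does; the sibling `mkNullOrBoolOption` in this block is phrased as "Whether to …", so a matching wording would be `description = "Whether to skip installing the cask's dependencies, e.g. when they are managed outside of Homebrew.";`. Only the option declaration is in this hunk; if the cask `brewfileLine` is assembled from an explicit list of option names rather than from the whole attribute set, that code needs the new option too, which is not visible here.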
--- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -617,7 +617,6 @@ in trusted-users = mkOption { type = types.listOf types.str; - default = [ "root" ]; example = [ "root" "alice" "@admin" ]; description = '' A list of names of users that have additional rights when @@ -835,10 +834,10 @@ in done ''; - # Legacy configuration conversion. nix.settings = mkMerge [ { trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + trusted-users = [ "root" ]; substituters = mkAfter [ "https://cache.nixos.org/" ]; # Not implemented yet From 0ef91bc148dc1873cdc21d8efbe3c65f91db311a Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 8 Jan 2025 19:10:22 +0000 Subject: [PATCH 026/118] flake: pin Nixpkgs explicitly --- flake.lock | 12 +++++++----- flake.nix | 4 ++++ 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 3ce8eac6..0f05e93e 100644 --- a/flake.lock +++ b/flake.lock @@ -2,16 +2,18 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1718149104, - "narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", + "lastModified": 1736241350, + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16", + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "root": { diff --git a/flake.nix b/flake.nix index 2c1ae1b2..92569fa9 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,10 @@ { description = "A collection of darwin modules"; + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + }; + outputs = { self, nixpkgs }: let forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-darwin" "aarch64-linux" "x86_64-linux" ]; forDarwinSystems = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-darwin" ]; 
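Review bot: With `default = [ "root" ]` removed from the option and `trusted-users = [ "root" ]` contributed through `nix.settings` in the `mkMerge`, a user-set `nix.settings.trusted-users` is now merged with `root` instead of replacing it, and only `lib.mkForce` yields a list without it; since `trusted-users` is the daemon's privilege boundary, the option's `description` (which starts in the first hunk and continues outside it) should say so explicitly. Suggested addition to that description: `Note that root is always included by default; use lib.mkForce to override the whole list.`. The removed `# Legacy configuration conversion.` comment is not replaced, so the `mkMerge` block that now carries the default has no explanation of its purpose; a one-line comment naming it as the built-in defaults for `nix.conf` settings would help.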
From be4c1b897accbdfc3429e99b5bd5234c5663776e Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Fri, 15 Nov 2024 13:50:58 +1100 Subject: [PATCH 027/118] openssh: init module --- modules/module-list.nix | 1 + modules/services/openssh.nix | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 modules/services/openssh.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index aa190c7d..8b2215ba 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -82,6 +82,7 @@ ./services/nix-gc ./services/nix-optimise ./services/ofborg + ./services/openssh.nix ./services/postgresql ./services/privoxy ./services/redis diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix new file mode 100644 index 00000000..859f79d8 --- /dev/null +++ b/modules/services/openssh.nix @@ -0,0 +1,33 @@ +{ config, lib, ... }: + +let + cfg = config.services.openssh; +in +{ + options = { + services.openssh.enable = lib.mkOption { + type = lib.types.nullOr lib.types.bool; + default = null; + description = '' + Whether to enable Apple's built-in OpenSSH server. + + The default is null which means let macOS manage the OpenSSH server. + ''; + }; + }; + + config = { + # We don't use `systemsetup -setremotelogin` as it requires Full Disk Access + system.activationScripts.launchd.text = lib.mkIf (cfg.enable != null) (if cfg.enable then '' + if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "Off" ]]; then + launchctl enable system/com.openssh.sshd + launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist + fi + '' else '' + if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "On" ]]; then + launchctl bootout system/com.openssh.sshd + launchctl disable system/com.openssh.sshd + fi + ''); + }; +} From 8a3ea966bcb14655b231308e9d52195715c71692 Mon Sep 17 00:00:00 2001 
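Review bot: The activation script acts only when the `sed`-stripped output of `systemsetup -getremotelogin` is exactly `On` or `Off`; if `systemsetup` fails, prints a permission or usage message, or changes its wording, both branches are skipped and `services.openssh.enable` is silently never reconciled. Capture the output once and report anything other than `On`/`Off` so the failure is visible in the activation log, as sketched below, with the existing branches then comparing `"$remoteLogin"`. The option toggles only the launchd service; `/etc/ssh/sshd_config` and the Remote Login access list are left as they are, which the description should state, e.g. `Only the launchd service state is managed; sshd configuration and access control are not changed.`. Whether `-getremotelogin` itself needs Full Disk Access, as the comment says `-setremotelogin` does, is not visible here and is worth confirming.
```nix
    system.activationScripts.launchd.text = lib.mkIf (cfg.enable != null) ''
      remoteLogin=$(systemsetup -getremotelogin | sed 's/Remote Login: //')
      if [[ "$remoteLogin" != "On" && "$remoteLogin" != "Off" ]]; then
        printf >&2 'warning: unexpected output from systemsetup -getremotelogin: %s\n' "$remoteLogin"
      fi
      # … unchanged: the enable/disable branches, now testing "$remoteLogin" …
    '';
```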
From: Emily Date: Wed, 8 Jan 2025 19:10:22 +0000 Subject: [PATCH 028/118] version: implement nix-darwin release versions --- modules/system/version.nix | 20 ++++++++++++++------ version.json | 4 ++++ 2 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 version.json diff --git a/modules/system/version.nix b/modules/system/version.nix index 826ad352..54829d1d 100644 --- a/modules/system/version.nix +++ b/modules/system/version.nix @@ -59,11 +59,18 @@ in description = "Label to be used in the names of generated outputs."; }; + system.darwinRelease = mkOption { + readOnly = true; + type = types.str; + default = (lib.importJSON ../../version.json).release; + description = "The nix-darwin release (e.g. `24.11`)."; + }; + system.darwinVersion = mkOption { internal = true; type = types.str; - default = "darwin${toString cfg.stateVersion}${cfg.darwinVersionSuffix}"; - description = "The full darwin version (e.g. `darwin4.2abdb5a`)."; + default = cfg.darwinRelease + cfg.darwinVersionSuffix; + description = "The full nix-darwin version (e.g. `24.11.2abdb5a`)."; }; system.darwinVersionSuffix = mkOption { @@ -72,7 +79,7 @@ in default = if cfg.darwinRevision != null then ".${substring 0 7 cfg.darwinRevision}" else ""; - description = "The short darwin version suffix (e.g. `.2abdb5a`)."; + description = "The short nix-darwin version suffix (e.g. `.2abdb5a`)."; }; system.darwinRevision = mkOption { 
@@ -86,14 +93,15 @@ in readOnly = true; type = types.str; default = lib.trivial.release; - description = "The nixpkgs release (e.g. `16.03`)."; + description = "The nixpkgs release (e.g. `24.11`)."; }; + # TODO: Shouldn’t mismatch the Darwin release, rethink all this… system.nixpkgsVersion = mkOption { internal = true; type = types.str; default = cfg.nixpkgsRelease + cfg.nixpkgsVersionSuffix; - description = "The full nixpkgs version (e.g. `16.03.1160.f2d4ee1`)."; + description = "The full nixpkgs version (e.g. `24.11.1160.f2d4ee1`)."; }; system.nixpkgsVersionSuffix = mkOption { @@ -124,7 +132,7 @@ in config = { # This default is set here rather than up there so that the options # documentation is not reprocessed on every commit - system.darwinLabel = mkDefault "${cfg.nixpkgsVersion}+${cfg.darwinVersion}"; + system.darwinLabel = mkDefault cfg.darwinVersion; assertions = [ { diff --git a/version.json b/version.json new file mode 100644 index 00000000..1d2863a0 --- /dev/null +++ b/version.json @@ -0,0 +1,4 @@ +{ + "release": "25.05", + "isReleaseBranch": false +} From 303a8143a43579d12b4996ad3ab0e8380ae8c8b5 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 12 Jan 2025 00:39:05 +0000 Subject: [PATCH 029/118] =?UTF-8?q?checks:=20check=20for=20macOS=20?= =?UTF-8?q?=E2=89=A5=2011.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/system/checks.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 57ddfd27..26d6d9db 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -24,6 +24,29 @@ let fi ''; + macOSVersion = '' + IFS=. read -ra osVersion <<<"$(sw_vers --productVersion)" + if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then + printf >&2 '\e[1;31merror: macOS version is less than 11.3, aborting activation\e[0m\n' + printf >&2 'Nixpkgs 25.05 requires macOS Big Sur 11.3 or newer, and 25.11 will\n' + printf >&2 'require macOS Sonoma 14.\n' + printf >&2 '\n' + printf >&2 'For more information on your options going forward, see the 25.05\n' + printf >&2 'release notes:\n' + printf >&2 '\n' + printf >&2 '\n' + printf >&2 'Nixpkgs 24.11 and nix-darwin 24.11 continue to support down to macOS\n' + printf >&2 'Sierra 10.12, and will be supported through June 2025.\n' + printf >&2 '\n' + printf >&2 'You can override this check by setting:\n' + printf >&2 '\n' + printf >&2 ' system.checks.verifyMacOSVersion = false;\n' + printf >&2 '\n' + printf >&2 'However, we are unable to provide support if you do so.\n' + exit 1 + fi + ''; + runLink = '' if [[ ! -e /run ]]; then printf >&2 'error: directory /run does not exist, aborting activation\n' @@ -341,6 +364,12 @@ in description = "Whether to run the Nix build users validation checks."; }; + system.checks.verifyMacOSVersion = mkOption { + type = types.bool; + default = true; + description = "Whether to run the macOS version check."; + }; + system.checks.text = mkOption { internal = true; type = types.lines; @@ -352,6 +381,7 @@ in system.checks.text = mkMerge [ darwinChanges + (mkIf cfg.verifyMacOSVersion macOSVersion) runLink (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) From c7b33c131fcbb83eb2f47e07de5a8dee587e5d4b Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 8 Jan 2025 19:10:22 +0000 Subject: [PATCH 030/118] ci: only test one version --- .github/workflows/test.yml | 152 +++++++------------------------------ 1 file changed, 28 insertions(+), 124 deletions(-) 
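Review bot: `sw_vers --productVersion` uses the long-option spelling, and the pre-11.3 releases this check exists to reject are the ones that may accept only the single-dash `sw_vers -productVersion` form this repository used elsewhere; if the command fails there, `osVersion` is empty, the arithmetic compares `0 < 11` and the check still fails closed (or aborts on an unbound variable if `set -u` is active), but the user is told their macOS is older than 11.3 rather than that the version could not be read. Prefer `-productVersion`, and consider guarding the parse with `if [[ -z ''${osVersion[0]-} ]]; then printf >&2 'error: could not determine the macOS version\n'; exit 1; fi` (the `''$` is needed inside the Nix indented string). The two smaller hunks below that add `system.checks.verifyMacOSVersion` and wire it into `system.checks.text` look consistent with the existing `verifyBuildUsers` pattern.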
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 94fec9da..63c155b6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -6,42 +6,42 @@ on: - master env: - CURRENT_STABLE_CHANNEL: nixpkgs-24.11-darwin + NIXPKGS_BRANCH: nixpkgs-unstable + NIX_DARWIN_BRANCH: master + NIX_VERSION: 2.24.11 jobs: + # The `test-stable` and `install-against-stable` job names are + # load‐bearing, despite their inaccuracy on the unstable branch, as + # they are set as required checks in the repository configuration, + # which only repository admins can change. + # + # TODO: Change them once the repository configuration is updated. + test-stable: runs-on: macos-13 steps: - uses: actions/checkout@v4 - - name: Install nix corresponding to latest stable channel + - name: Install Nix uses: cachix/install-nix-action@v30 with: - install_url: https://releases.nixos.org/nix/nix-2.18.8/install - - run: nix flake check --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} - - test-unstable: - runs-on: macos-13 - steps: - - uses: actions/checkout@v4 - - name: Install nix from current unstable channel - uses: cachix/install-nix-action@v30 - with: - install_url: https://releases.nixos.org/nix/nix-2.24.9/install - - run: nix flake check --override-input nixpkgs nixpkgs/nixpkgs-unstable + install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install + - run: nix flake check --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} install-against-stable: runs-on: macos-13 + timeout-minutes: 30 steps: - uses: actions/checkout@v4 - - name: Install nix corresponding to latest stable channel + - name: Install Nix uses: cachix/install-nix-action@v30 with: - install_url: https://releases.nixos.org/nix/nix-2.18.8/install - nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} + install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install + nix_path: nixpkgs=channel:${{ env.NIXPKGS_BRANCH }} - name: Install channels run: | - nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin - nix-channel --add https://nixos.org/channels/${{ 
env.CURRENT_STABLE_CHANNEL }} nixpkgs + nix-channel --add https://github.com/LnL7/nix-darwin/archive/${{ env.NIX_DARWIN_BRANCH }}.tar.gz darwin + nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs nix-channel --update - name: Install nix-darwin run: | 
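Review bot: `timeout-minutes: 30` is added to `install-against-stable` and `install-flake` already carries one, but `test-stable` still runs with the GitHub Actions default of 360 minutes, so a hung `nix flake check` blocks the required check for six hours; add `timeout-minutes: 30` under `runs-on: macos-13` in `test-stable` as well. The new comment explaining why the misleading job names are kept is useful; a pointer to the `env` block that now carries the branch and version pins would make the rename-later TODO easier to act on.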
@@ -75,71 +75,20 @@ jobs: # `cachix/install-nix-action` but not by our default config above nix run .#darwin-uninstaller \ --extra-experimental-features "nix-command flakes" \ - --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} + --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} nix run .#darwin-uninstaller.tests.uninstaller \ --extra-experimental-features "nix-command flakes" \ - --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} + --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - install-against-unstable: + install-flake: runs-on: macos-13 timeout-minutes: 30 steps: - uses: actions/checkout@v4 - - name: Install nix from current unstable channel + - name: Install Nix uses: cachix/install-nix-action@v30 with: - install_url: https://releases.nixos.org/nix/nix-2.24.9/install - nix_path: nixpkgs=channel:nixpkgs-unstable - - name: Install channels - run: | - nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin - nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs - nix-channel --update - - name: Install nix-darwin - run: | - export NIX_PATH=$HOME/.nix-defexpr/channels - - mkdir -p ~/.config/nix-darwin - cp modules/examples/simple.nix ~/.config/nix-darwin/configuration.nix - - nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ - ~/.config/nix-darwin/configuration.nix - - nix run .#darwin-rebuild \ - -- switch \ - -I darwin-config=$HOME/.config/nix-darwin/configuration.nix - - name: Switch to new configuration - run: | - . /etc/bashrc - - /usr/bin/sed -i.bak \ - "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/configuration.nix - - darwin-rebuild switch -I darwin=. 
- - hello - - name: Test uninstallation of nix-darwin - run: | - # We need to specify `--extra-experimental-features` because `experimental-features` is set by - # `cachix/install-nix-action` but not by our default config above - nix run .#darwin-uninstaller \ - --extra-experimental-features "nix-command flakes" \ - --override-input nixpkgs nixpkgs/nixpkgs-unstable - nix run .#darwin-uninstaller.tests.uninstaller \ - --extra-experimental-features "nix-command flakes" \ - --override-input nixpkgs nixpkgs/nixpkgs-unstable - - install-flake-against-stable: - runs-on: macos-13 - steps: - - uses: actions/checkout@v4 - - name: Install nix version corresponding to latest stable channel - uses: cachix/install-nix-action@v30 - with: - install_url: https://releases.nixos.org/nix/nix-2.18.8/install + install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install - name: Install nix-darwin run: | mkdir -p ~/.config/nix-darwin @@ -157,7 +106,7 @@ jobs: nix run .#darwin-rebuild -- \ switch --flake ~/.config/nix-darwin#simple \ --override-input nix-darwin . \ - --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} + --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - name: Switch to new configuration run: | . /etc/bashrc 
@@ -168,55 +117,10 @@ jobs: darwin-rebuild switch --flake ~/.config/nix-darwin#simple \ --override-input nix-darwin . \ - --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} + --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} hello - name: Test uninstallation of nix-darwin run: | - nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} - nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} - - install-flake-against-unstable: - runs-on: macos-13 - timeout-minutes: 30 - steps: - - uses: actions/checkout@v4 - - name: Install nix from current unstable channel - uses: cachix/install-nix-action@v30 - with: - install_url: https://releases.nixos.org/nix/nix-2.24.9/install - - name: Install nix-darwin - run: | - mkdir -p ~/.config/nix-darwin - darwin=$(pwd) - pushd ~/.config/nix-darwin - nix flake init -t $darwin - nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ - flake.nix - /usr/bin/sed -i.bak \ - 's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \ - flake.nix - popd - nix run .#darwin-rebuild -- \ - switch --flake ~/.config/nix-darwin#simple \ - --override-input nix-darwin . \ - --override-input nixpkgs nixpkgs/nixpkgs-unstable - - name: Switch to new configuration - run: | - . /etc/bashrc - - /usr/bin/sed -i.bak \ - "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/flake.nix - - darwin-rebuild switch --flake ~/.config/nix-darwin#simple \ - --override-input nix-darwin . 
\ - --override-input nixpkgs nixpkgs/nixpkgs-unstable - - hello - - name: Test uninstallation of nix-darwin - run: | - nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/nixpkgs-unstable - nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/nixpkgs-unstable + nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} + nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} From efba3517fcd8f034e01dfda1c94a865d11aaf69f Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 8 Jan 2025 19:10:22 +0000 Subject: [PATCH 031/118] eval-config: implement release branch checks --- eval-config.nix | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/eval-config.nix b/eval-config.nix index cd14493d..5014c6c9 100644 --- a/eval-config.nix +++ b/eval-config.nix 
@@ -1,10 +1,72 @@ +let + nixDarwinVersion = builtins.fromJSON (builtins.readFile ./version.json); + + checkRelease = lib: + # Avoid breaking configurations when the unstable Nixpkgs version + # rolls over. + # + # TODO: Something more refined than this would be ideal, as this + # still means you could be using unstable nix-darwin 25.05 with + # Nixpkgs 26.05, which would be unfortunate. + if nixDarwinVersion.isReleaseBranch then + lib.trivial.release == nixDarwinVersion.release + else + lib.versionAtLeast lib.trivial.release nixDarwinVersion.release; +in + { lib , modules , baseModules ? import ./modules/module-list.nix , specialArgs ? { } , check ? true +, enableNixpkgsReleaseCheck ? true }@args: +assert enableNixpkgsReleaseCheck -> checkRelease lib || throw '' + + nix-darwin now uses release branches that correspond to Nixpkgs releases. + The nix-darwin and Nixpkgs branches in use must match, but you are currently + using nix-darwin ${nixDarwinVersion.release} with Nixpkgs ${lib.trivial.release}. + + On macOS, you should use either the `nixpkgs-unstable` or + `nixpkgs-YY.MM-darwin` branches of Nixpkgs. These correspond to the + `master` and `nix-darwin-YY.MM` branches of nix-darwin, respectively. Check + for the currently supported Nixpkgs releases. + + If you’re using flakes, make sure your inputs look like this: + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/NIXPKGS-BRANCH"; + nix-darwin.url = "github:LnL7/nix-darwin/NIX-DARWIN-BRANCH"; + nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; + # … + }; + + If you’re using channels, you can check your current channels with: + + $ sudo nix-channel --list + nixpkgs https://nixos.org/channels/NIXPKGS-BRANCH + darwin https://github.com/LnL7/nix-darwin/archive/NIX-DARWIN-BRANCH.tar.gz + … + $ nix-channel --list + … + + If `darwin` or `nixpkgs` are present in `nix-channel --list` (without + `sudo`), you should delete them with `nix-channel --remove NAME`. These can + contribute to version mismatch problems. 
+ + You can then fix your channels like this: + + $ sudo nix-channel --add https://nixos.org/channels/NIXPKGS-BRANCH nixpkgs + $ sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/NIX-DARWIN-BRANCH.tar.gz darwin + $ sudo nix-channel --update + + After that, activating your system again should work correctly. If it + doesn’t, please open an issue at + and include as much + information as possible. +''; + let argsModule = { _file = ./eval-config.nix; From d5aeb4e5b17c4e17b4eb515e088d6ea6babd14d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 14 Jan 2025 01:18:53 +0000 Subject: [PATCH 032/118] checks: recommend `sudo nix-channel` --- modules/system/checks.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 57ddfd27..a5fd44a8 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -211,8 +211,8 @@ let if ! test -e "$darwinPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add the darwin repo as a channel or set nix.nixPath:" >&2 - echo "$ nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin" >&2 - echo "$ nix-channel --update" >&2 + echo "$ sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin" >&2 + echo "$ sudo nix-channel --update" >&2 echo >&2 echo "or set" >&2 echo >&2 @@ -225,8 +225,8 @@ let if ! test -e "$nixpkgsPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add a nixpkgs channel or set nix.nixPath:" >&2 - echo "$ nix-channel --add http://nixos.org/channels/nixpkgs-unstable nixpkgs" >&2 - echo "$ nix-channel --update" >&2 + echo "$ sudo nix-channel --add http://nixos.org/channels/nixpkgs-unstable nixpkgs" >&2 + echo "$ sudo nix-channel --update" >&2 echo >&2 echo "or set" >&2 echo >&2 From e33d37c41f8040631f0cc16b032a1cf214aeeb4e Mon Sep 17 00:00:00 2001 
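Review bot: The new `enableNixpkgsReleaseCheck` argument is undocumented, unlike the long error text that explains the policy; a one-line comment above it, such as `# Set to false to skip the Nixpkgs/nix-darwin release compatibility check below (unsupported).`, tells callers what they opt out of. The assertion parses as `enableNixpkgsReleaseCheck -> (checkRelease lib || throw …)` because `->` binds looser than `||` in Nix, which is the intended reading, but the precedence is subtle enough that explicit parentheses would help the next reader. The `TODO` already records that the unstable branch accepts any newer Nixpkgs, so nothing further there.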
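Review bot: The recommended command on the changed line in the second hunk still points at `http://nixos.org/channels/nixpkgs-unstable`; a channel fetched over plain HTTP can be replaced on the wire before any redirect to HTTPS happens, and `nix-channel` relies on the transport for the tarball's integrity, so the advice users copy should read `echo "$ sudo nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs" >&2`. The nix-darwin channel line in the first hunk of this commit already uses HTTPS.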
From: Emily Date: Wed, 8 Jan 2025 19:10:22 +0000 Subject: [PATCH 033/118] {readme,examples/flake}: update for release branches --- README.md | 29 ++++++++++++++++++++++------- modules/examples/flake/flake.nix | 2 +- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index ba9fa779..97200d69 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,12 @@ If you don't have an existing `configuration.nix`, you can run the following com ```bash mkdir -p ~/.config/nix-darwin cd ~/.config/nix-darwin -nix flake init -t nix-darwin + +# To use Nixpkgs unstable: +nix flake init -t nix-darwin/master +# To use Nixpkgs 24.11: +nix flake init -t nix-darwin/nix-darwin-24.11 + sed -i '' "s/simple/$(scutil --get LocalHostName)/" flake.nix ``` @@ -57,8 +62,10 @@ Add the following to `flake.nix` in the same folder as `configuration.nix`: description = "John's darwin system"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-24.11-darwin"; - nix-darwin.url = "github:LnL7/nix-darwin"; + # Use `github:NixOS/nixpkgs/nixpkgs-24.11-darwin` to use Nixpkgs 24.11. + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + # Use `github:LnL7/nix-darwin/nix-darwin-24.11` to use Nixpkgs 24.11. + nix-darwin.url = "github:LnL7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; }; @@ -122,8 +129,12 @@ Copy the [simple](./modules/examples/simple.nix) example to `~/.config/nix-darwi ### Step 2. Adding `nix-darwin` channel ```bash -nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin -nix-channel --update +# If you use Nixpkgs unstable (the default): +sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin +# If you use Nixpkgs 24.11: +sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz darwin + +sudo nix-channel --update ``` ### Step 3. Installing `nix-darwin` 
@@ -131,7 +142,11 @@ nix-channel --update To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash +# If you use Nixpkgs unstable (the default): nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A darwin-rebuild +# If you use Nixpkgs 24.11: +nix-build https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz -A darwin-rebuild + ./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix ``` @@ -145,10 +160,10 @@ darwin-rebuild switch ### Step 5. Updating `nix-darwin` -You can update `nix-darwin` using the following command: +You can update Nixpkgs and `nix-darwin` using the following command: ```bash -nix-channel --update darwin +sudo nix-channel --update ``` diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix index 4520b8ff..138c0473 100644 --- a/modules/examples/flake/flake.nix +++ b/modules/examples/flake/flake.nix @@ -3,7 +3,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - nix-darwin.url = "github:LnL7/nix-darwin"; + nix-darwin.url = "github:LnL7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; }; From ed6c4aabeae2ae8869a647eee04a45372a74ab56 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 12 Jan 2025 16:49:02 +0000 Subject: [PATCH 034/118] system: remove code for macOS < 11 --- modules/system/base.nix | 75 ++++++++++++++--------------------------- 1 file changed, 25 insertions(+), 50 deletions(-) diff --git a/modules/system/base.nix b/modules/system/base.nix index 2374855a..fb27c545 100644 --- a/modules/system/base.nix +++ b/modules/system/base.nix 
@@ -2,60 +2,35 @@
 {
 system.activationScripts.createRun.text = ''
- IFS="." read -r -a macOSVersion <<< "$(sw_vers -productVersion)"
+ if [[ $(stat -c '%a' /etc/synthetic.conf) != "644" ]]; then
+ echo "fixing permissions on /etc/synthetic.conf..."
+ sudo chmod 644 /etc/synthetic.conf
+ fi
- if [[ ''${macOSVersion[0]} -gt 10 || ( ''${macOSVersion[0]} -eq 10 && ''${macOSVersion[1]} -ge 15 ) ]]; then
- if [[ $(stat -c '%a' /etc/synthetic.conf) != "644" ]]; then
- echo "fixing permissions on /etc/synthetic.conf..."
- sudo chmod 644 /etc/synthetic.conf
- fi
+ if [[ $(grep -c '^run\b' /etc/synthetic.conf) -gt 1 ]]; then
+ echo "found duplicate run entries in /etc/synthetic.conf, removing..."
+ sudo sed -i "" -e '/^run\tprivate\/var\/run$/d' /etc/synthetic.conf
+ fi
- if [[ $(grep -c '^run\b' /etc/synthetic.conf) -gt 1 ]]; then
- echo "found duplicate run entries in /etc/synthetic.conf, removing..."
- sudo sed -i "" -e '/^run\tprivate\/var\/run$/d' /etc/synthetic.conf
- fi
+ if ! grep -q '^run\b' /etc/synthetic.conf 2>/dev/null; then
+ echo "setting up /run via /etc/synthetic.conf..."
+ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf >/dev/null
+ fi
- if ! grep -q '^run\b' /etc/synthetic.conf 2>/dev/null; then
- echo "setting up /run via /etc/synthetic.conf..."
- printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf >/dev/null
- fi
+ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t || true
- if [[ ''${macOSVersion[0]} -gt 10 ]]; then
- sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t || true
- else
- sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B || true
- fi
-
- if [[ ! -L /run ]]; then
- printf >&2 'error: apfs.util failed to symlink /run, aborting activation\n'
- printf >&2 'To create a symlink from /run to /var/run, please run:\n'
- printf >&2 '\n'
- printf >&2 "$ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf"
-
- if [[ ''${macOSVersion[0]} -gt 10 ]]; then
- printf >&2 '$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t\n'
- else
- printf >&2 '$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B\n'
- fi
-
- printf >&2 '\n'
- printf >&2 'The current contents of /etc/synthetic.conf is:\n'
- printf >&2 '\n'
- sudo sed 's/^/ /' /etc/synthetic.conf >&2
- printf >&2 '\n'
- exit 1
- fi
- else
- echo "setting up /run..."
- sudo ln -sfn private/var/run /run
-
- if [[ ! -L /run ]]; then
- printf >&2 'error: failed to symlink /run, aborting activation\n'
- printf >&2 'To create a symlink from /run to /var/run, please run:\n'
- printf >&2 '\n'
- printf >&2 '$ sudo ln -sfn private/var/link /run\n'
- exit 1
- fi
+ if [[ ! -L /run ]]; then
+ printf >&2 'error: apfs.util failed to symlink /run, aborting activation\n'
+ printf >&2 'To create a symlink from /run to /var/run, please run:\n'
+ printf >&2 '\n'
+ printf >&2 "$ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf"
+ printf >&2 '$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t\n'
+ printf >&2 '\n'
+ printf >&2 'The current contents of /etc/synthetic.conf is:\n'
+ printf >&2 '\n'
+ sudo sed 's/^/ /' /etc/synthetic.conf >&2
+ printf >&2 '\n'
+ exit 1
 fi
 '';
 }
From b721000dc6990f3a9ac8e5f8c9fcd7431c4396af Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 12 Jan 2025 16:49:25 +0000 Subject: [PATCH 035/118] system: add missing newline --- modules/system/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/system/base.nix b/modules/system/base.nix
index fb27c545..6d5e2a96 100644
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
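Review bot: `stat -c '%a' /etc/synthetic.conf` at the top of the new script body is evaluated before anything guarantees the file exists, so on a machine that never had `/etc/synthetic.conf` the substitution is empty, the `!= "644"` test succeeds and `sudo chmod 644` runs against a missing path; if the activation script runs with `set -e` (not visible here) it aborts before the `tee -a` further down ever creates the file. Guarding the fix-up with existence keeps the later branches reachable: `if [[ -e /etc/synthetic.conf && $(stat -c '%a' /etc/synthetic.conf) != "644" ]]; then`. The `-c` syntax also relies on GNU `stat` shadowing `/usr/bin/stat` on the activation `$PATH`, which deserves a one-line comment at the call. These lines were carried over from the removed branch, so the problem predates this commit but survives it.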
@@ -23,7 +23,7 @@
 printf >&2 'error: apfs.util failed to symlink /run, aborting activation\n'
 printf >&2 'To create a symlink from /run to /var/run, please run:\n'
 printf >&2 '\n'
- printf >&2 "$ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf"
+ printf >&2 "$ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf\n"
 printf >&2 '$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t\n'
 printf >&2 '\n'
 printf >&2 'The current contents of /etc/synthetic.conf is:\n'
From 1c21c9410eefec51cb7613d38250e49322eb0ab5 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 14 Jan 2025 02:19:01 +0000 Subject: [PATCH 036/118] system: remove unnecessary `sudo` --- modules/system/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/system/base.nix b/modules/system/base.nix
index 6d5e2a96..40c3699b 100644
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@@ -28,7 +28,7 @@
 printf >&2 '\n'
 printf >&2 'The current contents of /etc/synthetic.conf is:\n'
 printf >&2 '\n'
- sudo sed 's/^/ /' /etc/synthetic.conf >&2
+ sed 's/^/ /' /etc/synthetic.conf >&2
 printf >&2 '\n'
 exit 1
 fi
From 8f4f3d8d2d333248f5edf8bb9ef7c7d3274bf06f Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 14 Jan 2025 15:55:50 +0000 Subject: [PATCH 037/118] darwin-uninstaller: remove code for macOS < 11 --- pkgs/darwin-uninstaller/default.nix | 1 - 1 file changed, 1 deletion(-)
diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix
index da58682e..93092a8f 100644
--- a/pkgs/darwin-uninstaller/default.nix
+++ b/pkgs/darwin-uninstaller/default.nix
@@ -56,7 +56,6 @@ in writeShellApplication {
 if [[ -L /run ]]; then
 if [[ -e /etc/synthetic.conf ]]; then
 sudo sed -i -E '/^run[[:space:]]/d' /etc/synthetic.conf
- sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B &>/dev/null || true
 sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t &>/dev/null || true
 echo >&2 "NOTE: the /run symlink will be removed on reboot"
 else
From c5b7b604caad7924924f762b603a978c33091552 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 12 Jan 2025 17:26:47 +0000 Subject: [PATCH 038/118] darwin-rebuild: remove code for macOS < 11 --- pkgs/nix-tools/darwin-rebuild.sh | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh
index 7824913d..f945e6b4 100644
--- a/pkgs/nix-tools/darwin-rebuild.sh
+++ b/pkgs/nix-tools/darwin-rebuild.sh
@@ -22,15 +22,9 @@ showSyntax() {
 }
 sudo() {
- # REMOVEME when support for macOS 10.13 is dropped
- # macOS 10.13 does not support sudo --preserve-env so we make this conditional
- if command sudo --help | grep -- --preserve-env= >/dev/null; then
- # We use `env` before our command to ensure the preserved PATH gets checked
- # when trying to resolve the command to execute
- command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION env "$@"
- else
- command sudo -H "$@"
- fi
+ # We use `env` before our command to ensure the preserved PATH gets checked
+ # when trying to resolve the command to execute
+ command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION env "$@"
 }
 # Parse the command line.
From fe2fc038fd2a63f23bc646b0f3ce022b7c9b3129 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 12 Jan 2025 17:27:10 +0000 Subject: [PATCH 039/118] defaults/universalaccess: remove docs for macOS < 11 --- modules/system/defaults/universalaccess.nix | 1 - 1 file changed, 1 deletion(-)
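Review bot: The comment retained above `command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION env "$@"` explains the `env` trick but not the trust decision it implies: the caller's entire `$PATH` is forwarded into the root session and `env` resolves the command against it, so every directory after the script's own `@path@` prefix (exported at the top of the file, outside this hunk) is searched with root privileges. With the conditional fallback gone this is now the only code path, so state it where it happens, e.g. `# PATH is forwarded to root on purpose so the same nix-tools are used; the @path@ prefix must stay first.`. The function body is fully visible; the `export PATH` line it depends on is not.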
diff --git a/modules/system/defaults/universalaccess.nix b/modules/system/defaults/universalaccess.nix index 8a2de90f..996f23b6 100644 --- a/modules/system/defaults/universalaccess.nix +++ b/modules/system/defaults/universalaccess.nix @@ -28,7 +28,6 @@ with lib; default = null; description = '' Disable transparency in the menu bar and elsewhere. - Requires macOS Yosemite or later. The default is false. ''; }; From 47174f38689dba3221883db5f908f7e3ef924ef6 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 040/118] doc/manual: use `--replace-fail` --- doc/manual/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/manual/default.nix b/doc/manual/default.nix index d8e12f29..ef4b64d5 100644 --- a/doc/manual/default.nix +++ b/doc/manual/default.nix @@ -53,7 +53,7 @@ in rec { substitute \ ${optionsDoc.optionsJSON}/nix-support/hydra-build-products \ $out/nix-support/hydra-build-products \ - --replace \ + --replace-fail \ '${optionsDoc.optionsJSON}/share/doc/nixos' \ "$out/share/doc/darwin" ''; @@ -74,8 +74,8 @@ in rec { cp -r ${pkgs.documentation-highlighter} $dst/highlightjs substitute ${./manual.md} manual.md \ - --replace '@DARWIN_VERSION@' "${version}" \ - --replace \ + --replace-fail '@DARWIN_VERSION@' "${version}" \ + --replace-fail \ '@DARWIN_OPTIONS_JSON@' \ ${optionsJSON}/share/doc/darwin/options.json From ff1d6384dfa276ff4ab092fd9f37a66b5234466c Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 041/118] {environment,nix-tools}: correct default `$PATH` ordering to match macOS --- modules/environment/default.nix | 2 +- pkgs/nix-tools/default.nix | 2 +- tests/environment-path.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/environment/default.nix b/modules/environment/default.nix index fc4db2ab..79f760e9 100644 --- a/modules/environment/default.nix +++ b/modules/environment/default.nix 
@@ -161,7 +161,7 @@ in environment.systemPath = mkMerge [ [ (makeBinPath cfg.profiles) ] - (mkOrder 1200 [ "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin" ]) + (mkOrder 1200 [ "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" ]) ]; # Use user, default and system profiles. diff --git a/pkgs/nix-tools/default.nix b/pkgs/nix-tools/default.nix index 5fdc3821..4a496bb1 100644 --- a/pkgs/nix-tools/default.nix +++ b/pkgs/nix-tools/default.nix @@ -6,7 +6,7 @@ , stdenv , profile ? "/nix/var/nix/profiles/system" , nixPackage ? "/nix/var/nix/profiles/default" -, systemPath ? "$HOME/.nix-profile/bin:/etc/profiles/per-user/$USER/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin" +, systemPath ? "$HOME/.nix-profile/bin:/etc/profiles/per-user/$USER/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" }: let diff --git a/tests/environment-path.nix b/tests/environment-path.nix index 0bb9a055..b5e4754d 100644 --- a/tests/environment-path.nix +++ b/tests/environment-path.nix @@ -30,8 +30,8 @@ with lib; "afterProfile/bin" "/usr/local/bin" "/usr/bin" - "/usr/sbin" "/bin" + "/usr/sbin" "/sbin" "afterPath" ]}" From f959b8878b2a2e27f2df024930e52cb68b0528be Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 15 Jan 2025 17:15:49 +0000 Subject: [PATCH 042/118] defaults-write: fix activation script conditionalization These are lists, not attribute sets, so the condition was always succeeding. As far as I can tell this bug has been present since the function was added. --- modules/system/defaults-write.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/system/defaults-write.nix b/modules/system/defaults-write.nix index 22657219..a00b0e42 100644 --- a/modules/system/defaults-write.nix +++ b/modules/system/defaults-write.nix 
@@ -42,7 +42,7 @@ let
 CustomSystemPreferences = flatten (mapAttrsToList (name: value: defaultsToList name value) cfg.CustomSystemPreferences);
- mkIfAttrs = list: mkIf (any (attrs: attrs != { }) list);
+ mkIfLists = list: mkIf (any (attrs: attrs != [ ]) list);
 in {
@@ -57,7 +57,7 @@ in
 else types.float.check x;
 };
- system.activationScripts.defaults.text = mkIfAttrs [
+ system.activationScripts.defaults.text = mkIfLists [
 alf
 loginwindow
 smb
@@ -74,7 +74,7 @@ in
 ${concatStringsSep "\n" CustomSystemPreferences}
 '';
- system.activationScripts.userDefaults.text = mkIfAttrs
+ system.activationScripts.userDefaults.text = mkIfLists
 [
 GlobalPreferences
 LaunchServices
From 4075a3c23aa7996acc960e61df9f21038136d08a Mon Sep 17 00:00:00 2001 From: Kaleb Elwert Date: Fri, 10 Jan 2025 15:55:31 -0800 Subject: [PATCH 043/118] Add support for additional window tiling options This adds support for the following defaults: - com.apple.WindowManager.EnableTilingByEdgeDrag - com.apple.WindowManager.EnableTopTilingByEdgeDrag - com.apple.WindowManager.EnableTilingOptionAccelerator --- modules/system/defaults/WindowManager.nix | 27 ++++++++++++++++++- .../system-defaults-write/activate-user.txt | 15 +++++++++++ tests/system-defaults-write.nix | 3 +++ 3 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/modules/system/defaults/WindowManager.nix b/modules/system/defaults/WindowManager.nix
index 6a62ebce..7b9048cc 100644
--- a/modules/system/defaults/WindowManager.nix
+++ b/modules/system/defaults/WindowManager.nix
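Review bot: `mkIfLists` still names its lambda parameter `attrs` (`any (attrs: attrs != [ ]) list`), which is the very misreading the commit message blames for the bug; now that the elements are lists, `mkIfLists = list: mkIf (any (l: l != [ ]) list);` stops the name from suggesting attribute sets again. A one-line comment above it saying that the arguments are the per-domain lists built by `defaultsToList` would also make the `[ ]` comparison self-explanatory. The `let` block this sits in continues outside the hunk.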
@@ -56,11 +56,36 @@ with lib; Hide items in Stage Manager. ''; }; + + system.defaults.WindowManager.EnableTilingByEdgeDrag = mkOption { + type = types.nullOr types.bool; + default = null; + description = '' + Enable dragging windows to screen edges to tile them. The default is true. + ''; + }; + + system.defaults.WindowManager.EnableTopTilingByEdgeDrag = mkOption { + type = types.nullOr types.bool; + default = null; + description = '' + Enable dragging windows to the menu bar to fill the screen. The default is true. + ''; + }; + + system.defaults.WindowManager.EnableTilingOptionAccelerator = mkOption { + type = types.nullOr types.bool; + default = null; + description = '' + Enable holding alt to tile windows. The default is true. + ''; + }; + system.defaults.WindowManager.EnableTiledWindowMargins = mkOption { type = types.nullOr types.bool; default = null; description = '' - Enable Window Margins. The default is true. + Enable window margins when tiling windows. The default is true. ''; }; diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index 3656a47b..eda37537 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -524,6 +524,21 @@ defaults write com.apple.WindowManager 'EnableTiledWindowMargins' $' ' +defaults write com.apple.WindowManager 'EnableTilingByEdgeDrag' $' + + + +' +defaults write com.apple.WindowManager 'EnableTilingOptionAccelerator' $' + + + +' +defaults write com.apple.WindowManager 'EnableTopTilingByEdgeDrag' $' + + + +' defaults write com.apple.WindowManager 'GloballyEnabled' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 1a29aa2d..0b8bc030 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix 
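Review bot: The `EnableTilingOptionAccelerator` description says `holding alt`, but the key is called Option on Apple keyboards and the defaults key itself carries that name; `Enable holding the Option key to tile windows. The default is true.` matches the option's own spelling. The other two new descriptions read fine.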
@@ -96,6 +96,9 @@ system.defaults.WindowManager.AppWindowGroupingBehavior = true; system.defaults.WindowManager.StandardHideDesktopIcons = false; system.defaults.WindowManager.HideDesktop = false; + system.defaults.WindowManager.EnableTilingByEdgeDrag = true; + system.defaults.WindowManager.EnableTopTilingByEdgeDrag = true; + system.defaults.WindowManager.EnableTilingOptionAccelerator = true; system.defaults.WindowManager.EnableTiledWindowMargins = true; system.defaults.WindowManager.StandardHideWidgets = true; system.defaults.WindowManager.StageManagerHideWidgets = true; From 2fe899db70f8d2e9162e9ff44eef4f734787b5b1 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 15:22:01 +0000 Subject: [PATCH 044/118] nix: check `/etc/nix/nix.custom.conf` hash --- ...82c205cfd8e8cca425d91253ec2c10a88179bb34aa | 3 ++ ...e78e1fc788705c2c5257fddf9b59bdd963ca6fec63 | 4 ++ modules/nix/default.nix | 52 ++++++++++++++++++- 3 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 doc/known-files/3bd68ef979a42070a44f8d82c205cfd8e8cca425d91253ec2c10a88179bb34aa create mode 100644 doc/known-files/6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63 diff --git a/doc/known-files/3bd68ef979a42070a44f8d82c205cfd8e8cca425d91253ec2c10a88179bb34aa b/doc/known-files/3bd68ef979a42070a44f8d82c205cfd8e8cca425d91253ec2c10a88179bb34aa new file mode 100644 index 00000000..dacf1689 --- /dev/null +++ b/doc/known-files/3bd68ef979a42070a44f8d82c205cfd8e8cca425d91253ec2c10a88179bb34aa @@ -0,0 +1,3 @@ +# Written by https://github.com/DeterminateSystems/nix-installer. +# The contents below are based on options specified at installation time. + diff --git a/doc/known-files/6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63 b/doc/known-files/6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63 new file mode 100644 index 00000000..74a863d8 --- /dev/null +++ b/doc/known-files/6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63 
@@ -0,0 +1,4 @@ + +# Written by https://github.com/DeterminateSystems/nix-installer. +# The contents below are based on options specified at installation time. + diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 41398fac..b49e42c5 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -823,8 +823,58 @@ in
 ]);
 users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ];
+ # The Determinate Systems installer puts user‐specified settings in
+ # `/etc/nix/nix.custom.conf` since v0.33.0. Supplement the
+ # `/etc/nix/nix.conf` hash check so that we don’t accidentally
+ # clobber user configuration.
+ #
+ # TODO: Maybe this could use a more general file placement mechanism
+ # to express that we want it deleted and know only one hash?
+ system.activationScripts.etcChecks.text = mkAfter ''
+ nixCustomConfKnownSha256Hashes=(
+ # v0.33.0
+ 6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63
+ # v0.34.0
+ 3bd68ef979a42070a44f8d82c205cfd8e8cca425d91253ec2c10a88179bb34aa
+ )
+ if [[ -e /etc/nix/nix.custom.conf ]]; then
+ nixCustomConfSha256Output=$(shasum -a 256 /etc/nix/nix.custom.conf)
+ nixCustomConfSha256Hash=''${nixCustomConfSha256Output%% *}
+ nixCustomConfIsKnown=
+ for nixCustomConfKnownSha256Hash
+ in "''${nixCustomConfKnownSha256Hashes[@]}"
+ do
+ if
+ [[ $nixCustomConfSha256Hash == "$nixCustomConfKnownSha256Hash" ]]
+ then
+ nixCustomConfIsKnown=1
+ break
+ fi
+ done
+ if [[ ! $nixCustomConfIsKnown ]]; then
+ # shellcheck disable=SC2016
+ printf >&2 '\e[1;31merror: custom settings in `/etc/nix/nix.custom.conf`, aborting activation\e[0m\n'
+ # shellcheck disable=SC2016
+ printf >&2 'You will need to migrate these to nix-darwin `nix.*` settings if you\n'
+ printf >&2 'wish to keep them. Check the manual for the appropriate settings and\n'
+ printf >&2 'add them to your system configuration, then run:\n'
+ printf >&2 '\n'
+ printf >&2 ' $ sudo mv /etc/nix/nix.custom.conf{,.before-nix-darwin}\n'
+ printf >&2 '\n'
+ printf >&2 'and activate your system again.\n'
+ exit 2
+ fi
+ fi
+ '';
+
 # Unrelated to use in NixOS module
- system.activationScripts.nix-daemon.text = mkIf cfg.useDaemon ''
+ system.activationScripts.nix-daemon.text = ''
+ # Follow up on the `/etc/nix/nix.custom.conf` check.
+ # TODO: Use a more generalized file placement mechanism for this.
+ if [[ -e /etc/nix/nix.custom.conf ]]; then
+ mv /etc/nix/nix.custom.conf{,.before-nix-darwin}
+ fi
+ '' + optionalString cfg.useDaemon ''
 if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then
 echo "reloading nix-daemon..." >&2
 launchctl kill HUP system/org.nixos.nix-daemon
From 8abb2e7244b998a9d73818baa744044f8882e68b Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 14 Jan 2025 22:53:19 +0000 Subject: [PATCH 045/118] nix: add hashes for Determinate Systems installer v0.33.0 and v0.34.0 --- ...fb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5 | 14 ++++++++++++++ ...793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811 | 13 +++++++++++++ modules/nix/default.nix | 2 ++ 3 files changed, 29 insertions(+) create mode 100644 doc/known-files/53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5 create mode 100644 doc/known-files/6bb8d6b0dd16b44ee793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811
diff --git a/doc/known-files/53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5 b/doc/known-files/53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5
new file mode 100644
index 00000000..44b308a0
--- /dev/null
+++ b/doc/known-files/53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5
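Review bot: The `mv /etc/nix/nix.custom.conf{,.before-nix-darwin}` added to `nix-daemon.text` overwrites any existing `.before-nix-darwin` file, and that file is exactly the backup the new `etcChecks` message instructs users to make by hand when the conf holds custom settings. If a stock `nix.custom.conf` later reappears (after a reinstall, for instance) it has a known hash, passes the check, and the unconditional `mv` replaces the user's saved settings with an installer template. Assuming `etcChecks` is ordered before `nix-daemon` (not visible here), a file that reaches this point only ever has known installer content, so when a backup already exists it can simply be removed, as below. The enclosing attribute set continues past the hunk.
```nix
      # Follow up on the `/etc/nix/nix.custom.conf` check.
      # TODO: Use a more generalized file placement mechanism for this.
      if [[ -e /etc/nix/nix.custom.conf ]]; then
        if [[ -e /etc/nix/nix.custom.conf.before-nix-darwin ]]; then
          # Only installer-default content gets this far (see `etcChecks`),
          # so there is nothing to keep; never clobber the user's backup.
          rm /etc/nix/nix.custom.conf
        else
          mv /etc/nix/nix.custom.conf{,.before-nix-darwin}
        fi
      fi
```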
@@ -0,0 +1,14 @@ + +# Generated by https://github.com/DeterminateSystems/nix-installer. +# See `/nix/nix-installer --version` for the version details. + +!include nix.custom.conf + +experimental-features = nix-command flakes +always-allow-substitutes = true +extra-trusted-substituters = https://cache.flakehub.com +extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y= +bash-prompt-prefix = (nix:$name)\040 +max-jobs = auto +extra-nix-path = nixpkgs=flake:nixpkgs +upgrade-nix-store-path-url = https://install.determinate.systems/nix-upgrade/stable/universal diff --git a/doc/known-files/6bb8d6b0dd16b44ee793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811 b/doc/known-files/6bb8d6b0dd16b44ee793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811 new file mode 100644 index 00000000..0973d2c6 --- /dev/null +++ b/doc/known-files/6bb8d6b0dd16b44ee793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811 
@@ -0,0 +1,13 @@ +# Generated by https://github.com/DeterminateSystems/nix-installer. +# See `/nix/nix-installer --version` for the version details. + +extra-experimental-features = nix-command flakes +always-allow-substitutes = true +extra-trusted-substituters = https://cache.flakehub.com +extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y= +bash-prompt-prefix = (nix:$name)\040 +max-jobs = auto +extra-nix-path = nixpkgs=flake:nixpkgs +upgrade-nix-store-path-url = https://install.determinate.systems/nix-upgrade/stable/universal + +!include nix.custom.conf diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b49e42c5..97bb8959 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -703,6 +703,8 @@ in "5d23e6d7015756c6f300f8cd558ec4d9234ca61deefd4f2478e91a49760b0747" # DeterminateSystems Nix installer 0.16.0 "e4974acb79c56148cb8e92137fa4f2de9b7356e897b332fc4e6769e8c0b83e18" # DeterminateSystems Nix installer 0.20.0 "966d22ef5bb9b56d481e8e0d5f7ca2deaf4d24c0f0fc969b2eeaa7ae0aa42907" # DeterminateSystems Nix installer 0.22.0 + "53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5" # DeterminateSystems Nix installer 0.33.0 + "6bb8d6b0dd16b44ee793a9b8382dac76c926e4c16ffb8ddd2bb4884d1ca3f811" # DeterminateSystems Nix installer 0.34.0 "24797ac05542ff8b52910efc77870faa5f9e3275097227ea4e50c430a5f72916" # lix-installer 0.17.1 with flakes "b027b5cad320b5b8123d9d0db9f815c3f3921596c26dc3c471457098e4d3cc40" # lix-installer 0.17.1 without flakes ]; From e1976612f0054a8143f37e7ef25c4ef4b88b44bd Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 15 Jan 2025 18:41:10 +0000 Subject: [PATCH 046/118] system: tweak ShellCheck settings --- modules/networking/default.nix | 1 - modules/nix/default.nix | 2 -- modules/system/checks.nix | 4 ---- modules/system/default.nix | 5 ++++- modules/users/default.nix | 5 ----- 5 files changed, 4 insertions(+), 13 deletions(-) diff --git a/modules/networking/default.nix b/modules/networking/default.nix index 7a81ca1c..b53a9e4a 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -118,7 +118,6 @@ in echo "configuring networking..." >&2 ${optionalString (cfg.computerName != null) '' - # shellcheck disable=SC1112 scutil --set ComputerName ${escapeShellArg cfg.computerName} ''} ${optionalString (cfg.hostName != null) '' diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 8d8ffc8d..857c4be8 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -853,9 +853,7 @@ in fi done if [[ ! $nixCustomConfIsKnown ]]; then - # shellcheck disable=SC2016 printf >&2 '\e[1;31merror: custom settings in `/etc/nix/nix.custom.conf`, aborting activation\e[0m\n' - # shellcheck disable=SC2016 printf >&2 'You will need to migrate these to nix-darwin `nix.*` settings if you\n' printf >&2 'wish to keep them. Check the manual for the appropriate settings and\n' printf >&2 'add them to your system configuration, then run:\n' diff --git a/modules/system/checks.nix b/modules/system/checks.nix index c1ab4095..fade846d 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -141,7 +141,6 @@ let printf >&2 'Possible causes include setting up a new Nix installation with an\n' printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n' printf >&2 'installation with an existing Nix installation, or manually increasing\n' - # shellcheck disable=SC2016 printf >&2 'your `system.stateVersion` setting.\n' printf >&2 '\n' printf >&2 'You can set the configured group ID to match the actual value:\n' @@ -162,7 +161,6 @@ let printf >&2 '\n' printf >&2 ' services.nix-daemon.enable = false;\n' printf >&2 '\n' - # shellcheck disable=SC2016 printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n' printf >&2 '\n' exit 2 @@ -302,7 +300,6 @@ let if [[ -d /etc/ssh/authorized_keys.d ]]; then printf >&2 '\e[1;31merror: /etc/ssh/authorized_keys.d exists, aborting activation\e[0m\n' printf >&2 'SECURITY NOTICE: The previous implementation of the\n' - # shellcheck disable=SC2016 printf >&2 '`users.users..openssh.authorizedKeys.*` options would not delete\n' printf >&2 'authorized keys files when the setting for a given user was removed.\n' printf >&2 '\n' 
@@ -325,7 +322,6 @@ let
 echo "Homebrew doesn't seem to be installed. Please install homebrew separately." >&2
 echo "You can install homebrew using the following command:" >&2
 echo >&2
- # shellcheck disable=SC2016
 echo ' /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"' >&2
 echo >&2
 exit 2
diff --git a/modules/system/default.nix b/modules/system/default.nix
index a1862fae..8351dcc6 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -135,7 +135,10 @@ in
 chmod u+x $out/activate-user
 unset activationUserScript
- shellcheck $out/activate $out/activate-user
+ # We exclude the warnings for `…` in single‐quote strings and
+ # non‐ASCII quotation marks as they are noisy and lead to a lot
+ # of false positives in our user‐facing output:
+ shellcheck --exclude=SC2016,SC1112 $out/activate $out/activate-user
 echo -n "$systemConfig" > $out/systemConfig
diff --git a/modules/users/default.nix b/modules/users/default.nix
index 574f5a4e..ecce2af3 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -149,7 +149,6 @@ in
 if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then
 if [[ -n "$SSH_CONNECTION" ]]; then
 printf >&2 '\e[1;31merror: users cannot be %s over SSH without Full Disk Access, aborting activation\e[0m\n' "$2"
- # shellcheck disable=SC2016
 printf >&2 'The user %s could not be %s as `darwin-rebuild` was not executed with Full Disk Access over SSH.\n' "$1" "$2"
 printf >&2 'You can either:\n'
 printf >&2 '\n'
@@ -157,7 +156,6 @@ in
 printf >&2 '\n'
 printf >&2 'or\n'
 printf >&2 '\n'
- # shellcheck disable=SC2016
 printf >&2 ' run `darwin-rebuild` in a graphical session.\n'
 printf >&2 '\n'
 printf >&2 'The option "Allow full disk access for remote users" can be found by\n'
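Review bot: `--exclude=SC2016,SC1112` switches the single-quote warning off for the whole of `$out/activate` and `$out/activate-user`, not only for the `printf` messages the new comment has in mind, so a genuine `'$var'` that was meant to expand in script logic is no longer reported anywhere in either file. The per-line `# shellcheck disable=SC2016` directives this commit strips were noisy but scoped; if the global exclusion stays, the comment should admit the trade-off, e.g. `# NOTE: this also hides real unexpanded-variable mistakes; check quoting in new activation code by hand.`. The derivation body this line belongs to extends beyond the hunk.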
@@ -171,11 +169,9 @@ in if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then printf >&2 '\e[1;31merror: permission denied when trying to %s user %s, aborting activation\e[0m\n' "$2" "$1" - # shellcheck disable=SC2016 printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n' printf >&2 'please accept the dialog that pops up.\n' printf >&2 '\n' - # shellcheck disable=SC2016 printf >&2 'If you do not wish to be prompted every time `darwin-rebuild updates your users,\n' printf >&2 'you can grant Full Disk Access to your terminal emulator in System Settings.\n' printf >&2 '\n' @@ -224,7 +220,6 @@ in if [ "$u" -gt 501 ]; then # TODO: add `darwin.primaryUser` as well if [[ ${name} == "$USER" ]]; then - # shellcheck disable=SC2016 printf >&2 '\e[1;31merror: refusing to delete the user calling `darwin-rebuild` (%s), aborting activation\e[0m\n', ${name} exit 1 fi From 94adbd6259190f49104f2edfe82d8e8c2073be05 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 047/118] darwin-uninstaller: remove `darwin` channel from `root` too --- pkgs/darwin-uninstaller/configuration.nix | 6 +++--- pkgs/darwin-uninstaller/default.nix | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/darwin-uninstaller/configuration.nix b/pkgs/darwin-uninstaller/configuration.nix index 295477a6..56ab228f 100644 --- a/pkgs/darwin-uninstaller/configuration.nix +++ b/pkgs/darwin-uninstaller/configuration.nix @@ -16,12 +16,12 @@ with lib; nix.useDaemon = mkForce false; system.activationScripts.postUserActivation.text = mkAfter '' - if [[ -L ~/.nix-defexpr/channels/darwin ]]; then - nix-channel --remove darwin || true - fi + nix-channel --remove darwin || true ''; system.activationScripts.postActivation.text = mkAfter '' + nix-channel --remove darwin || true + if [[ -L /Applications/Nix\ Apps ]]; then rm /Applications/Nix\ Apps fi 
diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index 93092a8f..0214652b 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix @@ -77,7 +77,7 @@ in writeShellApplication { echo >&2 echo >&2 "checking darwin channel" - test -e ~/.nix-defexpr/channels/darwin && exit 1 + nix-instantiate --find-file darwin && exit 1 echo >&2 "checking /etc" test -e /etc/static && exit 1 echo >&2 "checking /run/current-system" From 5665d6c05ef73b904e3a8bc37c35b7be1d923f4d Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 048/118] darwin-rebuild: pass `${extraBuildFlags[@]}` to `nix-instantiate` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Theoretically required for `darwin-rebuild edit -I darwin-config=…`, I guess. We also shouldn’t run it for flake‐based setups. --- pkgs/nix-tools/darwin-rebuild.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh index f945e6b4..844c0a8e 100644 --- a/pkgs/nix-tools/darwin-rebuild.sh +++ b/pkgs/nix-tools/darwin-rebuild.sh @@ -171,8 +171,8 @@ if [ "$action" != build ]; then fi if [ "$action" = edit ]; then - darwinConfig=$(nix-instantiate --find-file darwin-config) if [ -z "$flake" ]; then + darwinConfig=$(nix-instantiate "${extraBuildFlags[@]}" --find-file darwin-config) exec "${EDITOR:-vi}" "$darwinConfig" else exec nix "${flakeFlags[@]}" edit "${extraLockFlags[@]}" -- "$flake#$flakeAttr" From 02232f71c5712d08d6fb9d0dbedec50509cebbba Mon Sep 17 00:00:00 2001 
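Review bot: `nix-instantiate --find-file darwin && exit 1` is the expected-to-fail path once the channel is gone, but as far as I know `nix-instantiate` reports a failed lookup on stderr, so the uninstaller's self-check now prints an error-looking line right after `checking darwin channel` even when the uninstall succeeded; `nix-instantiate --find-file darwin 2>/dev/null && exit 1` keeps only the intended signal. The neighbouring `test -e` checks in the same block are silent, which is the behaviour this line replaced. The check block extends beyond the hunk.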
From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 049/118] nix-tools: drop `nixPackage` We already put `/nix/var/nix/profiles/default/bin` on the `$PATH`, and whatever `nix.package` is set to already gets installed into `/run/current-system/sw/bin`, so this is pointless. --- modules/nix/nix-darwin.nix | 1 - pkgs/nix-tools/default.nix | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index 4a989d79..4fed9fda 100644 --- a/modules/nix/nix-darwin.nix +++ b/modules/nix/nix-darwin.nix @@ -4,7 +4,6 @@ let nix-tools = pkgs.callPackage ../../pkgs/nix-tools { inherit (config.system) profile; inherit (config.environment) systemPath; - nixPackage = config.nix.package; }; darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; diff --git a/pkgs/nix-tools/default.nix b/pkgs/nix-tools/default.nix index 4a496bb1..449a8c4d 100644 --- a/pkgs/nix-tools/default.nix +++ b/pkgs/nix-tools/default.nix @@ -5,12 +5,11 @@ , substituteAll , stdenv , profile ? "/nix/var/nix/profiles/system" -, nixPackage ? "/nix/var/nix/profiles/default" , systemPath ? "$HOME/.nix-profile/bin:/etc/profiles/per-user/$USER/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" }: let - extraPath = lib.makeBinPath [ nixPackage coreutils jq git ]; + extraPath = lib.makeBinPath [ coreutils jq git ]; writeProgram = name: env: src: substituteAll ({ From 3d95b013516aa3c97e645ad803d1a497097dab90 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 18 Jan 2025 20:27:17 +0000 Subject: [PATCH 050/118] nix-tools: make `systemPath` more readable --- pkgs/nix-tools/default.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/pkgs/nix-tools/default.nix b/pkgs/nix-tools/default.nix index 449a8c4d..582309ef 100644 --- a/pkgs/nix-tools/default.nix +++ b/pkgs/nix-tools/default.nix 
@@ -5,7 +5,22 @@ , substituteAll , stdenv , profile ? "/nix/var/nix/profiles/system" -, systemPath ? "$HOME/.nix-profile/bin:/etc/profiles/per-user/$USER/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" +, # This should be kept in sync with the default + # `environment.systemPath`. We err on side of including conditional + # things like the profile directories, since they’re more likely to + # help than hurt, and this default is mostly used for fresh + # installations anyway. + systemPath ? lib.concatStringsSep ":" [ + "$HOME/.nix-profile/bin" + "/etc/profiles/per-user/$USER/bin" + "/run/current-system/sw/bin" + "/nix/var/nix/profiles/default/bin" + "/usr/local/bin" + "/usr/bin" + "/bin" + "/usr/sbin" + "/sbin" +] }: let From c3954c51c4a02a9ed5455252c09b7b1690cb59bf Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 18 Jan 2025 23:14:51 +0000 Subject: [PATCH 051/118] checks: remove `runLink` Now that we create `/run` as part of activation, this is no longer useful for anaything. --- modules/system/checks.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index c1ab4095..edc1834a 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -47,14 +47,6 @@ let fi ''; - runLink = '' - if [[ ! -e /run ]]; then - printf >&2 'error: directory /run does not exist, aborting activation\n' - exit 1 - fi - ''; - - oldBuildUsers = '' if dscl . -list /Users | grep -q '^nixbld'; then echo "error: Detected old style nixbld users, aborting activation" >&2 @@ -382,7 +374,6 @@ in system.checks.text = mkMerge [ darwinChanges (mkIf cfg.verifyMacOSVersion macOSVersion) - runLink (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) From 4d0ae6980d128baecf7e7f636e4df4a95740d628 Mon Sep 17 00:00:00 2001 
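Review bot: The new default keeps `$HOME/.nix-profile/bin` and `/etc/profiles/per-user/$USER/bin` ahead of the system entries, and both are expanded when the script runs, not when it is built. Once these tools are run as `sudo darwin-rebuild` (as patch 053 anticipates) on a system whose sudoers keeps `HOME` — the Sequoia defaults quoted in patch 059 list `env_keep += "HOME MAIL"` — `$HOME` still names the invoking user's home while `$USER` is `root`, so a user-writable directory sits first on root's `PATH` for the whole rebuild. Consider ordering `/run/current-system/sw/bin` and `/nix/var/nix/profiles/default/bin` before the per-user entries in this default, or at least stating the trade-off in the comment, since the `export PATH=@path@` lines introduced in patch 052 presumably inherit this ordering verbatim.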
From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 052/118] nix-tools: overwrite `$PATH` rather than prepending MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I don’t see any reason for these scripts to depend on more environmental state than necessary. --- pkgs/nix-tools/darwin-option.sh | 2 +- pkgs/nix-tools/darwin-rebuild.sh | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/nix-tools/darwin-option.sh b/pkgs/nix-tools/darwin-option.sh index 8e40e93c..d4cb5487 100755 --- a/pkgs/nix-tools/darwin-option.sh +++ b/pkgs/nix-tools/darwin-option.sh @@ -1,7 +1,7 @@ #! @shell@ set -e set -o pipefail -export PATH=@path@:$PATH +export PATH=@path@ evalNix() { nix-instantiate --eval --strict "${extraEvalFlags[@]}" -E "with import {}; $*" 2>/dev/null diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh index f945e6b4..74ec7ecf 100644 --- a/pkgs/nix-tools/darwin-rebuild.sh +++ b/pkgs/nix-tools/darwin-rebuild.sh @@ -1,8 +1,7 @@ #! @shell@ set -e set -o pipefail -export PATH=@path@:$PATH - +export PATH=@path@ showSyntax() { echo "darwin-rebuild [--help] {edit | switch | activate | build | check | changelog}" >&2 From b5b7888793329a8c70c216cae9db8a0180b3dcda Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 053/118] nix-tools: set `$NIX_PATH` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will be important once most users are running `sudo darwin-rebuild` and therefore not getting their environment’s `$NIX_PATH` passed through. --- modules/nix/nix-darwin.nix | 1 + pkgs/nix-tools/darwin-option.sh | 2 ++ pkgs/nix-tools/darwin-rebuild.sh | 2 ++ pkgs/nix-tools/default.nix | 9 +++++++-- 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index 4fed9fda..a064f49a 100644 --- a/modules/nix/nix-darwin.nix 
+++ b/modules/nix/nix-darwin.nix @@ -4,6 +4,7 @@ let nix-tools = pkgs.callPackage ../../pkgs/nix-tools { inherit (config.system) profile; inherit (config.environment) systemPath; + nixPath = lib.concatStringsSep ":" config.nix.nixPath; }; darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; diff --git a/pkgs/nix-tools/darwin-option.sh b/pkgs/nix-tools/darwin-option.sh index d4cb5487..79ecee91 100755 --- a/pkgs/nix-tools/darwin-option.sh +++ b/pkgs/nix-tools/darwin-option.sh @@ -1,7 +1,9 @@ #! @shell@ set -e set -o pipefail + export PATH=@path@ +export NIX_PATH=${NIX_PATH:-@nixPath@} evalNix() { nix-instantiate --eval --strict "${extraEvalFlags[@]}" -E "with import {}; $*" 2>/dev/null diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh index 74ec7ecf..2e250c5d 100644 --- a/pkgs/nix-tools/darwin-rebuild.sh +++ b/pkgs/nix-tools/darwin-rebuild.sh @@ -1,7 +1,9 @@ #! @shell@ set -e set -o pipefail + export PATH=@path@ +export NIX_PATH=${NIX_PATH:-@nixPath@} showSyntax() { echo "darwin-rebuild [--help] {edit | switch | activate | build | check | changelog}" >&2 diff --git a/pkgs/nix-tools/default.nix b/pkgs/nix-tools/default.nix index 582309ef..8d6b89b7 100644 --- a/pkgs/nix-tools/default.nix +++ b/pkgs/nix-tools/default.nix @@ -21,6 +21,11 @@ "/usr/sbin" "/sbin" ] +, # This should be kept in sync with the default `nix.nixPath`. + nixPath ? lib.concatStringsSep ":" [ + "darwin-config=/etc/nix-darwin/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" +] }: let @@ -39,14 +44,14 @@ in { darwin-option = writeProgram "darwin-option" { - inherit path; + inherit path nixPath; inherit (stdenv) shell; } ./darwin-option.sh; darwin-rebuild = writeProgram "darwin-rebuild" { - inherit path profile; + inherit path nixPath profile; inherit (stdenv) shell; postInstall = '' mkdir -p $out/share/zsh/site-functions From 87b61d666632de823338039e6a10785b15519ae4 Mon Sep 17 00:00:00 2001 
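Review bot: `export NIX_PATH=${NIX_PATH:-@nixPath@}` in both scripts leaves the expansion unquoted; bash treats `export` arguments that look like assignments as assignments, so this works under `#! @shell@`, but the intent is clearer and portable to other shells as `export NIX_PATH="${NIX_PATH:-@nixPath@}"`. The substituted value is also only a fallback: a `darwin-rebuild` run without `sudo` still uses whatever `NIX_PATH` the caller exports, which may lack `darwin-config`, so the two invocation modes can resolve different configurations — worth a sentence in the comment above `nixPath` in `default.nix`.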
From: Emily Date: Tue, 21 Jan 2025 00:26:58 +0000 Subject: [PATCH 054/118] eval-config: omit `enableNixpkgsReleaseCheck` from `lib.evalModules` --- eval-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eval-config.nix b/eval-config.nix index 5014c6c9..7c6d48ff 100644 --- a/eval-config.nix +++ b/eval-config.nix @@ -77,7 +77,7 @@ let }; }; - eval = lib.evalModules (builtins.removeAttrs args [ "lib" ] // { + eval = lib.evalModules (builtins.removeAttrs args [ "lib" "enableNixpkgsReleaseCheck" ] // { class = "darwin"; modules = modules ++ [ argsModule ] ++ baseModules; specialArgs = { modulesPath = builtins.toString ./modules; } // specialArgs; From 1e16e2a9c25b5a15040686be6f07d0ce67043260 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 26 Jan 2025 21:38:12 +0000 Subject: [PATCH 055/118] ci: use the PR head as `` for install test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was installing against the base branch, which causes annoying issues when things like the state version are bumped. It’s possible this was intentional to test the upgrade path, but it’s inconsistent with the flake installation test and keeps breaking stuff on my PRs. If we want to test the upgrade path then we could re‐add it again later in a more sophisticated manner (e.g. using the example config from the previous version). --- .github/workflows/test.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 63c155b6..c03cee1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,6 @@ on: env: NIXPKGS_BRANCH: nixpkgs-unstable - NIX_DARWIN_BRANCH: master NIX_VERSION: 2.24.11 jobs: 
@@ -40,7 +39,6 @@ jobs: nix_path: nixpkgs=channel:${{ env.NIXPKGS_BRANCH }} - name: Install channels run: | - nix-channel --add https://github.com/LnL7/nix-darwin/archive/${{ env.NIX_DARWIN_BRANCH }}.tar.gz darwin nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs nix-channel --update - name: Install nix-darwin @@ -52,11 +50,22 @@ jobs: nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ + "s/# programs.fish.enable = true;/ \ + imports = [ \ + ({ options, ... }: { \ + nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ + environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ + nix.nixPath = \ + [ { darwin = \"${PWD////\/}\"; } ] \ + ++ options.nix.nixPath.default; \ + }) \ + ]; \ + /" \ ~/.config/nix-darwin/configuration.nix nix run .#darwin-rebuild \ -- switch \ + -I darwin=. \ -I darwin-config=$HOME/.config/nix-darwin/configuration.nix - name: Switch to new configuration run: | @@ -66,7 +75,7 @@ jobs: "s/pkgs.vim/pkgs.hello/" \ ~/.config/nix-darwin/configuration.nix - darwin-rebuild switch -I darwin=. + darwin-rebuild switch hello - name: Test uninstallation of nix-darwin From 2119dd10f65e376dd42f32b0f7ec43577f48129a Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 27 Jan 2025 20:53:07 +0000 Subject: [PATCH 056/118] checks: remove `darwinChanges` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It seems like this has been broken since 26bab2fd3290b42a3df54db291f0d8775f128857 from 2018; macOS `diff(1)` does not support these arguments and the `$PATH` has been fixed since that point. Before that, it would presumably only have worked if you added GNU diffutils to `environment.systemPackages`. Proactively notifying users about breaking changes isn’t a bad idea, but the activation script doesn’t seem like the right place for it, and as it’s non‐blocking it’s likely that even if it worked it would get drowned out by the later output anyway. I’d like to move the changelog into release notes as part of the manual, which would requires changes to this anyway. Since it’s been broken for almost seven years anyway, let’s just drop it for now and revisit later. --- modules/system/checks.nix | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 628f6ed4..9d6470be 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -8,22 +8,6 @@ let cfg = config.system.checks; - darwinChanges = '' - darwinChanges=/dev/null - if test -e /run/current-system/darwin-changes; then - darwinChanges=/run/current-system/darwin-changes - fi - - darwinChanges=$(diff --changed-group-format='%>' --unchanged-group-format= /run/current-system/darwin-changes $systemConfig/darwin-changes 2> /dev/null) || true - if test -n "$darwinChanges"; then - echo >&2 - echo "CHANGELOG" >&2 - echo >&2 - echo "$darwinChanges" >&2 - echo >&2 - fi - ''; - macOSVersion = '' IFS=. read -ra osVersion <<<"$(sw_vers --productVersion)" if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then 
@@ -368,7 +352,6 @@ in config = { system.checks.text = mkMerge [ - darwinChanges (mkIf cfg.verifyMacOSVersion macOSVersion) (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) From 0e87d3d3914321ceea5b10a87f48b6ff6179e190 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 057/118] =?UTF-8?q?activate-system:=20don=E2=80=99t=20`Kee?= =?UTF-8?q?pAlive`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It seems like a bad idea to keep restarting the activation daemon when it fails. --- modules/services/activate-system/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index 6a982fe8..d8d86831 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -28,7 +28,6 @@ ${config.system.activationScripts.keyboard.text} ''; serviceConfig.RunAtLoad = true; - serviceConfig.KeepAlive.SuccessfulExit = false; }; }; } From ff80eacd0f756fa2c410f9128b114eeb0b4e5bc5 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 058/118] activation-scripts: remove `_status` I believe this has been obsolete since `set -e` was added in 8708ebb7964fc68311f5eae73bb7c45bfbb93d54. --- modules/system/activation-scripts.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 5f8916cc..b95ea324 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -44,9 +44,6 @@ in systemConfig=@out@ - _status=0 - trap "_status=1" ERR - # Ensure a consistent umask. umask 0022 
@@ -82,8 +79,6 @@ in
 # Prevent the current configuration from being garbage-collected.
 ln -sfn /run/current-system /nix/var/nix/gcroots/current-system
-
- exit $_status
 '';
 # FIXME: activationScripts.checks should be system level
From 4bff4bc8ae105dbc3a56ed5255fbde9495cbf4c1 Mon Sep 17 00:00:00 2001
From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH 059/118] {activation-scripts,activate-system}: purify environment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures that system activation does not depend on various details of its process environment, ensuring uniformity across various invocation contexts and with the `activate-system` daemon. This becomes more important in a post‐user‐activation world to avoid problematic dependencies like `$SUDO_USER`, but is a good idea in general. The `sudoers(5)` defaults on my Sequoia system are: Defaults env_reset Defaults env_keep += "BLOCKSIZE" Defaults env_keep += "COLORFGBG COLORTERM" Defaults env_keep += "__CF_USER_TEXT_ENCODING" Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" Defaults env_keep += "LINES COLUMNS" Defaults env_keep += "LSCOLORS" Defaults env_keep += "SSH_AUTH_SOCK" Defaults env_keep += "TZ" Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" Defaults env_keep += "EDITOR VISUAL" Defaults env_keep += "HOME MAIL" Of these preserved environment variables, the ones that are set in practice when I run `sudo env` that aren’t set in the activation script here are: * `$COLORTERM` * `$DISPLAY` * `$EDITOR` * `$MAIL` * `$SSH_AUTH_SOCK` * `$TERM` * `$__CF_USER_TEXT_ENCODING` Most of these seem either pointless or actively harmful to set for the purpose of the system activation script. This will mean that tools run during activation won’t print output in the user’s preferred language, but that’s probably the right trade‐off overall, as that is likely to break activation scripts that parse command output anyway. --- modules/services/activate-system/default.nix | 7 +++++++ modules/system/activation-scripts.nix | 19 ++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) 
diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index d8d86831..127514a6 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -10,7 +10,14 @@ script = '' set -e set -o pipefail + export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + export USER=root + export LOGNAME=root + export HOME=~root + export SHELL=$BASH + export LANG=C + export LC_CTYPE=UTF-8 systemConfig=$(cat ${config.system.profile}/systemConfig) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index b95ea324..0143d2ba 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -37,16 +37,33 @@ in config = { system.activationScripts.script.text = '' - #! ${stdenv.shell} + #!/usr/bin/env -i ${stdenv.shell} + # shellcheck shell=bash + # shellcheck disable=SC2096 + set -e set -o pipefail + export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + export USER=root + export LOGNAME=root + export HOME=~root + export SHELL=$BASH + export LANG=C + export LC_CTYPE=UTF-8 systemConfig=@out@ # Ensure a consistent umask. umask 0022 + cd / + + if [[ $(id -u) -ne 0 ]]; then + printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n' + exit 2 + fi + ${cfg.activationScripts.preActivation.text} # We run `etcChecks` again just in case someone runs `activate` From 5bc4677c03b61213912de654a9409d225fd9fe07 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 060/118] readme: reduce duplication in installation instructions --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 97200d69..3346fe0a 100644 --- a/README.md +++ b/README.md 
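Review bot: In the `activate-system` launchd script the new `PATH` includes `@out@/sw/bin`, but nothing visible substitutes `@out@` there — that script interpolates Nix values such as `${config.system.profile}` directly, unlike `activation-scripts.nix` where `systemConfig=@out@` is evidently substituted — so the entry is presumably the literal string `@out@/sw/bin` at run time; `${config.system.profile}/sw/bin` or `/run/current-system/sw/bin` would resolve. Otherwise the purification is sound hardening: a fixed `PATH`, `HOME=~root` and `LANG=C` remove the caller-environment dependence the message describes, and the `id -u` guard with `exit 2` fails closed before `preActivation` runs. Both hunks are complete within this patch.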
@@ -142,11 +142,7 @@ sudo nix-channel --update To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash -# If you use Nixpkgs unstable (the default): -nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A darwin-rebuild -# If you use Nixpkgs 24.11: -nix-build https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz -A darwin-rebuild - +nix-build '' -A darwin-rebuild ./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix ``` From 2733527a586bad9939edc829017acdbc99654d9b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 13 Jan 2025 23:21:04 +0000 Subject: [PATCH 061/118] {environment,readme}: default configuration path to `/etc/nix-darwin` --- .github/workflows/test.yml | 41 ++++++++++++++++---------------- CHANGELOG | 8 +++++++ README.md | 15 ++++++------ modules/environment/default.nix | 20 ++++++++++++++-- modules/examples/flake/flake.nix | 2 +- modules/examples/hydra.nix | 2 +- modules/examples/lnl.nix | 4 ++-- modules/examples/simple.nix | 5 +--- modules/system/checks.nix | 2 +- modules/system/version.nix | 2 +- 10 files changed, 61 insertions(+), 40 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c03cee1f..d87b7636 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -43,13 +43,11 @@ jobs: nix-channel --update - name: Install nix-darwin run: | - export NIX_PATH=$HOME/.nix-defexpr/channels - - mkdir -p ~/.config/nix-darwin - cp modules/examples/simple.nix ~/.config/nix-darwin/configuration.nix + sudo mkdir -p /etc/nix-darwin + sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ 
@@ -61,19 +59,18 @@ jobs: }) \ ]; \ /" \ - ~/.config/nix-darwin/configuration.nix + /etc/nix-darwin/configuration.nix - nix run .#darwin-rebuild \ - -- switch \ + nix run .#darwin-rebuild -- switch \ -I darwin=. \ - -I darwin-config=$HOME/.config/nix-darwin/configuration.nix + -I darwin-config=/etc/nix-darwin/configuration.nix - name: Switch to new configuration run: | . /etc/bashrc - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/configuration.nix + /etc/nix-darwin/configuration.nix darwin-rebuild switch 
@@ -100,31 +97,33 @@ jobs: install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install - name: Install nix-darwin run: | - mkdir -p ~/.config/nix-darwin + sudo mkdir -p /etc/nix-darwin darwin=$(pwd) - pushd ~/.config/nix-darwin - nix flake init -t $darwin + pushd /etc/nix-darwin + sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ flake.nix - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ + 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ + flake.nix + sudo /usr/bin/sed -i.bak \ 's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \ flake.nix popd - nix run .#darwin-rebuild -- \ - switch --flake ~/.config/nix-darwin#simple \ + nix run .#darwin-rebuild -- switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - name: Switch to new configuration run: | . /etc/bashrc - /usr/bin/sed -i.bak \ + sudo /usr/bin/sed -i.bak \ "s/pkgs.vim/pkgs.hello/" \ - ~/.config/nix-darwin/flake.nix + /etc/nix-darwin/flake.nix - darwin-rebuild switch --flake ~/.config/nix-darwin#simple \ + darwin-rebuild switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} diff --git a/CHANGELOG b/CHANGELOG index b9a9adcc..ce169403 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,3 +1,11 @@ +2025-01-18 +- The default configuration path for all new installations + is `/etc/nix-darwin`. This was already the undocumented + default for `darwin-rebuild switch` when using flakes. This + is implemented by setting `environment.darwinConfig` to + `"/etc/nix-darwin/configuration.nix"` by default when + `system.stateVersion` ≥ 6. + 2024-09-10 - The default Nix build user group ID is now set to 350 when `system.stateVersion` ≥ 5, to reflect the default for new Nix diff --git a/README.md b/README.md index 3346fe0a..ffdfca9f 100644 --- a/README.md +++ b/README.md @@ -33,11 +33,12 @@ Despite being an experimental feature in Nix currently, nix-darwin recommends th Getting started from scratch

-If you don't have an existing `configuration.nix`, you can run the following commands to generate a basic `flake.nix` inside `~/.config/nix-darwin`: +If you don't have an existing `configuration.nix`, you can run the following commands to generate a basic `flake.nix` inside `/etc/nix-darwin`: ```bash -mkdir -p ~/.config/nix-darwin -cd ~/.config/nix-darwin +sudo mkdir -p /etc/nix-darwin +sudo chown $(id -nu):$(id -ng) /etc/nix-darwin +cd /etc/nix-darwin # To use Nixpkgs unstable: nix flake init -t nix-darwin/master @@ -88,7 +89,7 @@ Make sure to set `nixpkgs.hostPlatform` in your `configuration.nix` to either `x Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: ```bash -nix run nix-darwin -- switch --flake ~/.config/nix-darwin +nix run nix-darwin -- switch ``` ### Step 3. Using `nix-darwin` @@ -96,7 +97,7 @@ nix run nix-darwin -- switch --flake ~/.config/nix-darwin After installing, you can run `darwin-rebuild` to apply changes to your system: ```bash -darwin-rebuild switch --flake ~/.config/nix-darwin +darwin-rebuild switch ``` #### Using flake inputs @@ -124,7 +125,7 @@ nix-darwin.lib.darwinSystem { ### Step 1. Creating `configuration.nix` -Copy the [simple](./modules/examples/simple.nix) example to `~/.config/nix-darwin/configuration.nix`. +Copy the [simple](./modules/examples/simple.nix) example to `/etc/nix-darwin/configuration.nix`. ### Step 2. Adding `nix-darwin` channel @@ -143,7 +144,7 @@ To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix ```bash nix-build '' -A darwin-rebuild -./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix +./result/bin/darwin-rebuild switch -I darwin-config=/etc/nix-darwin/configuration.nix ``` ### Step 4. Using `nix-darwin` 
diff --git a/modules/environment/default.nix b/modules/environment/default.nix index 79f760e9..377a9594 100644 --- a/modules/environment/default.nix +++ b/modules/environment/default.nix @@ -67,8 +67,24 @@ in }; environment.darwinConfig = mkOption { - type = types.either types.path types.str; - default = "$HOME/.nixpkgs/darwin-configuration.nix"; + type = types.nullOr (types.either types.path types.str); + default = + if config.nixpkgs.flake.setNixPath then + # Don’t set this for flake‐based systems. + null + else if config.system.stateVersion >= 6 then + "/etc/nix-darwin/configuration.nix" + else + "$HOME/.nixpkgs/darwin-configuration.nix"; + defaultText = literalExpression '' + if config.nixpkgs.flake.setNixPath then + # Don’t set this for flake‐based systems. + null + else if config.system.stateVersion >= 6 then + "/etc/nix-darwin/configuration.nix" + else + "$HOME/.nixpkgs/darwin-configuration.nix" + ''; description = '' The path of the darwin configuration.nix used to configure the system, this updates the default darwin-config entry in NIX_PATH. Since this diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix index 138c0473..447c468a 100644 --- a/modules/examples/flake/flake.nix +++ b/modules/examples/flake/flake.nix @@ -27,7 +27,7 @@ # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 5; + system.stateVersion = 6; # The platform the configuration will be used on. nixpkgs.hostPlatform = "aarch64-darwin"; diff --git a/modules/examples/hydra.nix b/modules/examples/hydra.nix index f87ed5d0..d30f5c00 100644 --- a/modules/examples/hydra.nix +++ b/modules/examples/hydra.nix @@ -43,5 +43,5 @@ in echo "ok" ''; - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix index 2204c2fa..90142f65 100644 --- a/modules/examples/lnl.nix +++ b/modules/examples/lnl.nix 
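Review bot: The `description` of `environment.darwinConfig` still says only that it "updates the default darwin-config entry in NIX_PATH" while the type is now `nullOr` and the default is `null` on flake-based systems; the hunk's own `# Don’t set this for flake‐based systems.` comment is the only explanation of the new value. I would add to the description: `Set to null (the default when nixpkgs.flake.setNixPath is enabled) to add no darwin-config entry to NIX_PATH at all.` — presumably that is what `null` means to the consumer; please confirm before wording it that way. The option body continues outside the hunk.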
@@ -199,7 +199,7 @@ programs.zsh.enableFzfGit = true; programs.zsh.enableFzfHistory = true; - programs.zsh.variables.cfg = "$HOME/.config/nixpkgs/darwin/configuration.nix"; + programs.zsh.variables.cfg = "/etc/nix-darwin/configuration.nix"; programs.zsh.variables.darwin = "$HOME/.nix-defexpr/darwin"; programs.zsh.variables.nixpkgs = "$HOME/.nix-defexpr/nixpkgs"; @@ -322,5 +322,5 @@ nix.configureBuildUsers = true; nix.nrBuildUsers = 32; - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/examples/simple.nix b/modules/examples/simple.nix index 5771ec60..7751fb29 100644 --- a/modules/examples/simple.nix +++ b/modules/examples/simple.nix @@ -7,13 +7,10 @@ [ pkgs.vim ]; - # Use custom location for configuration.nix. - environment.darwinConfig = "$HOME/.config/nix-darwin/configuration.nix"; - # Enable alternative shell support in nix-darwin. # programs.fish.enable = true; # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 5; + system.stateVersion = 6; } diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 9d6470be..8b526b35 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -193,7 +193,7 @@ let darwinConfig=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin-config) || true if ! test -e "$darwinConfig"; then echo "error: Changed but target does not exist, aborting activation" >&2 - echo "Create ''${darwinConfig:-~/.nixpkgs/darwin-configuration.nix} or set environment.darwinConfig:" >&2 + echo "Create ''${darwinConfig:-/etc/nix-darwin/configuration.nix} or set environment.darwinConfig:" >&2 echo >&2 echo " environment.darwinConfig = \"$(nix-instantiate --find-file darwin-config 2> /dev/null || echo '***')\";" >&2 echo >&2 diff --git a/modules/system/version.nix b/modules/system/version.nix index 54829d1d..3fac46ef 100644 --- a/modules/system/version.nix +++ b/modules/system/version.nix 
@@ -51,7 +51,7 @@ in
 system.maxStateVersion = mkOption {
 internal = true;
 type = types.int;
- default = 5;
+ default = 6;
 };
 system.darwinLabel = mkOption {
From 3509925a8634f08b764922577d169757b94df97b Mon Sep 17 00:00:00 2001 From: Emily Date: Thu, 16 Jan 2025 00:00:05 +0000 Subject: [PATCH 062/118] readme: make `darwin-rebuild` use more explicit
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ffdfca9f..b0f095a1 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,10 @@ Make sure to set `nixpkgs.hostPlatform` in your `configuration.nix` to either `x
 Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command:
 ```bash
-nix run nix-darwin -- switch
+# To use Nixpkgs unstable:
+nix run nix-darwin/master#darwin-rebuild -- switch
+# To use Nixpkgs 24.11:
+nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch
 ```
 ### Step 3. Using `nix-darwin`
From cc9c8408bb9f29b4afe919eff4ad922d054cf591 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 02:31:20 +0000 Subject: [PATCH 063/118] Revert "{activation-scripts,activate-system}: purify environment" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This shouldn’t actually be split out from the Plan because of the current use of `$HOME` in the defaults for channel‐based setups. This reverts commit 4bff4bc8ae105dbc3a56ed5255fbde9495cbf4c1.
---
 modules/services/activate-system/default.nix | 7 -------
 modules/system/activation-scripts.nix | 19 +------------------
 2 files changed, 1 insertion(+), 25 deletions(-)
diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix
index 127514a6..d8d86831 100644
--- a/modules/services/activate-system/default.nix
+++ b/modules/services/activate-system/default.nix
@@ -10,14 +10,7 @@ script = '' set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" - export USER=root - export LOGNAME=root - export HOME=~root - export SHELL=$BASH - export LANG=C - export LC_CTYPE=UTF-8 systemConfig=$(cat ${config.system.profile}/systemConfig) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 0143d2ba..b95ea324 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -37,33 +37,16 @@ in config = { system.activationScripts.script.text = '' - #!/usr/bin/env -i ${stdenv.shell} - # shellcheck shell=bash - # shellcheck disable=SC2096 - + #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" - export USER=root - export LOGNAME=root - export HOME=~root - export SHELL=$BASH - export LANG=C - export LC_CTYPE=UTF-8 systemConfig=@out@ # Ensure a consistent umask. umask 0022 - cd / - - if [[ $(id -u) -ne 0 ]]; then - printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n' - exit 2 - fi - ${cfg.activationScripts.preActivation.text} # We run `etcChecks` again just in case someone runs `activate` From f1cf8c4f5a853683494cd93acbdecedb61dfc179 Mon Sep 17 00:00:00 2001 From: tarc Date: Thu, 30 Jan 2025 12:46:25 -0300 Subject: [PATCH 064/118] checks: fix sw_vers parameter for macOSVersion (`--productVersion`, not `-productVersion`) --- modules/system/checks.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 8b526b35..b466f425 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -9,7 +9,7 @@ let cfg = config.system.checks; macOSVersion = '' - IFS=. read -ra osVersion <<<"$(sw_vers --productVersion)" + IFS=. read -ra osVersion <<<"$(sw_vers -productVersion)" if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then printf >&2 '\e[1;31merror: macOS version is less than 11.3, aborting activation\e[0m\n' printf >&2 'Nixpkgs 25.05 requires macOS Big Sur 11.3 or newer, and 25.11 will\n' From 5b0cffeec2973101432f7a6ce5644e73ca661618 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 20:24:31 +0000 Subject: [PATCH 065/118] nixpkgs: fix undefined variable in assertion This got mangled in the backport a year and a half ago. Fixes: e25eeff158ceb415079e38f6e78a470c5664fa2f --- modules/nix/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index ee999971..511d718c 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -284,7 +284,7 @@ in pkgsSystem = finalPkgs.stdenv.targetPlatform.system; in { assertion = cfg.constructedByUs -> !hasPlatform -> cfg.system == pkgsSystem; - message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${darwinExpectedSystem} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; + message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${config.nixpkgs.system} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; } ) { From 962eb3f1c0c2d5e4ac92eb8bfc91333d3b1cb0e7 Mon Sep 17 00:00:00 2001 
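Review bot: The new `sw_vers -productVersion` line still leaves `osVersion` empty when `sw_vers` fails or rejects the flag, and the arithmetic test on the next line then treats the unset `osVersion[0]` as 0 and aborts with the misleading "macOS version is less than 11.3" message; `read` succeeds on the empty here-string, so any `set -e` in the assembled script would not catch it either. Guarding the call first, e.g. `productVersion=$(sw_vers -productVersion) || { printf >&2 'error: sw_vers failed\n'; exit 2; }` followed by `IFS=. read -ra osVersion <<<"$productVersion"`, makes the failure explicit. The `macOSVersion` string this hunk edits continues past the hunk.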
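Review bot: The corrected message interpolates `${config.nixpkgs.system}` while the assertion on the line above reads the same value as `cfg.system`; writing `${cfg.system}` in the message keeps the two expressions visibly identical and matches how the rest of this module refers to `config.nixpkgs`. This is only a point of style; the substitution itself is the right fix for the undefined variable.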
From: Emily Date: Mon, 3 Feb 2025 19:29:03 +0000 Subject: [PATCH 066/118] nixpkgs: assert that nixpkgs.config is not set when pkgs is passed in externally This is a common footgun people hit often. Remove it. Backport of Nixpkgs commit ce87196a00214a0062ece1c3e03a9a97f563580f. Co-authored-by: K900 --- modules/nix/nixpkgs.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 511d718c..2ed7b8da 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -300,6 +300,16 @@ in the legacy definitions. ''; } + { + assertion = opt.pkgs.isDefined -> cfg.config == {}; + message = '' + Your system configures nixpkgs with an externally created instance. + `nixpkgs.config` options should be passed when creating the instance instead. + + Current value: + ${lib.generators.toPretty { multiline = true; } opt.config} + ''; + } ]; }; } From 3cd3a79f9ba7f6c3421f4f7fd557b4c8666e7183 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:31:14 +0000 Subject: [PATCH 067/118] nixpkgs: Rewrite overlays option docs henrik-ch was also here :) Backport of Nixpkgs commit 11406bdc0e5af9b3c8a8d597da23349238c65277. Co-authored-by: Silvan Mosberger Co-Authored-By: Valentin Gagarin --- modules/nix/nixpkgs.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 2ed7b8da..4e876beb 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix 
@@ -151,16 +151,12 @@ in ''; type = types.listOf overlayType; description = '' - List of overlays to use with the Nix Packages collection. - (For details, see the Nixpkgs documentation.) It allows - you to override packages globally. Each function in the list - takes as an argument the *original* Nixpkgs. - The first argument should be used for finding dependencies, and - the second should be used for overriding recipes. + List of overlays to apply to Nixpkgs. + This option allows modifying the Nixpkgs package set accessed through the `pkgs` module argument. - If `nixpkgs.pkgs` is set, overlays specified here - will be applied after the overlays that were already present - in `nixpkgs.pkgs`. + For details, see the [Overlays chapter in the Nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#chap-overlays). + + If the {option}`nixpkgs.pkgs` option is set, overlays specified using `nixpkgs.overlays` will be applied after the overlays that were already included in `nixpkgs.pkgs`. ''; }; From 2df9e4811008fca085d15f67b51cd7bc497a17bb Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:32:13 +0000 Subject: [PATCH 068/118] nixpkgs: use less confusing example systems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit system and config shouldn't both be specified — each will be filled in based on the other when the system is elaborated. Backport of Nixpkgs commit a3ba0495452cd8e72735ebd4472838e96902a259. Co-authored-by: Alyssa Ross --- modules/nix/nixpkgs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 4e876beb..6c54c82d 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix 
@@ -162,7 +162,7 @@ in hostPlatform = mkOption { type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform - example = { system = "aarch64-darwin"; config = "aarch64-apple-darwin"; }; + example = { system = "aarch64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. apply = lib.systems.elaborate; @@ -178,7 +178,7 @@ in buildPlatform = mkOption { type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; - example = { system = "x86_64-darwin"; config = "x86_64-apple-darwin"; }; + example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. apply = lib.systems.elaborate; From 6b81859ed0e35f052043384c7febb853176bc500 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:33:20 +0000 Subject: [PATCH 069/118] nixpkgs: fix determination for cross-compiled nix-darwin system Since the output of `lib.systems.elaborate` contains functions, an equality check with `==` does not suffice, `lib.systems.equals` should be used instead. Backport of Nixpkgs commit 3794246066409d7baac72e3fdfb0e4f66ef4a013. Co-authored-by: Jared Baur --- modules/nix/nixpkgs.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 6c54c82d..383b140c 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix 
@@ -181,7 +181,12 @@ in example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = lib.systems.elaborate; + apply = inputBuildPlatform: + let elaborated = lib.systems.elaborate inputBuildPlatform; + in if lib.systems.equals elaborated cfg.hostPlatform + then cfg.hostPlatform # make identical, so that `==` equality works; +see https://github.com/NixOS/nixpkgs/issues/278001 + else elaborated; defaultText = literalExpression ''config.nixpkgs.hostPlatform''; description = '' From 320bf025d22ae9c50a410bef27596b945be65889 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:34:11 +0000 Subject: [PATCH 070/118] nixpkgs: link to Nixpkgs manual for global configuration options Backport of Nixpkgs commit e6057cfd59f278db3aeb058a4e1e0bcc24696267. Co-authored-by: Valentin Gagarin Co-authored-by: Dominic Mills --- modules/nix/nixpkgs.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 383b140c..a7585290 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -128,12 +128,11 @@ in ''; type = configType; description = '' - The configuration of the Nix Packages collection. (For - details, see the Nixpkgs documentation.) It allows you to set - package configuration options. + Global configuration for Nixpkgs. + The complete list of [Nixpkgs configuration options](https://nixos.org/manual/nixpkgs/unstable/#sec-config-options-reference) is in the [Nixpkgs manual section on global configuration](https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig). - Ignored when `nixpkgs.pkgs` is set. - ''; + Ignored when {option}`nixpkgs.pkgs` is set. +''; }; overlays = mkOption { From bd1d46766afb73b87b0e07172ca6a00a036d03da Mon Sep 17 00:00:00 2001 
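Review bot: The second line of the new comment, `see https://github.com/NixOS/nixpkgs/issues/278001`, has no leading `#`, so it is not a comment but Nix code: the `then` branch becomes `cfg.hostPlatform see https://…`, an application of `see` to a URL literal, which would fail at evaluation (as an undefined variable, or by applying an attribute set as a function if `see` resolved through the `with lib;` still in scope at this commit) whenever the elaborated `buildPlatform` equals `hostPlatform`, i.e. the default case. The later `nixfmt` commit in this series formats `see` and a quoted URL string as separate expression tokens, and subsequent hunk headers show `see https://…` as a column-0 context line, which corroborates that the file holds it as code rather than comment. The fix is to prefix the line, `# see https://github.com/NixOS/nixpkgs/issues/278001`, or fold it onto the preceding comment line.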
From: Emily Date: Mon, 3 Feb 2025 19:26:13 +0000 Subject: [PATCH 071/118] nixpkgs: remove `with lib;` Backport of Nixpkgs commit 609e57485d1fa111e3a689498d9d338dc03a7bc5. Co-authored-by: Felix Buehler --- modules/nix/nixpkgs.nix | 70 ++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 36 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index a7585290..f74398f6 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -1,7 +1,5 @@ { config, options, lib, pkgs, ... }: -with lib; - let cfg = config.nixpkgs; opt = options.nixpkgs; @@ -19,19 +17,19 @@ let lhs = optCall lhs_ { inherit pkgs; }; rhs = optCall rhs_ { inherit pkgs; }; in - recursiveUpdate lhs rhs // - optionalAttrs (lhs ? packageOverrides) { + lib.recursiveUpdate lhs rhs // + lib.optionalAttrs (lhs ? packageOverrides) { packageOverrides = pkgs: optCall lhs.packageOverrides pkgs // - optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs; + optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; } // - optionalAttrs (lhs ? perlPackageOverrides) { + lib.optionalAttrs (lhs ? perlPackageOverrides) { perlPackageOverrides = pkgs: optCall lhs.perlPackageOverrides pkgs // - optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; + optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; }; - configType = mkOptionType { + configType = lib.mkOptionType { name = "nixpkgs-config"; description = "nixpkgs config"; check = x: 
@@ -39,32 +37,32 @@ let if c x then true else lib.traceSeqN 1 x false; in traceXIfNot isConfig; - merge = args: foldr (def: mergeConfig def.value) {}; + merge = args: lib.foldr (def: mergeConfig def.value) {}; }; - overlayType = mkOptionType { + overlayType = lib.mkOptionType { name = "nixpkgs-overlay"; description = "nixpkgs overlay"; check = lib.isFunction; merge = lib.mergeOneOption; }; - pkgsType = types.pkgs // { + pkgsType = lib.types.pkgs // { # This type is only used by itself, so let's elaborate the description a bit # for the purpose of documentation. description = "An evaluation of Nixpkgs; the top level attribute set of packages"; }; - hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority; + hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault {}).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; # Context for messages - hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}"; - buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}"; + hostPlatformLine = lib.optionalString hasHostPlatform "${lib.showOptionWithDefLocs opt.hostPlatform}"; + buildPlatformLine = lib.optionalString hasBuildPlatform "${lib.showOptionWithDefLocs opt.buildPlatform}"; legacyOptionsDefined = - optional (opt.system.highestPrio < (mkDefault {}).priority) opt.system + lib.optional (opt.system.highestPrio < (lib.mkDefault {}).priority) opt.system ; defaultPkgs = @@ -96,9 +94,9 @@ in { options.nixpkgs = { - pkgs = mkOption { + pkgs = lib.mkOption { type = pkgsType; - example = literalExpression "import {}"; + example = lib.literalExpression "import {}"; description = '' If set, the pkgs argument to all nix-darwin modules is the value of this option, extended with `nixpkgs.overlays`, if 
@@ -120,9 +118,9 @@ in ''; }; - config = mkOption { + config = lib.mkOption { default = {}; - example = literalExpression + example = lib.literalExpression '' { allowBroken = true; allowUnfree = true; } ''; @@ -135,9 +133,9 @@ in ''; }; - overlays = mkOption { + overlays = lib.mkOption { default = []; - example = literalExpression + example = lib.literalExpression '' [ (self: super: { @@ -148,7 +146,7 @@ in }) ] ''; - type = types.listOf overlayType; + type = lib.types.listOf overlayType; description = '' List of overlays to apply to Nixpkgs. This option allows modifying the Nixpkgs package set accessed through the `pkgs` module argument. @@ -159,8 +157,8 @@ in ''; }; - hostPlatform = mkOption { - type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + hostPlatform = lib.mkOption { + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform example = { system = "aarch64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. @@ -174,8 +172,8 @@ in ''; }; - buildPlatform = mkOption { - type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + buildPlatform = lib.mkOption { + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules @@ -186,7 +184,7 @@ in then cfg.hostPlatform # make identical, so that `==` equality works; see https://github.com/NixOS/nixpkgs/issues/278001 else elaborated; - defaultText = literalExpression + defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. 
@@ -202,8 +200,8 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; }; - system = mkOption { - type = types.str; + system = lib.mkOption { + type = lib.types.str; example = "x86_64-darwin"; default = if opt.hostPlatform.isDefined @@ -232,9 +230,9 @@ see https://github.com/NixOS/nixpkgs/issues/278001 # nix-darwin only - source = mkOption { - type = types.path; - defaultText = literalMD '' + source = lib.mkOption { + type = lib.types.path; + defaultText = lib.literalMD '' `` or nix-darwin's `nixpkgs` flake input ''; description = '' @@ -247,8 +245,8 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; }; - constructedByUs = mkOption { - type = types.bool; + constructedByUs = lib.mkOption { + type = lib.types.bool; internal = true; description = '' Whether `pkgs` was constructed by this module. This is false when any of @@ -290,12 +288,12 @@ see https://github.com/NixOS/nixpkgs/issues/278001 { assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == []; message = '' - Your system configures nixpkgs with the platform parameter${optionalString hasBuildPlatform "s"}: + Your system configures nixpkgs with the platform parameter${lib.optionalString hasBuildPlatform "s"}: ${hostPlatformLine }${buildPlatformLine } However, it also defines the legacy options: - ${concatMapStrings showOptionWithDefLocs legacyOptionsDefined} + ${lib.concatMapStrings lib.showOptionWithDefLocs legacyOptionsDefined} For a future proof system configuration, we recommend to remove the legacy definitions. ''; From e84e84a2566a1b431686c9c5ed45b01e1fdcf831 Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 3 Feb 2025 19:35:53 +0000 Subject: [PATCH 072/118] nixpkgs: fix `config` assertion text The assertion message should include the `nixpkgs.config` value, however it currently includes the entire `nixpkgs.config` _option_. This means the type, declarations, definitions, etc were all printed. Backport of Nixpkgs commit 1bd4da1848cb7b68858ebb2ca1f8b0e5fed46c58. Co-authored-by: Matt Sturgeon --- modules/nix/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index f74398f6..739d02d4 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -305,7 +305,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 `nixpkgs.config` options should be passed when creating the instance instead. Current value: - ${lib.generators.toPretty { multiline = true; } opt.config} + ${lib.generators.toPretty { multiline = true; } cfg.config} ''; } ]; From 80eddf2bf743620faab78d06846d9478fb21aa3b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:36:42 +0000 Subject: [PATCH 073/118] nixpkgs: show definition files in `config` assertion Backport of Nixpkgs commit 6d9dfef94ffd59a327573eea7bc709a84c44b3d2. Co-authored-by: Matt Sturgeon --- modules/nix/nixpkgs.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index 739d02d4..c0151655 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -306,6 +306,9 @@ see https://github.com/NixOS/nixpkgs/issues/278001 Current value: ${lib.generators.toPretty { multiline = true; } cfg.config} + + Defined in: + ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } ]; From dc1c716ded39758062ed7e6bc410ad274119de9f Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 3 Feb 2025 19:37:53 +0000 Subject: [PATCH 074/118] nixpkgs: format with `nixfmt` --- modules/nix/nixpkgs.nix | 168 +++++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 78 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index c0151655..fa156a51 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix 
@@ -1,43 +1,48 @@ -{ config, options, lib, pkgs, ... }: +{ + config, + options, + lib, + pkgs, + ... +}: let cfg = config.nixpkgs; opt = options.nixpkgs; - isConfig = x: - builtins.isAttrs x || lib.isFunction x; + isConfig = x: builtins.isAttrs x || lib.isFunction x; - optCall = f: x: - if lib.isFunction f - then f x - else f; + optCall = f: x: if lib.isFunction f then f x else f; - mergeConfig = lhs_: rhs_: + mergeConfig = + lhs_: rhs_: let lhs = optCall lhs_ { inherit pkgs; }; rhs = optCall rhs_ { inherit pkgs; }; in - lib.recursiveUpdate lhs rhs // - lib.optionalAttrs (lhs ? packageOverrides) { - packageOverrides = pkgs: - optCall lhs.packageOverrides pkgs // - optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; - } // - lib.optionalAttrs (lhs ? perlPackageOverrides) { - perlPackageOverrides = pkgs: - optCall lhs.perlPackageOverrides pkgs // - optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; + lib.recursiveUpdate lhs rhs + // lib.optionalAttrs (lhs ? packageOverrides) { + packageOverrides = + pkgs: + optCall lhs.packageOverrides pkgs // optCall (lib.attrByPath [ "packageOverrides" ] { } rhs) pkgs; + } + // lib.optionalAttrs (lhs ? perlPackageOverrides) { + perlPackageOverrides = + pkgs: + optCall lhs.perlPackageOverrides pkgs + // optCall (lib.attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; }; configType = lib.mkOptionType { name = "nixpkgs-config"; description = "nixpkgs config"; - check = x: - let traceXIfNot = c: - if c x then true - else lib.traceSeqN 1 x false; - in traceXIfNot isConfig; - merge = args: lib.foldr (def: mergeConfig def.value) {}; + check = + x: + let + traceXIfNot = c: if c x then true else lib.traceSeqN 1 x false; + in + traceXIfNot isConfig; + merge = args: lib.foldr (def: mergeConfig def.value) { }; }; overlayType = lib.mkOptionType { 
@@ -53,7 +58,7 @@ let description = "An evaluation of Nixpkgs; the top level attribute set of packages"; }; - hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault {}).priority; + hasBuildPlatform = opt.buildPlatform.highestPrio < (lib.mkOptionDefault { }).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; @@ -61,27 +66,31 @@ let hostPlatformLine = lib.optionalString hasHostPlatform "${lib.showOptionWithDefLocs opt.hostPlatform}"; buildPlatformLine = lib.optionalString hasBuildPlatform "${lib.showOptionWithDefLocs opt.buildPlatform}"; - legacyOptionsDefined = - lib.optional (opt.system.highestPrio < (lib.mkDefault {}).priority) opt.system - ; + legacyOptionsDefined = lib.optional ( + opt.system.highestPrio < (lib.mkDefault { }).priority + ) opt.system; defaultPkgs = - if opt.hostPlatform.isDefined - then - let isCross = cfg.buildPlatform != cfg.hostPlatform; - systemArgs = - if isCross - then { + if opt.hostPlatform.isDefined then + let + isCross = cfg.buildPlatform != cfg.hostPlatform; + systemArgs = + if isCross then + { localSystem = cfg.buildPlatform; crossSystem = cfg.hostPlatform; } - else { + else + { localSystem = cfg.hostPlatform; }; in - import cfg.source ({ - inherit (cfg) config overlays; - } // systemArgs) + import cfg.source ( + { + inherit (cfg) config overlays; + } + // systemArgs + ) else import cfg.source { inherit (cfg) config overlays; 
@@ -119,33 +128,31 @@ in }; config = lib.mkOption { - default = {}; - example = lib.literalExpression - '' - { allowBroken = true; allowUnfree = true; } - ''; + default = { }; + example = lib.literalExpression '' + { allowBroken = true; allowUnfree = true; } + ''; type = configType; description = '' Global configuration for Nixpkgs. The complete list of [Nixpkgs configuration options](https://nixos.org/manual/nixpkgs/unstable/#sec-config-options-reference) is in the [Nixpkgs manual section on global configuration](https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig). Ignored when {option}`nixpkgs.pkgs` is set. -''; + ''; }; overlays = lib.mkOption { - default = []; - example = lib.literalExpression - '' - [ - (self: super: { - openssh = super.openssh.override { - hpnSupport = true; - kerberos = self.libkrb5; - }; - }) - ] - ''; + default = [ ]; + example = lib.literalExpression '' + [ + (self: super: { + openssh = super.openssh.override { + hpnSupport = true; + kerberos = self.libkrb5; + }; + }) + ] + ''; type = lib.types.listOf overlayType; description = '' List of overlays to apply to Nixpkgs. @@ -159,7 +166,9 @@ in hostPlatform = lib.mkOption { type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform - example = { system = "aarch64-darwin"; }; + example = { + system = "aarch64-darwin"; + }; # Make sure that the final value has all fields for sake of other modules # referring to this. TODO make `lib.systems` itself use the module system. apply = lib.systems.elaborate; 
@@ -175,17 +184,23 @@ in buildPlatform = lib.mkOption { type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; - example = { system = "x86_64-darwin"; }; + example = { + system = "x86_64-darwin"; + }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = inputBuildPlatform: - let elaborated = lib.systems.elaborate inputBuildPlatform; - in if lib.systems.equals elaborated cfg.hostPlatform - then cfg.hostPlatform # make identical, so that `==` equality works; -see https://github.com/NixOS/nixpkgs/issues/278001 - else elaborated; - defaultText = lib.literalExpression - ''config.nixpkgs.hostPlatform''; + apply = + inputBuildPlatform: + let + elaborated = lib.systems.elaborate inputBuildPlatform; + in + if lib.systems.equals elaborated cfg.hostPlatform then + cfg.hostPlatform # make identical, so that `==` equality works; + see + "https://github.com/NixOS/nixpkgs/issues/278001" + else + elaborated; + defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. By default, nix-darwin is built on the system where it runs, but you can @@ -204,8 +219,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 type = lib.types.str; example = "x86_64-darwin"; default = - if opt.hostPlatform.isDefined - then + if opt.hostPlatform.isDefined then throw '' Neither ${opt.system} nor any other option in nixpkgs.* is meant to be read by modules and configurations. 
@@ -264,34 +278,32 @@ see https://github.com/NixOS/nixpkgs/issues/278001 # which is somewhat costly for Nixpkgs. With an explicit priority, we only # evaluate the wrapper to find out that the priority is lower, and then we # don't need to evaluate `finalPkgs`. - lib.mkOverride lib.modules.defaultOverridePriority - finalPkgs.__splicedPackages; + lib.mkOverride lib.modules.defaultOverridePriority finalPkgs.__splicedPackages; }; nixpkgs.constructedByUs = # We set it with default priority and it can not be merged, so if the # pkgs module argument has that priority, it's from us. (lib.modules.mergeAttrDefinitionsWithPrio options._module.args).pkgs.highestPrio - == lib.modules.defaultOverridePriority + == lib.modules.defaultOverridePriority # Although, if nixpkgs.pkgs is set, we did forward it, but we did not construct it. - && !opt.pkgs.isDefined; + && !opt.pkgs.isDefined; assertions = [ ( let pkgsSystem = finalPkgs.stdenv.targetPlatform.system; - in { + in + { assertion = cfg.constructedByUs -> !hasPlatform -> cfg.system == pkgsSystem; message = "The nix-darwin nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but nix-darwin was configured for system ${config.nixpkgs.system} via nix-darwin option nixpkgs.system. The nix-darwin system settings must match the Nixpkgs target system."; } ) { - assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == []; + assertion = cfg.constructedByUs -> hasPlatform -> legacyOptionsDefined == [ ]; message = '' Your system configures nixpkgs with the platform parameter${lib.optionalString hasBuildPlatform "s"}: - ${hostPlatformLine - }${buildPlatformLine - } + ${hostPlatformLine}${buildPlatformLine} However, it also defines the legacy options: ${lib.concatMapStrings lib.showOptionWithDefLocs legacyOptionsDefined} For a future proof system configuration, we recommend to remove 
@@ -299,7 +311,7 @@ see https://github.com/NixOS/nixpkgs/issues/278001 ''; } { - assertion = opt.pkgs.isDefined -> cfg.config == {}; + assertion = opt.pkgs.isDefined -> cfg.config == { }; message = '' Your system configures nixpkgs with an externally created instance. `nixpkgs.config` options should be passed when creating the instance instead. From 5084b33265f1c14551af63e61ec8bb75fec3ccbc Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 20:53:35 +0000 Subject: [PATCH 075/118] git-blame-ignore-revs: add `nixpkgs` module formatting commit --- .git-blame-ignore-revs | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .git-blame-ignore-revs diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 00000000..92331afe --- /dev/null +++ b/.git-blame-ignore-revs @@ -0,0 +1,2 @@ +# nixpkgs: format with `nixfmt` +dc1c716ded39758062ed7e6bc410ad274119de9f From 7c72c013b160627540b8b465a05ba258f47a16d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 19:40:03 +0000 Subject: [PATCH 076/118] nixpkgs: make config.nixpkgs.{buildPlatform,hostPlatform} write only The description for options.nixpkgs.system already hints at this: Neither ${opt.system} nor any other option in nixpkgs.* is meant to be read by modules and configurations. Use pkgs.stdenv.hostPlatform instead. We can support this goal by not elaborating the systems anymore, forcing users to go via pkgs.stdenv. This will prevent problems when making the top-level package sets composable in the next commit. For this to work, you should pass a fully elaborated system to nixpkgs' localSystem or crossSystem options. Backport of Nixpkgs commit 0a19371146130c0e2a402fd0c35f8283b0e81910. Co-authored-by: Wolfgang Walther --- modules/nix/nixpkgs.nix | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index fa156a51..d4fa306c 100644 --- a/modules/nix/nixpkgs.nix 
+++ b/modules/nix/nixpkgs.nix @@ -73,7 +73,10 @@ let defaultPkgs = if opt.hostPlatform.isDefined then let - isCross = cfg.buildPlatform != cfg.hostPlatform; + isCross = + !(lib.systems.equals (lib.systems.elaborate cfg.buildPlatform) ( + lib.systems.elaborate cfg.hostPlatform + )); systemArgs = if isCross then { @@ -165,13 +168,10 @@ in }; hostPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform + type = lib.types.either lib.types.str lib.types.attrs; example = { system = "aarch64-darwin"; }; - # Make sure that the final value has all fields for sake of other modules - # referring to this. TODO make `lib.systems` itself use the module system. - apply = lib.systems.elaborate; description = '' Specifies the platform where the nix-darwin configuration will run. @@ -182,24 +182,13 @@ in }; buildPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform + type = lib.types.either lib.types.str lib.types.attrs; default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. - apply = - inputBuildPlatform: - let - elaborated = lib.systems.elaborate inputBuildPlatform; - in - if lib.systems.equals elaborated cfg.hostPlatform then - cfg.hostPlatform # make identical, so that `==` equality works; - see - "https://github.com/NixOS/nixpkgs/issues/278001" - else - elaborated; defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. 
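Review bot: With the `apply = …` deleted from `buildPlatform`, the two context lines `# Make sure that the final value has all fields for sake of other modules` / `# referring to this.` now describe something the option no longer does — the value is passed through unelaborated, which is precisely this commit's intent. The equivalent comment was removed from `hostPlatform` in the hunk above, so the `buildPlatform` one should go too, or be replaced by something like `# Deliberately not elaborated; read pkgs.stdenv.buildPlatform instead.` so the asymmetry does not look accidental. The `isCross` change at the top is fine, but a short comment there explaining that elaboration now happens only for this comparison would help readers who notice the options themselves are no longer elaborated.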
@@ -323,6 +312,16 @@ in ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } + { + assertion = + (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.buildPlatform -> !(cfg.buildPlatform ? parsed)) + && (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.hostPlatform -> !(cfg.hostPlatform ? parsed)); + message = '' + Passing fully elaborated systems to `nixpkgs.localSystem`, `nixpkgs.crossSystem`, `nixpkgs.buildPlatform` + or `nixpkgs.hostPlatform` will break composability of package sets in nixpkgs. For example, pkgs.pkgsStatic + would not work in modules anymore. + ''; + } ]; }; } From 1f7ed1c7fe20d9b9d410c4f385a7d13ae1f4349e Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 15:19:46 +0000 Subject: [PATCH 077/118] checks: remove `nixChannels` check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I don’t think this is very important given the `nixPath` check, and it doesn’t fit very well into a post‐user‐activation world. --- modules/system/checks.nix | 30 ++++-------------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index b466f425..7fbe1590 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -152,25 +152,6 @@ let fi ''; - nixChannels = '' - channelsLink=$(readlink "$HOME/.nix-defexpr/channels") || true - case "$channelsLink" in - *"$USER"*) - ;; - "") - ;; - *) - echo "error: The ~/.nix-defexpr/channels symlink does not point your users channels, aborting activation" >&2 - echo "Running nix-channel will regenerate it" >&2 - echo >&2 - echo " rm ~/.nix-defexpr/channels" >&2 - echo " nix-channel --update" >&2 - echo >&2 - exit 2 - ;; - esac - ''; - nixInstaller = '' if grep -q 'etc/profile.d/nix-daemon.sh' /etc/profile; then echo "error: Found nix-daemon.sh reference in /etc/profile, aborting activation" >&2 
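Review bot: The new assertion's message does not say which option triggered it or where it was defined, and it names `nixpkgs.localSystem`/`nixpkgs.crossSystem`, which are arguments of the Nixpkgs import rather than options declared in this module, so a user who set an elaborated `nixpkgs.hostPlatform` in one of several imported files gets no pointer back to the definition. The neighbouring legacy-options assertion already uses `hostPlatformLine` and `buildPlatformLine` (built with `lib.showOptionWithDefLocs`) for exactly this, so appending `${hostPlatformLine}${buildPlatformLine}` to the message would make it consistent and actionable. The condition also only inspects `cfg.buildPlatform` under `opt.hostPlatform.isDefined`, presumably because `buildPlatform` defaults to `hostPlatform`; a one-line comment saying so would stop the guard being "simplified" later.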
@@ -315,6 +296,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "system" "checks" "verifyNixChannels" ] "This check has been removed.") + ]; + options = { system.checks.verifyNixPath = mkOption { type = types.bool; @@ -322,12 +307,6 @@ in description = "Whether to run the NIX_PATH validation checks."; }; - system.checks.verifyNixChannels = mkOption { - type = types.bool; - default = config.nix.channel.enable; - description = "Whether to run the nix-channels validation checks."; - }; - system.checks.verifyBuildUsers = mkOption { type = types.bool; default = @@ -361,7 +340,6 @@ in nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) - (mkIf cfg.verifyNixChannels nixChannels) nixInstaller (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory From 8f227c405e0d42dfdbfce9849c689152c083a48b Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 01:08:02 +0000 Subject: [PATCH 078/118] nix: fix typo in assertion conditional --- modules/nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 857c4be8..b70487d7 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -759,7 +759,7 @@ in # Not in NixOS module { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } - { assertion = elem "_nixbld1" config.users.knownGroups -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } + { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } { From 9b9c9a57b626d72c4def5c2ddb7253bccb19c75d Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 079/118] =?UTF-8?q?nix:=20don=E2=80=99t=20set=20`$NIX=5FRE?= =?UTF-8?q?MOTE`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NixOS doesn’t bother doing this, and Nix already matches this conditional behaviour when `$NIX_REMOTE` is unset. --- modules/nix/default.nix | 20 +++++--------------- tests/services-nix-daemon.nix | 3 --- 2 files changed, 5 insertions(+), 18 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b70487d7..b373e778 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -785,21 +785,11 @@ in # Set up the environment variables for running Nix. environment.variables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; - environment.extraInit = mkMerge [ - (mkIf cfg.channel.enable '' - if [ -e "$HOME/.nix-defexpr/channels" ]; then - export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" - fi - '') - # Not in NixOS module - '' - # Set up secure multi-user builds: non-root users build through the - # Nix daemon. - if [ ! -w /nix/var/nix/db ]; then - export NIX_REMOTE=daemon - fi - '' - ]; + environment.extraInit = mkIf cfg.channel.enable '' + if [ -e "$HOME/.nix-defexpr/channels" ]; then + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" + fi + ''; environment.extraSetup = mkIf (!cfg.channel.enable) '' rm --force $out/bin/nix-channel diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix index 3a217cbb..86dbd57c 100644 --- a/tests/services-nix-daemon.nix +++ b/tests/services-nix-daemon.nix @@ -27,8 +27,5 @@ in echo checking nix-daemon reload in /activate >&2 grep "launchctl kill HUP system/org.nixos.nix-daemon" ${config.out}/activate - - echo checking NIX_REMOTE=daemon in setEnvironment >&2 - grep "NIX_REMOTE=daemon" ${config.system.build.setEnvironment} ''; } From 3f6f512406d852afa0e54118b2002896da66fd3e Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 21:47:09 +0000 Subject: [PATCH 080/118] users: fix typo --- modules/users/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index ecce2af3..47b67fbc 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix 
@@ -172,7 +172,7 @@ in printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n' printf >&2 'please accept the dialog that pops up.\n' printf >&2 '\n' - printf >&2 'If you do not wish to be prompted every time `darwin-rebuild updates your users,\n' + printf >&2 'If you do not wish to be prompted every time `darwin-rebuild` updates your users,\n' printf >&2 'you can grant Full Disk Access to your terminal emulator in System Settings.\n' printf >&2 '\n' printf >&2 'This can be found in System Settings > Privacy & Security > Full Disk Access.\n' From da3311397a1a2ba1a02f026cce1700a3556279cc Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 5 Feb 2025 15:06:20 +0000 Subject: [PATCH 081/118] Revert "nixpkgs: make config.nixpkgs.{buildPlatform,hostPlatform} write only" This was reverted upstream in 0b47fba23078cc01251b136c7af0127abd57112b. This reverts commit 7c72c013b160627540b8b465a05ba258f47a16d8. --- modules/nix/nixpkgs.nix | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/modules/nix/nixpkgs.nix b/modules/nix/nixpkgs.nix index d4fa306c..51bb1718 100644 --- a/modules/nix/nixpkgs.nix +++ b/modules/nix/nixpkgs.nix @@ -73,10 +73,7 @@ let defaultPkgs = if opt.hostPlatform.isDefined then let - isCross = - !(lib.systems.equals (lib.systems.elaborate cfg.buildPlatform) ( - lib.systems.elaborate cfg.hostPlatform - )); + isCross = cfg.buildPlatform != cfg.hostPlatform; systemArgs = if isCross then { 
@@ -168,10 +165,13 @@ in }; hostPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform example = { system = "aarch64-darwin"; }; + # Make sure that the final value has all fields for sake of other modules + # referring to this. TODO make `lib.systems` itself use the module system. + apply = lib.systems.elaborate; description = '' Specifies the platform where the nix-darwin configuration will run. @@ -182,13 +182,22 @@ in }; buildPlatform = lib.mkOption { - type = lib.types.either lib.types.str lib.types.attrs; + type = lib.types.either lib.types.str lib.types.attrs; # TODO utilize lib.systems.parsedPlatform default = cfg.hostPlatform; example = { system = "x86_64-darwin"; }; # Make sure that the final value has all fields for sake of other modules # referring to this. + apply = + inputBuildPlatform: + let + elaborated = lib.systems.elaborate inputBuildPlatform; + in + if lib.systems.equals elaborated cfg.hostPlatform then + cfg.hostPlatform # make identical, so that `==` equality works; see https://github.com/NixOS/nixpkgs/issues/278001 + else + elaborated; defaultText = lib.literalExpression ''config.nixpkgs.hostPlatform''; description = '' Specifies the platform on which nix-darwin should be built. @@ -312,16 +321,6 @@ in ${lib.concatMapStringsSep "\n" (file: " - ${file}") opt.config.files} ''; } - { - assertion = - (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.buildPlatform -> !(cfg.buildPlatform ? parsed)) - && (opt.hostPlatform.isDefined -> builtins.isAttrs cfg.hostPlatform -> !(cfg.hostPlatform ? parsed)); - message = '' - Passing fully elaborated systems to `nixpkgs.localSystem`, `nixpkgs.crossSystem`, `nixpkgs.buildPlatform` - or `nixpkgs.hostPlatform` will break composability of package sets in nixpkgs. For example, pkgs.pkgsStatic - would not work in modules anymore. - ''; - } ]; }; } 
From 0824c13801d18722a5dd7827f575f5c42e80ad43 Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 15:48:57 +0000 Subject: [PATCH 082/118] checks: fix macOS version check exit code --- modules/system/checks.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 8b526b35..119fba4c 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -27,7 +27,7 @@ let printf >&2 ' system.checks.verifyMacOSVersion = false;\n' printf >&2 '\n' printf >&2 'However, we are unable to provide support if you do so.\n' - exit 1 + exit 2 fi ''; From d634e28f67b5e1fc82b3ea107fbd9b3a3abf3a7b Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 3 Feb 2025 21:47:09 +0000 Subject: [PATCH 083/118] users: use `launchctl managername` to determine session type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems like this should be more robust, and it will work even after the activation script purifies its environment. Apparently it may treat `tmux` sessions like SSH ones, which may have something to do with `reattach-to-user-namespace`/`pam_reattach`; see . (My hope is that `pam_reattach` does the right thing here, but I haven’t tested.) --- modules/users/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index 47b67fbc..706abbfa 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix 
@@ -147,7 +147,7 @@ in homeDirectory=''${homeDirectory#NFSHomeDirectory: } if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then - if [[ -n "$SSH_CONNECTION" ]]; then + if [[ "$(launchctl managername)" != Aqua ]]; then printf >&2 '\e[1;31merror: users cannot be %s over SSH without Full Disk Access, aborting activation\e[0m\n' "$2" printf >&2 'The user %s could not be %s as `darwin-rebuild` was not executed with Full Disk Access over SSH.\n' "$1" "$2" printf >&2 'You can either:\n' From e182d8dff6bd3b0913ae6531c6abae3ed1e38364 Mon Sep 17 00:00:00 2001 
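Review bot: The error text on the lines following the changed condition still says "over SSH", while the new test fires for any session whose manager is not Aqua, including the `tmux` case the commit message mentions, so a user in a local multiplexer will be told SSH is the problem. Consider generalising the wording, e.g. `printf >&2 '\e[1;31merror: users cannot be %s outside a graphical login session without Full Disk Access, aborting activation\e[0m\n' "$2"`, and adjusting the following explanatory lines to match. An empty result from `launchctl managername` (command missing or failing) also lands in this branch, which fails closed but with the same misleading text. The enclosing function starts and ends outside the hunk.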
From: Emily Date: Tue, 28 Jan 2025 18:40:29 +0000 Subject: [PATCH 084/118] nix: add `nix.enable` option to disable Nix management MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is an equivalent of the `nix.enable` option from NixOS and Home Manager. On NixOS, it mostly serves to allow building fixed‐configuration systems without any Nix installation at all. It should work for that purpose with nix-darwin too, and the implementation is largely the same, but the main use case is more similar to the Home Manager option: to allow the use of nix-darwin with an unmanaged system installation of Nix, including when there is another service expecting to manage it, as with Determinate. By providing an escape hatch to opt out of Nix management entirely, this will also allow us to consolidate and simplify our existing Nix installation management, by being more opinionated about things like taking ownership of the daemon and the build users. Porting one option from NixOS lets us drop two that only ever existed in nix-darwin and reduce overall complexity. --- modules/nix/default.nix | 52 +++++++++++++++++++++-- modules/services/nix-daemon.nix | 2 +- modules/system/checks.nix | 9 ++-- pkgs/darwin-uninstaller/configuration.nix | 12 +----- pkgs/darwin-uninstaller/default.nix | 9 ++-- release.nix | 1 + tests/nix-enable.nix | 14 ++++++ 7 files changed, 78 insertions(+), 21 deletions(-) create mode 100644 tests/nix-enable.nix diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b373e778..39820dac 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -134,6 +134,26 @@ let namedPaths ++ searchPaths; }; + handleUnmanaged = managedConfig: mkMerge [ + (mkIf cfg.enable managedConfig) + (mkIf (!cfg.enable) { + system.activationScripts.nix-daemon.text = '' + # Restore unmanaged Nix daemon if present + unmanagedNixProfile=/nix/var/nix/profiles/default + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e $unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + printf >&2 'restoring unmanaged Nix daemon...\n' + cp \ + "$unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist" \ + /Library/LaunchDaemons + launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist + fi + ''; + }) + ]; + in { @@ -144,7 +164,6 @@ in in [ # Only ever in NixOS - (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivalent to this NixOS option.") (mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority")) 
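Review bot: The restore in `handleUnmanaged` keys off `/run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist`, which only identifies a previously managed daemon if `/run/current-system` still points at the old generation when the `nix-daemon` activation script runs; if the symlink has already been switched to the new, plist-less system by then, the branch never fires, so the ordering is worth confirming against the activation sequence. The plist copied into `/Library/LaunchDaemons` and loaded with `-w` defines a root daemon, yet nothing verifies that the source under `/nix/var/nix/profiles/default` is root-owned before trusting it, and the uninstaller hunks in this same patch drop the earlier `-O /nix/store` ownership guard around the equivalent restore. A check such as `[[ "$(stat --format='%u' "$unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist")" == 0 ]]` before the `cp` would keep that guard in both places. A short comment stating that this script is expected to run as root (there is no `sudo`, unlike the uninstaller version) would also help the next reader.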
@@ -165,9 +184,36 @@ in nix = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to enable Nix. + + Disabling this will stop nix-darwin from managing the + installed version of Nix, the nix-daemon launchd daemon, and + the settings in {file}`/etc/nix/nix.conf`. + + This allows you to use nix-darwin without it taking over your + system installation of Nix. Some nix-darwin functionality + that relies on managing the Nix installation, like the + `nix.*` options to adjust Nix settings or configure a Linux + builder, will be unavailable. You will also have to upgrade + Nix yourself, as nix-darwin will no longer do so. + + ::: {.warning} + If you have already removed your global system installation + of Nix, this will break nix-darwin and you will have to + reinstall Nix to fix it. + ::: + ''; + }; + package = mkOption { type = types.package; - default = pkgs.nix; + default = warnIf (!cfg.enable) + "nix.package: accessed when `nix.enable` is off; this is a bug" + pkgs.nix; defaultText = literalExpression "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. @@ -678,7 +724,7 @@ in ###### implementation - config = { + config = handleUnmanaged { environment.systemPackages = [ nixPackage diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index ffc7e651..df3fa310 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -10,7 +10,7 @@ in options = { services.nix-daemon.enable = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to enable the nix-daemon service."; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 7fbe1590..cc8048de 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -303,15 +303,16 @@ in options = { system.checks.verifyNixPath = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to run the NIX_PATH validation checks."; }; system.checks.verifyBuildUsers = mkOption { type = types.bool; default = - (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) - || config.nix.configureBuildUsers; + config.nix.enable && + ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + || config.nix.configureBuildUsers); description = "Whether to run the Nix build users validation checks."; }; @@ -336,7 +337,7 @@ in (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf config.nix.configureBuildUsers buildGroupID) - nixDaemon + (mkIf config.nix.enable nixDaemon) nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) diff --git a/pkgs/darwin-uninstaller/configuration.nix b/pkgs/darwin-uninstaller/configuration.nix index 56ab228f..ce6be6ca 100644 --- a/pkgs/darwin-uninstaller/configuration.nix +++ b/pkgs/darwin-uninstaller/configuration.nix @@ -12,8 +12,8 @@ with lib; launchd.daemons = mkForce {}; launchd.user.agents = mkForce {}; - # Don't try to reload `nix-daemon` - nix.useDaemon = mkForce false; + # Restore any unmanaged `nix-daemon`. + nix.enable = false; system.activationScripts.postUserActivation.text = mkAfter '' nix-channel --remove darwin || true 
@@ -30,14 +30,6 @@ with lib; rm /etc/static fi - # If the Nix Store is owned by root then we're on a multi-user system - if [[ -O /nix/store ]]; then - if [[ -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]]; then - sudo cp /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/org.nixos.nix-daemon.plist - sudo launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist - fi - fi - # grep will return 1 when no lines matched which makes this line fail with `set -eo pipefail` dscl . -list /Users UserShell | { grep "\s/run/" || true; } | awk '{print $1}' | while read -r user; do shell=$(dscl . -read /Users/"$user" UserShell) diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index 0214652b..6b43bcfc 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix @@ -31,8 +31,11 @@ in writeShellApplication { echo >&2 " - remove /Applications/Nix Apps symlink" echo >&2 " - cleanup static /etc files" echo >&2 " - disable and remove all launchd services managed by nix-darwin" - if [[ $(stat -f '%Su' /nix/store) == "root" ]]; then - echo >&2 " - restore nix-daemon service from nix installer as this is a multi-user install" + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + echo >&2 " - restore nix-daemon service from the Nix installer" fi echo >&2 
@@ -87,7 +90,7 @@ in writeShellApplication { launchctl print system/org.nixos.nix-daemon pgrep -l nix-daemon test -e /Library/LaunchDaemons/org.nixos.nix-daemon.plist - [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] + [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] nix-store --store daemon -q --hash ${stdenv.shell} fi echo >&2 ok diff --git a/release.nix b/release.nix index b3e2df7e..52b3c2aa 100644 --- a/release.nix +++ b/release.nix @@ -88,6 +88,7 @@ in { tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; + tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; tests.programs-ssh = makeTest ./tests/programs-ssh.nix; tests.programs-tmux = makeTest ./tests/programs-tmux.nix; diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix new file mode 100644 index 00000000..4e7a1782 --- /dev/null +++ b/tests/nix-enable.nix @@ -0,0 +1,14 @@ +{ config, ... }: + +{ + nix.enable = false; + nix.package = throw "`nix.package` used when `nix.enable` is turned off"; + + test = '' + printf >&2 'checking for unexpected Nix binary in /sw/bin\n' + [[ -e ${config.out}/sw/bin/nix-env ]] && exit 1 + + printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' + [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + ''; +} From c796587d2ef4ab06f84c4f740931f579f719b6f5 Mon Sep 17 00:00:00 2001 
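Review bot: In the new `tests/nix-enable.nix`, each probe is written as `[[ -e … ]] && exit 1`; when the file is absent (the expected outcome) the list's status is 1, and because the plist probe is the last command in the test body the script exits non-zero unless the harness appends a further command after `test`, which is worth checking against `makeTest` in `release.nix`. Writing the probes as `! [[ -e ${config.out}/sw/bin/nix-env ]]` and `! [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]]` gives the intended status in either position and also behaves under `set -e`. The `shasum` change in the uninstaller hunk is a genuine fix: the previous line compared the installed plist's hash against itself, so that verification could never fail.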
From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 085/118] nix: remove `nix.useDaemon` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We now assume the daemon is used unconditionally when we manage the Nix installation. The `nix.gc` and `nix.optimise` services lose their `$NIX_REMOTE` setting rather than making it unconditional, as the NixOS `nix.gc` module does not set it. Possibly it should, but I think uniformity between the two systems is better than diverging, even though I kind of hate that the non‐daemon method of access is even a thing. --- modules/nix/default.nix | 22 +++--- modules/services/buildkite-agents.nix | 3 +- modules/services/gitlab-runner.nix | 3 +- .../services/hercules-ci-agent/default.nix | 2 +- modules/services/nix-daemon.nix | 2 - modules/services/nix-gc/default.nix | 10 +-- modules/services/nix-optimise/default.nix | 10 +-- modules/system/checks.nix | 67 +++---------------- release.nix | 1 - tests/checks-nix-gc.nix | 19 ------ tests/services-nix-gc.nix | 6 -- tests/services-nix-optimise.nix | 6 -- 12 files changed, 26 insertions(+), 125 deletions(-) delete mode 100644 tests/checks-nix-gc.nix diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 39820dac..6028e6bb 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -176,6 +176,10 @@ in (mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ]) (mkRenamedOptionModule [ "nix" "daemonIONice" ] [ "nix" "daemonIOLowPriority" ]) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] (consider "nix.daemonProcessType")) + (mkRemovedOptionModule [ "nix" "useDaemon" ] '' + nix-darwin now only supports managing multi‐user daemon + installations of Nix. + '') ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface 
@@ -220,17 +224,6 @@ in ''; }; - # Not in NixOS module - useDaemon = mkOption { - type = types.bool; - default = false; - description = '' - If set, Nix will use the daemon to perform operations. - Use this instead of services.nix-daemon.enable if you don't want the - daemon service to be managed for you. - ''; - }; - distributedBuilds = mkOption { type = types.bool; default = false; @@ -909,7 +902,7 @@ in if [[ -e /etc/nix/nix.custom.conf ]]; then mv /etc/nix/nix.custom.conf{,.before-nix-darwin} fi - '' + optionalString cfg.useDaemon '' + if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then echo "reloading nix-daemon..." >&2 launchctl kill HUP system/org.nixos.nix-daemon @@ -926,6 +919,9 @@ in trusted-users = [ "root" ]; substituters = mkAfter [ "https://cache.nixos.org/" ]; + # Not in NixOS module + build-users-group = "nixbld"; + # Not implemented yet # system-features = mkDefault ( # [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ @@ -941,8 +937,6 @@ in (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) - # Not in NixOS module - (mkIf cfg.useDaemon { build-users-group = "nixbld"; }) ]; }; diff --git a/modules/services/buildkite-agents.nix b/modules/services/buildkite-agents.nix index 69bc1f65..3c04d904 100644 --- a/modules/services/buildkite-agents.nix +++ b/modules/services/buildkite-agents.nix @@ -227,8 +227,9 @@ in { path = cfg.runtimePackages ++ [ cfg.package pkgs.coreutils pkgs.darwin.DarwinTools ]; environment = { HOME = cfg.dataDir; + NIX_REMOTE = "daemon"; inherit (config.environment.variables) NIX_SSL_CERT_FILE; - } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {}); + }; ## NB: maximum care is taken so that secrets (ssh keys and the CI token) ## don't end up in the Nix store. diff --git a/modules/services/gitlab-runner.nix b/modules/services/gitlab-runner.nix index 94c291ef..329fd727 100644 
--- a/modules/services/gitlab-runner.nix +++ b/modules/services/gitlab-runner.nix @@ -551,8 +551,9 @@ in launchd.daemons.gitlab-runner = { environment = { #config.networking.proxy.envVars // { HOME = "${config.users.users.gitlab-runner.home}"; + NIX_REMOTE = "daemon"; NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {}); + }; path = with pkgs; [ bash gawk diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix index fc3d9520..39125065 100644 --- a/modules/services/hercules-ci-agent/default.nix +++ b/modules/services/hercules-ci-agent/default.nix @@ -74,7 +74,7 @@ in darwin.label = config.system.darwinLabel; darwin.revision = config.system.darwinRevision; darwin.version = config.system.darwinVersion; - darwin.nix.daemon = config.nix.useDaemon; + darwin.nix.daemon = true; darwin.nix.sandbox = config.nix.settings.sandbox; }; }; diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index df3fa310..ee866a6f 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -41,8 +41,6 @@ in config = mkIf cfg.enable { - nix.useDaemon = true; - launchd.daemons.nix-daemon = { command = lib.getExe' config.nix.package "nix-daemon"; serviceConfig.ProcessType = config.nix.daemonProcessType; diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix index 9fe8e86d..44278e64 100644 --- a/modules/services/nix-gc/default.nix +++ b/modules/services/nix-gc/default.nix 
@@ -14,6 +14,7 @@ in (mkRemovedOptionModule [ "nix" "gc" "dates" ] "Use `nix.gc.interval` instead.") (mkRemovedOptionModule [ "nix" "gc" "randomizedDelaySec" ] "No `nix-darwin` equivalent to this NixOS option.") (mkRemovedOptionModule [ "nix" "gc" "persistent" ] "No `nix-darwin` equivalent to this NixOS option.") + (mkRemovedOptionModule [ "nix" "gc" "user" ] "The garbage collection service now always runs as `root`.") ]; ###### interface @@ -28,13 +29,6 @@ in description = "Automatically run the garbage collector at a specific time."; }; - # Not in NixOS module - user = mkOption { - type = types.nullOr types.str; - default = null; - description = "User that runs the garbage collector."; - }; - interval = mkOption { type = launchdTypes.StartCalendarInterval; default = [{ Weekday = 7; Hour = 3; Minute = 15; }]; @@ -66,10 +60,8 @@ in launchd.daemons.nix-gc = { command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; - environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon"; serviceConfig.RunAtLoad = false; serviceConfig.StartCalendarInterval = cfg.interval; - serviceConfig.UserName = cfg.user; }; }; diff --git a/modules/services/nix-optimise/default.nix b/modules/services/nix-optimise/default.nix index c0ee0a38..4eefc480 100644 --- a/modules/services/nix-optimise/default.nix +++ b/modules/services/nix-optimise/default.nix @@ -20,6 +20,7 @@ in { imports = [ (mkRemovedOptionModule [ "nix" "optimise" "dates" ] "Use `nix.optimise.interval` instead.") + (mkRemovedOptionModule [ "nix" "optimise" "user" ] "The store optimisation service now always runs as `root`.") ]; ###### interface 
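Review bot: `launchd.daemons.nix-gc` is still enabled by `mkIf cfg.automatic` alone, and its `command` expands `config.nix.package`, whose default (added earlier in this series) warns that it is accessed with `nix.enable` off; with `nix.enable = false` and `nix.gc.automatic = true` a root-run daemon would be generated from `pkgs.nix` rather than from the unmanaged installation. Gating the config on `cfg.automatic && config.nix.enable`, or adding an assertion such as `{ assertion = cfg.automatic -> config.nix.enable; message = "nix.gc.automatic requires nix.enable"; }`, keeps the two options consistent; the same applies to `launchd.daemons.nix-optimise` in the following hunk. With `UserName` gone, both jobs now run as root with direct store access rather than via the daemon, which the commit message acknowledges; the `automatic` option descriptions could state that explicitly so users know what privilege the job carries.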
@@ -34,13 +35,6 @@ in description = "Automatically run the nix store optimiser at a specific time."; }; - # Not in NixOS module - user = mkOption { - type = types.nullOr types.str; - default = null; - description = "User that runs the store optimisation."; - }; - interval = mkOption { type = launchdTypes.StartCalendarInterval; default = [{ Weekday = 7; Hour = 4; Minute = 15; }]; @@ -61,12 +55,10 @@ in config = mkIf cfg.automatic { launchd.daemons.nix-optimise = { - environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon"; command = "${lib.getExe' config.nix.package "nix-store"} --optimise"; serviceConfig = { RunAtLoad = false; StartCalendarInterval = cfg.interval; - UserName = cfg.user; }; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index cc8048de..c3800385 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -130,24 +130,19 @@ let fi ''; - nixDaemon = if config.nix.useDaemon then '' - if ! dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then - printf >&2 'error: The daemon should not be enabled for single-user installs, aborting activation\n' - printf >&2 'Disable the nix-daemon service:\n' + nixDaemon = '' + if [[ "$(stat --format='%u' /nix)" != 0 ]]; then + printf >&2 'error: single‐user install detected, aborting activation\n' + printf >&2 'nix-darwin now only supports managing multi‐user daemon installations\n' + printf >&2 'of Nix. You can uninstall nix-darwin and Nix and then reinstall both to\n' + printf >&2 'fix this.\n' printf >&2 '\n' - printf >&2 ' services.nix-daemon.enable = false;\n' + printf >&2 'If you don’t want to do that, you can disable management of the Nix\n' + printf >&2 'installation with:\n' printf >&2 '\n' - printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n' - printf >&2 '\n' - exit 2 - fi - '' else '' - if dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then - printf >&2 'error: The daemon should be enabled for multi-user installs, aborting activation\n' - printf >&2 'Enable the nix-daemon service:\n' - printf >&2 '\n' - printf >&2 ' services.nix-daemon.enable = true;\n' + printf >&2 ' nix.enable = false;\n' printf >&2 '\n' + printf >&2 'See the `nix.enable` option documentation for caveats.\n' exit 2 fi ''; 
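Review bot: The new `nixDaemon` check treats any non-`0` output of `stat --format='%u' /nix` as a single-user install, so if `stat` fails (no `/nix`, or a BSD `stat` on PATH that does not accept `--format`) the substitution is empty, `[[ "" != 0 ]]` is true, and the user is told to reinstall for a problem that is not a single-user store. Capturing the owner first, e.g. `nixOwner=$(stat --format='%u' /nix) || { printf >&2 'error: could not stat /nix, aborting activation\n'; exit 2; }` and then testing `[[ "$nixOwner" != 0 ]]`, keeps the fail-closed behaviour while giving an accurate message. If activation scripts are assumed to have GNU coreutils on PATH, a one-line comment next to the check saying so would document that dependency.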
@@ -214,43 +209,6 @@ let fi ''; - nixStore = '' - if test -w /nix/var/nix/db -a ! -O /nix/store; then - echo >&2 "error: the store is not owned by this user, but /nix/var/nix/db is writable" - echo >&2 "If you are using the daemon:" - echo >&2 - echo >&2 " sudo chown -R root:wheel /nix/var/nix/db" - echo >&2 - echo >&2 "Otherwise:" - echo >&2 - echo >&2 " sudo chown -R $USER:staff /nix/store" - echo >&2 - exit 2 - fi - ''; - - nixGarbageCollector = '' - if test -O /nix/store; then - echo "error: A single-user install can't run gc as root, aborting activation" >&2 - echo "Configure the garbage collector to run as the current user:" >&2 - echo >&2 - echo " nix.gc.user = \"$USER\";" >&2 - echo >&2 - exit 2 - fi - ''; - - nixStoreOptimiser = '' - if test -O /nix/store; then - echo "error: A single-user install can't run optimiser as root, aborting activation" >&2 - echo "Configure the optimiser to run as the current user:" >&2 - echo >&2 - echo " nix.optimise.user = \"$USER\";" >&2 - echo >&2 - exit 2 - fi - ''; - # TODO: Remove this a couple years down the line when we can assume # that anyone who cares about security has upgraded. oldSshAuthorizedKeysDirectory = '' @@ -311,7 +269,7 @@ in type = types.bool; default = config.nix.enable && - ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + ((!(config.nix.settings.auto-allocate-uids or false)) || config.nix.configureBuildUsers); description = "Whether to run the Nix build users validation checks."; }; @@ -338,9 +296,6 @@ in (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf config.nix.configureBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) - nixStore - (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) - (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) nixInstaller (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory diff --git a/release.nix b/release.nix index 52b3c2aa..115025ee 100644 
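Review bot: Dropping `nixStore` removes the only check that noticed a daemon install whose `/nix/var/nix/db` is writable by the activating user, a misconfiguration that undermines the multi-user trust model the daemon is meant to enforce; the replacement `nixDaemon` check in the previous hunk only inspects the owner of `/nix`. If these checks now run as root, `-w` is no longer a meaningful test, but an ownership test on the database directory, e.g. `[[ "$(stat --format='%u' /nix/var/nix/db)" == 0 ]]` with a message pointing at `chown -R root:wheel /nix/var/nix/db`, would keep that condition visible. The `nixGarbageCollector` and `nixStoreOptimiser` removals are consistent with the `user` options going away in the same patch.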
--- a/release.nix +++ b/release.nix @@ -80,7 +80,6 @@ in { tests.activation-scripts = makeTest ./tests/activation-scripts.nix; tests.autossh = makeTest ./tests/autossh.nix; - tests.checks-nix-gc = makeTest ./tests/checks-nix-gc.nix; tests.environment-path = makeTest ./tests/environment-path.nix; tests.environment-terminfo = makeTest ./tests/environment-terminfo.nix; tests.homebrew = makeTest ./tests/homebrew.nix; diff --git a/tests/checks-nix-gc.nix b/tests/checks-nix-gc.nix deleted file mode 100644 index e3dccd7f..00000000 --- a/tests/checks-nix-gc.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, pkgs, ... }: - -let - nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out"; -in - -{ - nix.gc.automatic = true; - nix.package = nix; - - test = '' - echo checking nix-gc validation >&2 - grep "nix.gc.user = " ${config.out}/activate-user - - echo checking nix-gc service in /Library/LaunchDaemons >&2 - grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - (! grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist) - ''; -} diff --git a/tests/services-nix-gc.nix b/tests/services-nix-gc.nix index 6d7cdef8..9c8ba817 100644 --- a/tests/services-nix-gc.nix +++ b/tests/services-nix-gc.nix 
@@ -7,19 +7,13 @@ in { nix.gc.automatic = true; nix.gc.options = "--delete-older-than 30d"; - nix.gc.user = "nixuser"; nix.package = nix; test = '' echo checking nix-gc service in /Library/LaunchDaemons >&2 grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-collect-garbage --delete-older-than 30d" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist - grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist (! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist) - - echo checking nix-gc validation >&2 - (! grep "nix.gc.user = " ${config.out}/activate-user) ''; } diff --git a/tests/services-nix-optimise.nix b/tests/services-nix-optimise.nix index 4108eb0f..acdc1dce 100644 --- a/tests/services-nix-optimise.nix +++ b/tests/services-nix-optimise.nix @@ -6,7 +6,6 @@ in { nix.optimise.automatic = true; - nix.optimise.user = "nixuser"; nix.package = nix; test = '' @@ -15,11 +14,6 @@ in ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-store --optimise" \ ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist - grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist - grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist (! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist) - - echo checking nix-optimise validation >&2 - (! grep "nix.optimise.user = " ${config.out}/activate-user) ''; } From adc989f7ec9efd8bb4e1b6b48c15f4c0f41be018 Mon Sep 17 00:00:00 2001 
From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 086/118] nix: remove `nix.configureBuildUsers` We now manage the build users unconditionally when we manage the Nix installation. --- modules/examples/lnl.nix | 1 - modules/nix/default.nix | 25 +++++++++----------- modules/system/checks.nix | 50 ++++++--------------------------------- 3 files changed, 18 insertions(+), 58 deletions(-) diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix index 90142f65..8dff10cc 100644 --- a/modules/examples/lnl.nix +++ b/modules/examples/lnl.nix @@ -319,7 +319,6 @@ # path = /etc/per-user/lnl/gitconfig # environment.etc."per-user/lnl/gitconfig".text = builtins.readFile "${inputs.dotfiles}/git/gitconfig"; - nix.configureBuildUsers = true; nix.nrBuildUsers = 32; system.stateVersion = 6; diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 6028e6bb..b201a692 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -12,6 +12,8 @@ let isNixAtLeast = versionAtLeast (getVersion nixPackage); + configureBuildUsers = !(config.nix.settings.auto-allocate-uids or false); + makeNixBuildUser = nr: { name = "_nixbld${toString nr}"; value = { @@ -180,6 +182,10 @@ in nix-darwin now only supports managing multi‐user daemon installations of Nix. '') + (mkRemovedOptionModule [ "nix" "configureBuildUsers" ] '' + nix-darwin now manages build users unconditionally when + `nix.enable` is on. + '') ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings; ###### interface @@ -397,15 +403,6 @@ in description = "Environment variables used by Nix."; }; - # Not in NixOS module - configureBuildUsers = mkOption { - type = types.bool; - default = false; - description = '' - Enable configuration for nixbld group and users. - ''; - }; - nrBuildUsers = mkOption { type = types.int; description = '' 
@@ -836,10 +833,10 @@ in nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); - users.users = mkIf cfg.configureBuildUsers nixbldUsers; + users.users = mkIf configureBuildUsers nixbldUsers; # Not in NixOS module - users.groups.nixbld = mkIf cfg.configureBuildUsers { + users.groups.nixbld = mkIf configureBuildUsers { description = "Nix build group for nix-daemon"; gid = config.ids.gids.nixbld; members = attrNames nixbldUsers; @@ -847,11 +844,11 @@ in users.knownUsers = let nixbldUserNames = attrNames nixbldUsers; in - mkIf cfg.configureBuildUsers (mkMerge [ + mkMerge [ nixbldUserNames (map (removePrefix "_") nixbldUserNames) # delete old style nixbld users - ]); - users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ]; + ]; + users.knownGroups = [ "nixbld" ]; # The Determinate Systems installer puts user‐specified settings in # `/etc/nix/nix.custom.conf` since v0.33.0. Supplement the diff --git a/modules/system/checks.nix b/modules/system/checks.nix index c3800385..f13f7db9 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
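Review bot: `users.knownUsers` and `users.knownGroups` are now set unconditionally while `users.users` and `users.groups.nixbld` a few lines above stay gated on `configureBuildUsers` (i.e. `auto-allocate-uids` unset). If the users module treats a known user that is absent from `users.users` as one to remove, which is how I read nix-darwin's known-users contract but cannot confirm from this hunk, enabling `auto-allocate-uids` would now delete existing `_nixbld*` accounts and the `nixbld` group instead of leaving them alone as before. If that is intended it deserves a comment; otherwise gate the lists the same way, e.g. `users.knownUsers = mkIf configureBuildUsers (mkMerge [ … ]);` and `users.knownGroups = mkIf configureBuildUsers [ "nixbld" ];`. Note also that `configureBuildUsers` in the `let` above reads `config.nix.settings` with no `nix.enable` guard, which matters once later commits in this series make that option's default throw when `nix.enable` is off; presumably the surrounding `config` is wrapped in `mkIf cfg.enable`, which is outside the hunk.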
@@ -31,29 +31,13 @@ let fi ''; - oldBuildUsers = '' - if dscl . -list /Users | grep -q '^nixbld'; then - echo "error: Detected old style nixbld users, aborting activation" >&2 - echo "These can cause migration problems when upgrading to certain macOS versions" >&2 - echo "You can enable the following option to migrate to new style nixbld users" >&2 - echo >&2 - echo " nix.configureBuildUsers = true;" >&2 - echo >&2 - echo "or disable this check with" >&2 - echo >&2 - echo " system.checks.verifyBuildUsers = false;" >&2 - echo >&2 - exit 2 - fi - ''; - preSequoiaBuildUsers = '' - ${lib.optionalString config.nix.configureBuildUsers '' - # Don’t complain when we’re about to migrate old‐style build users… - if ! dscl . -list /Users | grep -q '^nixbld'; then - ''} firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') - if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then + if + # Don’t complain when we’re about to migrate old‐style build users… + [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \ + && ! dscl . -list /Users | grep -q '^nixbld' + then printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n' printf >&2 'The default Nix build user ID range has been adjusted for\n' printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n' 
@@ -86,22 +70,6 @@ let printf >&2 '\n' exit 2 fi - ${lib.optionalString config.nix.configureBuildUsers "fi"} - ''; - - buildUsers = '' - buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true - if [[ -z "$buildUser" ]]; then - echo "error: Using the nix-daemon requires build users, aborting activation" >&2 - echo "Create the build users or disable the daemon:" >&2 - echo "$ darwin-install" >&2 - echo >&2 - echo "or set (this requires some manual intervention to restore permissions)" >&2 - echo >&2 - echo " services.nix-daemon.enable = false;" >&2 - echo >&2 - exit 2 - fi ''; buildGroupID = '' @@ -268,9 +236,7 @@ in system.checks.verifyBuildUsers = mkOption { type = types.bool; default = - config.nix.enable && - ((!(config.nix.settings.auto-allocate-uids or false)) - || config.nix.configureBuildUsers); + config.nix.enable && !(config.nix.settings.auto-allocate-uids or false); description = "Whether to run the Nix build users validation checks."; }; @@ -291,10 +257,8 @@ in system.checks.text = mkMerge [ (mkIf cfg.verifyMacOSVersion macOSVersion) - (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) - (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) - (mkIf config.nix.configureBuildUsers buildGroupID) + (mkIf cfg.verifyBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) nixInstaller (mkIf cfg.verifyNixPath nixPath) From 8a94b5b99bfa6aec7846bec63eba93d05f8f44d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 28 Jan 2025 19:30:20 +0000 Subject: [PATCH 087/118] nix-daemon: remove `services.nix-daemon.enable` We now manage the launchd daemon unconditionally when we manage the Nix installation. --- modules/services/nix-daemon.nix | 17 +++++++++-------- tests/services-nix-daemon.nix | 1 - tests/sockets-nix-daemon.nix | 1 - 3 files changed, 9 insertions(+), 10 deletions(-) 
diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index ee866a6f..404ca057 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix @@ -3,17 +3,18 @@ let cfg = config.services.nix-daemon; - inherit (lib) mkDefault mkIf mkMerge mkOption types; + inherit (lib) mkRemovedOptionModule mkDefault mkIf mkMerge mkOption types; in { - options = { - services.nix-daemon.enable = mkOption { - type = types.bool; - default = config.nix.enable; - description = "Whether to enable the nix-daemon service."; - }; + imports = [ + (mkRemovedOptionModule [ "services" "nix-daemon" "enable" ] '' + nix-darwin now manages nix-daemon unconditionally when + `nix.enable` is on. + '') + ]; + options = { services.nix-daemon.enableSocketListener = mkOption { type = types.bool; default = false; @@ -39,7 +40,7 @@ in }; }; - config = mkIf cfg.enable { + config = mkIf config.nix.enable { launchd.daemons.nix-daemon = { command = lib.getExe' config.nix.package "nix-daemon"; diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix index 86dbd57c..f8f06e5d 100644 --- a/tests/services-nix-daemon.nix +++ b/tests/services-nix-daemon.nix @@ -6,7 +6,6 @@ let in { - services.nix-daemon.enable = true; nix.package = nix; launchd.labelPrefix = "org.nix-darwin"; # should not have an effect on nix-daemon diff --git a/tests/sockets-nix-daemon.nix b/tests/sockets-nix-daemon.nix index 606b7b6f..bafd6c10 100644 --- a/tests/sockets-nix-daemon.nix +++ b/tests/sockets-nix-daemon.nix @@ -5,7 +5,6 @@ let in { - services.nix-daemon.enable = true; services.nix-daemon.enableSocketListener = true; nix.package = nix; launchd.labelPrefix = "org.nix-darwin"; # should not have an effect on nix-daemon From fb2bc03f922d406621928a80b28225340cb2b070 Mon Sep 17 00:00:00 2001 
From: Emily Date: Tue, 28 Jan 2025 18:40:29 +0000 Subject: [PATCH 088/118] activation-scripts: add unmanaged system Nix to activation path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, the `bin` directory of the configured system is embedded in the `$PATH` of activation scripts, but not other elements of the default `environment.systemPath` like `/nix/var/nix/profiles/default/bin` or `/usr/local/bin`. This means that when nix-darwin is not managing the Nix installation, activation scripts like Home Manager’s that want to look up the system‐managed Nix can’t find it. Search for it on the entire `environment.systemPath` and add the appropriate directory if found. We leave the launchd `activate-system` daemon alone, because it has erroneously referred to `@out@/sw/bin` forever and therefore never got a Nix on the path to begin with. That’s a problem for another time. (The more ideal solution is probably for Home Manager activation to be driven by launchd or something, but that’s a longer‐term goal.) --- modules/system/activation-scripts.nix | 34 +++++++++++++++++++++++++-- tests/nix-enable.nix | 3 +++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index b95ea324..341e782e 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix 
@@ -13,6 +13,32 @@ let mkTextDerivation = name: text: pkgs.writeScript "activate-${name}" text; }; + activationPath = + lib.makeBinPath [ + pkgs.gnugrep + pkgs.coreutils + ] + + lib.optionalString (!config.nix.enable) '' + $( + # If `nix.enable` is off, there might be an unmanaged Nix + # installation (say in `/nix/var/nix/profiles/default`) that + # activation scripts (such as Home Manager) want to find on the + # `$PATH`. Search for it directly to avoid polluting the + # activation script environment with everything on the + # `environment.systemPath`. + if nixEnvPath=$( + PATH="${config.environment.systemPath}" command -v nix-env + ); then + printf ':' + ${lib.getExe' pkgs.coreutils "dirname"} -- "$( + ${lib.getExe' pkgs.coreutils "readlink"} \ + --canonicalize-missing \ + -- "$nixEnvPath" + )" + fi + )'' + + ":@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"; + in { @@ -40,7 +66,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ @@ -86,7 +114,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix index 4e7a1782..0828834f 100644 --- a/tests/nix-enable.nix +++ b/tests/nix-enable.nix @@ -10,5 +10,8 @@ printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + + printf >&2 'checking for late‐bound Nix lookup in /activate\n' + grep nixEnvPath= ${config.out}/activate ''; } From 03877755e9f67e584381ecde74ed2c030639aa0c Mon Sep 17 00:00:00 2001 
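Review bot: The directory that `command -v nix-env` resolves to is spliced into `PATH` ahead of `@out@/sw/bin`, `/usr/bin` and `/bin` in the root `activate` script (second hunk), and the only constraint on it is that it appears somewhere on `environment.systemPath`. If that path includes a directory an unprivileged user can write to — `/usr/local/bin` is commonly owned by the admin user on Homebrew machines, and I cannot tell from this hunk whether per-user profile entries are included — a planted `nix-env` there becomes an attacker-chosen directory at the front of root's `PATH` for every later command in activation. The `dirname`/`readlink` calls are correctly pinned to `pkgs.coreutils`, so the resolution step itself is safe; the gap is trusting the result. I would accept the directory only when root owns it and neither group nor other can write to it, as below; the `activationPath` binding continues past the first hunk's context.

```nix
          if nixEnvPath=$(
            PATH="${config.environment.systemPath}" command -v nix-env
          ); then
            nixBinDir=$(
              ${lib.getExe' pkgs.coreutils "dirname"} -- "$(
                ${lib.getExe' pkgs.coreutils "readlink"} \
                  --canonicalize-missing \
                  -- "$nixEnvPath"
              )"
            )
            # This directory ends up ahead of /usr/bin on root's PATH, so only
            # accept it when root owns it and neither group nor other can write.
            if [[ $(${lib.getExe' pkgs.coreutils "stat"} -c '%u %a' -- "$nixBinDir") =~ ^0\ [0-7]?[0-7][0145][0145]$ ]]; then
              printf ':%s' "$nixBinDir"
            fi
          fi
```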
From: Emily Date: Wed, 29 Jan 2025 15:48:54 +0000 Subject: [PATCH 089/118] checks: add check for Determinate This provides a more useful error message than the `/etc/nix/nix.conf` hash mismatch error that would otherwise occur. --- modules/system/checks.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index f13f7db9..9bbaf2c7 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -31,6 +31,24 @@ let fi ''; + determinate = '' + if [[ -e /usr/local/bin/determinate-nixd ]]; then + printf >&2 '\e[1;31merror: Determinate detected, aborting activation\e[0m\n' + printf >&2 'Determinate uses its own daemon to manage the Nix installation that\n' + printf >&2 'conflicts with nix-darwin’s native Nix management.\n' + printf >&2 '\n' + printf >&2 'To turn off nix-darwin’s management of the Nix installation, set:\n' + printf >&2 '\n' + printf >&2 ' nix.enable = false;\n' + printf >&2 '\n' + printf >&2 'This will allow you to use nix-darwin with Determinate. Some nix-darwin\n' + printf >&2 'functionality that relies on managing the Nix installation, like the\n' + printf >&2 '`nix.*` options to adjust Nix settings or configure a Linux builder,\n' + printf >&2 'will be unavailable.\n' + exit 2 + fi + ''; + preSequoiaBuildUsers = '' firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') if @@ -257,6 +275,7 @@ in system.checks.text = mkMerge [ (mkIf cfg.verifyMacOSVersion macOSVersion) + (mkIf config.nix.enable determinate) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf cfg.verifyBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) From 00a8cb30fa7d52681f3445de672db95479b83d8c Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 17:38:34 +0000 Subject: [PATCH 090/118] readme: update information about Determinate --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
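Review bot: The Determinate probe keys on a single fixed path, `[[ -e /usr/local/bin/determinate-nixd ]]`, and nothing in the hunk says this is a presence check rather than a check that the daemon is installed and running, so a binary left behind after Determinate has been removed will keep activation failing with advice that only says to set `nix.enable = false`. A one-line comment above the test would spare the next reader the guess, e.g. `# Presence of the daemon binary is the only signal used here; a leftover binary from a removed Determinate install trips this as well.`. I cannot tell from this hunk whether Determinate ever installs its daemon elsewhere, so a stronger launchd-based probe may be worth a follow-up but is not something these lines support.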
diff --git a/README.md b/README.md index b0f095a1..1a9900b1 100644 --- a/README.md +++ b/README.md @@ -11,11 +11,19 @@ nix-darwin is built up around [Nixpkgs](https://github.com/NixOS/nixpkgs), quite ## Prerequisites -The only prerequisite is a Nix implementation, both Nix and Lix are supported. +The only prerequisite is a Nix implementation; both Nix and Lix are supported. As the official Nix installer does not include an automated uninstaller, and manual uninstallation on macOS is a complex process, we recommend using one of the following installers instead: -- The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. **Make sure you use it without the `--determinate` flag**. The `--determinate` flag installs the Determinate Nix distribution which does not work out of the box with nix-darwin. +* The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. + It can install one of two distributions of Nix: + + * By default, it will install vanilla upstream [Nix](https://nixos.org/) with flakes enabled. + + * When run with the `--determinate` flag, it will install the [Determinate](https://docs.determinate.systems/) distribution. + As Determinate manages the Nix installation itself, you will need to set `nix.enable = false;` in your configuration to disable nix-darwin’s own Nix management. + Some nix-darwin functionality that relies on managing the Nix installation, like the `nix.*` options to adjust Nix settings or configure a Linux builder, will be unavailable. + * The [Lix installer](https://lix.systems/install/#on-any-other-linuxmacos-system) supports both flake-based and channel-based setups. From a2e44a84be1c6b951d1764a1d44fff37d8fc59f5 Mon Sep 17 00:00:00 2001 
From: Emily Date: Wed, 29 Jan 2025 21:41:43 +0000 Subject: [PATCH 091/118] changelog: document changes to Nix installation management --- CHANGELOG | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index ce169403..74591eff 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,15 @@ +2025-01-29 +- There is now a `nix.enable` toggle to disable management of the Nix + installation. Nix installation management has been made more + opinionated as a consequence; nix-darwin now only supports managing a + multi‐user daemon installation of Nix, and unconditionally takes + ownership of the nix-daemon launchd daemon and the `_nixbld*` build + users when Nix installation management is enabled. + + If the new constraints do not work with your setup, you can disable + the `nix.enable` option to opt out of Nix installation management + entirely; see the option documentation for caveats. + 2025-01-18 - The default configuration path for all new installations is `/etc/nix-darwin`. This was already the undocumented From c31b6e8a0305fee46238387a3462ec060e377500 Mon Sep 17 00:00:00 2001 
From: Emily Date: Thu, 30 Jan 2025 02:39:27 +0000 Subject: [PATCH 092/118] homebrew: use `mas` from Nixpkgs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, setting `homebrew.masApps` causes `"mas"` to automatically be added to `homebrew.brews`. Users who want to use Homebrew only for managing App Store apps and casks, like me, can override this by setting `homebrew.brews = lib.mkForce [ ];` and adding Nixpkgs’ `mas` to their `environment.systemPackages`. When the activation script path no longer depends on the built configuration’s `environment.systemPackages`, this will no longer work. Since this was originally added before `mas` was packaged in Nixpkgs and we now have a perfectly serviceable binary package, we can add it to the `$PATH` when invoking Homebrew and skip the automatic formula installation. As the Homebrew `bin` directory still comes first, users who specifically want the formula can restore the previous behaviour by explicitly adding `"mas"` to `homebrew.brews`. Closes: #1314 --- modules/homebrew.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/modules/homebrew.nix b/modules/homebrew.nix index d9751709..6f8cfcb9 100644 --- a/modules/homebrew.nix +++ b/modules/homebrew.nix @@ -708,9 +708,6 @@ in description = '' Applications to install from Mac App Store using {command}`mas`. - When this option is used, `"mas"` is automatically added to - [](#opt-homebrew.brews). - Note that you need to be signed into the Mac App Store for {command}`mas` to successfully install and upgrade applications, and that unfortunately apps removed from this option will not be uninstalled automatically even if @@ -768,8 +765,7 @@ in ]; homebrew.brews = - optional (cfg.masApps != { }) "mas" - ++ optional (cfg.whalebrews != [ ]) "whalebrew"; + optional (cfg.whalebrews != [ ]) "whalebrew"; homebrew.brewfile = "# Created by `nix-darwin`'s `homebrew` module\n\n" 
@@ -789,7 +785,8 @@ in # Homebrew Bundle echo >&2 "Homebrew bundle..." if [ -f "${cfg.brewPrefix}/brew" ]; then - PATH="${cfg.brewPrefix}":$PATH ${cfg.onActivation.brewBundleCmd} + PATH="${cfg.brewPrefix}:${lib.makeBinPath [ pkgs.mas ]}:$PATH" \ + ${cfg.onActivation.brewBundleCmd} else echo -e "\e[1;31merror: Homebrew is not installed, skipping...\e[0m" >&2 fi From fc9367a9ec8ce3527291fc3bfc1b12c0260bc676 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:14:24 +0000 Subject: [PATCH 093/118] nix-gc: check for `nix.enable` This was added to Nixpkgs in eb8b70c020e6693b29634660fa173d7f14f882eb. --- modules/services/nix-gc/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix index 44278e64..b8d5c4d9 100644 --- a/modules/services/nix-gc/default.nix +++ b/modules/services/nix-gc/default.nix @@ -56,13 +56,18 @@ in ###### implementation - config = mkIf cfg.automatic { + config = { + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.gc.automatic requires nix.enable''; + } + ]; - launchd.daemons.nix-gc = { + launchd.daemons.nix-gc = mkIf cfg.automatic { command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; serviceConfig.RunAtLoad = false; serviceConfig.StartCalendarInterval = cfg.interval; }; - }; } From 0176a5082ba8450e1480204a824ed188cdc81600 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:15:18 +0000 Subject: [PATCH 094/118] nix-optimise: check for `nix.enable` This was added to Nixpkgs in eb8b70c020e6693b29634660fa173d7f14f882eb. --- modules/services/nix-optimise/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/services/nix-optimise/default.nix b/modules/services/nix-optimise/default.nix index 4eefc480..addf0467 100644 --- a/modules/services/nix-optimise/default.nix +++ b/modules/services/nix-optimise/default.nix 
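Review bot: The new assertion message `nix.gc.automatic requires nix.enable` leaves the option names unquoted, while the `linux-builder`, `nixpkgs-flake` and service-module assertions added later in this series all write them as `` `x.y` requires `nix.enable` ``; `nix-optimise` in the next commit has the same inconsistency. For a uniform error style use `message = ''`nix.gc.automatic` requires `nix.enable`'';`. The `config` set begins outside the hunk.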
@@ -52,15 +52,20 @@ in ###### implementation - config = mkIf cfg.automatic { + config = { + assertions = [ + { + assertion = cfg.automatic -> config.nix.enable; + message = ''nix.optimise.automatic requires nix.enable''; + } + ]; - launchd.daemons.nix-optimise = { + launchd.daemons.nix-optimise = mkIf cfg.automatic { command = "${lib.getExe' config.nix.package "nix-store"} --optimise"; serviceConfig = { RunAtLoad = false; StartCalendarInterval = cfg.interval; }; }; - }; } From 7cca8f95f7761bff239066306148714e560cbc2e Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:25:18 +0000 Subject: [PATCH 095/118] linux-builder: check for `nix.enable` --- modules/nix/linux-builder.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix index ae39547f..36a41310 100644 --- a/modules/nix/linux-builder.nix +++ b/modules/nix/linux-builder.nix @@ -160,6 +160,13 @@ in }; config = mkIf cfg.enable { + assertions = [ + { + assertion = config.nix.enable; + message = ''`nix.linux-builder.enable` requires `nix.enable`''; + } + ]; + system.activationScripts.preActivation.text = '' mkdir -p ${cfg.workingDirectory} ''; From 147ed950e382ef45d083f060b4529df817077069 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:28:56 +0000 Subject: [PATCH 096/118] nixpkgs-flake: check for `nix.enable` --- modules/nix/nixpkgs-flake.nix | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/modules/nix/nixpkgs-flake.nix b/modules/nix/nixpkgs-flake.nix index bb7c1b0a..bc00c78d 100644 --- a/modules/nix/nixpkgs-flake.nix +++ b/modules/nix/nixpkgs-flake.nix 
@@ -37,8 +37,8 @@ in setNixPath = mkOption { type = types.bool; - default = cfg.source != null; - defaultText = "config.nixpkgs.flake.source != null"; + default = config.nix.enable && cfg.source != null; + defaultText = literalExpression ''config.nix.enable && nixpkgs.flake.source != null''; description = '' Whether to set {env}`NIX_PATH` to include `nixpkgs=flake:nixpkgs` such that `` @@ -57,8 +57,8 @@ in setFlakeRegistry = mkOption { type = types.bool; - default = cfg.source != null; - defaultText = "config.nixpkgs.flake.source != null"; + default = config.nix.enable && cfg.source != null; + defaultText = literalExpression ''config.nix.enable && config.nixpkgs.flake.source != null''; description = '' Whether to pin nixpkgs in the system-wide flake registry (`/etc/nix/registry.json`) to the @@ -85,6 +85,18 @@ in be set, since it is implemented in terms of indirection through the flake registry. ''; } + + # TODO: Upstream these to NixOS. + + { + assertion = cfg.setNixPath -> config.nix.enable; + message = ''`nixpkgs.flake.setNixPath` requires `nix.enable`''; + } + + { + assertion = cfg.setFlakeRegistry -> config.nix.enable; + message = ''`nixpkgs.flake.setFlakeRegistry` requires `nix.enable`''; + } ]; } (mkIf cfg.setFlakeRegistry { From 57c93ffe6cbb627e5c9d10ceae7b31e68ba945ac Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:31:28 +0000 Subject: [PATCH 097/118] hercules-ci-agent: check for `nix.enable` --- modules/services/hercules-ci-agent/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix index 39125065..47368294 100644 --- a/modules/services/hercules-ci-agent/default.nix +++ b/modules/services/hercules-ci-agent/default.nix 
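Review bot: The `defaultText` for `setNixPath` reads `config.nix.enable && nixpkgs.flake.source != null`, dropping the `config.` prefix that the `setFlakeRegistry` text in the next hunk keeps (`config.nix.enable && config.nixpkgs.flake.source != null`), so the rendered docs would show an expression that does not evaluate as written. Use the same form for both: `defaultText = literalExpression ''config.nix.enable && config.nixpkgs.flake.source != null'';`. The enclosing `options` set starts outside the hunk.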
@@ -22,6 +22,14 @@ in }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.hercules-ci-agent.enable` requires `nix.enable`''; + } + ]; + launchd.daemons.hercules-ci-agent = { script = "exec ${cfg.package}/bin/hercules-ci-agent --config ${cfg.tomlFile}"; From aba0c60ebab549f69ece1622d99ffc5e6ad81af3 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:41:14 +0000 Subject: [PATCH 098/118] lorri: check for `nix.enable` --- modules/services/lorri.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/services/lorri.nix b/modules/services/lorri.nix index 0c123004..c4e1acee 100644 --- a/modules/services/lorri.nix +++ b/modules/services/lorri.nix @@ -29,6 +29,14 @@ in }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.lorri.enable` requires `nix.enable`''; + } + ]; + environment.systemPackages = [ pkgs.lorri ]; launchd.user.agents.lorri = { command = with pkgs; "${lorri}/bin/lorri daemon"; @@ -43,4 +51,4 @@ in }; }; }; -} \ No newline at end of file +} From f4e2805e19f84420538590ff4e91b1bfa2e79784 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:49:48 +0000 Subject: [PATCH 099/118] ofborg: check for `nix.enable` --- modules/services/ofborg/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/ofborg/default.nix b/modules/services/ofborg/default.nix index 8959cc84..acd6974f 100644 --- a/modules/services/ofborg/default.nix +++ b/modules/services/ofborg/default.nix @@ -46,6 +46,13 @@ in }; config = mkIf cfg.enable { + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.ofborg.enable` requires `nix.enable`''; + } + ]; + warnings = mkIf (isDerivation cfg.configFile) [ "services.ofborg.configFile is a derivation, credentials will be world readable" ]; 
From e3bde1588bc6b4cf774197228330139338a4a12c Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:51:42 +0000 Subject: [PATCH 100/118] github-runner: check for `nix.enable` --- modules/services/github-runner/service.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix index 029f863e..3668a721 100644 --- a/modules/services/github-runner/service.nix +++ b/modules/services/github-runner/service.nix @@ -13,6 +13,11 @@ in { config.assertions = flatten ( flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [ + # TODO: Upstream this to NixOS. + { + assertion = config.nix.enable; + message = ''`services.github-runners.${name}.enable` requires `nix.enable`''; + } { assertion = (cfg.user == null && cfg.group == null) || (cfg.user != null); message = "`services.github-runners.${name}`: Either set `user` and `group` to `null` to have nix-darwin manage them or set at least `user` explicitly"; From 42e16f31c6faf29a51a2aa15aeff64934bf5d157 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 10 Feb 2025 19:53:25 +0000 Subject: [PATCH 101/118] cachix-agent: check for `nix.enable` --- modules/services/cachix-agent.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/cachix-agent.nix b/modules/services/cachix-agent.nix index d9e4a909..508261af 100644 --- a/modules/services/cachix-agent.nix +++ b/modules/services/cachix-agent.nix @@ -51,6 +51,14 @@ in { }; config = mkIf cfg.enable { + # TODO: Upstream this to NixOS. + assertions = [ + { + assertion = config.nix.enable; + message = ''`services.cachix-agent.enable` requires `nix.enable`''; + } + ]; + launchd.daemons.cachix-agent = { script = '' . ${cfg.credentialsFile} From d677e3e844e21789c6f39a90aacadf6dc777ca42 Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 10 Feb 2025 20:14:17 +0000 Subject: [PATCH 102/118] nix-tools: only pass `config.nix.nixPath` through if `nix.enable` --- modules/nix/nix-darwin.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index a064f49a..9c78f3a6 100644 --- a/modules/nix/nix-darwin.nix +++ b/modules/nix/nix-darwin.nix @@ -4,7 +4,7 @@ let nix-tools = pkgs.callPackage ../../pkgs/nix-tools { inherit (config.system) profile; inherit (config.environment) systemPath; - nixPath = lib.concatStringsSep ":" config.nix.nixPath; + nixPath = lib.optionalString config.nix.enable (lib.concatStringsSep ":" config.nix.nixPath); }; darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; From cd445c546561d5ca4e9124cb4668ce80939ac0c9 Mon Sep 17 00:00:00 2001 
From: Emily Date: Mon, 10 Feb 2025 20:54:52 +0000 Subject: [PATCH 103/118] nix: catch reads of unmanaged defaults MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When we’re not managing the Nix installation, these defaults aren’t used out of the box and won’t accurately represent the state of any unmanaged Nix or the desired Nix package, so reading the option defaults is a bug. This was previously a warning for `nix.package` and a silent failure for all the others. Now that all the problematic accesses in nix-darwin have been appropriately conditionalized, and since a throw gives a backtrace where a warning doesn’t, give throwing defaults to all the `nix.*` options that don’t reflect reality and that that modules shouldn’t be reading when `nix.enable` is off. I’m not in love with the implementation strategy here… ideally we’d think of something better than this and then upstream it to NixOS. `nix.nrBuildUsers` growing a fake default that is never used is particularly unfortunate. But this should hopefully catch mistakes in module code reasonably reliably. --- modules/nix/default.nix | 43 +++++++++++++++++++++++++---------------- tests/nix-enable.nix | 1 - 2 files changed, 26 insertions(+), 18 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b201a692..270bae43 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -156,6 +156,14 @@ let }) ]; + managedDefault = name: default: { + default = if cfg.enable then default else throw '' + ${name}: accessed when `nix.enable` is off; this is a bug in + nix-darwin or a third‐party module + ''; + defaultText = default; + }; + in { 
@@ -221,9 +229,7 @@ in package = mkOption { type = types.package; - default = warnIf (!cfg.enable) - "nix.package: accessed when `nix.enable` is off; this is a bug" - pkgs.nix; + inherit (managedDefault "nix.package" pkgs.nix) default; defaultText = literalExpression "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. @@ -232,7 +238,7 @@ in distributedBuilds = mkOption { type = types.bool; - default = false; + inherit (managedDefault "nix.distributedBuilds" false) default defaultText; description = '' Whether to distribute builds to the machines listed in {option}`nix.buildMachines`. @@ -242,7 +248,7 @@ in # Not in NixOS module daemonProcessType = mkOption { type = types.enum [ "Background" "Standard" "Adaptive" "Interactive" ]; - default = "Standard"; + inherit (managedDefault "nix.daemonProcessType" "Standard") default defaultText; description = '' Nix daemon process resource limits class. These limits propagate to build processes. `Standard` is the default process type @@ -257,7 +263,7 @@ in # Not in NixOS module daemonIOLowPriority = mkOption { type = types.bool; - default = false; + inherit (managedDefault "nix.daemonIOLowPriority" false) default defaultText; description = '' Whether the Nix daemon process should considered to be low priority when doing file system I/O. @@ -385,7 +391,7 @@ in }; }; }); - default = [ ]; + inherit (managedDefault "nix.buildMachines" [ ]) default defaultText; description = '' This option lists the machines to be used if distributed builds are enabled (see {option}`nix.distributedBuilds`). 
@@ -399,12 +405,13 @@ in envVars = mkOption { type = types.attrs; internal = true; - default = { }; + inherit (managedDefault "nix.envVars" { }) default defaultText; description = "Environment variables used by Nix."; }; nrBuildUsers = mkOption { type = types.int; + inherit (managedDefault "nix.nrBuildUsers" 0) default defaultText; description = '' Number of `nixbld` user accounts created to perform secure concurrent builds. If you receive an error @@ -432,11 +439,13 @@ in # Definition differs substantially from NixOS module nixPath = mkOption { type = nixPathType; - default = lib.optionals cfg.channel.enable [ - # Include default path . - { darwin-config = "${config.environment.darwinConfig}"; } - "/nix/var/nix/profiles/per-user/root/channels" - ]; + inherit (managedDefault "nix.nixPath" ( + lib.optionals cfg.channel.enable [ + # Include default path . + { darwin-config = "${config.environment.darwinConfig}"; } + "/nix/var/nix/profiles/per-user/root/channels" + ] + )) default; defaultText = lib.literalExpression '' lib.optionals cfg.channel.enable [ @@ -458,7 +467,7 @@ in checkConfig = mkOption { type = types.bool; - default = true; + inherit (managedDefault "nix.checkConfig" true) default defaultText; description = '' If enabled (the default), checks for data type mismatches and that Nix can parse the generated nix.conf. @@ -519,7 +528,7 @@ in }; } )); - default = { }; + inherit (managedDefault "nix.registry" { }) default defaultText; description = '' A system-wide flake registry. ''; @@ -527,7 +536,7 @@ in extraOptions = mkOption { type = types.lines; - default = ""; + inherit (managedDefault "nix.extraOptions" "") default defaultText; example = '' keep-outputs = true keep-derivations = true @@ -696,7 +705,7 @@ in }; }; }; - default = { }; + inherit (managedDefault "nix.settings" { }) default defaultText; description = '' Configuration for Nix, see diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix index 0828834f..e052aa2f 100644 --- a/tests/nix-enable.nix 
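Review bot: For `nix.nrBuildUsers` the inherited `defaultText` is the placeholder `0`, so the manual would document a default of 0 that the commit message itself says is never used, while the effective value comes from a config block outside this hunk. Inherit only `default` here, as the `nix.package` hunk does, and set `defaultText = lib.literalMD "Computed from \`nix.settings.max-jobs\` when \`nix.enable\` is on";` (wording to be confirmed against the actual definition). A short comment on the `0`, e.g. `# placeholder only; the real value is defined in the config section below`, would also stop a reader from taking it as meaningful.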
+++ b/tests/nix-enable.nix @@ -2,7 +2,6 @@ { nix.enable = false; - nix.package = throw "`nix.package` used when `nix.enable` is turned off"; test = '' printf >&2 'checking for unexpected Nix binary in /sw/bin\n' From 731910af010086c4dbe23eb6ae79d81bcec703aa Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 11 Feb 2025 19:46:21 +0000 Subject: [PATCH 104/118] {activation-scripts,activate-system}: check `gcroots` before linking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When `nix.enable` is off, we don’t necessarily have an active Nix installation, so there won’t necessarily be an active `/nix/var/nix/gcroots` directory to link things into. NixOS just skips this unconditionally when `nix.enable` is off, but that doesn’t work well with a context in which we usually expect `nix.enable` to be coupled with an unmanaged system installation of Nix. --- modules/services/activate-system/default.nix | 4 +++- modules/system/activation-scripts.nix | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix index d8d86831..df0b48e4 100644 --- a/modules/services/activate-system/default.nix +++ b/modules/services/activate-system/default.nix @@ -21,7 +21,9 @@ ln -sfn $(cat ${config.system.profile}/systemConfig) /run/current-system # Prevent the current configuration from being garbage-collected. - ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + if [[ -d /nix/var/nix/gcroots ]]; then + ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + fi ${config.system.activationScripts.etcChecks.text} ${config.system.activationScripts.etc.text} diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 341e782e..c8ad20ad 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix 
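Review bot: When `/nix/var/nix/gcroots` is missing the new guard skips registering the GC root without any trace, so a managed installation whose state directory is absent for some other reason would silently leave the current system unprotected from `nix-collect-garbage`. Print something in the negative case, e.g. `else echo "skipping GC root: /nix/var/nix/gcroots not found" >&2`, so the omission is visible in the activation log. The same applies to the identical hunk in modules/system/activation-scripts.nix that follows; the enclosing activation script text starts and ends outside both hunks.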
@@ -106,7 +106,9 @@ in ln -sfn "$(readlink -f "$systemConfig")" /run/current-system # Prevent the current configuration from being garbage-collected. - ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + if [[ -d /nix/var/nix/gcroots ]]; then + ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + fi ''; # FIXME: activationScripts.checks should be system level From 5926058aecd67ec1bf5030b5a419c260876ea9ba Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 14 Feb 2025 16:33:12 +0400 Subject: [PATCH 105/118] nix: place `extra-`prefixed settings after their non-prefixed variants Fixes #626. Essentially a copy of NixOS's workaround: https://github.com/NixOS/nixpkgs/pull/278064 --- modules/nix/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index b201a692..eeaf47bd 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -51,13 +51,16 @@ let mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + isExtra = key: hasPrefix "extra-" key; + in pkgs.writeTextFile { name = "nix.conf"; text = '' # WARNING: this file is generated from the nix.* options in # your nix-darwin configuration. Do not edit it! - ${mkKeyValuePairs cfg.settings} + ${mkKeyValuePairs (filterAttrs (key: value: !(isExtra key)) cfg.settings)} + ${mkKeyValuePairs (filterAttrs (key: value: isExtra key) cfg.settings)} ${cfg.extraOptions} ''; checkPhase = From 02ba211ea19fb4e5a5da2e24a6ebbed526f5231d Mon Sep 17 00:00:00 2001 From: Austin Horstman Date: Thu, 21 Nov 2024 15:18:31 -0600 Subject: [PATCH 106/118] dock: allow setting tile-types You can create spacer tiles in the dock by passing empty tile-data with specific tile-types --- modules/system/defaults/dock.nix | 12 ++++++++---- .../system-defaults-write/activate-user.txt | 16 ++++++++++++++++ tests/system-defaults-write.nix | 2 +- 3 files changed, 25 insertions(+), 5 deletions(-) 
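Review bot: In the nix.conf hunk the two `filterAttrs` lambdas bind a `value` parameter they never use, and `isExtra` merely re-wraps `hasPrefix`; tightening them to `isExtra = hasPrefix "extra-";` and `filterAttrs (key: _: !isExtra key) cfg.settings` / `filterAttrs (key: _: isExtra key) cfg.settings` reads more directly. A comment on why the split exists would save the next reader a trip to the linked nixpkgs PR: `# extra-* settings must follow their base setting or Nix ignores them`. The generated file now contains a blank line between the two groups, which is harmless but worth knowing when diffing against the old output.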
diff --git a/modules/system/defaults/dock.nix b/modules/system/defaults/dock.nix index bba0afb7..8eaf5ca8 100644 --- a/modules/system/defaults/dock.nix +++ b/modules/system/defaults/dock.nix @@ -134,10 +134,14 @@ in { description = '' Persistent applications in the dock. ''; - apply = value: - if !(isList value) - then value - else map (app: { tile-data = { file-data = { _CFURLString = app; _CFURLStringType = 0; }; }; }) value; + apply = + let + tileTypes = ["spacer-tile" "small-spacer-tile"]; + toSpecialTile = type: { tile-data = {}; tile-type = type; }; + toAppTile = cfurl: { tile-data = { file-data = { _CFURLString = cfurl; _CFURLStringType = 0; }; }; }; + toTile = s: if elem s tileTypes then toSpecialTile s else toAppTile s; + in + value: if isList value then map toTile value else value; }; system.defaults.dock.persistent-others = mkOption { diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index eda37537..aa605002 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -273,6 +273,22 @@ defaults write com.apple.dock 'persistent-apps' $' + + tile-data + + + + tile-type + small-spacer-tile + + + tile-data + + + + tile-type + spacer-tile +
' defaults write com.apple.dock 'persistent-others' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 0b8bc030..3f69c0bd 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix @@ -50,7 +50,7 @@ system.defaults.dock.appswitcher-all-displays = false; system.defaults.dock.autohide-delay = 0.24; system.defaults.dock.orientation = "left"; - system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app"]; + system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app" "small-spacer-tile" "spacer-tile"]; system.defaults.dock.persistent-others = ["~/Documents" "~/Downloads/file.txt"]; system.defaults.dock.scroll-to-open = false; system.defaults.finder.AppleShowAllFiles = true; From e21d07988b30adbd5b77d16f9fa40b7d5fc00a09 Mon Sep 17 00:00:00 2001 From: Austin Horstman Date: Tue, 17 Dec 2024 18:44:48 -0600 Subject: [PATCH 107/118] dock: refactor persistent-apps option --- modules/system/defaults/dock.nix | 68 ++++++++++++++++--- .../system-defaults-write/activate-user.txt | 32 ++++++++- tests/system-defaults-write.nix | 9 ++- 3 files changed, 98 insertions(+), 11 deletions(-) diff --git a/modules/system/defaults/dock.nix b/modules/system/defaults/dock.nix index 8eaf5ca8..d88b6afa 100644 --- a/modules/system/defaults/dock.nix +++ b/modules/system/defaults/dock.nix 
@@ -128,20 +128,72 @@ in { }; system.defaults.dock.persistent-apps = mkOption { - type = types.nullOr (types.listOf (types.either types.path types.str)); + type = let + taggedType = types.attrTag { + app = mkOption { + description = "An application to be added to the dock."; + type = types.str; + }; + file = mkOption { + description = "A file to be added to the dock."; + type = types.str; + }; + folder = mkOption { + description = "A folder to be added to the dock."; + type = types.str; + }; + spacer = mkOption { + description = "A spacer to be added to the dock. Can be small or regular size."; + type = types.submodule { + options.small = mkOption { + description = "Whether the spacer is small."; + type = types.bool; + default = false; + }; + }; + }; + }; + + simpleType = types.either types.str types.path; + toTagged = path: { app = path; }; + in + types.nullOr (types.listOf (types.coercedTo simpleType toTagged taggedType)); default = null; - example = [ "/Applications/Safari.app" "/System/Applications/Utilities/Terminal.app" ]; + example = [ + { app = "/Applications/Safari.app"; } + { spacer = { small = false; }; } + { spacer = { small = true; }; } + { folder = "/System/Applications/Utilities"; } + { file = "/User/example/Downloads/test.csv"; } + ]; description = '' - Persistent applications in the dock. + Persistent applications, spacers, files, and folders in the dock. ''; apply = let - tileTypes = ["spacer-tile" "small-spacer-tile"]; - toSpecialTile = type: { tile-data = {}; tile-type = type; }; - toAppTile = cfurl: { tile-data = { file-data = { _CFURLString = cfurl; _CFURLStringType = 0; }; }; }; - toTile = s: if elem s tileTypes then toSpecialTile s else toAppTile s; + toTile = item: if item ? app then { + tile-data.file-data = { + _CFURLString = item.app; + _CFURLStringType = 0; + }; + } else if item ? spacer then { + tile-data = { }; + tile-type = if item.spacer.small then "small-spacer-tile" else "spacer-tile"; + } else if item ? 
folder then { + tile-data.file-data = { + _CFURLString = "file://" + item.folder; + _CFURLStringType = 15; + }; + tile-type = "directory-tile"; + } else if item ? file then { + tile-data.file-data = { + _CFURLString = "file://" + item.file; + _CFURLStringType = 15; + }; + tile-type = "file-tile"; + } else item; in - value: if isList value then map toTile value else value; + value: if value == null then null else map toTile value; }; system.defaults.dock.persistent-others = mkOption { diff --git a/tests/fixtures/system-defaults-write/activate-user.txt b/tests/fixtures/system-defaults-write/activate-user.txt index aa605002..7162a414 100644 --- a/tests/fixtures/system-defaults-write/activate-user.txt +++ b/tests/fixtures/system-defaults-write/activate-user.txt @@ -255,7 +255,7 @@ defaults write com.apple.dock 'persistent-apps' $'file-data _CFURLString - MyApp.app + /Applications/MyApp.app _CFURLStringType 0 @@ -267,7 +267,7 @@ defaults write com.apple.dock 'persistent-apps' $'file-data _CFURLString - Cool.app + /Applications/Cool.app _CFURLStringType 0 @@ -289,6 +289,34 @@ defaults write com.apple.dock 'persistent-apps' $'tile-type spacer-tile + + tile-data + + file-data + + _CFURLString + file:///Applications/Utilities + _CFURLStringType + 15 + + + tile-type + directory-tile + + + tile-data + + file-data + + _CFURLString + file:///Users/example/Downloads/test.csv + _CFURLStringType + 15 + + + tile-type + file-tile + ' defaults write com.apple.dock 'persistent-others' $' diff --git a/tests/system-defaults-write.nix b/tests/system-defaults-write.nix index 3f69c0bd..19ce3c4f 100644 --- a/tests/system-defaults-write.nix +++ b/tests/system-defaults-write.nix 
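Review bot: `"file://" + item.folder` and `"file://" + item.file` build the CFURL string by plain concatenation, so a path containing a space or other URL-reserved character yields a URL that presumably does not match what the Dock itself writes — worth verifying with a path such as `/Applications/My Tools` and percent-encoding if needed. The `_CFURLStringType` values also need a comment, since the code only shows the pairing: `# 0 pairs with a bare filesystem path, 15 with a file:// URL`. The trailing `else item` is unreachable given the `attrTag` type; raising instead, e.g. `else throw "persistent-apps: unknown tile ${toString (attrNames item)}"`, would surface a future tag without a tile mapping rather than passing an unconverted attrset to `defaults write`. The `mkOption` block starts before this hunk's first visible line.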
@@ -50,7 +50,14 @@ system.defaults.dock.appswitcher-all-displays = false; system.defaults.dock.autohide-delay = 0.24; system.defaults.dock.orientation = "left"; - system.defaults.dock.persistent-apps = ["MyApp.app" "Cool.app" "small-spacer-tile" "spacer-tile"]; + system.defaults.dock.persistent-apps = [ + "/Applications/MyApp.app" + { app = "/Applications/Cool.app"; } + { spacer = { small = true; }; } + { spacer = { small = false; }; } + { folder = "/Applications/Utilities"; } + { file = "/Users/example/Downloads/test.csv"; } + ]; system.defaults.dock.persistent-others = ["~/Documents" "~/Downloads/file.txt"]; system.defaults.dock.scroll-to-open = false; system.defaults.finder.AppleShowAllFiles = true; From c9c2d40f7172747823dc9c5ab16b9bb541cf3c0d Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:46:40 +0700 Subject: [PATCH 108/118] pam: remove `with lib;` --- modules/security/pam.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 69b4c37e..2e091b98 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.security.pam; @@ -39,7 +37,7 @@ in { options = { - security.pam.enableSudoTouchIdAuth = mkEnableOption "" // { + security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { description = '' Enable sudo authentication with Touch ID. From bde9fa6f64211dc8bc9717fb37463e65de238b08 Mon Sep 17 00:00:00 2001 
From: ibizaman Date: Wed, 4 Dec 2024 08:50:08 +0100 Subject: [PATCH 109/118] add networking.hosts and .hostFiles from nixos --- .github/workflows/test.yml | 5 +- ...2596c5b54026b9a894fa481381ffd399b556c0e2da | 9 +++ modules/networking/default.nix | 76 ++++++++++++++++++- release.nix | 1 + tests/networking-hosts.nix | 20 +++++ 5 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da create mode 100644 tests/networking-hosts.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d87b7636..8eab6d35 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,12 +47,14 @@ jobs: sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) + etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ + environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ]; \ nix.nixPath = \ [ { darwin = \"${PWD////\/}\"; } ] \ ++ options.nix.nixPath.default; \ 
@@ -102,8 +104,9 @@ jobs: pushd /etc/nix-darwin sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) + etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ + "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ];/" \ flake.nix sudo /usr/bin/sed -i.bak \ 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ diff --git a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da new file mode 100644 index 00000000..34d00684 --- /dev/null +++ b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da @@ -0,0 +1,9 @@ +## +# Host Database +# +# localhost is used to configure the loopback interface +# when the system is booting. Do not change this entry. +## +127.0.0.1 localhost +255.255.255.255 broadcasthost +::1 localhost diff --git a/modules/networking/default.nix b/modules/networking/default.nix index b53a9e4a..9b697590 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -22,6 +22,8 @@ let esac '') cfg.knownNetworkServices} ''; + + localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); in { 
@@ -105,9 +107,50 @@ in Battery powered devices may require being connected to power. ''; }; + + networking.hosts = lib.mkOption { + type = types.attrsOf (types.listOf types.str); + example = literalExpression '' + { + "127.0.0.1" = [ "foo.bar.baz" ]; + "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; + }; + ''; + description = '' + Locally defined maps of hostnames to IP addresses. + ''; + default = {}; + }; + + networking.hostFiles = lib.mkOption { + type = types.listOf types.path; + defaultText = literalMD "Hosts from {option}`networking.hosts` and {option}`networking.extraHosts`"; + example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]''; + description = '' + Files that should be concatenated together to form {file}`/etc/hosts`. + ''; + }; + + networking.extraHosts = lib.mkOption { + type = types.lines; + default = ""; + example = "192.168.0.1 lanlocalhost"; + description = '' + Additional verbatim entries to be appended to {file}`/etc/hosts`. + For adding hosts from derivation results, use {option}`networking.hostFiles` instead. + ''; + }; }; config = { + assertions = [{ + assertion = !localhostMultiple; + message = '' + `networking.hosts` maps "localhost" to something other than "127.0.0.1" + or "::1". This will break some applications. Please use + `networking.extraHosts` if you really want to add such a mapping. + ''; + }]; warnings = [ (mkIf (cfg.knownNetworkServices == [] && cfg.dns != []) "networking.knownNetworkServices is empty, dns servers will not be configured.") 
@@ -134,5 +177,36 @@ in ''} ''; + networking.hostFiles = let + # Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1 + # resolves back to "localhost" (as some applications assume) instead of + # the FQDN! + localhostHosts = pkgs.writeText "localhost-hosts" '' + ## + # Host Database + # + # localhost is used to configure the loopback interface + # when the system is booting. Do not change this entry. + ## + 127.0.0.1 localhost + 255.255.255.255 broadcasthost + ::1 localhost + ''; + stringHosts = + let + oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n"; + allToString = set: concatMapStrings (oneToString set) (attrNames set); + in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts)); + extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts; + in mkBefore [ localhostHosts stringHosts extraHosts ]; + + environment.etc.hosts = { + knownSha256Hashes = [ + # Comes from MacOS: Darwin 24.1.0 Darwin Kernel Version 24.1.0. + "c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da" + ]; + + source = pkgs.concatText "hosts" cfg.hostFiles; + }; }; } diff --git a/release.nix b/release.nix index 115025ee..10856525 100644 --- a/release.nix +++ b/release.nix @@ -86,6 +86,7 @@ in { tests.launchd-daemons = makeTest ./tests/launchd-daemons.nix; tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; + tests.networking-hosts = makeTest ./tests/networking-hosts.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; diff --git a/tests/networking-hosts.nix b/tests/networking-hosts.nix new file mode 100644 index 00000000..2d73946e --- /dev/null +++ b/tests/networking-hosts.nix 
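Review bot: `environment.etc.hosts.knownSha256Hashes` lists a single hash (the Darwin 24.1.0 stock file), so on any macOS release whose shipped /etc/hosts differs the etc check will refuse to replace the file and activation stops — the workflow hunk in this same patch has to inject the runner's own hash to get past it. Either collect the hashes of the supported releases under doc/known-files or say in the `networking.hosts` description that an unrecognised /etc/hosts must be moved aside first. `networking.hosts` also accepts arbitrary strings, so a hostname containing whitespace or a newline would be written through `oneToString` as extra /etc/hosts entries; `types.listOf (types.strMatching "[^[:space:]]+")` would reject that at evaluation time. Note this whole patch is reverted in PATCH 113 further down the page, with the later commit stating that the Network framework does not follow a symlinked /etc/hosts.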
@@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +{ + networking.hosts = { + "127.0.0.1" = [ "my.super.host" ]; + "10.0.0.1" = [ "my.super.host" "my.other.host" ]; + }; + + test = '' + set -v + echo checking /etc/hosts file >&2 + + file=${config.out}/etc/hosts + + grep '127.0.0.1' $file | head -n1 | grep localhost$ + grep '127.0.0.1' $file | tail -n1 | grep my.super.host$ + grep '::1' $file | grep localhost$ + grep '10.0.0.1' $file | grep my.super.host\ my.other.host$ + ''; +} From 47f263077ee53de95a1c35eb6892665d77ce6165 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:51:32 +0700 Subject: [PATCH 110/118] pam: switch to using `sudo_local` file Co-Authored-By: Andrew Lubawy --- modules/security/pam.nix | 110 ++++++++++++++++++++++----------------- 1 file changed, 61 insertions(+), 49 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 2e091b98..58dff015 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix 
@@ -1,67 +1,79 @@ { config, lib, pkgs, ... }: let - cfg = config.security.pam; - - # Implementation Notes - # - # We don't use `environment.etc` because this would require that the user manually delete - # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires - # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the - # changes again after OS updates (which remove modifications to this file). - # - # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the - # added line that includes the name of the option, to make it easier to identify the line that - # should be deleted when the option is disabled. - mkSudoTouchIdAuthScript = isEnabled: - let - file = "/etc/pam.d/sudo"; - option = "security.pam.enableSudoTouchIdAuth"; - sed = "${pkgs.gnused}/bin/sed"; - in '' - ${if isEnabled then '' - # Enable sudo Touch ID authentication, if not already enabled - if ! grep 'pam_tid.so' ${file} > /dev/null; then - ${sed} -i '2i\ - auth sufficient pam_tid.so # nix-darwin: ${option} - ' ${file} - fi - '' else '' - # Disable sudo Touch ID authentication, if added by nix-darwin - if grep '${option}' ${file} > /dev/null; then - ${sed} -i '/${option}/d' ${file} - fi - ''} - ''; + cfg = config.security.pam.services.sudo_local; in - { + imports = [ + (lib.mkRemovedOptionModule [ "security" "pam" "enableSudoTouchIdAuth" ] '' + This option has been renamed to `security.pam.services.sudo_local.touchIdAuth` for consistency with NixOS. + '') + ]; + options = { - security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { - description = '' - Enable sudo authentication with Touch ID. 
+ security.pam.services.sudo_local = { + enable = lib.mkEnableOption "managing {file}`/etc/pam.d/sudo_local` with nix-darwin" // { + default = true; + example = false; + }; - When enabled, this option adds the following line to - {file}`/etc/pam.d/sudo`: + text = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Contents of {file}`/etc/pam.d/sudo_local` + ''; + }; - ``` - auth sufficient pam_tid.so - ``` + touchIdAuth = lib.mkEnableOption "" // { + description = '' + Whether to enable Touch ID with sudo. - ::: {.note} - macOS resets this file when doing a system update. As such, sudo - authentication with Touch ID won't work after a system update - until the nix-darwin configuration is reapplied. - ::: - ''; + This will also allow your Apple Watch to be used for sudo. If this doesn't work, + you can go into `System Settings > Touch ID & Password` and toggle the switch for + your Apple Watch. + ''; + }; }; }; config = { - system.activationScripts.pam.text = '' + security.pam.services.sudo_local.text = lib.optionalString cfg.touchIdAuth "auth sufficient pam_tid.so"; + + environment.etc."pam.d/sudo_local" = { + inherit (cfg) enable text; + }; + + system.activationScripts.pam.text = + let + file = "/etc/pam.d/sudo"; + marker = "security.pam.services.sudo_local"; + deprecatedOption = "security.pam.enableSudoTouchIdAuth"; + sed = lib.getExe pkgs.gnused; + in + '' # PAM settings echo >&2 "setting up pam..." - ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth} + + # REMOVEME when macOS 13 no longer supported as macOS automatically + # nukes this file on system upgrade + # Always clear out older implementation if it is present + if grep '${deprecatedOption}' ${file} > /dev/null; then + ${sed} -i '/${deprecatedOption}/d' ${file} + fi + + ${if cfg.enable then '' + # REMOVEME when macOS 13 no longer supported + # `sudo_local` is automatically included after macOS 14 + if ! 
grep 'sudo_local' ${file} > /dev/null; then + ${sed} -i '2iauth include sudo_local # nix-darwin: ${marker}' ${file} + fi + '' else '' + # Remove include line if we added it + if grep '${marker}' ${file} > /dev/null; then + ${sed} -i '/${marker}/d' ${file} + fi + ''} ''; }; } From 11ea44f3e20737004f7c0f1d27354b9d7a79c2f5 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 20 Feb 2025 17:52:40 +0700 Subject: [PATCH 111/118] pam: add `pam_reattach` support Co-Authored-By: Andrew Lubawy --- modules/security/pam.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 58dff015..1ecea923 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -34,11 +34,26 @@ in your Apple Watch. ''; }; + + reattach = lib.mkEnableOption "" // { + description = '' + Whether to enable reattaching a program to the user's bootstrap session. + + This fixes Touch ID for sudo not working inside tmux and screen. + + This allows programs like tmux and screen that run in the background to + survive across user sessions to work with PAM services that are tied to the + bootstrap session. + ''; + }; }; }; config = { - security.pam.services.sudo_local.text = lib.optionalString cfg.touchIdAuth "auth sufficient pam_tid.so"; + security.pam.services.sudo_local.text = lib.concatLines ( + (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") + ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so") + ); environment.etc."pam.d/sudo_local" = { inherit (cfg) enable text; From 727119f8c7420879e83ffc310b8c1f4fa2800c11 Mon Sep 17 00:00:00 2001 From: Coosis <1159727122@qq.com> Date: Tue, 25 Feb 2025 21:50:55 +0800 Subject: [PATCH 112/118] pam: add `pam_watchid` support --- modules/security/pam.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 1ecea923..e671e23f 100644 
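Review bot: The new `touchIdAuth` description drops the earlier warning that macOS rewrites `/etc/pam.d/sudo` on system updates, yet for macOS 13 the `auth include sudo_local` line is still inserted by `sed` in the activation script and disappears until the configuration is re-applied — the REMOVEME comments say as much, but users only read the option docs. Add a sentence to the `enable` description such as `On macOS 13 nix-darwin inserts an include line into /etc/pam.d/sudo; system updates remove it, so re-run activation afterwards. From macOS 14 the file is included by default and survives updates.` The `grep 'sudo_local'` guard would also be satisfied by a commented-out include line, which is presumably not how Apple ships the file but is cheap to tighten to `grep -E '^[^#]*sudo_local'`.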
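Review bot: The `reattach` description's third sentence does not parse ("programs ... that run in the background to survive across user sessions to work with PAM services"); suggest `Background programs such as tmux and screen outlive the session they were started from, so PAM modules tied to the bootstrap session (such as pam_tid) cannot see them; pam_reattach restores that link.` The `concatLines` order places `pam_reattach` ahead of `pam_tid`, which presumably is required for the reattach to take effect before the Touch ID check; a comment on the list, `# pam_reattach must precede pam_tid`, would keep a future option from being inserted in between.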
--- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -35,6 +35,17 @@ in ''; }; + watchIdAuth = lib.mkEnableOption "" // { + description = '' + Use Apple Watch for sudo authentication, for devices without Touch ID or + laptops with lids closed, consider using this. + + When enabled, you can use your Apple Watch to authenticate sudo commands. + If this doesn't work, you can go into `System Settings > Touch ID & Password` + and toggle the switch for your Apple Watch. + ''; + }; + reattach = lib.mkEnableOption "" // { description = '' Whether to enable reattaching a program to the user's bootstrap session. @@ -53,6 +64,7 @@ in security.pam.services.sudo_local.text = lib.concatLines ( (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so") + ++ (lib.optional cfg.watchIdAuth "auth sufficient ${pkgs.pam-watchid}/lib/pam_watchid.so") ); environment.etc."pam.d/sudo_local" = { From 1d9f622484f00df0a8c00b13f427e4175760cf3c Mon Sep 17 00:00:00 2001 From: Ihar Hrachyshka Date: Wed, 26 Feb 2025 09:24:15 -0500 Subject: [PATCH 113/118] Revert "Add networking.hosts and .hostFiles from nixos " --- .github/workflows/test.yml | 5 +- ...2596c5b54026b9a894fa481381ffd399b556c0e2da | 9 --- modules/networking/default.nix | 76 +------------------ release.nix | 1 - tests/networking-hosts.nix | 20 ----- 5 files changed, 2 insertions(+), 109 deletions(-) delete mode 100644 doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da delete mode 100644 tests/networking-hosts.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8eab6d35..d87b7636 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
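Review bot: The `watchIdAuth` description is hard to parse and overlaps with `touchIdAuth`, whose text earlier in this file already promises Apple Watch support; state the distinction, e.g. `Whether to authenticate sudo with an Apple Watch via pam_watchid. Unlike the Watch fallback of pam_tid, this also works on Macs without Touch ID or with the lid closed.` Both lines are `auth sufficient`, so enabling both simply lets either method pass; a sentence saying so would avoid users wondering whether they conflict. The `.so` path differs in layout from the pam_reattach one (`lib/pam_watchid.so` vs `lib/pam/pam_reattach.so`) — fine if that is where the package installs it, but worth confirming since a wrong path only shows up as a failed sudo.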
@@ -47,14 +47,12 @@ jobs: sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ "s/# programs.fish.enable = true;/ \ imports = [ \ ({ options, ... }: { \ nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \ environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \ - environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ]; \ nix.nixPath = \ [ { darwin = \"${PWD////\/}\"; } ] \ ++ options.nix.nixPath.default; \ @@ -104,9 +102,8 @@ jobs: pushd /etc/nix-darwin sudo nix flake init -t $darwin nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) - etcHostsHash=$(shasum -a 256 /etc/hosts | cut -d ' ' -f 1) sudo /usr/bin/sed -i.bak \ - "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; environment.etc.hosts.knownSha256Hashes = [ \"$etcHostsHash\" ];/" \ + "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ flake.nix sudo /usr/bin/sed -i.bak \ 's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \ diff --git a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da b/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da deleted file mode 100644 index 34d00684..00000000 --- a/doc/known-files/c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da +++ /dev/null 
@@ -1,9 +0,0 @@ -## -# Host Database -# -# localhost is used to configure the loopback interface -# when the system is booting. Do not change this entry. -## -127.0.0.1 localhost -255.255.255.255 broadcasthost -::1 localhost diff --git a/modules/networking/default.nix b/modules/networking/default.nix index 9b697590..b53a9e4a 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: with lib; @@ -22,8 +22,6 @@ let esac '') cfg.knownNetworkServices} ''; - - localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); in { 
@@ -107,50 +105,9 @@ in Battery powered devices may require being connected to power. ''; }; - - networking.hosts = lib.mkOption { - type = types.attrsOf (types.listOf types.str); - example = literalExpression '' - { - "127.0.0.1" = [ "foo.bar.baz" ]; - "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; - }; - ''; - description = '' - Locally defined maps of hostnames to IP addresses. - ''; - default = {}; - }; - - networking.hostFiles = lib.mkOption { - type = types.listOf types.path; - defaultText = literalMD "Hosts from {option}`networking.hosts` and {option}`networking.extraHosts`"; - example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]''; - description = '' - Files that should be concatenated together to form {file}`/etc/hosts`. - ''; - }; - - networking.extraHosts = lib.mkOption { - type = types.lines; - default = ""; - example = "192.168.0.1 lanlocalhost"; - description = '' - Additional verbatim entries to be appended to {file}`/etc/hosts`. - For adding hosts from derivation results, use {option}`networking.hostFiles` instead. - ''; - }; }; config = { - assertions = [{ - assertion = !localhostMultiple; - message = '' - `networking.hosts` maps "localhost" to something other than "127.0.0.1" - or "::1". This will break some applications. Please use - `networking.extraHosts` if you really want to add such a mapping. - ''; - }]; warnings = [ (mkIf (cfg.knownNetworkServices == [] && cfg.dns != []) "networking.knownNetworkServices is empty, dns servers will not be configured.") 
@@ -177,36 +134,5 @@ in
 ''}
 '';
- networking.hostFiles = let
- # Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1
- # resolves back to "localhost" (as some applications assume) instead of
- # the FQDN!
- localhostHosts = pkgs.writeText "localhost-hosts" ''
- ##
- # Host Database
- #
- # localhost is used to configure the loopback interface
- # when the system is booting. Do not change this entry.
- ##
- 127.0.0.1 localhost
- 255.255.255.255 broadcasthost
- ::1 localhost
- '';
- stringHosts =
- let
- oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n";
- allToString = set: concatMapStrings (oneToString set) (attrNames set);
- in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts));
- extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts;
- in mkBefore [ localhostHosts stringHosts extraHosts ];
-
- environment.etc.hosts = {
- knownSha256Hashes = [
- # Comes from MacOS: Darwin 24.1.0 Darwin Kernel Version 24.1.0.
- "c7dd0e2ed261ce76d76f852596c5b54026b9a894fa481381ffd399b556c0e2da"
- ];
-
- source = pkgs.concatText "hosts" cfg.hostFiles;
- };
 };
 }
diff --git a/release.nix b/release.nix
index 10856525..115025ee 100644
--- a/release.nix
+++ b/release.nix
@@ -86,7 +86,6 @@ in {
 tests.launchd-daemons = makeTest ./tests/launchd-daemons.nix;
 tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix;
 tests.networking-hostname = makeTest ./tests/networking-hostname.nix;
- tests.networking-hosts = makeTest ./tests/networking-hosts.nix;
 tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix;
 tests.nix-enable = makeTest ./tests/nix-enable.nix;
 tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix;
diff --git a/tests/networking-hosts.nix b/tests/networking-hosts.nix
deleted file mode 100644
index 2d73946e..00000000
--- a/tests/networking-hosts.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-
- {
- networking.hosts = {
- "127.0.0.1" = [ "my.super.host" ];
- "10.0.0.1" = [ "my.super.host" "my.other.host" ];
- };
-
- test = ''
- set -v
- echo checking /etc/hosts file >&2
-
- file=${config.out}/etc/hosts
-
- grep '127.0.0.1' $file | head -n1 | grep localhost$
- grep '127.0.0.1' $file | tail -n1 | grep my.super.host$
- grep '::1' $file | grep localhost$
- grep '10.0.0.1' $file | grep my.super.host\ my.other.host$
- '';
-}
From b1db30ce36f25eb07a7d4832cc2d29b1697c00f1 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka
Date: Wed, 26 Feb 2025 16:52:13 -0500
Subject: [PATCH 114/118] networking: Restore the original /etc/hosts on activation
A patch that replaced the original file with a symlink to nix store was reverted because MacOS Network framework doesn't support symlinks for the file. The revert leaves the system without any /etc/hosts file at all though. To fix this, an activation step is added to restore the original file from .before-nix-darwin backup, if it exists.
Signed-off-by: Ihar Hrachyshka
---
 modules/networking/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index b53a9e4a..8097e276 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -132,6 +132,11 @@ in
 ${optionalString (cfg.wakeOnLan.enable != null) ''
 systemsetup -setWakeOnNetworkAccess '${onOff cfg.wakeOnLan.enable}' &> /dev/null
 ''}
+
+ if [ -e /etc/hosts.before-nix-darwin ]; then
+ echo "restoring /etc/hosts..." >&2
+ sudo mv /etc/hosts{.before-nix-darwin,}
+ fi
 '';
 };
From 7386d8878ec409f672f64df24e4d00da04bfc8ce Mon Sep 17 00:00:00 2001
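Review bot: The added `if` block moves the backup over `/etc/hosts` unconditionally, so if a real `/etc/hosts` has been recreated since the store symlink went away (by the operator or by macOS itself), its current entries are silently replaced by the stale copy; since this file steers local name resolution, that clobber deserves a guard. Restore only when the destination is absent or still a symlink, e.g. `if [ -e /etc/hosts.before-nix-darwin ] && { [ ! -e /etc/hosts ] || [ -L /etc/hosts ]; }; then` (a dangling store symlink fails `-e` and passes `-L`, so it is still replaced). When a regular file is already in place, a one-line message saying the backup was left untouched is more useful than consuming it. The activation-script string this block lives in begins and ends outside the hunk.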
From: r17x
Date: Mon, 17 Feb 2025 23:25:40 +0700
Subject: [PATCH 115/118] services/dnscrypt-proxy: init
---
 modules/misc/ids.nix | 2 +
 modules/module-list.nix | 1 +
 modules/services/dnscrypt-proxy.nix | 81 +++++++++++++++++++++++++++++
 release.nix | 1 +
 tests/services-dnscrypt-proxy.nix | 23 ++++++++
 5 files changed, 108 insertions(+)
 create mode 100644 modules/services/dnscrypt-proxy.nix
 create mode 100644 tests/services-dnscrypt-proxy.nix
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 34b36859..ddab290a 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -39,11 +39,13 @@ in
 ids.uids = {
 nixbld = lib.mkDefault 350;
 _prometheus-node-exporter = 534;
+ _dnscrypt-proxy = 535;
 };
 ids.gids = {
 nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350);
 _prometheus-node-exporter = 534;
+ _dnscrypt-proxy = 535;
 };
 };
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 8b2215ba..d01bbdb9 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -62,6 +62,7 @@
 ./services/chunkwm.nix
 ./services/cachix-agent.nix
 ./services/dnsmasq.nix
+ ./services/dnscrypt-proxy.nix
 ./services/emacs.nix
 ./services/eternal-terminal.nix
 ./services/github-runner
diff --git a/modules/services/dnscrypt-proxy.nix b/modules/services/dnscrypt-proxy.nix
new file mode 100644
index 00000000..9073ff2a
--- /dev/null
+++ b/modules/services/dnscrypt-proxy.nix
@@ -0,0 +1,81 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+
+ cfg = config.services.dnscrypt-proxy;
+
+ format = pkgs.formats.toml { };
+
+ configFile = format.generate "dnscrypt-proxy.toml" cfg.settings;
+
+in
+
+{
+ options.services.dnscrypt-proxy = {
+
+ enable = lib.mkEnableOption "the dnscrypt-proxy service.";
+
+ package = lib.mkPackageOption pkgs "dnscrypt-proxy2" { };
+
+ settings = lib.mkOption {
+ description = ''
+ Attrset that is converted and passed as TOML config file.
+ For available params, see:
+ '';
+ example = lib.literalExpression ''
+ {
+ sources.public-resolvers = {
+ urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
+ cache_file = "public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ refresh_delay = 72;
+ };
+ }
+ '';
+ type = format.type;
+ default = { };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users._dnscrypt-proxy = {
+ uid = config.ids.uids._dnscrypt-proxy;
+ gid = config.ids.gids._dnscrypt-proxy;
+ home = "/var/lib/dnscrypt-proxy";
+ createHome = true;
+ shell = "/usr/bin/false";
+ description = "System user for dnscrypt-proxy";
+ };
+
+ users.groups._dnscrypt-proxy = {
+ gid = config.ids.gids._dnscrypt-proxy;
+ description = "System group for dnscrypt-proxy";
+ };
+
+ users.knownUsers = [ "_dnscrypt-proxy" ];
+ users.knownGroups = [ "_dnscrypt-proxy" ];
+
+ launchd.daemons.dnscrypt-proxy = {
+ script = ''
+ ${lib.getExe' cfg.package "dnscrypt-proxy"} -config ${configFile}
+ '';
+ serviceConfig =
+ let
+ logPath = config.users.users._dnscrypt-proxy.home + "/dnscrypt-proxy.log";
+ in
+ {
+ RunAtLoad = true;
+ KeepAlive = true;
+ StandardOutPath = logPath;
+ StandardErrorPath = logPath;
+ GroupName = "_dnscrypt-proxy";
+ UserName = "_dnscrypt-proxy";
+ };
+ };
+ };
+}
diff --git a/release.nix b/release.nix
index 115025ee..eaf30044 100644
--- a/release.nix
+++ b/release.nix
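Review bot: The `settings` example uses `cache_file = "public-resolvers.md"`, a relative path, while the generated `configFile` lives in the read-only Nix store; dnscrypt-proxy resolves relative paths against the directory of its config file (worth confirming for the packaged version), so anyone copying the example gets a daemon that cannot write its resolver cache. The example should point into the service account's home, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`, and the option description should say that relative paths are not usable here. `lib.mkEnableOption` already appends a period, so the `enable` option currently renders as "Whether to enable the dnscrypt-proxy service.."; use `enable = lib.mkEnableOption "the dnscrypt-proxy service";`. `StandardOutPath`/`StandardErrorPath` resolve to a directory owned by the unprivileged `_dnscrypt-proxy` account; if launchd opens those paths as root before switching to `UserName` (to be confirmed), a root-owned location such as a file under `/var/log` avoids having root write into a user-writable directory.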
@@ -103,6 +103,7 @@ in {
 tests.sockets-nix-daemon = makeTest ./tests/sockets-nix-daemon.nix;
 tests.services-aerospace = makeTest ./tests/services-aerospace.nix;
 tests.services-dnsmasq = makeTest ./tests/services-dnsmasq.nix;
+ tests.services-dnscrypt-proxy = makeTest ./tests/services-dnscrypt-proxy.nix;
 tests.services-eternal-terminal = makeTest ./tests/services-eternal-terminal.nix;
 tests.services-nix-gc = makeTest ./tests/services-nix-gc.nix;
 tests.services-nix-optimise = makeTest ./tests/services-nix-optimise.nix;
diff --git a/tests/services-dnscrypt-proxy.nix b/tests/services-dnscrypt-proxy.nix
new file mode 100644
index 00000000..15d59739
--- /dev/null
+++ b/tests/services-dnscrypt-proxy.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+
+let
+ dnscrypt-proxy = pkgs.runCommand "dnscrypt-proxy-0.0.0" { } "mkdir $out";
+in
+{
+ services.dnscrypt-proxy.enable = true;
+ services.dnscrypt-proxy.package = dnscrypt-proxy;
+
+ test = ''
+
+ echo >&2 "checking dnscrypt-proxy service in /Library/LaunchDaemons"
+ grep -q "org.nixos.dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+ grep -q "dnscrypt-proxy-start" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+
+ echo >&2 "checking dnscrypt-proxy system user in /Library/LaunchDaemons"
+ grep -q "_dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+ '';
+}
From fdc512d107d2777e9af89f4dc0191c8878b57aa5 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 3 Mar 2025 08:13:33 -0500
Subject: [PATCH 116/118] services/dnscrypt-proxy: Fix use of pkg alias
`dnscrypt-proxy2` is just an alias for `dnscrypt-proxy`. Use that and avoid eval failures when Nixpkgs is configured with `allowAliases = false`.
---
 modules/services/dnscrypt-proxy.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/services/dnscrypt-proxy.nix b/modules/services/dnscrypt-proxy.nix
index 9073ff2a..f0ba1d52 100644
--- a/modules/services/dnscrypt-proxy.nix
+++ b/modules/services/dnscrypt-proxy.nix
@@ -20,12 +20,12 @@ in
 enable = lib.mkEnableOption "the dnscrypt-proxy service.";
- package = lib.mkPackageOption pkgs "dnscrypt-proxy2" { };
+ package = lib.mkPackageOption pkgs "dnscrypt-proxy" { };
 settings = lib.mkOption {
 description = ''
 Attrset that is converted and passed as TOML config file.
- For available params, see:
+ For available params, see:
 '';
 example = lib.literalExpression ''
 {
From d06cf700ee589527fde4bd9b91f899e7137c05a6 Mon Sep 17 00:00:00 2001
From: Yifei Sun
Date: Tue, 4 Mar 2025 12:09:11 -0500
Subject: [PATCH 117/118] homebrew: remove `--no-lock` flag
https://github.com/Homebrew/homebrew-bundle/pull/1630
---
 modules/homebrew.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/homebrew.nix b/modules/homebrew.nix
index 6f8cfcb9..10764fbb 100644
--- a/modules/homebrew.nix
+++ b/modules/homebrew.nix
@@ -137,7 +137,7 @@ let config = {
 brewBundleCmd = concatStringsSep " " (
 optional (!config.autoUpdate) "HOMEBREW_NO_AUTO_UPDATE=1"
- ++ [ "brew bundle --file='${brewfileFile}' --no-lock" ]
+ ++ [ "brew bundle --file='${brewfileFile}'" ]
 ++ optional (!config.upgrade) "--no-upgrade"
 ++ optional (config.cleanup == "uninstall") "--cleanup"
 ++ optional (config.cleanup == "zap") "--cleanup --zap"
From df599ea8f10e86985c1b09e3cd7a3a331dc702f3 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Wed, 5 Mar 2025 11:23:25 +0900
Subject: [PATCH 118/118] readme: update instructions as Determinate Nix is now the default
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1a9900b1..20447dec 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ As the official Nix installer does not include an automated uninstaller, and man
 * The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. It can install one of two distributions of Nix:
- * By default, it will install vanilla upstream [Nix](https://nixos.org/) with flakes enabled.
+ * To install the **recommended** vanilla upstream [Nix](https://nixos.org), you will need to explicitly say `no` when prompted to install `Determinate Nix`.
 * When run with the `--determinate` flag, it will install the [Determinate](https://docs.determinate.systems/) distribution. As Determinate manages the Nix installation itself, you will need to set `nix.enable = false;` in your configuration to disable nix-darwin’s own Nix management.