diff --git a/modules/module-list.nix b/modules/module-list.nix
index d01bbdb9..026a348b 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -10,6 +10,7 @@
 ./security/sudo.nix
 ./system
 ./system/base.nix
+ ./system/primary-user.nix
 ./system/checks.nix
 ./system/activation-scripts.nix
 ./system/applications.nix
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 6afe796c..0c87735c 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -31,6 +31,18 @@ let
 fi
 '';
+ primaryUser = ''
+ primaryUser=${escapeShellArg config.system.primaryUser}
+ if ! id -- "$primaryUser" >/dev/null 2>&1; then
+ printf >&2 '\e[1;31merror: primary user `%s` does not exist, aborting activation\e[0m\n' \
+ "$primaryUser"
+ printf >&2 'Please ensure that `system.primaryUser` is set to the name of an\n'
+ printf >&2 'existing user. Usually this should be the user you have been using to\n'
+ printf >&2 'run `darwin-rebuild`.\n'
+ exit 2
+ fi
+ '';
+
 determinate = ''
 if [[ -e /usr/local/bin/determinate-nixd ]]; then
 printf >&2 '\e[1;31merror: Determinate detected, aborting activation\e[0m\n'
@@ -275,6 +287,7 @@ in
 system.checks.text = mkMerge [
 (mkIf cfg.verifyMacOSVersion macOSVersion)
+ (mkIf (config.system.primaryUser != null) primaryUser)
 (mkIf config.nix.enable determinate)
 (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
 (mkIf cfg.verifyBuildUsers buildGroupID)
diff --git a/modules/system/primary-user.nix b/modules/system/primary-user.nix
new file mode 100644
index 00000000..1eb7b29d
--- /dev/null
+++ b/modules/system/primary-user.nix
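Review bot: In the `primaryUser` check added to modules/system/checks.nix, `id -- "$primaryUser"` proves only that the value resolves to some account, which is weaker than the "name of an existing user" the error text asks for. `id` also accepts a numeric user ID, and `root` or a service account resolves too, so a value such as `501` passes here although later consumers presumably treat the string as a login name. Comparing the resolved name closes the numeric case: `if [[ "$(id -un -- "$primaryUser" 2>/dev/null)" != "$primaryUser" ]]; then`. Because the assertion message in primary-user.nix says activation runs as `root` and applies options to this user, I would also add a comment above the check, `# Only checks that the account resolves; does not check that it is a regular, non-root login user.` The enclosing `let` block starts and ends outside the hunk.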
@@ -0,0 +1,60 @@
+{
+ lib,
+ options,
+ config,
+ ...
+}:
+
+{
+ options = {
+ system.primaryUser = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = ''
+ The user used for options that previously applied to the user
+ running `darwin-rebuild`.
+
+ This is a transition mechanism as nix-darwin reorganizes its
+ options and will eventually be unnecessary and removed.
+ '';
+ };
+
+ system.requiresPrimaryUser = lib.mkOption {
+ internal = true;
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ };
+
+ config = {
+ assertions = [
+ {
+ assertion = config.system.primaryUser == null -> config.system.requiresPrimaryUser == [ ];
+ message = ''
+ Previously, some nix-darwin options applied to the user running
+ `darwin-rebuild`. As part of a long‐term migration to make
+ nix-darwin focus on system‐wide activation and support first‐class
+ multi‐user setups, all system activation now runs as `root`, and
+ these options instead apply to the `system.primaryUser` user.
+
+ You currently have the following primary‐user‐requiring options set:
+
+ ${lib.concatMapStringsSep "\n" (name: "* `${name}`") (
+ lib.sort (name1: name2: name1 < name2) config.system.requiresPrimaryUser
+ )}
+
+ To continue using these options, set `system.primaryUser` to the name
+ of the user you have been using to run `darwin-rebuild`. In the long
+ run, this setting will be deprecated and removed after all the
+ functionality it is relevant for has been adjusted to allow
+ specifying the relevant user separately, moved under the
+ `users.users.*` namespace, or migrated to Home Manager.
+
+ If you run into any unexpected issues with the migration, please
+ open an issue at
+ and include as much information as possible.
+ '';
+ }
+ ];
+ };
+}
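Review bot: The description of `system.primaryUser` does not say what setting it authorizes. According to the assertion message lower in the same file, activation runs as `root` and applies the listed options to this account, so the value decides whose account root-run activation acts on. I would add a sentence to the description such as `Activation runs as root and applies these options to this user's account; set it only to an account you administer.` The `options` argument in the module header is not referenced anywhere in this file and can be dropped. As shown here the message reads `open an issue at` with no address after it, which may be a rendering loss but is worth checking in the file.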