addresses https://github.com/LnL7/nix-darwin/issues/1043
fix: use exec in launchd daemon config
fix: dont use a script thats in the nix store
fix: remove manual wait4path in linux-builder
fix: remove manual wait4path in karabiner elements
fix: remove manual wait4path in nix-daemon
fix: remove manual wait4path in nix-optimise
fix: remove manual wait4path in tailscaled
fix: autossh test
Revert "fix: remove manual wait4path in nix-daemon"
This reverts commit 6aec084fa5.
fix: remove bad exec
Reapply "fix: remove manual wait4path in nix-daemon"
This reverts commit c8f136ecc5.
fix: update autossh test
to reflect changes in f86e6133d9
fix: services-activate-system-changed-label-prefix test
fix: services-buildkite-agent test
fix: services-activate-system test
fix: escape ampersand
fix: services-lorri test
fix: services-nix-optimise test
fix: services-nix-gc test
refactor: use script rather than command in daemon
fix: use config.command for clarity
style: fix indentation
fix: use lib.getExe rather than directly pointing to file
revert: a87fc7bbbb
- mistaken refactor meant that service waited for nix store and not the relevant path
This is hopefully largely cosmetic, but should increase user
confidence in the safety and effectiveness of the migration, and the
Determinate Systems and Lix installer commands will also update the
`/nix/receipt.json` files to match the changes made. They cannot
properly handle the format of each other’s receipts, so we need to
detect which was used.
The condition does not match the comment, and therefore not the original
intention. It currently returns early in *any* type of Nix shell, not
just pure ones, including 'nix develop'.
Besides being unnecessary, this check prevents Nix shells from
functioning properly. For instance, it causes the initialization of the
Zsh fpath to be skipped, which is critical. The fact that the user is
unable to opt out of this behaviour makes this an ever bigger problem
since /etc/zshenv is being loaded unconditionally by Zsh.
For reference, NixOS does not perform such check, and apparently never
did.
When testing the Sequoia UID change, I discovered that @mjm
didn’t have `system.stateVersion` set; I suspect this is not too
uncommon. Let’s make it required now, like NixOS is trying to,
to improve our backwards‐compatibility story in anticipation of
starting to cut release branches.
When a script specifies the shell option "nounset" as part of the
shebang (e.g., via "#!/usr/bin/env -S zsh -u"), our initialization
scripts would produce error messages of the form:
__ETC_FOO_SOURCED: parameter not set
These messages could probably be confusing to users when running such
scripts. By providing a fall-back in the parameter expansion, we can
avoid them.
This patch does not address interactive shell start-up, where such
messages may (or may not) be less problematic.
NixOS/nixpkgs@7d84dbdf5b
Currently zshenv by default only sets fpath without exporting it. A
parent shell would also not set those variables usually as they are
shell local.
It also sources a file called set-environment but this is protected by
an environment variable called __NIX_DARWIN_SET_ENVIRONMENT_DONE. Hence
any modification done by the parent shell should persist as long as
__NIX_DARWIN_SET_ENVIRONMENT_DONE is not unset.
This behavior deviates from what we do in bashrc and breaks common
setups such as tmux/mosh or screen.
NixOS/nixpkgs@55819e6c86
Currently there are a bunch of really wacky hacks required to get
nixpkgs path correctly set up under flake configs such that `nix run
nixpkgs#hello` and `nix run -f '<nixpkgs>' hello` hit the nixpkgs that
the system was built with. In particular you have to use specialArgs or
an anonymous module, and everyone has to include this hack in their own
configs.
We can do this for users automatically.
NixOS/nixpkgs@e456032add
Co-authored-by: Antoine Cotten <hello@acotten.com>
Checking for the Sequoia stuff won’t work properly if a system is
still in this old state. Best to be loud about it to deal with any
straggler systems that haven’t yet dealt with this issue.
Zsh ships some rudimentary completions for programs where upstream also
ships their own completions (e.g., curl). So as not to shadow those
completions, we need to prepend to the fpath instead of appending.
NixOS/nixpkgs@8dad5a2239
Shellcheck complains:
> args=(
> ^-- SC2054 (warning): Use spaces, not commas, to separate array elements.
Quote the --labels argument to resolve.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
The upstream Nix UID/GID changes for Sequoia will require us to manage
a group with GID 350. That will require more work on our end to ensure
compatibility and a working migration path, but this is enough to
allow hacking around it locally in system configurations for now.
In some scenarios, the command may fail, e.g. when the shell is executed
with a different $HOME from where gpg agent is configured to run from.
(E.g. this happens in kitty terminal test suite.)
This patch will suppress stderr errors on tty in this situation.
Note that zsh does not allow to suppress execution of /etc/zshenv on
startup, so it's impossible to skip it in the test suite environment.
An alternative would be to set IN_NIX_SHELL in the test suite, but this
was rejected in upstream:
https://github.com/kovidgoyal/kitty/pull/7800
There's also a kitty package specific fix posted here but this may be
unnecessary once nix-darwin is patched here:
https://github.com/NixOS/nixpkgs/pull/338070
Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Use this and never find yourself again hitting fn because of muscle
memory! (you can even physically swap the keycaps, at least on M series)
Keycodes have been pulled from https://hidutil-generator.netlify.app/
and the hex value has been converted to a base 10 int.
As `/run` gets recreated every reboot and we can't specify dependencies
for launchd, creating the `workDir` every reboot will require extra
complexity with a separate daemon that runs as `root` otherwise it won't
have sufficient privileges.
As we clean the `workDir` when the service first starts anyway, it ends
up being the same.
- Added the jankyborders service.
- Introduced changes for whitelist and blacklist options and assertions.
- emoved path reference from launchd argument.
- Corrected missing trailing newline in default.nix.
Before this commit, aarch64 users building the following configuration
would end up with an aarch64-linux builder, while after it, they get the
x86_64-linux builder they expect:
```nix
nix.linux-builder = {
enable = true;
package = pkgs.darwin.linux-builder-x86_64;
};
```
Before, in order to get an x86_64-linux builder, they would have needed
to use this configuration instead:
```nix
nix.linux-builder = {
enable = true;
config.nixpkgs.hostPlatform = "x86_64-linux";
systems = ["x86_64-linux"];
};
```
The reason for this is that the linux-builder module calls `override` on
the package option, and the `linux-builder-x86_64` package is also
defined using override:
```nix
linux-builder-x86_64 = linux-builder.override {
modules = [ { nixpkgs.hostPlatform = "x86_64-linux"; } ];
};
```
The module was effectively discarding the `nixpkgs.hostPlatform` option.
Example issue: https://github.com/NixOS/nixpkgs/issues/313784
This is a huge anti‐declarative footgun; `copy` files cannot
distinguish if a previous version is managed by nix-darwin, so they
can’t check the hash, so they’re prone to destroying data, and
copied files are not deleted when they’re removed from the system
configuration, which led to a security bug. Nothing else in‐tree
was using this functionality, so let’s make sure it doesn’t
cause any more bugs.
As explained in the changelog and activation check, the previous
implementation had a nasty security bug that made removing a user’s
authorized keys effectively a no‐op.
As far as I can tell, this isn't required to get fonts to work on
NixOS, so we shouldn't require it on nix-darwin either, even if the
implementations are superficially similar.
Stricter launchd -> StartCalendarInterval type:
- Verify that the integers passed to `Minute`, `Hour`, etc. are within
range.
- When provided, the value for StartCalendarInterval must be a non-empty
list of calendar intervals and must not contain duplicates entries
(throw an error otherwise).
- For increased flexibility and backwards-compatibility, allow an
attrset to be passed as well (which will be type-checked and is
functionally equivalent to passing a singleton list). Allowing an
attrset or list is precisely in-line with what `launchd.plist(5)`
accepts for StartCalendarInterval.
Migrate `nix.gc.interval` and `nix.optimise.interval` over to use this
new type, and update their defaults to run weekly instead of daily.
Create `modules/launchd/types.nix` file for easier/modular use of
launchd types needed in multiple files.
Documentation:
- Update and improve wording/documentation of launchd's
`StartCalendarInterval`.
- Improve wording/documentation of `nix.gc.interval` and
`nix.optimise.interval` ("time interval" can be misleading as it's
actually a "calendar interval"; e.g. `{ Hour = 3; Minute = 15;}`
runs daily, not every 3.25 hours).
Previously, it was not possible to inject PATH entries between profiles
and the “default system” PATH entries. This confounds adding, e.g.
Homebrew on aarch64’s non-standard prefix as higher priority than the
builtin system paths, but lower than Nix profiles.
This is a backwards-incompatible change for some users, but should only
be so in the case a user used `mkOrder` with a value between 1000 (the
default priority) and 1200. Value of 1200 chosen as the same delta from
the default as just below in `environment.profiles` (which uses 800),
and mkAfter is 1500 so will still go after this.
One of cachix-agent's dependencies, `hs-certificate`, makes calls to
`security`. This lives in `/usr/bin`, which isn't available from
launchd. This commit makes the system paths available to cachix-agent.
Fixes#924.
Complex container values like `-array` have their own DSL which does not
allow specifying all data types. Instead of using the DSL use plist
fragments instead.
This commit updates the nix.conf validation logic to accommodate
different versions of Nix. It introduces a conditional assignment
of the `showCommand` variable, which determines the appropriate
command to use based on the Nix version. For versions at least
"2.20pre", it uses "config show"; otherwise, it falls back to
"show-config". This change ensures compatibility across various
Nix releases.
While #859 added basic support for configuring GitHub runners through
nix-darwin, it did not yet support all of the options the NixOS module
offers.
I am aware that this is a rather big overhaul. I think, however, that
it's worth it:
- Copies the `options.nix` from the [NixOS module] with only minor
adaptations. This should help to keep track of any changes to it.
- Respect the `workDir` config option. So far, the implementation didn't
even read the value of the option.
- Allow configuring a custom user and group.
If both are `null`, nix-darwin manages the `_github-runner` user
shared among all instances. Take care of creating your own users if
that's not what you want.
- Also creates the necessary directories for state, logs and the working
directory (unless `workDir != null`). It uses the following locations:
* state: `/var/lib/github-runners/${name}`
* logs: `/var/log/github-runners/${name}`
* work: The value of `workDir` or `/var/run/github-runners/${name}`
if (`workDir == null`).
We have to create the logs directory before starting the service since
launchd expects that the `Standard{Error,Out}Path` exist. We do this
by prepending to [`system.activationScripts.launchd.text`].
All directories belong to the configured `user` and `group`.
- Warn if a `tokenFile` points to the Nix store.
[NixOS module]: https://github.com/NixOS/nixpkgs/blob/3c30c56/nixos/modules/services/continuous-integration/github-runner/options.nix
[`system.activationScripts.launchd.text`]: https://github.com/LnL7/nix-darwin/blob/bbde06b/modules/system/launchd.nix#L99-L123
This commit adds a protocol option for the `linux-builder` and defaults
it to `ssh-ng`. I have observed it needing this with the following:
``` sh
$ nix store ping --store ssh://linux-builder
Store URL: ssh://linux-builder
$ nix store ping --store ssh-ng://linux-builder
Store URL: ssh-ng://linux-builder
Version: 2.18.1
Trusted: 0
```
This seems to make the difference on whether or not Nix picks up
`linux-builder` as an available builder.
enableScriptingAddition no longer triggers IFD
by using runCommand to generate sudoers.d/yabai,
instead of builtins.hashFile and interpolating the string in nix.
Adds a new module which allows to configure multiple GitHub self-hosted
runners on Darwin. The module is heavily inspired by the nixpkgs NixOS
module. Its implementation differs in some ways:
- There's currently no way to configure the user/group which runs the
runner. All configured runners share the same user and group.
- No automatic cleanup.
- No advanced sandboxing apart from user/group isolation
Properly detect the binary name (not just /nix/store/...-bash, but include the
.../bin/bash), and use the symlinked name which also appears in /etc/shells.