{ config, lib, pkgs, ... }: with lib; let # Similar to lib.escapeShellArg but escapes "s instead of 's, to allow for parameter expansion in shells escapeDoubleQuote = arg: ''"${replaceStrings ["\""] ["\"\\\"\""] (toString arg)}"''; cfg = config.system.checks; macOSVersion = '' IFS=. read -ra osVersion <<<"$(sw_vers -productVersion)" if (( osVersion[0] < 11 || (osVersion[0] == 11 && osVersion[1] < 3) )); then printf >&2 '\e[1;31merror: macOS version is less than 11.3, aborting activation\e[0m\n' printf >&2 'Nixpkgs 25.05 requires macOS Big Sur 11.3 or newer, and 25.11 will\n' printf >&2 'require macOS Sonoma 14.\n' printf >&2 '\n' printf >&2 'For more information on your options going forward, see the 25.05\n' printf >&2 'release notes:\n' printf >&2 '\n' printf >&2 '\n' printf >&2 'Nixpkgs 24.11 and nix-darwin 24.11 continue to support down to macOS\n' printf >&2 'Sierra 10.12, and will be supported through June 2025.\n' printf >&2 '\n' printf >&2 'You can override this check by setting:\n' printf >&2 '\n' printf >&2 ' system.checks.verifyMacOSVersion = false;\n' printf >&2 '\n' printf >&2 'However, we are unable to provide support if you do so.\n' exit 1 fi ''; determinate = '' if [[ -e /usr/local/bin/determinate-nixd ]]; then printf >&2 '\e[1;31merror: Determinate detected, aborting activation\e[0m\n' printf >&2 'Determinate uses its own daemon to manage the Nix installation that\n' printf >&2 'conflicts with nix-darwin’s native Nix management.\n' printf >&2 '\n' printf >&2 'To turn off nix-darwin’s management of the Nix installation, set:\n' printf >&2 '\n' printf >&2 ' nix.enable = false;\n' printf >&2 '\n' printf >&2 'This will allow you to use nix-darwin with Determinate. Some nix-darwin\n' printf >&2 'functionality that relies on managing the Nix installation, like the\n' printf >&2 '`nix.*` options to adjust Nix settings or configure a Linux builder,\n' printf >&2 'will be unavailable.\n' exit 2 fi ''; preSequoiaBuildUsers = '' firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') if # Don’t complain when we’re about to migrate old‐style build users… [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \ && ! dscl . -list /Users | grep -q '^nixbld' then printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n' printf >&2 'The default Nix build user ID range has been adjusted for\n' printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n' printf >&2 'UID %d rather than the new default of 351.\n' "$firstBuildUserID" printf >&2 '\n' printf >&2 'You can automatically migrate the users with the following command:\n' printf >&2 '\n' if [[ -e /nix/receipt.json ]]; then if ${pkgs.jq}/bin/jq --exit-status \ 'try(.planner.settings | has("enable_flakes"))' \ /nix/receipt.json \ >/dev/null then installerUrl="https://install.lix.systems/lix" else installerUrl="https://install.determinate.systems/nix" fi printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L %s | sh -s -- repair sequoia --move-existing-users\n" \ "$installerUrl" else printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n" fi printf >&2 '\n' printf >&2 'If you have no intention of upgrading to macOS Sequoia 15, or already\n' printf >&2 'have a custom UID range that you know is compatible with Sequoia, you\n' printf >&2 'can disable this check by setting:\n' printf >&2 '\n' printf >&2 ' ids.uids.nixbld = %d;\n' "$((firstBuildUserID - 1))" printf >&2 '\n' exit 2 fi ''; buildGroupID = '' buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}') expectedBuildGroupID=${toString config.ids.gids.nixbld} if [[ $buildGroupID != "$expectedBuildGroupID" ]]; then printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n' printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n' printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n' printf >&2 'nixbld group has GID %d, whereas we expected %d.\n' \ "$buildGroupID" "$expectedBuildGroupID" printf >&2 '\n' printf >&2 'Possible causes include setting up a new Nix installation with an\n' printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n' printf >&2 'installation with an existing Nix installation, or manually increasing\n' printf >&2 'your `system.stateVersion` setting.\n' printf >&2 '\n' printf >&2 'You can set the configured group ID to match the actual value:\n' printf >&2 '\n' printf >&2 ' ids.gids.nixbld = %d;\n' "$buildGroupID" printf >&2 '\n' printf >&2 'We do not recommend trying to change the group ID with macOS user\n' printf >&2 'management tools without a complete uninstallation and reinstallation\n' printf >&2 'of Nix.\n' exit 2 fi ''; nixDaemon = '' if [[ "$(stat --format='%u' /nix)" != 0 ]]; then printf >&2 'error: single‐user install detected, aborting activation\n' printf >&2 'nix-darwin now only supports managing multi‐user daemon installations\n' printf >&2 'of Nix. You can uninstall nix-darwin and Nix and then reinstall both to\n' printf >&2 'fix this.\n' printf >&2 '\n' printf >&2 'If you don’t want to do that, you can disable management of the Nix\n' printf >&2 'installation with:\n' printf >&2 '\n' printf >&2 ' nix.enable = false;\n' printf >&2 '\n' printf >&2 'See the `nix.enable` option documentation for caveats.\n' exit 2 fi ''; nixInstaller = '' if grep -q 'etc/profile.d/nix-daemon.sh' /etc/profile; then echo "error: Found nix-daemon.sh reference in /etc/profile, aborting activation" >&2 echo "This will override options like nix.nixPath because it runs later," >&2 echo "remove this snippet from /etc/profile:" >&2 echo >&2 echo " # Nix" >&2 echo " if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then" >&2 echo " . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'" >&2 echo " fi" >&2 echo " # End Nix" >&2 echo >&2 exit 2 fi ''; nixPath = '' nixPath=${concatMapStringsSep ":" escapeDoubleQuote config.nix.nixPath}:$HOME/.nix-defexpr/channels darwinConfig=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin-config) || true if ! test -e "$darwinConfig"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Create ''${darwinConfig:-/etc/nix-darwin/configuration.nix} or set environment.darwinConfig:" >&2 echo >&2 echo " environment.darwinConfig = \"$(nix-instantiate --find-file darwin-config 2> /dev/null || echo '***')\";" >&2 echo >&2 echo "And rebuild using (only required once)" >&2 echo "$ darwin-rebuild switch -I \"darwin-config=$(nix-instantiate --find-file darwin-config 2> /dev/null || echo '***')\"" >&2 echo >&2 echo >&2 exit 2 fi darwinPath=$(NIX_PATH=$nixPath nix-instantiate --find-file darwin) || true if ! test -e "$darwinPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add the darwin repo as a channel or set nix.nixPath:" >&2 echo "$ sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin" >&2 echo "$ sudo nix-channel --update" >&2 echo >&2 echo "or set" >&2 echo >&2 echo " nix.nixPath = [ \"darwin=$(nix-instantiate --find-file darwin 2> /dev/null || echo '***')\" ];" >&2 echo >&2 exit 2 fi nixpkgsPath=$(NIX_PATH=$nixPath nix-instantiate --find-file nixpkgs) || true if ! test -e "$nixpkgsPath"; then echo "error: Changed but target does not exist, aborting activation" >&2 echo "Add a nixpkgs channel or set nix.nixPath:" >&2 echo "$ sudo nix-channel --add http://nixos.org/channels/nixpkgs-unstable nixpkgs" >&2 echo "$ sudo nix-channel --update" >&2 echo >&2 echo "or set" >&2 echo >&2 echo " nix.nixPath = [ \"nixpkgs=$(nix-instantiate --find-file nixpkgs 2> /dev/null || echo '***')\" ];" >&2 echo >&2 exit 2 fi ''; # TODO: Remove this a couple years down the line when we can assume # that anyone who cares about security has upgraded. oldSshAuthorizedKeysDirectory = '' if [[ -d /etc/ssh/authorized_keys.d ]]; then printf >&2 '\e[1;31merror: /etc/ssh/authorized_keys.d exists, aborting activation\e[0m\n' printf >&2 'SECURITY NOTICE: The previous implementation of the\n' printf >&2 '`users.users..openssh.authorizedKeys.*` options would not delete\n' printf >&2 'authorized keys files when the setting for a given user was removed.\n' printf >&2 '\n' printf >&2 "This means that if you previously stopped managing a user's authorized\n" printf >&2 'SSH keys with nix-darwin, or intended to revoke their access by\n' printf >&2 'removing the option, the previous set of keys could still be used to\n' printf >&2 'log in as that user.\n' printf >&2 '\n' printf >&2 'You can check the /etc/ssh/authorized_keys.d directory to see which\n' printf >&2 'keys were permitted; afterwards, please remove the directory and\n' printf >&2 're-run activation. The options continue to be supported and will now\n' printf >&2 'correctly permit only the keys in your current system configuration.\n' exit 2 fi ''; homebrewInstalled = '' if [[ ! -f ${escapeShellArg config.homebrew.brewPrefix}/brew && -z "''${INSTALLING_HOMEBREW:-}" ]]; then echo "error: Using the homebrew module requires homebrew installed, aborting activation" >&2 echo "Homebrew doesn't seem to be installed. Please install homebrew separately." >&2 echo "You can install homebrew using the following command:" >&2 echo >&2 echo ' /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"' >&2 echo >&2 exit 2 fi ''; # some mac devices, notably notebook do not support restartAfterPowerFailure option restartAfterPowerFailureIsSupported = '' if sudo /usr/sbin/systemsetup -getRestartPowerFailure | grep -q "Not supported"; then printf >&2 "\e[1;31merror: restarting after power failure is not supported on your machine\e[0m\n" >&2 printf >&2 "Please ensure that \`power.restartAfterPowerFailure\` is not set.\n" >&2 exit 2 fi ''; in { imports = [ (mkRemovedOptionModule [ "system" "checks" "verifyNixChannels" ] "This check has been removed.") ]; options = { system.checks.verifyNixPath = mkOption { type = types.bool; default = config.nix.enable; description = "Whether to run the NIX_PATH validation checks."; }; system.checks.verifyBuildUsers = mkOption { type = types.bool; default = config.nix.enable && !(config.nix.settings.auto-allocate-uids or false); description = "Whether to run the Nix build users validation checks."; }; system.checks.verifyMacOSVersion = mkOption { type = types.bool; default = true; description = "Whether to run the macOS version check."; }; system.checks.text = mkOption { internal = true; type = types.lines; default = ""; }; }; config = { system.checks.text = mkMerge [ (mkIf cfg.verifyMacOSVersion macOSVersion) (mkIf config.nix.enable determinate) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf cfg.verifyBuildUsers buildGroupID) (mkIf config.nix.enable nixDaemon) nixInstaller (mkIf cfg.verifyNixPath nixPath) oldSshAuthorizedKeysDirectory (mkIf config.homebrew.enable homebrewInstalled) (mkIf (config.power.restartAfterPowerFailure != null) restartAfterPowerFailureIsSupported) ]; system.activationScripts.checks.text = '' ${cfg.text} if [[ "''${checkActivation:-0}" -eq 1 ]]; then echo "ok" >&2 exit 0 fi ''; }; }