From 6c08608ffe94cbdfcc6e63876347f85a0cea5184 Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 15 Jan 2025 18:41:10 +0000 Subject: [PATCH 1/7] system: tweak ShellCheck settings (cherry picked from commit e1976612f0054a8143f37e7ef25c4ef4b88b44bd) --- modules/networking/default.nix | 1 - modules/nix/default.nix | 2 -- modules/system/checks.nix | 4 ---- modules/system/default.nix | 5 ++++- modules/users/default.nix | 5 ----- 5 files changed, 4 insertions(+), 13 deletions(-) diff --git a/modules/networking/default.nix b/modules/networking/default.nix index 7a81ca1c8..b53a9e4a7 100644 --- a/modules/networking/default.nix +++ b/modules/networking/default.nix @@ -118,7 +118,6 @@ in echo "configuring networking..." >&2 ${optionalString (cfg.computerName != null) '' - # shellcheck disable=SC1112 scutil --set ComputerName ${escapeShellArg cfg.computerName} ''} ${optionalString (cfg.hostName != null) '' diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 8d8ffc8d5..857c4be81 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -853,9 +853,7 @@ in fi done if [[ ! $nixCustomConfIsKnown ]]; then - # shellcheck disable=SC2016 printf >&2 '\e[1;31merror: custom settings in `/etc/nix/nix.custom.conf`, aborting activation\e[0m\n' - # shellcheck disable=SC2016 printf >&2 'You will need to migrate these to nix-darwin `nix.*` settings if you\n' printf >&2 'wish to keep them. Check the manual for the appropriate settings and\n' printf >&2 'add them to your system configuration, then run:\n' diff --git a/modules/system/checks.nix b/modules/system/checks.nix index a5fd44a81..e9f83d216 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
@@ -118,7 +118,6 @@ let printf >&2 'Possible causes include setting up a new Nix installation with an\n' printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n' printf >&2 'installation with an existing Nix installation, or manually increasing\n' - # shellcheck disable=SC2016 printf >&2 'your `system.stateVersion` setting.\n' printf >&2 '\n' printf >&2 'You can set the configured group ID to match the actual value:\n' @@ -139,7 +138,6 @@ let printf >&2 '\n' printf >&2 ' services.nix-daemon.enable = false;\n' printf >&2 '\n' - # shellcheck disable=SC2016 printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n' printf >&2 '\n' exit 2 @@ -279,7 +277,6 @@ let if [[ -d /etc/ssh/authorized_keys.d ]]; then printf >&2 '\e[1;31merror: /etc/ssh/authorized_keys.d exists, aborting activation\e[0m\n' printf >&2 'SECURITY NOTICE: The previous implementation of the\n' - # shellcheck disable=SC2016 printf >&2 '`users.users..openssh.authorizedKeys.*` options would not delete\n' printf >&2 'authorized keys files when the setting for a given user was removed.\n' printf >&2 '\n' @@ -302,7 +299,6 @@ let echo "Homebrew doesn't seem to be installed. Please install homebrew separately." >&2 echo "You can install homebrew using the following command:" >&2 echo >&2 - # shellcheck disable=SC2016 echo ' /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"' >&2 echo >&2 exit 2 diff --git a/modules/system/default.nix b/modules/system/default.nix index a1862faee..8351dcc66 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix 
@@ -135,7 +135,10 @@ in chmod u+x $out/activate-user unset activationUserScript - shellcheck $out/activate $out/activate-user + # We exclude the warnings for `…` in single‐quote strings and + # non‐ASCII quotation marks as they are noisy and lead to a lot + # of false positives in our user‐facing output: + shellcheck --exclude=SC2016,SC1112 $out/activate $out/activate-user echo -n "$systemConfig" > $out/systemConfig diff --git a/modules/users/default.nix b/modules/users/default.nix index 574f5a4eb..ecce2af3b 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -149,7 +149,6 @@ in if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then if [[ -n "$SSH_CONNECTION" ]]; then printf >&2 '\e[1;31merror: users cannot be %s over SSH without Full Disk Access, aborting activation\e[0m\n' "$2" - # shellcheck disable=SC2016 printf >&2 'The user %s could not be %s as `darwin-rebuild` was not executed with Full Disk Access over SSH.\n' "$1" "$2" printf >&2 'You can either:\n' printf >&2 '\n' @@ -157,7 +156,6 @@ in printf >&2 '\n' printf >&2 'or\n' printf >&2 '\n' - # shellcheck disable=SC2016 printf >&2 ' run `darwin-rebuild` in a graphical session.\n' printf >&2 '\n' printf >&2 'The option "Allow full disk access for remote users" can be found by\n' @@ -171,11 +169,9 @@ in if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then printf >&2 '\e[1;31merror: permission denied when trying to %s user %s, aborting activation\e[0m\n' "$2" "$1" - # shellcheck disable=SC2016 printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n' printf >&2 'please accept the dialog that pops up.\n' printf >&2 '\n' - # shellcheck disable=SC2016 printf >&2 'If you do not wish to be prompted every time `darwin-rebuild updates your users,\n' printf >&2 'you can grant Full Disk Access to your terminal emulator in System Settings.\n' printf >&2 '\n' 
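Review bot: Passing `--exclude=SC2016,SC1112` on the `shellcheck $out/activate $out/activate-user` line turns SC2016 off for every activation script, not only for the individual `printf` lines that used to carry `# shellcheck disable=SC2016`. A single-quoted string that was meant to expand a variable will therefore no longer be reported anywhere in these scripts, which appear to run during system activation. The added comment explains the noise but not this trade-off; I would extend it with something like `# NOTE: this also hides genuinely unexpanded $var in single quotes; review new single-quoted strings by hand.` The other hunks of this patch (networking, nix, checks, users) only delete the per-line directives and rely on this flag to keep the lint step passing.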
@@ -224,7 +220,6 @@ in if [ "$u" -gt 501 ]; then # TODO: add `darwin.primaryUser` as well if [[ ${name} == "$USER" ]]; then - # shellcheck disable=SC2016 printf >&2 '\e[1;31merror: refusing to delete the user calling `darwin-rebuild` (%s), aborting activation\e[0m\n', ${name} exit 1 fi From 338d5d5bf294383da56fe55f8898a69063d22329 Mon Sep 17 00:00:00 2001 From: Emily Date: Wed, 29 Jan 2025 01:08:02 +0000 Subject: [PATCH 2/7] nix: fix typo in assertion conditional (cherry picked from commit 8f227c405e0d42dfdbfce9849c689152c083a48b) --- modules/nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 857c4be81..b70487d71 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -759,7 +759,7 @@ in # Not in NixOS module { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; } - { assertion = elem "_nixbld1" config.users.knownGroups -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } + { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; } { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; } { From 32b00fd3396d580e90d0cf14a0d491a36d4db785 Mon Sep 17 00:00:00 2001 
From: Emily
Date: Tue, 28 Jan 2025 18:40:29 +0000
Subject: [PATCH 3/7] nix: add `nix.enable` option to disable Nix management
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is an equivalent of the `nix.enable` option from NixOS and Home Manager. On NixOS, it mostly serves to allow building fixed‐configuration systems without any Nix installation at all. It should work for that purpose with nix-darwin too, and the implementation is largely the same, but the main use case is more similar to the Home Manager option: to allow the use of nix-darwin with an unmanaged system installation of Nix, including when there is another service expecting to manage it, as with Determinate. By providing an escape hatch to opt out of Nix management entirely, this will also allow us to consolidate and simplify our existing Nix installation management, by being more opinionated about things like taking ownership of the daemon and the build users. Porting one option from NixOS lets us drop two that only ever existed in nix-darwin and reduce overall complexity.

(cherry picked from commit e182d8dff6bd3b0913ae6531c6abae3ed1e38364)
---
 modules/nix/default.nix | 52 +++++++++++++++++++++--
 modules/nix/nix-darwin.nix | 2 +-
 modules/services/nix-daemon.nix | 2 +-
 modules/system/checks.nix | 11 ++---
 pkgs/darwin-uninstaller/configuration.nix | 12 +-----
 pkgs/darwin-uninstaller/default.nix | 9 ++--
 release.nix | 1 +
 tests/nix-enable.nix | 14 ++++++
 8 files changed, 80 insertions(+), 23 deletions(-)
 create mode 100644 tests/nix-enable.nix

diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index b70487d71..c93a19b9f 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -134,6 +134,26 @@ let namedPaths ++ searchPaths; }; + handleUnmanaged = managedConfig: mkMerge [ + (mkIf cfg.enable managedConfig) + (mkIf (!cfg.enable) { + system.activationScripts.nix-daemon.text = '' + # Restore unmanaged Nix daemon if present + unmanagedNixProfile=/nix/var/nix/profiles/default + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e $unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + printf >&2 'restoring unmanaged Nix daemon...\n' + cp \ + "$unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist" \ + /Library/LaunchDaemons + launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist + fi + ''; + }) + ]; + in { @@ -144,7 +164,6 @@ in in [ # Only ever in NixOS - (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivalent to this NixOS option.") (mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType")) (mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority")) 
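Review bot: The restore script in `handleUnmanaged` copies `$unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist` into `/Library/LaunchDaemons` and loads it with `launchctl load -w` after checking only that the file exists, so whatever the default profile currently points at becomes a system daemon definition. The uninstaller code this replaces (removed later in this patch from `pkgs/darwin-uninstaller/configuration.nix`) first required `[[ -O /nix/store ]]`, and that ownership test has no counterpart here. Assuming activation runs as root, I would add an ownership condition to the `[[ … ]]` block, e.g. `&& -O $unmanagedNixProfile/Library/LaunchDaemons/org.nixos.nix-daemon.plist`, so a plist that is not root-owned is never installed. The same existence-only condition is repeated in the `pkgs/darwin-uninstaller/default.nix` hunk of this patch.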
@@ -165,9 +184,36 @@ in nix = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to enable Nix. + + Disabling this will stop nix-darwin from managing the + installed version of Nix, the nix-daemon launchd daemon, and + the settings in {file}`/etc/nix/nix.conf`. + + This allows you to use nix-darwin without it taking over your + system installation of Nix. Some nix-darwin functionality + that relies on managing the Nix installation, like the + `nix.*` options to adjust Nix settings or configure a Linux + builder, will be unavailable. You will also have to upgrade + Nix yourself, as nix-darwin will no longer do so. + + ::: {.warning} + If you have already removed your global system installation + of Nix, this will break nix-darwin and you will have to + reinstall Nix to fix it. + ::: + ''; + }; + package = mkOption { type = types.package; - default = pkgs.nix; + default = warnIf (!cfg.enable) + "nix.package: accessed when `nix.enable` is off; this is a bug" + pkgs.nix; defaultText = literalExpression "pkgs.nix"; description = '' This option specifies the Nix package instance to use throughout the system. @@ -678,7 +724,7 @@ in ###### implementation - config = { + config = handleUnmanaged { environment.systemPackages = [ nixPackage diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix index 4a989d791..2766b1126 100644 --- a/modules/nix/nix-darwin.nix +++ b/modules/nix/nix-darwin.nix @@ -4,7 +4,7 @@ let nix-tools = pkgs.callPackage ../../pkgs/nix-tools { inherit (config.system) profile; inherit (config.environment) systemPath; - nixPackage = config.nix.package; + nixPackage = if config.nix.enable then config.nix.package else null; }; darwin-uninstaller = pkgs.callPackage ../../pkgs/darwin-uninstaller { }; diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix index ffc7e651b..df3fa310e 100644 --- a/modules/services/nix-daemon.nix +++ b/modules/services/nix-daemon.nix 
@@ -10,7 +10,7 @@ in options = { services.nix-daemon.enable = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to enable the nix-daemon service."; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index e9f83d216..71030f221 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -319,21 +319,22 @@ in options = { system.checks.verifyNixPath = mkOption { type = types.bool; - default = true; + default = config.nix.enable; description = "Whether to run the NIX_PATH validation checks."; }; system.checks.verifyNixChannels = mkOption { type = types.bool; - default = config.nix.channel.enable; + default = config.nix.enable && config.nix.channel.enable; description = "Whether to run the nix-channels validation checks."; }; system.checks.verifyBuildUsers = mkOption { type = types.bool; default = - (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) - || config.nix.configureBuildUsers; + config.nix.enable && + ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + || config.nix.configureBuildUsers); description = "Whether to run the Nix build users validation checks."; }; @@ -353,7 +354,7 @@ in (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) (mkIf config.nix.configureBuildUsers buildGroupID) - nixDaemon + (mkIf config.nix.enable nixDaemon) nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser) diff --git a/pkgs/darwin-uninstaller/configuration.nix b/pkgs/darwin-uninstaller/configuration.nix index 295477a68..419db71d2 100644 --- a/pkgs/darwin-uninstaller/configuration.nix +++ b/pkgs/darwin-uninstaller/configuration.nix 
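Review bot: `default = config.nix.enable;` on `services.nix-daemon.enable` has no `defaultText`, so generated option documentation would presumably show an evaluated value instead of the dependency on `nix.enable`; patch 4/7 in this series does add `defaultText = literalExpression "!config.nix.enable";` for `nix.useDaemon`. I would add `defaultText = literalExpression "config.nix.enable";` here (if `literalExpression` is in scope the way `mkOption` is), and the equivalent for `system.checks.verifyNixPath`, `verifyNixChannels` and `verifyBuildUsers` in the `modules/system/checks.nix` hunk that follows.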
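Review bot: Only `nixDaemon` is wrapped in `mkIf config.nix.enable` in the `system.checks.text` list; `(mkIf config.nix.configureBuildUsers buildGroupID)` and the `nix.gc.automatic` / `nix.optimise.automatic` entries next to it still key off `nix.*` options alone. Nothing visible in this series rejects those options when `nix.enable = false`, so a configuration that leaves one of them set would still run checks written for a managed installation against an unmanaged one. I would gate them the same way, e.g. `(mkIf (config.nix.enable && config.nix.configureBuildUsers) buildGroupID)`, or add an assertion that they are unset when Nix management is off. The list continues outside the hunk.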
@@ -12,8 +12,8 @@ with lib; launchd.daemons = mkForce {}; launchd.user.agents = mkForce {}; - # Don't try to reload `nix-daemon` - nix.useDaemon = mkForce false; + # Restore any unmanaged `nix-daemon`. + nix.enable = false; system.activationScripts.postUserActivation.text = mkAfter '' if [[ -L ~/.nix-defexpr/channels/darwin ]]; then @@ -30,14 +30,6 @@ with lib; rm /etc/static fi - # If the Nix Store is owned by root then we're on a multi-user system - if [[ -O /nix/store ]]; then - if [[ -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]]; then - sudo cp /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/org.nixos.nix-daemon.plist - sudo launchctl load -w /Library/LaunchDaemons/org.nixos.nix-daemon.plist - fi - fi - # grep will return 1 when no lines matched which makes this line fail with `set -eo pipefail` dscl . -list /Users UserShell | { grep "\s/run/" || true; } | awk '{print $1}' | while read -r user; do shell=$(dscl . -read /Users/"$user" UserShell) diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index da58682e3..dc5938973 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix @@ -31,8 +31,11 @@ in writeShellApplication { echo >&2 " - remove /Applications/Nix Apps symlink" echo >&2 " - cleanup static /etc files" echo >&2 " - disable and remove all launchd services managed by nix-darwin" - if [[ $(stat -f '%Su' /nix/store) == "root" ]]; then - echo >&2 " - restore nix-daemon service from nix installer as this is a multi-user install" + if [[ + -e /run/current-system/Library/LaunchDaemons/org.nixos.nix-daemon.plist + && -e /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist + ]]; then + echo >&2 " - restore nix-daemon service from the Nix installer" fi echo >&2 
@@ -88,7 +91,7 @@ in writeShellApplication { launchctl print system/org.nixos.nix-daemon pgrep -l nix-daemon test -e /Library/LaunchDaemons/org.nixos.nix-daemon.plist - [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] + [[ "$(shasum -a 256 /Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" == "$(shasum -a 256 /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist | awk '{print $1}')" ]] nix-store --store daemon -q --hash ${stdenv.shell} fi echo >&2 ok diff --git a/release.nix b/release.nix index b3e2df7ed..52b3c2aa7 100644 --- a/release.nix +++ b/release.nix @@ -88,6 +88,7 @@ in { tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix; tests.networking-hostname = makeTest ./tests/networking-hostname.nix; tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix; + tests.nix-enable = makeTest ./tests/nix-enable.nix; tests.nixpkgs-overlays = makeTest ./tests/nixpkgs-overlays.nix; tests.programs-ssh = makeTest ./tests/programs-ssh.nix; tests.programs-tmux = makeTest ./tests/programs-tmux.nix; diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix new file mode 100644 index 000000000..4e7a17822 --- /dev/null +++ b/tests/nix-enable.nix @@ -0,0 +1,14 @@ +{ config, ... }: + +{ + nix.enable = false; + nix.package = throw "`nix.package` used when `nix.enable` is turned off"; + + test = '' + printf >&2 'checking for unexpected Nix binary in /sw/bin\n' + [[ -e ${config.out}/sw/bin/nix-env ]] && exit 1 + + printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' + [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + ''; +} From a9590d5bb27c4b146ee79a40415bd45b4d6a8b03 Mon Sep 17 00:00:00 2001 
From: Emily Date: Fri, 7 Feb 2025 18:29:39 +0000 Subject: [PATCH 4/7] nix: set `nix.useDaemon` by default for unmanaged Nix --- modules/nix/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index c93a19b9f..817bfc0ef 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -223,7 +223,16 @@ in # Not in NixOS module useDaemon = mkOption { type = types.bool; - default = false; + # We assume that unmanaged Nix installations use the daemon by + # default, to match the logic in nix-darwin 25.05. This is + # weird, but it matches the default behaviour in practice + # (since `services.nix-daemon.enable` is on by default and sets + # `nix.useDaemon` to true), and since `nix.enable` didn’t + # previously exist, it’s not a backwards‐compatibility concern; + # we can consequently avoid bifurcating the user experience + # across the release branches. + default = !config.nix.enable; + defaultText = literalExpression "!config.nix.enable"; description = '' If set, Nix will use the daemon to perform operations. Use this instead of services.nix-daemon.enable if you don't want the From 3032a10c4cff624dc883882e9307fd92d7d4f9ce Mon Sep 17 00:00:00 2001 
From: Emily
Date: Tue, 28 Jan 2025 18:40:29 +0000
Subject: [PATCH 5/7] activation-scripts: add unmanaged system Nix to activation path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently, the `bin` directory of the configured system is embedded in the `$PATH` of activation scripts, but not other elements of the default `environment.systemPath` like `/nix/var/nix/profiles/default/bin` or `/usr/local/bin`. This means that when nix-darwin is not managing the Nix installation, activation scripts like Home Manager’s that want to look up the system‐managed Nix can’t find it. Search for it on the entire `environment.systemPath` and add the appropriate directory if found. We leave the launchd `activate-system` daemon alone, because it has erroneously referred to `@out@/sw/bin` forever and therefore never got a Nix on the path to begin with. That’s a problem for another time. (The more ideal solution is probably for Home Manager activation to be driven by launchd or something, but that’s a longer‐term goal.)

(cherry picked from commit fb2bc03f922d406621928a80b28225340cb2b070)
---
 modules/system/activation-scripts.nix | 34 +++++++++++++++++++++++++--
 tests/nix-enable.nix | 3 +++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 5f8916cc7..b051972b5 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -13,6 +13,32 @@ let mkTextDerivation = name: text: pkgs.writeScript "activate-${name}" text; }; + activationPath = + lib.makeBinPath [ + pkgs.gnugrep + pkgs.coreutils + ] + + lib.optionalString (!config.nix.enable) '' + $( + # If `nix.enable` is off, there might be an unmanaged Nix + # installation (say in `/nix/var/nix/profiles/default`) that + # activation scripts (such as Home Manager) want to find on the + # `$PATH`. Search for it directly to avoid polluting the + # activation script environment with everything on the + # `environment.systemPath`. + if nixEnvPath=$( + PATH="${config.environment.systemPath}" command -v nix-env + ); then + printf ':' + ${lib.getExe' pkgs.coreutils "dirname"} -- "$( + ${lib.getExe' pkgs.coreutils "readlink"} \ + --canonicalize-missing \ + -- "$nixEnvPath" + )" + fi + )'' + + ":@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"; + in { @@ -40,7 +66,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ @@ -91,7 +119,9 @@ in #! ${stdenv.shell} set -e set -o pipefail - export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin" + + PATH="${activationPath}" + export PATH systemConfig=@out@ diff --git a/tests/nix-enable.nix b/tests/nix-enable.nix index 4e7a17822..0828834f1 100644 --- a/tests/nix-enable.nix +++ b/tests/nix-enable.nix @@ -10,5 +10,8 @@ printf >&2 'checking for unexpected nix-daemon plist in /Library/LaunchDaemons\n' [[ -e ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist ]] && exit 1 + + printf >&2 'checking for late‐bound Nix lookup in /activate\n' + grep nixEnvPath= ${config.out}/activate ''; } From b2b26e8856fd71188bdc8cb7f00ef66e5b4b233e Mon Sep 17 00:00:00 2001 
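Review bot: The directory found by `PATH="${config.environment.systemPath}" command -v nix-env` is spliced into the activation `PATH` ahead of `@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin`, so every later bare command lookup in `activate` consults that directory before the system ones. The commit message names `/usr/local/bin` as a `systemPath` entry; if any searched entry, or the directory the resolved symlink lands in, is writable by a non-root account, the activation script (which appears to run with elevated privileges) would prefer binaries from it. I would append the discovered directory after `/sbin` instead of before `@out@/sw/bin`, and only when it passes an ownership test such as `[[ -O "$nixDir" ]]`, with `nixDir` a new local holding the `dirname` result. The same `activationPath` is now also used for `activate-user`, which silently adds `/usr/sbin:/sbin` to that script's `PATH` compared with the removed line.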
From: Emily Date: Wed, 29 Jan 2025 15:48:54 +0000 Subject: [PATCH 6/7] checks: add check for Determinate This provides a more useful error message than the `/etc/nix/nix.conf` hash mismatch error that would otherwise occur. (cherry picked from commit 03877755e9f67e584381ecde74ed2c030639aa0c) --- modules/system/checks.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 71030f221..17f6467db 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -31,6 +31,23 @@ let fi ''; + determinate = '' + if [[ -e /usr/local/bin/determinate-nixd ]]; then + printf >&2 '\e[1;31merror: Determinate detected, aborting activation\e[0m\n' + printf >&2 'Determinate uses its own daemon to manage the Nix installation that\n' + printf >&2 'conflicts with nix-darwin’s native Nix management.\n' + printf >&2 '\n' + printf >&2 'To turn off nix-darwin’s management of the Nix installation, set:\n' + printf >&2 '\n' + printf >&2 ' nix.enable = false;\n' + printf >&2 '\n' + printf >&2 'This will allow you to use nix-darwin with Determinate. Some nix-darwin\n' + printf >&2 'functionality that relies on managing the Nix installation, like the\n' + printf >&2 '`nix.*` options to adjust Nix settings or configure a Linux builder,\n' + printf >&2 'will be unavailable.\n' + exit 2 + fi + ''; oldBuildUsers = '' if dscl . -list /Users | grep -q '^nixbld'; then @@ -350,6 +367,7 @@ in system.checks.text = mkMerge [ darwinChanges runLink + (mkIf config.nix.enable determinate) (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) From 78a8ba905fda2dcb30e7c92e371016534f531413 Mon Sep 17 00:00:00 2001 
From: Emily
Date: Fri, 7 Feb 2025 18:20:23 +0000
Subject: [PATCH 7/7] readme: point to `master` branch readme
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ideally we’d have separate manuals per release, but in the meantime this should help avoid user confusion.
---
 README.md | 230 +-----------------------------------------------------
 1 file changed, 1 insertion(+), 229 deletions(-)

diff --git a/README.md b/README.md
index 97200d69c..2419f391a 100644
--- a/README.md
+++ b/README.md
@@ -1,231 +1,3 @@ -[logo](https://github.com/LnL7/nix-darwin) - # nix-darwin -[![Test](https://github.com/LnL7/nix-darwin/actions/workflows/test.yml/badge.svg)](https://github.com/LnL7/nix-darwin/actions/workflows/test.yml) - -Nix modules for darwin, `/etc/nixos/configuration.nix` for macOS. - -This project aims to bring the convenience of a declarative system approach to macOS. -nix-darwin is built up around [Nixpkgs](https://github.com/NixOS/nixpkgs), quite similar to [NixOS](https://nixos.org/). - -## Prerequisites - -The only prerequisite is a Nix implementation, both Nix and Lix are supported. - -As the official Nix installer does not include an automated uninstaller, and manual uninstallation on macOS is a complex process, we recommend using one of the following installers instead: - -- The [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer?tab=readme-ov-file#determinate-nix-installer) is only recommended for use with flake-based setups. **Make sure you use it without the `--determinate` flag**. The `--determinate` flag installs the Determinate Nix distribution which does not work out of the box with nix-darwin. -* The [Lix installer](https://lix.systems/install/#on-any-other-linuxmacos-system) supports both flake-based and channel-based setups. - - - -## Getting started - -Despite being an experimental feature in Nix currently, nix-darwin recommends that beginners use flakes to manage their nix-darwin configurations. - -
-Flakes (Recommended for beginners) - -### Step 1. Creating `flake.nix` - -
-Getting started from scratch -

- -If you don't have an existing `configuration.nix`, you can run the following commands to generate a basic `flake.nix` inside `~/.config/nix-darwin`: - -```bash -mkdir -p ~/.config/nix-darwin -cd ~/.config/nix-darwin - -# To use Nixpkgs unstable: -nix flake init -t nix-darwin/master -# To use Nixpkgs 24.11: -nix flake init -t nix-darwin/nix-darwin-24.11 - -sed -i '' "s/simple/$(scutil --get LocalHostName)/" flake.nix -``` - -Make sure to change `nixpkgs.hostPlatform` to `aarch64-darwin` if you are using Apple Silicon. - -
- -
-Migrating from an existing configuration.nix -

- -Add the following to `flake.nix` in the same folder as `configuration.nix`: - -```nix -{ - description = "John's darwin system"; - - inputs = { - # Use `github:NixOS/nixpkgs/nixpkgs-24.11-darwin` to use Nixpkgs 24.11. - nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - # Use `github:LnL7/nix-darwin/nix-darwin-24.11` to use Nixpkgs 24.11. - nix-darwin.url = "github:LnL7/nix-darwin/master"; - nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = inputs@{ self, nix-darwin, nixpkgs }: { - darwinConfigurations."Johns-MacBook" = nix-darwin.lib.darwinSystem { - modules = [ ./configuration.nix ]; - }; - }; -} -``` - -Make sure to replace `Johns-MacBook` with your hostname which you can find by running `scutil --get LocalHostName`. - -Make sure to set `nixpkgs.hostPlatform` in your `configuration.nix` to either `x86_64-darwin` (Intel) or `aarch64-darwin` (Apple Silicon). - -
- -### Step 2. Installing `nix-darwin` - -Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: - -```bash -nix run nix-darwin -- switch --flake ~/.config/nix-darwin -``` - -### Step 3. Using `nix-darwin` - -After installing, you can run `darwin-rebuild` to apply changes to your system: - -```bash -darwin-rebuild switch --flake ~/.config/nix-darwin -``` - -#### Using flake inputs - -Inputs from the flake can also be passed into `darwinSystem`. These inputs are then -accessible as an argument `inputs`, similar to `pkgs` and `lib`, inside the configuration. - -```nix -# in flake.nix -nix-darwin.lib.darwinSystem { - modules = [ ./configuration.nix ]; - specialArgs = { inherit inputs; }; -} -``` - -```nix -# in configuration.nix -{ pkgs, lib, inputs }: -# inputs.self, inputs.nix-darwin, and inputs.nixpkgs can be accessed here -``` -
- -
-Channels - -### Step 1. Creating `configuration.nix` - -Copy the [simple](./modules/examples/simple.nix) example to `~/.config/nix-darwin/configuration.nix`. - -### Step 2. Adding `nix-darwin` channel - -```bash -# If you use Nixpkgs unstable (the default): -sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin -# If you use Nixpkgs 24.11: -sudo nix-channel --add https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz darwin - -sudo nix-channel --update -``` - -### Step 3. Installing `nix-darwin` - -To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix-darwin. As `darwin-rebuild` won't be installed in your `PATH` yet, you can use the following command: - -```bash -# If you use Nixpkgs unstable (the default): -nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A darwin-rebuild -# If you use Nixpkgs 24.11: -nix-build https://github.com/LnL7/nix-darwin/archive/nix-darwin-24.11.tar.gz -A darwin-rebuild - -./result/bin/darwin-rebuild switch -I darwin-config=$HOME/.config/nix-darwin/configuration.nix -``` - -### Step 4. Using `nix-darwin` - -After installing, you can run `darwin-rebuild` to apply changes to your system: - -```bash -darwin-rebuild switch -``` - -### Step 5. Updating `nix-darwin` - -You can update Nixpkgs and `nix-darwin` using the following command: - -```bash -sudo nix-channel --update -``` -
- -## Documentation - -`darwin-help` will open up a local copy of the reference documentation, it can also be found online [here](https://daiderd.com/nix-darwin/manual/index.html). - -The documentation is also available as manpages by running `man 5 configuration.nix`. - -## Uninstalling - -To run the latest version of the uninstaller, you can run the following command: - -``` -nix --extra-experimental-features "nix-command flakes" run nix-darwin#darwin-uninstaller -``` - -If that command doesn't work for you, you can try the locally installed uninstaller: - -``` -darwin-uninstaller -``` - -## Tests - -There are basic tests that run sanity checks for some of the modules, -you can run them like this: - -```bash -# run all tests -nix-build release.nix -A tests -# or just a subset -nix-build release.nix -A tests.environment-path -``` - -## Contributing - -Let's make Nix on macOS awesome! - -Don't hesitate to contribute modules or open an issue. - -To build your configuration with local changes you can run this. This -flag can also be used to override darwin-config or nixpkgs, for more -information on the `-I` flag look at the nix-build [manpage](https://nixos.org/manual/nix/stable/command-ref/nix-build.html). - -```bash -darwin-rebuild switch -I darwin=. -``` - -If you're adding a module, please add yourself to `meta.maintainers`, for example - -```nix - meta.maintainers = [ - lib.maintainers.alice or "alice" - ]; - - options.services.alicebot = # ... -``` - -The `or` operator takes care of graceful degradation when `lib` from Nixpkgs -goes out of sync. - -Also feel free to contact me if you have questions, -- Matrix - @daiderd:matrix.org, you can find me in [#macos:nixos.org](https://matrix.to/#/#macos:nixos.org) -- @LnL7 on twitter +This is the 24.11 release branch of nix-darwin. See [the main readme](https://github.com/LnL7/nix-darwin#readme) for documentation.