nix: fix auto-allocate-uids #1335

Open
wants to merge 1 commit into
base: master
6 changes: 3 additions & 3 deletions modules/nix/default.nix
Expand Up @@ -795,8 +795,8 @@ in

# Not in NixOS module
{ assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
{ assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
{ assertion = configureBuildUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = configureBuildUsers -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }

{
# Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100
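Review bot: The replacement assertion `configureBuildUsers -> elem "_nixbld1" createdUsers` keeps the old message "refusing to delete user _nixbld1 in users.knownUsers", but its condition no longer references users.knownUsers, so when it fires the message points at the wrong option. Reword it to say that _nixbld1 has to be among the created users while build users are configured. The group assertion has a related dependency: without the `config.users.groups ? "nixbld"` guard it relies on the group always being defined, which only holds because of the users.groups.nixbld change later in this file, and a one-line comment saying so would keep the two in step.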
Expand Down Expand Up @@ -836,7 +836,7 @@ in
users.users = mkIf configureBuildUsers nixbldUsers;

# Not in NixOS module
users.groups.nixbld = mkIf configureBuildUsers {
users.groups.nixbld = {
description = "Nix build group for nix-daemon";
gid = config.ids.gids.nixbld;
members = attrNames nixbldUsers;
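Review bot: `members = attrNames nixbldUsers;` is left unconditional while `users.users = mkIf configureBuildUsers nixbldUsers;` just above it is not, so with configureBuildUsers false the group is declared with members that this module does not create. Guarding only that attribute, for example `members = mkIf configureBuildUsers (attrNames nixbldUsers);`, keeps the group defined and leaves its membership unset. The "# Not in NixOS module" comment could also record why the group is now always defined.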
Collaborator

This should probably be empty if !configureBuildUsers.

Author

@andre4ik3 andre4ik3 Feb 13, 2025

But then the group wouldn't be created if auto-allocate-uids is true? I mean, to be fair, I haven't seen it actually documented anywhere that the group is required. Maybe I'm wrong or my config is messed up somehow. But both on my NixOS and Darwin machines, if the group doesn't exist, it just gives the error:

error: the group 'nixbld' specified in 'build-users-group' does not exist

If the group is created, even though it has no members, it will work fine and create the UIDs. If the build-users-group is set to be empty, it will just build everything as root. (I am also using Lix; maybe it could be because of that.)

11 changes: 9 additions & 2 deletions modules/system/checks.nix
Expand Up @@ -50,10 +50,11 @@ let
'';

preSequoiaBuildUsers = ''
firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}' || echo 0)
if
# Don’t complain when we’re about to migrate old‐style build users…
[[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \
&& [[ $firstBuildUserID != 0 ]] \
&& ! dscl . -list /Users | grep -q '^nixbld'
then
printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
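Review bot: The `|| echo 0` fallback in the new firstBuildUserID assignment is attached to the whole pipeline, whose exit status is awk's unless pipefail is in effect, so when `dscl . -read /Users/_nixbld1` fails awk still exits 0 with no output and the variable ends up empty rather than 0. In that case the added `[[ $firstBuildUserID != 0 ]]` test is true and the missing-user case is not excluded. Test for the empty string instead, for example by adding `[[ -n $firstBuildUserID ]]` to the condition, or default the value with `${firstBuildUserID:-0}` after the assignment, so the result does not depend on shell options that are not visible in this hunk.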
Expand Down Expand Up @@ -258,6 +259,12 @@ in
description = "Whether to run the Nix build users validation checks.";
};

system.checks.verifyBuildGroup = mkOption {
type = types.bool;
default = config.nix.enable;
description = "Whether to run the Nix build group validation checks.";
};

system.checks.verifyMacOSVersion = mkOption {
type = types.bool;
default = true;
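Review bot: The description of system.checks.verifyBuildGroup, "Whether to run the Nix build group validation checks.", is a near copy of the verifyBuildUsers one and does not say what is validated. State that it gates the build group ID check and that it is independent of whether build users are configured, so a reader can tell when to turn it off.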
Expand All @@ -277,7 +284,7 @@ in
(mkIf cfg.verifyMacOSVersion macOSVersion)
(mkIf config.nix.enable determinate)
(mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
(mkIf cfg.verifyBuildUsers buildGroupID)
(mkIf cfg.verifyBuildGroup buildGroupID)
(mkIf config.nix.enable nixDaemon)
nixInstaller
(mkIf cfg.verifyNixPath nixPath)
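Review bot: Moving buildGroupID from `mkIf cfg.verifyBuildUsers` to `mkIf cfg.verifyBuildGroup` changes behaviour for existing configurations: anyone who turned off verifyBuildUsers to skip the group ID check gets that check back, because the new option defaults to config.nix.enable. Either call this out in the changelog, or derive the new option's default from verifyBuildUsers if the previous behaviour is meant to be preserved.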
8 changes: 2 additions & 6 deletions modules/users/default.nix
Expand Up @@ -317,12 +317,8 @@ in
${concatMapStringsSep "\n" (name: ''
u=$(id -u ${escapeShellArg name} 2> /dev/null) || true
if [ -n "$u" ]; then
if [ "$u" -gt 501 ]; then
echo "deleting user ${name}..." >&2
dscl . -delete ${escapeShellArg "/Users/${name}"}
else
echo "warning: existing user '${name}' has unexpected uid $u, skipping..." >&2
fi
echo "deleting user ${name}..." >&2
dscl . -delete ${escapeShellArg "/Users/${name}"}
fi
'') deletedUsers}
'';
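Review bot: Removing the `[ "$u" -gt 501 ]` test also removes the only UID safeguard in this loop: every name in deletedUsers that resolves to an existing account is now passed to `dscl . -delete`, whatever its UID, and the "unexpected uid ... skipping" warning path is gone with it. If the aim is to let low-UID build users be deleted, narrow the exception instead of dropping the check, for example by keeping the guard and exempting only the build user names, or at least by refusing UID 0 and the UID of the user running activation. A comment explaining which accounts are expected to have UIDs at or below 501 would make the intent reviewable.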