From 5c3146b75d5d478f0693d0ea6c83f1da8382ff56 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Wed, 17 Feb 2021 21:58:03 +0100
Subject: [PATCH] users: migrate nixbld -> _nixbld

According to some investigation creating "role" accounts avoids migration problems when upgrading to certain macOS versions, so create the build users to match that definition and remove the old ones if present. Role accounts require name starting with _ and UID in 200-400 range
---
 modules/system/checks.nix | 20 ++++++++++++++++++--
 modules/users/nixbld/default.nix | 13 ++++++++-----
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 22a4d86..d19d789 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -44,14 +44,29 @@ let
 fi
 '';
+ oldBuildUsers = ''
+ if dscl . -list /Users | grep -q '^nixbld'; then
+ echo "warning: Detected old style nixbld users" >&2
+ echo "These can cause migration problems when upgrading to certain macOS versions" >&2
+ echo "Running the installer again will remove and recreate the users in a way that avoids these problems" >&2
+ echo >&2
+ echo "$ darwin-install" >&2
+ echo >&2
+ echo "or enable to automatically manage the users" >&2
+ echo >&2
+ echo " users.nix.configureBuildUsers = true;" >&2
+ echo >&2
+ fi
+ '';
+
 buildUsers = ''
 buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
 if [ -z $buildUser ]; then
 echo "error: Using the nix-daemon requires build users, aborting activation" >&2
 echo "Create the build users or disable the daemon:" >&2
- echo "$ ./bootstrap -u" >&2
+ echo "$ darwin-install" >&2
 echo >&2
- echo "or set" >&2
+ echo "or set (this requires some manual intervention to restore permissions)" >&2
 echo >&2
 echo " services.nix-daemon.enable = false;" >&2
 echo >&2
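Review bot: Two of the new user-facing lines in `oldBuildUsers` and the changed `or set` line leave the reader short of what they need: `echo "or enable to automatically manage the users" >&2` is missing its object, and `"or set (this requires some manual intervention to restore permissions)"` names neither which permissions are affected nor where the manual steps are described. I would write the first as `echo "or enable automatic management of the build users:" >&2` and, for the second, either state the step or point at the document that describes it, if one exists. The detection itself (`dscl . -list /Users | grep -q '^nixbld'`) stays silent when `dscl` fails, since its errors go to stderr and the pipe then simply matches nothing — probably acceptable for a warning, but worth knowing. The enclosing `let` block starts before the hunk and continues past it.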
@@ -200,6 +215,7 @@ in
 system.checks.text = mkMerge [
 darwinChanges
 runLink
+ oldBuildUsers
 (mkIf config.nix.useDaemon buildUsers)
 (mkIf (!config.nix.useDaemon) singleUser)
 nixStore
diff --git a/modules/users/nixbld/default.nix b/modules/users/nixbld/default.nix
index ca09880..8dadd56 100644
--- a/modules/users/nixbld/default.nix
+++ b/modules/users/nixbld/default.nix
@@ -13,9 +13,9 @@ let
 mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;
 buildUsers = mkUsers (i: {
- name = "nixbld${toString i}";
- uid = 30000 + i;
- gid = 30000;
+ name = "_nixbld${toString i}";
+ uid = 300 + i;
+ gid = 300;
 description = "Nix build user ${toString i}";
 });
@@ -52,7 +52,7 @@ in
 assertions = [
 { assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
- { assertion = elem "nixbld1" cfg.knownUsers -> elem "nixbld1" createdUsers; message = "refusing to delete user nixbld1 in users.knownUsers, this would break nix"; }
+ { assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
 { assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
 ];
@@ -60,7 +60,10 @@ in
 users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);
 users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
- users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkUsers (i: "nixbld${toString i}"));
+ users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
+ (mkUsers (i: "_nixbld${toString i}"))
+ (mkUsers (i: "nixbld${toString i}")) # delete old style nixbld users
+ ]);
 };
 }
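Review bot: `oldBuildUsers` is merged into `system.checks.text` unconditionally, so the warning it prints — including its advice to set `users.nix.configureBuildUsers = true;` — is also shown on a system where that option is already enabled and this very activation is about to remove the old accounts through `users.knownUsers`. Gating it the way its neighbours are gated keeps the advice accurate: `(mkIf (!config.users.nix.configureBuildUsers) oldBuildUsers)`. That option path is inferred from `cfg.nix.configureBuildUsers` in modules/users/nixbld/default.nix, assuming `cfg` is `config.users` there; please confirm. The `mkMerge` list begins in the hunk and continues past it.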
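Review bot: `uid = 300 + i` only stays inside the 200-400 role-account range the commit message relies on while `cfg.nix.nrBuildUsers` is at most 100; a larger count silently assigns UIDs above 400, which is the situation the migration is meant to avoid, and the hunk adds no bound. An entry in the `assertions` list of the following hunk would catch it: `{ assertion = cfg.nix.nrBuildUsers <= 100; message = "users.nix.nrBuildUsers must be at most 100 so that _nixbld UIDs stay within the 200-400 role account range"; }`. The users' primary `gid` also moves from 30000 to 300 while the definition of the `nixbld` group is outside this hunk; if that group's gid is not moved as well, the new users would carry a primary group id no group owns — worth confirming. The `let` block enclosing `buildUsers` starts before the hunk.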
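Review bot: The legacy names queued for deletion are produced by `mkUsers`, so only `nixbld1` through `nixbld<nrBuildUsers>` are removed; a machine whose earlier installation created more build users than the current `cfg.nix.nrBuildUsers` keeps the surplus `nixbld*` accounts, and the `oldBuildUsers` check in modules/system/checks.nix (`grep -q '^nixbld'`) then warns on every activation with no way to clear it through this option. Generating the legacy names over a fixed upper bound independent of the current count, e.g. `(genList (x: "nixbld${toString (x + 1)}") LEGACY_MAX) # delete old style nixbld users` with LEGACY_MAX (placeholder) set to the largest count the old installer produced, would remove them regardless; `genList` is already used by `mkUsers` in this file. A comment saying that the second list exists only for the one-time migration and can be dropped once old installations are gone would help the next reader decide when to remove it. The attribute set closed by the `};` and `}` at the end of the hunk is opened outside it.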