nix: remove nix.configureBuildUsers

We now manage the build users unconditionally when we manage the
Nix installation.

modules/examples/lnl.nix

@@ -319,7 +319,6 @@
   #     path = /etc/per-user/lnl/gitconfig
   # environment.etc."per-user/lnl/gitconfig".text = builtins.readFile "${inputs.dotfiles}/git/gitconfig";
 
-  nix.configureBuildUsers = true;
   nix.nrBuildUsers = 32;
 
   system.stateVersion = 6;

modules/nix/default.nix

@@ -12,6 +12,8 @@ let
 
   isNixAtLeast = versionAtLeast (getVersion nixPackage);
 
+  configureBuildUsers = !(config.nix.settings.auto-allocate-uids or false);
+
   makeNixBuildUser = nr: {
     name = "_nixbld${toString nr}";
     value = {
@@ -180,6 +182,10 @@ in
         nix-darwin now only supports managing multi‐user daemon
         installations of Nix.
       '')
+      (mkRemovedOptionModule [ "nix" "configureBuildUsers" ] ''
+        nix-darwin now manages build users unconditionally when
+        `nix.enable` is on.
+      '')
     ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
 
   ###### interface
@@ -397,15 +403,6 @@ in
         description = "Environment variables used by Nix.";
       };
 
-      # Not in NixOS module
-      configureBuildUsers = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable configuration for nixbld group and users.
-        '';
-      };
-
       nrBuildUsers = mkOption {
         type = types.int;
         description = ''
@@ -836,10 +833,10 @@ in
 
     nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs));
 
-    users.users = mkIf cfg.configureBuildUsers nixbldUsers;
+    users.users = mkIf configureBuildUsers nixbldUsers;
 
     # Not in NixOS module
-    users.groups.nixbld = mkIf cfg.configureBuildUsers {
+    users.groups.nixbld = mkIf configureBuildUsers {
       description = "Nix build group for nix-daemon";
       gid = config.ids.gids.nixbld;
       members = attrNames nixbldUsers;
@@ -847,11 +844,11 @@ in
     users.knownUsers =
       let nixbldUserNames = attrNames nixbldUsers;
       in
-      mkIf cfg.configureBuildUsers (mkMerge [
+      mkMerge [
         nixbldUserNames
         (map (removePrefix "_") nixbldUserNames) # delete old style nixbld users
-      ]);
-    users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ];
+      ];
+    users.knownGroups = [ "nixbld" ];
 
     # The Determinate Systems installer puts user‐specified settings in
     # `/etc/nix/nix.custom.conf` since v0.33.0. Supplement the

modules/system/checks.nix

@@ -31,29 +31,13 @@ let
     fi
   '';
 
-  oldBuildUsers = ''
-    if dscl . -list /Users | grep -q '^nixbld'; then
-        echo "error: Detected old style nixbld users, aborting activation" >&2
-        echo "These can cause migration problems when upgrading to certain macOS versions" >&2
-        echo "You can enable the following option to migrate to new style nixbld users" >&2
-        echo >&2
-        echo "    nix.configureBuildUsers = true;" >&2
-        echo >&2
-        echo "or disable this check with" >&2
-        echo >&2
-        echo "    system.checks.verifyBuildUsers = false;" >&2
-        echo >&2
-        exit 2
-     fi
-   '';
-
   preSequoiaBuildUsers = ''
-    ${lib.optionalString config.nix.configureBuildUsers ''
-      # Don’t complain when we’re about to migrate old‐style build users…
-      if ! dscl . -list /Users | grep -q '^nixbld'; then
-    ''}
     firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
-    if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
+    if
+      # Don’t complain when we’re about to migrate old‐style build users…
+      [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \
+      && ! dscl . -list /Users | grep -q '^nixbld'
+    then
         printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
         printf >&2 'The default Nix build user ID range has been adjusted for\n'
         printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n'
@@ -86,22 +70,6 @@ let
         printf >&2 '\n'
         exit 2
     fi
-    ${lib.optionalString config.nix.configureBuildUsers "fi"}
-  '';
-
-  buildUsers = ''
-    buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
-    if [[ -z "$buildUser" ]]; then
-        echo "error: Using the nix-daemon requires build users, aborting activation" >&2
-        echo "Create the build users or disable the daemon:" >&2
-        echo "$ darwin-install" >&2
-        echo >&2
-        echo "or set (this requires some manual intervention to restore permissions)" >&2
-        echo >&2
-        echo "    services.nix-daemon.enable = false;" >&2
-        echo >&2
-        exit 2
-    fi
   '';
 
   buildGroupID = ''
@@ -268,9 +236,7 @@ in
     system.checks.verifyBuildUsers = mkOption {
       type = types.bool;
       default =
-        config.nix.enable &&
-        ((!(config.nix.settings.auto-allocate-uids or false))
-          || config.nix.configureBuildUsers);
+        config.nix.enable && !(config.nix.settings.auto-allocate-uids or false);
       description = "Whether to run the Nix build users validation checks.";
     };
 
@@ -291,10 +257,8 @@ in
 
     system.checks.text = mkMerge [
       (mkIf cfg.verifyMacOSVersion macOSVersion)
-      (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers)
-      (mkIf cfg.verifyBuildUsers buildUsers)
       (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
-      (mkIf config.nix.configureBuildUsers buildGroupID)
+      (mkIf cfg.verifyBuildUsers buildGroupID)
       (mkIf config.nix.enable nixDaemon)
       nixInstaller
       (mkIf cfg.verifyNixPath nixPath)