nix: remove nix.useDaemon

We now assume the daemon is used unconditionally when we manage the
Nix installation.

The `nix.gc` and `nix.optimise` services lose their `$NIX_REMOTE`
setting rather than making it unconditional, as the NixOS `nix.gc`
module does not set it. Possibly it should, but I think uniformity
between the two systems is better than diverging, even though I kind
of hate that the non‐daemon method of access is even a thing.
Emily 2025-01-28 19:30:20 +00:00
parent e182d8dff6
commit c796587d2e
12 changed files with 26 additions and 125 deletions


@ -176,6 +176,10 @@ in
(mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ])
(mkRenamedOptionModule [ "nix" "daemonIONice" ] [ "nix" "daemonIOLowPriority" ])
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] (consider "nix.daemonProcessType"))
(mkRemovedOptionModule [ "nix" "useDaemon" ] ''
nix-darwin now only supports managing multiuser daemon
installations of Nix.
'')
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
###### interface
@ -220,17 +224,6 @@ in
'';
};
# Not in NixOS module
useDaemon = mkOption {
type = types.bool;
default = false;
description = ''
If set, Nix will use the daemon to perform operations.
Use this instead of services.nix-daemon.enable if you don't want the
daemon service to be managed for you.
'';
};
distributedBuilds = mkOption {
type = types.bool;
default = false;
@ -909,7 +902,7 @@ in
if [[ -e /etc/nix/nix.custom.conf ]]; then
mv /etc/nix/nix.custom.conf{,.before-nix-darwin}
fi
'' + optionalString cfg.useDaemon ''
if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then
echo "reloading nix-daemon..." >&2
launchctl kill HUP system/org.nixos.nix-daemon
@ -926,6 +919,9 @@ in
trusted-users = [ "root" ];
substituters = mkAfter [ "https://cache.nixos.org/" ];
# Not in NixOS module
build-users-group = "nixbld";
# Not implemented yet
# system-features = mkDefault (
# [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
@ -941,8 +937,6 @@ in
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
# Not in NixOS module
(mkIf cfg.useDaemon { build-users-group = "nixbld"; })
];
};
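Review bot: In the `@ -909,7 +902,7 @@` hunk the daemon reload is no longer gated on `cfg.useDaemon`, so `launchctl kill HUP system/org.nixos.nix-daemon` now runs whenever the installed nix.conf or machines file differs, regardless of whether the launchd service is actually loaded. If leaving `services.nix-daemon.enable` off is still a supported configuration (the nix-daemon module hunk in this commit still gates its launchd entry on `cfg.enable`), launchctl will fail on a service that is not loaded and the activation script's exit status depends on how the surrounding block handles errors, which is outside the hunk. Guarding the reload on the service being enabled, `'' + optionalString config.services.nix-daemon.enable ''`, keeps the behaviour explicit rather than relying on launchctl's failure mode. The shell string containing the reload continues past the end of the hunk.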


@ -227,8 +227,9 @@ in
{ path = cfg.runtimePackages ++ [ cfg.package pkgs.coreutils pkgs.darwin.DarwinTools ];
environment = {
HOME = cfg.dataDir;
NIX_REMOTE = "daemon";
inherit (config.environment.variables) NIX_SSL_CERT_FILE;
} // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {});
};
## NB: maximum care is taken so that secrets (ssh keys and the CI token)
## don't end up in the Nix store.


@ -551,8 +551,9 @@ in
launchd.daemons.gitlab-runner = {
environment = { #config.networking.proxy.envVars // {
HOME = "${config.users.users.gitlab-runner.home}";
NIX_REMOTE = "daemon";
NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
} // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {});
};
path = with pkgs; [
bash
gawk


@ -74,7 +74,7 @@ in
darwin.label = config.system.darwinLabel;
darwin.revision = config.system.darwinRevision;
darwin.version = config.system.darwinVersion;
darwin.nix.daemon = config.nix.useDaemon;
darwin.nix.daemon = true;
darwin.nix.sandbox = config.nix.settings.sandbox;
};
};


@ -41,8 +41,6 @@ in
config = mkIf cfg.enable {
nix.useDaemon = true;
launchd.daemons.nix-daemon = {
command = lib.getExe' config.nix.package "nix-daemon";
serviceConfig.ProcessType = config.nix.daemonProcessType;


@ -14,6 +14,7 @@ in
(mkRemovedOptionModule [ "nix" "gc" "dates" ] "Use `nix.gc.interval` instead.")
(mkRemovedOptionModule [ "nix" "gc" "randomizedDelaySec" ] "No `nix-darwin` equivalent to this NixOS option.")
(mkRemovedOptionModule [ "nix" "gc" "persistent" ] "No `nix-darwin` equivalent to this NixOS option.")
(mkRemovedOptionModule [ "nix" "gc" "user" ] "The garbage collection service now always runs as `root`.")
];
###### interface
@ -28,13 +29,6 @@ in
description = "Automatically run the garbage collector at a specific time.";
};
# Not in NixOS module
user = mkOption {
type = types.nullOr types.str;
default = null;
description = "User that runs the garbage collector.";
};
interval = mkOption {
type = launchdTypes.StartCalendarInterval;
default = [{ Weekday = 7; Hour = 3; Minute = 15; }];
@ -66,10 +60,8 @@ in
launchd.daemons.nix-gc = {
command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}";
environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon";
serviceConfig.RunAtLoad = false;
serviceConfig.StartCalendarInterval = cfg.interval;
serviceConfig.UserName = cfg.user;
};
};
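Review bot: With the `environment.NIX_REMOTE` line removed from `launchd.daemons.nix-gc`, `nix-collect-garbage` now runs as root with direct access to the store and database instead of going through the daemon; the commit message explains this is deliberate for parity with the NixOS `nix.gc` module, but nothing in the module itself records that, and the next reader is likely to "fix" it by re-adding the variable. A one-line comment next to `command`, e.g. `# NIX_REMOTE is intentionally unset: as on NixOS, the root-run collector accesses the store directly rather than via the daemon`, would carry the intent. The `launchd.daemons.nix-optimise` hunk in the optimise module has the same gap and would benefit from the same comment.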


@ -20,6 +20,7 @@ in
{
imports = [
(mkRemovedOptionModule [ "nix" "optimise" "dates" ] "Use `nix.optimise.interval` instead.")
(mkRemovedOptionModule [ "nix" "optimise" "user" ] "The store optimisation service now always runs as `root`.")
];
###### interface
@ -34,13 +35,6 @@ in
description = "Automatically run the nix store optimiser at a specific time.";
};
# Not in NixOS module
user = mkOption {
type = types.nullOr types.str;
default = null;
description = "User that runs the store optimisation.";
};
interval = mkOption {
type = launchdTypes.StartCalendarInterval;
default = [{ Weekday = 7; Hour = 4; Minute = 15; }];
@ -61,12 +55,10 @@ in
config = mkIf cfg.automatic {
launchd.daemons.nix-optimise = {
environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon";
command = "${lib.getExe' config.nix.package "nix-store"} --optimise";
serviceConfig = {
RunAtLoad = false;
StartCalendarInterval = cfg.interval;
UserName = cfg.user;
};
};


@ -130,24 +130,19 @@ let
fi
'';
nixDaemon = if config.nix.useDaemon then ''
if ! dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then
printf >&2 'error: The daemon should not be enabled for single-user installs, aborting activation\n'
printf >&2 'Disable the nix-daemon service:\n'
nixDaemon = ''
if [[ "$(stat --format='%u' /nix)" != 0 ]]; then
printf >&2 'error: singleuser install detected, aborting activation\n'
printf >&2 'nix-darwin now only supports managing multiuser daemon installations\n'
printf >&2 'of Nix. You can uninstall nix-darwin and Nix and then reinstall both to\n'
printf >&2 'fix this.\n'
printf >&2 '\n'
printf >&2 ' services.nix-daemon.enable = false;\n'
printf >&2 'If you dont want to do that, you can disable management of the Nix\n'
printf >&2 'installation with:\n'
printf >&2 '\n'
printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n'
printf >&2 '\n'
exit 2
fi
'' else ''
if dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then
printf >&2 'error: The daemon should be enabled for multi-user installs, aborting activation\n'
printf >&2 'Enable the nix-daemon service:\n'
printf >&2 '\n'
printf >&2 ' services.nix-daemon.enable = true;\n'
printf >&2 ' nix.enable = false;\n'
printf >&2 '\n'
printf >&2 'See the `nix.enable` option documentation for caveats.\n'
exit 2
fi
'';
@ -214,43 +209,6 @@ let
fi
'';
nixStore = ''
if test -w /nix/var/nix/db -a ! -O /nix/store; then
echo >&2 "error: the store is not owned by this user, but /nix/var/nix/db is writable"
echo >&2 "If you are using the daemon:"
echo >&2
echo >&2 " sudo chown -R root:wheel /nix/var/nix/db"
echo >&2
echo >&2 "Otherwise:"
echo >&2
echo >&2 " sudo chown -R $USER:staff /nix/store"
echo >&2
exit 2
fi
'';
nixGarbageCollector = ''
if test -O /nix/store; then
echo "error: A single-user install can't run gc as root, aborting activation" >&2
echo "Configure the garbage collector to run as the current user:" >&2
echo >&2
echo " nix.gc.user = \"$USER\";" >&2
echo >&2
exit 2
fi
'';
nixStoreOptimiser = ''
if test -O /nix/store; then
echo "error: A single-user install can't run optimiser as root, aborting activation" >&2
echo "Configure the optimiser to run as the current user:" >&2
echo >&2
echo " nix.optimise.user = \"$USER\";" >&2
echo >&2
exit 2
fi
'';
# TODO: Remove this a couple years down the line when we can assume
# that anyone who cares about security has upgraded.
oldSshAuthorizedKeysDirectory = ''
@ -311,7 +269,7 @@ in
type = types.bool;
default =
config.nix.enable &&
((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false))
((!(config.nix.settings.auto-allocate-uids or false))
|| config.nix.configureBuildUsers);
description = "Whether to run the Nix build users validation checks.";
};
@ -338,9 +296,6 @@ in
(mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
(mkIf config.nix.configureBuildUsers buildGroupID)
(mkIf config.nix.enable nixDaemon)
nixStore
(mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
(mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser)
nixInstaller
(mkIf cfg.verifyNixPath nixPath)
oldSshAuthorizedKeysDirectory
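Review bot: The rewritten `nixDaemon` check detects a single-user install with `stat --format='%u' /nix`, which is GNU coreutils syntax; the BSD `stat` shipped with macOS only accepts `-f`, so the check silently depends on coreutils being ahead of `/usr/bin` on PATH when the activation script runs, and that guarantee is not visible in this hunk. If the activation scripts do put coreutils first, a comment such as `# requires GNU stat (coreutils); /nix is owned by the installing user on single-user installs` would make the dependency and the choice of /nix ownership as the signal explicit. Separately, the `verifyBuildUsers` default in the `@ -311,7 +269,7 @@` hunk keeps a redundant outer pair of parentheses after the `useDaemon` conjunct was dropped; `(!(config.nix.settings.auto-allocate-uids or false) || config.nix.configureBuildUsers);` reads cleaner. The `let` block holding `nixDaemon` begins before the hunk.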


@ -80,7 +80,6 @@ in {
tests.activation-scripts = makeTest ./tests/activation-scripts.nix;
tests.autossh = makeTest ./tests/autossh.nix;
tests.checks-nix-gc = makeTest ./tests/checks-nix-gc.nix;
tests.environment-path = makeTest ./tests/environment-path.nix;
tests.environment-terminfo = makeTest ./tests/environment-terminfo.nix;
tests.homebrew = makeTest ./tests/homebrew.nix;


@ -1,19 +0,0 @@
{ config, pkgs, ... }:
let
nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out";
in
{
nix.gc.automatic = true;
nix.package = nix;
test = ''
echo checking nix-gc validation >&2
grep "nix.gc.user = " ${config.out}/activate-user
echo checking nix-gc service in /Library/LaunchDaemons >&2
grep "<string>org.nixos.nix-gc</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
(! grep "<key>UserName</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)
'';
}


@ -7,19 +7,13 @@ in
{
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 30d";
nix.gc.user = "nixuser";
nix.package = nix;
test = ''
echo checking nix-gc service in /Library/LaunchDaemons >&2
grep "<string>org.nixos.nix-gc</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
grep "<string>/bin/wait4path /nix/store &amp;&amp; exec ${nix}/bin/nix-collect-garbage --delete-older-than 30d</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
grep "<key>UserName</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
grep "<string>nixuser</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
(! grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)
echo checking nix-gc validation >&2
(! grep "nix.gc.user = " ${config.out}/activate-user)
'';
}
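Review bot: Dropping the `nix.gc.user` assertions leaves this test with no check that the collector service actually runs as root, which is the claim made by the new `mkRemovedOptionModule` message; the deleted checks-nix-gc.nix test carried exactly that assertion, `(! grep "<key>UserName</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)`, and re-adding it here keeps the guarantee pinned. The nix-optimise test hunk has the same gap and could take the equivalent line against org.nixos.nix-optimise.plist.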


@ -6,7 +6,6 @@ in
{
nix.optimise.automatic = true;
nix.optimise.user = "nixuser";
nix.package = nix;
test = ''
@ -15,11 +14,6 @@ in
${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
grep "<string>/bin/wait4path /nix/store &amp;&amp; exec ${nix}/bin/nix-store --optimise</string>" \
${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
grep "<key>UserName</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
grep "<string>nixuser</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
(! grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist)
echo checking nix-optimise validation >&2
(! grep "nix.optimise.user = " ${config.out}/activate-user)
'';
}