diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index 39820da..6028e6b 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -176,6 +176,10 @@ in
(mkRenamedOptionModule [ "users" "nix" "nrBuildUsers" ] [ "nix" "nrBuildUsers" ])
(mkRenamedOptionModule [ "nix" "daemonIONice" ] [ "nix" "daemonIOLowPriority" ])
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] (consider "nix.daemonProcessType"))
+ (mkRemovedOptionModule [ "nix" "useDaemon" ] ''
+ nix-darwin now only supports managing multi‐user daemon
+ installations of Nix.
+ '')
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
###### interface
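Review bot: The removal message for `nix.useDaemon` tells the user what changed but not what to do about it. Someone who had `nix.useDaemon = true;` only needs to delete the line, and someone on a single-user install is pointed to `nix.enable = false;` by the new check in modules/system/checks.nix. A closing sentence such as `Remove this option from your configuration; see nix.enable if you manage Nix yourself.` would cover both cases. The text also uses U+2010 in "multi‐user", so a search for the ASCII spelling "multi-user" will not find the message.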
@@ -220,17 +224,6 @@ in
'';
};
- # Not in NixOS module
- useDaemon = mkOption {
- type = types.bool;
- default = false;
- description = ''
- If set, Nix will use the daemon to perform operations.
- Use this instead of services.nix-daemon.enable if you don't want the
- daemon service to be managed for you.
- '';
- };
-
distributedBuilds = mkOption {
type = types.bool;
default = false;
@@ -909,7 +902,7 @@ in
if [[ -e /etc/nix/nix.custom.conf ]]; then
mv /etc/nix/nix.custom.conf{,.before-nix-darwin}
fi
- '' + optionalString cfg.useDaemon ''
+
if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then
echo "reloading nix-daemon..." >&2
launchctl kill HUP system/org.nixos.nix-daemon
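Review bot: With the `optionalString cfg.useDaemon` guard gone, `launchctl kill HUP system/org.nixos.nix-daemon` is now reached on every activation where nix.conf or the machines file differs, including configurations with `services.nix-daemon.enable = false`, where no job with that label may be loaded. Whether a failing `launchctl` aborts activation depends on shell options set outside this hunk, and the rest of the `if` block is also outside it. Gating the snippet with `'' + optionalString config.services.nix-daemon.enable ''` would keep the reload tied to the service that nix-darwin actually manages.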
@@ -926,6 +919,9 @@ in
trusted-users = [ "root" ];
substituters = mkAfter [ "https://cache.nixos.org/" ];
+ # Not in NixOS module
+ build-users-group = "nixbld";
+
# Not implemented yet
# system-features = mkDefault (
# [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++
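Review bot: The comment above `build-users-group = "nixbld";` only says the line is absent from the NixOS module, not why it is now pinned for every configuration. Since this is the group whose members the daemon uses to run builds unprivileged, a comment such as `# Builds run as members of this group; always set now that only multi-user installs are supported (NixOS leaves it to Nix's default).` would record the intent. If users are meant to be able to pick another group, the definition probably needs `mkDefault`, but that cannot be confirmed from the hunk.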
@@ -941,8 +937,6 @@ in
(mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })
- # Not in NixOS module
- (mkIf cfg.useDaemon { build-users-group = "nixbld"; })
];
};
diff --git a/modules/services/buildkite-agents.nix b/modules/services/buildkite-agents.nix
index 69bc1f6..3c04d90 100644
--- a/modules/services/buildkite-agents.nix
+++ b/modules/services/buildkite-agents.nix
@@ -227,8 +227,9 @@ in
{ path = cfg.runtimePackages ++ [ cfg.package pkgs.coreutils pkgs.darwin.DarwinTools ];
environment = {
HOME = cfg.dataDir;
+ NIX_REMOTE = "daemon";
inherit (config.environment.variables) NIX_SSL_CERT_FILE;
- } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {});
+ };
## NB: maximum care is taken so that secrets (ssh keys and the CI token)
## don't end up in the Nix store.
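Review bot: `NIX_REMOTE = "daemon";` is now exported to the agent unconditionally, and nothing at the assignment says why. That includes configurations with `nix.enable = false`, which the new message in modules/system/checks.nix offers as an escape hatch. A comment such as `# Always build through the daemon; the agent user must not touch the store directly.` would record the intent. If a setup without a reachable daemon is still meant to work, that needs an assertion or a doc note, since Nix commands run by the agent would presumably fail rather than fall back. The same applies to the identical change in modules/services/gitlab-runner.nix and to `darwin.nix.daemon = true;` in the hercules-ci-agent module.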
diff --git a/modules/services/gitlab-runner.nix b/modules/services/gitlab-runner.nix
index 94c291e..329fd72 100644
--- a/modules/services/gitlab-runner.nix
+++ b/modules/services/gitlab-runner.nix
@@ -551,8 +551,9 @@ in
launchd.daemons.gitlab-runner = {
environment = { #config.networking.proxy.envVars // {
HOME = "${config.users.users.gitlab-runner.home}";
+ NIX_REMOTE = "daemon";
NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- } // (if config.nix.useDaemon then { NIX_REMOTE = "daemon"; } else {});
+ };
path = with pkgs; [
bash
gawk
diff --git a/modules/services/hercules-ci-agent/default.nix b/modules/services/hercules-ci-agent/default.nix
index fc3d952..3912506 100644
--- a/modules/services/hercules-ci-agent/default.nix
+++ b/modules/services/hercules-ci-agent/default.nix
@@ -74,7 +74,7 @@ in
darwin.label = config.system.darwinLabel;
darwin.revision = config.system.darwinRevision;
darwin.version = config.system.darwinVersion;
- darwin.nix.daemon = config.nix.useDaemon;
+ darwin.nix.daemon = true;
darwin.nix.sandbox = config.nix.settings.sandbox;
};
};
diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix
index df3fa31..ee866a6 100644
--- a/modules/services/nix-daemon.nix
+++ b/modules/services/nix-daemon.nix
@@ -41,8 +41,6 @@ in
config = mkIf cfg.enable {
- nix.useDaemon = true;
-
launchd.daemons.nix-daemon = {
command = lib.getExe' config.nix.package "nix-daemon";
serviceConfig.ProcessType = config.nix.daemonProcessType;
diff --git a/modules/services/nix-gc/default.nix b/modules/services/nix-gc/default.nix
index 9fe8e86..44278e6 100644
--- a/modules/services/nix-gc/default.nix
+++ b/modules/services/nix-gc/default.nix
@@ -14,6 +14,7 @@ in
(mkRemovedOptionModule [ "nix" "gc" "dates" ] "Use `nix.gc.interval` instead.")
(mkRemovedOptionModule [ "nix" "gc" "randomizedDelaySec" ] "No `nix-darwin` equivalent to this NixOS option.")
(mkRemovedOptionModule [ "nix" "gc" "persistent" ] "No `nix-darwin` equivalent to this NixOS option.")
+ (mkRemovedOptionModule [ "nix" "gc" "user" ] "The garbage collection service now always runs as `root`.")
];
###### interface
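Review bot: The new message promises that the garbage collection service "now always runs as `root`", but after this commit no visible test asserts it. The deleted tests/checks-nix-gc.nix held `(! grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)`, and tests/services-nix-gc.nix only loses its `UserName` greps. Moving that negative grep into tests/services-nix-gc.nix would pin the privilege level of the job against a later regression. The same applies to tests/services-nix-optimise.nix for the `nix.optimise.user` removal.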
@@ -28,13 +29,6 @@ in
description = "Automatically run the garbage collector at a specific time.";
};
- # Not in NixOS module
- user = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "User that runs the garbage collector.";
- };
-
interval = mkOption {
type = launchdTypes.StartCalendarInterval;
default = [{ Weekday = 7; Hour = 3; Minute = 15; }];
@@ -66,10 +60,8 @@ in
launchd.daemons.nix-gc = {
command = "${config.nix.package}/bin/nix-collect-garbage ${cfg.options}";
- environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon";
serviceConfig.RunAtLoad = false;
serviceConfig.StartCalendarInterval = cfg.interval;
- serviceConfig.UserName = cfg.user;
};
};
diff --git a/modules/services/nix-optimise/default.nix b/modules/services/nix-optimise/default.nix
index c0ee0a3..4eefc48 100644
--- a/modules/services/nix-optimise/default.nix
+++ b/modules/services/nix-optimise/default.nix
@@ -20,6 +20,7 @@ in
{
imports = [
(mkRemovedOptionModule [ "nix" "optimise" "dates" ] "Use `nix.optimise.interval` instead.")
+ (mkRemovedOptionModule [ "nix" "optimise" "user" ] "The store optimisation service now always runs as `root`.")
];
###### interface
@@ -34,13 +35,6 @@ in
description = "Automatically run the nix store optimiser at a specific time.";
};
- # Not in NixOS module
- user = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "User that runs the store optimisation.";
- };
-
interval = mkOption {
type = launchdTypes.StartCalendarInterval;
default = [{ Weekday = 7; Hour = 4; Minute = 15; }];
@@ -61,12 +55,10 @@ in
config = mkIf cfg.automatic {
launchd.daemons.nix-optimise = {
- environment.NIX_REMOTE = optionalString config.nix.useDaemon "daemon";
command = "${lib.getExe' config.nix.package "nix-store"} --optimise";
serviceConfig = {
RunAtLoad = false;
StartCalendarInterval = cfg.interval;
- UserName = cfg.user;
};
};
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index cc8048d..c380038 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -130,24 +130,19 @@ let
fi
'';
- nixDaemon = if config.nix.useDaemon then ''
- if ! dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then
- printf >&2 '[1;31merror: The daemon should not be enabled for single-user installs, aborting activation[0m\n'
- printf >&2 'Disable the nix-daemon service:\n'
+ nixDaemon = ''
+ if [[ "$(stat --format='%u' /nix)" != 0 ]]; then
+ printf >&2 '[1;31merror: single‐user install detected, aborting activation[0m\n'
+ printf >&2 'nix-darwin now only supports managing multi‐user daemon installations\n'
+ printf >&2 'of Nix. You can uninstall nix-darwin and Nix and then reinstall both to\n'
+ printf >&2 'fix this.\n'
printf >&2 '\n'
- printf >&2 ' services.nix-daemon.enable = false;\n'
+ printf >&2 'If you don’t want to do that, you can disable management of the Nix\n'
+ printf >&2 'installation with:\n'
printf >&2 '\n'
- printf >&2 'and remove `nix.useDaemon` from your configuration if it is present.\n'
- printf >&2 '\n'
- exit 2
- fi
- '' else ''
- if dscl . -read /Groups/nixbld PrimaryGroupID &> /dev/null; then
- printf >&2 '[1;31merror: The daemon should be enabled for multi-user installs, aborting activation[0m\n'
- printf >&2 'Enable the nix-daemon service:\n'
- printf >&2 '\n'
- printf >&2 ' services.nix-daemon.enable = true;\n'
+ printf >&2 ' nix.enable = false;\n'
printf >&2 '\n'
+ printf >&2 'See the `nix.enable` option documentation for caveats.\n'
exit 2
fi
'';
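Review bot: In the new `nixDaemon` check, `[[ "$(stat --format='%u' /nix)" != 0 ]]` reports a single-user install whenever `stat` itself fails, because a missing `/nix` or a BSD `stat` that rejects `--format` yields an empty string, which also differs from `0`. Whether GNU coreutils is guaranteed to be first in PATH for this script is not visible in the hunk. Capturing the owner first, e.g. `nixOwner=$(stat --format='%u' /nix) || exit 2` with its own error line, then testing `"$nixOwner" != 0`, keeps the two failures apart. The check also looks only at the owner of `/nix`, while the removed `nixStore`, `nixGarbageCollector` and `nixStoreOptimiser` blocks tested `/nix/store`, which the now root-run gc and optimise jobs operate on. A comment saying that `/nix` ownership is the intended proxy would help.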
@@ -214,43 +209,6 @@ let
fi
'';
- nixStore = ''
- if test -w /nix/var/nix/db -a ! -O /nix/store; then
- echo >&2 "[1;31merror: the store is not owned by this user, but /nix/var/nix/db is writable[0m"
- echo >&2 "If you are using the daemon:"
- echo >&2
- echo >&2 " sudo chown -R root:wheel /nix/var/nix/db"
- echo >&2
- echo >&2 "Otherwise:"
- echo >&2
- echo >&2 " sudo chown -R $USER:staff /nix/store"
- echo >&2
- exit 2
- fi
- '';
-
- nixGarbageCollector = ''
- if test -O /nix/store; then
- echo "[1;31merror: A single-user install can't run gc as root, aborting activation[0m" >&2
- echo "Configure the garbage collector to run as the current user:" >&2
- echo >&2
- echo " nix.gc.user = \"$USER\";" >&2
- echo >&2
- exit 2
- fi
- '';
-
- nixStoreOptimiser = ''
- if test -O /nix/store; then
- echo "[1;31merror: A single-user install can't run optimiser as root, aborting activation[0m" >&2
- echo "Configure the optimiser to run as the current user:" >&2
- echo >&2
- echo " nix.optimise.user = \"$USER\";" >&2
- echo >&2
- exit 2
- fi
- '';
-
# TODO: Remove this a couple years down the line when we can assume
# that anyone who cares about security has upgraded.
oldSshAuthorizedKeysDirectory = ''
@@ -311,7 +269,7 @@ in
type = types.bool;
default =
config.nix.enable &&
- ((config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false))
+ ((!(config.nix.settings.auto-allocate-uids or false))
|| config.nix.configureBuildUsers);
description = "Whether to run the Nix build users validation checks.";
};
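Review bot: The double parentheses around `!(config.nix.settings.auto-allocate-uids or false)` are left over from the removed `config.nix.useDaemon &&` conjunction and make the expression harder to read. The default can be written as `config.nix.enable && (!(config.nix.settings.auto-allocate-uids or false) || config.nix.configureBuildUsers);`. The option definition starts outside this hunk.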
@@ -338,9 +296,6 @@ in
(mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
(mkIf config.nix.configureBuildUsers buildGroupID)
(mkIf config.nix.enable nixDaemon)
- nixStore
- (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
- (mkIf (config.nix.optimise.automatic && config.nix.optimise.user == null) nixStoreOptimiser)
nixInstaller
(mkIf cfg.verifyNixPath nixPath)
oldSshAuthorizedKeysDirectory
diff --git a/release.nix b/release.nix
index 52b3c2a..115025e 100644
--- a/release.nix
+++ b/release.nix
@@ -80,7 +80,6 @@ in {
tests.activation-scripts = makeTest ./tests/activation-scripts.nix;
tests.autossh = makeTest ./tests/autossh.nix;
- tests.checks-nix-gc = makeTest ./tests/checks-nix-gc.nix;
tests.environment-path = makeTest ./tests/environment-path.nix;
tests.environment-terminfo = makeTest ./tests/environment-terminfo.nix;
tests.homebrew = makeTest ./tests/homebrew.nix;
diff --git a/tests/checks-nix-gc.nix b/tests/checks-nix-gc.nix
deleted file mode 100644
index e3dccd7..0000000
--- a/tests/checks-nix-gc.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- nix = pkgs.runCommand "nix-2.2" {} "mkdir -p $out";
-in
-
-{
- nix.gc.automatic = true;
- nix.package = nix;
-
- test = ''
- echo checking nix-gc validation >&2
- grep "nix.gc.user = " ${config.out}/activate-user
-
- echo checking nix-gc service in /Library/LaunchDaemons >&2
- grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
- (! grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)
- '';
-}
diff --git a/tests/services-nix-gc.nix b/tests/services-nix-gc.nix
index 6d7cdef..9c8ba81 100644
--- a/tests/services-nix-gc.nix
+++ b/tests/services-nix-gc.nix
@@ -7,19 +7,13 @@ in
{
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 30d";
- nix.gc.user = "nixuser";
nix.package = nix;
test = ''
echo checking nix-gc service in /Library/LaunchDaemons >&2
grep "org.nixos.nix-gc" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-collect-garbage --delete-older-than 30d" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
- grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
- grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist
(! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-gc.plist)
-
- echo checking nix-gc validation >&2
- (! grep "nix.gc.user = " ${config.out}/activate-user)
'';
}
diff --git a/tests/services-nix-optimise.nix b/tests/services-nix-optimise.nix
index 4108eb0..acdc1dc 100644
--- a/tests/services-nix-optimise.nix
+++ b/tests/services-nix-optimise.nix
@@ -6,7 +6,6 @@ in
{
nix.optimise.automatic = true;
- nix.optimise.user = "nixuser";
nix.package = nix;
test = ''
@@ -15,11 +14,6 @@ in
${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
grep "/bin/wait4path /nix/store && exec ${nix}/bin/nix-store --optimise" \
${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
- grep "UserName" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
- grep "nixuser" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist
(! grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-optimise.plist)
-
- echo checking nix-optimise validation >&2
- (! grep "nix.optimise.user = " ${config.out}/activate-user)
'';
}