From bda49fe089795d8d387419cd2ad877b345f3f840 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 10 Sep 2024 16:17:57 +0100 Subject: [PATCH 1/6] ci: update stable Nixpkgs to 24.05 --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a494fd651..fee1ca197 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,7 +4,7 @@ on: push: env: - CURRENT_STABLE_CHANNEL: nixpkgs-23.11-darwin + CURRENT_STABLE_CHANNEL: nixpkgs-24.05-darwin jobs: test-stable: From f29c6fc015f3cf2b7fb8b6fc98e2471a2acc53d6 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 10 Sep 2024 21:14:05 +0100 Subject: [PATCH 2/6] ci: use Nix 2.24.6 for unstable jobs Includes the Sequoia installer fixes. --- .github/workflows/test.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fee1ca197..38afeb685 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,7 +26,9 @@ jobs: steps: - uses: actions/checkout@v3 - name: Install nix from current unstable channel - uses: cachix/install-nix-action@v23 + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.24.6/install - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A tests - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A manpages - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A examples.simple @@ -82,8 +84,9 @@ jobs: steps: - uses: actions/checkout@v3 - name: Install nix from current unstable channel - uses: cachix/install-nix-action@v23 + uses: cachix/install-nix-action@v27 with: + install_url: https://releases.nixos.org/nix/nix-2.24.6/install nix_path: nixpkgs=channel:nixpkgs-unstable - name: Install nixpkgs-unstable channel run: | 
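Review bot: `uses: cachix/install-nix-action@v27` in this hunk pins the action to a mutable tag, so the code that installs Nix and then runs with the job's token can change without any edit to this workflow; pin it to the full commit SHA of the v27 release (`uses: cachix/install-nix-action@<sha> # v27`) and let a dependency bot move it. The same applies to the `actions/checkout@v3` context line and to the two later hunks of this patch that make the identical change. The `install_url` already pins an exact Nix release, which is the right direction; if the action offers a way to verify the installer's checksum, set it too (I cannot tell from the hunk whether v27 does). The job definition starts before and ends after this hunk.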
@@ -209,7 +212,9 @@ jobs: steps: - uses: actions/checkout@v3 - name: Install nix from current unstable channel - uses: cachix/install-nix-action@v23 + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.24.6/install - name: Install nix-darwin run: | mkdir -p ~/.config/nix-darwin From 98189683a4674d26fab2b5a7134bcfb5aa05cdf1 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 10 Sep 2024 20:40:43 +0100 Subject: [PATCH 3/6] ci: use Determinate Systems installer for stable Nix --- .github/workflows/test.yml | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 38afeb685..6583817f4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,10 +12,13 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@v3 + # We use the Determinate Systems installer for 2.18 because the + # Sequoia UID/GID changes have not yet been backported to the + # official installer for that version. - name: Install nix corresponding to latest stable channel - uses: cachix/install-nix-action@v23 + uses: DeterminateSystems/nix-installer-action@main with: - install_url: https://releases.nixos.org/nix/nix-2.13.6/install + nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A tests - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A manpages - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A examples.simple 
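Review bot: `uses: DeterminateSystems/nix-installer-action@main` in the `-12` hunk tracks a branch, so every push to that repository's default branch changes what runs on the stable CI jobs with no review here, and the new comment explains why the Determinate installer is used but not why a floating ref is acceptable. Pin it to a release tag, preferably a full commit SHA (`uses: DeterminateSystems/nix-installer-action@<sha> # vX.Y`), as the hunk already does for the Nix tarball. `nix-package-url` also hard-codes the `x86_64-darwin` tarball, which is only correct if the job's `runs-on` runner (outside the hunk) is Intel; a comment stating that assumption next to the URL would help. The job definition starts before and ends after this hunk.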
@@ -38,18 +41,20 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@v3 + # We use the Determinate Systems installer for 2.18 because the + # Sequoia UID/GID changes have not yet been backported to the + # official installer for that version. - name: Install nix corresponding to latest stable channel - uses: cachix/install-nix-action@v23 + uses: DeterminateSystems/nix-installer-action@main with: - install_url: https://releases.nixos.org/nix/nix-2.13.6/install - nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} + nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz - name: Install ${{ env.CURRENT_STABLE_CHANNEL }} channel run: | nix-channel --add https://nixos.org/channels/${{ env.CURRENT_STABLE_CHANNEL }} nixpkgs nix-channel --update - name: Install nix-darwin and test run: | - export NIX_PATH=$HOME/.nix-defexpr/channels + export NIX_PATH=nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} # We run nix-darwin twice to test that it can create darwin-configuration correctly for us # but we expect it to fail setting up /etc/nix/nix.conf @@ -128,10 +133,13 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@v3 - - name: Install nix version corresponding to latest stable channel - uses: cachix/install-nix-action@v23 + # We use the Determinate Systems installer for 2.18 because the + # Sequoia UID/GID changes have not yet been backported to the + # official installer for that version. + - name: Install nix corresponding to latest stable channel + uses: DeterminateSystems/nix-installer-action@main with: - install_url: https://releases.nixos.org/nix/nix-2.13.6/install + nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz - name: Install nix-darwin run: | mkdir -p ~/.config/nix-darwin From 2af5f0fb9e554ea3c85e57d35a5f2ed5a10b8867 Mon Sep 17 00:00:00 2001 
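Review bot: With `export NIX_PATH=nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}` the test no longer reads `$HOME/.nix-defexpr/channels`, so the preceding `nix-channel --add … / nix-channel --update` step appears to do nothing for this job unless the nix-darwin installer itself consults the channel, which I cannot see from here. Either drop that step or add a comment saying what still depends on it, e.g. `# The channel is still needed by the nix-darwin installer; NIX_PATH below is only for nix-build`. The `@main` ref on `DeterminateSystems/nix-installer-action` is repeated in this hunk and in the `-128` hunk and should be pinned to a tag or SHA. The job definition starts before and ends after this hunk.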
From: Emily Date: Tue, 10 Sep 2024 21:32:06 +0100 Subject: [PATCH 4/6] checks: factor out `nix.useDaemon` check --- modules/system/checks.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 6afce81d4..1cfe1c8da 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix @@ -242,7 +242,9 @@ in system.checks.verifyBuildUsers = mkOption { type = types.bool; - default = !(config.nix.settings.auto-allocate-uids or false); + default = + (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) + || config.nix.configureBuildUsers; description = "Whether to run the Nix build users validation checks."; }; @@ -259,7 +261,7 @@ in darwinChanges runLink oldBuildUsers - (mkIf (config.nix.useDaemon && cfg.verifyBuildUsers) buildUsers) + (mkIf cfg.verifyBuildUsers buildUsers) (mkIf (!config.nix.useDaemon) singleUser) nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) From 9c60c95008e2862c45d01d3d453508f644adeff6 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 10 Sep 2024 21:32:06 +0100 Subject: [PATCH 5/6] checks: make `oldBuildUsers` check fail hard MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Checking for the Sequoia stuff won’t work properly if a system is still in this old state. Best to be loud about it to deal with any straggler systems that haven’t yet dealt with this issue. --- modules/system/checks.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/system/checks.nix b/modules/system/checks.nix index 1cfe1c8da..f2971c479 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
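Review bot: The new computed `default` for `system.checks.verifyBuildUsers` in the `-242` hunk has no `defaultText`, so the rendered option documentation will show whatever the expression evaluates to for the documentation build rather than the rule itself; add `defaultText = lib.literalExpression "(config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false)) || config.nix.configureBuildUsers";` beside it, using whichever form of `lib` the file already has in scope. The `description` could also state the rule in one sentence, e.g. "Enabled by default when the daemon uses fixed-UID build users or when nix-darwin manages the build users itself." The `mkOption` is complete within the hunk, but the enclosing `options` set starts and ends outside it.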
@@ -46,12 +46,17 @@ let oldBuildUsers = '' if dscl . -list /Users | grep -q '^nixbld'; then - echo "warning: Detected old style nixbld users" >&2 + echo "error: Detected old style nixbld users, aborting activation" >&2 echo "These can cause migration problems when upgrading to certain macOS versions" >&2 echo "You can enable the following option to migrate to new style nixbld users" >&2 echo >&2 echo " nix.configureBuildUsers = true;" >&2 echo >&2 + echo "or disable this check with" >&2 + echo >&2 + echo " system.checks.verifyBuildUsers = false;" >&2 + echo >&2 + exit 2 fi ''; @@ -260,7 +265,7 @@ in system.checks.text = mkMerge [ darwinChanges runLink - oldBuildUsers + (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) (mkIf (!config.nix.useDaemon) singleUser) nixStore From 88b97aa49c451070d2978b291a6280f2e1c5c2b6 Mon Sep 17 00:00:00 2001 From: Emily Date: Tue, 10 Sep 2024 16:17:57 +0100 Subject: [PATCH 6/6] {ids,checks}: update for new builder UID/GID values --- CHANGELOG | 14 ++++++++ modules/examples/flake/flake.nix | 2 +- modules/examples/ofborg.nix | 2 +- modules/examples/simple.nix | 2 +- modules/misc/ids.nix | 7 ++-- modules/system/checks.nix | 62 ++++++++++++++++++++++++++++++++ modules/system/version.nix | 2 +- 7 files changed, 83 insertions(+), 8 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 6523ef16d..b9a9adcc4 100644 --- a/CHANGELOG +++ b/CHANGELOG 
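Review bot: Now that this check aborts activation, the gate added in the `-260` hunk — `mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers` — deserves a comment explaining why old-style `nixbld*` users are tolerated when `nix.configureBuildUsers` is set, e.g. `# Skipped when nix-darwin manages the build users: activation is expected to migrate old-style nixbld* accounts itself.` (I infer the migration from the error text, not from code visible here). `grep -q '^nixbld'` also matches any account merely prefixed `nixbld`; `grep -q '^nixbld[0-9]\+$'` would match only the numbered legacy users the message talks about. `oldBuildUsers` is complete within the hunk; the `let` block continues outside it.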
@@ -1,3 +1,17 @@ +2024-09-10 +- The default Nix build user group ID is now set to 350 when + `system.stateVersion` ≥ 5, to reflect the default for new Nix + installations. This only affects installations that enable + `nix.configureBuildUsers`, and any divergence will be detected on + system activation. To use `nix.configureBuildUsers` with a higher + `system.stateVersion` on installations using the old group ID, set: + + ids.gids.nixbld = 30000; + + We do not recommend trying to change the group ID with macOS user + management tools without a complete uninstallation and reinstallation + of Nix. + 2024-06-15 - SECURITY NOTICE: The previous implementation of the `users.users..openssh.authorizedKeys.*` options would not delete diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix index 865056295..94c600edc 100644 --- a/modules/examples/flake/flake.nix +++ b/modules/examples/flake/flake.nix @@ -32,7 +32,7 @@ # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 4; + system.stateVersion = 5; # The platform the configuration will be used on. nixpkgs.hostPlatform = "x86_64-darwin"; diff --git a/modules/examples/ofborg.nix b/modules/examples/ofborg.nix index 1054c57cd..6cef6e793 100644 --- a/modules/examples/ofborg.nix +++ b/modules/examples/ofborg.nix @@ -25,5 +25,5 @@ with lib; # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 4; + system.stateVersion = 5; } diff --git a/modules/examples/simple.nix b/modules/examples/simple.nix index d146fde51..1133da82e 100644 --- a/modules/examples/simple.nix +++ b/modules/examples/simple.nix @@ -21,5 +21,5 @@ # Used for backwards compatibility, please read the changelog before changing. # $ darwin-rebuild changelog - system.stateVersion = 4; + system.stateVersion = 5; } 
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 07f1240b0..c0f3a197f 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -8,7 +8,7 @@ # to change uids/gids on service start, in example a service with a lot of # files. -{ lib, ... }: +{ lib, config, ... }: let inherit (lib) types; @@ -34,15 +34,14 @@ in }; - config = { ids.uids = { - nixbld = 300; + nixbld = lib.mkDefault 350; }; ids.gids = { - nixbld = 30000; + nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350); }; }; diff --git a/modules/system/checks.nix b/modules/system/checks.nix index f2971c479..5ef9e5200 100644 --- a/modules/system/checks.nix +++ b/modules/system/checks.nix 
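Review bot: The new `nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350)` in the `-34` hunk encodes a policy change with no comment at the site, so a reader of ids.nix alone cannot tell why 350 or why stateVersion 5 is the cut-over. Add `# Nix now installs build users with UID/GID 350 for macOS Sequoia compatibility; installations that predate stateVersion 5 keep the old 30000 group (see CHANGELOG 2024-09-10).` above the `ids.gids` entry, and a matching one-liner on `ids.uids.nixbld = lib.mkDefault 350`. Making the GID depend on `config.system.stateVersion` also turns a module that was plain data into one with a `config` dependency, which is worth a sentence in the header comment at the top of the file, outside this hunk. The `config = { … }` set appears complete within the hunk.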
@@ -57,7 +57,41 @@ let echo " system.checks.verifyBuildUsers = false;" >&2 echo >&2 exit 2 + fi + ''; + + preSequoiaBuildUsers = '' + ${lib.optionalString config.nix.configureBuildUsers '' + # Don’t complain when we’re about to migrate old‐style build users… + if ! dscl . -list /Users | grep -q '^nixbld'; then + ''} + firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}') + if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then + printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n' + printf >&2 'The default Nix build user ID range has been adjusted for\n' + printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n' + printf >&2 'UID %d rather than the new default of 351.\n' "$firstBuildUserID" + printf >&2 '\n' + printf >&2 'You can automatically migrate your users using the following script\n' + printf >&2 'from the Nix repository:\n' + printf >&2 '\n' + printf >&2 ' https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh\n' + printf >&2 '\n' + printf >&2 'This should work even if you installed Nix with the Determinate\n' + printf >&2 'Systems installer or are using Lix. If you are comfortable using the\n' + printf >&2 'script without review, you can run:\n' + printf >&2 '\n' + printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n" + printf >&2 '\n' + printf >&2 'If you have no intention of upgrading to macOS Sequoia 15, or already\n' + printf >&2 'have a custom UID range that you know is compatible with Sequoia, you\n' + printf >&2 'can disable this check by setting:\n' + printf >&2 '\n' + printf >&2 ' ids.uids.nixbld = %d;\n' "$((firstBuildUserID - 1))" + printf >&2 '\n' + exit 2 fi + ${lib.optionalString config.nix.configureBuildUsers "fi"} ''; buildUsers = '' 
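Review bot: `firstBuildUserID` is empty when `/Users/_nixbld1` does not exist (dscl fails, awk prints nothing), and the comparison then takes the error path: `%d` receives an empty string and the advice line prints `ids.uids.nixbld = -1;`, which is wrong guidance for what is really a missing-user condition. Test for an empty value before comparing, and interpolate the configured value into the banner, which currently hard-codes `new default of 351` while the comparison uses `config.ids.uids.nixbld + 1`. The suggested one-liner also pipes an unpinned `master` script into `bash` with admin rights; pointing at a tagged release of the migration script would make the recommended command reproducible and reviewable. `preSequoiaBuildUsers` is complete in the hunk; the enclosing `let` continues outside it.
```nix
      firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}')
      # An absent _nixbld1 is not a Sequoia UID mismatch; don't report it here.
      if [[ -n $firstBuildUserID && $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
        printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
        # … unchanged: explanatory lines …
        printf >&2 'UID %d rather than the expected %d.\n' "$firstBuildUserID" ${toString (config.ids.uids.nixbld + 1)}
        # … unchanged: migration instructions, exit 2 …
      fi
```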
@@ -75,6 +109,32 @@ let fi ''; + buildGroupID = '' + buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}') + expectedBuildGroupID=${toString config.ids.gids.nixbld} + if [[ $buildGroupID != $expectedBuildGroupID ]]; then + printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n' + printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n' + printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n' + printf >&2 'nixbld group has GID %d, whereas we expected %d.\n' \ + "$buildGroupID" "$expectedBuildGroupID" + printf >&2 '\n' + printf >&2 'Possible causes include setting up a new Nix installation with an\n' + printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n' + printf >&2 'installation with an existing Nix installation, or manually increasing\n' + printf >&2 'your `system.stateVersion` setting.\n' + printf >&2 '\n' + printf >&2 'You can set the configured group ID to match the actual value:\n' + printf >&2 '\n' + printf >&2 ' ids.gids.nixbld = %d;\n' "$buildGroupID" + printf >&2 '\n' + printf >&2 'We do not recommend trying to change the group ID with macOS user\n' + printf >&2 'management tools without a complete uninstallation and reinstallation\n' + printf >&2 'of Nix.\n' + exit 2 + fi + ''; + singleUser = '' if grep -q 'build-users-group =' /etc/nix/nix.conf; then echo "error: The daemon is not enabled but this is a multi-user install, aborting activation" >&2 @@ -267,6 +327,8 @@ in runLink (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers) (mkIf cfg.verifyBuildUsers buildUsers) + (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers) + (mkIf config.nix.configureBuildUsers buildGroupID) (mkIf (!config.nix.useDaemon) singleUser) nixStore (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector) 
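Review bot: `buildGroupID` is empty when the `nixbld` group does not exist (dscl errors, awk prints nothing), so the mismatch branch fires and `printf %d` renders the empty value as 0, producing the advice `ids.gids.nixbld = 0;` — GID 0 is `wheel` on macOS, a dangerous group to hand to the build users if anyone follows the text literally. Guard the empty case before the comparison, `if [[ -z $buildGroupID ]]; then printf >&2 'error: nixbld group not found, aborting activation\n'; exit 2; fi`, or skip the check when `nix.configureBuildUsers` is about to create the group if that is the intended first-activation flow (not visible here). The banner's `changed from 30000 to 350` is likewise fixed text while the comparison uses `config.ids.gids.nixbld`. `buildGroupID` is complete in the hunk; the `let` block continues outside it.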
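Review bot: `(mkIf config.nix.configureBuildUsers buildGroupID)` in the `-267` hunk is the only build-user check in this list not gated on `cfg.verifyBuildUsers`, so `system.checks.verifyBuildUsers = false` — which the `oldBuildUsers` message in this series presents as the way to disable these checks — still aborts activation on a GID mismatch. If that is deliberate, say so in a comment, e.g. `# Not gated on verifyBuildUsers: creating users under the wrong GID would corrupt the install`; otherwise gate it as `mkIf (cfg.verifyBuildUsers && config.nix.configureBuildUsers)`. The `system.checks.text = mkMerge [` list starts before the hunk and continues after it.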
diff --git a/modules/system/version.nix b/modules/system/version.nix index fa6ce6e1e..df8b7a0c0 100644 --- a/modules/system/version.nix +++ b/modules/system/version.nix @@ -35,7 +35,7 @@ in options = { system.stateVersion = mkOption { type = types.int; - default = 4; + default = 5; description = '' Every once in a while, a new NixOS release may change configuration defaults in a way incompatible with stateful