Nix in Darwin

[aciceri]

This adds an optionally executed (idempotent) script at the VM boot that installs Nix using the Determinate Systems' Nix installer and builds and activates a given nix-darwin config (it's also possible installing only Nix without the nix-darwin configuration).

It also adds the needed options in the module. I've been testing it on my NixOS machine with these options:

{flake, ...}: {
  services.macos-ventura = {
    enable = true;
    cores = 8;
    threads = 8;
    mem = "8G";
    vncListenAddr = "0.0.0.0";
    extraQemuFlags = [ "-nographic" ];
    sshPort = 2021;
    installNix = true;
    stateless = true;
    darwinConfig = flake.darwinConfigurations.foo;
  };
}

This is just a draft, I was considering the following improvements:

• apparently it's possible to perform offline installation using the Determinate Systems' installer. It would be nice moving the installation to build time, possibly adding another derivation layer in order to preserve caching.
• at the moment the nix-darwin configuration is evaluated externally and its drv closure is copied to the VM. At that point the build happens inside darwin (otherwise we would need a darwin builder externally) and it may require internet. It should be possible copying both the drv closures and the fixed output realisations from that closure, this way it should be possible building (and activating) the darwin config at build time (build time for the host!). Anyway this would require fetching much more paths than directly building the config on darwin.
• would it make sense adding a NixOS test? I'm not very familiar with those, probably if we implement the first improvement here we can test that nix is installed but how can we test if we can activate a nix-darwin configuration? We would need to copy the realisations closure for a darwin config i.e. we would need a darwin builder to run the tests.

[aciceri]

Feel free to drop this, it's here just for my convenience. Without it I cannot fetch the image, don't know why but it's not related to the PR's goal.

[MatthewCroughan]

would it make sense adding a NixOS test? I'm not very familiar with those, probably if we implement the first improvement here we can test that nix is installed but how can we test if we can activate a nix-darwin configuration? We would need to copy the realisations closure for a darwin config i.e. we would need a darwin builder to run the tests.

@roberth talked about a potential "builder-from-derivation", for Nix which would allow specifying a builder as part of a derivation. I don't see many other solutions to this problem today otherwise.

[roberth]

A NixOS test could work, if nested KVM virtualisation is supported and enabled on the host.
You could build the nix-darwin toplevel in the VM by passing .drvPath; something like

-${toplevel}/bin/switch-to-configuration
+$(nix-store -r ${toplevel.drvPath})/bin/switch-to-configuration

(so to speak)

hercules-ci-effects has a flag for that sort of thing. It works well, and you could do something similar here. https://docs.hercules-ci.com/hercules-ci-effects/reference/nix-functions/runnixdarwin#param-buildOnDestination

builder-from-derivation

Not sure if that was a good idea tbh.