From 1668c398f80d488b68348454ae62a9d2c36c5749 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett"
Date: Fri, 23 Oct 2020 12:10:49 -0500
Subject: [PATCH] use login keychain for single-user install
---
 scripts/create-darwin-volume.sh | 13 +++++++++----
 scripts/install-nix-from-closure.sh | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
index 47e816786f3..0f2927c8285 100755
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -187,10 +187,15 @@ main() {
 # and be prompted for a pw to add; two step workaround:
 # 1. add a blank pw to a keychain
 # - system if daemon
-sudo /usr/bin/security add-generic-password -a "Nix Volume" -s "Nix Volume" -D "Nix Volume password" "/Library/Keychains/System.keychain"
-# - login if single-user
-# TODO: pass something in to discriminate this case?
-# sudo /usr/bin/security add-generic-password -a "Nix Volume" -s "Nix Volume" -D "Nix Volume password"
+if [ "$INSTALL_MODE" = "daemon" ]; then # exported by caller
+ # system is technically less secure than user... in theory we
+ # could install the password in each user keychain, but we'd
+ # need some ergonomic way to add users after install...
+ sudo /usr/bin/security add-generic-password -a "Nix Volume" -s "Nix Volume" -D "Nix Volume password" "/Library/Keychains/System.keychain"
+ # - login (default) if single-user
+else
+ sudo /usr/bin/security add-generic-password -a "Nix Volume" -s "Nix Volume" -D "Nix Volume password"
+fi
 # 2. add a password with the -U (update) flag and -w (prompt if last)
 # flags, but specify no keychain; security will use the first it finds
 prepare_darwin_volume_password | sudo diskutil apfs addVolume "$disk" APFS 'Nix Volume' -mountpoint /nix -stdinpassphrase
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
index 922d248f8f0..6b869d3bf0e 100644
--- a/scripts/install-nix-from-closure.sh
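Review bot: The single-user branch still runs `security add-generic-password` under `sudo` without naming a keychain, so the blank item lands in whatever default keychain `security` resolves for the sudo session, which may be root's rather than the invoking user's login keychain the commit title promises; if the login keychain is the intent, drop `sudo` on that line or pass the keychain path explicitly, and confirm the later `-U` update step (context comment: "security will use the first it finds") resolves to the same keychain. The test `[ "$INSTALL_MODE" = "daemon" ]` also treats an unset variable as single-user, so running this script on its own silently picks the login keychain; consider `: "${INSTALL_MODE:?must be exported by install-nix-from-closure.sh}"` before the `if`, which pairs with the `export` added in the install-nix-from-closure.sh hunk. The `# - login (default) if single-user` comment sits inside the daemon branch and belongs after `else`. The enclosing `main()` starts and ends outside the hunk.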
+++ b/scripts/install-nix-from-closure.sh
@@ -43,7 +43,7 @@ elif [ "$(uname -s)" = "Linux" ]; then echo "Note: a multi-user installation is possible. See https://nixos.org/nix/manual/#sect-multi-user-installation" >&2 fi -INSTALL_MODE=no-daemon +export INSTALL_MODE=no-daemon CREATE_DARWIN_VOLUME=${CREATE_DARWIN_VOLUME:-1} # now default # handle the command line flags while [ $# -gt 0 ]; do