diff --git a/README.md b/README.md index 0e40e11..be85b09 100644 --- a/README.md +++ b/README.md @@ -13,15 +13,14 @@ You can get started with Determinate in one of two ways: | Situation | How to install | | :----------------------------------- | :--------------------------------------------------------------------------- | | **Linux** but not using [NixOS] | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) | -| **macOS** but not using [nix-darwin] | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) | +| **macOS** | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) | | **Linux** and using [NixOS] | The [NixOS module](#nixos) provided by this flake | -| **macOS** and using [nix-darwin] | The [nix-darwin module](#nix-darwin) provided by this flake | ## Installing using the Determinate Nix Installer If you use... -- **macOS** (not [nix-darwin]) or +- **macOS** (including [nix-darwin]) or - **Linux** (not [NixOS]) ...you can install Determinate using the [Determinate Nix Installer][installer] with the `--determinate` flag: @@ -33,7 +32,7 @@ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix ## Installing using our Nix flake -If you use [nix-darwin] or [NixOS] you can install Determinate using this [Nix flake][flakes]. +If you use [NixOS] you can install Determinate using this [Nix flake][flakes]. To add the `determinate` flake as a [flake input][flake-inputs]: ```nix 
@@ -44,9 +43,7 @@ To add the `determinate` flake as a [flake input][flake-inputs]: > We recommend not using a [`follows`][follows] directive for [Nixpkgs] (`inputs.nixpkgs.follows = "nixpkgs"`) in conjunction with the Determinate flake, as it leads to cache misses for artifacts otherwise available from [FlakeHub Cache][cache]. -### NixOS - -If you're a [NixOS] user, you can quickly set up Determinate using the `nixosModules.default` module output from this flake. +You can quickly set up Determinate using the `nixosModules.default` module output from this flake. Here's an example NixOS configuration: ```nix @@ -66,28 +63,6 @@ Here's an example NixOS configuration: } ``` -### nix-darwin - -If you're a [nix-darwin] user on macOS, you can quickly set up Determinate using the `darwinModules.default` module output from this flake. -Here's an example nix-darwin configuration: - -```nix -{ - inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/0.1"; - inputs.nix-darwin.url = "github:LnL7/nix-darwin"; - - outputs = { determinate, nix-darwin, ... }: { - darwinConfigurations.my-workstation-aarch64-darwin = nix-darwin.lib.darwinSystem { - system = "aarch64-darwin"; - modules = [ - # Load the Determinate module - determinate.darwinModules.default - ]; - }; - }; -} -``` - [actions]: https://github.com/features/actions [cache]: https://determinate.systems/posts/flakehub-cache-beta [det-nix]: https://determinate.systems/nix diff --git a/flake.nix b/flake.nix index 6379c1b..4d874aa 100644 --- a/flake.nix +++ b/flake.nix @@ -62,7 +62,8 @@ }; }); - darwinModules.default = import ./modules/nix-darwin.nix inputs; + # Stub for migration. + darwinModules.default = ./modules/nix-darwin.nix; nixosModules.default = import ./modules/nixos.nix inputs; }; diff --git a/modules/nix-darwin.nix b/modules/nix-darwin.nix index 8ed83fb..6470aa0 100644 --- a/modules/nix-darwin.nix +++ b/modules/nix-darwin.nix 
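Review bot: The `# Stub for migration.` comment on `darwinModules.default` in flake.nix does not say what the stub does or when it can be removed. The output is now a bare path to `./modules/nix-darwin.nix` instead of `import ./modules/nix-darwin.nix inputs`, and that module no longer installs anything; it sets `nix.enable = false` and walks the user through migration. I would write that out, e.g. `# Migration stub: no longer installs Determinate; sets nix.enable = false and prints migration instructions. Remove once users have migrated.` The surrounding outputs attribute set starts and ends outside this hunk.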
@@ -1,97 +1,89 @@ -inputs: -{ lib, config, pkgs, ... }: +{ lib, options, ... }: let - inherit (import ./shared.nix inputs) - commonNixSettingsModule - restrictedNixSettingsModule - mkPreferable - ; -in -{ - imports = [ - commonNixSettingsModule - restrictedNixSettingsModule - ]; - - config = { - # Make Nix use the Nix daemon - nix.useDaemon = true; - - # Make sure that the user can't enable the nix-daemon in their own nix-darwin config - services.nix-daemon.enable = lib.mkForce false; - - system.activationScripts.nix-daemon = lib.mkForce { enable = false; text = ""; }; - system.activationScripts.launchd.text = lib.mkBefore '' - if test -e /Library/LaunchDaemons/org.nixos.nix-daemon.plist; then - echo "Unloading org.nixos.nix-daemon" - launchctl bootout system /Library/LaunchDaemons/org.nixos.nix-daemon.plist || true - mv /Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/.before-determinate-nixd.org.nixos.nix-daemon.plist.skip - fi + postMigrationInstructions = '' + You have successfully migrated your Determinate installation. + Please remove `determinate.darwinModules.default` from your + nix-darwin configuration, and ensure that you have nix-darwin’s own + Nix installation management disabled by setting: - if test -e /Library/LaunchDaemons/org.nixos.darwin-store.plist; then - echo "Unloading org.nixos.darwin-store" - launchctl bootout system /Library/LaunchDaemons/org.nixos.darwin-store.plist || true - mv /Library/LaunchDaemons/org.nixos.darwin-store.plist /Library/LaunchDaemons/.before-determinate-nixd.org.nixos.darwin-store.plist.skip - fi + nix.enable = false; - install -d -m 755 -o root -g wheel /usr/local/bin - cp ${inputs.self.packages.${pkgs.stdenv.system}.default}/bin/determinate-nixd /usr/local/bin/.determinate-nixd.next - chmod +x /usr/local/bin/.determinate-nixd.next - mv /usr/local/bin/.determinate-nixd.next /usr/local/bin/determinate-nixd - ''; + Then run `darwin-rebuild switch` again. 
+ ''; +in +{ + config = + # Check if nix-darwin is new enough for the `nix.enable` option. + if options.nix.enable.visible or true then + { + nix.enable = false; - launchd.daemons.determinate-nixd-store.serviceConfig = { - Label = "systems.determinate.nix-store"; - RunAtLoad = true; + system.activationScripts.checks.text = lib.mkBefore '' + if [[ ! -e /usr/local/bin/determinate-nixd ]]; then + printf >&2 '\e[1;31merror: Determinate not installed, aborting activation\e[0m\n' + printf >&2 'The Determinate nix-darwin module is no longer necessary. To install\n' + printf >&2 'Determinate, remove `determinate.darwinModules.default` from your\n' + printf >&2 'configuration and follow the installation installations at\n' + printf >&2 '.\n' + exit 2 + fi - StandardErrorPath = lib.mkForce "/var/log/determinate-nix-init.log"; - StandardOutPath = lib.mkForce "/var/log/determinate-nix-init.log"; + # Hack: Detect the version of the `.plist` set up by the old + # version of the module. + if grep -- '--nix-bin' /Library/LaunchDaemons/systems.determinate.nix-daemon.plist >/dev/null; then + printf >&2 '\e[1;31merror: Determinate needs migration, aborting activation\e[0m\n' + printf >&2 'Determinate now manages the Nix installation independently of the\n' + printf >&2 'nix-darwin module.\n' + printf >&2 '\n' + printf >&2 'Please download and run the macOS installer from\n' + printf >&2 ' and then\n' + printf >&2 'run `darwin-rebuild switch` again to migrate your installation.\n' + exit 2 + fi - ProgramArguments = lib.mkForce [ - "/usr/local/bin/determinate-nixd" - "--nix-bin" - "${config.nix.package}/bin" - "init" - ]; - }; + if [[ ! 
-e /run/current-system/Library/LaunchDaemons/systems.determinate.nix-daemon.plist ]]; then + printf >&2 '\e[1;31merror: deprecated Determinate module present, aborting activation\e[0m\n' + printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions} + exit 2 + fi + ''; - launchd.daemons.determinate-nixd.serviceConfig = { - Label = "systems.determinate.nix-daemon"; + system.activationScripts.extraActivation.text = lib.mkBefore '' + # Hack: Make sure nix-darwin doesn’t clobber the Determinate + # launchd daemons after they become unmanaged. - StandardErrorPath = lib.mkForce "/var/log/determinate-nix-daemon.log"; - StandardOutPath = lib.mkForce "/var/log/determinate-nix-daemon.log"; + determinateDaemonsStash=$(mktemp -d --suffix=determinate-daemons) + cp -a /Library/LaunchDaemons/systems.determinate.{nix-daemon,nix-store}.plist "$determinateDaemonsStash" - ProgramArguments = lib.mkForce [ - "/usr/local/bin/determinate-nixd" - "--nix-bin" - "${config.nix.package}/bin" - "daemon" - ]; + # shellcheck disable=SC2317 + restoreDeterminateDaemons() { + printf >&2 'restoring Determinate daemons...\n' + mv "$determinateDaemonsStash"/*.plist /Library/LaunchDaemons + rmdir "$determinateDaemonsStash" + launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-daemon.plist + launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-store.plist + printf >&2 '\n' + printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions} + } - Sockets = { - "determinate-nixd.socket" = { - # We'd set `SockFamily = "Unix";`, but nix-darwin automatically sets it with SockPathName - SockPassive = true; - SockPathName = "/var/run/determinate-nixd.socket"; - }; + trap restoreDeterminateDaemons EXIT + ''; + } + else + { + assertions = [ + { + assertion = false; + message = '' + Determinate now manages the Nix installation independently of + the nix-darwin module. 
- "nix-daemon.socket" = { - # We'd set `SockFamily = "Unix";`, but nix-darwin automatically sets it with SockPathName - SockPassive = true; - SockPathName = "/var/run/nix-daemon.socket"; - }; - }; - - SoftResourceLimits = { - NumberOfFiles = mkPreferable 1048576; - NumberOfProcesses = mkPreferable 1048576; - Stack = mkPreferable 67108864; - }; - HardResourceLimits = { - NumberOfFiles = mkPreferable 1048576; - NumberOfProcesses = mkPreferable 1048576; - Stack = mkPreferable 67108864; + Please download and run the macOS installer from + , + update nix-darwin, and then run `darwin-rebuild switch` + again to migrate your installation. + ''; + } + ]; }; - }; - }; } diff --git a/modules/nixos.nix b/modules/nixos.nix index 657945d..0a586bf 100644 --- a/modules/nixos.nix +++ b/modules/nixos.nix 
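Review bot: `restoreDeterminateDaemons` is installed with `trap restoreDeterminateDaemons EXIT` in `extraActivation`, so it runs on every exit of the activation script, including a failed one, and still prints `postMigrationInstructions`, which opens with "You have successfully migrated your Determinate installation." Capturing the status as the first statement of the function (`local status=$?`) and printing the instructions only when `status` is 0 would keep the plist restore unconditional without reporting success after a failure. The trap also replaces any EXIT trap set earlier in the script, which cannot be checked from this hunk. Separately, the first `checks` message reads `follow the installation installations at`; presumably `installation instructions` was meant.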
@@ -1,12 +1,64 @@ inputs: { lib, pkgs, config, ... }: let - inherit (import ./shared.nix inputs) - commonNixSettingsModule - restrictedNixSettingsModule - mkPreferable - mkMorePreferable - ; + # Stronger than mkDefault (1000), weaker than mkForce (50) and the "default override priority" + # (100). + mkPreferable = lib.mkOverride 750; + + # Stronger than the "default override priority", as the upstream module uses that, and weaker than mkForce (50). + mkMorePreferable = lib.mkOverride 75; + + # The settings configured in this module must be generally settable by users both trusted and + # untrusted by the Nix daemon. Settings that require being a trusted user belong in the + # `restrictedSettingsModule` below. + commonNixSettingsModule = { config, pkgs, lib, ... }: { + nix.package = inputs.nix.packages."${pkgs.stdenv.system}".default; + + nix.registry.nixpkgs = { + exact = true; + + from = { + type = "indirect"; + id = "nixpkgs"; + }; + + # NOTE(cole-h): The NixOS module exposes a `flake` option that is a fancy wrapper around + # setting `to` -- we don't want to clobber this if users have set it on their own + to = lib.mkIf (config.nix.registry.nixpkgs.flake or null == null) (mkPreferable { + type = "tarball"; + url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1.0.tar.gz"; + }); + }; + + nix.settings = { + bash-prompt-prefix = "(nix:$name)\\040"; + extra-experimental-features = [ "nix-command" "flakes" ]; + extra-nix-path = [ "nixpkgs=flake:nixpkgs" ]; + extra-substituters = [ "https://cache.flakehub.com" ]; + }; + }; + + # The settings configured in this module require being a user trusted by the Nix daemon. + restrictedNixSettingsModule = { ... }: { + nix.settings = restrictedNixSettings; + }; + + # Nix settings that require being a trusted user to configure. 
+ restrictedNixSettings = { + always-allow-substitutes = true; + netrc-file = "/nix/var/determinate/netrc"; + upgrade-nix-store-path-url = "https://install.determinate.systems/nix-upgrade/stable/universal"; + extra-trusted-public-keys = [ + "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=" + "cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio=" + "cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU=" + "cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU=" + "cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8=" + "cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ=" + "cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o=" + "cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=" + ]; + }; in { imports = [ diff --git a/modules/shared.nix b/modules/shared.nix deleted file mode 100644 index 1aa1dc8..0000000 --- a/modules/shared.nix +++ /dev/null 
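Review bot: The comment on `commonNixSettingsModule` points readers to `restrictedSettingsModule`, but the binding defined below it is `restrictedNixSettingsModule`; now that the definitions are inlined into modules/nixos.nix the reference should be corrected. The `extra-trusted-public-keys` list in `restrictedNixSettings` also needs a comment, because each of the eight `cache.flakehub.com-N` keys is trusted to sign substituted store paths and nothing records where they are published or which are still in use; something like `# Signing keys for cache.flakehub.com; source: <KEY_SOURCE_URL>; drop retired keys on rotation` would do. The module body after `in { imports = [` continues outside this hunk.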
@@ -1,63 +0,0 @@ -inputs: -rec { - # Stronger than mkDefault (1000), weaker than mkForce (50) and the "default override priority" - # (100). - mkPreferable = inputs.nixpkgs.lib.mkOverride 750; - - # Stronger than the "default override priority", as the upstream module uses that, and weaker than mkForce (50). - mkMorePreferable = inputs.nixpkgs.lib.mkOverride 75; - - # Common settings that are shared between NixOS and nix-darwin modules. - # The settings configured in this module must be generally settable by users both trusted and - # untrusted by the Nix daemon. Settings that require being a trusted user belong in the - # `restrictedSettingsModule` below. - commonNixSettingsModule = { config, pkgs, lib, ... }: { - nix.package = inputs.nix.packages."${pkgs.stdenv.system}".default; - - nix.registry.nixpkgs = { - exact = true; - - from = { - type = "indirect"; - id = "nixpkgs"; - }; - - # NOTE(cole-h): The NixOS module exposes a `flake` option that is a fancy wrapper around - # setting `to` -- we don't want to clobber this if users have set it on their own - to = lib.mkIf (config.nix.registry.nixpkgs.flake or null == null) (mkPreferable { - type = "tarball"; - url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1.0.tar.gz"; - }); - }; - - nix.settings = { - bash-prompt-prefix = "(nix:$name)\\040"; - extra-experimental-features = [ "nix-command" "flakes" ]; - extra-nix-path = [ "nixpkgs=flake:nixpkgs" ]; - extra-substituters = [ "https://cache.flakehub.com" ]; - }; - }; - - # Restricted settings that are shared between NixOS and nix-darwin modules. - # The settings configured in this module require being a user trusted by the Nix daemon. - restrictedNixSettingsModule = { ... }: { - nix.settings = restrictedNixSettings; - }; - - # Nix settings that require being a trusted user to configure. 
- restrictedNixSettings = { - always-allow-substitutes = true; - netrc-file = "/nix/var/determinate/netrc"; - upgrade-nix-store-path-url = "https://install.determinate.systems/nix-upgrade/stable/universal"; - extra-trusted-public-keys = [ - "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=" - "cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio=" - "cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU=" - "cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU=" - "cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8=" - "cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ=" - "cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o=" - "cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=" - ]; - }; -} diff --git a/tests/flake.nix b/tests/flake.nix index 2c77cdb..e0a1674 100644 --- a/tests/flake.nix +++ b/tests/flake.nix @@ -32,8 +32,8 @@ system = "aarch64-darwin"; modules = [ - determinate.darwinModules.default { + nix.enable = false; system.stateVersion = 5; } ];
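Review bot: With `determinate.darwinModules.default` removed from `modules` in tests/flake.nix, nothing visible here evaluates the migration stub any more, so a mistake in its `options.nix.enable.visible or true` branch selection would not be caught. I would keep a second darwin configuration that still lists `determinate.darwinModules.default`, so the stub is at least evaluated. The enclosing attribute set begins and ends outside this hunk, so another test may already cover this.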