Add migration logic to nix-darwin module

README.md

@@ -13,15 +13,14 @@ You can get started with Determinate in one of two ways:
 | Situation                            | How to install                                                               |
 | :----------------------------------- | :--------------------------------------------------------------------------- |
 | **Linux** but not using [NixOS]      | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) |
-| **macOS** but not using [nix-darwin] | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) |
+| **macOS**                            | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) |
 | **Linux** and using [NixOS]          | The [NixOS module](#nixos) provided by this flake                            |
-| **macOS** and using [nix-darwin]     | The [nix-darwin module](#nix-darwin) provided by this flake                  |
 
 ## Installing using the Determinate Nix Installer
 
 If you use...
 
-- **macOS** (not [nix-darwin]) or
+- **macOS** (including [nix-darwin]) or
 - **Linux** (not [NixOS])
 
 ...you can install Determinate using the [Determinate Nix Installer][installer] with the `--determinate` flag:
@@ -33,7 +32,7 @@ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix
 
 ## Installing using our Nix flake
 
-If you use [nix-darwin] or [NixOS] you can install Determinate using this [Nix flake][flakes].
+If you use [NixOS] you can install Determinate using this [Nix flake][flakes].
 To add the `determinate` flake as a [flake input][flake-inputs]:
 
 ```nix
@@ -44,9 +43,7 @@ To add the `determinate` flake as a [flake input][flake-inputs]:
 
 > We recommend not using a [`follows`][follows] directive for [Nixpkgs] (`inputs.nixpkgs.follows = "nixpkgs"`) in conjunction with the Determinate flake, as it leads to cache misses for artifacts otherwise available from [FlakeHub Cache][cache].
 
-### NixOS
-
-If you're a [NixOS] user, you can quickly set up Determinate using the `nixosModules.default` module output from this flake.
+You can quickly set up Determinate using the `nixosModules.default` module output from this flake.
 Here's an example NixOS configuration:
 
 ```nix
@@ -66,28 +63,6 @@ Here's an example NixOS configuration:
 }
 ```
 
-### nix-darwin
-
-If you're a [nix-darwin] user on macOS, you can quickly set up Determinate using the `darwinModules.default` module output from this flake.
-Here's an example nix-darwin configuration:
-
-```nix
-{
-  inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/0.1";
-  inputs.nix-darwin.url = "github:LnL7/nix-darwin";
-
-  outputs = { determinate, nix-darwin, ... }: {
-    darwinConfigurations.my-workstation-aarch64-darwin = nix-darwin.lib.darwinSystem {
-      system = "aarch64-darwin";
-      modules = [
-        # Load the Determinate module
-        determinate.darwinModules.default
-      ];
-    };
-  };
-}
-```
-
 [actions]: https://github.com/features/actions
 [cache]: https://determinate.systems/posts/flakehub-cache-beta
 [det-nix]: https://determinate.systems/nix

flake.nix

@@ -62,7 +62,8 @@
           };
         });
 
-      darwinModules.default = import ./modules/nix-darwin.nix inputs;
+      # Stub for migration.
+      darwinModules.default = ./modules/nix-darwin.nix;
 
       nixosModules.default = import ./modules/nixos.nix inputs;
     };

modules/nix-darwin.nix

@@ -1,97 +1,89 @@
-inputs:
-{ lib, config, pkgs, ... }:
+{ lib, options, ... }:
 let
-  inherit (import ./shared.nix inputs)
-    commonNixSettingsModule
-    restrictedNixSettingsModule
-    mkPreferable
-  ;
-in
-{
-  imports = [
-    commonNixSettingsModule
-    restrictedNixSettingsModule
-  ];
-
-  config = {
-    # Make Nix use the Nix daemon
-    nix.useDaemon = true;
-
-    # Make sure that the user can't enable the nix-daemon in their own nix-darwin config
-    services.nix-daemon.enable = lib.mkForce false;
-
-    system.activationScripts.nix-daemon = lib.mkForce { enable = false; text = ""; };
-    system.activationScripts.launchd.text = lib.mkBefore ''
-      if test -e /Library/LaunchDaemons/org.nixos.nix-daemon.plist; then
-        echo "Unloading org.nixos.nix-daemon"
-        launchctl bootout system /Library/LaunchDaemons/org.nixos.nix-daemon.plist || true
-        mv /Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/.before-determinate-nixd.org.nixos.nix-daemon.plist.skip
-      fi
+  postMigrationInstructions = ''
+    You have successfully migrated your Determinate installation.
+    Please remove `determinate.darwinModules.default` from your
+    nix-darwin configuration, and ensure that you have nix-darwin’s own
+    Nix installation management disabled by setting:
 
-      if test -e /Library/LaunchDaemons/org.nixos.darwin-store.plist; then
-        echo "Unloading org.nixos.darwin-store"
-        launchctl bootout system /Library/LaunchDaemons/org.nixos.darwin-store.plist || true
-        mv /Library/LaunchDaemons/org.nixos.darwin-store.plist /Library/LaunchDaemons/.before-determinate-nixd.org.nixos.darwin-store.plist.skip
-      fi
+        nix.enable = false;
 
-      install -d -m 755 -o root -g wheel /usr/local/bin
-      cp ${inputs.self.packages.${pkgs.stdenv.system}.default}/bin/determinate-nixd /usr/local/bin/.determinate-nixd.next
-      chmod +x /usr/local/bin/.determinate-nixd.next
-      mv /usr/local/bin/.determinate-nixd.next /usr/local/bin/determinate-nixd
-    '';
+    Then run `darwin-rebuild switch` again.
+  '';
+in
+{
+  config =
+    # Check if nix-darwin is new enough for the `nix.enable` option.
+    if options.nix.enable.visible or true then
+      {
+        nix.enable = false;
 
-    launchd.daemons.determinate-nixd-store.serviceConfig = {
-      Label = "systems.determinate.nix-store";
-      RunAtLoad = true;
+        system.activationScripts.checks.text = lib.mkBefore ''
+          if [[ ! -e /usr/local/bin/determinate-nixd ]]; then
+            printf >&2 '\e[1;31merror: Determinate not installed, aborting activation\e[0m\n'
+            printf >&2 'The Determinate nix-darwin module is no longer necessary. To install\n'
+            printf >&2 'Determinate, remove `determinate.darwinModules.default` from your\n'
+            printf >&2 'configuration and follow the installation installations at\n'
+            printf >&2 '<https://docs.determinate.systems/getting-started/individuals>.\n'
+            exit 2
+          fi
 
-      StandardErrorPath = lib.mkForce "/var/log/determinate-nix-init.log";
-      StandardOutPath = lib.mkForce "/var/log/determinate-nix-init.log";
+          # Hack: Detect the version of the `.plist` set up by the old
+          # version of the module.
+          if grep -- '--nix-bin' /Library/LaunchDaemons/systems.determinate.nix-daemon.plist >/dev/null; then
+            printf >&2 '\e[1;31merror: Determinate needs migration, aborting activation\e[0m\n'
+            printf >&2 'Determinate now manages the Nix installation independently of the\n'
+            printf >&2 'nix-darwin module.\n'
+            printf >&2 '\n'
+            printf >&2 'Please download and run the macOS installer from\n'
+            printf >&2 '<https://docs.determinate.systems/getting-started/individuals> and then\n'
+            printf >&2 'run `darwin-rebuild switch` again to migrate your installation.\n'
+            exit 2
+          fi
 
-      ProgramArguments = lib.mkForce [
-        "/usr/local/bin/determinate-nixd"
-        "--nix-bin"
-        "${config.nix.package}/bin"
-        "init"
-      ];
-    };
+          if [[ ! -e /run/current-system/Library/LaunchDaemons/systems.determinate.nix-daemon.plist ]]; then
+            printf >&2 '\e[1;31merror: deprecated Determinate module present, aborting activation\e[0m\n'
+            printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions}
+            exit 2
+          fi
+        '';
 
-    launchd.daemons.determinate-nixd.serviceConfig = {
-      Label = "systems.determinate.nix-daemon";
+        system.activationScripts.extraActivation.text = lib.mkBefore ''
+          # Hack: Make sure nix-darwin doesn’t clobber the Determinate
+          # launchd daemons after they become unmanaged.
 
-      StandardErrorPath = lib.mkForce "/var/log/determinate-nix-daemon.log";
-      StandardOutPath = lib.mkForce "/var/log/determinate-nix-daemon.log";
+          determinateDaemonsStash=$(mktemp -d --suffix=determinate-daemons)
+          cp -a /Library/LaunchDaemons/systems.determinate.{nix-daemon,nix-store}.plist "$determinateDaemonsStash"
 
-      ProgramArguments = lib.mkForce [
-        "/usr/local/bin/determinate-nixd"
-        "--nix-bin"
-        "${config.nix.package}/bin"
-        "daemon"
-      ];
+          # shellcheck disable=SC2317
+          restoreDeterminateDaemons() {
+            printf >&2 'restoring Determinate daemons...\n'
+            mv "$determinateDaemonsStash"/*.plist /Library/LaunchDaemons
+            rmdir "$determinateDaemonsStash"
+            launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-daemon.plist
+            launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-store.plist
+            printf >&2 '\n'
+            printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions}
+          }
 
-      Sockets = {
-        "determinate-nixd.socket" = {
-          # We'd set `SockFamily = "Unix";`, but nix-darwin automatically sets it with SockPathName
-          SockPassive = true;
-          SockPathName = "/var/run/determinate-nixd.socket";
-        };
+          trap restoreDeterminateDaemons EXIT
+        '';
+      }
+    else
+      {
+        assertions = [
+          {
+            assertion = false;
+            message = ''
+              Determinate now manages the Nix installation independently of
+              the nix-darwin module.
 
-        "nix-daemon.socket" = {
-          # We'd set `SockFamily = "Unix";`, but nix-darwin automatically sets it with SockPathName
-          SockPassive = true;
-          SockPathName = "/var/run/nix-daemon.socket";
-        };
-      };
-
-      SoftResourceLimits = {
-        NumberOfFiles = mkPreferable 1048576;
-        NumberOfProcesses = mkPreferable 1048576;
-        Stack = mkPreferable 67108864;
-      };
-      HardResourceLimits = {
-        NumberOfFiles = mkPreferable 1048576;
-        NumberOfProcesses = mkPreferable 1048576;
-        Stack = mkPreferable 67108864;
+              Please download and run the macOS installer from
+              <https://docs.determinate.systems/getting-started>,
+              update nix-darwin, and then run `darwin-rebuild switch`
+              again to migrate your installation.
+            '';
+          }
+        ];
       };
-    };
-  };
 }

modules/nixos.nix

@@ -1,12 +1,64 @@
 inputs:
 { lib, pkgs, config, ... }:
 let
-  inherit (import ./shared.nix inputs)
-    commonNixSettingsModule
-    restrictedNixSettingsModule
-    mkPreferable
-    mkMorePreferable
-  ;
+  # Stronger than mkDefault (1000), weaker than mkForce (50) and the "default override priority"
+  # (100).
+  mkPreferable = lib.mkOverride 750;
+
+  # Stronger than the "default override priority", as the upstream module uses that, and weaker than mkForce (50).
+  mkMorePreferable = lib.mkOverride 75;
+
+  # The settings configured in this module must be generally settable by users both trusted and
+  # untrusted by the Nix daemon. Settings that require being a trusted user belong in the
+  # `restrictedSettingsModule` below.
+  commonNixSettingsModule = { config, pkgs, lib, ... }: {
+    nix.package = inputs.nix.packages."${pkgs.stdenv.system}".default;
+
+    nix.registry.nixpkgs = {
+      exact = true;
+
+      from = {
+        type = "indirect";
+        id = "nixpkgs";
+      };
+
+      # NOTE(cole-h): The NixOS module exposes a `flake` option that is a fancy wrapper around
+      # setting `to` -- we don't want to clobber this if users have set it on their own
+      to = lib.mkIf (config.nix.registry.nixpkgs.flake or null == null) (mkPreferable {
+        type = "tarball";
+        url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1.0.tar.gz";
+      });
+    };
+
+    nix.settings = {
+      bash-prompt-prefix = "(nix:$name)\\040";
+      extra-experimental-features = [ "nix-command" "flakes" ];
+      extra-nix-path = [ "nixpkgs=flake:nixpkgs" ];
+      extra-substituters = [ "https://cache.flakehub.com" ];
+    };
+  };
+
+  # The settings configured in this module require being a user trusted by the Nix daemon.
+  restrictedNixSettingsModule = { ... }: {
+    nix.settings = restrictedNixSettings;
+  };
+
+  # Nix settings that require being a trusted user to configure.
+  restrictedNixSettings = {
+    always-allow-substitutes = true;
+    netrc-file = "/nix/var/determinate/netrc";
+    upgrade-nix-store-path-url = "https://install.determinate.systems/nix-upgrade/stable/universal";
+    extra-trusted-public-keys = [
+      "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
+      "cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio="
+      "cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU="
+      "cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU="
+      "cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8="
+      "cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ="
+      "cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o="
+      "cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y="
+    ];
+  };
 in
 {
   imports = [

tests/flake.nix

@@ -32,8 +32,8 @@
       system = "aarch64-darwin";
 
       modules = [
-        determinate.darwinModules.default
         {
+          nix.enable = false;
           system.stateVersion = 5;
         }
       ];