nix: fix auto-allocate-uids
A few days ago, there was a change [^1] that removed the
`nix.configureBuildUsers` option, and made it so that the build users
and group were always managed. Unfortunately this broke the
`auto-allocate-uids` option:

1. `configureBuildUsers` (internal variable) is set to false if
   `auto-allocate-uids` is set to true. (Line 15)

2. The users and groups are configured when `configureBuildUsers` is
   true (so `auto-allocate-uids` is false)... (Line 841)

3. ...but the users and groups are added to `knownUsers` and
   `knownGroups` regardless... (Line 846)

4. ...which leads to the assertions on Line 798 always being false, and
   also leads to nix-darwin attempting to delete the `nixbld` group.

The error shown when rebuilding with the problematic change and
`auto-allocate-uids` enabled is this:

```
error:
Failed assertions:
- refusing to delete group nixbld in users.knownGroups, this would break nix
- refusing to delete user _nixbld1 in users.knownUsers, this would break nix
```

This PR fixes both of these issues (failed assertion and attempt to
delete `nixbld` group, which is still necessary for `auto-allocate-uids`
despite no users being in the group), by only adding the user assertions
when `configureBuildUsers` is true, and updating the `users.knownUsers`
to also only be set in that case. Additionally, the `nixbld` group is
now always created.

[^1]: Commit adc989f
andre4ik3 committed Feb 13, 2025
1 parent a674621 commit 7f6a969
Showing 3 changed files with 14 additions and 11 deletions.
6 changes: 3 additions & 3 deletions modules/nix/default.nix
@@ -795,8 +795,8 @@ in

# Not in NixOS module
{ assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
{ assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
{ assertion = configureBuildUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = configureBuildUsers -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }

{
# Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100
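Review bot: the message on the remaining `_nixbld1` assertion still reads "refusing to delete user _nixbld1 in users.knownUsers", but its condition is now `configureBuildUsers -> elem "_nixbld1" createdUsers` and no longer inspects `users.knownUsers` at all; reword the message to describe the new condition (build users enabled but `_nixbld1` not created). Separately, the `config.users.groups.nixbld.members != []` assertion dropped the `config.users.groups ? "nixbld"` guard and now dereferences `config.users.groups.nixbld` unconditionally, which is only safe because the group is declared unconditionally in the `@@ -836` hunk of this same file; a one-line comment recording that dependency would spare the next reader a surprise if the group declaration is ever made conditional again.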
@@ -836,7 +836,7 @@ in
users.users = mkIf configureBuildUsers nixbldUsers;

# Not in NixOS module
users.groups.nixbld = mkIf configureBuildUsers {
users.groups.nixbld = {
description = "Nix build group for nix-daemon";
gid = config.ids.gids.nixbld;
members = attrNames nixbldUsers;
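Review bot: `members = attrNames nixbldUsers;` is now evaluated even when `configureBuildUsers` is false, while `users.users = mkIf configureBuildUsers nixbldUsers;` two lines above no longer creates those accounts in that case. If `nixbldUsers` is still populated under `auto-allocate-uids`, the group will list members that do not exist on the system, which contradicts the commit message's intent of keeping an empty `nixbld` group. Consider `members = if configureBuildUsers then attrNames nixbldUsers else [];` so the group declaration and the user declaration stay in sync.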
11 changes: 9 additions & 2 deletions modules/system/checks.nix
@@ -50,10 +50,11 @@ let
'';

preSequoiaBuildUsers = ''
firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}' || echo 0)
if
# Don’t complain when we’re about to migrate old‐style build users…
[[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \
&& [[ $firstBuildUserID != 0 ]] \
&& ! dscl . -list /Users | grep -q '^nixbld'
then
printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
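Review bot: the `|| echo 0` fallback on the new `firstBuildUserID=` line only runs when the last command of the pipeline fails, and `awk` exits 0 on empty input, so when `dscl` cannot find `/Users/_nixbld1` the variable ends up empty rather than `0` (unless this script runs under `set -o pipefail`, which is not visible in the hunk). With an empty value `[[ $firstBuildUserID != 0 ]]` is still true and the new guard never short-circuits the check. Test for emptiness directly instead, e.g. replace the added `&& [[ $firstBuildUserID != 0 ]] \` with `&& [[ -n $firstBuildUserID ]] \`; note that a `${firstBuildUserID:-0}` default cannot be used here because `${...}` inside the Nix `''` string is Nix interpolation.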
@@ -258,6 +259,12 @@ in
description = "Whether to run the Nix build users validation checks.";
};

system.checks.verifyBuildGroup = mkOption {
type = types.bool;
default = config.nix.enable;
description = "Whether to run the Nix build group validation checks.";
};

system.checks.verifyMacOSVersion = mkOption {
type = types.bool;
default = true;
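Review bot: the description of the new `system.checks.verifyBuildGroup` option ("Whether to run the Nix build group validation checks.") should state what is actually validated (the `nixbld` group's GID) and that it was split out of `verifyBuildUsers`, since until this commit both checks sat behind one switch; without that, someone who turns off `verifyBuildUsers` will not learn from the option docs that the group check stays enabled by default via `config.nix.enable`.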
@@ -277,7 +284,7 @@ in
(mkIf cfg.verifyMacOSVersion macOSVersion)
(mkIf config.nix.enable determinate)
(mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
(mkIf cfg.verifyBuildUsers buildGroupID)
(mkIf cfg.verifyBuildGroup buildGroupID)
(mkIf config.nix.enable nixDaemon)
nixInstaller
(mkIf cfg.verifyNixPath nixPath)
8 changes: 2 additions & 6 deletions modules/users/default.nix
@@ -317,12 +317,8 @@ in
${concatMapStringsSep "\n" (name: ''
u=$(id -u ${escapeShellArg name} 2> /dev/null) || true
if [ -n "$u" ]; then
if [ "$u" -gt 501 ]; then
echo "deleting user ${name}..." >&2
dscl . -delete ${escapeShellArg "/Users/${name}"}
else
echo "warning: existing user '${name}' has unexpected uid $u, skipping..." >&2
fi
echo "deleting user ${name}..." >&2
dscl . -delete ${escapeShellArg "/Users/${name}"}
fi
'') deletedUsers}
'';
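Review bot: removing the `[ "$u" -gt 501 ]` guard means every name in `deletedUsers` that resolves through `id -u` is now removed with `dscl . -delete`, including low-UID system accounts, whereas before such a name only produced the "unexpected uid ... skipping" warning. If the guard was dropped because the build users' UIDs (`config.ids.uids.nixbld + 1` onward, per the checks.nix hunk) can be at or below 501, replace it with a check that `$u` lies in the configured build-user range rather than deleting unconditionally, and keep the `else` warning branch for anything outside that range so an accidental `knownUsers` entry cannot take out an unrelated account during activation.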

0 comments on commit 7f6a969