From 7f6a9691706c7d6510a29242c939b719f35dc431 Mon Sep 17 00:00:00 2001
From: andre4ik3
Date: Thu, 13 Feb 2025 09:55:56 +0400
Subject: [PATCH] nix: fix auto-allocate-uids
A few days ago, there was a change [^1] that removed the `nix.configureBuildUsers` option, and made it so that the build users and group was always managed. Unfortunately this broke the `auto-allocate-uids` option:
1. `configureBuildUsers` (internal variable) is set to false if `auto-allocate-uids` is set to true. (Line 15)
2. The users and groups are configured when `configureBuildUsers` is true (so `auto-allocate-uids` is false)... (Line 841)
3. ...but the users and groups are added to `knownUsers` and `knownGroups` regardless... (Line 846)
4. ...which leads to the assertions on Line 798 always being false, and also leads to nix-darwin attempt to delete the `nixbld` group.
The error shown when rebuilding with the problematic change and `auto-allocate-uids` enabled is this:
```
error: Failed assertions:
- refusing to delete group nixbld in users.knownGroups, this would break nix
- refusing to delete user _nixbld1 in users.knownUsers, this would break nix
```
This PR fixes both of these issues (failed assertion and attempt to delete `nixbld` group, which is still necessary for `auto-allocate-uids` despite no users being in the group), by only adding the user assertions when `configureBuildUsers` is true, and updating the `users.knownUsers` to also only be set in that case. Additionally, the `nixbld` group is now always created.
[^1]: Commit adc989f7ec9efd8bb4e1b6b48c15f4c0f41be018
---
 modules/nix/default.nix | 6 +++---
 modules/system/checks.nix | 11 +++++++++--
 modules/users/default.nix | 8 ++------
 3 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index b201a692e..28db38081 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -795,8 +795,8 @@ in
 # Not in NixOS module
 { assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
- { assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
- { assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
+ { assertion = configureBuildUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
+ { assertion = configureBuildUsers -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
 {
 # Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100
@@ -836,7 +836,7 @@ in
 users.users = mkIf configureBuildUsers nixbldUsers;
 # Not in NixOS module
- users.groups.nixbld = mkIf configureBuildUsers {
+ users.groups.nixbld = {
 description = "Nix build group for nix-daemon";
 gid = config.ids.gids.nixbld;
 members = attrNames nixbldUsers;
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 6afe796cb..ea619f955 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -50,10 +50,11 @@ let
 '';
 preSequoiaBuildUsers = ''
- firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
+ firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID 2>/dev/null | awk '{print $2}' || echo 0)
 if
 # Don’t complain when we’re about to migrate old‐style build users…
 [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]] \
+ && [[ $firstBuildUserID != 0 ]] \
 && ! dscl . -list /Users | grep -q '^nixbld'
 then
 printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
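Review bot: The rewritten third assertion drops the `config.users.groups ? "nixbld"` guard, so it now depends on the nixbld group being defined unconditionally elsewhere in the file (the -836 hunk), and that coupling is invisible at this line. A comment above it would make that explicit, e.g. `# nixbld group is always defined below, so no ? guard is needed here`. Both changed messages also still say "in users.knownUsers" while the conditions now key off `configureBuildUsers` alone; wording such as `refusing to delete user _nixbld1 while build users are managed, this would break nix` would point the reader at the setting that actually matters. The assertions list continues outside the hunk.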
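Review bot: `members = attrNames nixbldUsers;` is now evaluated regardless of `configureBuildUsers`, while `users.users` on the first context line still creates those accounts only under `configureBuildUsers`; unless `nixbldUsers` is itself empty in the auto-allocate-uids case (not visible here), the group will declare `_nixbldN` members that are never created as users, which does not match the description's "no users being in the group". If `optionals` is in scope like `attrNames`, `members = optionals configureBuildUsers (attrNames nixbldUsers);` keeps the group unconditional without listing phantom members. A comment above the attribute should also record why the group is no longer gated, e.g. `# Always defined: nix-daemon needs the nixbld group even when auto-allocate-uids manages build users`. The attribute set continues outside the hunk.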
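Review bot: The `|| echo 0` added to the `firstBuildUserID=` line is tied to the exit status of the whole pipeline, which without `pipefail` is awk's and is 0 even when `dscl` fails, so a missing `_nixbld1` leaves the variable empty rather than `0`; the new `[[ $firstBuildUserID != 0 ]]` guard then does not fire and the error path still runs. Unless `set -o pipefail` is in effect somewhere outside the hunk, defaulting explicitly is more reliable: keep the pipeline without `|| echo 0` and follow it with `firstBuildUserID=''${firstBuildUserID:-0}` (the `''${` escape is required inside the Nix indented string). The `preSequoiaBuildUsers` script continues outside the hunk.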
@@ -258,6 +259,12 @@ in
 description = "Whether to run the Nix build users validation checks.";
 };
+ system.checks.verifyBuildGroup = mkOption {
+ type = types.bool;
+ default = config.nix.enable;
+ description = "Whether to run the Nix build group validation checks.";
+ };
+
 system.checks.verifyMacOSVersion = mkOption {
 type = types.bool;
 default = true;
@@ -277,7 +284,7 @@ in
 (mkIf cfg.verifyMacOSVersion macOSVersion)
 (mkIf config.nix.enable determinate)
 (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
- (mkIf cfg.verifyBuildUsers buildGroupID)
+ (mkIf cfg.verifyBuildGroup buildGroupID)
 (mkIf config.nix.enable nixDaemon)
 nixInstaller
 (mkIf cfg.verifyNixPath nixPath)
diff --git a/modules/users/default.nix b/modules/users/default.nix
index 706abbfa7..40da39377 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -317,12 +317,8 @@ in
 ${concatMapStringsSep "\n" (name: ''
 u=$(id -u ${escapeShellArg name} 2> /dev/null) || true
 if [ -n "$u" ]; then
- if [ "$u" -gt 501 ]; then
- echo "deleting user ${name}..." >&2
- dscl . -delete ${escapeShellArg "/Users/${name}"}
- else
- echo "warning: existing user '${name}' has unexpected uid $u, skipping..." >&2
- fi
+ echo "deleting user ${name}..." >&2
+ dscl . -delete ${escapeShellArg "/Users/${name}"}
 fi
 '') deletedUsers}
 '';
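Review bot: Removing the `-gt 501` branch takes away the only check that kept `dscl . -delete` from acting on a privileged or interactive account whose name happens to match an entry in `deletedUsers` (uid 0, and on macOS typically the first admin account at 501, are both below that floor), and the commit description does not mention this hunk or why the floor had to go. If the reason is that managed build users can legitimately carry UIDs below 501, a narrower guard keeps the protection: `if [ "$u" -ne 0 ] && [ "$u" -ne 501 ]; then` in place of the removed `if [ "$u" -gt 501 ]; then`, with the existing warning `else` branch retained, plus a comment recording the UID range the build users are expected to occupy. The `concatMapStringsSep` generator continues outside the hunk.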