nix: fix auto-allocate-uids
A few days ago, there was a change [^1] that removed the
`nix.configureBuildUsers` option, and made it so that the build users
and group were always managed. Unfortunately this broke the
`auto-allocate-uids` option:

1. `configureBuildUsers` (internal variable) is set to false if
   `auto-allocate-uids` is set to true. (Line 15)

2. The users and groups are configured when `configureBuildUsers` is
   true (so `auto-allocate-uids` is false)... (Line 841)

3. ...but the users and groups are added to `knownUsers` and
   `knownGroups` regardless... (Line 846)

4. ...which leads to the assertions on Line 798 always being false, and
   also leads to nix-darwin attempting to delete the `nixbld` group.

The error shown when rebuilding with the problematic change and
`auto-allocate-uids` enabled is this:

```
error:
Failed assertions:
- refusing to delete group nixbld in users.knownGroups, this would break nix
- refusing to delete user _nixbld1 in users.knownUsers, this would break nix
```

This PR fixes both of these issues (failed assertion and attempt to
delete `nixbld` group, which is still necessary for `auto-allocate-uids`
despite no users being in the group), by only adding the user assertions
when `configureBuildUsers` is true, and updating the `users.knownUsers`
to also only be set in that case. Additionally, the `nixbld` group is
now always created.

[^1]: Commit adc989f
andre4ik3 committed Feb 13, 2025
1 parent a674621 commit c3fe32d
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions modules/nix/default.nix
Expand Up @@ -795,15 +795,17 @@ in

# Not in NixOS module
{ assertion = elem "nixbld" config.users.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
{ assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }

{
# Should be fixed in Lix by https://gerrit.lix.systems/c/lix/+/2100
# Lix 2.92.0 will set `VERSION_SUFFIX` to `""`; `lib.versionAtLeast "" "pre20241107"` will return `true`.
assertion = cfg.settings.auto-optimise-store -> (cfg.package.pname == "lix" && (isNixAtLeast "2.92.0" && versionAtLeast (strings.removePrefix "-" cfg.package.VERSION_SUFFIX) "pre20241107"));
message = "`nix.settings.auto-optimise-store` is known to corrupt the Nix Store, please use `nix.optimise.automatic` instead.";
}
] ++ lib.optionals configureBuildUsers [
# Not in NixOS module
{ assertion = elem "_nixbld1" config.users.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = config.users.groups ? "nixbld" -> config.users.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
];

# Not in NixOS module
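Review bot: The new `] ++ lib.optionals configureBuildUsers [` list has no comment saying why the `_nixbld1` and group-membership assertions are skipped when `configureBuildUsers` is false; the reason (with `auto-allocate-uids` the group legitimately has no members) lives only in the commit message. These assertions are the guard against nix-darwin deleting the build user, so a one-line comment at the `lib.optionals` line would keep a later reader from treating the gating as accidental and moving them back. The `nixbld` group assertion that stays unconditional now depends on the group always being created, so a test evaluated with `auto-allocate-uids` enabled would be worth adding alongside.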
Expand Down Expand Up @@ -836,18 +838,18 @@ in
users.users = mkIf configureBuildUsers nixbldUsers;

# Not in NixOS module
users.groups.nixbld = mkIf configureBuildUsers {
users.groups.nixbld = {
description = "Nix build group for nix-daemon";
gid = config.ids.gids.nixbld;
members = attrNames nixbldUsers;
};
users.knownUsers =
let nixbldUserNames = attrNames nixbldUsers;
in
mkMerge [
mkIf configureBuildUsers (mkMerge [
nixbldUserNames
(map (removePrefix "_") nixbldUserNames) # delete old style nixbld users
];
]);
users.knownGroups = [ "nixbld" ];

# The Determinate Systems installer puts user‐specified settings in
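Review bot: `members = attrNames nixbldUsers;` in `users.groups.nixbld` is now evaluated even when `configureBuildUsers` is false, while `users.users = mkIf configureBuildUsers nixbldUsers;` stays gated, so the group can list `_nixbld*` members that are never created unless `nixbldUsers` is already empty in that case (its definition is not visible in this hunk). The commit message expects the group to hold no users under `auto-allocate-uids`; making that explicit, for example `members = lib.optionals configureBuildUsers (attrNames nixbldUsers);`, would not rely on how `nixbldUsers` is defined. `users.knownGroups = [ "nixbld" ];` staying unconditional is consistent with the group now always being created.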