checks: check /etc/nix/nix.custom.conf hash #1266

@@ -0,0 +1,14 @@

# Generated by https://github.com/DeterminateSystems/nix-installer.
# See `/nix/nix-installer --version` for the version details.

!include nix.custom.conf
Collaborator

Shouldn't this be at the bottom to be able to override their defaults?

Collaborator Author

Probably, yeah. This is what’s shipped in the wild in v0.33.0, though, so I think we have to handle this version of the file anyway.


experimental-features = nix-command flakes
always-allow-substitutes = true
extra-trusted-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=
bash-prompt-prefix = (nix:$name)\040
max-jobs = auto
extra-nix-path = nixpkgs=flake:nixpkgs
upgrade-nix-store-path-url = https://install.determinate.systems/nix-upgrade/stable/universal
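Review bot: This fixture is only useful while it stays byte-for-byte what installer v0.33.0 writes, including the leading blank line and `!include nix.custom.conf` sitting above the defaults, so the ordering fix discussed in the thread must not be applied to this copy. Say so in the test that consumes it, and have that test compute the file's SHA-256 and check it against the known-hash list instead of relying on the pasted value matching.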
@@ -0,0 +1,4 @@

# Written by https://github.com/DeterminateSystems/nix-installer.
# The contents below are based on options specified at installation time.

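Review bot: The activation check further down compares `/etc/nix/nix.custom.conf` against a single SHA-256, so an otherwise empty file is accepted only if it is exactly these four lines. An installer release that rewords either comment, or a user who adds a blank line, will hit the abort even though there are no settings to migrate. Consider treating a file that contains only blank and `#` lines as empty, or at least keep a list of known hashes as is done for `nix.conf`.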
36 changes: 35 additions & 1 deletion modules/nix/default.nix
Expand Up @@ -703,6 +703,7 @@ in
"5d23e6d7015756c6f300f8cd558ec4d9234ca61deefd4f2478e91a49760b0747" # DeterminateSystems Nix installer 0.16.0
"e4974acb79c56148cb8e92137fa4f2de9b7356e897b332fc4e6769e8c0b83e18" # DeterminateSystems Nix installer 0.20.0
"966d22ef5bb9b56d481e8e0d5f7ca2deaf4d24c0f0fc969b2eeaa7ae0aa42907" # DeterminateSystems Nix installer 0.22.0
"53712b4335030e2dbfb46bb235f8cffcac83fea404bd32dc99417ac89e2dd7c5" # DeterminateSystems Nix installer 0.33.0
"24797ac05542ff8b52910efc77870faa5f9e3275097227ea4e50c430a5f72916" # lix-installer 0.17.1 with flakes
"b027b5cad320b5b8123d9d0db9f815c3f3921596c26dc3c471457098e4d3cc40" # lix-installer 0.17.1 without flakes
];
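Review bot: The new 0.33.0 entry differs from the ones above it because, per the fixture in this PR, that version of `nix.conf` pulls in `nix.custom.conf`, so matching this hash no longer means the whole effective configuration is known. The trailing comment should say that this entry is only safe together with the `nix.custom.conf` check added further down, so that nobody later removes one without the other.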
Expand Down Expand Up @@ -823,8 +824,41 @@ in
]);
users.knownGroups = mkIf cfg.configureBuildUsers [ "nixbld" ];

# The Determinate Systems installer puts user‐specified settings in
# `/etc/nix/nix.custom.conf` since vX.YY.Z. Supplement the
# `/etc/nix/nix.conf` hash check so that we don’t accidentally
# clobber user configuration.
#
# TODO: Maybe this could use a more general file placement mechanism
# to express that we want it deleted and know only one hash?
system.activationScripts.etcChecks.text = mkAfter ''
nixCustomConfEmptySha256Hash=6787fade1cf934f82db554e78e1fc788705c2c5257fddf9b59bdd963ca6fec63
if [[ -e /etc/nix/nix.custom.conf ]]; then
nixCustomConfSha256Output=$(shasum -a 256 /etc/nix/nix.custom.conf)
nixCustomConfSha256Hash=''${nixCustomConfSha256Output%% *}
if [[ $nixCustomConfSha256Hash != "$nixCustomConfEmptySha256Hash" ]]; then
printf >&2 '\e[1;31merror: custom settings in /etc/nix/nix.custom.conf, aborting activation\e[0m\n'
# shellcheck disable=SC2016
printf >&2 'You will need to migrate these to nix-darwin `nix.*` settings if you\n'
printf >&2 'wish to keep them. Check the manual for the appropriate settings and\n'
printf >&2 'add them to your system configuration, then run:\n'
printf >&2 '\n'
printf >&2 ' $ sudo mv /etc/nix/nix.custom.conf{,.before-nix-darwin}\n'
printf >&2 '\n'
printf >&2 'and activate your system again.\n'
exit 2
fi
fi
'';

# Unrelated to use in NixOS module
system.activationScripts.nix-daemon.text = mkIf cfg.useDaemon ''
system.activationScripts.nix-daemon.text = ''
# Follow up on the `/etc/nix/nix.custom.conf` check.
# TODO: Use a more generalized file placement mechanism for this.
if [[ -e /etc/nix/nix.custom.conf ]]; then
mv /etc/nix/nix.custom.conf{,.before-nix-darwin}
fi
'' + optionalString cfg.useDaemon ''
if ! diff /etc/nix/nix.conf /run/current-system/etc/nix/nix.conf &> /dev/null || ! diff /etc/nix/machines /run/current-system/etc/nix/machines &> /dev/null; then
echo "reloading nix-daemon..." >&2
launchctl kill HUP system/org.nixos.nix-daemon
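Review bot: The `mv /etc/nix/nix.custom.conf{,.before-nix-darwin}` in the nix-daemon script overwrites an existing `.before-nix-darwin` without asking, and that is the same path the error message tells users to move their real settings to. If an empty `nix.custom.conf` reappears later (for example after the installer is run again), the next activation replaces the user's saved settings with the empty file. Use `mv -n`, or skip the move when the target exists and just remove the empty file. Separately, the comment still reads `since vX.YY.Z`; fill in the version before merging.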