authorMichael Hoang <Enzime@users.noreply.github.com>2024-09-11 15:24:04 +1000
committerGitHub <noreply@github.com>2024-09-11 15:24:04 +1000
commitf4f18f3d7229845e1c9d517457b7a0b90a38b728 (patch)
tree406dc6e0dec5ffc4c2d4f38307363824dad899a6
parent8220423c0220d4edcf62dec059ec41e84c7851ef (diff)
parent88b97aa49c451070d2978b291a6280f2e1c5c2b6 (diff)
Merge pull request #1069 from emilazy/push-mmluvksnvxpy
{ids,checks}: update for new builder UID/GID values
-rw-r--r--.github/workflows/test.yml39
-rw-r--r--CHANGELOG14
-rw-r--r--modules/examples/flake/flake.nix2
-rw-r--r--modules/examples/ofborg.nix2
-rw-r--r--modules/examples/simple.nix2
-rw-r--r--modules/misc/ids.nix7
-rw-r--r--modules/system/checks.nix77
-rw-r--r--modules/system/version.nix2
8 files changed, 120 insertions, 25 deletions
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a494fd6..6583817 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,7 +4,7 @@ on:
push:
env:
- CURRENT_STABLE_CHANNEL: nixpkgs-23.11-darwin
+ CURRENT_STABLE_CHANNEL: nixpkgs-24.05-darwin
jobs:
test-stable:
@@ -12,10 +12,13 @@ jobs:
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
+ # We use the Determinate Systems installer for 2.18 because the
+ # Sequoia UID/GID changes have not yet been backported to the
+ # official installer for that version.
- name: Install nix corresponding to latest stable channel
- uses: cachix/install-nix-action@v23
+ uses: DeterminateSystems/nix-installer-action@main
with:
- install_url: https://releases.nixos.org/nix/nix-2.13.6/install
+ nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A tests
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A manpages
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A examples.simple
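Review bot: `uses: DeterminateSystems/nix-installer-action@main` pins a third-party action that installs software on the runner to a moving branch, so the code this job executes can change between runs without any change in this repository and cannot be reviewed against a fixed revision. Prefer a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<commit-sha>  # <release tag>`. The same `@main` reference is introduced in the other two stable-channel jobs (the hunks at `@@ -36,18 +41,20 @@` and `@@ -125,10 +133,13 @@`). The `cachix/install-nix-action@v27` steps in the unstable jobs are tag-pinned and do not share this issue.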
@@ -26,7 +29,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install nix from current unstable channel
- uses: cachix/install-nix-action@v23
+ uses: cachix/install-nix-action@v27
+ with:
+ install_url: https://releases.nixos.org/nix/nix-2.24.6/install
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A tests
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A manpages
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A examples.simple
@@ -36,18 +41,20 @@ jobs:
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
+ # We use the Determinate Systems installer for 2.18 because the
+ # Sequoia UID/GID changes have not yet been backported to the
+ # official installer for that version.
- name: Install nix corresponding to latest stable channel
- uses: cachix/install-nix-action@v23
+ uses: DeterminateSystems/nix-installer-action@main
with:
- install_url: https://releases.nixos.org/nix/nix-2.13.6/install
- nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}
+ nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz
- name: Install ${{ env.CURRENT_STABLE_CHANNEL }} channel
run: |
nix-channel --add https://nixos.org/channels/${{ env.CURRENT_STABLE_CHANNEL }} nixpkgs
nix-channel --update
- name: Install nix-darwin and test
run: |
- export NIX_PATH=$HOME/.nix-defexpr/channels
+ export NIX_PATH=nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}
# We run nix-darwin twice to test that it can create darwin-configuration correctly for us
# but we expect it to fail setting up /etc/nix/nix.conf
@@ -82,8 +89,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install nix from current unstable channel
- uses: cachix/install-nix-action@v23
+ uses: cachix/install-nix-action@v27
with:
+ install_url: https://releases.nixos.org/nix/nix-2.24.6/install
nix_path: nixpkgs=channel:nixpkgs-unstable
- name: Install nixpkgs-unstable channel
run: |
@@ -125,10 +133,13 @@ jobs:
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- - name: Install nix version corresponding to latest stable channel
- uses: cachix/install-nix-action@v23
+ # We use the Determinate Systems installer for 2.18 because the
+ # Sequoia UID/GID changes have not yet been backported to the
+ # official installer for that version.
+ - name: Install nix corresponding to latest stable channel
+ uses: DeterminateSystems/nix-installer-action@main
with:
- install_url: https://releases.nixos.org/nix/nix-2.13.6/install
+ nix-package-url: https://releases.nixos.org/nix/nix-2.18.5/nix-2.18.5-x86_64-darwin.tar.xz
- name: Install nix-darwin
run: |
mkdir -p ~/.config/nix-darwin
@@ -209,7 +220,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install nix from current unstable channel
- uses: cachix/install-nix-action@v23
+ uses: cachix/install-nix-action@v27
+ with:
+ install_url: https://releases.nixos.org/nix/nix-2.24.6/install
- name: Install nix-darwin
run: |
mkdir -p ~/.config/nix-darwin
diff --git a/CHANGELOG b/CHANGELOG
index 6523ef1..b9a9adc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,17 @@
+2024-09-10
+- The default Nix build user group ID is now set to 350 when
+ `system.stateVersion` ≥ 5, to reflect the default for new Nix
+ installations. This only affects installations that enable
+ `nix.configureBuildUsers`, and any divergence will be detected on
+ system activation. To use `nix.configureBuildUsers` with a higher
+ `system.stateVersion` on installations using the old group ID, set:
+
+ ids.gids.nixbld = 30000;
+
+ We do not recommend trying to change the group ID with macOS user
+ management tools without a complete uninstallation and reinstallation
+ of Nix.
+
2024-06-15
- SECURITY NOTICE: The previous implementation of the
`users.users.<name>.openssh.authorizedKeys.*` options would not delete
diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix
index 8650562..94c600e 100644
--- a/modules/examples/flake/flake.nix
+++ b/modules/examples/flake/flake.nix
@@ -32,7 +32,7 @@
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
- system.stateVersion = 4;
+ system.stateVersion = 5;
# The platform the configuration will be used on.
nixpkgs.hostPlatform = "x86_64-darwin";
diff --git a/modules/examples/ofborg.nix b/modules/examples/ofborg.nix
index 1054c57..6cef6e7 100644
--- a/modules/examples/ofborg.nix
+++ b/modules/examples/ofborg.nix
@@ -25,5 +25,5 @@ with lib;
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
- system.stateVersion = 4;
+ system.stateVersion = 5;
}
diff --git a/modules/examples/simple.nix b/modules/examples/simple.nix
index d146fde..1133da8 100644
--- a/modules/examples/simple.nix
+++ b/modules/examples/simple.nix
@@ -21,5 +21,5 @@
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
- system.stateVersion = 4;
+ system.stateVersion = 5;
}
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 07f1240..c0f3a19 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -8,7 +8,7 @@
# to change uids/gids on service start, in example a service with a lot of
# files.
-{ lib, ... }:
+{ lib, config, ... }:
let
inherit (lib) types;
@@ -34,15 +34,14 @@ in
};
-
config = {
ids.uids = {
- nixbld = 300;
+ nixbld = lib.mkDefault 350;
};
ids.gids = {
- nixbld = 30000;
+ nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350);
};
};
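Review bot: The UID default becomes 350 unconditionally while the GID default is gated on `config.system.stateVersion < 5`, and nothing in this hunk explains the asymmetry, so a reader comparing the two lines will wonder whether one of them is a mistake. A one-line comment above `ids.uids`, e.g. `# UIDs are not gated on stateVersion: the activation check in system/checks.nix expects the Sequoia-compatible range on every install; only the GID default is tied to stateVersion`, would make the intent explicit — adjust it if the actual reason differs. Both values use `lib.mkDefault`, so configurations that set either one explicitly are unaffected.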
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 6afce81..5ef9e52 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -46,13 +46,52 @@ let
oldBuildUsers = ''
if dscl . -list /Users | grep -q '^nixbld'; then
- echo "warning: Detected old style nixbld users" >&2
+ echo "error: Detected old style nixbld users, aborting activation" >&2
echo "These can cause migration problems when upgrading to certain macOS versions" >&2
echo "You can enable the following option to migrate to new style nixbld users" >&2
echo >&2
echo " nix.configureBuildUsers = true;" >&2
echo >&2
+ echo "or disable this check with" >&2
+ echo >&2
+ echo " system.checks.verifyBuildUsers = false;" >&2
+ echo >&2
+ exit 2
+ fi
+ '';
+
+ preSequoiaBuildUsers = ''
+ ${lib.optionalString config.nix.configureBuildUsers ''
+ # Don’t complain when we’re about to migrate old‐style build users…
+ if ! dscl . -list /Users | grep -q '^nixbld'; then
+ ''}
+ firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
+ if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
+ printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
+ printf >&2 'The default Nix build user ID range has been adjusted for\n'
+ printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n'
+ printf >&2 'UID %d rather than the new default of 351.\n' "$firstBuildUserID"
+ printf >&2 '\n'
+ printf >&2 'You can automatically migrate your users using the following script\n'
+ printf >&2 'from the Nix repository:\n'
+ printf >&2 '\n'
+ printf >&2 ' https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh\n'
+ printf >&2 '\n'
+ printf >&2 'This should work even if you installed Nix with the Determinate\n'
+ printf >&2 'Systems installer or are using Lix. If you are comfortable using the\n'
+ printf >&2 'script without review, you can run:\n'
+ printf >&2 '\n'
+ printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n"
+ printf >&2 '\n'
+ printf >&2 'If you have no intention of upgrading to macOS Sequoia 15, or already\n'
+ printf >&2 'have a custom UID range that you know is compatible with Sequoia, you\n'
+ printf >&2 'can disable this check by setting:\n'
+ printf >&2 '\n'
+ printf >&2 ' ids.uids.nixbld = %d;\n' "$((firstBuildUserID - 1))"
+ printf >&2 '\n'
+ exit 2
fi
+ ${lib.optionalString config.nix.configureBuildUsers "fi"}
'';
buildUsers = ''
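Review bot: The comparison uses `${toString (config.ids.uids.nixbld + 1)}` but the message prints a literal `new default of 351`, so a user with a custom `ids.uids.nixbld` is told the wrong number; change the printf to `printf >&2 'UID %d rather than the expected %d.\n' "$firstBuildUserID" ${toString (config.ids.uids.nixbld + 1)}`. If `dscl . -read /Users/_nixbld1` fails because the user does not exist, `firstBuildUserID` is empty, the `!=` test still fires, and the closing suggestion becomes `ids.uids.nixbld = -1;`; a guard before the comparison, `if [[ -z $firstBuildUserID ]]; then printf >&2 'error: could not read the UID of _nixbld1, aborting activation\n'; exit 2; fi`, gives a truthful message (the `buildUsers` check may already cover this, but it starts outside the hunk). The `curl … | bash -` line fetches the migration script from `master`, so what users end up running depends on the state of that branch at the moment they run it; referencing a fixed commit in the URL would make the suggested command reproducible. The enclosing `let` block begins and ends outside this hunk.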
@@ -70,6 +109,32 @@ let
fi
'';
+ buildGroupID = ''
+ buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}')
+ expectedBuildGroupID=${toString config.ids.gids.nixbld}
+ if [[ $buildGroupID != $expectedBuildGroupID ]]; then
+ printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n'
+ printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n'
+ printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n'
+ printf >&2 'nixbld group has GID %d, whereas we expected %d.\n' \
+ "$buildGroupID" "$expectedBuildGroupID"
+ printf >&2 '\n'
+ printf >&2 'Possible causes include setting up a new Nix installation with an\n'
+ printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n'
+ printf >&2 'installation with an existing Nix installation, or manually increasing\n'
+ printf >&2 'your `system.stateVersion` setting.\n'
+ printf >&2 '\n'
+ printf >&2 'You can set the configured group ID to match the actual value:\n'
+ printf >&2 '\n'
+ printf >&2 ' ids.gids.nixbld = %d;\n' "$buildGroupID"
+ printf >&2 '\n'
+ printf >&2 'We do not recommend trying to change the group ID with macOS user\n'
+ printf >&2 'management tools without a complete uninstallation and reinstallation\n'
+ printf >&2 'of Nix.\n'
+ exit 2
+ fi
+ '';
+
singleUser = ''
if grep -q 'build-users-group =' /etc/nix/nix.conf; then
echo "error: The daemon is not enabled but this is a multi-user install, aborting activation" >&2
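Review bot: `buildGroupID` is read from `dscl . -read /Groups/nixbld PrimaryGroupID` with no check that the lookup succeeded; if the group is missing the variable is empty, the `!=` test fires, `printf '%d'` prints `0`, and the message ends by recommending `ids.gids.nixbld = 0;`. Add a guard before the comparison: `if [[ -z $buildGroupID ]]; then printf >&2 '\e[1;31merror: Could not read the GID of the nixbld group, aborting activation\e[0m\n'; exit 2; fi`. The literal `from 30000 to 350` also hard-codes both defaults even though `expectedBuildGroupID` is already interpolated from `config.ids.gids.nixbld`; that is acceptable as a historical note, but it will read oddly once either default changes again. The enclosing `let` block starts outside this hunk.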
@@ -242,7 +307,9 @@ in
system.checks.verifyBuildUsers = mkOption {
type = types.bool;
- default = !(config.nix.settings.auto-allocate-uids or false);
+ default =
+ (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false))
+ || config.nix.configureBuildUsers;
description = "Whether to run the Nix build users validation checks.";
};
@@ -258,8 +325,10 @@ in
system.checks.text = mkMerge [
darwinChanges
runLink
- oldBuildUsers
- (mkIf (config.nix.useDaemon && cfg.verifyBuildUsers) buildUsers)
+ (mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers)
+ (mkIf cfg.verifyBuildUsers buildUsers)
+ (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
+ (mkIf config.nix.configureBuildUsers buildGroupID)
(mkIf (!config.nix.useDaemon) singleUser)
nixStore
(mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
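Review bot: `buildUsers` and `preSequoiaBuildUsers` are now gated only on `cfg.verifyBuildUsers`, whereas `buildUsers` was previously also gated on `config.nix.useDaemon`; the new option default preserves that coupling, but a configuration that sets `system.checks.verifyBuildUsers = true` explicitly on a `!config.nix.useDaemon` install appears to run both build-user checks against a system that has no build users, before `singleUser` gets its turn. If that is intended, a comment on the `buildUsers` line noting that the daemon case is handled by the option default would help; otherwise keeping `(mkIf (config.nix.useDaemon && cfg.verifyBuildUsers) buildUsers)` and applying the same guard to `preSequoiaBuildUsers` would restore the old behaviour. Whether the checks actually mis-fire in that case depends on the body of `buildUsers`, which is outside this hunk.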
diff --git a/modules/system/version.nix b/modules/system/version.nix
index fa6ce6e..df8b7a0 100644
--- a/modules/system/version.nix
+++ b/modules/system/version.nix
@@ -35,7 +35,7 @@ in
options = {
system.stateVersion = mkOption {
type = types.int;
- default = 4;
+ default = 5;
description = ''
Every once in a while, a new NixOS release may change
configuration defaults in a way incompatible with stateful