authorEmily <vcs@emily.moe>2023-07-11 23:59:03 +0100
committerGitHub <noreply@github.com>2023-07-11 23:59:03 +0100
commiteb22022ba8faeeb7a9be8afe925511b88ad12ca5 (patch)
tree414b54c9af4dc3bf231c4b66d4e68bca029abb58 /modules
parent83620edf499ba8033ad43d4f5edc50fdf3eeee5f (diff)
parent63af129cb56548edf8e620437443f8e8b57864f9 (diff)
Merge pull request #687 from Enzime/flaky
Install nix-darwin on flake-based systems
Diffstat (limited to 'modules')
-rw-r--r--modules/examples/flake/flake.nix2
-rw-r--r--modules/module-list.nix1
-rw-r--r--modules/nix/default.nix6
-rw-r--r--modules/nix/nix-darwin.nix38
-rw-r--r--modules/programs/bash/default.nix7
-rw-r--r--modules/programs/ssh/default.nix4
-rw-r--r--modules/programs/zsh/default.nix9
-rw-r--r--modules/services/tailscale.nix6
-rw-r--r--modules/system/activation-scripts.nix6
-rw-r--r--modules/system/base.nix24
-rw-r--r--modules/system/checks.nix10
-rw-r--r--modules/system/etc.nix8
12 files changed, 67 insertions, 54 deletions
diff --git a/modules/examples/flake/flake.nix b/modules/examples/flake/flake.nix
index bacdcf5..af149b4 100644
--- a/modules/examples/flake/flake.nix
+++ b/modules/examples/flake/flake.nix
@@ -7,7 +7,7 @@
darwin.inputs.nixpkgs.follows = "nixpkgs";
};
- outputs = { self, darwin, nixpkgs }:
+ outputs = inputs@{ self, darwin, nixpkgs }:
let
configuration = { pkgs, ... }: {
# List packages installed in system profile. To search by name, run:
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 2844c91..582421b 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -8,6 +8,7 @@
./security/pki
./security/sandbox
./system
+ ./system/base.nix
./system/checks.nix
./system/activation-scripts.nix
./system/applications.nix
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index b63195b..ace3fdd 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -664,9 +664,13 @@ in
# Not in NixOS module
environment.etc."nix/nix.conf".knownSha256Hashes = [
- "7c2d80499b39256b03ee9abd3d6258343718306aca8d472c26ac32c9b0949093" # nix installer
+ "7c2d80499b39256b03ee9abd3d6258343718306aca8d472c26ac32c9b0949093" # official Nix installer
"19299897fa312d9d32b3c968c2872dd143085aa727140cec51f57c59083e93b9"
"c4ecc3d541c163c8fcc954ccae6b8cab28c973dc283fea5995c69aaabcdf785f"
+ "ef78f401a9b5a42fd15e967c50da384f99ec62f9dbc66ea38f1390b46b63e1ff" # official Nix installer 2.0
+ "c06b0c6080dd1d62e61a30cfad100c0cfed2d3bcd378e296632dc3b28b31dc69" # official Nix installer as of 2.0.1
+ "ff08c12813680da98c4240328f828647b67a65ba7aa89c022bd8072cba862cf1" # official Nix installer as of 2.4
+ "f3e03d851c240c1aa7daccd144ee929f0f5971982424c868c434eb6030e961d4" # DeterminateSystems Nix installer 0.10.0
];
environment.etc."nix/registry.json".text = builtins.toJSON {
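Review bot: The two entries beginning `19299897` and `c4ecc3d5` still have no provenance comment, while every other hash in this list is now labelled. A matching hash is what lets activation move an existing `/etc/nix/nix.conf` aside and replace it, so each entry should say which installer or OS release produced that file; until they are traced, mark them explicitly, for example `# origin not recorded`. The first entries of the `zprofile` and `zshrc` lists in modules/programs/zsh/default.nix are unlabelled in the same way.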
diff --git a/modules/nix/nix-darwin.nix b/modules/nix/nix-darwin.nix
index fceecc2..ee17af2 100644
--- a/modules/nix/nix-darwin.nix
+++ b/modules/nix/nix-darwin.nix
@@ -1,33 +1,13 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
+{ config, pkgs, ... }:
let
- inherit (pkgs) stdenv;
-
- extraPath = lib.makeBinPath [ config.nix.package pkgs.coreutils pkgs.jq pkgs.git ];
-
- writeProgram = name: env: src:
- pkgs.substituteAll ({
- inherit name src;
- dir = "bin";
- isExecutable = true;
- } // env);
-
- darwin-option = writeProgram "darwin-option"
- {
- inherit (stdenv) shell;
- path = "${extraPath}:${config.environment.systemPath}";
- }
- ../../pkgs/nix-tools/darwin-option.sh;
+ nix-tools = pkgs.callPackage ../../pkgs/nix-tools {
+ inherit (config.system) profile;
+ inherit (config.environment) systemPath;
+ nixPackage = config.nix.package;
+ };
- darwin-rebuild = writeProgram "darwin-rebuild"
- {
- inherit (config.system) profile;
- inherit (stdenv) shell;
- path = "${extraPath}:${config.environment.systemPath}";
- }
- ../../pkgs/nix-tools/darwin-rebuild.sh;
+ inherit (nix-tools) darwin-option darwin-rebuild;
in
{
@@ -39,5 +19,9 @@ in
darwin-rebuild
];
+ system.build = {
+ inherit darwin-option darwin-rebuild;
+ };
+
};
}
diff --git a/modules/programs/bash/default.nix b/modules/programs/bash/default.nix
index 47bd1f3..d5d8004 100644
--- a/modules/programs/bash/default.nix
+++ b/modules/programs/bash/default.nix
@@ -96,9 +96,10 @@ in
'';
environment.etc."bashrc".knownSha256Hashes = [
- "444c716ac2ccd9e1e3347858cb08a00d2ea38e8c12fdc5798380dc261e32e9ef"
- "617b39e36fa69270ddbee19ddc072497dbe7ead840cbd442d9f7c22924f116f4" # nix installer
- "6be16cf7c24a3c6f7ae535c913347a3be39508b3426f5ecd413e636e21031e66" # nix installer
+ "444c716ac2ccd9e1e3347858cb08a00d2ea38e8c12fdc5798380dc261e32e9ef" # macOS
+ "617b39e36fa69270ddbee19ddc072497dbe7ead840cbd442d9f7c22924f116f4" # official Nix installer
+ "6be16cf7c24a3c6f7ae535c913347a3be39508b3426f5ecd413e636e21031e66" # official Nix installer
+ "08ffbf991a9e25839d38b80a0d3bce3b5a6c84b9be53a4b68949df4e7e487bb7" # DeterminateSystems installer
];
};
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
index e472d7b..87978e6 100644
--- a/modules/programs/ssh/default.nix
+++ b/modules/programs/ssh/default.nix
@@ -164,9 +164,9 @@ in
};
};
- # Clean up .orig file left over from using knownSha256Hashes
+ # Clean up .before-nix-darwin file left over from using knownSha256Hashes
system.activationScripts.etc.text = ''
- auth_keys_orig=/etc/ssh/sshd_config.d/101-authorized-keys.conf.orig
+ auth_keys_orig=/etc/ssh/sshd_config.d/101-authorized-keys.conf.before-nix-darwin
if [ -e "$auth_keys_orig" ] && [ "$(shasum -a 256 $auth_keys_orig | cut -d ' ' -f 1)" = "${oldAuthorizedKeysHash}" ]; then
rm "$auth_keys_orig"
diff --git a/modules/programs/zsh/default.nix b/modules/programs/zsh/default.nix
index d26da0e..4e983e5 100644
--- a/modules/programs/zsh/default.nix
+++ b/modules/programs/zsh/default.nix
@@ -194,14 +194,15 @@ in
environment.etc."zprofile".knownSha256Hashes = [
"db8422f92d8cff684e418f2dcffbb98c10fe544b5e8cd588b2009c7fa89559c5"
- "0235d3c1b6cf21e7043fbc98e239ee4bc648048aafaf6be1a94a576300584ef2"
+ "0235d3c1b6cf21e7043fbc98e239ee4bc648048aafaf6be1a94a576300584ef2" # macOS
];
environment.etc."zshrc".knownSha256Hashes = [
"19a2d673ffd47b8bed71c5218ff6617dfc5e8533b240b9ba79142a45f8823c23"
- "fb5827cb4712b7e7932d438067ec4852c8955a9ff0f55e282473684623ebdfa1"
- "c5a00c072c920f46216454978c44df044b2ec6d03409dc492c7bdcd92c94a110" # nix install
- "40b0d8751adae5b0100a4f863be5b75613a49f62706427e92604f7e04d2e2261" # nix install
+ "fb5827cb4712b7e7932d438067ec4852c8955a9ff0f55e282473684623ebdfa1" # macOS
+ "c5a00c072c920f46216454978c44df044b2ec6d03409dc492c7bdcd92c94a110" # official Nix installer
+ "40b0d8751adae5b0100a4f863be5b75613a49f62706427e92604f7e04d2e2261" # official Nix installer
+ "2af1b563e389d11b76a651b446e858116d7a20370d9120a7e9f78991f3e5f336" # DeterminateSystems installer
];
};
diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index 6603f53..4135ade 100644
--- a/modules/services/tailscale.nix
+++ b/modules/services/tailscale.nix
@@ -74,10 +74,10 @@ in
"2c28f4fe3b4a958cd86b120e7eb799eee6976daa35b228c885f0630c55ef626c"
];
- # Cleaning up the .orig file is necessary as any files in /etc/resolver will be used.
+ # Cleaning up the .before-nix-darwin file is necessary as any files in /etc/resolver will be used.
system.activationScripts.etc.text = mkAfter ''
- if [ -e /etc/resolver/ts.net.orig ]; then
- rm /etc/resolver/ts.net.orig
+ if [ -e /etc/resolver/ts.net.before-nix-darwin ]; then
+ rm /etc/resolver/ts.net.before-nix-darwin
fi
'';
};
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index d5ca292..b92a692 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -69,11 +69,6 @@ in
${cfg.activationScripts.postActivation.text}
- # Ensure /run exists.
- if [ ! -e /run ]; then
- ln -sfn private/var/run /run
- fi
-
# Make this configuration the current configuration.
# The readlink is there to ensure that when $systemConfig = /system
# (which is a symlink to the store), /run/current-system is still
@@ -102,6 +97,7 @@ in
${cfg.activationScripts.preUserActivation.text}
+ ${cfg.activationScripts.createRun.text}
${cfg.activationScripts.checks.text}
${cfg.activationScripts.extraUserActivation.text}
${cfg.activationScripts.userDefaults.text}
diff --git a/modules/system/base.nix b/modules/system/base.nix
new file mode 100644
index 0000000..44a8d91
--- /dev/null
+++ b/modules/system/base.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+ system.activationScripts.createRun.text = ''
+ if ! test -L /run; then
+ if ! grep -q '^run\b' /etc/synthetic.conf 2>/dev/null; then
+ echo "setting up /run via /etc/synthetic.conf..."
+ echo -e "run\tprivate/var/run" | sudo tee -a /etc/synthetic.conf >/dev/null
+ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B &>/dev/null || true
+ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t &>/dev/null || true
+ if ! test -L /run; then
+ echo "warning: apfs.util failed to symlink /run"
+ fi
+ fi
+ if ! test -L /run; then
+ echo "setting up /run..."
+ sudo ln -sfn private/var/run /run
+ fi
+ if ! test -L /run; then
+ echo "warning: failed to symlink /run"
+ fi
+ fi
+ '';
+}
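Review bot: The append to `/etc/synthetic.conf` uses `echo -e`, whose treatment of `-e` and `\t` depends on the shell that runs the activation script. It also assumes the file already ends in a newline; if it does not, the `run` entry is glued onto the previous line. The form that checks.nix prints, `printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf >/dev/null`, avoids the first problem, and a trailing-newline check before appending would avoid the second. The two `warning:` lines go to stdout, unlike the diagnostics in checks.nix, so they should end in `>&2`. `test -L /run` accepts a symlink with any target; if the target matters for `/run/current-system`, comparing `readlink /run` with the expected value would confirm it.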
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index b1571ab..27188e3 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -28,8 +28,8 @@ let
if test -e /etc/synthetic.conf; then
echo >&2
echo "$ printf 'run\tprivate/var/run\n' | sudo tee -a /etc/synthetic.conf" >&2
- echo "$ /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B # For Catalina" >&2
- echo "$ /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t # For Big Sur and later" >&2
+ echo "$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B # For Catalina" >&2
+ echo "$ sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t # For Big Sur and later" >&2
echo >&2
echo "The current contents of /etc/synthetic.conf is:" >&2
echo >&2
@@ -48,11 +48,7 @@ let
if dscl . -list /Users | grep -q '^nixbld'; then
echo "warning: Detected old style nixbld users" >&2
echo "These can cause migration problems when upgrading to certain macOS versions" >&2
- echo "Running the installer again will remove and recreate the users in a way that avoids these problems" >&2
- echo >&2
- echo "$ darwin-install" >&2
- echo >&2
- echo "or enable to automatically manage the users" >&2
+ echo "You can enable the following option to migrate to new style nixbld users" >&2
echo >&2
echo " nix.configureBuildUsers = true;" >&2
echo >&2
diff --git a/modules/system/etc.nix b/modules/system/etc.nix
index b6c5827..2dfafcc 100644
--- a/modules/system/etc.nix
+++ b/modules/system/etc.nix
@@ -51,6 +51,7 @@ in
ln -sfn "$(readlink -f $systemConfig/etc)" /etc/static
+ errorOccurred=false
for f in $(find /etc/static/* -type l); do
l=/etc/''${f#/etc/static/}
d=''${l%/*}
@@ -68,7 +69,7 @@ in
o=''${o%% *}
for h in ''${etcSha256Hashes["$l"]}; do
if [ "$o" = "$h" ]; then
- mv "$l" "$l.orig"
+ mv "$l" "$l.before-nix-darwin"
ln -s "$f" "$l"
break
else
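Review bot: `mv "$l" "$l.before-nix-darwin"` silently replaces any backup already stored under that name. If the original file has been restored and activation runs again, the earlier copy is lost. Testing `[ -e "$l.before-nix-darwin" ]` first and reporting the conflict on stderr instead of overwriting would keep the first backup intact. The enclosing loops start and end outside this hunk, so where exactly the guard belongs needs checking against the full script.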
@@ -79,6 +80,7 @@ in
if [ -z "$h" ]; then
echo "error: not linking environment.etc.\"''${l#/etc/}\" because $l already exists, skipping..." >&2
echo "existing file has unknown content $o, move and activate again to apply" >&2
+ errorOccurred=true
fi
fi
fi
@@ -87,6 +89,10 @@ in
fi
done
+ if [ "$errorOccurred" != "false" ]; then
+ exit 1
+ fi
+
for l in $(find /etc/* -type l 2> /dev/null); do
f="$(echo $l | sed 's,/etc/,/etc/static/,')"
f=/etc/static/''${l#/etc/}
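Review bot: The `exit 1` added after the linking loop stops the script before the stale-symlink cleanup loop that follows. By then `/etc/static` has already been repointed and some links replaced, so one unknown file leaves `/etc` partly updated. If this text is interpolated into the main activation script like the other `activationScripts.*.text` values, the exit also ends the whole activation without a closing message. Consider printing one first, e.g. `echo "error: aborting activation, resolve the /etc conflicts listed above" >&2`. The earlier message in this file also still says `skipping...`, although it now precedes a hard failure. The cleanup loop continues past the end of this hunk.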