3 files changed, 46 insertions, 20 deletions
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5f0fddb..7391b11 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,8 +16,6 @@ jobs:
       uses: cachix/install-nix-action@v22
       with:
         install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A tests
     - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A manpages
     - run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A examples.simple
@@ -29,10 +27,6 @@ jobs:
     - uses: actions/checkout@v3
     - name: Install nix from current unstable channel
       uses: cachix/install-nix-action@v22
-      with:
-        nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A tests
     - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A manpages
     - run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A examples.simple
@@ -47,8 +41,6 @@ jobs:
       with:
         install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install
         nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - name: Install ${{ env.CURRENT_STABLE_CHANNEL }} channel
       run: |
         nix-channel --add https://nixos.org/channels/${{ env.CURRENT_STABLE_CHANNEL }} nixpkgs
@@ -56,6 +48,16 @@ jobs:
     - name: Install nix-darwin and test
       run: |
         export NIX_PATH=$HOME/.nix-defexpr/channels
+
+        # We run nix-darwin twice to test that it can create darwin-configuration correctly for us
+        # but we expect it to fail setting up /etc/nix/nix.conf
+        nix-shell -A installer || true
+
+        nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
+        /usr/bin/sed -i.bak \
+          "s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
+          ~/.nixpkgs/darwin-configuration.nix
+
         nix-shell -A installer
         nix-shell -A installer.check
     - name: Build and activate default derivation
@@ -83,8 +85,6 @@ jobs:
       uses: cachix/install-nix-action@v22
       with:
         nix_path: nixpkgs=channel:nixpkgs-unstable
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - name: Install nixpkgs-unstable channel
       run: |
         nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs
@@ -92,6 +92,16 @@ jobs:
     - name: Install nix-darwin and test
       run: |
         export NIX_PATH=$HOME/.nix-defexpr/channels
+
+        # We run nix-darwin twice to test that it can create darwin-configuration correctly for us
+        # but we expect it to fail setting up /etc/nix/nix.conf
+        nix-shell -A installer || true
+
+        nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
+        /usr/bin/sed -i.bak \
+          "s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
+          ~/.nixpkgs/darwin-configuration.nix
+
         nix-shell -A installer
         nix-shell -A installer.check
     - name: Build and activate default derivation
@@ -119,12 +129,19 @@ jobs:
       uses: cachix/install-nix-action@v22
       with:
         install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - name: Install nix-darwin
       run: |
+        mkdir -p ~/.config/nix-darwin
+        darwin=$(pwd)
+        pushd ~/.config/nix-darwin
+          nix flake init -t $darwin
+          nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
+          /usr/bin/sed -i.bak \
+            "s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
+            flake.nix
+        popd
         nix run .#darwin-rebuild -- \
-          switch --flake ./modules/examples/flake#simple \
+          switch --flake ~/.config/nix-darwin#simple \
           --override-input darwin . \
           --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
     - name: Rebuild and activate simple flake, but this time using nix-darwin's flake interface
@@ -193,13 +210,19 @@ jobs:
     - uses: actions/checkout@v3
     - name: Install nix from current unstable channel
       uses: cachix/install-nix-action@v22
-      with:
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     - name: Install nix-darwin
       run: |
+        mkdir -p ~/.config/nix-darwin
+        darwin=$(pwd)
+        pushd ~/.config/nix-darwin
+          nix flake init -t $darwin
+          nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
+          /usr/bin/sed -i.bak \
+            "s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
+            flake.nix
+        popd
         nix run .#darwin-rebuild -- \
-          switch --flake ./modules/examples/flake#simple \
+          switch --flake ~/.config/nix-darwin#simple \
           --override-input darwin . \
           --override-input nixpkgs nixpkgs/nixpkgs-unstable
     - name: Rebuild and activate simple flake, but this time using nix-darwin's flake interface
diff --git a/.github/workflows/update-manual.yml b/.github/workflows/update-manual.yml
index ed608d9..60cb362 100644
--- a/.github/workflows/update-manual.yml
+++ b/.github/workflows/update-manual.yml
@@ -18,9 +18,6 @@ jobs:
 
     - name: Install Nix
       uses: cachix/install-nix-action@v22
-      with:
-        extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
 
     - name: Build manual
       run: |
diff --git a/modules/system/etc.nix b/modules/system/etc.nix
index b6c5827..d26c45e 100644
--- a/modules/system/etc.nix
+++ b/modules/system/etc.nix
@@ -51,6 +51,7 @@ in
 
       ln -sfn "$(readlink -f $systemConfig/etc)" /etc/static
 
+      errorOccurred=false
       for f in $(find /etc/static/* -type l); do
         l=/etc/''${f#/etc/static/}
         d=''${l%/*}
@@ -79,6 +80,7 @@ in
               if [ -z "$h" ]; then
                 echo "[1;31merror: not linking environment.etc.\"''${l#/etc/}\" because $l already exists, skipping...[0m" >&2
                 echo "[1;31mexisting file has unknown content $o, move and activate again to apply[0m" >&2
+                errorOccurred=true
               fi
             fi
           fi
@@ -87,6 +89,10 @@ in
         fi
       done
 
+      if [ "$errorOccurred" != "false" ]; then
+        exit 1
+      fi
+
       for l in $(find /etc/* -type l 2> /dev/null); do
         f="$(echo $l | sed 's,/etc/,/etc/static/,')"
         f=/etc/static/''${l#/etc/}