summaryrefslogtreecommitdiff
path: root/modules/system
diff options
context:
space:
mode:
Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/checks.nix62
-rw-r--r--modules/system/version.nix2
2 files changed, 63 insertions, 1 deletions
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index f2971c4..5ef9e52 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -57,7 +57,41 @@ let
echo " system.checks.verifyBuildUsers = false;" >&2
echo >&2
exit 2
+ fi
+ '';
+
+ preSequoiaBuildUsers = ''
+ ${lib.optionalString config.nix.configureBuildUsers ''
+ # Don’t complain when we’re about to migrate old‐style build users…
+ if ! dscl . -list /Users | grep -q '^nixbld'; then
+ ''}
+ firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
+ if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
+ printf >&2 '\e[1;31merror: Build users have unexpected UIDs, aborting activation\e[0m\n'
+ printf >&2 'The default Nix build user ID range has been adjusted for\n'
+ printf >&2 'compatibility with macOS Sequoia 15. Your _nixbld1 user currently has\n'
+ printf >&2 'UID %d rather than the new default of 351.\n' "$firstBuildUserID"
+ printf >&2 '\n'
+ printf >&2 'You can automatically migrate your users using the following script\n'
+ printf >&2 'from the Nix repository:\n'
+ printf >&2 '\n'
+ printf >&2 ' https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh\n'
+ printf >&2 '\n'
+ printf >&2 'This should work even if you installed Nix with the Determinate\n'
+ printf >&2 'Systems installer or are using Lix. If you are comfortable using the\n'
+ printf >&2 'script without review, you can run:\n'
+ printf >&2 '\n'
+ printf >&2 " curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n"
+ printf >&2 '\n'
+ printf >&2 'If you have no intention of upgrading to macOS Sequoia 15, or already\n'
+ printf >&2 'have a custom UID range that you know is compatible with Sequoia, you\n'
+ printf >&2 'can disable this check by setting:\n'
+ printf >&2 '\n'
+ printf >&2 ' ids.uids.nixbld = %d;\n' "$((firstBuildUserID - 1))"
+ printf >&2 '\n'
+ exit 2
fi
+ ${lib.optionalString config.nix.configureBuildUsers "fi"}
'';
buildUsers = ''
@@ -75,6 +109,32 @@ let
fi
'';
+ buildGroupID = ''
+ buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}')
+ expectedBuildGroupID=${toString config.ids.gids.nixbld}
+ if [[ $buildGroupID != $expectedBuildGroupID ]]; then
+ printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n'
+ printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n'
+ printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n'
+ printf >&2 'nixbld group has GID %d, whereas we expected %d.\n' \
+ "$buildGroupID" "$expectedBuildGroupID"
+ printf >&2 '\n'
+ printf >&2 'Possible causes include setting up a new Nix installation with an\n'
+ printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n'
+ printf >&2 'installation with an existing Nix installation, or manually increasing\n'
+ printf >&2 'your `system.stateVersion` setting.\n'
+ printf >&2 '\n'
+ printf >&2 'You can set the configured group ID to match the actual value:\n'
+ printf >&2 '\n'
+ printf >&2 ' ids.gids.nixbld = %d;\n' "$buildGroupID"
+ printf >&2 '\n'
+ printf >&2 'We do not recommend trying to change the group ID with macOS user\n'
+ printf >&2 'management tools without a complete uninstallation and reinstallation\n'
+ printf >&2 'of Nix.\n'
+ exit 2
+ fi
+ '';
+
singleUser = ''
if grep -q 'build-users-group =' /etc/nix/nix.conf; then
echo "error: The daemon is not enabled but this is a multi-user install, aborting activation" >&2
@@ -267,6 +327,8 @@ in
runLink
(mkIf (cfg.verifyBuildUsers && !config.nix.configureBuildUsers) oldBuildUsers)
(mkIf cfg.verifyBuildUsers buildUsers)
+ (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
+ (mkIf config.nix.configureBuildUsers buildGroupID)
(mkIf (!config.nix.useDaemon) singleUser)
nixStore
(mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)
diff --git a/modules/system/version.nix b/modules/system/version.nix
index fa6ce6e..df8b7a0 100644
--- a/modules/system/version.nix
+++ b/modules/system/version.nix
@@ -35,7 +35,7 @@ in
options = {
system.stateVersion = mkOption {
type = types.int;
- default = 4;
+ default = 5;
description = ''
Every once in a while, a new NixOS release may change
configuration defaults in a way incompatible with stateful
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-12 10:22:49 +0000