The Plan, phase 1 #1341
The Plan, phase 1 #1341
Conversation
f2bd544 to
454a716
Compare
There was a problem hiding this comment.
in practice, it may be useful for us to
nest this intousers.users.*.homebrewinstead, at the expense of
being an unsupported setup if used to its full potential. Since
that would be a breaking change to the inteface anyway, I think
addinghomebrew.userfor now is acceptable.
I understand the motive here, but are you sure it's not better to make more breaking changes in one go? I'm worried that going through another great migration would agitate some.
|
I previously thought that too – that we should figure out the correct interfaces and write good migration documentation and tools and get all the breaking changes over with in one go – but the end result was that this work stalled out for years because there’s a lot of API design and implementation work to get things to a good state: we need to decide which things should be global or per‐user; we need to decide what should stay in nix-darwin and what should be deduplicated with Home Manager; for things like our If we tried to do it all at once, this work would have spent even longer in development hell and be unreviewably big. For the longest time i wasn’t sure how to resolve that, but after discussing on Matrix I realized that introducing a In the case of Homebrew, |
229a7c6 to
a387b4b
Compare
|
Most of the system.defaults stuff should really move to home-manager anyway, as you said. It's a natural fit and it works well. |
|
I've been running this branch on my machine for the past week and had zero issues with it, thanks for these great improvements! |
|
Been running this for a few days since I got back from vacation. Noticing issues with nix store on reboots, haven't pinned down what's going on atm. Not sure if I need to do something different, I just tested copying the branch and rebasing it on master. Running my normal rebuild mentions the sudo requirement, doing a sudo rebuild mentions I need a primary user, adding a primary user and then it rebuilds. Just noting symptoms:
2025-03-08 14:57:39.712350 <Warning> Could not find and/or execute program specified by service: 2: No such file or directory: /nix/store/fa3jr2wxgbiyk37h0imzhhj13c3p6gqv-yabai-7.1.10/bin/yabai
2025-03-08 14:57:39.712351 <Error> Service could not initialize: access(/nix/store/fa3jr2wxgbiyk37h0imzhhj13c3p6gqv-yabai-7.1.10/bin/yabai, X_OK) failed with errno 2 - No such file or directory, error 0x6f - Invalid or missing Program/ProgramArguments
2025-03-08 14:57:39.712352 <Error> initialization failure: 24D70: xpcproxy + 36768 [1088][E4C3A3C3-0D57-3E4D-8388-880BC7F5F19E]: 0x6f
2025-03-08 14:57:39.712353 <Notice> Service setup event to handle failure and will not launch until it fires.
2025-03-08 14:57:39.712354 <Error> Missing executable detected. Job: 'org.nixos.yabai' Executable: '/nix/store/fa3jr2wxgbiyk37h0imzhhj13c3p6gqv-yabai-7.1.10/bin/yabai' |
|
That’s very confusing. I’m not sure how that could result from these changes. Are you sure you get the same result if you run the base commit that you rebased on top of? Were there any conflicts during the rebase that you had to resolve? |
Yeah, sorry... not a lot of information, I know... Probably can just disregard it for now... I'll try bisecting and see where it might have come from. Even switching back to master I get the behavior still. |
This is the exact reason |
This is using the nix-darwin service. I do see that it doesn't contain |
| @@ -1,6 +1,8 @@ | |||
| { config, pkgs, lib, ... }: | |||
|
|
|||
| { | |||
| system.primaryUser = "test-defaults-user"; | |||
There was a problem hiding this comment.
same concern about the user needing to exist
modules/system/launchd.nix
Outdated
| # Set up user launchd services in ~/Library/LaunchAgents | ||
| echo "setting up user launchd services..." | ||
|
|
||
| ${concatStringsSep "\n" (launchdVariables config.launchd.user.envVariables)} | ||
| ${concatStringsSep "\n" (launchdVariables "sudo -u ${user} --" config.launchd.user.envVariables)} |
There was a problem hiding this comment.
Using sudo -u ${user} does feel like one of those weird corner-cases where launchd will just fail to do what you expect it to — I like the idea of using launchctl asuser, especially considering it hasn't been replaced with anything else (other than using a domain target for the given user), but I do notice the man page says
This executes the given command in as similar an execution context as possible to that of the target user's bootstrap. Adopted attributes include the Mach bootstrap namespace, exception server and security audit session. It does not modify the process' credentials (UID, GID, etc.) or adopt any user-specific environment variables. It affects only the Mach bootstrap context and directly- related attributes.
(emphasis mine). This might mean that the way to do it is
sudo -u ${user} -- launchctl asuser $(id -u ${user})
which is ugly but seems like it carries over more of the appropriate context.
That said, if this is working as-is in multi-user setups I'm also inclined to leave it as is until we swap to the new launchctl commands. My concern is mostly around activation for users who aren't graphically logged-in. This is already sometimes a pain point for me when I darwin-rebuild over SSH, and so I imagine that we may run into similar issues here if user A (logged in graphically) runs darwin-rebuild and the launchd activation doesn't work properly for user B (maybe not logged in, maybe logged in in a separate graphical session, etc.)
There was a problem hiding this comment.
Right. I haven’t tested this extensively; if someone can confirm that it seems to work as‐is then I’d be inclined to just leave it until we start using the recommended commands rather than adding more deprecated ones. I’m certainly curious how this goes with actiavtion over SSH.
There was a problem hiding this comment.
@mirkolenz @khaneliman and anyone else who's running this branch: any chance you manage any multi-user nix-darwin systems? Have you noticed any strangeness with launchd activation, especially if you've happened to run activations as one user while a different user is actively signed in?
There was a problem hiding this comment.
It's also occurring to me that even if this doesn't work perfectly, it should continue to work at least as well as the situation before this PR. I'd say that if anyone reports an issue with this, we can try and track it down, but otherwise we can just leave it as you have it here
There was a problem hiding this comment.
All systems I tested this on are single-user only, sorry...
There was a problem hiding this comment.
As in, because people will usually be doing sudo darwin-rebuild … as their primary user, and so the sudo sudo --user=primary-user will cancel out the UID stuff and the Mach bootstrap context will be inherited from their graphical session? I suppose so. But ideally this should work even if you set a different primary user, too, so it’d be good to know one way or another. I just haven’t had the time to set up a VM to test a separate admin user, or SSH activation, or whatever. (I tested all this on my development machine because I love danger.)
| @@ -9,6 +9,10 @@ let | |||
| "defaults write ${domain} '${key}' $'${strings.escape [ "'" ] (generators.toPlist { } value)}'"; | |||
|
|
|||
| defaultsToList = domain: attrs: mapAttrsToList (writeDefault domain) (filterAttrs (n: v: v != null) attrs); | |||
| userDefaultsToList = domain: attrs: map | |||
| (cmd: "sudo --user=${escapeShellArg config.system.primaryUser} -- ${cmd}") | |||
There was a problem hiding this comment.
Is there a reason you use sudo -u ${user} for launchctl but sudo --user=${user} here?
There was a problem hiding this comment.
No reason at all. I’ve moved to --user= across the board.
| config.nix.enable | ||
| && !config.nixpkgs.flake.setNixPath | ||
| && config.system.stateVersion < 6 | ||
| && options.environment.darwinConfig.highestPrio == (mkOptionDefault {}).priority |
There was a problem hiding this comment.
I hate that I can't think of a better way to check that this option wasn't changed from the default
There was a problem hiding this comment.
This is the only way I've done it, too.
There was a problem hiding this comment.
Yeah it’s awful and I hate it. But I hate not giving good error messages when doing complicated migrations even more.
| default = | ||
| config.users.users.${config.system.primaryUser}.home or "/Users/${config.system.primaryUser}"; | ||
| }; |
There was a problem hiding this comment.
Will this break anything if config.system.primaryUser is set to null (the default)? If I'm reading it correctly, it's only an issue if primaryUserHome is read by something, in which case primaryUser needs to be set anyway, but I wonder what the error message would look like. Maybe it's caught by nix.nixPath requiring primaryUser to be set? Not sure that works for environment.darwinConfig though
There was a problem hiding this comment.
It’ll be an evaluation error if anything depends on it. But, yes, that stuff should set system.requiresPrimaryUser (as environment.darwinConfig does) and therefore hopefully give a helpful error message before anything that uses it would get evaluated. "${null}" is also an error so I’m not sure allowing it to be null would improve anything. Maybe this could be a more descriptive throw in that case? But I haven’t triggered it so far in testing.
There was a problem hiding this comment.
Maybe
lib.warnIf (config.system.primaryUser == null) "`system.primaryUser` is unset but `system.primaryUserHome` is being read" config.users.users.${config.system.primaryUser}.home or "/Users/${config.system.primaryUser}";?
On the other hand, it seems like this problem will only be hit due to a future mistake on our part (reading primaryUserHome in an option without adding that option to requiresPrimaryUser), so we could just leave this as is.
There was a problem hiding this comment.
Making it a throwIf might be a good idea, and seems pretty harmless. I’ll think about it. The main thing is that I wish we could make incorrect uses of config.system.primaryUser fail loudly in the same way, but that’s harder.
| system.activationScripts.postActivation.text = mkAfter '' | ||
| nix-channel --remove darwin || true | ||
|
|
||
| ${optionalString (config.system.primaryUser != null) '' | ||
| sudo \ | ||
| --user=${config.system.primaryUser} \ |
There was a problem hiding this comment.
not shell escaping the primary user
There was a problem hiding this comment.
Honestly anyone who tries to set a username that requires shell escaping has it coming. But, yeah, fixed.
| @@ -65,7 +65,7 @@ in | |||
| ln -sfn /run/current-system /nix/var/nix/gcroots/current-system | |||
| fi | |||
|
|
|||
| ${config.system.activationScripts.etcChecks.text} | |||
| ${config.system.activationScripts.checks.text} | |||
There was a problem hiding this comment.
The one thing I am concerned about here is if checks has stuff that needs to be run in a graphical context. Based on a quick search through our in-tree checks it seems like this change would cause errors for the activation daemon from modules/users/default.nix in some cases, it might cause errors for our other checks, and might for out-of-tree checks if people were assuming that checks would only run in a graphical session.
There was a problem hiding this comment.
The activation daemon only activates system configurations that were previously current. So in theory it should never be trying to delete users and so on. What other checks do you think might be problematic here?
There was a problem hiding this comment.
Ah, good point. I don't have any problematic checks I can think of, and they should be read-only anyway, so I'm good with this.
| ${cfg.activationScripts.checks.text} | ||
| ${cfg.activationScripts.createRun.text} |
There was a problem hiding this comment.
This is also a potential point where out-of-tree checks could break, if people assume that /run will already exist. I think this is still a worthwhile change to make, but worth pointing out.
There was a problem hiding this comment.
We could put it before checks if this is considered a big problem; I just figured it’s best to change the system as little as possible if any checks are failing.
There was a problem hiding this comment.
I think this is definitely an improvement that we should make, just noting the potential issue here in case we see it in the future.
a387b4b to
0d9daef
Compare
|
Hey, I've just not long ago moved to flakes and don't have a lot of experience here. Could someone give me rough instructions how I would test it with flake setup? I would like to help 🙂 based on what I am seeing in the PR already started migrating away from services and config options which require primaryUser. |
|
You can test it by adding the following snippet to your flake: inputs.nix-darwin = {
url = "github:lnl7/nix-darwin/pull/1341/merge";
inputs.nixpkgs.follows = "nixpkgs"; # if you want to lock it to the same rev as your main nixpkgs instance
}; |
|
So it is a bit strange for me with launch agents 🙂 I've had couple launch agents defined via
|
|
3 sounds like expected behavior. 1, unfortunately, also sounds like expected behavior, since the code to handle removing those LaunchAgents has itself been removed. 2 is surprising to me though, unless the LaunchAgent plists are put at a different path? |
System activation scripts shouldn’t (and soon won’t be able to) rely on `$HOME` being the primary user’s.
These can’t be relied upon in a post‐user‐activation world. Technically a breaking change, if anyone has their home directory outside of `/Users` or is using `root` for this, but, well, I did my best and these are legacy defaults anyway.
(With some tweaks to handle `nix.enable` and order it at a more sensible position in the `$PATH`.) The installers actually install Nix into `root`’s profile for some reason, which means that the path’s prioritization backfires when the script runs as root and we’re managing the Nix installation. When running `darwin-rebuild` as a normal user, this wasn’t a problem. Maybe we should just have a check to make sure there’s no conflicting Nix in `root`’s profile – it seems pretty bad for `root` to get the wrong Nix – but it would trigger for almost everyone, which seems kind of annoying. I guess we could automatically remove it from `root`’s profile if it matches what’s in `/nix/var/nix/profiles/default`… This reverts commit 02232f7.
The `activate-system` daemon will now run all the checks, which seems like probably a good idea anyway?
The checks should no longer depend on `/run`, so this avoids modifying the system before they run.
b569b0f to
fcaa984
Compare
|
@emilazy sorry for taking so long to get back, but you know - life 😄 But today I've tested it again and yeah, launch agents do not get removed for me in a specific case 🙁 My flow:
My launch agent is pretty simple: After testing more - I think the problem is when you fully remove launch agents. Then nothing is being run. I've create two agents docker_host and docker_host_2. If I remove one - it gets removed. If I remove both - it doesn't get removed 🙂 Running Both removed and no agents exist: So it seems that if that config options is not defined - I hope that helps 🤷 |
|
Fixed the merge conflicts, please rebase later when you have a chance 👍 |
| @@ -31,6 +31,18 @@ let | |||
| fi | |||
| ''; | |||
|
|
|||
| primaryUser = '' | |||
| primaryUser=${escapeShellArg config.system.primaryUser} | |||
There was a problem hiding this comment.
| primaryUser=${escapeShellArg config.system.primaryUser} | |
| primaryUser="${config.system.primaryUser}" |
In /nix/store/726gp7jnx7blz46azrds8l28a5zqdqgg-darwin-system-25.05.0653ce2/activate line 63:
primaryUser=admin
^---------^ SC2209 (warning): Use var=$(command) to assign output (or quote to assign string).
For more information:
https://www.shellcheck.net/wiki/SC2209 -- Use var=$(command) to assign outp...
There was a problem hiding this comment.
This should still be escapeShellArg, right? If only for consistency's sake?
There was a problem hiding this comment.
escapeShellArg will add some single quotes which will mess with the value of primaryUser I believe so best to leave it out here if we're manually quoting
Alternatively we could use escapeShellArgAlways:
nix-darwin/modules/services/github-runner/service.nix
Lines 105 to 108 in 43975d7
There was a problem hiding this comment.
Could we also just do escapeShellArg and disable this warning? Although I don't know if that would be tangibly different from just doing what you suggested here.
There was a problem hiding this comment.
Feels like the linter is wrong here because it doesn't know the value came from a proper escape function. my +1 on silencing the linter. For what that's worth :)
| @@ -31,6 +31,18 @@ let | |||
| fi | |||
| ''; | |||
|
|
|||
| primaryUser = '' | |||
| primaryUser=${escapeShellArg config.system.primaryUser} | |||
| if ! id -- "$primaryUser" >/dev/null 2>&1; then | |||
There was a problem hiding this comment.
| if ! id -- "$primaryUser" >/dev/null 2>&1; then | |
| if ! id -- "$primaryUser" &>/dev/null; then |
Minor nit
| @@ -559,6 +559,17 @@ in | |||
| This module also provides a few options for modifying how Homebrew commands behave when | |||
| you manually invoke them, under [](#opt-homebrew.global)''; | |||
|
|
|||
| user = mkOption { | |||
There was a problem hiding this comment.
Wonder if we should add an assertion/warning against setting this to root
|
Slowly reviewing commit by commit I'll post my review feedback as I go so that it doesn't get stuck in limbo until I'm done reviewing the whole thing |
| @@ -155,7 +155,7 @@ in | |||
| homeDirectory=$(dscl . -read /Users/nobody NFSHomeDirectory) | |||
There was a problem hiding this comment.
The comment above this is no longer necessary 👍
| @@ -9,6 +9,5 @@ | |||
| grep "scutil --set ComputerName 'EVE’s MacBook Pro'" ${config.out}/activate | |||
| grep "scutil --set LocalHostName ${lib.escapeShellArg "EVE"}" ${config.out}/activate | |||
| grep "scutil --set HostName ${lib.escapeShellArg "EVE"}" ${config.out}/activate | |||
| echo checking defaults write in ${config.out}/activate-user >&2 | |||
There was a problem hiding this comment.
Minor nit: could be squashed into the previous commit
| @@ -186,13 +186,13 @@ The documentation is also available as manpages by running `man 5 configuration. | |||
| To run the latest version of the uninstaller, you can run the following command: | |||
|
|
|||
| ``` | |||
| nix --extra-experimental-features "nix-command flakes" run nix-darwin#darwin-uninstaller | |||
| sudo nix --extra-experimental-features "nix-command flakes" run nix-darwin#darwin-uninstaller | |||
There was a problem hiding this comment.
Not a blocker, but this might lead to some issues with system.primaryUser not being set
modules/nix/nix-darwin.nix
Outdated
| @@ -5,6 +5,7 @@ let | |||
| inherit (config.system) profile; | |||
| inherit (config.environment) systemPath; | |||
| nixPath = lib.optionalString config.nix.enable (lib.concatStringsSep ":" config.nix.nixPath); | |||
| nixPackage = if config.nix.enable then config.nix.package else null; | |||
It’s finally time.
This PR eliminates user activation, addressing #96 by following the first phase of the plan from #1016 (comment), fulfilling a goal I started drafting patches for in 2023 before I was even a nix-darwin maintainer.
I strongly recommend reviewing this one commit‐by‐commit. See the commit messages for much more detail and for things I’m still uncertain about. I’ve been running this on my own system for a while now, but it could definitely use a staged roll‐out before we actually hit the merge button. We should also probably also reach out to authors of third‐party modules that will be affected once it’s mostly baked, though at least anything that breaks should mostly break loudly. (Adding text to our existing
activationScripts.{checks,userDefaults,userLaunchd,homebrew}.textdefinitions is an exception – those will run asrootnow. But I can’t think of a particularly graceful way to handle that case, and anyway it’s not exactly something we fully support in the first place.)Closes: #96