lix-installer/README.md
Graham Christensen dac0adca28
Support remote-building to macOS hosts (#714)
* Support remote-building to macOS hosts

Our README has long featured a snippet to add to the zshenv, with a
caevat that it might behave strangely if you're writing a script with an
empty PATH.

It is pretty straightforward to eliminate those caveats while still
providing remote building for Nix to macOS hosts.

Co-authored-by: Ana Hobden <operator@hoverbear.org>
2023-11-10 19:02:19 +00:00

475 lines
18 KiB
Markdown

# The Determinate Nix Installer
[![Crates.io](https://img.shields.io/crates/v/nix-installer)](https://crates.io/crates/nix-installer)
[![Docs.rs](https://img.shields.io/docsrs/nix-installer)](https://docs.rs/nix-installer/latest/nix_installer/)
A fast, friendly, and reliable tool to help you use Nix with Flakes everywhere.
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
```
The `nix-installer` has successfully completed over 1,000,000 installs in a number of environments, including [Github Actions](#as-a-github-action):
| Platform | Multi User | `root` only | Maturity |
|------------------------------|:------------------:|:-----------:|:-----------------:|
| Linux (x86_64 & aarch64) | ✓ (via [systemd]) | ✓ | Stable |
| MacOS (x86_64 & aarch64) | ✓ | | Stable (See note) |
| Valve Steam Deck (SteamOS) | ✓ | | Stable |
| WSL2 (x86_64 & aarch64) | ✓ (via [systemd]) | ✓ | Stable |
| Podman Linux Containers | ✓ (via [systemd]) | ✓ | Stable |
| Docker Containers | | ✓ | Stable |
| Linux (i686) | ✓ (via [systemd]) | ✓ | Unstable |
> **Note**
> On **MacOS only**, removing users and/or groups may fail if there are no users who are logged in graphically.
## Usage
Install Nix with the default planner and options:
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
```
Or, to download a platform specific Installer binary yourself:
```bash
$ curl -sL -o nix-installer https://install.determinate.systems/nix/nix-installer-x86_64-linux
$ chmod +x nix-installer
$ ./nix-installer
```
`nix-installer` installs Nix by following a *plan* made by a *planner*. Review the available planners:
```bash
$ ./nix-installer install --help
Execute an install (possibly using an existing plan)
To pass custom options, select a planner, for example `nix-installer install linux-multi --help`
Usage: nix-installer install [OPTIONS] [PLAN]
nix-installer install <COMMAND>
Commands:
linux
A planner for Linux installs
steam-deck
A planner suitable for the Valve Steam Deck running SteamOS
help
Print this message or the help of the given subcommand(s)
# ...
```
Planners have their own options and defaults, sharing most of them in common:
```bash
$ ./nix-installer install linux --help
A planner for Linux installs
Usage: nix-installer install linux [OPTIONS]
Options:
# ...
--nix-build-group-name <NIX_BUILD_GROUP_NAME>
The Nix build group name
[env: NIX_INSTALLER_NIX_BUILD_GROUP_NAME=]
[default: nixbld]
--nix-build-group-id <NIX_BUILD_GROUP_ID>
The Nix build group GID
[env: NIX_INSTALLER_NIX_BUILD_GROUP_ID=]
[default: 3000]
# ...
```
Planners can be configured via environment variable or command arguments:
```bash
$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | NIX_BUILD_GROUP_NAME=nixbuilder sh -s -- install linux-multi --nix-build-group-id 4000
# Or...
$ NIX_BUILD_GROUP_NAME=nixbuilder ./nix-installer install linux-multi --nix-build-group-id 4000
```
### Upgrading Nix
You can upgrade Nix (to the version specified [here](https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/installer/tools/nix-fallback-paths.nix)) by running:
```
sudo -i nix upgrade-nix
```
Alternatively, you can [uninstall](#uninstalling) and [reinstall](#usage) with a different version of the `nix-installer`.
### Uninstalling
You can remove a `nix-installer`-installed Nix by running
```bash
/nix/nix-installer uninstall
```
### As a Github Action
You can use the [`nix-installer-action`](https://github.com/DeterminateSystems/nix-installer-action) Github Action like so:
```yaml
on:
pull_request:
push:
branches: [main]
jobs:
lints:
name: Build
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
- name: Run `nix build`
run: nix build .
```
### Without systemd (Linux only)
> **Warning**
> When `--init none` is used, _only_ `root` or users who can elevate to `root` privileges can run Nix:
>
> ```bash
> sudo -i nix run nixpkgs#hello
> ```
If you don't use [systemd], you can still install Nix by explicitly specifying the `linux` plan and `--init none`:
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --init none
```
### In a container
In Docker/Podman containers or WSL2 instances where an init (like `systemd`) is not present, pass `--init none`.
For containers (without an init):
> **Warning**
> When `--init none` is used, _only_ `root` or users who can elevate to `root` privileges can run Nix:
>
> ```bash
> sudo -i nix run nixpkgs#hello
> ```
```dockerfile
# Dockerfile
FROM ubuntu:latest
RUN apt update -y
RUN apt install curl -y
RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
--extra-conf "sandbox = false" \
--init none \
--no-confirm
ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
RUN nix run nixpkgs#hello
```
```bash
docker build -t ubuntu-with-nix .
docker run --rm -ti ubuntu-with-nix
docker rmi ubuntu-with-nix
# or
podman build -t ubuntu-with-nix .
podman run --rm -ti ubuntu-with-nix
podman rmi ubuntu-with-nix
```
For containers with a systemd init:
```dockerfile
# Dockerfile
FROM ubuntu:latest
RUN apt update -y
RUN apt install curl systemd -y
RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
--extra-conf "sandbox = false" \
--no-start-daemon \
--no-confirm
ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
RUN nix run nixpkgs#hello
CMD [ "/bin/systemd" ]
```
```bash
podman build -t ubuntu-systemd-with-nix .
IMAGE=$(podman create ubuntu-systemd-with-nix)
CONTAINER=$(podman start $IMAGE)
podman exec -ti $CONTAINER /bin/bash
podman rm -f $CONTAINER
podman rmi $IMAGE
```
On some container tools, such as `docker`, `sandbox = false` can be omitted. Omitting it will negatively impact compatibility with container tools like `podman`.
### In WSL2
We **strongly recommend** [enabling systemd](https://ubuntu.com/blog/ubuntu-wsl-enable-systemd), then installing Nix as normal:
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
```
If [WSLg][wslg] is enabled, you can do things like open a Linux Firefox from Windows on Powershell:
```powershell
wsl nix run nixpkgs#firefox
```
To use some OpenGL applications, you can use [`nixGL`][nixgl] (note that some applications, such as `blender`, may not work):
```powershell
wsl nix run --impure github:guibou/nixGL nix run nixpkgs#obs-studio
```
If enabling system is not an option, pass `--init none` at the end of the command:
> **Warning**
> When `--init none` is used, _only_ `root` or users who can elevate to `root` privileges can run Nix:
>
> ```bash
> sudo -i nix run nixpkgs#hello
> ```
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --init none
```
### Skip confirmation
If you'd like to bypass the confirmation step, you can apply the `--no-confirm` flag:
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm
```
This is especially useful when using the installer in non-interactive scripts.
## Quirks
While `nix-installer` tries to provide a comprehensive and unquirky experience, there are unfortunately some issues which may require manual intervention or operator choices.
### Using MacOS after removing `nix` while `nix-darwin` was still installed, network requests fail
If `nix` was previously uninstalled without uninstalling `nix-darwin` first, users may experience errors similar to this:
```bash
$ nix shell nixpkgs#curl
error: unable to download 'https://cache.nixos.org/g8bqlgmpa4yg601w561qy2n576i6g0vh.narinfo': Problem with the SSL CA cert (path? access rights?) (77)
```
This occurs because `nix-darwin` provisions an `org.nixos.activate-system` service which remains after Nix is uninstalled.
The `org.nixos.activate-system` service in this state interacts with the newly installed Nix and changes the SSL certificates it uses to be a broken symlink.
```bash
$ ls -lah /etc/ssl/certs
total 0
drwxr-xr-x 3 root wheel 96B Oct 17 08:26 .
drwxr-xr-x 6 root wheel 192B Sep 16 06:28 ..
lrwxr-xr-x 1 root wheel 41B Oct 17 08:26 ca-certificates.crt -> /etc/static/ssl/certs/ca-certificates.crt
```
The problem is compounded by the matter that the [`nix-darwin` uninstaller](https://github.com/LnL7/nix-darwin#uninstalling) will not work after uninstalling Nix, since it uses Nix and requires network connectivity.
It's possible to resolve this situation by removing the `org.nixos.activate-system` service and the `ca-certificates`:
```bash
$ sudo rm /Library/LaunchDaemons/org.nixos.activate-system.plist
$ sudo launchctl bootout system/org.nixos.activate-system
$ /nix/nix-installer uninstall
$ sudo rm /etc/ssl/certs/ca-certificates.crt
```
Then run the `nix-installer` again, and it should work.
Up-to-date versions of the `nix-installer` will refuse to uninstall until `nix-darwin` is uninstalled first, helping mitigate this problem.
## Building a binary
Since you'll be using `nix-installer` to install Nix on systems without Nix, the default build is a static binary.
Build a portable Linux binary on a system with Nix:
```bash
# to build a local copy
nix build -L ".#nix-installer-static"
# to build the remote main development branch
nix build -L "github:determinatesystems/nix-installer#nix-installer-static"
# for a specific version of the installer:
export NIX_INSTALLER_TAG="v0.6.0"
nix build -L "github:determinatesystems/nix-installer/$NIX_INSTALLER_TAG#nix-installer-static"
```
On Mac:
```bash
# to build a local copy
nix build -L ".#nix-installer"
# to build the remote main development branch
nix build -L "github:determinatesystems/nix-installer#nix-installer"
# for a specific version of the installer:
export NIX_INSTALLER_TAG="v0.6.0"
nix build -L "github:determinatesystems/nix-installer/$NIX_INSTALLER_TAG#nix-installer"
```
Then copy the `result/bin/nix-installer` to the machine you wish to run it on.
You can also add `nix-installer` to a system without Nix via `cargo`, there are no system dependencies to worry about:
```bash
# to build and run a local copy
RUSTFLAGS="--cfg tokio_unstable" cargo run -- --help
# to build the remote main development branch
RUSTFLAGS="--cfg tokio_unstable" cargo install --git https://github.com/DeterminateSystems/nix-installer
nix-installer --help
# for a specific version of the installer:
export NIX_INSTALLER_TAG="v0.6.0"
RUSTFLAGS="--cfg tokio_unstable" cargo install --git https://github.com/DeterminateSystems/nix-installer --tag $NIX_INSTALLER_TAG
nix-installer --help
```
To make this build portable, pass ` --target x86_64-unknown-linux-musl`.
> **Note**
> We currently require `--cfg tokio_unstable` as we utilize [Tokio's process groups](https://docs.rs/tokio/1.24.1/tokio/process/struct.Command.html#method.process_group), which wrap stable `std` APIs, but are unstable due to it requiring an MSRV bump.
## As a library
> **Warning**
> Use as a library is still experimental. This feature is likely to be removed in the future without an advocate. If you're using this, please let us know and we can make a path to stablization.
Add `nix-installer` to your dependencies:
```bash
cargo add nix-installer
```
If you are **building a CLI**, check out the `cli` feature flag for `clap` integration.
You'll also need to edit your `.cargo/config.toml` to use `tokio_unstable` as we utilize [Tokio's process groups](https://docs.rs/tokio/1.24.1/tokio/process/struct.Command.html#method.process_group), which wrap stable `std` APIs, but are unstable due to it requiring an MSRV bump:
```toml
# .cargo/config.toml
[build]
rustflags=["--cfg", "tokio_unstable"]
```
Then it's possible to review the [documentation](https://docs.rs/nix-installer/latest/nix_installer/):
```bash
cargo doc --open -p nix-installer
```
Documentation is also available via `nix` build:
```bash
nix build github:DeterminateSystems/nix-installer#nix-installer.doc
firefox result-doc/nix-installer/index.html
```
## Accessing other versions
For users who desire version pinning, the version of `nix-installer` to use can be specified in the `curl` command:
```bash
VERSION="v0.6.0"
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/${VERSION} | sh -s -- install
```
To discover which versions are available, or download the binaries for any release, check the [Github Releases](https://github.com/DeterminateSystems/nix-installer/releases).
These releases can be downloaded and used directly:
```bash
VERSION="v0.6.0"
ARCH="aarch64-linux"
curl -sSf -L https://github.com/DeterminateSystems/nix-installer/releases/download/${VERSION}/nix-installer-${ARCH} -o nix-installer
./nix-installer install
```
## Installation Differences
Differing from the upstream [Nix](https://github.com/NixOS/nix) installer scripts:
* In `nix.conf`:
+ the `nix-command` and `flakes` features are enabled
+ `bash-prompt-prefix` is set
+ `auto-optimise-store` is set to `true` (On Linux only)
* `extra-nix-path` is set to `nixpkgs=flake:nixpkgs`
* `max-jobs` is set to `auto`
* an installation receipt (for uninstalling) is stored at `/nix/receipt.json` as well as a copy of the install binary at `/nix/nix-installer`
* `nix-channel --update` is not run, `~/.nix-channels` is not provisioned
* `ssl-cert-file` is set in `/etc/nix/nix.conf` if the `ssl-cert-file` argument is used.
## Motivations
The existing upstream scripts do a good job, however they are difficult to maintain.
Subtle differences in the shell implementations and tool used in the scripts make it difficult to make meaningful changes to the installer.
The Determinate Nix installer has numerous advantages:
* survives macOS upgrades
* keeping an installation receipt for easy uninstallation
* offering users a chance to review an accurate, calculated install plan
* having 'planners' which can create appropriate install plans for complicated targets
* offering users with a failing install the chance to do a best-effort revert
* improving performance by maximizing parallel operations
* supporting a expanded test suite including 'curing' cases
* supporting SELinux and OSTree based distributions without asking users to make compromises
* operating as a single, static binary with external dependencies such as `openssl`, only calling existing system tools (like `useradd`) where necessary
* As a MacOS remote build target, ensures `nix` is not absent from path
It has been wonderful to collaborate with other participants in the Nix Installer Working Group and members of the broader community. The working group maintains a [foundation owned fork of the installer](https://github.com/nixos/experimental-nix-installer/).
## Diagnostics
The goal of the Determinate Nix Installer is to successfully and correctly install Nix.
The `curl | sh` pipeline and the installer collects a little bit of diagnostic information to help us make that true.
Here is a table of the [diagnostic data we collect][diagnosticdata]:
| Field | Use |
| --------------------- | ----------------------------------------------------------------------------------------------------- |
| `version` | The version of the Determinate Nix Installer. |
| `planner` | The method of installing Nix (`linux`, `macos`, `steam-deck`) |
| `configured_settings` | The names of planner settings which were changed from their default. Does _not_ include the values. |
| `os_name` | The running operating system. |
| `os_version` | The version of the operating system. |
| `triple` | The architecture/operating system/binary format of your system. |
| `is_ci` | Whether the installer is being used in CI (e.g. GitHub Actions). |
| `action` | Either `Install` or `Uninstall`. |
| `status` | One of `Success`, `Failure`, `Pending`, or `Cancelled`. |
| `attribution` | Optionally defined by the user, associate the diagnostics of this run to the provided value. |
| `failure_chain` | A high level description of what the failure was, if any. For example: `Command("diskutil")` if the command `diskutil list` failed. |
To disable diagnostic reporting, set the diagnostics URL to an empty string by passing `--diagnostic-endpoint=""` or setting `NIX_INSTALLER_DIAGNOSTIC_ENDPOINT=""`.
You can read the full privacy policy for [Determinate Systems][detsys], the creators of the Determinate Nix Installer, [here][privacy].
[detsys]: https://determinate.systems/
[diagnosticdata]: https://github.com/DeterminateSystems/nix-installer/blob/f9f927840d532b71f41670382a30cfcbea2d8a35/src/diagnostics.rs#L29-L43
[privacy]: https://determinate.systems/privacy
[systemd]: https://systemd.io
[wslg]: https://github.com/microsoft/wslg
[nixgl]: https://github.com/guibou/nixGL