libstore: despecialcase protocol version check

protocol versions are sent as u64. on the peer we read them as uint64,
check that the upper half is 0, and throw an exception if not. we then
read an arbitrary amount of data from the peer and dump it to the user
terminal. this is a little bit ridiculous, can never happen in correct
implementation, and is severly untested. let us just drop it entirely.

Change-Id: Ibd2f53a765341ed6439d40d9d1eac11e79c6b5e3

.clang-format

@@ -0,0 +1,51 @@
+---
+BasedOnStyle: LLVM
+AccessModifierOffset: -4
+AlignAfterOpenBracket: BlockIndent
+AlignEscapedNewlines: Left
+AlignOperands: DontAlign
+AllowShortBlocksOnASingleLine: Always
+AllowShortFunctionsOnASingleLine: Empty
+AllowShortIfStatementsOnASingleLine: WithoutElse
+AlwaysBreakBeforeMultilineStrings: true
+AlwaysBreakTemplateDeclarations: Yes
+BinPackArguments: false
+BinPackParameters: false
+BitFieldColonSpacing: None
+BraceWrapping:
+  AfterCaseLabel: false
+  AfterClass: true
+  AfterControlStatement: MultiLine
+  AfterEnum: false
+  AfterFunction: true
+  AfterNamespace: false
+  AfterObjCDeclaration: false
+  AfterStruct: true
+  AfterUnion: true
+  AfterExternBlock: false
+  BeforeCatch: false
+  BeforeElse: false
+  BeforeLambdaBody: false
+  BeforeWhile: false
+  IndentBraces: false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: false
+  SplitEmptyNamespace: true
+BreakAfterAttributes: Always
+BreakBeforeBinaryOperators: NonAssignment
+BreakBeforeBraces: Custom
+BreakConstructorInitializers: BeforeComma
+ColumnLimit: 100
+EmptyLineAfterAccessModifier: Leave
+EmptyLineBeforeAccessModifier: Leave
+FixNamespaceComments: false
+IndentWidth: 4
+InsertBraces: true
+InsertTrailingCommas: Wrapped
+LambdaBodyIndentation: Signature
+PackConstructorInitializers: CurrentLine
+PointerAlignment: Middle
+SortIncludes: Never
+SpaceAfterCStyleCast: true
+SpaceAfterTemplateKeyword: false
+

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,30 +7,26 @@ assignees: ''
 
 ---
 
-**Describe the bug**
+## Describe the bug
 
 A clear and concise description of what the bug is.
 
 If you have a problem with a specific package or NixOS,
-you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues. 
+you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues.
 
-**Steps To Reproduce**
+## Steps To Reproduce
 
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 
-**Expected behavior**
+## Expected behavior
 
 A clear and concise description of what you expected to happen.
 
-**`nix-env --version` output**
+## `nix-env --version` output
 
-**Additional context**
+## Additional context
 
 Add any other context about the problem here.
-
-**Priorities**
-
-Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -7,18 +7,18 @@ assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
+## Is your feature request related to a problem? Please describe.
+
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-**Describe the solution you'd like**
+## Describe the solution you'd like
+
 A clear and concise description of what you want to happen.
 
-**Describe alternatives you've considered**
+## Describe alternatives you've considered
+
 A clear and concise description of any alternative solutions or features you've considered.
 
-**Additional context**
+## Additional context
+
 Add any other context or screenshots about the feature request here.
-
-**Priorities**
-
-Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/installer.md

@@ -30,7 +30,3 @@ assignees: ''
 ```
 
 </details>
-
-## Priorities
-
-Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -25,7 +25,3 @@ assignees: ''
 [latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/src
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
-
-## Priorities
-
-Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,7 +9,3 @@
 <!-- Invasive change: Discuss alternative designs or approaches you considered. -->
 
 <!-- Large change: Provide instructions to reviewers how to read the diff. -->
-
-# Priorities
-
-Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).

.gitignore

@@ -21,12 +21,14 @@ perl/Makefile.config
 /doc/manual/language.json
 /doc/manual/xp-features.json
 /doc/manual/src/SUMMARY.md
+/doc/manual/src/SUMMARY-rl-next.md
 /doc/manual/src/command-ref/new-cli
 /doc/manual/src/command-ref/conf-file.md
 /doc/manual/src/command-ref/experimental-features-shortlist.md
 /doc/manual/src/contributing/experimental-feature-descriptions.md
 /doc/manual/src/language/builtins.md
 /doc/manual/src/language/builtin-constants.md
+/doc/manual/src/release-notes/rl-next.md
 
 # /scripts/
 /scripts/nix-profile.sh
@@ -41,13 +43,16 @@ perl/Makefile.config
 /src/libexpr/parser-tab.hh
 /src/libexpr/parser-tab.output
 /src/libexpr/nix.tbl
+/src/libexpr/tests
 /tests/unit/libexpr/libnixexpr-tests
 
 # /src/libstore/
 *.gen.*
+/src/libstore/tests
 /tests/unit/libstore/libnixstore-tests
 
 # /src/libutil/
+/src/libutil/tests
 /tests/unit/libutil/libnixutil-tests
 
 /src/nix/nix
@@ -90,6 +95,7 @@ perl/Makefile.config
 /tests/functional/ca/config.nix
 /tests/functional/dyn-drv/config.nix
 /tests/functional/repl-result-out
+/tests/functional/debugger-test-out
 /tests/functional/test-libstoreconsumer/test-libstoreconsumer
 
 # /tests/functional/lang/
@@ -137,8 +143,12 @@ compile_commands.json
 nix-rust/target
 
 result
+result-*
 
 .vscode/
 
 # clangd and possibly more
 .cache/
+
+# Mac OS
+.DS_Store

.version

@@ -1 +1 @@
-2.18.1
+2.90.0

Makefile

@@ -1,3 +1,9 @@
+include mk/build-dir.mk
+
+-include $(buildprefix)Makefile.config
+clean-files += $(buildprefix)Makefile.config
+
+ifeq ($(ENABLE_BUILD), yes)
 makefiles = \
   mk/precompiled-headers.mk \
   local.mk \
@@ -14,18 +20,19 @@ makefiles = \
   misc/fish/local.mk \
   misc/zsh/local.mk \
   misc/systemd/local.mk \
-  misc/launchd/local.mk \
-  misc/upstart/local.mk \
-  doc/manual/local.mk \
-  doc/internal-api/local.mk
+  misc/launchd/local.mk
+endif
 
--include Makefile.config
-
-ifeq ($(tests), yes)
+ifeq ($(ENABLE_BUILD)_$(ENABLE_TESTS), yes_yes)
+UNIT_TEST_ENV = _NIX_TEST_UNIT_DATA=unit-test-data
 makefiles += \
   tests/unit/libutil/local.mk \
   tests/unit/libutil-support/local.mk \
-  tests/unit/libstore/local.mk \
+  tests/unit/libstore/local.mk
+endif
+
+ifeq ($(ENABLE_TESTS), yes)
+makefiles += \
   tests/unit/libstore-support/local.mk \
   tests/unit/libexpr/local.mk \
   tests/unit/libexpr-support/local.mk \
@@ -33,16 +40,27 @@ makefiles += \
   tests/functional/ca/local.mk \
   tests/functional/dyn-drv/local.mk \
   tests/functional/test-libstoreconsumer/local.mk \
+  tests/functional/repl_characterization/local.mk \
   tests/functional/plugins/local.mk
 else
 makefiles += \
   mk/disable-tests.mk
 endif
 
+# Some makefiles require access to built programs and must be included late.
+makefiles-late =
+
+ifeq ($(ENABLE_BUILD), yes)
+makefiles-late += doc/manual/local.mk
+makefiles-late += doc/internal-api/local.mk
+endif
+
+# Miscellaneous global Flags
+
 OPTIMIZE = 1
 
 ifeq ($(OPTIMIZE), 1)
-  GLOBAL_CXXFLAGS += -O3 $(CXXLTO)
+  GLOBAL_CXXFLAGS += -O2 $(CXXLTO)
   GLOBAL_LDFLAGS += $(CXXLTO)
 else
   GLOBAL_CXXFLAGS += -O0 -U_FORTIFY_SOURCE
@@ -50,4 +68,4 @@ endif
 
 include mk/lib.mk
 
-GLOBAL_CXXFLAGS += -g -Wall -include config.h -std=c++2a -I src
+GLOBAL_CXXFLAGS += -g -Wall -Wimplicit-fallthrough -include $(buildprefix)config.h -std=c++2a -I src

Makefile.config.in

@@ -46,5 +46,6 @@ sandbox_shell = @sandbox_shell@
 storedir = @storedir@
 sysconfdir = @sysconfdir@
 system = @system@
-tests = @tests@
+ENABLE_BUILD = @ENABLE_BUILD@
+ENABLE_TESTS = @ENABLE_TESTS@
 internal_api_docs = @internal_api_docs@

boehmgc-coroutine-sp-fallback.diff

@@ -59,12 +59,18 @@ index b5d71e62..aed7b0bf 100644
      GC_bool found_me = FALSE;
      size_t nthreads = 0;
      int i;
-@@ -851,6 +853,31 @@ GC_INNER void GC_push_all_stacks(void)
+@@ -851,6 +853,37 @@ GC_INNER void GC_push_all_stacks(void)
            hi = p->altstack + p->altstack_size;
            /* FIXME: Need to scan the normal stack too, but how ? */
            /* FIXME: Assume stack grows down */
 +        } else {
-+          if (pthread_getattr_np(p->id, &pattr)) {
++#ifdef HAVE_PTHREAD_ATTR_GET_NP
++          if (!pthread_attr_init(&pattr)
++              || !pthread_attr_get_np(p->id, &pattr))
++#else /* HAVE_PTHREAD_GETATTR_NP */
++          if (pthread_getattr_np(p->id, &pattr))
++#endif
++          {
 +            ABORT("GC_push_all_stacks: pthread_getattr_np failed!");
 +          }
 +          if (pthread_attr_getstacksize(&pattr, &stack_limit)) {

boehmgc-traceable_allocator-public.diff

@@ -0,0 +1,12 @@
+diff --git a/include/gc_allocator.h b/include/gc_allocator.h
+index 597c7f13..587286be 100644
+--- a/include/gc_allocator.h
++++ b/include/gc_allocator.h
+@@ -312,6 +312,7 @@ public:
+ 
+ template<>
+ class traceable_allocator<void> {
++public:
+   typedef size_t      size_type;
+   typedef ptrdiff_t   difference_type;
+   typedef void*       pointer;

bootstrap.sh

@@ -1,4 +0,0 @@
-#! /bin/sh -e
-rm -f aclocal.m4
-mkdir -p config
-exec autoreconf -vfi

clang-tidy/.clang-format

@@ -0,0 +1 @@
+BasedOnStyle: llvm

clang-tidy/HasPrefixSuffix.cc

@@ -0,0 +1,80 @@
+#include "HasPrefixSuffix.hh"
+#include <clang/AST/ASTTypeTraits.h>
+#include <clang/AST/Expr.h>
+#include <clang/AST/PrettyPrinter.h>
+#include <clang/AST/Type.h>
+#include <clang/ASTMatchers/ASTMatchers.h>
+#include <clang/Basic/Diagnostic.h>
+#include <clang/Frontend/FrontendAction.h>
+#include <clang/Frontend/FrontendPluginRegistry.h>
+#include <clang/Tooling/Transformer/SourceCode.h>
+#include <clang/Tooling/Transformer/SourceCodeBuilders.h>
+#include <iostream>
+
+namespace nix::clang_tidy {
+using namespace clang::ast_matchers;
+using namespace clang;
+
+void HasPrefixSuffixCheck::registerMatchers(ast_matchers::MatchFinder *Finder) {
+  Finder->addMatcher(
+      traverse(clang::TK_AsIs,
+               callExpr(callee(functionDecl(anyOf(hasName("hasPrefix"),
+                                                  hasName("hasSuffix")))
+                                   .bind("callee-decl")),
+                        optionally(hasArgument(
+                            0, cxxConstructExpr(
+                                   hasDeclaration(functionDecl(hasParameter(
+                                       0, parmVarDecl(hasType(
+                                              asString("const char *")))))))
+                                   .bind("implicit-cast"))))
+                   .bind("call")),
+      this);
+}
+
+void HasPrefixSuffixCheck::check(
+    const ast_matchers::MatchFinder::MatchResult &Result) {
+
+  const auto *CalleeDecl = Result.Nodes.getNodeAs<FunctionDecl>("callee-decl");
+  auto FuncName = std::string(CalleeDecl->getName());
+  std::string NewName;
+  if (FuncName == "hasPrefix") {
+    NewName = "starts_with";
+  } else if (FuncName == "hasSuffix") {
+    NewName = "ends_with";
+  } else {
+    llvm_unreachable("nix-has-prefix: invalid callee");
+  }
+
+  const auto *MatchedDecl = Result.Nodes.getNodeAs<CallExpr>("call");
+  const auto *ImplicitConvertArg =
+      Result.Nodes.getNodeAs<CXXConstructExpr>("implicit-cast");
+
+  const auto *Lhs = MatchedDecl->getArg(0);
+  const auto *Rhs = MatchedDecl->getArg(1);
+  auto Diag = diag(MatchedDecl->getExprLoc(), FuncName + " is deprecated");
+
+  std::string Text = "";
+
+  // Form possible cast to string_view, or nothing.
+  if (ImplicitConvertArg) {
+    Text = "std::string_view(";
+    Text.append(tooling::getText(*Lhs, *Result.Context));
+    Text.append(").");
+  } else {
+    Text.append(*tooling::buildAccess(*Lhs, *Result.Context));
+  }
+
+  // Call .starts_with.
+  Text.append(NewName);
+  Text.push_back('(');
+  Text.append(tooling::getText(*Rhs, *Result.Context));
+  Text.push_back(')');
+
+  Diag << FixItHint::CreateReplacement(MatchedDecl->getSourceRange(), Text);
+
+  // for (const auto *arg : MatchedDecl->arguments()) {
+  //   arg->dumpColor();
+  //   arg->getType().dump();
+  // }
+}
+}; // namespace nix::clang_tidy

clang-tidy/HasPrefixSuffix.hh

@@ -0,0 +1,25 @@
+#pragma once
+///@file
+/// This is an example of a clang-tidy automated refactoring against the Nix
+/// codebase. The refactoring has been completed in
+/// https://gerrit.lix.systems/c/lix/+/565 so this code is around as
+/// an example.
+
+#include <clang-tidy/ClangTidyCheck.h>
+#include <clang/ASTMatchers/ASTMatchFinder.h>
+#include <llvm/ADT/StringRef.h>
+
+namespace nix::clang_tidy {
+
+using namespace clang;
+using namespace clang::tidy;
+using namespace llvm;
+
+class HasPrefixSuffixCheck : public ClangTidyCheck {
+public:
+  HasPrefixSuffixCheck(StringRef Name, ClangTidyContext *Context)
+      : ClangTidyCheck(Name, Context) {}
+  void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+  void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+};
+}; // namespace nix::clang_tidy

clang-tidy/NixClangTidyChecks.cc

@@ -0,0 +1,17 @@
+#include <clang-tidy/ClangTidyModule.h>
+#include <clang-tidy/ClangTidyModuleRegistry.h>
+#include "HasPrefixSuffix.hh"
+
+namespace nix::clang_tidy {
+using namespace clang;
+using namespace clang::tidy;
+
+class NixClangTidyChecks : public ClangTidyModule {
+    public:
+        void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
+            CheckFactories.registerCheck<HasPrefixSuffixCheck>("nix-hasprefixsuffix");
+        }
+};
+
+static ClangTidyModuleRegistry::Add<NixClangTidyChecks> X("nix-module", "Adds nix specific checks");
+};

clang-tidy/README.md

@@ -0,0 +1,56 @@
+# Clang tidy lints for Nix
+
+This is a skeleton of a clang-tidy lints library for Nix.
+
+Currently there is one check (which is already obsolete as it has served its
+goal and is there as an example), `HasPrefixSuffixCheck`.
+
+## Running fixes/checks
+
+One file:
+
+```
+ninja -C build && clang-tidy --checks='-*,nix-*' --load=build/libnix-clang-tidy.so -p ../compile_commands.json --fix ../src/libcmd/installables.cc
+```
+
+Several files, in parallel:
+
+```
+ninja -C build && run-clang-tidy -checks='-*,nix-*' -load=build/libnix-clang-tidy.so -p .. -fix ../src | tee -a clang-tidy-result
+```
+
+## Resources
+
+* https://firefox-source-docs.mozilla.org/code-quality/static-analysis/writing-new/clang-query.html
+* https://clang.llvm.org/docs/LibASTMatchersReference.html
+* https://devblogs.microsoft.com/cppblog/exploring-clang-tooling-part-3-rewriting-code-with-clang-tidy/
+
+## Developing new checks
+
+Put something like so in `myquery.txt`:
+
+```
+set traversal     IgnoreUnlessSpelledInSource
+# ^ Ignore implicit AST nodes. May need to use AsIs depending on how you are
+# working.
+set bind-root     true
+# ^ true unless you use any .bind("foo") commands
+set print-matcher true
+enable output     dump
+match callExpr(callee(functionDecl(hasName("hasPrefix"))), optionally(hasArgument( 0, cxxConstructExpr(hasDeclaration(functionDecl(hasParameter(0, parmVarDecl(hasType(asString("const char *"))).bind("meow2"))))))))
+```
+
+Then run, e.g. `clang-query --preload hasprefix.query -p compile_commands.json src/libcmd/installables.cc`.
+
+With this you can iterate a query before writing it in C++ and suffering from
+C++.
+
+### Tips and tricks for the C++
+
+There is a function `dump()` on many things that will dump to stderr. Also
+`llvm::errs()` lets you print to stderr.
+
+When I wrote `HasPrefixSuffixCheck`, I was not really able to figure out how
+the structured replacement system was supposed to work. In principle you can
+describe the replacement with a nice DSL. Look up the Stencil system in Clang
+for details.

clang-tidy/meson.build

@@ -0,0 +1,8 @@
+project('nix-clang-tidy', ['cpp', 'c'],
+  version : '0.1',
+  default_options : ['warning_level=3', 'cpp_std=c++20'])
+
+llvm = dependency('Clang', version: '>= 14', modules: ['libclang'])
+sources = ['HasPrefixSuffix.cc', 'NixClangTidyChecks.cc']
+shared_module('nix-clang-tidy', sources,
+  dependencies: llvm)

configure.ac

@@ -47,6 +47,10 @@ AC_DEFINE_UNQUOTED(SYSTEM, ["$system"], [platform identifier ('cpu-os')])
 # State should be stored in /nix/var, unless the user overrides it explicitly.
 test "$localstatedir" = '${prefix}/var' && localstatedir=/nix/var
 
+# Assign a default value to C{,XX}FLAGS as the default configure script sets them
+# to -O2 otherwise, which we don't want to have hardcoded
+CFLAGS=${CFLAGS-""}
+CXXFLAGS=${CXXFLAGS-""}
 
 AC_PROG_CC
 AC_PROG_CXX
@@ -68,6 +72,9 @@ case "$host_os" in
 esac
 
 
+ENSURE_NO_GCC_BUG_80431
+
+
 # Check for pubsetbuf.
 AC_MSG_CHECKING([for pubsetbuf])
 AC_LANG_PUSH(C++)
@@ -152,12 +159,17 @@ if test "x$GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC" = xyes; then
     LDFLAGS="-latomic $LDFLAGS"
 fi
 
+# Running the functional tests without building Nix is useful for testing
+# different pre-built versions of Nix against each other.
+AC_ARG_ENABLE(build, AS_HELP_STRING([--disable-build],[Do not build nix]),
+  ENABLE_BUILD=$enableval, ENABLE_BUILD=yes)
+AC_SUBST(ENABLE_BUILD)
 # Building without tests is useful for bootstrapping with a smaller footprint
 # or running the tests in a separate derivation. Otherwise, we do compile and
 # run them.
 AC_ARG_ENABLE(tests, AS_HELP_STRING([--disable-tests],[Do not build the tests]),
-  tests=$enableval, tests=yes)
-AC_SUBST(tests)
+  ENABLE_TESTS=$enableval, ENABLE_TESTS=yes)
+AC_SUBST(ENABLE_TESTS)
 
 # Building without API docs is the default as Nix' C++ interfaces are internal and unstable.
 AC_ARG_ENABLE(internal_api_docs, AS_HELP_STRING([--enable-internal-api-docs],[Build API docs for Nix's internal unstable C++ interfaces]),
@@ -289,10 +301,10 @@ if test "$gc" = yes; then
 fi
 
 
-if test "$tests" = yes; then
+if test "$ENABLE_TESTS" = yes; then
 
 # Look for gtest.
-PKG_CHECK_MODULES([GTEST], [gtest_main])
+PKG_CHECK_MODULES([GTEST], [gtest_main gmock_main])
 
 
 # Look for rapidcheck.

doc/internal-api/doxygen.cfg.in

@@ -58,6 +58,23 @@ INPUT                  = \
   src/nix-env \
   src/nix-store
 
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+MACRO_EXPANSION        = YES
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_ONLY_PREDEF     = YES
+
 # The INCLUDE_PATH tag can be used to specify one or more directories that
 # contain include files that are not input files but should be processed by the
 # preprocessor. Note that the INCLUDE_PATH is not recursive, so the setting of
@@ -65,3 +82,16 @@ INPUT                  = \
 # This tag requires that the tag SEARCH_INCLUDES is set to YES.
 
 INCLUDE_PATH           = @RAPIDCHECK_HEADERS@
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_AS_DEFINED      = \
+  DECLARE_COMMON_SERIALISER \
+  DECLARE_WORKER_SERIALISER \
+  DECLARE_SERVE_SERIALISER \
+  LENGTH_PREFIXED_PROTO_HELPER

doc/manual/generate-manpage.nix

@@ -70,6 +70,7 @@ let
         * [`${command} ${name}`](./${appendName filename name}.md) - ${subcmd.description}
       '';
 
+      # TODO: move this confusing special case out of here when implementing #8496
       maybeStoreDocs = optionalString
         (details ? doc)
         (replaceStrings ["@stores@"] [storeDocs] details.doc);
@@ -78,6 +79,10 @@ let
         # Options
 
         ${showOptions details.flags toplevel.flags}
+
+        > **Note**
+        >
+        > See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.
       '';
 
       showOptions = options: commonOptions:
@@ -150,7 +155,7 @@ let
             To use this store, you need to make sure the corresponding experimental feature,
             [`${experimentalFeature}`](@docroot@/contributing/experimental-features.md#xp-feature-${experimentalFeature}),
             is enabled.
-            For example, include the following in [`nix.conf`](#):
+            For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
 
             ```
             extra-experimental-features = ${experimentalFeature}

doc/manual/local.mk

@@ -1,5 +1,10 @@
 ifeq ($(doc_generate),yes)
 
+# The version of Nix used to generate the doc. Can also be
+# `$(nix_INSTALL_PATH)` or just `nix` (to grap ambient from the `PATH`),
+# if one prefers.
+doc_nix = $(nix_PATH)
+
 MANUAL_SRCS := \
 	$(call rwildcard, $(d)/src, *.md) \
 	$(call rwildcard, $(d)/src, */*.md)
@@ -32,7 +37,7 @@ dummy-env = env -i \
 	NIX_STATE_DIR=/dummy \
 	NIX_CONFIG='cores = 0'
 
-nix-eval = $(dummy-env) $(bindir)/nix eval --experimental-features nix-command -I nix/corepkgs=corepkgs --store dummy:// --impure --raw
+nix-eval = $(dummy-env) $(doc_nix) eval --experimental-features nix-command -I nix/corepkgs=corepkgs --store dummy:// --impure --raw
 
 # re-implement mdBook's include directive to make it usable for terminal output and for proper @docroot@ substitution
 define process-includes
@@ -92,58 +97,76 @@ $(d)/nix-profiles.5: $(d)/src/command-ref/files/profiles.md
 	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
 	@rm $^.tmp
 
-$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md
+$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/SUMMARY-rl-next.md $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md
 	@cp $< $@
 	@$(call process-includes,$@,$@)
 
-$(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/utils.nix $(d)/generate-manpage.nix $(bindir)/nix
+$(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/utils.nix $(d)/generate-manpage.nix $(doc_nix)
 	@rm -rf $@ $@.tmp
 	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-manpage.nix true (builtins.readFile $<)'
 	@mv $@.tmp $@
 
-$(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/utils.nix $(d)/src/command-ref/conf-file-prefix.md $(d)/src/command-ref/experimental-features-shortlist.md $(bindir)/nix
+$(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/utils.nix $(d)/src/command-ref/conf-file-prefix.md $(d)/src/command-ref/experimental-features-shortlist.md $(doc_nix)
 	@cat doc/manual/src/command-ref/conf-file-prefix.md > $@.tmp
 	$(trace-gen) $(nix-eval) --expr '(import doc/manual/utils.nix).showSettings { inlineHTML = true; } (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
 	@mv $@.tmp $@
 
-$(d)/nix.json: $(bindir)/nix
-	$(trace-gen) $(dummy-env) $(bindir)/nix __dump-cli > $@.tmp
+$(d)/nix.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) __dump-cli > $@.tmp
 	@mv $@.tmp $@
 
-$(d)/conf-file.json: $(bindir)/nix
-	$(trace-gen) $(dummy-env) $(bindir)/nix show-config --json --experimental-features nix-command > $@.tmp
+$(d)/conf-file.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) show-config --json --experimental-features nix-command > $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/contributing/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(bindir)/nix
+$(d)/src/contributing/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(doc_nix)
 	@rm -rf $@ $@.tmp
 	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features.nix (builtins.fromJSON (builtins.readFile $<))'
 	@mv $@.tmp $@
 
-$(d)/src/command-ref/experimental-features-shortlist.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features-shortlist.nix $(bindir)/nix
+$(d)/src/command-ref/experimental-features-shortlist.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features-shortlist.nix $(doc_nix)
 	@rm -rf $@ $@.tmp
 	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features-shortlist.nix (builtins.fromJSON (builtins.readFile $<))'
 	@mv $@.tmp $@
 
-$(d)/xp-features.json: $(bindir)/nix
-	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(bindir)/nix __dump-xp-features > $@.tmp
+$(d)/xp-features.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(doc_nix) __dump-xp-features > $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(bindir)/nix
+$(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(doc_nix)
 	@cat doc/manual/src/language/builtins-prefix.md > $@.tmp
 	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<)).builtins' >> $@.tmp;
 	@cat doc/manual/src/language/builtins-suffix.md >> $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/language/builtin-constants.md: $(d)/language.json $(d)/generate-builtin-constants.nix $(d)/src/language/builtin-constants-prefix.md $(bindir)/nix
+$(d)/src/language/builtin-constants.md: $(d)/language.json $(d)/generate-builtin-constants.nix $(d)/src/language/builtin-constants-prefix.md $(doc_nix)
 	@cat doc/manual/src/language/builtin-constants-prefix.md > $@.tmp
 	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtin-constants.nix (builtins.fromJSON (builtins.readFile $<)).constants' >> $@.tmp;
 	@cat doc/manual/src/language/builtin-constants-suffix.md >> $@.tmp
 	@mv $@.tmp $@
 
-$(d)/language.json: $(bindir)/nix
-	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(bindir)/nix __dump-language > $@.tmp
+$(d)/language.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(doc_nix) __dump-language > $@.tmp
 	@mv $@.tmp $@
 
+# Generate "Upcoming release" notes (or clear it and remove from menu)
+$(d)/src/release-notes/rl-next.md: $(d)/rl-next $(d)/rl-next/*
+	@if type -p changelog-d > /dev/null; then \
+		echo "  GEN   " $@; \
+		changelog-d doc/manual/rl-next > $@; \
+	else \
+		echo "  NULL  " $@; \
+		true > $@; \
+	fi
+
+$(d)/src/SUMMARY-rl-next.md: $(d)/src/release-notes/rl-next.md
+	$(trace-gen) true
+	@if [ -s $< ]; then \
+		echo '  - [Upcoming release](release-notes/rl-next.md)' > $@; \
+	else \
+	  true > $@; \
+	fi
+
 # Generate the HTML manual.
 .PHONY: manual-html
 manual-html: $(docdir)/manual/index.html
@@ -173,7 +196,7 @@ doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
 	done
 	@touch $@
 
-$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/language/builtin-constants.md
+$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/language/builtin-constants.md $(d)/src/release-notes/rl-next.md
 	$(trace-gen) \
 		tmp="$$(mktemp -d)"; \
 		cp -r doc/manual "$$tmp"; \

doc/manual/rl-next/better-errors-in-nix-repl.md

@@ -0,0 +1,40 @@
+---
+synopsis: Concise error printing in `nix repl`
+prs: 9928
+---
+
+Previously, if an element of a list or attribute set threw an error while
+evaluating, `nix repl` would print the entire error (including source location
+information) inline. This output was clumsy and difficult to parse:
+
+```
+nix-repl> { err = builtins.throw "uh oh!"; }
+{ err = «error:
+       … while calling the 'throw' builtin
+         at «string»:1:9:
+            1| { err = builtins.throw "uh oh!"; }
+             |         ^
+
+       error: uh oh!»; }
+```
+
+Now, only the error message is displayed, making the output much more readable.
+```
+nix-repl> { err = builtins.throw "uh oh!"; }
+{ err = «error: uh oh!»; }
+```
+
+However, if the whole expression being evaluated throws an error, source
+locations and (if applicable) a stack trace are printed, just like you'd expect:
+
+```
+nix-repl> builtins.throw "uh oh!"
+error:
+       … while calling the 'throw' builtin
+         at «string»:1:1:
+            1| builtins.throw "uh oh!"
+             | ^
+
+       error: uh oh!
+```
+

doc/manual/rl-next/config

@@ -0,0 +1,2 @@
+organization: NixOS
+repository: nix

doc/manual/rl-next/debugger-locals-for-let-expressions.md

@@ -0,0 +1,9 @@
+---
+synopsis: "`--debugger` can now access bindings from `let` expressions"
+prs: 9918
+issues: 8827.
+---
+
+Breakpoints and errors in the bindings of a `let` expression can now access
+those bindings in the debugger. Previously, only the body of `let` expressions
+could access those bindings.

doc/manual/rl-next/debugger-on-trace.md

@@ -0,0 +1,9 @@
+---
+synopsis: Enter the `--debugger` when `builtins.trace` is called if `debugger-on-trace` is set
+prs: 9914
+---
+
+If the `debugger-on-trace` option is set and `--debugger` is given,
+`builtins.trace` calls will behave similarly to `builtins.break` and will enter
+the debug REPL. This is useful for determining where warnings are being emitted
+from.

doc/manual/rl-next/drv-string-parse-hang.md

@@ -0,0 +1,6 @@
+---
+synopsis: Fix handling of truncated `.drv` files.
+prs: 9673
+---
+
+Previously a `.drv` that was truncated in the middle of a string would case nix to enter an infinite loop, eventually exhausting all memory and crashing.

doc/manual/rl-next/dup-attr-errors.md

@@ -0,0 +1,22 @@
+---
+synopsis: Duplicate attribute reports are more accurate
+# prs: cl 557
+---
+
+Duplicate attribute errors are now more accurate, showing the path at which an error was detected rather than the full, possibly longer, path that caused the error.
+Error reports are now
+```ShellSession
+$ nix eval --expr '{ a.b = 1; a.b.c.d = 1; }'
+error: attribute 'a.b' already defined at «string»:1:3
+       at «string»:1:12:
+            1| { a.b = 1; a.b.c.d = 1;
+             |            ^
+```
+instead of
+```ShellSession
+$ nix eval --expr '{ a.b = 1; a.b.c.d = 1; }'
+error: attribute 'a.b.c.d' already defined at «string»:1:3
+       at «string»:1:12:
+            1| { a.b = 1; a.b.c.d = 1;
+             |            ^
+```

doc/manual/rl-next/empty-search-regex.md

@@ -0,0 +1,8 @@
+synopsis: Disallow empty search regex in `nix search`
+prs: #9481
+description: {
+
+[`nix search`](@docroot@/command-ref/new-cli/nix3-search.md) now requires a search regex to be passed. To show all packages, use `^`.
+
+}
+

doc/manual/rl-next/enter-debugger-more-reliably-in-let-and-calls.md

@@ -0,0 +1,25 @@
+---
+synopsis: The `--debugger` will start more reliably in `let` expressions and function calls
+prs: 9917
+issues: 6649
+---
+
+Previously, if you attempted to evaluate this file with the debugger:
+
+```nix
+let
+  a = builtins.trace "before inner break" (
+    builtins.break "hello"
+  );
+  b = builtins.trace "before outer break" (
+    builtins.break a
+  );
+in
+  b
+```
+
+Nix would correctly enter the debugger at `builtins.break a`, but if you asked
+it to `:continue`, it would skip over the `builtins.break "hello"` expression
+entirely.
+
+Now, Nix will correctly enter the debugger at both breakpoints.

doc/manual/rl-next/env-size-reduction.md

@@ -0,0 +1,7 @@
+---
+synopsis: Reduce eval memory usage and wall time
+prs: 9658
+---
+
+Reduce the size of the `Env` struct used in the evaluator by a pointer, or 8 bytes on most modern machines.
+This reduces memory usage during eval by around 2% and wall time by around 3%.

doc/manual/rl-next/eval-system.md

@@ -0,0 +1,12 @@
+---
+synopsis: Add new `eval-system` setting
+prs: 4093
+---
+
+Add a new `eval-system` option.
+Unlike `system`, it just overrides the value of `builtins.currentSystem`.
+This is more useful than overriding `system`, because you can build these derivations on remote builders which can work on the given system.
+In contrast, `system` also effects scheduling which will cause Nix to build those derivations locally even if that doesn't make sense.
+
+`eval-system` only takes effect if it is non-empty.
+If empty (the default) `system` is used as before, so there is no breakage.

doc/manual/rl-next/formal-order.md

@@ -0,0 +1,7 @@
+---
+synopsis: consistent order of lambda formals in printed expressions
+prs: 9874
+---
+
+Always print lambda formals in lexicographic order rather than the internal, creation-time based symbol order.
+This makes printed formals independent of the context they appear in.

doc/manual/rl-next/inherit-error-positions.md

@@ -0,0 +1,6 @@
+---
+synopsis: fix duplicate attribute error positions for `inherit`
+prs: 9874
+---
+
+When an inherit caused a duplicate attribute error the position of the error was not reported correctly, placing the error with the inherit itself or at the start of the bindings block instead of the offending attribute name.

doc/manual/rl-next/inherit-from-by-need.md

@@ -0,0 +1,7 @@
+---
+synopsis: "`inherit (x) ...` evaluates `x` only once"
+prs: 9847
+---
+
+`inherit (x) a b ...` now evaluates the expression `x` only once for all inherited attributes rather than once for each inherited attribute.
+This does not usually have a measurable impact, but side-effects (such as `builtins.trace`) would be duplicated and expensive expressions (such as derivations) could cause a measurable slowdown.

doc/manual/rl-next/nix-env-json-drv-path.md

@@ -0,0 +1,6 @@
+---
+synopsis: Fix `nix-env --query --drv-path --json`
+prs: 9257
+---
+
+Fixed a bug where `nix-env --query` ignored `--drv-path` when `--json` was set.

doc/manual/rl-next/nix-flake-check-logs-actions.md

@@ -0,0 +1,33 @@
+---
+synopsis: "`nix flake check` logs the checks"
+issues: 8882
+prs: 8893
+---
+
+`nix flake check` now logs the checks it runs and the derivations it evaluates:
+
+```
+$ nix flake check -v
+evaluating flake...
+checking flake output 'checks'...
+checking derivation 'checks.aarch64-darwin.ghciwatch-tests'...
+derivation evaluated to /nix/store/nh7dlvsrhds4cxl91mvgj4h5cbq6skmq-ghciwatch-test-0.3.0.drv
+checking derivation 'checks.aarch64-darwin.ghciwatch-clippy'...
+derivation evaluated to /nix/store/9cb5a6wmp6kf6hidqw9wphidvb8bshym-ghciwatch-clippy-0.3.0.drv
+checking derivation 'checks.aarch64-darwin.ghciwatch-doc'...
+derivation evaluated to /nix/store/8brdd3jbawfszpbs7vdpsrhy80as1il8-ghciwatch-doc-0.3.0.drv
+checking derivation 'checks.aarch64-darwin.ghciwatch-fmt'...
+derivation evaluated to /nix/store/wjhs0l1njl5pyji53xlmfjrlya0wmz8p-ghciwatch-fmt-0.3.0.drv
+checking derivation 'checks.aarch64-darwin.ghciwatch-audit'...
+derivation evaluated to /nix/store/z0mps8dyj2ds7c0fn0819y5h5611033z-ghciwatch-audit-0.3.0.drv
+checking flake output 'packages'...
+checking derivation 'packages.aarch64-darwin.default'...
+derivation evaluated to /nix/store/41abbdyglw5x9vcsvd89xan3ydjf8d7r-ghciwatch-0.3.0.drv
+checking flake output 'apps'...
+checking flake output 'devShells'...
+checking derivation 'devShells.aarch64-darwin.default'...
+derivation evaluated to /nix/store/bc935gz7dylzmcpdb5cczr8gngv8pmdb-nix-shell.drv
+running 5 flake checks...
+warning: The check omitted these incompatible systems: aarch64-linux, x86_64-darwin, x86_64-linux
+Use '--all-systems' to check all.
+```

doc/manual/rl-next/nixversion-fake.md

@@ -0,0 +1,11 @@
+---
+synopsis: "`builtins.nixVersion` now returns a fixed value \"2.18.3-lix\""
+# prs: cl 558
+---
+
+`builtins.nixVersion` now returns a fixed value `"2.18.3-lix"`. This prevents
+feature detection assuming that features that exist in Nix post-Lix-branch-off
+might exist, even though the Lix version is greater than the Nix version.
+
+In the future, check for builtins for feature detection. If a feature cannot be
+detected by *those* means, please file a Lix bug.

doc/manual/rl-next/print-value-in-coercion-error.md

@@ -0,0 +1,24 @@
+---
+synopsis: Coercion errors include the failing value
+issues: #561
+prs: #9754
+---
+
+The `error: cannot coerce a <TYPE> to a string` message now includes the value
+which caused the error.
+
+Before:
+
+```
+       error: cannot coerce a set to a string
+```
+
+After:
+
+```
+       error: cannot coerce a set to a string: { aesSupport = «thunk»;
+       avx2Support = «thunk»; avx512Support = «thunk»; avxSupport = «thunk»;
+       canExecute = «thunk»; config = «thunk»; darwinArch = «thunk»; darwinMinVersion
+       = «thunk»; darwinMinVersionVariable = «thunk»; darwinPlatform = «thunk»; «84
+       attributes elided»}
+```

doc/manual/rl-next/print-value-in-type-error.md

@@ -0,0 +1,23 @@
+---
+synopsis: Type errors include the failing value
+issues: #561
+prs: #9753
+---
+
+In errors like `value is an integer while a list was expected`, the message now
+includes the failing value.
+
+Before:
+
+```
+       error: value is a set while a string was expected
+```
+
+After:
+
+```
+       error: expected a string but found a set: { ghc810 = «thunk»;
+       ghc8102Binary = «thunk»; ghc8107 = «thunk»; ghc8107Binary = «thunk»;
+       ghc865Binary = «thunk»; ghc90 = «thunk»; ghc902 = «thunk»; ghc92 = «thunk»;
+       ghc924Binary = «thunk»; ghc925 = «thunk»;  «17 attributes elided»}
+```

doc/manual/rl-next/reduce-debugger-clutter.md

@@ -0,0 +1,37 @@
+---
+synopsis: "Visual clutter in `--debugger` is reduced"
+prs: 9919
+---
+
+Before:
+```
+info: breakpoint reached
+
+
+Starting REPL to allow you to inspect the current state of the evaluator.
+
+Welcome to Nix 2.20.0pre20231222_dirty. Type :? for help.
+
+nix-repl> :continue
+error: uh oh
+
+
+Starting REPL to allow you to inspect the current state of the evaluator.
+
+Welcome to Nix 2.20.0pre20231222_dirty. Type :? for help.
+
+nix-repl>
+```
+
+After:
+
+```
+info: breakpoint reached
+
+Nix 2.20.0pre20231222_dirty debugger
+Type :? for help.
+nix-repl> :continue
+error: uh oh
+
+nix-repl>
+```

doc/manual/rl-next/source-location-in-while-evaluating-attribute.md

@@ -0,0 +1,23 @@
+---
+synopsis: "In the debugger, `while evaluating the attribute` errors now include position information"
+prs: 9915
+---
+
+Before:
+
+```
+0: while evaluating the attribute 'python311.pythonForBuild.pkgs'
+0x600001522598
+```
+
+After:
+
+```
+0: while evaluating the attribute 'python311.pythonForBuild.pkgs'
+/nix/store/hg65h51xnp74ikahns9hyf3py5mlbbqq-source/overrides/default.nix:132:27
+
+   131|
+   132|       bootstrappingBase = pkgs.${self.python.pythonAttr}.pythonForBuild.pkgs;
+      |                           ^
+   133|     in
+```

doc/manual/rl-next/source-positions-in-errors.md

@@ -0,0 +1,42 @@
+---
+synopsis: Source locations are printed more consistently in errors
+issues: 561
+prs: 9555
+---
+
+Source location information is now included in error messages more
+consistently. Given this code:
+
+```nix
+let
+  attr = {foo = "bar";};
+  key = {};
+in
+  attr.${key}
+```
+
+Previously, Nix would show this unhelpful message when attempting to evaluate
+it:
+
+```
+error:
+       … while evaluating an attribute name
+
+       error: value is a set while a string was expected
+```
+
+Now, the error message displays where the problematic value was found:
+
+```
+error:
+       … while evaluating an attribute name
+
+         at bad.nix:4:11:
+
+            3|   key = {};
+            4| in attr.${key}
+             |           ^
+            5|
+
+       error: expected a string but found a set: { }
+```

doc/manual/rl-next/stack-overflow-segfaults.md

@@ -0,0 +1,32 @@
+---
+synopsis: Some stack overflow segfaults are fixed
+issues: 9616
+prs: 9617
+---
+
+The number of nested function calls has been restricted, to detect and report
+infinite function call recursions. The default maximum call depth is 10,000 and
+can be set with [the `max-call-depth`
+option](@docroot@/command-ref/conf-file.md#conf-max-call-depth).
+
+This fixes segfaults or the following unhelpful error message in many cases:
+
+    error: stack overflow (possible infinite recursion)
+
+Before:
+
+```
+$ nix-instantiate --eval --expr '(x: x x) (x: x x)'
+Segmentation fault: 11
+```
+
+After:
+
+```
+$ nix-instantiate --eval --expr '(x: x x) (x: x x)'
+error: stack overflow
+
+       at «string»:1:14:
+            1| (x: x x) (x: x x)
+             |              ^
+```

doc/manual/rl-next/upstart-removal.md

@@ -0,0 +1,8 @@
+---
+synopsis: Upstart scripts removed
+# prs: cl 574
+---
+
+Upstart scripts have been removed from Lix, since Upstart is obsolete and has
+not been shipped by any major distributions for many years. If these are
+necessary to your use case, please back port them to your packaging.

doc/manual/rl-next/with-error-reporting.md

@@ -0,0 +1,31 @@
+---
+synopsis: Better error reporting for `with` expressions
+prs: 9658
+---
+
+`with` expressions using non-attrset values to resolve variables are now reported with proper positions.
+
+Previously an incorrect `with` expression would report no position at all, making it hard to determine where the error originated:
+
+```
+nix-repl> with 1; a
+error:
+       … <borked>
+
+         at «none»:0: (source not available)
+
+       error: value is an integer while a set was expected
+```
+
+Now position information is preserved and reported as with most other errors:
+
+```
+nix-repl> with 1; a
+error:
+       … while evaluating the first subexpression of a with expression
+         at «string»:1:1:
+            1| with 1; a
+             | ^
+
+       error: expected a set but found an integer: 1
+```

doc/manual/src/SUMMARY.md.in

@@ -109,6 +109,7 @@
   - [CLI guideline](contributing/cli-guideline.md)
   - [C++ style guide](contributing/cxx.md)
 - [Release Notes](release-notes/release-notes.md)
+{{#include ./SUMMARY-rl-next.md}}
   - [Release 2.18 (2023-09-20)](release-notes/rl-2.18.md)
   - [Release 2.17 (2023-07-24)](release-notes/rl-2.17.md)
   - [Release 2.16 (2023-05-31)](release-notes/rl-2.16.md)

doc/manual/src/command-ref/nix-instantiate.md

@@ -35,13 +35,51 @@ standard input.
 
   - `--parse`\
     Just parse the input files, and print their abstract syntax trees on
-    standard output in ATerm format.
+    standard output as a Nix expression.
 
   - `--eval`\
     Just parse and evaluate the input files, and print the resulting
     values on standard output. No instantiation of store derivations
     takes place.
 
+    > **Warning**
+    >
+    > This option produces output which can be parsed as a Nix expression which
+    > will produce a different result than the input expression when evaluated.
+    > For example, these two Nix expressions print the same result despite
+    > having different meaning:
+    >
+    > ```console
+    > $ nix-instantiate --eval --expr '{ a = {}; }'
+    > { a = <CODE>; }
+    > $ nix-instantiate --eval --expr '{ a = <CODE>; }'
+    > { a = <CODE>; }
+    > ```
+    >
+    > For human-readable output, `nix eval` (experimental) is more informative:
+    >
+    > ```console
+    > $ nix-instantiate --eval --expr 'a: a'
+    > <LAMBDA>
+    > $ nix eval --expr 'a: a'
+    > «lambda @ «string»:1:1»
+    > ```
+    >
+    > For machine-readable output, the `--xml` option produces unambiguous
+    > output:
+    >
+    > ```console
+    > $ nix-instantiate --eval --xml --expr '{ foo = <CODE>; }'
+    > <?xml version='1.0' encoding='utf-8'?>
+    > <expr>
+    >   <attrs>
+    >     <attr column="3" line="1" name="foo">
+    >       <unevaluated />
+    >     </attr>
+    >   </attrs>
+    > </expr>
+    > ```
+
   - `--find-file`\
     Look up the given files in Nix’s search path (as specified by the
     `NIX_PATH` environment variable). If found, print the corresponding
@@ -61,11 +99,11 @@ standard input.
 
   - `--json`\
     When used with `--eval`, print the resulting value as an JSON
-    representation of the abstract syntax tree rather than as an ATerm.
+    representation of the abstract syntax tree rather than as a Nix expression.
 
   - `--xml`\
     When used with `--eval`, print the resulting value as an XML
-    representation of the abstract syntax tree rather than as an ATerm.
+    representation of the abstract syntax tree rather than as a Nix expression.
     The schema is the same as that used by the [`toXML`
     built-in](../language/builtins.md).
 
@@ -133,28 +171,24 @@ $ nix-instantiate --eval --xml --expr '1 + 2'
 The difference between non-strict and strict evaluation:
 
 ```console
-$ nix-instantiate --eval --xml --expr 'rec { x = "foo"; y = x; }'
-...
-  <attr name="x">
-    <string value="foo" />
-  </attr>
-  <attr name="y">
-    <unevaluated />
-  </attr>
-...
-```
+$ nix-instantiate --eval --xml --expr '{ x = {}; }'
+<?xml version='1.0' encoding='utf-8'?>
+<expr>
+  <attrs>
+    <attr column="3" line="1" name="x">
+      <unevaluated />
+    </attr>
+  </attrs>
+</expr>
 
-Note that `y` is left unevaluated (the XML representation doesn’t
-attempt to show non-normal forms).
-
-```console
-$ nix-instantiate --eval --xml --strict --expr 'rec { x = "foo"; y = x; }'
-...
-  <attr name="x">
-    <string value="foo" />
-  </attr>
-  <attr name="y">
-    <string value="foo" />
-  </attr>
-...
+$ nix-instantiate --eval --xml --strict --expr '{ x = {}; }'
+<?xml version='1.0' encoding='utf-8'?>
+<expr>
+  <attrs>
+    <attr column="3" line="1" name="x">
+      <attrs>
+      </attrs>
+    </attr>
+  </attrs>
+</expr>
 ```

doc/manual/src/command-ref/nix-shell.md

@@ -235,14 +235,14 @@ package like Terraform:
 
 ```bash
 #! /usr/bin/env nix-shell
-#! nix-shell -i bash --packages "terraform.withPlugins (plugins: [ plugins.openstack ])"
+#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
 
 terraform apply
 ```
 
 > **Note**
 >
-> You must use double quotes (`"`) when passing a simple Nix expression
+> You must use single or double quotes (`'`, `"`) when passing a simple Nix expression
 > in a nix-shell shebang.
 
 Finally, using the merging of multiple nix-shell shebangs the following
@@ -251,7 +251,7 @@ branch):
 
 ```haskell
 #! /usr/bin/env nix-shell
-#! nix-shell -i runghc --packages "haskellPackages.ghcWithPackages (ps: [ps.download-curl ps.tagsoup])"
+#! nix-shell -i runghc --packages 'haskellPackages.ghcWithPackages (ps: [ps.download-curl ps.tagsoup])'
 #! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-20.03.tar.gz
 
 import Network.Curl.Download

doc/manual/src/command-ref/opt-common.md

@@ -203,3 +203,7 @@ Most Nix commands accept the following command-line options:
   Fix corrupted or missing store paths by redownloading or rebuilding them.
   Note that this is slow because it requires computing a cryptographic hash of the contents of every path in the closure of the build.
   Also note the warning under `nix-store --repair-path`.
+
+> **Note**
+>
+> See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.

doc/manual/src/contributing/hacking.md

@@ -31,7 +31,7 @@ This shell also adds `./outputs/bin/nix` to your `$PATH` so you can run `nix` im
 To get a shell with one of the other [supported compilation environments](#compilation-environments):
 
 ```console
-$ nix develop .#native-clang11StdenvPackages
+$ nix develop .#native-clangStdenvPackages
 ```
 
 > **Note**
@@ -42,8 +42,8 @@ $ nix develop .#native-clang11StdenvPackages
 To build Nix itself in this shell:
 
 ```console
-[nix-shell]$ ./bootstrap.sh
-[nix-shell]$ ./configure $configureFlags --prefix=$(pwd)/outputs/out
+[nix-shell]$ autoreconfPhase
+[nix-shell]$ configurePhase
 [nix-shell]$ make -j $NIX_BUILD_CORES
 ```
 
@@ -75,7 +75,7 @@ $ nix-shell
 To get a shell with one of the other [supported compilation environments](#compilation-environments):
 
 ```console
-$ nix-shell --attr devShells.x86_64-linux.native-clang11StdenvPackages
+$ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
 ```
 
 > **Note**
@@ -86,7 +86,7 @@ $ nix-shell --attr devShells.x86_64-linux.native-clang11StdenvPackages
 To build Nix itself in this shell:
 
 ```console
-[nix-shell]$ ./bootstrap.sh
+[nix-shell]$ autoreconfPhase
 [nix-shell]$ ./configure $configureFlags --prefix=$(pwd)/outputs/out
 [nix-shell]$ make -j $NIX_BUILD_CORES
 ```
@@ -146,6 +146,31 @@ $ nix build .#packages.aarch64-linux.default
 Cross-compiled builds are available for ARMv6 (`armv6l-linux`) and ARMv7 (`armv7l-linux`).
 Add more [system types](#system-type) to `crossSystems` in `flake.nix` to bootstrap Nix on unsupported platforms.
 
+### Building for multiple platforms at once
+
+It is useful to perform multiple cross and native builds on the same source tree,
+for example to ensure that better support for one platform doesn't break the build for another.
+In order to facilitate this, Nix has some support for being built out of tree – that is, placing build artefacts in a different directory than the source code:
+
+1. Create a directory for the build, e.g.
+
+   ```bash
+   mkdir build
+   ```
+
+2. Run the configure script from that directory, e.g.
+
+   ```bash
+   cd build
+   ../configure <configure flags>
+   ```
+
+3. Run make from the source directory, but with the build directory specified, e.g.
+
+   ```bash
+   make builddir=build <make flags>
+   ```
+
 ## System type
 
 Nix uses a string with he following format to identify the *system type* or *platform* it runs on:
@@ -285,3 +310,40 @@ can build it yourself:
 
 Metrics about the change in line/function coverage over time are also
 [available](https://hydra.nixos.org/job/nix/master/coverage#tabs-charts).
+
+## Add a release note
+
+`doc/manual/rl-next` contains release notes entries for all unreleased changes.
+
+User-visible changes should come with a release note.
+
+### Add an entry
+
+Here's what a complete entry looks like. The file name is not incorporated in the document.
+
+```
+---
+synopsis: Basically a title
+issues: 1234
+prs: 1238
+---
+
+Here's one or more paragraphs that describe the change.
+
+- It's markdown
+- Add references to the manual using @docroot@
+```
+
+Significant changes should add the following header, which moves them to the top.
+
+```
+significance: significant
+```
+
+<!-- Keep an eye on https://codeberg.org/fgaz/changelog-d/issues/1 -->
+See also the [format documentation](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#changelog).
+
+### Build process
+
+Releases have a precomputed `rl-MAJOR.MINOR.md`, and no `rl-next.md`.
+Set `buildUnreleasedNotes = true;` in `flake.nix` to build the release notes on the fly.

doc/manual/src/contributing/testing.md

@@ -2,10 +2,48 @@
 
 ## Unit-tests
 
-The unit-tests for each Nix library (`libexpr`, `libstore`, etc..) are defined
-under `tests/unit/{library_name}/tests` using the
-[googletest](https://google.github.io/googletest/) and
-[rapidcheck](https://github.com/emil-e/rapidcheck) frameworks.
+The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
+
+[googletest]: https://google.github.io/googletest/
+[rapidcheck]: https://github.com/emil-e/rapidcheck
+
+### Source and header layout
+
+> An example of some files, demonstrating much of what is described below
+>
+> ```
+> src
+> ├── libexpr
+> │   ├── value/context.hh
+> │   ├── value/context.cc
+> │   │
+> │   …
+>     └── tests
+> │       ├── value/context.hh
+> │       ├── value/context.cc
+> │       │
+> │       …
+> │
+> ├── unit-test-data
+> │   ├── libstore
+> │   │   ├── worker-protocol/content-address.bin
+> │   │   …
+> │   …
+> …
+> ```
+
+The unit tests for each Nix library (`libnixexpr`, `libnixstore`, etc..) live inside a directory `src/${library_shortname}/tests` within the directory for the library (`src/${library_shortname}`).
+
+The data is in `unit-test-data`, with one subdir per library, with the same name as where the code goes.
+For example, `libnixstore` code is in `src/libstore`, and its test data is in `unit-test-data/libstore`.
+The path to the `unit-test-data` directory is passed to the unit test executable with the environment variable `_NIX_TEST_UNIT_DATA`.
+
+> **Note**
+> Due to the way googletest works, downstream unit test executables will actually include and re-run upstream library tests.
+> Therefore it is important that the same value for `_NIX_TEST_UNIT_DATA` be used with the tests for each library.
+> That is why we have the test data nested within a single `unit-test-data` directory.
+
+### Running tests
 
 You can run the whole testsuite with `make check`, or the tests for a specific component with `make libfoo-tests_RUN`.
 Finer-grained filtering is also possible using the [--gtest_filter](https://google.github.io/googletest/advanced.html#running-a-subset-of-the-tests) command-line option, or the `GTEST_FILTER` environment variable.
@@ -22,6 +60,24 @@ It is important that these testing libraries don't contain any actual tests them
 On some platforms they would be run as part of every test executable that uses them, which is redundant.
 On other platforms they wouldn't be run at all.
 
+### Characterization testing
+
+See [below](#characterization-testing-1) for a broader discussion of characterization testing.
+
+Like with the functional characterization, `_NIX_TEST_ACCEPT=1` is also used.
+For example:
+```shell-session
+$ _NIX_TEST_ACCEPT=1 make libstore-tests-exe_RUN
+...
+[  SKIPPED ] WorkerProtoTest.string_read
+[  SKIPPED ] WorkerProtoTest.string_write
+[  SKIPPED ] WorkerProtoTest.storePath_read
+[  SKIPPED ] WorkerProtoTest.storePath_write
+...
+```
+will regenerate the "golden master" expected result for the `libnixstore` characterization tests.
+The characterization tests will mark themselves "skipped" since they regenerated the expected result instead of actually testing anything.
+
 ## Functional tests
 
 The functional tests reside under the `tests/functional` directory and are listed in `tests/functional/local.mk`.

doc/manual/src/installation/building-source.md

@@ -3,7 +3,7 @@
 After cloning Nix's Git repository, issue the following commands:
 
 ```console
-$ ./bootstrap.sh
+$ autoreconf -vfi
 $ ./configure options...
 $ make
 $ make install

doc/manual/src/language/advanced-attributes.md

@@ -261,6 +261,9 @@ Derivations can declare some infrequently used optional attributes.
     useful for very trivial derivations (such as `writeText` in Nixpkgs)
     that are cheaper to build than to substitute from a binary cache.
 
+    You may disable the effects of this attibute by enabling the
+    `always-allow-substitutes` configuration option in Nix.
+
     > **Note**
     >
     > You need to have a builder configured which satisfies the
@@ -271,18 +274,21 @@ Derivations can declare some infrequently used optional attributes.
 
   - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
     If the special attribute `__structuredAttrs` is set to `true`, the other derivation
-    attributes are serialised in JSON format and made available to the
-    builder via the file `.attrs.json` in the builder’s temporary
-    directory. This obviates the need for [`passAsFile`](#adv-attr-passAsFile) since JSON files
-    have no size restrictions, unlike process environments.
+    attributes are serialised into a file in JSON format. The environment variable
+    `NIX_ATTRS_JSON_FILE` points to the exact location of that file both in a build
+    and a [`nix-shell`](../command-ref/nix-shell.md). This obviates the need for
+    [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions,
+    unlike process environments.
 
     It also makes it possible to tweak derivation settings in a structured way; see
     [`outputChecks`](#adv-attr-outputChecks) for example.
 
     As a convenience to Bash builders,
-    Nix writes a script named `.attrs.sh` to the builder’s directory
-    that initialises shell variables corresponding to all attributes
-    that are representable in Bash. This includes non-nested
+    Nix writes a script that initialises shell variables
+    corresponding to all attributes that are representable in Bash. The
+    environment variable `NIX_ATTRS_SH_FILE` points to the exact
+    location of the script, both in a build and a
+    [`nix-shell`](../command-ref/nix-shell.md). This includes non-nested
     (associative) arrays. For example, the attribute `hardening.format = true`
     ends up as the Bash associative array element `${hardening[format]}`.
 

doc/manual/src/language/derivations.md

@@ -123,6 +123,11 @@ The builder is executed as follows:
     
       - `NIX_STORE` is set to the path of the top-level Nix store
         directory (typically, `/nix/store`).
+
+      - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
+        is set to `true` for the dervation. A detailed explanation of this
+        behavior can be found in the
+        [section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).
     
       - For each output declared in `outputs`, the corresponding
         environment variable is set to point to the intended path in the

doc/manual/src/release-notes/rl-next.md

@@ -1 +0,0 @@
-# Release X.Y (202?-??-??)

flake.lock

@@ -16,34 +16,18 @@
         "type": "github"
       }
     },
-    "lowdown-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1633514407,
-        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1700748986,
-        "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=",
+        "lastModified": 1709884566,
+        "narHash": "sha256-NSYJg2sfdO/XS3L8XN/59Zhzn0dqWm7XtVnKI2mHq3w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0",
+        "rev": "2be119add7b37dc535da2dd4cba68e2cf8d1517e",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05-small",
+        "ref": "nixos-23.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -67,7 +51,6 @@
     "root": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "lowdown-src": "lowdown-src",
         "nixpkgs": "nixpkgs",
         "nixpkgs-regression": "nixpkgs-regression"
       }

flake.nix

@@ -1,18 +1,21 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small";
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
-  inputs.lowdown-src = { url = "github:kristapsdz/lowdown"; flake = false; };
   inputs.flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
 
-  outputs = { self, nixpkgs, nixpkgs-regression, lowdown-src, flake-compat }:
+  outputs = { self, nixpkgs, nixpkgs-regression, flake-compat }:
 
     let
       inherit (nixpkgs) lib;
+      inherit (lib) fileset;
 
       officialRelease = true;
 
+      # Set to true to build the release notes for the next release.
+      buildUnreleasedNotes = false;
+
       version = lib.fileContents ./.version + versionSuffix;
       versionSuffix =
         if officialRelease
@@ -25,9 +28,12 @@
       darwinSystems = [ "x86_64-darwin" "aarch64-darwin" ];
       systems = linuxSystems ++ darwinSystems;
 
-      crossSystems = [ "armv6l-linux" "armv7l-linux" ];
+      crossSystems = [
+        "armv6l-linux" "armv7l-linux"
+        "x86_64-freebsd13" "x86_64-netbsd"
+      ];
 
-      stdenvs = [ "gccStdenv" "clangStdenv" "clang11Stdenv" "stdenv" "libcxxStdenv" "ccacheStdenv" ];
+      stdenvs = [ "gccStdenv" "clangStdenv" "stdenv" "libcxxStdenv" "ccacheStdenv" ];
 
       forAllSystems = lib.genAttrs systems;
 
@@ -42,54 +48,23 @@
             })
             stdenvs);
 
-      # Experimental fileset library: https://github.com/NixOS/nixpkgs/pull/222981
-      # Not an "idiomatic" flake input because:
-      #  - Propagation to dependent locks: https://github.com/NixOS/nix/issues/7730
-      #  - Subflake would download redundant and huge parent flake
-      #  - No git tree hash support: https://github.com/NixOS/nix/issues/6044
-      inherit (import (builtins.fetchTarball { url = "https://github.com/NixOS/nix/archive/1bdcd7fc8a6a40b2e805bad759b36e64e911036b.tar.gz"; sha256 = "sha256:14ljlpdsp4x7h1fkhbmc4bd3vsqnx8zdql4h3037wh09ad6a0893"; }))
-        fileset;
-
-      baseFiles =
-        # .gitignore has already been processed, so any changes in it are irrelevant
-        # at this point. It is not represented verbatim for test purposes because
-        # that would interfere with repo semantics.
-        fileset.fileFilter (f: f.name != ".gitignore") ./.;
-
-      nixSrc = fileset.toSource {
-        root = ./.;
-        fileset = fileset.intersect baseFiles (fileset.unions [
-          ./.version
-          ./boehmgc-coroutine-sp-fallback.diff
-          ./bootstrap.sh
-          ./configure.ac
-          ./doc
-          ./local.mk
-          ./m4
-          ./Makefile
-          ./Makefile.config.in
-          ./misc
-          ./mk
-          ./precompiled-headers.h
-          ./src
-          ./tests/functional
-          ./tests/unit
-          ./COPYING
-          ./scripts/local.mk
-          (fileset.fileFilter (f: lib.strings.hasPrefix "nix-profile" f.name) ./scripts)
-          # TODO: do we really need README.md? It doesn't seem used in the build.
-          ./README.md
-        ]);
-      };
-
       # Memoize nixpkgs for different platforms for efficiency.
       nixpkgsFor = forAllSystems
         (system: let
           make-pkgs = crossSystem: stdenv: import nixpkgs {
-            inherit system crossSystem;
+            localSystem = {
+              inherit system;
+            };
+            crossSystem = if crossSystem == null then null else {
+              system = crossSystem;
+            } // lib.optionalAttrs (crossSystem == "x86_64-freebsd13") {
+              useLLVM = true;
+            };
             overlays = [
               (overlayFor (p: p.${stdenv}))
             ];
+
+            config.permittedInsecurePackages = [ "nix-2.13.6" ];
           };
           stdenvs = forAllStdenvs (make-pkgs null);
           native = stdenvs.stdenvPackages;
@@ -99,183 +74,45 @@
           cross = forAllCrossSystems (crossSystem: make-pkgs crossSystem "stdenv");
         });
 
-      commonDeps =
-        { pkgs
-        , isStatic ? pkgs.stdenv.hostPlatform.isStatic
-        }:
-        with pkgs; rec {
-        # Use "busybox-sandbox-shell" if present,
-        # if not (legacy) fallback and hope it's sufficient.
-        sh = pkgs.busybox-sandbox-shell or (busybox.override {
-          useMusl = true;
-          enableStatic = true;
-          enableMinimal = true;
-          extraConfig = ''
-            CONFIG_FEATURE_FANCY_ECHO y
-            CONFIG_FEATURE_SH_MATH y
-            CONFIG_FEATURE_SH_MATH_64 y
+      testNixVersions = pkgs: client: daemon: let
+        nix = pkgs.callPackage ./package.nix {
+          pname =
+            "nix-tests"
+            + lib.optionalString
+            (lib.versionAtLeast daemon.version "2.4pre20211005" &&
+            lib.versionAtLeast client.version "2.4pre20211005")
+            "-${client.version}-against-${daemon.version}";
 
-            CONFIG_ASH y
-            CONFIG_ASH_OPTIMIZE_FOR_SIZE y
-
-            CONFIG_ASH_ALIAS y
-            CONFIG_ASH_BASH_COMPAT y
-            CONFIG_ASH_CMDCMD y
-            CONFIG_ASH_ECHO y
-            CONFIG_ASH_GETOPTS y
-            CONFIG_ASH_INTERNAL_GLOB y
-            CONFIG_ASH_JOB_CONTROL y
-            CONFIG_ASH_PRINTF y
-            CONFIG_ASH_TEST y
-          '';
-        });
-
-        configureFlags =
-          lib.optionals stdenv.isLinux [
-            "--with-boost=${boost}/lib"
-            "--with-sandbox-shell=${sh}/bin/busybox"
-          ]
-          ++ lib.optionals (stdenv.isLinux && !(isStatic && stdenv.system == "aarch64-linux")) [
-            "LDFLAGS=-fuse-ld=gold"
-          ];
-
-        testConfigureFlags = [
-          "RAPIDCHECK_HEADERS=${lib.getDev rapidcheck}/extras/gtest/include"
-        ];
-
-        internalApiDocsConfigureFlags = [
-          "--enable-internal-api-docs"
-        ];
-
-        nativeBuildDeps =
-          [
-            buildPackages.bison
-            buildPackages.flex
-            (lib.getBin buildPackages.lowdown-nix)
-            buildPackages.mdbook
-            buildPackages.mdbook-linkcheck
-            buildPackages.autoconf-archive
-            buildPackages.autoreconfHook
-            buildPackages.pkg-config
-
-            # Tests
-            buildPackages.git
-            buildPackages.mercurial # FIXME: remove? only needed for tests
-            buildPackages.jq # Also for custom mdBook preprocessor.
-          ]
-          ++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];
-
-        buildDeps =
-          [ curl
-            bzip2 xz brotli editline
-            openssl sqlite
-            libarchive
-            boost
-            lowdown-nix
-          ]
-          ++ lib.optionals stdenv.isLinux [libseccomp]
-          ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
-          ++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid;
-
-        checkDeps = [
-          gtest
-          rapidcheck
-        ];
-
-        internalApiDocsDeps = [
-          buildPackages.doxygen
-        ];
-
-        awsDeps = lib.optional (stdenv.isLinux || stdenv.isDarwin)
-          (aws-sdk-cpp.override {
-            apis = ["s3" "transfer"];
-            customMemoryManagement = false;
-          });
-
-        propagatedDeps =
-          [ ((boehmgc.override {
-              enableLargeConfig = true;
-            }).overrideAttrs(o: {
-              patches = (o.patches or []) ++ [
-                ./boehmgc-coroutine-sp-fallback.diff
-              ];
-            })
-            )
-            nlohmann_json
-          ];
-      };
-
-      installScriptFor = systems:
-        with nixpkgsFor.x86_64-linux.native;
-        runCommand "installer-script"
-          { buildInputs = [ nix ];
-          }
-          ''
-            mkdir -p $out/nix-support
-
-            # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
-            tarballPath() {
-              # Remove the store prefix
-              local path=''${1#${builtins.storeDir}/}
-              # Get the path relative to the derivation root
-              local rest=''${path#*/}
-              # Get the derivation hash
-              local drvHash=''${path%%-*}
-              echo "$drvHash/$rest"
-            }
-
-            substitute ${./scripts/install.in} $out/install \
-              ${pkgs.lib.concatMapStrings
-                (system: let
-                    tarball = if builtins.elem system crossSystems then self.hydraJobs.binaryTarballCross.x86_64-linux.${system} else self.hydraJobs.binaryTarball.${system};
-                  in '' \
-                  --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
-                  --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
-                  ''
-                )
-                systems
-              } --replace '@nixVersion@' ${version}
-
-            echo "file installer $out/install" >> $out/nix-support/hydra-build-products
-          '';
-
-      testNixVersions = pkgs: client: daemon: with commonDeps { inherit pkgs; }; with pkgs.lib; pkgs.stdenv.mkDerivation {
+            inherit fileset;
+        };
+      in nix.overrideAttrs (prevAttrs: {
         NIX_DAEMON_PACKAGE = daemon;
         NIX_CLIENT_PACKAGE = client;
-        name =
-          "nix-tests"
-          + optionalString
-            (versionAtLeast daemon.version "2.4pre20211005" &&
-             versionAtLeast client.version "2.4pre20211005")
-            "-${client.version}-against-${daemon.version}";
-        inherit version;
 
-        src = nixSrc;
-
-        VERSION_SUFFIX = versionSuffix;
-
-        nativeBuildInputs = nativeBuildDeps;
-        buildInputs = buildDeps ++ awsDeps ++ checkDeps;
-        propagatedBuildInputs = propagatedDeps;
-
-        enableParallelBuilding = true;
-
-        configureFlags = testConfigureFlags; # otherwise configure fails
         dontBuild = true;
         doInstallCheck = true;
 
+        configureFlags = prevAttrs.configureFlags ++ [
+          # We don't need the actual build here.
+          "--disable-build"
+        ];
+
         installPhase = ''
           mkdir -p $out
         '';
 
-        installCheckPhase = "make installcheck -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES";
-      };
+        installCheckPhase = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
+          export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+        '' + ''
+          mkdir -p src/nix-channel
+          make installcheck -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES
+        '';
+      });
 
       binaryTarball = nix: pkgs:
         let
           inherit (pkgs) buildPackages;
-          inherit (pkgs) cacert;
-          installerClosureInfo = buildPackages.closureInfo { rootPaths = [ nix cacert ]; };
+          installerClosureInfo = buildPackages.closureInfo { rootPaths = [ nix ]; };
         in
 
         buildPackages.runCommand "nix-binary-tarball-${version}"
@@ -284,45 +121,7 @@
           }
           ''
             cp ${installerClosureInfo}/registration $TMPDIR/reginfo
-            cp ${./scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
-            substitute ${./scripts/install-nix-from-closure.sh} $TMPDIR/install \
-              --subst-var-by nix ${nix} \
-              --subst-var-by cacert ${cacert}
 
-            substitute ${./scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
-              --subst-var-by nix ${nix} \
-              --subst-var-by cacert ${cacert}
-            substitute ${./scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
-              --subst-var-by nix ${nix} \
-              --subst-var-by cacert ${cacert}
-            substitute ${./scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
-              --subst-var-by nix ${nix} \
-              --subst-var-by cacert ${cacert}
-
-            if type -p shellcheck; then
-              # SC1090: Don't worry about not being able to find
-              #         $nix/etc/profile.d/nix.sh
-              shellcheck --exclude SC1090 $TMPDIR/install
-              shellcheck $TMPDIR/create-darwin-volume.sh
-              shellcheck $TMPDIR/install-darwin-multi-user.sh
-              shellcheck $TMPDIR/install-systemd-multi-user.sh
-
-              # SC1091: Don't panic about not being able to source
-              #         /etc/profile
-              # SC2002: Ignore "useless cat" "error", when loading
-              #         .reginfo, as the cat is a much cleaner
-              #         implementation, even though it is "useless"
-              # SC2116: Allow ROOT_HOME=$(echo ~root) for resolving
-              #         root's home directory
-              shellcheck --external-sources \
-                --exclude SC1091,SC2002,SC2116 $TMPDIR/install-multi-user
-            fi
-
-            chmod +x $TMPDIR/install
-            chmod +x $TMPDIR/create-darwin-volume.sh
-            chmod +x $TMPDIR/install-darwin-multi-user.sh
-            chmod +x $TMPDIR/install-systemd-multi-user.sh
-            chmod +x $TMPDIR/install-multi-user
             dir=nix-${version}-${pkgs.system}
             fn=$out/$dir.tar.xz
             mkdir -p $out/nix-support
@@ -332,179 +131,68 @@
               --mtime='1970-01-01' \
               --absolute-names \
               --hard-dereference \
-              --transform "s,$TMPDIR/install,$dir/install," \
-              --transform "s,$TMPDIR/create-darwin-volume.sh,$dir/create-darwin-volume.sh," \
               --transform "s,$TMPDIR/reginfo,$dir/.reginfo," \
               --transform "s,$NIX_STORE,$dir/store,S" \
-              $TMPDIR/install \
-              $TMPDIR/create-darwin-volume.sh \
-              $TMPDIR/install-darwin-multi-user.sh \
-              $TMPDIR/install-systemd-multi-user.sh \
-              $TMPDIR/install-multi-user \
               $TMPDIR/reginfo \
               $(cat ${installerClosureInfo}/store-paths)
           '';
 
       overlayFor = getStdenv: final: prev:
-        let currentStdenv = getStdenv final; in
-        {
+        let
+          currentStdenv = getStdenv final;
+          comDeps = with final; commonDeps {
+            inherit pkgs;
+            inherit (currentStdenv.hostPlatform) isStatic;
+          };
+        in {
           nixStable = prev.nix;
 
           # Forward from the previous stage as we don’t want it to pick the lowdown override
           nixUnstable = prev.nixUnstable;
 
-          nix =
-          with final;
-          with commonDeps {
-            inherit pkgs;
-            inherit (currentStdenv.hostPlatform) isStatic;
-          };
-          let
-            canRunInstalled = currentStdenv.buildPlatform.canExecute currentStdenv.hostPlatform;
-          in currentStdenv.mkDerivation (finalAttrs: {
-            name = "nix-${version}";
-            inherit version;
+          changelog-d = final.buildPackages.callPackage ./misc/changelog-d.nix { };
+          boehmgc-nix = (final.boehmgc.override {
+            enableLargeConfig = true;
+          }).overrideAttrs (o: {
+            patches = (o.patches or [ ]) ++ [
+              ./boehmgc-coroutine-sp-fallback.diff
 
-            src = nixSrc;
-            VERSION_SUFFIX = versionSuffix;
-
-            outputs = [ "out" "dev" "doc" ];
-
-            nativeBuildInputs = nativeBuildDeps;
-            buildInputs = buildDeps
-              # There have been issues building these dependencies
-              ++ lib.optionals (currentStdenv.hostPlatform == currentStdenv.buildPlatform) awsDeps
-              ++ lib.optionals finalAttrs.doCheck checkDeps;
-
-            propagatedBuildInputs = propagatedDeps;
-
-            disallowedReferences = [ boost ];
-
-            preConfigure = lib.optionalString (! currentStdenv.hostPlatform.isStatic)
-              ''
-                # Copy libboost_context so we don't get all of Boost in our closure.
-                # https://github.com/NixOS/nixpkgs/issues/45462
-                mkdir -p $out/lib
-                cp -pd ${boost}/lib/{libboost_context*,libboost_thread*,libboost_system*} $out/lib
-                rm -f $out/lib/*.a
-                ${lib.optionalString currentStdenv.hostPlatform.isLinux ''
-                  chmod u+w $out/lib/*.so.*
-                  patchelf --set-rpath $out/lib:${currentStdenv.cc.cc.lib}/lib $out/lib/libboost_thread.so.*
-                ''}
-                ${lib.optionalString currentStdenv.hostPlatform.isDarwin ''
-                  for LIB in $out/lib/*.dylib; do
-                    chmod u+w $LIB
-                    install_name_tool -id $LIB $LIB
-                    install_name_tool -delete_rpath ${boost}/lib/ $LIB || true
-                  done
-                  install_name_tool -change ${boost}/lib/libboost_system.dylib $out/lib/libboost_system.dylib $out/lib/libboost_thread.dylib
-                ''}
-              '';
-
-            configureFlags = configureFlags ++
-              [ "--sysconfdir=/etc" ] ++
-              lib.optional stdenv.hostPlatform.isStatic "--enable-embedded-sandbox-shell" ++
-              [ (lib.enableFeature finalAttrs.doCheck "tests") ] ++
-              lib.optionals finalAttrs.doCheck testConfigureFlags ++
-              lib.optional (!canRunInstalled) "--disable-doc-gen";
-
-            enableParallelBuilding = true;
-
-            makeFlags = "profiledir=$(out)/etc/profile.d PRECOMPILE_HEADERS=1";
-
-            doCheck = true;
-
-            installFlags = "sysconfdir=$(out)/etc";
-
-            postInstall = ''
-              mkdir -p $doc/nix-support
-              echo "doc manual $doc/share/doc/nix/manual" >> $doc/nix-support/hydra-build-products
-              ${lib.optionalString currentStdenv.hostPlatform.isStatic ''
-              mkdir -p $out/nix-support
-              echo "file binary-dist $out/bin/nix" >> $out/nix-support/hydra-build-products
-              ''}
-              ${lib.optionalString currentStdenv.isDarwin ''
-              install_name_tool \
-                -change ${boost}/lib/libboost_context.dylib \
-                $out/lib/libboost_context.dylib \
-                $out/lib/libnixutil.dylib
-              ''}
-            '';
-
-            doInstallCheck = finalAttrs.doCheck;
-            installCheckFlags = "sysconfdir=$(out)/etc";
-            installCheckTarget = "installcheck"; # work around buggy detection in stdenv
-
-            separateDebugInfo = !currentStdenv.hostPlatform.isStatic;
-
-            strictDeps = true;
-
-            hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
-
-            passthru.perl-bindings = with final; perl.pkgs.toPerlModule (currentStdenv.mkDerivation {
-              name = "nix-perl-${version}";
-
-              src = self;
-
-              nativeBuildInputs =
-                [ buildPackages.autoconf-archive
-                  buildPackages.autoreconfHook
-                  buildPackages.pkg-config
-                ];
-
-              buildInputs =
-                [ nix
-                  curl
-                  bzip2
-                  xz
-                  pkgs.perl
-                  boost
-                ]
-                ++ lib.optional (currentStdenv.isLinux || currentStdenv.isDarwin) libsodium
-                ++ lib.optional currentStdenv.isDarwin darwin.apple_sdk.frameworks.Security;
-
-              configureFlags = [
-                "--with-dbi=${perlPackages.DBI}/${pkgs.perl.libPrefix}"
-                "--with-dbd-sqlite=${perlPackages.DBDSQLite}/${pkgs.perl.libPrefix}"
-              ];
-
-              enableParallelBuilding = true;
-
-              postUnpack = "sourceRoot=$sourceRoot/perl";
-            });
-
-            meta.platforms = lib.platforms.unix;
+              # https://github.com/ivmai/bdwgc/pull/586
+              ./boehmgc-traceable_allocator-public.diff
+            ];
           });
 
-          lowdown-nix = with final; currentStdenv.mkDerivation rec {
-            name = "lowdown-0.9.0";
+          default-busybox-sandbox-shell = final.busybox.override {
+            useMusl = true;
+            enableStatic = true;
+            enableMinimal = true;
+            extraConfig = ''
+              CONFIG_FEATURE_FANCY_ECHO y
+              CONFIG_FEATURE_SH_MATH y
+              CONFIG_FEATURE_SH_MATH_64 y
 
-            src = lowdown-src;
+              CONFIG_ASH y
+              CONFIG_ASH_OPTIMIZE_FOR_SIZE y
 
-            outputs = [ "out" "bin" "dev" ];
-
-            nativeBuildInputs = [ buildPackages.which ];
-
-            configurePhase = ''
-                ${if (currentStdenv.isDarwin && currentStdenv.isAarch64) then "echo \"HAVE_SANDBOX_INIT=false\" > configure.local" else ""}
-                ./configure \
-                  PREFIX=${placeholder "dev"} \
-                  BINDIR=${placeholder "bin"}/bin
+              CONFIG_ASH_ALIAS y
+              CONFIG_ASH_BASH_COMPAT y
+              CONFIG_ASH_CMDCMD y
+              CONFIG_ASH_ECHO y
+              CONFIG_ASH_GETOPTS y
+              CONFIG_ASH_INTERNAL_GLOB y
+              CONFIG_ASH_JOB_CONTROL y
+              CONFIG_ASH_PRINTF y
+              CONFIG_ASH_TEST y
             '';
           };
-        };
 
-      nixos-lib = import (nixpkgs + "/nixos/lib") { };
-
-      # https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
-      runNixOSTestFor = system: test: nixos-lib.runTest {
-        imports = [ test ];
-        hostPkgs = nixpkgsFor.${system}.native;
-        defaults = {
-          nixpkgs.pkgs = nixpkgsFor.${system}.native;
+          nix = final.callPackage ./package.nix {
+            inherit versionSuffix fileset;
+            stdenv = currentStdenv;
+            boehmgc = final.boehmgc-nix;
+            busybox-sandbox-shell = final.busybox-sandbox-shell or final.default-busybox-sandbox-shell;
+          };
         };
-        _module.args.nixpkgs = nixpkgs;
-      };
 
     in {
       # A Nixpkgs overlay that overrides the 'nix' and
@@ -516,177 +204,85 @@
         # Binary package for various platforms.
         build = forAllSystems (system: self.packages.${system}.nix);
 
-        buildStatic = lib.genAttrs linux64BitSystems (system: self.packages.${system}.nix-static);
-
-        buildCross = forAllCrossSystems (crossSystem:
-          lib.genAttrs ["x86_64-linux"] (system: self.packages.${system}."nix-${crossSystem}"));
-
-        buildNoGc = forAllSystems (system: self.packages.${system}.nix.overrideAttrs (a: { configureFlags = (a.configureFlags or []) ++ ["--enable-gc=no"];}));
-
-        buildNoTests = forAllSystems (system:
-          self.packages.${system}.nix.overrideAttrs (a: {
-            doCheck =
-              assert ! a?dontCheck;
-              false;
-          })
+        # FIXME(Qyriad): remove this when the migration to Meson has been completed.
+        mesonBuild = forAllSystems (system: self.packages.${system}.nix.override {
+          buildWithMeson = true;
+        });
+        mesonBuildClang = forAllSystems (system:
+            nixpkgsFor.${system}.stdenvs.clangStdenvPackages.nix.override {
+              buildWithMeson = true;
+            }
         );
 
         # Perl bindings for various platforms.
         perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nix.perl-bindings);
 
         # Binary tarball for various platforms, containing a Nix store
-        # with the closure of 'nix' package, and the second half of
-        # the installation script.
+        # with the closure of 'nix' package.
         binaryTarball = forAllSystems (system: binaryTarball nixpkgsFor.${system}.native.nix nixpkgsFor.${system}.native);
 
-        binaryTarballCross = lib.genAttrs ["x86_64-linux"] (system:
-          forAllCrossSystems (crossSystem:
-            binaryTarball
-              self.packages.${system}."nix-${crossSystem}"
-              nixpkgsFor.${system}.cross.${crossSystem}));
-
-        # The first half of the installation script. This is uploaded
-        # to https://nixos.org/nix/install. It downloads the binary
-        # tarball for the user's system and calls the second half of the
-        # installation script.
-        installerScript = installScriptFor [ "x86_64-linux" "i686-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" "armv6l-linux" "armv7l-linux" ];
-        installerScriptForGHA = installScriptFor [ "x86_64-linux" "x86_64-darwin" "armv6l-linux" "armv7l-linux"];
-
         # docker image with Nix inside
         dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);
 
-        # Line coverage analysis.
-        coverage =
-          with nixpkgsFor.x86_64-linux.native;
-          with commonDeps { inherit pkgs; };
-
-          releaseTools.coverageAnalysis {
-            name = "nix-coverage-${version}";
-
-            src = nixSrc;
-
-            configureFlags = testConfigureFlags;
-
-            enableParallelBuilding = true;
-
-            nativeBuildInputs = nativeBuildDeps;
-            buildInputs = buildDeps ++ propagatedDeps ++ awsDeps ++ checkDeps;
-
-            dontInstall = false;
-
-            doInstallCheck = true;
-            installCheckTarget = "installcheck"; # work around buggy detection in stdenv
-
-            lcovFilter = [ "*/boost/*" "*-tab.*" ];
-
-            hardeningDisable = ["fortify"];
-
-            NIX_CFLAGS_COMPILE = "-DCOVERAGE=1";
-          };
-
         # API docs for Nix's unstable internal C++ interfaces.
-        internal-api-docs =
-          with nixpkgsFor.x86_64-linux.native;
-          with commonDeps { inherit pkgs; };
+        internal-api-docs = let
+          nixpkgs = nixpkgsFor.x86_64-linux.native;
+          inherit (nixpkgs) pkgs;
 
-          stdenv.mkDerivation {
-            pname = "nix-internal-api-docs";
-            inherit version;
-
-            src = nixSrc;
-
-            configureFlags = testConfigureFlags ++ internalApiDocsConfigureFlags;
-
-            nativeBuildInputs = nativeBuildDeps;
-            buildInputs = buildDeps ++ propagatedDeps
-              ++ awsDeps ++ checkDeps ++ internalApiDocsDeps;
-
-            dontBuild = true;
-
-            installTargets = [ "internal-api-html" ];
-
-            postInstall = ''
-              mkdir -p $out/nix-support
-              echo "doc internal-api-docs $out/share/doc/nix/internal-api/html" >> $out/nix-support/hydra-build-products
-            '';
+          nix = pkgs.callPackage ./package.nix {
+            inherit versionSuffix fileset officialRelease buildUnreleasedNotes;
+            inherit (pkgs) changelog-d;
+            internalApiDocs = true;
+            boehmgc = pkgs.boehmgc-nix;
+            busybox-sandbox-shell = pkgs.busybox-sandbox-shell;
           };
+        in
+          nix.overrideAttrs (prev: {
+            # This Hydra job is just for the internal API docs.
+            # We don't need the build artifacts here.
+            dontBuild = true;
+            doCheck = false;
+            doInstallCheck = false;
+          });
 
         # System tests.
-        tests.authorization = runNixOSTestFor "x86_64-linux" ./tests/nixos/authorization.nix;
+        tests = import ./tests/nixos { inherit lib nixpkgs nixpkgsFor; } // {
 
-        tests.remoteBuilds = runNixOSTestFor "x86_64-linux" ./tests/nixos/remote-builds.nix;
+          # Make sure that nix-env still produces the exact same result
+          # on a particular version of Nixpkgs.
+          evalNixpkgs =
+            with nixpkgsFor.x86_64-linux.native;
+            runCommand "eval-nixos" { buildInputs = [ nix ]; }
+              ''
+                type -p nix-env
+                # Note: we're filtering out nixos-install-tools because https://github.com/NixOS/nixpkgs/pull/153594#issuecomment-1020530593.
+                time nix-env --store dummy:// -f ${nixpkgs-regression} -qaP --drv-path | sort | grep -v nixos-install-tools > packages
+                [[ $(sha1sum < packages | cut -c1-40) = 402242fca90874112b34718b8199d844e8b03d12 ]]
+                mkdir $out
+              '';
 
-        tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
-
-        tests.nix-copy = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy.nix;
-
-        tests.nssPreload = runNixOSTestFor "x86_64-linux" ./tests/nixos/nss-preload.nix;
-
-        tests.githubFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/github-flakes.nix;
-
-        tests.sourcehutFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/sourcehut-flakes.nix;
-
-        tests.tarballFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/tarball-flakes.nix;
-
-        tests.containers = runNixOSTestFor "x86_64-linux" ./tests/nixos/containers/containers.nix;
-
-        tests.setuid = lib.genAttrs
-          ["i686-linux" "x86_64-linux"]
-          (system: runNixOSTestFor system ./tests/nixos/setuid.nix);
-
-
-        # Make sure that nix-env still produces the exact same result
-        # on a particular version of Nixpkgs.
-        tests.evalNixpkgs =
-          with nixpkgsFor.x86_64-linux.native;
-          runCommand "eval-nixos" { buildInputs = [ nix ]; }
-            ''
-              type -p nix-env
-              # Note: we're filtering out nixos-install-tools because https://github.com/NixOS/nixpkgs/pull/153594#issuecomment-1020530593.
-              time nix-env --store dummy:// -f ${nixpkgs-regression} -qaP --drv-path | sort | grep -v nixos-install-tools > packages
-              [[ $(sha1sum < packages | cut -c1-40) = ff451c521e61e4fe72bdbe2d0ca5d1809affa733 ]]
-              mkdir $out
-            '';
-
-        tests.nixpkgsLibTests =
-          forAllSystems (system:
-            import (nixpkgs + "/lib/tests/release.nix")
-              { pkgs = nixpkgsFor.${system}.native;
-                nixVersions = [ self.packages.${system}.nix ];
-              }
-          );
-
-        metrics.nixpkgs = import "${nixpkgs-regression}/pkgs/top-level/metrics.nix" {
-          pkgs = nixpkgsFor.x86_64-linux.native;
-          nixpkgs = nixpkgs-regression;
+          nixpkgsLibTests =
+            forAllSystems (system:
+              import (nixpkgs + "/lib/tests/release.nix")
+                { pkgs = nixpkgsFor.${system}.native;
+                  nixVersions = [ self.packages.${system}.nix ];
+                }
+            );
         };
-
-        installTests = forAllSystems (system:
-          let pkgs = nixpkgsFor.${system}.native; in
-          pkgs.runCommand "install-tests" {
-            againstSelf = testNixVersions pkgs pkgs.nix pkgs.pkgs.nix;
-            againstCurrentUnstable =
-              # FIXME: temporarily disable this on macOS because of #3605.
-              if system == "x86_64-linux"
-              then testNixVersions pkgs pkgs.nix pkgs.nixUnstable
-              else null;
-            # Disabled because the latest stable version doesn't handle
-            # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
-            # againstLatestStable = testNixVersions pkgs pkgs.nix pkgs.nixStable;
-          } "touch $out");
-
-        installerTests = import ./tests/installer {
-          binaryTarballs = self.hydraJobs.binaryTarball;
-          inherit nixpkgsFor;
-        };
-
       };
 
       checks = forAllSystems (system: {
+        # FIXME(Qyriad): remove this when the migration to Meson has been completed.
+        mesonBuild = self.hydraJobs.mesonBuild.${system};
+        mesonBuildClang = self.hydraJobs.mesonBuildClang.${system};
         binaryTarball = self.hydraJobs.binaryTarball.${system};
         perlBindings = self.hydraJobs.perlBindings.${system};
-        installTests = self.hydraJobs.installTests.${system};
         nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
+        rl-next =
+          let pkgs = nixpkgsFor.${system}.native;
+          in pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+          LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
+        '';
       } // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
         dockerImage = self.hydraJobs.dockerImage.${system};
       });
@@ -725,27 +321,39 @@
 
       devShells = let
         makeShell = pkgs: stdenv:
-          with commonDeps { inherit pkgs; };
-          stdenv.mkDerivation {
-            name = "nix";
+          let
+            nix = pkgs.callPackage ./package.nix {
+              inherit stdenv versionSuffix fileset;
+              boehmgc = pkgs.boehmgc-nix;
+              busybox-sandbox-shell = pkgs.busybox-sandbox-shell or pkgs.default-busybox-sandbox;
+              forDevShell = true;
+            };
+          in
+            nix.overrideAttrs (prev: {
+              # Required for clang-tidy checks
+              buildInputs = prev.buildInputs ++ lib.optionals (stdenv.cc.isClang) [ pkgs.llvmPackages.llvm pkgs.llvmPackages.clang-unwrapped.dev ];
+              nativeBuildInputs = prev.nativeBuildInputs
+                ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
+                # Required for clang-tidy checks
+                ++ lib.optionals (stdenv.cc.isClang) [ pkgs.buildPackages.cmake pkgs.buildPackages.ninja pkgs.buildPackages.llvmPackages.llvm.dev ]
+                ++ lib.optional
+                  (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform)
+                  # for some reason that seems accidental and was changed in
+                  # NixOS 24.05-pre, clang-tools is pinned to LLVM 14 when
+                  # default LLVM is newer.
+                  (pkgs.buildPackages.clang-tools.override { inherit (pkgs.buildPackages) llvmPackages; })
+                ++ [
+                  # FIXME(Qyriad): remove once the migration to Meson is complete.
+                  pkgs.buildPackages.meson
+                  pkgs.buildPackages.ninja
+                ];
 
-            outputs = [ "out" "dev" "doc" ];
+              src = null;
 
-            nativeBuildInputs = nativeBuildDeps
-                                ++ (lib.optionals stdenv.cc.isClang [ pkgs.bear pkgs.clang-tools ]);
+              installFlags = "sysconfdir=$(out)/etc";
+              strictDeps = false;
 
-            buildInputs = buildDeps ++ propagatedDeps
-              ++ awsDeps ++ checkDeps ++ internalApiDocsDeps;
-
-            configureFlags = configureFlags
-              ++ testConfigureFlags ++ internalApiDocsConfigureFlags;
-
-            enableParallelBuilding = true;
-
-            installFlags = "sysconfdir=$(out)/etc";
-
-            shellHook =
-              ''
+              shellHook = ''
                 PATH=$prefix/bin:$PATH
                 unset PYTHONPATH
                 export MANPATH=$out/share/man:$MANPATH
@@ -753,7 +361,10 @@
                 # Make bash completion work.
                 XDG_DATA_DIRS+=:$out/share
               '';
-          };
+            } // lib.optionalAttrs (stdenv.buildPlatform.isLinux && pkgs.glibcLocales != null) {
+              # Required to make non-NixOS Linux not complain about missing locale files during configure in a dev shell
+              LOCALE_ARCHIVE = "${lib.getLib pkgs.glibcLocales}/lib/locale/locale-archive";
+            });
         in
         forAllSystems (system:
           let

local.mk

@@ -1,5 +1,3 @@
-clean-files += Makefile.config
-
 GLOBAL_CXXFLAGS += -Wno-deprecated-declarations -Werror=switch
 # Allow switch-enum to be overridden for files that do not support it, usually because of dependency headers.
 ERROR_SWITCH_ENUM = -Werror=switch-enum

m4/gcc_bug_80431.m4

@@ -0,0 +1,64 @@
+# Ensure that this bug is not present in the C++ toolchain we are using.
+#
+# URL for bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80431
+#
+# The test program is from that issue, with only a slight modification
+# to set an exit status instead of printing strings.
+AC_DEFUN([ENSURE_NO_GCC_BUG_80431],
+[
+  AC_MSG_CHECKING([that GCC bug 80431 is fixed])
+  AC_LANG_PUSH(C++)
+  AC_RUN_IFELSE(
+    [AC_LANG_PROGRAM(
+      [[
+        #include <cstdio>
+
+        static bool a = true;
+        static bool b = true;
+
+        struct Options { };
+
+        struct Option
+        {
+            Option(Options * options)
+            {
+                a = false;
+            }
+
+            ~Option()
+            {
+                b = false;
+            }
+        };
+
+        struct MyOptions : Options { };
+
+        struct MyOptions2 : virtual MyOptions
+        {
+            Option foo{this};
+        };
+      ]],
+      [[
+        {
+            MyOptions2 opts;
+        }
+        return (a << 1) | b;
+      ]])],
+    [status_80431=0],
+    [status_80431=$?],
+    [
+      # Assume we're bug-free when cross-compiling
+    ])
+  AC_LANG_POP(C++)
+  AS_CASE([$status_80431],
+    [0],[
+      AC_MSG_RESULT(yes)
+    ],
+    [2],[
+      AC_MSG_RESULT(no)
+      AC_MSG_ERROR(Cannot build Nix with C++ compiler with this bug)
+    ],
+    [
+      AC_MSG_RESULT(unexpected result $status_80431: not expected failure with bug, ignoring)
+    ])
+])

maintainers/issue_import.py

@@ -0,0 +1,152 @@
+import requests
+import textwrap
+import dataclasses
+import logging
+import re
+import os
+
+API_BASE = 'https://git.lix.systems/api/v1'
+API_KEY = os.environ['FORGEJO_API_KEY']
+
+log = logging.getLogger(__name__)
+log.setLevel(logging.INFO)
+
+fmt = logging.Formatter('{asctime} {levelname} {name}: {message}',
+                        datefmt='%b %d %H:%M:%S',
+                        style='{')
+
+if not any(isinstance(h, logging.StreamHandler) for h in log.handlers):
+    hand = logging.StreamHandler()
+    hand.setFormatter(fmt)
+    log.addHandler(hand)
+
+# These are erring in the direction of re-triage, rather than necessarily
+# mapping all metadata of the issue
+LABEL_MAPPING = {
+    'lix-import': 153, # 'imported',
+    'contributor-experience': 148, # 'devx',
+    'bug': 150, # 'bug',
+    'UX': 149, # 'ux',
+    'error-messages': 149, # 'ux',
+    'lix-stability': 146, # 'stability',
+    'performance': 147, # 'performance',
+    'tests': 121, # 'tests',
+}
+
+def api(method, endpoint: str, resp_json=True, **kwargs):
+    log.info('http %s %s', method, endpoint)
+    if not endpoint.startswith('https'):
+        endpoint = API_BASE + endpoint
+    resp = requests.request(method,
+                            endpoint,
+                            headers={'Authorization': f'Bearer {API_KEY}'},
+                            **kwargs)
+    resp.raise_for_status()
+    if resp_json:
+        return resp.json()
+    else:
+        return resp
+
+def paginate(method: str, url: str):
+    while True:
+        resp = api(method, url, resp_json=False)
+        yield from resp.json()
+        next_one = resp.links.get('next')
+        if not next_one:
+            return
+        url = next_one.get('url')
+        if not url:
+            return
+
+class DataClassUnpack:
+    """Taken from: https://stackoverflow.com/a/72164665"""
+    classFieldCache = {}
+
+    @classmethod
+    def instantiate(cls, classToInstantiate, argDict):
+        if classToInstantiate not in cls.classFieldCache:
+            cls.classFieldCache[classToInstantiate] = {
+                f.name
+                for f in getattr(classToInstantiate, dataclasses._FIELDS).values() if f._field_type is not dataclasses._FIELD_CLASSVAR # type: ignore
+            }
+
+        fieldSet = cls.classFieldCache[classToInstantiate]
+        filteredArgDict = {k: v for k, v in argDict.items() if k in fieldSet}
+        return classToInstantiate(**filteredArgDict)
+
+@dataclasses.dataclass
+class Label:
+    name: str
+    description: str
+
+@dataclasses.dataclass
+class Issue:
+    number: int
+    url: str
+    html_url: str
+    title: str
+    body: str
+    labels: dataclasses.InitVar[list[dict]]
+    labels_clean: list[Label] = dataclasses.field(init=False)
+
+    def __post_init__(self, labels):
+        self.labels_clean = [DataClassUnpack.instantiate(Label, l) for l in labels]
+
+def issues_to_import():
+    yield from paginate('GET', '/repos/nixos/nix/issues?state=open&labels=lix-import')
+
+def issues_already_imported():
+    yield from paginate('GET', '/repos/lix-project/lix/issues?state=all&labels=imported')
+
+
+UPSTREAM_ISSUE_RE = re.compile(r'^Upstream-Issue: https://git\.lix\.systems/NixOS/nix/issues/(\d+)$', re.MULTILINE)
+
+def make_already_imported():
+    d = {}
+    for issue in issues_already_imported():
+        iss = DataClassUnpack.instantiate(Issue, issue)
+        print(iss)
+        match = UPSTREAM_ISSUE_RE.search(iss.body)
+        if match:
+            d[int(match.group(1))] = iss
+
+    return d
+
+def new_issue(title, body, labels):
+    api('POST', '/repos/lix-project/lix/issues', resp_json=True, json={
+        'labels': labels,
+        'body': body,
+        'title': title,
+    })
+
+already_imported = make_already_imported()
+
+def import_issue(iss: Issue):
+    if iss.number in already_imported:
+        log.info('Skipping already imported %d', iss.number)
+        return
+    new_body = textwrap.dedent('''
+        Upstream-Issue: {iss}
+
+        {original_body}
+    ''').format(iss=iss.html_url, original_body=iss.body)
+
+    new_labels = [LABEL_MAPPING[l.name] for l in iss.labels_clean if l.name in LABEL_MAPPING]
+
+    new_title = '[Nix#{num}] {title}'.format(num=iss.number, title=iss.title)
+
+    log.info('%s', f'create issue with: {new_labels} {new_title} {new_body}')
+    new_issue(new_title, new_body, new_labels)
+
+def go():
+    print('Have you turned off the forgejo mailer? Enter "We have" if so:')
+    answer = input('> ')
+    if answer != 'We have':
+        return
+
+    log.info('Importing issues!')
+    for issue in issues_to_import():
+        import_issue(DataClassUnpack.instantiate(Issue, issue))
+
+if __name__ == '__main__':
+    go()

maintainers/release-notes

@@ -0,0 +1,179 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash ../shell.nix -I nixpkgs=channel:nixos-unstable-small
+#                                   ^^^^^^^
+#                Only used for bash. shell.nix goes to the flake.
+
+# --- CONFIGURATION ---
+
+# This does double duty for
+# - including rl-next
+# - marking where to insert new links (right after)
+SUMMARY_MARKER_LINE='{{#include ./SUMMARY-rl-next.md}}'
+
+# --- LIB ---
+
+log() {
+  echo 1>&2 "release-notes:" "$@"
+}
+logcmd() {
+  local cmd="$1"
+  shift
+  logcmd2 "$cmd" "${*@Q}" "$cmd" "$@"
+}
+logcmd2() {
+  local fakecmd="$1"
+  local fakeargs="$2"
+  shift
+  shift
+  printf 1>&2 "release-notes: \033[34;1m$fakecmd\033[0m "
+  echo "$fakeargs" 1>&2
+  "$@"
+}
+die() {
+  # ANSI red
+  printf 1>&2 "release-notes: \033[31;1merror:\033[0m"
+  echo 1>&2 "" "$@"
+  exit 1
+}
+confirm() {
+  local answer
+  echo 1>&2 "$@" "[y/n]"
+  read -r answer
+  case "$answer" in
+    y|Y|yes|Yes|YES)
+      return 0
+      ;;
+    n|N|no|No|NO)
+      return 1
+      ;;
+    *)
+      echo 1>&2 "please answer y or n"
+      confirm "$@"
+      ;;
+  esac
+}
+report_done() {
+  logcmd2 "git" "show" git -c pager.show=false show
+  printf 1>&2 "release-notes: \033[32;1mdone\033[0m\n"
+}
+
+# --- PARSE ARGS ---
+
+if [[ $# -gt 0 ]]; then
+  die "Release notes takes no arguments, but make sure to set VERSION."
+fi
+
+# --- CHECKS ---
+
+if [[ ! -e flake.nix ]] || [[ ! -e .git ]]; then
+  die "must run in repo root"
+  exit 1
+fi
+
+# repo must be clean
+if ! git diff --quiet; then
+  die "repo is dirty, please commit or stash changes"
+fi
+
+if ! git diff --quiet --cached; then
+  die "repo has staged changes, please commit or stash them"
+fi
+
+if ! grep "$SUMMARY_MARKER_LINE" doc/manual/src/SUMMARY.md.in >/dev/null; then
+  # would have been nice to catch this early, but won't be worth the extra infra
+  die "SUMMARY.md.in is missing the marker line '$SUMMARY_MARKER_LINE', which would be used for inserting a new release notes page. Please fix the script."
+fi
+
+if [[ ! -n "${VERSION:-}" ]]; then
+  die "please set the VERSION environment variable before invoking this script"
+  exit 1
+fi
+
+# version_major_minor:      MAJOR.MINOR
+# version_full:             MAJOR.MINOR.PATCH
+# IS_PATCH:                 true if this is a patch release; append instead of create
+if grep -E '^[0-9]+\.[0-9]+$' <<< "$VERSION" >/dev/null; then
+  log 'is minor'
+  IS_PATCH=false
+  version_full="$VERSION.0"
+  version_major_minor="$VERSION"
+elif grep -E '^[0-9]+\.[0-9]+\.0$' <<< "$VERSION" >/dev/null; then
+  log 'is minor (.0)'
+  IS_PATCH=false
+  version_full="$VERSION"
+  version_major_minor="$(echo "$VERSION" | sed -e 's/\.0$//')"
+elif grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' <<< "$VERSION" >/dev/null; then
+  log 'is patch'
+  IS_PATCH=true
+  version_full="$VERSION"
+  version_major_minor="$(echo "$VERSION" | sed -e 's/\.[0-9]*$//')"
+else
+  die "VERSION must be MAJOR.MINOR[.PATCH], where each is a number, e.g. 2.20 or 2.20.1 (VERSION was set to $VERSION)"
+fi
+
+unset VERSION
+
+log "version_major_minor=$version_major_minor"
+log "version_full=$version_full"
+log "IS_PATCH=$IS_PATCH"
+
+basename=rl-${version_major_minor}.md
+file=doc/manual/src/release-notes/$basename
+
+if ! $IS_PATCH; then
+  if [[ -e $file ]]; then
+    die "release notes file $file already exists. If you'd like to make a minor release, pass a patch version, e.g. 2.20.1"
+  fi
+fi
+
+# --- DEFAULTS ---
+
+if [[ ! -n "${DATE:-}" ]]; then
+  DATE="$(date +%Y-%m-%d)"
+  log "DATE not set, using $DATE"
+fi
+
+case "$DATE" in
+  [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
+    ;;
+  *)
+    die "DATE must be YYYY-MM-DD, e.g. 2021-12-31 (DATE was set to $DATE)"
+    ;;
+esac
+
+# --- DO THE WORK ---
+
+# menu
+title="Release $version_major_minor ($DATE)"
+# section on page
+section_title="Release $version_full ($DATE)"
+
+(
+  # TODO add minor number, and append?
+  echo "# $section_title"
+  echo
+  changelog-d doc/manual/rl-next | sed -e 's/ *$//'
+) | tee -a $file
+
+log "Wrote $file"
+
+if ! $IS_PATCH; then
+  NEW_SUMMARY_LINE="  - [$title](release-notes/$basename)"
+
+  # find the marker line, insert new link after it
+  escaped_marker="$(echo "$SUMMARY_MARKER_LINE" | sed -e 's/\//\\\//g' -e 's/ /\\ /g')"
+  escaped_line="$(echo "$NEW_SUMMARY_LINE" | sed -e 's/\//\\\//g' -e 's/ /\\ /g')"
+  logcmd sed -i -e "/$escaped_marker/a $escaped_line" doc/manual/src/SUMMARY.md.in
+fi
+
+for f in doc/manual/rl-next/*.md; do
+  if [[ config != "$(basename $f)" ]]; then
+    logcmd git rm $f
+  fi
+done
+
+logcmd git add $file doc/manual/src/SUMMARY.md.in
+logcmd git status
+logcmd git commit -m "release notes: $version_full"
+
+report_done

maintainers/release-process.md

@@ -24,34 +24,23 @@ release:
 * In a checkout of the Nix repo, make sure you're on `master` and run
   `git pull`.
 
-* Move the contents of `doc/manual/src/release-notes/rl-next.md`
-  (except the first line) to
-  `doc/manual/src/release-notes/rl-$VERSION.md` (where `$VERSION` is
-  the contents of `.version` *without* the patch level, e.g. `2.12`
-  rather than `2.12.0`).
-
-* Add a header to `doc/manual/src/release-notes/rl-$VERSION.md` like
-
-  ```
-  # Release 2.12 (2022-12-06)
-  ```
-
-* Proof-read / edit / rearrange the release notes. Breaking changes
-  and highlights should go to the top.
-
-* Add a link to the release notes to `doc/manual/src/SUMMARY.md.in`
-  (*not* `SUMMARY.md`), e.g.
-
-  ```
-  - [Release 2.12 (2022-12-06)](release-notes/rl-2.12.md)
-  ```
-
-* Run
+* Compile the release notes by running
 
   ```console
   $ git checkout -b release-notes
-  $ git add doc/manual/src/release-notes/rl-$VERSION.md
-  $ git commit -a -m 'Release notes'
+  $ VERSION=X.YY ./maintainers/release-notes
+  ```
+
+  where `X.YY` is *without* the patch level, e.g. `2.12` rather than ~~`2.12.0`~~.
+
+  A commit is created.
+
+* Proof-read / edit / rearrange the release notes if needed. Breaking changes
+  and highlights should go to the top.
+
+* Push.
+
+  ```console
   $ git push --set-upstream $REMOTE release-notes
   ```
 
@@ -67,15 +56,17 @@ release:
   $ git checkout -b $VERSION-maintenance
   ```
 
-* Mark the release as stable:
+* Mark the release as official:
 
   ```console
-  $ git cherry-pick f673551e71942a52b6d7ae66af8b67140904a76a
+  $ sed -e 's/officialRelease = false;/officialRelease = true;/' -i flake.nix
   ```
 
   This removes the link to `rl-next.md` from the manual and sets
   `officialRelease = true` in `flake.nix`.
 
+* Commit
+
 * Push the release branch:
 
   ```console
@@ -159,6 +150,30 @@ release:
 
 ## Creating a point release
 
+* Checkout.
+
+  ```console
+  $ git checkout XX.YY-maintenance
+  ```
+
+* Determine the next patch version.
+
+  ```console
+  $ export VERSION=XX.YY.ZZ
+  ```
+
+* Update release notes.
+
+  ```console
+  $ ./maintainers/release-notes
+  ```
+
+* Push.
+
+  ```console
+  $ git push
+  ```
+
 * Wait for the desired evaluation of the maintenance jobset to finish
   building.
 

meson.build

@@ -0,0 +1,287 @@
+#
+# OUTLINE:
+#
+# The top-level meson.build file (this file) handles general logic for build options,
+# generation of config.h (which is put in the build directory, not the source root
+# like the previous, autoconf-based build system did), the mechanism for header
+# generation, and the few global C++ compiler arguments that are added to all targets in Lix.
+#
+# src/meson.build coordinates each of Lix's subcomponents (the lib dirs in ./src),
+# which each have their own meson.build. Lix's components depend on each other,
+# so each of `src/lib{util,store,fetchers,expr,main,cmd}/meson.build` rely on variables
+# set in earlier `meson.build` files. Each of these also defines the install targets for
+# their headers.
+#
+# src/meson.build also collects the miscellaneous source files that are in further subdirectories
+# that become part of the final Nix command (things like `src/nix-build/*.cc`).
+#
+# Finally, src/nix/meson.build defines the Nix command itself, relying on all prior meson files.
+
+project('lix', 'cpp',
+  version : run_command('bash', '-c', 'echo -n $(cat ./.version)$VERSION_SUFFIX', check : true).stdout().strip(),
+  default_options : [
+    'cpp_std=c++2a',
+    # TODO(Qyriad): increase the warning level
+    'warning_level=1',
+    'debug=true',
+    'optimization=2',
+  ],
+)
+
+fs = import('fs')
+
+prefix = get_option('prefix')
+# For each of these paths, assume that it is relative to the prefix unless
+# it is already an absolute path (which is the default for store-dir, state-dir, and log-dir).
+path_opts = [
+  # Meson built-ins.
+  'datadir',
+  'sysconfdir',
+  'bindir',
+  'mandir',
+  'libdir',
+  'includedir',
+  # Homecooked Lix directories.
+  'store-dir',
+  'state-dir',
+  'log-dir',
+]
+foreach optname : path_opts
+  varname = optname.replace('-', '_')
+  path = get_option(optname)
+  if fs.is_absolute(path)
+    set_variable(varname, path)
+  else
+    set_variable(varname, prefix / path)
+  endif
+endforeach
+
+cxx = meson.get_compiler('cpp')
+
+host_system = host_machine.cpu_family() + '-' + host_machine.system()
+message('canonical Nix system name:', host_system)
+
+is_linux = host_machine.system() == 'linux'
+is_x64 = host_machine.cpu_family() == 'x86_64'
+
+deps = [ ]
+configdata = { }
+
+#
+# Dependencies
+#
+
+boehm = dependency('bdw-gc', required : get_option('gc'))
+if boehm.found()
+  deps += boehm
+endif
+configdata += {
+  'HAVE_BOEHMGC': boehm.found().to_int(),
+}
+
+boost = dependency('boost', required : true, modules : ['context', 'coroutine', 'container'])
+deps += boost
+
+# cpuid only makes sense on x86_64
+cpuid_required = is_x64 ? get_option('cpuid') : false
+cpuid = dependency('libcpuid', 'cpuid', required : cpuid_required)
+configdata += {
+  'HAVE_LIBCPUID': cpuid.found().to_int(),
+}
+deps += cpuid
+
+# seccomp only makes sense on Linux
+seccomp_required = is_linux ? get_option('seccomp-sandboxing') : false
+seccomp = dependency('libseccomp', 'seccomp', required : seccomp_required)
+configdata += {
+  'HAVE_SECCOMP': seccomp.found().to_int(),
+}
+
+libarchive = dependency('libarchive', required : true)
+deps += libarchive
+
+brotli = [
+  dependency('libbrotlicommon', required : true),
+  dependency('libbrotlidec', required : true),
+  dependency('libbrotlienc', required : true),
+]
+deps += brotli
+
+openssl = dependency('libcrypto', 'openssl', required : true)
+deps += openssl
+
+aws_sdk = dependency('aws-cpp-sdk-core', required : false)
+if aws_sdk.found()
+  # The AWS pkg-config adds -std=c++11.
+  # https://github.com/aws/aws-sdk-cpp/issues/2673
+  aws_sdk = aws_sdk.partial_dependency(
+    compile_args : false,
+    includes : true,
+    link_args : true,
+    links : true,
+    sources : true,
+  )
+  deps += aws_sdk
+  s = aws_sdk.version().split('.')
+  configdata += {
+    'AWS_VERSION_MAJOR': s[0].to_int(),
+    'AWS_VERSION_MINOR': s[1].to_int(),
+    'AWS_VERSION_PATCH': s[2].to_int(),
+  }
+  aws_sdk_transfer = dependency('aws-cpp-sdk-transfer', required : true).partial_dependency(
+    compile_args : false,
+    includes : true,
+    link_args : true,
+    links : true,
+    sources : true,
+  )
+endif
+
+aws_s3 = dependency('aws-cpp-sdk-s3', required : false)
+if aws_s3.found()
+  # The AWS pkg-config adds -std=c++11.
+  # https://github.com/aws/aws-sdk-cpp/issues/2673
+  aws_s3 = aws_s3.partial_dependency(
+    compile_args : false,
+    includes : true,
+    link_args : true,
+    links : true,
+    sources : true,
+  )
+  deps += aws_s3
+endif
+
+configdata += {
+  'ENABLE_S3': aws_s3.found().to_int(),
+}
+
+sqlite = dependency('sqlite3', 'sqlite', version : '>=3.6.19', required : true)
+deps += sqlite
+
+sodium = dependency('libsodium', 'sodium', required : true)
+deps += sodium
+
+curl = dependency('libcurl', 'curl', required : true)
+deps += curl
+
+editline = dependency('libeditline', 'editline', version : '>=1.14', required : true)
+deps += editline
+
+lowdown = dependency('lowdown', version : '>=0.9.0', required : true)
+deps += lowdown
+
+rapidcheck = dependency('rapidcheck', required : false)
+deps += rapidcheck
+
+gtest = dependency('gtest', required : false)
+deps += gtest
+
+#
+# Build-time tools
+#
+bash = find_program('bash')
+
+# Used to workaround https://github.com/mesonbuild/meson/issues/2320 in src/nix/meson.build.
+installcmd = find_program('install')
+
+sandbox_shell = get_option('sandbox-shell')
+# Consider it required if we're on Linux and the user explicitly specified a non-default value.
+sandbox_shell_required = sandbox_shell != 'busybox' and host_machine.system() == 'linux'
+# NOTE(Qyriad): package.nix puts busybox in buildInputs for Linux.
+# Most builds should not require setting this.
+busybox = find_program(sandbox_shell, required : sandbox_shell_required, native : false)
+if not busybox.found() and host_machine.system() == 'linux' and sandbox_shell_required
+  warning('busybox not found and other sandbox shell was specified')
+  warning('a sandbox shell is recommended on Linux -- configure with -Dsandbox-shell=/path/to/shell to set')
+endif
+# FIXME(Qyriad): the autoconf system checks that busybox has the "standalone" feature, indicating
+# that busybox sh won't run busybox applets as builtins (which would break our sandbox).
+
+lsof = find_program('lsof')
+bison = find_program('bison')
+flex = find_program('flex')
+
+# This is how Nix does generated headers...
+# FIXME(Qyriad): do we really need to use the shell for this?
+gen_header = generator(
+  bash,
+  arguments : [
+    '-c',
+    'echo \'R"__NIX_STR(\' | cat - @INPUT@ && echo \')__NIX_STR"\'',
+  ],
+  capture : true,
+  output : '@PLAINNAME@.gen.hh',
+)
+
+#
+# Configuration
+#
+
+run_command('ln', '-s',
+  meson.project_build_root() / '__nothing_link_target',
+  meson.project_build_root() / '__nothing_symlink',
+  check : true,
+)
+can_link_symlink = run_command('ln',
+  meson.project_build_root() / '__nothing_symlink',
+  meson.project_build_root() / '__nothing_hardlink',
+  check : false,
+).returncode() == 0
+run_command('rm', '-f',
+  meson.project_build_root() / '__nothing_symlink',
+  meson.project_build_root() / '__nothing_hardlink',
+  check : true,
+)
+summary('can hardlink to symlink', can_link_symlink, bool_yn : true)
+configdata += { 'CAN_LINK_SYMLINK': can_link_symlink.to_int() }
+
+
+# Check for each of these functions, and create a define like `#define HAVE_LCHOWN 1`.
+check_funcs = [
+  'lchown',
+  'lutimes',
+  'pipe2',
+  'posix_fallocate',
+  'statvfs',
+  'strsignal',
+  'sysconf',
+]
+foreach funcspec : check_funcs
+  define_name = 'HAVE_' + funcspec.underscorify().to_upper()
+  define_value = cxx.has_function(funcspec).to_int()
+  configdata += {
+    define_name: define_value,
+  }
+endforeach
+
+config_h = configure_file(
+  configuration : {
+    'PACKAGE_NAME': '"' + meson.project_name() + '"',
+    'PACKAGE_VERSION': '"' + meson.project_version() + '"',
+    'PACKAGE_TARNAME': '"' + meson.project_name() + '"',
+    'PACKAGE_STRING': '"' + meson.project_name() + ' ' + meson.project_version() + '"',
+    'HAVE_STRUCT_DIRENT_D_TYPE': 1, # FIXME: actually check this for solaris
+    'SYSTEM': '"' + host_system + '"',
+  } + configdata,
+  output : 'config.h',
+)
+
+install_headers(config_h, subdir : 'nix')
+
+add_project_arguments(
+  # TODO(Qyriad): Yes this is how the autoconf+Make system did it.
+  # It would be nice for our headers to be idempotent instead.
+  '-include', 'config.h',
+  '-Wno-deprecated-declarations',
+  '-Wimplicit-fallthrough',
+  '-Werror=switch',
+  '-Werror=switch-enum',
+  language : 'cpp',
+)
+
+add_project_link_arguments('-pthread', language : 'cpp')
+if cxx.get_linker_id() in ['ld.bfd', 'ld.gold']
+  add_project_link_arguments('-Wl,--no-copy-dt-needed-entries', language : 'cpp')
+endif
+
+subdir('src')

meson.options

@@ -0,0 +1,32 @@
+# vim: filetype=meson
+option('gc', type : 'feature',
+  description : 'enable garbage collection in the Nix expression evaluator (requires Boehm GC)',
+)
+# TODO(Qyriad): is this feature maintained?
+option('embedded-sandbox-shell', type : 'feature',
+  description : 'include the sandbox shell in the Nix binary',
+)
+
+option('cpuid', type : 'feature',
+  description : 'determine microarchitecture levels with libcpuid (only relevant on x86_64)',
+)
+
+option('seccomp-sandboxing', type : 'feature',
+  description : 'build support for seccomp sandboxing (recommended unless your arch doesn\'t support libseccomp, only relevant on Linux)',
+)
+
+option('sandbox-shell', type : 'string', value : 'busybox',
+  description : 'path to a statically-linked shell to use as /bin/sh in sandboxes (usually busybox)',
+)
+
+option('store-dir', type : 'string', value : '/nix/store',
+  description : 'path of the Nix store',
+)
+
+option('state-dir', type : 'string', value : '/nix/var/nix',
+  description : 'path to store state in for Nix',
+)
+
+option('log-dir', type : 'string', value : '/nix/var/log',
+  description : 'path to store logs in for Nix',
+)

meson/cleanup-install.bash

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Meson will call this with an absolute path to Bash.
+# The shebang is just for convenience.
+
+# The parser and lexer tab are generated via custom Meson targets in src/libexpr/meson.build,
+# but Meson doesn't support marking only part of a target for install. The generation creates
+# both headers (parser-tab.hh, lexer-tab.hh) and source files (parser-tab.cc, lexer-tab.cc),
+# and we definitely want the former installed, but not the latter. This script is added to
+# Meson's install steps to correct this, as the logic for it is just complex enough to
+# warrant separate and careful handling, because both Meson's configured include directory
+# may or may not be an absolute path, and DESTDIR may or may not be set at all, but can't be
+# manipulated in Meson logic.
+
+set -euo pipefail
+
+echo "cleanup-install: removing Meson-placed C++ sources from dest includedir"
+
+if [[ "${1/--help/}" != "$1" ]]; then
+	echo "cleanup-install: this script should only be called from the Meson build system"
+	exit 1
+fi
+
+# Ensure the includedir was passed as the first argument
+# (set -u will make this fail otherwise).
+includedir="$1"
+# And then ensure that first argument is a directory that exists.
+if ! [[ -d "$1" ]]; then
+	echo "cleanup-install: this script should only be called from the Meson build system"
+	echo "argv[1] (${1@Q}) is not a directory"
+	exit 2
+fi
+
+# If DESTDIR environment variable is set, prepend it to the include dir.
+# Unfortunately, we cannot do this on the Meson side. We do have an environment variable
+# `MESON_INSTALL_DESTDIR_PREFIX`, but that will not refer to the include directory if
+# includedir has been set separately, which Lix's split-output derivation does.
+# We also cannot simply do an inline bash conditional like "${DESTDIR:=}" or similar,
+# because we need to specifically *join* DESTDIR and includedir with a slash, and *not*
+# have a slash if DESTDIR isn't set at all, since $includedir could be a relative directory.
+# Finally, DESTDIR is only available to us as an environment variable in these install scripts,
+# not in Meson logic.
+# Therefore, our best option is to have Meson pass this script the configured includedir,
+# and perform this dance with it and $DESTDIR.
+if [[ -n "${DESTDIR:-}" ]]; then
+	includedir="$DESTDIR/$includedir"
+fi
+
+# Intentionally not using -f.
+# If these files don't exist then our assumptions have been violated and we should fail.
+rm -v "$includedir/nix/parser-tab.cc" "$includedir/nix/lexer-tab.cc"

misc/changelog-d.cabal.nix

@@ -0,0 +1,31 @@
+{ mkDerivation, aeson, base, bytestring, cabal-install-parsers
+, Cabal-syntax, containers, directory, filepath, frontmatter
+, generic-lens-lite, lib, mtl, optparse-applicative, parsec, pretty
+, regex-applicative, text, pkgs
+}:
+let rev = "f30f6969e9cd8b56242309639d58acea21c99d06";
+in
+mkDerivation {
+  pname = "changelog-d";
+  version = "0.1";
+  src = pkgs.fetchurl {
+    name = "changelog-d-${rev}.tar.gz";
+    url = "https://codeberg.org/roberth/changelog-d/archive/${rev}.tar.gz";
+    hash = "sha256-8a2+i5u7YoszAgd5OIEW0eYUcP8yfhtoOIhLJkylYJ4=";
+  } // { inherit rev; };
+  isLibrary = false;
+  isExecutable = true;
+  libraryHaskellDepends = [
+    aeson base bytestring cabal-install-parsers Cabal-syntax containers
+    directory filepath frontmatter generic-lens-lite mtl parsec pretty
+    regex-applicative text
+  ];
+  executableHaskellDepends = [
+    base bytestring Cabal-syntax directory filepath
+    optparse-applicative
+  ];
+  doHaddock = false;
+  description = "Concatenate changelog entries into a single one";
+  license = lib.licenses.gpl3Plus;
+  mainProgram = "changelog-d";
+}

misc/changelog-d.nix

@@ -0,0 +1,31 @@
+# Taken temporarily from <nixpkgs/pkgs/by-name/ch/changelog-d/package.nix>
+{
+  callPackage,
+  lib,
+  haskell,
+  haskellPackages,
+}:
+
+let
+  hsPkg = haskellPackages.callPackage ./changelog-d.cabal.nix { };
+
+  addCompletions = haskellPackages.generateOptparseApplicativeCompletions ["changelog-d"];
+
+  haskellModifications =
+    lib.flip lib.pipe [
+      addCompletions
+      haskell.lib.justStaticExecutables
+    ];
+
+  mkDerivationOverrides = finalAttrs: oldAttrs: {
+
+    version = oldAttrs.version + "-git-${lib.strings.substring 0 7 oldAttrs.src.rev}";
+
+    meta = oldAttrs.meta // {
+      homepage = "https://codeberg.org/roberth/changelog-d";
+      maintainers = [ lib.maintainers.roberth ];
+    };
+
+  };
+in
+  (haskellModifications hsPkg).overrideAttrs mkDerivationOverrides

misc/upstart/local.mk

@@ -1,7 +0,0 @@
-ifdef HOST_LINUX
-
-  $(foreach n, nix-daemon.conf, $(eval $(call install-file-in, $(d)/$(n), $(sysconfdir)/init, 0644)))
-
-  clean-files += $(d)/nix-daemon.conf
-
-endif

misc/upstart/nix-daemon.conf.in

@@ -1,5 +0,0 @@
-description "Nix Daemon"
-start on filesystem
-stop on shutdown
-respawn
-exec @bindir@/nix-daemon --daemon

mk/build-dir.mk

@@ -0,0 +1,10 @@
+# Initialise support for build directories.
+builddir ?=
+
+ifdef builddir
+  buildprefix = $(builddir)/
+  buildprefixrel = $(builddir)
+else
+  buildprefix =
+  buildprefixrel = .
+endif

mk/cxx-big-literal.mk

@@ -1,5 +1,5 @@
 %.gen.hh: %
-	@echo 'R"foo(' >> $@.tmp
+	@echo 'R"__NIX_STR(' >> $@.tmp
 	$(trace-gen) cat $< >> $@.tmp
-	@echo ')foo"' >> $@.tmp
+	@echo ')__NIX_STR"' >> $@.tmp
 	@mv $@.tmp $@

mk/install-dirs.mk

@@ -0,0 +1,11 @@
+# Default installation paths.
+prefix ?= /usr/local
+libdir ?= $(prefix)/lib
+bindir ?= $(prefix)/bin
+libexecdir ?= $(prefix)/libexec
+datadir ?= $(prefix)/share
+localstatedir ?= $(prefix)/var
+sysconfdir ?= $(prefix)/etc
+mandir ?= $(prefix)/share/man
+
+DESTDIR ?=

mk/lib.mk

@@ -43,27 +43,6 @@ define newline
 endef
 
 
-# Default installation paths.
-prefix ?= /usr/local
-libdir ?= $(prefix)/lib
-bindir ?= $(prefix)/bin
-libexecdir ?= $(prefix)/libexec
-datadir ?= $(prefix)/share
-localstatedir ?= $(prefix)/var
-sysconfdir ?= $(prefix)/etc
-mandir ?= $(prefix)/share/man
-
-
-# Initialise support for build directories.
-builddir ?=
-
-ifdef builddir
-  buildprefix = $(builddir)/
-else
-  buildprefix =
-endif
-
-
 # Pass -fPIC if we're building dynamic libraries.
 BUILD_SHARED_LIBS ?= 1
 
@@ -94,6 +73,8 @@ ifeq ($(BUILD_DEBUG), 1)
 endif
 
 
+include mk/build-dir.mk
+include mk/install-dirs.mk
 include mk/functions.mk
 include mk/tracing.mk
 include mk/clean.mk
@@ -112,7 +93,7 @@ define include-sub-makefile
   include $(1)
 endef
 
-$(foreach mf, $(makefiles), $(eval $(call include-sub-makefile, $(mf))))
+$(foreach mf, $(makefiles), $(eval $(call include-sub-makefile,$(mf))))
 
 
 # Instantiate stuff.
@@ -132,6 +113,10 @@ $(foreach test-group, $(install-tests-groups), \
     $(eval $(call run-install-test,$(test))) \
     $(eval $(test-group).test-group: $(test).test)))
 
+# Include makefiles requiring built programs.
+$(foreach mf, $(makefiles-late), $(eval $(call include-sub-makefile,$(mf))))
+
+
 $(foreach file, $(man-pages), $(eval $(call install-data-in, $(file), $(mandir)/man$(patsubst .%,%,$(suffix $(file))))))
 
 

mk/programs.mk

@@ -6,6 +6,9 @@ programs-list :=
 # - $(1)_NAME: the name of the program (e.g. ‘foo’); defaults to
 #   $(1).
 #
+# - $(1)_ENV: environment variables to set when running the program
+#   from the Makefile using the $(1)_RUN target.
+#
 # - $(1)_DIR: the directory where the (non-installed) program will be
 #   placed.
 #
@@ -87,6 +90,6 @@ define build-program
   # Phony target to run this program (typically as a dependency of 'check').
   .PHONY: $(1)_RUN
   $(1)_RUN: $$($(1)_PATH)
-	$(trace-test) $$($(1)_PATH)
+	$(trace-test) $$($(1)_ENV) $$($(1)_PATH)
 
 endef

mk/templates.mk

@@ -10,10 +10,10 @@ endef
 
 ifneq ($(MAKECMDGOALS), clean)
 
-%.h: %.h.in
-	$(trace-gen) rm -f $@ && ./config.status --quiet --header=$@
+$(buildprefix)%.h: %.h.in
+	$(trace-gen) rm -f $@ && cd $(buildprefixrel) && ./config.status --quiet --header=$(@:$(buildprefix)%=%)
 
-%: %.in
-	$(trace-gen) rm -f $@ && ./config.status --quiet --file=$@
+$(buildprefix)%: %.in
+	$(trace-gen) rm -f $@ && cd $(buildprefixrel) && ./config.status --quiet --file=$(@:$(buildprefix)%=%)
 
 endif

package.nix

@@ -0,0 +1,293 @@
+{
+  pkgs,
+  lib,
+  stdenv,
+  autoconf-archive,
+  autoreconfHook,
+  aws-sdk-cpp,
+  boehmgc,
+  nlohmann_json,
+  bison,
+  changelog-d,
+  boost,
+  brotli,
+  bzip2,
+  curl,
+  doxygen,
+  editline,
+  fileset,
+  flex,
+  git,
+  gtest,
+  jq,
+  libarchive,
+  libcpuid,
+  libseccomp,
+  libsodium,
+  lsof,
+  lowdown,
+  mdbook,
+  mdbook-linkcheck,
+  mercurial,
+  meson,
+  ninja,
+  openssl,
+  pkg-config,
+  rapidcheck,
+  sqlite,
+  util-linuxMinimal ? utillinuxMinimal,
+  utillinuxMinimal ? null,
+  xz,
+
+  busybox-sandbox-shell,
+
+  pname ? "nix",
+  versionSuffix ? "",
+  officialRelease ? true,
+  # Set to true to build the release notes for the next release.
+  buildUnreleasedNotes ? false,
+  internalApiDocs ? false,
+  # Avoid setting things that would interfere with a functioning devShell
+  forDevShell ? false,
+
+  # FIXME(Qyriad): build Lix using Meson instead of autoconf and make.
+  # This flag will be removed when the migration to Meson is complete.
+  buildWithMeson ? false,
+
+  # Not a real argument, just the only way to approximate let-binding some
+  # stuff for argument defaults.
+  __forDefaults ? {
+    canRunInstalled = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
+  },
+}: let
+  inherit (__forDefaults) canRunInstalled;
+
+  version = lib.fileContents ./.version + versionSuffix;
+
+  aws-sdk-cpp-nix = aws-sdk-cpp.override {
+    apis = [ "s3" "transfer" ];
+    customMemoryManagement = false;
+  };
+
+  testConfigureFlags = [
+    "RAPIDCHECK_HEADERS=${lib.getDev rapidcheck}/extras/gtest/include"
+  ];
+
+  # The internal API docs need these for the build, but if we're not building
+  # Nix itself, then these don't need to be propagated.
+  maybePropagatedInputs = [
+    boehmgc
+    nlohmann_json
+  ];
+
+  # .gitignore has already been processed, so any changes in it are irrelevant
+  # at this point. It is not represented verbatim for test purposes because
+  # that would interfere with repo semantics.
+  baseFiles = fileset.fileFilter (f: f.name != ".gitignore") ./.;
+
+  configureFiles = fileset.unions [
+    ./.version
+    ./configure.ac
+    ./m4
+    # TODO: do we really need README.md? It doesn't seem used in the build.
+    ./README.md
+  ];
+
+  topLevelBuildFiles = fileset.unions ([
+    ./local.mk
+    ./Makefile
+    ./Makefile.config.in
+    ./mk
+  ] ++ lib.optionals buildWithMeson [
+    ./meson.build
+    ./meson.options
+    ./meson/cleanup-install.bash
+  ]);
+
+ functionalTestFiles = fileset.unions [
+    ./tests/functional
+    ./tests/unit
+    (fileset.fileFilter (f: lib.strings.hasPrefix "nix-profile" f.name) ./scripts)
+ ];
+
+in stdenv.mkDerivation (finalAttrs: {
+  inherit pname version;
+
+  src = fileset.toSource {
+    root = ./.;
+    fileset = fileset.intersection baseFiles (fileset.unions ([
+      configureFiles
+      topLevelBuildFiles
+      functionalTestFiles
+    ] ++ lib.optionals (!finalAttrs.dontBuild || internalApiDocs) [
+      ./boehmgc-coroutine-sp-fallback.diff
+      ./doc
+      ./misc
+      ./precompiled-headers.h
+      ./src
+      ./COPYING
+      ./scripts/local.mk
+    ]));
+  };
+
+  VERSION_SUFFIX = versionSuffix;
+
+  outputs = [ "out" ]
+    ++ lib.optionals (!finalAttrs.dontBuild) [ "dev" "doc" ];
+
+  dontBuild = false;
+
+  # FIXME(Qyriad): see if this is still needed once the migration to Meson is completed.
+  mesonFlags = lib.optionals (buildWithMeson && stdenv.hostPlatform.isLinux) [
+    "-Dsandbox-shell=${lib.getBin busybox-sandbox-shell}/bin/busybox"
+  ];
+
+  nativeBuildInputs = [
+    bison
+    flex
+  ] ++ [
+    (lib.getBin lowdown)
+    mdbook
+    mdbook-linkcheck
+    autoconf-archive
+  ] ++ lib.optional (!buildWithMeson) autoreconfHook ++ [
+    pkg-config
+
+    # Tests
+    git
+    mercurial
+    jq
+    lsof
+  ] ++ lib.optional stdenv.hostPlatform.isLinux util-linuxMinimal
+    ++ lib.optional (!officialRelease && buildUnreleasedNotes) changelog-d
+    ++ lib.optional internalApiDocs doxygen
+    ++ lib.optionals buildWithMeson [
+      meson
+      ninja
+  ];
+
+  buildInputs = [
+    curl
+    bzip2
+    xz
+    brotli
+    editline
+    openssl
+    sqlite
+    libarchive
+    boost
+    lowdown
+    libsodium
+  ]
+    ++ lib.optionals stdenv.hostPlatform.isLinux [ libseccomp busybox-sandbox-shell ]
+    ++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
+    # There have been issues building these dependencies
+    ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) aws-sdk-cpp-nix
+    ++ lib.optionals (finalAttrs.dontBuild) maybePropagatedInputs
+  ;
+
+  checkInputs = [
+    gtest
+    rapidcheck
+  ];
+
+  propagatedBuildInputs = lib.optionals (!finalAttrs.dontBuild) maybePropagatedInputs;
+
+  disallowedReferences = [
+    boost
+  ];
+
+  # Needed for Meson to find Boost.
+  # https://github.com/NixOS/nixpkgs/issues/86131.
+  env = lib.optionalAttrs (buildWithMeson || forDevShell) {
+    BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
+    BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
+  };
+
+  preConfigure = lib.optionalString (!finalAttrs.dontBuild && !stdenv.hostPlatform.isStatic) ''
+    # Copy libboost_context so we don't get all of Boost in our closure.
+    # https://github.com/NixOS/nixpkgs/issues/45462
+    mkdir -p $out/lib
+    cp -pd ${boost}/lib/{libboost_context*,libboost_thread*,libboost_system*} $out/lib
+    rm -f $out/lib/*.a
+  '' + lib.optionalString (!finalAttrs.dontBuild && stdenv.hostPlatform.isLinux) ''
+    chmod u+w $out/lib/*.so.*
+    patchelf --set-rpath $out/lib:${stdenv.cc.cc.lib}/lib $out/lib/libboost_thread.so.*
+  '' + lib.optionalString (!finalAttrs.dontBuild && stdenv.hostPlatform.isDarwin) ''
+    for LIB in $out/lib/*.dylib; do
+      chmod u+w $LIB
+      install_name_tool -id $LIB $LIB
+      install_name_tool -delete_rpath ${boost}/lib/ $LIB || true
+    done
+    install_name_tool -change ${boost}/lib/libboost_system.dylib $out/lib/libboost_system.dylib $out/lib/libboost_thread.dylib
+  '' + ''
+    # Workaround https://github.com/NixOS/nixpkgs/issues/294890.
+    if [[ -n "''${doCheck:-}" ]]; then
+      appendToVar configureFlags "--enable-tests"
+    else
+      appendToVar configureFlags "--disable-tests"
+    fi
+  '';
+
+  configureFlags = lib.optionals stdenv.isLinux [
+    "--with-boost=${boost}/lib"
+    "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox"
+  ] ++ lib.optionals (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) [
+    "LDFLAGS=-fuse-ld=gold"
+  ]
+    ++ lib.optional stdenv.hostPlatform.isStatic "--enable-embedded-sandbox-shell"
+    ++ lib.optionals (finalAttrs.doCheck || internalApiDocs) testConfigureFlags
+    ++ lib.optional (!canRunInstalled) "--disable-doc-gen"
+    ++ [ (lib.enableFeature internalApiDocs "internal-api-docs") ]
+    ++ lib.optional (!forDevShell) "--sysconfdir=/etc";
+
+  mesonBuildType = lib.optional (buildWithMeson || forDevShell) "debugoptimized";
+
+  installTargets = lib.optional internalApiDocs "internal-api-html";
+
+  enableParallelBuilding = true;
+
+  makeFlags = "profiledir=$(out)/etc/profile.d PRECOMPILE_HEADERS=1";
+
+  doCheck = true;
+
+  installFlags = "sysconfdir=$(out)/etc";
+
+  postInstall = lib.optionalString (!finalAttrs.dontBuild) ''
+    mkdir -p $doc/nix-support
+    echo "doc manual $doc/share/doc/nix/manual" >> $doc/nix-support/hydra-build-products
+  '' + lib.optionalString stdenv.hostPlatform.isStatic ''
+    mkdir -p $out/nix-support
+    echo "file binary-dist $out/bin/nix" >> $out/nix-support/hydra-build-products
+  '' + lib.optionalString stdenv.isDarwin ''
+    for lib in libnixutil.dylib libnixexpr.dylib; do
+      install_name_tool \
+        -change "${lib.getLib boost}/lib/libboost_context.dylib" \
+        "$out/lib/libboost_context.dylib" \
+        "$out/lib/$lib"
+    done
+  '' + lib.optionalString internalApiDocs ''
+    mkdir -p $out/nix-support
+    echo "doc internal-api-docs $out/share/doc/nix/internal-api/html" >> "$out/nix-support/hydra-build-products"
+  '';
+
+  doInstallCheck = finalAttrs.doCheck;
+  installCheckFlags = "sysconfdir=$(out)/etc";
+  installCheckTarget = "installcheck"; # work around buggy detection in stdenv
+
+  preInstallCheck = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+  '';
+
+  separateDebugInfo = !stdenv.hostPlatform.isStatic && !finalAttrs.dontBuild;
+
+  strictDeps = true;
+
+  hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
+
+  meta.platforms = lib.platforms.unix;
+
+  passthru.perl-bindings = pkgs.callPackage ./perl {
+    inherit fileset stdenv;
+  };
+})

perl/Makefile

@@ -1,6 +1,12 @@
 makefiles = local.mk
 
-GLOBAL_CXXFLAGS += -g -Wall -std=c++2a -I ../src
+GLOBAL_CXXFLAGS += -g -Wall -std=c++2a
+
+# A convenience for concurrent development of Nix and its Perl bindings.
+# Not needed in a standalone build of the Perl bindings.
+ifneq ("$(wildcard ../src)", "")
+  GLOBAL_CXXFLAGS += -I ../src
+endif
 
 -include Makefile.config
 

perl/default.nix

@@ -0,0 +1,51 @@
+{ lib, fileset
+, stdenv
+, perl, perlPackages
+, autoconf-archive, autoreconfHook, pkg-config
+, nix, curl, bzip2, xz, boost, libsodium, darwin
+}:
+
+perl.pkgs.toPerlModule (stdenv.mkDerivation {
+  name = "nix-perl-${nix.version}";
+
+  src = fileset.toSource {
+    root = ../.;
+    fileset = fileset.unions [
+      ../.version
+      ../m4
+      ../mk
+      ./MANIFEST
+      ./Makefile
+      ./Makefile.config.in
+      ./configure.ac
+      ./lib
+      ./local.mk
+    ];
+  };
+
+  nativeBuildInputs =
+    [ autoconf-archive
+      autoreconfHook
+      pkg-config
+    ];
+
+  buildInputs =
+    [ nix
+      curl
+      bzip2
+      xz
+      perl
+      boost
+    ]
+    ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
+    ++ lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
+
+  configureFlags = [
+    "--with-dbi=${perlPackages.DBI}/${perl.libPrefix}"
+    "--with-dbd-sqlite=${perlPackages.DBDSQLite}/${perl.libPrefix}"
+  ];
+
+  enableParallelBuilding = true;
+
+  postUnpack = "sourceRoot=$sourceRoot/perl";
+})

scripts/bigsur-nixbld-user-migration.sh

@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-((NEW_NIX_FIRST_BUILD_UID=301))
-
-id_available(){
-	dscl . list /Users UniqueID | grep -E '\b'$1'\b' >/dev/null
-}
-
-change_nixbld_names_and_ids(){
-	local name uid next_id
-	((next_id=NEW_NIX_FIRST_BUILD_UID))
-	echo "Attempting to migrate nixbld users."
-	echo "Each user should change from nixbld# to _nixbld#"
-	echo "and their IDs relocated to $next_id+"
-	while read -r name uid; do
-		echo "   Checking $name (uid: $uid)"
-		# iterate for a clean ID
-		while id_available "$next_id"; do
-			((next_id++))
-			if ((next_id >= 400)); then
-				echo "We've hit UID 400 without placing all of your users :("
-				echo "You should use the commands in this script as a starting"
-				echo "point to review your UID-space and manually move the"
-				echo "remaining users (or delete them, if you don't need them)."
-				exit 1
-			fi
-		done
-
-		if [[ $name == _* ]]; then
-			echo "      It looks like $name has already been renamed--skipping."
-		else
-			# first 3 are cleanup, it's OK if they aren't here
-			sudo dscl . delete /Users/$name dsAttrTypeNative:_writers_passwd &>/dev/null || true
-			sudo dscl . change /Users/$name NFSHomeDirectory "/private/var/empty 1" "/var/empty" &>/dev/null || true
-			# remove existing user from group
-			sudo dseditgroup -o edit -t user -d $name nixbld || true
-			sudo dscl . change /Users/$name UniqueID $uid $next_id
-			sudo dscl . change /Users/$name RecordName $name _$name
-			# add renamed user to group
-			sudo dseditgroup -o edit -t user -a _$name nixbld
-			echo "      $name migrated to _$name (uid: $next_id)"
-		fi
-	done < <(dscl . list /Users UniqueID | grep nixbld | sort -n -k2)
-}
-
-change_nixbld_names_and_ids

scripts/check-hydra-status.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-# set -x
-
-
-# mapfile BUILDS_FOR_LATEST_EVAL < <(
-# curl -H 'Accept: application/json' https://hydra.nixos.org/jobset/nix/master/evals | \
-#   jq -r '.evals[0].builds[] | @sh')
-BUILDS_FOR_LATEST_EVAL=$(
-curl -sS -H 'Accept: application/json' https://hydra.nixos.org/jobset/nix/master/evals | \
-  jq -r '.evals[0].builds[]')
-
-someBuildFailed=0
-
-for buildId in $BUILDS_FOR_LATEST_EVAL; do
-  buildInfo=$(curl --fail -sS -H 'Accept: application/json' "https://hydra.nixos.org/build/$buildId")
-
-  finished=$(echo "$buildInfo" | jq -r '.finished')
-
-  if [[ $finished = 0 ]]; then
-    continue
-  fi
-
-  buildStatus=$(echo "$buildInfo" | jq -r '.buildstatus')
-
-  if [[ $buildStatus != 0 ]]; then
-    someBuildFailed=1
-    echo "Job “$(echo "$buildInfo" | jq -r '.job')” failed on hydra: $buildInfo"
-  fi
-done
-
-exit "$someBuildFailed"

scripts/create-darwin-volume.sh

@@ -1,875 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-set -o pipefail
-
-# I'm a little agnostic on the choices, but supporting a wide
-# slate of uses for now, including:
-# - import-only: `. create-darwin-volume.sh no-main[ ...]`
-# - legacy: `./create-darwin-volume.sh` or `. create-darwin-volume.sh`
-#   (both will run main())
-# - external alt-routine: `./create-darwin-volume.sh no-main func[ ...]`
-if [ "${1-}" = "no-main" ]; then
-    shift
-    readonly _CREATE_VOLUME_NO_MAIN=1
-else
-    readonly _CREATE_VOLUME_NO_MAIN=0
-    # declare some things we expect to inherit from install-multi-user
-    # I don't love this (because it's a bit of a kludge).
-    #
-    # CAUTION: (Dec 19 2020)
-    # This is a stopgap. It doesn't cover the full slate of
-    # identifiers we inherit--just those necessary to:
-    # - avoid breaking direct invocations of this script (here/now)
-    # - avoid hard-to-reverse structural changes before the call to rm
-    #   single-user support is verified
-    #
-    # In the near-mid term, I (personally) think we should:
-    # - decide to deprecate the direct call and add a notice
-    # - fold all of this into install-darwin-multi-user.sh
-    # - intentionally remove the old direct-invocation form (kill the
-    #   routine, replace this script w/ deprecation notice and a note
-    #   on the remove-after date)
-    #
-    readonly NIX_ROOT="${NIX_ROOT:-/nix}"
-
-    _sudo() {
-        shift # throw away the 'explanation'
-        /usr/bin/sudo "$@"
-    }
-    failure() {
-        if [ "$*" = "" ]; then
-            cat
-        else
-            echo "$@"
-        fi
-        exit 1
-    }
-    task() {
-        echo "$@"
-    }
-fi
-
-# usually "disk1"
-root_disk_identifier() {
-    # For performance (~10ms vs 280ms) I'm parsing 'diskX' from stat output
-    # (~diskXsY)--but I'm retaining the more-semantic approach since
-    # it documents intent better.
-    # /usr/sbin/diskutil info -plist / | xmllint --xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" -
-    #
-    local special_device
-    special_device="$(/usr/bin/stat -f "%Sd" /)"
-    echo "${special_device%s[0-9]*}"
-}
-
-# make it easy to play w/ 'Case-sensitive APFS'
-readonly NIX_VOLUME_FS="${NIX_VOLUME_FS:-APFS}"
-readonly NIX_VOLUME_LABEL="${NIX_VOLUME_LABEL:-Nix Store}"
-# Strongly assuming we'll make a volume on the device / is on
-# But you can override NIX_VOLUME_USE_DISK to create it on some other device
-readonly NIX_VOLUME_USE_DISK="${NIX_VOLUME_USE_DISK:-$(root_disk_identifier)}"
-NIX_VOLUME_USE_SPECIAL="${NIX_VOLUME_USE_SPECIAL:-}"
-NIX_VOLUME_USE_UUID="${NIX_VOLUME_USE_UUID:-}"
-readonly NIX_VOLUME_MOUNTD_DEST="${NIX_VOLUME_MOUNTD_DEST:-/Library/LaunchDaemons/org.nixos.darwin-store.plist}"
-
-if /usr/bin/fdesetup isactive >/dev/null; then
-    test_filevault_in_use() { return 0; }
-    # no readonly; we may modify if user refuses from cure_volume
-    NIX_VOLUME_DO_ENCRYPT="${NIX_VOLUME_DO_ENCRYPT:-1}"
-else
-    test_filevault_in_use() { return 1; }
-    NIX_VOLUME_DO_ENCRYPT="${NIX_VOLUME_DO_ENCRYPT:-0}"
-fi
-
-should_encrypt_volume() {
-    test_filevault_in_use && (( NIX_VOLUME_DO_ENCRYPT == 1 ))
-}
-
-substep() {
-    printf "   %s\n" "" "- $1" "" "${@:2}"
-}
-
-
-volumes_labeled() {
-    local label="$1"
-    xsltproc --novalid --stringparam label "$label" - <(/usr/sbin/ioreg -ra -c "AppleAPFSVolume") <<'EOF'
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-  <xsl:output method="text"/>
-  <xsl:template match="/">
-    <xsl:apply-templates select="/plist/array/dict/key[text()='IORegistryEntryName']/following-sibling::*[1][text()=$label]/.."/>
-  </xsl:template>
-  <xsl:template match="dict">
-    <xsl:apply-templates match="string" select="key[text()='BSD Name']/following-sibling::*[1]"/>
-    <xsl:text>=</xsl:text>
-    <xsl:apply-templates match="string" select="key[text()='UUID']/following-sibling::*[1]"/>
-    <xsl:text>&#xA;</xsl:text>
-  </xsl:template>
-</xsl:stylesheet>
-EOF
-    # I cut label out of the extracted values, but here it is for reference:
-    # <xsl:apply-templates match="string" select="key[text()='IORegistryEntryName']/following-sibling::*[1]"/>
-    # <xsl:text>=</xsl:text>
-}
-
-right_disk() {
-    local volume_special="$1" # (i.e., disk1s7)
-    [[ "$volume_special" == "$NIX_VOLUME_USE_DISK"s* ]]
-}
-
-right_volume() {
-    local volume_special="$1" # (i.e., disk1s7)
-    # if set, it must match; otherwise ensure it's on the right disk
-    if [ -z "$NIX_VOLUME_USE_SPECIAL" ]; then
-        if right_disk "$volume_special"; then
-            NIX_VOLUME_USE_SPECIAL="$volume_special" # latch on
-            return 0
-        else
-            return 1
-        fi
-    else
-        [ "$volume_special" = "$NIX_VOLUME_USE_SPECIAL" ]
-    fi
-}
-
-right_uuid() {
-    local volume_uuid="$1"
-    # if set, it must match; otherwise allow
-    if [ -z "$NIX_VOLUME_USE_UUID" ]; then
-        NIX_VOLUME_USE_UUID="$volume_uuid" # latch on
-        return 0
-    else
-        [ "$volume_uuid" = "$NIX_VOLUME_USE_UUID" ]
-    fi
-}
-
-cure_volumes() {
-    local found volume special uuid
-    # loop just in case they have more than one volume
-    # (nothing stops you from doing this)
-    for volume in $(volumes_labeled "$NIX_VOLUME_LABEL"); do
-        # CAUTION: this could (maybe) be a more normal read
-        # loop like:
-        #   while IFS== read -r special uuid; do
-        #       # ...
-        #   done <<<"$(volumes_labeled "$NIX_VOLUME_LABEL")"
-        #
-        # I did it with for to skirt a problem with the obvious
-        # pattern replacing stdin and causing user prompts
-        # inside (which also use read and access stdin) to skip
-        #
-        # If there's an existing encrypted volume we can't find
-        # in keychain, the user never gets prompted to delete
-        # the volume, and the install fails.
-        #
-        # If you change this, a human needs to test a very
-        # specific scenario: you already have an encrypted
-        # Nix Store volume, and have deleted its credential
-        # from keychain. Ensure the script asks you if it can
-        # delete the volume, and then prompts for your sudo
-        # password to confirm.
-        #
-        # shellcheck disable=SC1097
-        IFS== read -r special uuid <<< "$volume"
-        # take the first one that's on the right disk
-        if [ -z "${found:-}" ]; then
-            if right_volume "$special" && right_uuid "$uuid"; then
-                cure_volume "$special" "$uuid"
-                found="${special} (${uuid})"
-            else
-                warning <<EOF
-Ignoring ${special} (${uuid}) because I am looking for:
-disk=${NIX_VOLUME_USE_DISK} special=${NIX_VOLUME_USE_SPECIAL:-${NIX_VOLUME_USE_DISK}sX} uuid=${NIX_VOLUME_USE_UUID:-any}
-EOF
-                # TODO: give chance to delete if ! headless?
-            fi
-        else
-            warning <<EOF
-Ignoring ${special} (${uuid}), already found target: $found
-EOF
-            # TODO reminder? I feel like I want one
-            # idiom that reminds some warnings, or warns
-            # some reminders?
-            # TODO: if ! headless, chance to delete?
-        fi
-    done
-    if [ -z "${found:-}" ]; then
-        readonly NIX_VOLUME_USE_SPECIAL NIX_VOLUME_USE_UUID
-    fi
-}
-
-volume_encrypted() {
-    local volume_special="$1" # (i.e., disk1s7)
-    # Trying to match the first line of output; known first lines:
-    # No cryptographic users for <special>
-    # Cryptographic user for <special> (1 found)
-    # Cryptographic users for <special> (2 found)
-    /usr/sbin/diskutil apfs listCryptoUsers -plist "$volume_special" | /usr/bin/grep -q APFSCryptoUserUUID
-}
-
-test_fstab() {
-    /usr/bin/grep -q "$NIX_ROOT apfs rw" /etc/fstab 2>/dev/null
-}
-
-test_nix_root_is_symlink() {
-    [ -L "$NIX_ROOT" ]
-}
-
-test_synthetic_conf_either(){
-    /usr/bin/grep -qE "^${NIX_ROOT:1}($|\t.{3,}$)" /etc/synthetic.conf 2>/dev/null
-}
-
-test_synthetic_conf_mountable() {
-    /usr/bin/grep -q "^${NIX_ROOT:1}$" /etc/synthetic.conf 2>/dev/null
-}
-
-test_synthetic_conf_symlinked() {
-    /usr/bin/grep -qE "^${NIX_ROOT:1}\t.{3,}$" /etc/synthetic.conf 2>/dev/null
-}
-
-test_nix_volume_mountd_installed() {
-    test -e "$NIX_VOLUME_MOUNTD_DEST"
-}
-
-# current volume password
-test_keychain_by_uuid() {
-    local volume_uuid="$1"
-    # Note: doesn't need sudo just to check; doesn't output pw
-    security find-generic-password -s "$volume_uuid" &>/dev/null
-}
-
-get_volume_pass() {
-    local volume_uuid="$1"
-    _sudo \
-        "to confirm keychain has a password that unlocks this volume" \
-        security find-generic-password -s "$volume_uuid" -w
-}
-
-verify_volume_pass() {
-    local volume_special="$1" # (i.e., disk1s7)
-    local volume_uuid="$2"
-    _sudo "to confirm the password actually unlocks the volume" \
-        /usr/sbin/diskutil apfs unlockVolume "$volume_special" -verify -stdinpassphrase -user "$volume_uuid"
-}
-
-volume_pass_works() {
-    local volume_special="$1" # (i.e., disk1s7)
-    local volume_uuid="$2"
-    get_volume_pass "$volume_uuid" | verify_volume_pass "$volume_special" "$volume_uuid"
-}
-
-# Create the paths defined in synthetic.conf, saving us a reboot.
-create_synthetic_objects() {
-    # Big Sur takes away the -B flag we were using and replaces it
-    # with a -t flag that appears to do the same thing (but they
-    # don't behave exactly the same way in terms of return values).
-    # This feels a little dirty, but as far as I can tell the
-    # simplest way to get the right one is to just throw away stderr
-    # and call both... :]
-    {
-        /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t || true # Big Sur
-        /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B || true # Catalina
-    } >/dev/null 2>&1
-}
-
-test_nix() {
-    test -d "$NIX_ROOT"
-}
-
-test_voldaemon() {
-    test -f "$NIX_VOLUME_MOUNTD_DEST"
-}
-
-generate_mount_command() {
-    local cmd_type="$1" # encrypted|unencrypted
-    local volume_uuid mountpoint cmd=()
-    printf -v volume_uuid "%q" "$2"
-    printf -v mountpoint "%q" "$NIX_ROOT"
-
-    case "$cmd_type" in
-        encrypted)
-            cmd=(/bin/sh -c "/usr/bin/security find-generic-password -s '$volume_uuid' -w | /usr/sbin/diskutil apfs unlockVolume '$volume_uuid' -mountpoint '$mountpoint' -stdinpassphrase");;
-        unencrypted)
-            cmd=(/usr/sbin/diskutil mount -mountPoint "$mountpoint" "$volume_uuid");;
-        *)
-            failure "Invalid first arg $cmd_type to generate_mount_command";;
-    esac
-
-    printf "    <string>%s</string>\n" "${cmd[@]}"
-}
-
-generate_mount_daemon() {
-    local cmd_type="$1" # encrypted|unencrypted
-    local volume_uuid="$2"
-    cat <<EOF
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>RunAtLoad</key>
-  <true/>
-  <key>Label</key>
-  <string>org.nixos.darwin-store</string>
-  <key>ProgramArguments</key>
-  <array>
-$(generate_mount_command "$cmd_type" "$volume_uuid")
-  </array>
-</dict>
-</plist>
-EOF
-}
-
-_eat_bootout_err() {
-    /usr/bin/grep -v "Boot-out failed: 36: Operation now in progress"
-}
-
-# TODO: remove with --uninstall?
-uninstall_launch_daemon_directions() {
-    local daemon_label="$1" # i.e., org.nixos.blah-blah
-    local daemon_plist="$2" # abspath
-    substep "Uninstall LaunchDaemon $daemon_label" \
-      "  sudo launchctl bootout system/$daemon_label" \
-      "  sudo rm $daemon_plist"
-}
-
-uninstall_launch_daemon_prompt() {
-    local daemon_label="$1" # i.e., org.nixos.blah-blah
-    local daemon_plist="$2" # abspath
-    local reason_for_daemon="$3"
-    cat <<EOF
-
-The installer adds a LaunchDaemon to $reason_for_daemon: $daemon_label
-EOF
-    if ui_confirm "Can I remove it?"; then
-        _sudo "to terminate the daemon" \
-            launchctl bootout "system/$daemon_label" 2> >(_eat_bootout_err >&2) || true
-            # this can "fail" with a message like:
-            # Boot-out failed: 36: Operation now in progress
-        _sudo "to remove the daemon definition" rm "$daemon_plist"
-    fi
-}
-
-nix_volume_mountd_uninstall_directions() {
-    uninstall_launch_daemon_directions "org.nixos.darwin-store" \
-        "$NIX_VOLUME_MOUNTD_DEST"
-}
-
-nix_volume_mountd_uninstall_prompt() {
-    uninstall_launch_daemon_prompt "org.nixos.darwin-store" \
-        "$NIX_VOLUME_MOUNTD_DEST" \
-        "mount your Nix volume"
-}
-
-# TODO: move nix_daemon to install-darwin-multi-user if/when uninstall_launch_daemon_prompt moves up to install-multi-user
-nix_daemon_uninstall_prompt() {
-    uninstall_launch_daemon_prompt "org.nixos.nix-daemon" \
-        "$NIX_DAEMON_DEST" \
-        "run the nix-daemon"
-}
-
-# TODO: remove with --uninstall?
-nix_daemon_uninstall_directions() {
-    uninstall_launch_daemon_directions "org.nixos.nix-daemon" \
-        "$NIX_DAEMON_DEST"
-}
-
-
-# TODO: remove with --uninstall?
-synthetic_conf_uninstall_directions() {
-    # :1 to strip leading slash
-    substep "Remove ${NIX_ROOT:1} from /etc/synthetic.conf" \
-        "  If nix is the only entry: sudo rm /etc/synthetic.conf" \
-        "  Otherwise: sudo /usr/bin/sed -i '' -e '/^${NIX_ROOT:1}$/d' /etc/synthetic.conf"
-}
-
-synthetic_conf_uninstall_prompt() {
-    cat <<EOF
-
-During install, I add '${NIX_ROOT:1}' to /etc/synthetic.conf, which instructs
-macOS to create an empty root directory for mounting the Nix volume.
-EOF
-    # make the edit to a copy
-    /usr/bin/grep -vE "^${NIX_ROOT:1}($|\t.{3,}$)" /etc/synthetic.conf > "$SCRATCH/synthetic.conf.edit"
-
-    if test_synthetic_conf_symlinked; then
-        warning <<EOF
-
-/etc/synthetic.conf already contains a line instructing your system
-to make '${NIX_ROOT}' as a symlink:
-    $(/usr/bin/grep -nE "^${NIX_ROOT:1}\t.{3,}$" /etc/synthetic.conf)
-
-This may mean your system has/had a non-standard Nix install.
-
-The volume-creation process in this installer is *not* compatible
-with a symlinked store, so I'll have to remove this instruction to
-continue.
-
-If you want/need to keep this instruction, answer 'n' to abort.
-
-EOF
-    fi
-
-    # ask to rm if this left the file empty aside from comments, else edit
-    if /usr/bin/diff -q <(:) <(/usr/bin/grep -v "^#" "$SCRATCH/synthetic.conf.edit") &>/dev/null; then
-        if confirm_rm "/etc/synthetic.conf"; then
-            if test_nix_root_is_symlink; then
-                failure >&2 <<EOF
-I removed /etc/synthetic.conf, but $NIX_ROOT is already a symlink
-(-> $(readlink "$NIX_ROOT")). The system should remove it when you reboot.
-Once you've rebooted, run the installer again.
-EOF
-            fi
-            return 0
-        fi
-    else
-        if confirm_edit "$SCRATCH/synthetic.conf.edit" "/etc/synthetic.conf"; then
-            if test_nix_root_is_symlink; then
-                failure >&2 <<EOF
-I edited Nix out of /etc/synthetic.conf, but $NIX_ROOT is already a symlink
-(-> $(readlink "$NIX_ROOT")). The system should remove it when you reboot.
-Once you've rebooted, run the installer again.
-EOF
-            fi
-            return 0
-        fi
-    fi
-    # fallback instructions
-    echo "Manually remove nix from /etc/synthetic.conf"
-    return 1
-}
-
-add_nix_vol_fstab_line() {
-    local uuid="$1"
-    # shellcheck disable=SC1003,SC2026
-    local escaped_mountpoint="${NIX_ROOT/ /'\\\'040}"
-    shift
-
-    # wrap `ex` to work around problems w/ vim features breaking exit codes
-    # - plugins (see github.com/NixOS/nix/issues/5468): -u NONE
-    # - swap file: -n
-    #
-    # the first draft used `--noplugin`, but github.com/NixOS/nix/issues/6462
-    # suggests we need the less-semantic `-u NONE`
-    #
-    # we'd prefer EDITOR="/usr/bin/ex -u NONE" but vifs doesn't word-split
-    # the EDITOR env.
-    #
-    # TODO: at some point we should switch to `--clean`, but it wasn't added
-    # until https://github.com/vim/vim/releases/tag/v8.0.1554 while the macOS
-    # minver 10.12.6 seems to have released with vim 7.4
-    cat > "$SCRATCH/ex_cleanroom_wrapper" <<EOF
-#!/bin/sh
-/usr/bin/ex -u NONE -n "\$@"
-EOF
-    chmod 755 "$SCRATCH/ex_cleanroom_wrapper"
-
-    EDITOR="$SCRATCH/ex_cleanroom_wrapper" _sudo "to add nix to fstab" "$@" <<EOF
-:a
-UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners
-.
-:x
-EOF
-    # TODO: preserving my notes on suid,owners above until resolved
-    # There *may* be some issue regarding volume ownership, see nix#3156
-    #
-    # It seems like the cheapest fix is adding "suid,owners" to fstab, but:
-    # - We don't have much info on this condition yet
-    # - I'm not certain if these cause other problems?
-    # - There's a "chown" component some people claim to need to fix this
-    #   that I don't understand yet
-    #   (Note however that I've had to add a chown step to handle
-    #   single->multi-user reinstalls, which may cover this)
-    #
-    # I'm not sure if it's safe to approach this way?
-    #
-    # I think I think the most-proper way to test for it is:
-    # diskutil info -plist "$NIX_VOLUME_LABEL" | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1][name()='true']" -; echo $?
-    #
-    # There's also `sudo /usr/sbin/vsdbutil -c /path` (which is much faster, but is also
-    # deprecated and needs minor parsing).
-    #
-    # If no one finds a problem with doing so, I think the simplest approach
-    # is to just eagerly set this. I found a few imperative approaches:
-    # (diskutil enableOwnership, ~100ms), a cheap one (/usr/sbin/vsdbutil -a, ~40-50ms),
-    # a very cheap one (append the internal format to /var/db/volinfo.database).
-    #
-    # But vsdbutil's deprecation notice suggests using fstab, so I want to
-    # give that a whirl first.
-    #
-    # TODO: when this is workable, poke infinisil about reproducing the issue
-    # and confirming this fix?
-}
-
-delete_nix_vol_fstab_line() {
-    # TODO: I'm scaffolding this to handle the new nix volumes
-    # but it might be nice to generalize a smidge further to
-    # go ahead and set up a pattern for curing "old" things
-    # we no longer do?
-    EDITOR="/usr/bin/patch" _sudo "to cut nix from fstab" "$@" < <(/usr/bin/diff /etc/fstab <(/usr/bin/grep -v "$NIX_ROOT apfs rw" /etc/fstab))
-    # leaving some parts out of the grep; people may fiddle this a little?
-}
-
-# TODO: hope to remove with --uninstall
-fstab_uninstall_directions() {
-    substep "Remove ${NIX_ROOT} from /etc/fstab" \
-      "  If nix is the only entry: sudo rm /etc/fstab" \
-      "  Otherwise, run 'sudo /usr/sbin/vifs' to remove the nix line"
-}
-
-fstab_uninstall_prompt() {
-    cat <<EOF
-During install, I add '${NIX_ROOT}' to /etc/fstab so that macOS knows what
-mount options to use for the Nix volume.
-EOF
-    cp /etc/fstab "$SCRATCH/fstab.edit"
-    # technically doesn't need the _sudo path, but throwing away the
-    # output is probably better than mostly-duplicating the code...
-    delete_nix_vol_fstab_line patch "$SCRATCH/fstab.edit" &>/dev/null
-
-    # if the patch test edit, minus comment lines, is equal to empty (:)
-    if /usr/bin/diff -q <(:) <(/usr/bin/grep -v "^#" "$SCRATCH/fstab.edit") &>/dev/null; then
-        # this edit would leave it empty; propose deleting it
-        if confirm_rm "/etc/fstab"; then
-            return 0
-        else
-            echo "Remove nix from /etc/fstab (or remove the file)"
-        fi
-    else
-        echo "I might be able to help you make this edit. Here's the diff:"
-        if ! _diff "/etc/fstab" "$SCRATCH/fstab.edit" && ui_confirm "Does the change above look right?"; then
-            delete_nix_vol_fstab_line /usr/sbin/vifs
-        else
-            echo "Remove nix from /etc/fstab (or remove the file)"
-        fi
-    fi
-}
-
-remove_volume() {
-    local volume_special="$1" # (i.e., disk1s7)
-    _sudo "to unmount the Nix volume" \
-        /usr/sbin/diskutil unmount force "$volume_special" || true # might not be mounted
-    _sudo "to delete the Nix volume" \
-        /usr/sbin/diskutil apfs deleteVolume "$volume_special"
-}
-
-# aspiration: robust enough to both fix problems
-# *and* update older darwin volumes
-cure_volume() {
-    local volume_special="$1" # (i.e., disk1s7)
-    local volume_uuid="$2"
-    header "Found existing Nix volume"
-    row "  special" "$volume_special"
-    row "     uuid" "$volume_uuid"
-
-    if volume_encrypted "$volume_special"; then
-        row "encrypted" "yes"
-        if volume_pass_works "$volume_special" "$volume_uuid"; then
-            NIX_VOLUME_DO_ENCRYPT=0
-            ok "Found a working decryption password in keychain :)"
-            echo ""
-        else
-            # - this is a volume we made, and
-            #   - the user encrypted it on their own
-            #   - something deleted the credential
-            # - this is an old or BYO volume and the pw
-            #   just isn't somewhere we can find it.
-            #
-            # We're going to explain why we're freaking out
-            # and prompt them to either delete the volume
-            # (requiring a sudo auth), or abort to fix
-            warning <<EOF
-
-This volume is encrypted, but I don't see a password to decrypt it.
-The quick fix is to let me delete this volume and make you a new one.
-If that's okay, enter your (sudo) password to continue. If not, you
-can ensure the decryption password is in your system keychain with a
-"Where" (service) field set to this volume's UUID:
-  $volume_uuid
-EOF
-            if password_confirm "delete this volume"; then
-                remove_volume "$volume_special"
-            else
-                # TODO: this is a good design case for a warn-and
-                # remind idiom...
-                failure <<EOF
-Your Nix volume is encrypted, but I couldn't find its password. Either:
-- Delete or rename the volume out of the way
-- Ensure its decryption password is in the system keychain with a
-  "Where" (service) field set to this volume's UUID:
-    $volume_uuid
-EOF
-            fi
-        fi
-    elif test_filevault_in_use; then
-        row "encrypted" "no"
-        warning <<EOF
-FileVault is on, but your $NIX_VOLUME_LABEL volume isn't encrypted.
-EOF
-        # if we're interactive, give them a chance to
-        # encrypt the volume. If not, /shrug
-        if ! headless && (( NIX_VOLUME_DO_ENCRYPT == 1 )); then
-            if ui_confirm "Should I encrypt it and add the decryption key to your keychain?"; then
-                encrypt_volume "$volume_uuid" "$NIX_VOLUME_LABEL"
-                NIX_VOLUME_DO_ENCRYPT=0
-            else
-                NIX_VOLUME_DO_ENCRYPT=0
-                reminder "FileVault is on, but your $NIX_VOLUME_LABEL volume isn't encrypted."
-            fi
-        fi
-    else
-        row "encrypted" "no"
-    fi
-}
-
-remove_volume_artifacts() {
-    if test_synthetic_conf_either; then
-        # NIX_ROOT is in synthetic.conf
-        if synthetic_conf_uninstall_prompt; then
-            # TODO: moot until we tackle uninstall, but when we're
-            # actually uninstalling, we should issue:
-            # reminder "macOS will clean up the empty mount-point directory at $NIX_ROOT on reboot."
-            :
-        fi
-    fi
-    if test_fstab; then
-        fstab_uninstall_prompt
-    fi
-
-    if test_nix_volume_mountd_installed; then
-        nix_volume_mountd_uninstall_prompt
-    fi
-}
-
-setup_synthetic_conf() {
-    if test_nix_root_is_symlink; then
-        if ! test_synthetic_conf_symlinked; then
-            failure >&2 <<EOF
-error: $NIX_ROOT is a symlink (-> $(readlink "$NIX_ROOT")).
-Please remove it. If nix is in /etc/synthetic.conf, remove it and reboot.
-EOF
-        fi
-    fi
-    if ! test_synthetic_conf_mountable; then
-        task "Configuring /etc/synthetic.conf to make a mount-point at $NIX_ROOT" >&2
-        # technically /etc/synthetic.d/nix is supported in Big Sur+
-        # but handling both takes even more code...
-        # See earlier note; `-u NONE` disables vim plugins/rc, `-n` skips swapfile
-        _sudo "to add Nix to /etc/synthetic.conf" \
-            /usr/bin/ex -u NONE -n /etc/synthetic.conf <<EOF
-:a
-${NIX_ROOT:1}
-.
-:x
-EOF
-        if ! test_synthetic_conf_mountable; then
-            failure "error: failed to configure synthetic.conf" >&2
-        fi
-        create_synthetic_objects
-        if ! test_nix; then
-            failure >&2 <<EOF
-error: failed to bootstrap $NIX_ROOT
-If you enabled FileVault after booting, this is likely a known issue
-with macOS that you'll have to reboot to fix. If you didn't enable FV,
-though, please open an issue describing how the system that you see
-this error on was set up.
-EOF
-        fi
-    fi
-}
-
-setup_fstab() {
-    local volume_uuid="$1"
-    # fstab used to be responsible for mounting the volume. Now the last
-    # step adds a LaunchDaemon responsible for mounting. This is technically
-    # redundant for mounting, but diskutil appears to pick up mount options
-    # from fstab (and diskutil's support for specifying them directly is not
-    # consistent across versions/subcommands).
-    if ! test_fstab; then
-        task "Configuring /etc/fstab to specify volume mount options" >&2
-        add_nix_vol_fstab_line "$volume_uuid" /usr/sbin/vifs
-    fi
-}
-
-encrypt_volume() {
-    local volume_uuid="$1"
-    local volume_label="$2"
-    local password
-
-    task "Encrypt the Nix volume" >&2
-
-    # Note: mount/unmount are late additions to support the right order
-    # of operations for creating the volume and then baking its uuid into
-    # other artifacts; not as well-trod wrt to potential errors, race
-    # conditions, etc.
-
-    _sudo "to mount your Nix volume for encrypting" \
-        /usr/sbin/diskutil mount "$volume_label"
-
-    password="$(/usr/bin/xxd -l 32 -p -c 256 /dev/random)"
-    _sudo "to add your Nix volume's password to Keychain" \
-        /usr/bin/security -i <<EOF
-add-generic-password -a "$volume_label" -s "$volume_uuid" -l "$volume_label encryption password" -D "Encrypted volume password" -j "Added automatically by the Nix installer for use by $NIX_VOLUME_MOUNTD_DEST" -w "$password" -T /System/Library/CoreServices/APFSUserAgent -T /System/Library/CoreServices/CSUserAgent -T /usr/bin/security "/Library/Keychains/System.keychain"
-EOF
-    builtin printf "%s" "$password" | _sudo "to actually encrypt your Nix volume" \
-        /usr/sbin/diskutil apfs encryptVolume "$volume_label" -user disk -stdinpassphrase
-
-    _sudo "to unmount the encrypted volume" \
-        /usr/sbin/diskutil unmount force "$volume_label"
-}
-
-create_volume() {
-    # Notes:
-    # 1) using `-nomount` instead of `-mountpoint "$NIX_ROOT"` to get
-    # its UUID and set mount opts in fstab before first mount
-    #
-    # 2) system is in some sense less secure than user keychain... (it's
-    # possible to read the password for decrypting the keychain) but
-    # the user keychain appears to be available too late. As far as I
-    # can tell, the file with this password (/var/db/SystemKey) is
-    # inside the FileVault envelope. If that isn't true, it may make
-    # sense to store the password inside the envelope?
-    #
-    # 3) At some point it would be ideal to have a small binary to serve
-    # as the daemon itself, and for it to replace /usr/bin/security here.
-    #
-    # 4) *UserAgent exemptions should let the system seamlessly supply the
-    # password if noauto is removed from fstab entry. This is intentional;
-    # the user will hopefully look for help if the volume stops mounting,
-    # rather than failing over into subtle race-condition problems.
-    #
-    # 5) If we ever get users griping about not having space to do
-    # anything useful with Nix, it is possibly to specify
-    # `-reserve 10g` or something, which will fail w/o that much
-    #
-    # 6) getting special w/ awk may be fragile, but doing it to:
-    #    - save time over running slow diskutil commands
-    #    - skirt risk we grab wrong volume if multiple match
-    _sudo "to create a new APFS volume '$NIX_VOLUME_LABEL' on $NIX_VOLUME_USE_DISK" \
-        /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount | /usr/bin/awk '/Created new APFS Volume/ {print $5}'
-}
-
-volume_uuid_from_special() {
-    local volume_special="$1" # (i.e., disk1s7)
-    # For reasons I won't pretend to fathom, this returns 253 when it works
-    /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -k "$volume_special" || true
-}
-
-# this sometimes clears immediately, and AFAIK clears
-# within about 1s. diskutil info on an unmounted path
-# fails in around 50-100ms and a match takes about
-# 250-300ms. I suspect it's usually ~250-750ms
-await_volume() {
-    # caution: this could, in theory, get stuck
-    until /usr/sbin/diskutil info "$NIX_ROOT" &>/dev/null; do
-        :
-    done
-}
-
-setup_volume() {
-    local use_special use_uuid profile_packages
-    task "Creating a Nix volume" >&2
-
-    use_special="${NIX_VOLUME_USE_SPECIAL:-$(create_volume)}"
-
-    _sudo "to ensure the Nix volume is not mounted" \
-        /usr/sbin/diskutil unmount force "$use_special" || true # might not be mounted
-
-    use_uuid=${NIX_VOLUME_USE_UUID:-$(volume_uuid_from_special "$use_special")}
-
-    setup_fstab "$use_uuid"
-
-    if should_encrypt_volume; then
-        encrypt_volume "$use_uuid" "$NIX_VOLUME_LABEL"
-        setup_volume_daemon "encrypted" "$use_uuid"
-    # TODO: might be able to save ~60ms by caching or setting
-    # this somewhere rather than re-checking here.
-    elif volume_encrypted "$use_special"; then
-        setup_volume_daemon "encrypted" "$use_uuid"
-    else
-        setup_volume_daemon "unencrypted" "$use_uuid"
-    fi
-
-    await_volume
-
-    if [ "$(/usr/sbin/diskutil info -plist "$NIX_ROOT" | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then
-        _sudo "to set enableOwnership (enabling users to own files)" \
-            /usr/sbin/diskutil enableOwnership "$NIX_ROOT"
-    fi
-
-    # TODO: below is a vague kludge for now; I just don't know
-    # what if any safe action there is to take here. Also, the
-    # reminder isn't very helpful.
-    # I'm less sure where this belongs, but it also wants mounted, pre-install
-    if type -p nix-env; then
-        profile_packages="$(nix-env --query --installed)"
-        # TODO: can probably do below faster w/ read
-        # intentionally unquoted string to eat whitespace in wc output
-        # shellcheck disable=SC2046,SC2059
-        if ! [ $(printf "$profile_packages" | /usr/bin/wc -l) = "0" ]; then
-            reminder <<EOF
-Nix now supports only multi-user installs on Darwin/macOS, and your user's
-Nix profile has some packages in it. These packages may obscure those in the
-default profile, including the Nix this installer will add. You should
-review these packages:
-$profile_packages
-EOF
-        fi
-    fi
-
-}
-
-setup_volume_daemon() {
-    local cmd_type="$1" # encrypted|unencrypted
-    local volume_uuid="$2"
-    if ! test_voldaemon; then
-        task "Configuring LaunchDaemon to mount '$NIX_VOLUME_LABEL'" >&2
-        # See earlier note; `-u NONE` disables vim plugins/rc, `-n` skips swapfile
-        _sudo "to install the Nix volume mounter" /usr/bin/ex -u NONE -n "$NIX_VOLUME_MOUNTD_DEST" <<EOF
-:a
-$(generate_mount_daemon "$cmd_type" "$volume_uuid")
-.
-:x
-EOF
-
-        # TODO: should probably alert the user if this is disabled?
-        _sudo "to launch the Nix volume mounter" \
-            launchctl bootstrap system "$NIX_VOLUME_MOUNTD_DEST" || true
-        # TODO: confirm whether kickstart is necessesary?
-        # I feel a little superstitous, but it can guard
-        # against multiple problems (doesn't start, old
-        # version still running for some reason...)
-        _sudo "to launch the Nix volume mounter" \
-            launchctl kickstart -k system/org.nixos.darwin-store
-    fi
-}
-
-setup_darwin_volume() {
-    setup_synthetic_conf
-    setup_volume
-}
-
-if [ "$_CREATE_VOLUME_NO_MAIN" = 1 ]; then
-    if [ -n "$*" ]; then
-        "$@" # expose functions in case we want multiple routines?
-    fi
-else
-    # no reason to pay for bash to process this
-    main() {
-        {
-            echo ""
-            echo "     ------------------------------------------------------------------ "
-            echo "    | This installer will create a volume for the nix store and        |"
-            echo "    | configure it to mount at $NIX_ROOT.  Follow these steps to uninstall. |"
-            echo "     ------------------------------------------------------------------ "
-            echo ""
-            echo "  1. Remove the entry from fstab using 'sudo /usr/sbin/vifs'"
-            echo "  2. Run 'sudo launchctl bootout system/org.nixos.darwin-store'"
-            echo "  3. Remove $NIX_VOLUME_MOUNTD_DEST"
-            echo "  4. Destroy the data volume using '/usr/sbin/diskutil apfs deleteVolume'"
-            echo "  5. Remove the 'nix' line from /etc/synthetic.conf (or the file)"
-            echo ""
-        } >&2
-
-        setup_darwin_volume
-    }
-
-    main "$@"
-fi

scripts/install-darwin-multi-user.sh

@@ -1,224 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu
-set -o pipefail
-
-readonly NIX_DAEMON_DEST=/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-# create by default; set 0 to DIY, use a symlink, etc.
-readonly NIX_VOLUME_CREATE=${NIX_VOLUME_CREATE:-1} # now default
-NIX_FIRST_BUILD_UID="301"
-NIX_BUILD_USER_NAME_TEMPLATE="_nixbld%d"
-
-# caution: may update times on / if not run as normal non-root user
-read_only_root() {
-    # this touch command ~should~ always produce an error
-    # as of this change I confirmed /usr/bin/touch emits:
-    # "touch: /: Operation not permitted" Monterey
-    # "touch: /: Read-only file system" Catalina+ and Big Sur
-    # "touch: /: Permission denied" Mojave
-    # (not matching prefix for compat w/ coreutils touch in case using
-    # an explicit path causes problems; its prefix differs)
-    case "$(/usr/bin/touch / 2>&1)" in
-        *"Read-only file system") # Catalina, Big Sur
-            return 0
-            ;;
-        *"Operation not permitted") # Monterey
-            return 0
-            ;;
-        *)
-            return 1
-            ;;
-    esac
-
-    # Avoiding the slow semantic way to get this information (~330ms vs ~8ms)
-    # unless using touch causes problems. Just in case, that approach is:
-    # diskutil info -plist / | <find the Writable or WritableVolume keys>, i.e.
-    # diskutil info -plist / | xmllint --xpath "name(/plist/dict/key[text()='Writable']/following-sibling::*[1])" -
-}
-
-if read_only_root && [ "$NIX_VOLUME_CREATE" = 1 ]; then
-    should_create_volume() { return 0; }
-else
-    should_create_volume() { return 1; }
-fi
-
-# shellcheck source=./create-darwin-volume.sh
-. "$EXTRACTED_NIX_PATH/create-darwin-volume.sh" "no-main"
-
-dsclattr() {
-    /usr/bin/dscl . -read "$1" \
-        | /usr/bin/awk "/$2/ { print \$2 }"
-}
-
-test_nix_daemon_installed() {
-  test -e "$NIX_DAEMON_DEST"
-}
-
-poly_cure_artifacts() {
-    if should_create_volume; then
-        task "Fixing any leftover Nix volume state"
-        cat <<EOF
-Before I try to install, I'll check for any existing Nix volume config
-and ask for your permission to remove it (so that the installer can
-start fresh). I'll also ask for permission to fix any issues I spot.
-EOF
-        cure_volumes
-        remove_volume_artifacts
-    fi
-}
-
-poly_service_installed_check() {
-    if should_create_volume; then
-        test_nix_daemon_installed || test_nix_volume_mountd_installed
-    else
-        test_nix_daemon_installed
-    fi
-}
-
-poly_service_uninstall_directions() {
-    echo "$1. Remove macOS-specific components:"
-    if should_create_volume && test_nix_volume_mountd_installed; then
-        nix_volume_mountd_uninstall_directions
-    fi
-    if test_nix_daemon_installed; then
-        nix_daemon_uninstall_directions
-    fi
-}
-
-poly_service_setup_note() {
-    if should_create_volume; then
-        echo " - create a Nix volume and a LaunchDaemon to mount it"
-    fi
-    echo " - create a LaunchDaemon (at $NIX_DAEMON_DEST) for nix-daemon"
-    echo ""
-}
-
-poly_extra_try_me_commands() {
-    :
-}
-
-poly_configure_nix_daemon_service() {
-    task "Setting up the nix-daemon LaunchDaemon"
-    _sudo "to set up the nix-daemon as a LaunchDaemon" \
-          /usr/bin/install -m -rw-r--r-- "/nix/var/nix/profiles/default$NIX_DAEMON_DEST" "$NIX_DAEMON_DEST"
-
-    _sudo "to load the LaunchDaemon plist for nix-daemon" \
-          launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist
-
-    _sudo "to start the nix-daemon" \
-          launchctl kickstart -k system/org.nixos.nix-daemon
-}
-
-poly_group_exists() {
-    /usr/bin/dscl . -read "/Groups/$1" > /dev/null 2>&1
-}
-
-poly_group_id_get() {
-    dsclattr "/Groups/$1" "PrimaryGroupID"
-}
-
-poly_create_build_group() {
-    _sudo "Create the Nix build group, $NIX_BUILD_GROUP_NAME" \
-          /usr/sbin/dseditgroup -o create \
-          -r "Nix build group for nix-daemon" \
-          -i "$NIX_BUILD_GROUP_ID" \
-          "$NIX_BUILD_GROUP_NAME" >&2
-}
-
-poly_user_exists() {
-    /usr/bin/dscl . -read "/Users/$1" > /dev/null 2>&1
-}
-
-poly_user_id_get() {
-    dsclattr "/Users/$1" "UniqueID"
-}
-
-poly_user_hidden_get() {
-    dsclattr "/Users/$1" "IsHidden"
-}
-
-poly_user_hidden_set() {
-    _sudo "in order to make $1 a hidden user" \
-          /usr/bin/dscl . -create "/Users/$1" "IsHidden" "1"
-}
-
-poly_user_home_get() {
-    dsclattr "/Users/$1" "NFSHomeDirectory"
-}
-
-poly_user_home_set() {
-    # This can trigger a permission prompt now:
-    # "Terminal" would like to administer your computer. Administration can include modifying passwords, networking, and system settings.
-    _sudo "in order to give $1 a safe home directory" \
-          /usr/bin/dscl . -create "/Users/$1" "NFSHomeDirectory" "$2"
-}
-
-poly_user_note_get() {
-    dsclattr "/Users/$1" "RealName"
-}
-
-poly_user_note_set() {
-    _sudo "in order to give $username a useful note" \
-          /usr/bin/dscl . -create "/Users/$1" "RealName" "$2"
-}
-
-poly_user_shell_get() {
-    dsclattr "/Users/$1" "UserShell"
-}
-
-poly_user_shell_set() {
-    _sudo "in order to give $1 a safe shell" \
-          /usr/bin/dscl . -create "/Users/$1" "UserShell" "$2"
-}
-
-poly_user_in_group_check() {
-    username=$1
-    group=$2
-    /usr/sbin/dseditgroup -o checkmember -m "$username" "$group" > /dev/null 2>&1
-}
-
-poly_user_in_group_set() {
-    username=$1
-    group=$2
-
-    _sudo "Add $username to the $group group"\
-          /usr/sbin/dseditgroup -o edit -t user \
-          -a "$username" "$group"
-}
-
-poly_user_primary_group_get() {
-    dsclattr "/Users/$1" "PrimaryGroupID"
-}
-
-poly_user_primary_group_set() {
-    _sudo "to let the nix daemon use this user for builds (this might seem redundant, but there are two concepts of group membership)" \
-          /usr/bin/dscl . -create "/Users/$1" "PrimaryGroupID" "$2"
-}
-
-poly_create_build_user() {
-    username=$1
-    uid=$2
-    builder_num=$3
-
-    _sudo "Creating the Nix build user (#$builder_num), $username" \
-          /usr/bin/dscl . create "/Users/$username" \
-          UniqueID "${uid}"
-}
-
-poly_prepare_to_install() {
-    if should_create_volume; then
-        header "Preparing a Nix volume"
-        # intentional indent below to match task indent
-        cat <<EOF
-    Nix traditionally stores its data in the root directory $NIX_ROOT, but
-    macOS now (starting in 10.15 Catalina) has a read-only root directory.
-    To support Nix, I will create a volume and configure macOS to mount it
-    at $NIX_ROOT.
-EOF
-        setup_darwin_volume
-    fi
-
-    if [ "$(/usr/sbin/diskutil info -plist /nix | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then
-        failure "This script needs a /nix volume with global permissions! This may require running sudo /usr/sbin/diskutil enableOwnership /nix."
-    fi
-}

scripts/install-nix-from-closure.sh

@@ -1,284 +0,0 @@
-#!/bin/sh
-
-set -e
-
-umask 0022
-
-dest="/nix"
-self="$(dirname "$0")"
-nix="@nix@"
-cacert="@cacert@"
-
-
-if ! [ -e "$self/.reginfo" ]; then
-    echo "$0: incomplete installer (.reginfo is missing)" >&2
-fi
-
-if [ -z "$USER" ] && ! USER=$(id -u -n); then
-    echo "$0: \$USER is not set" >&2
-    exit 1
-fi
-
-if [ -z "$HOME" ]; then
-    echo "$0: \$HOME is not set" >&2
-    exit 1
-fi
-
-# macOS support for 10.12.6 or higher
-if [ "$(uname -s)" = "Darwin" ]; then
-    IFS='.' read -r macos_major macos_minor macos_patch << EOF
-$(sw_vers -productVersion)
-EOF
-    if [ "$macos_major" -lt 10 ] || { [ "$macos_major" -eq 10 ] && [ "$macos_minor" -lt 12 ]; } || { [ "$macos_minor" -eq 12 ] && [ "$macos_patch" -lt 6 ]; }; then
-        # patch may not be present; command substitution for simplicity
-        echo "$0: macOS $(sw_vers -productVersion) is not supported, upgrade to 10.12.6 or higher"
-        exit 1
-    fi
-fi
-
-# Determine if we could use the multi-user installer or not
-if [ "$(uname -s)" = "Linux" ]; then
-    echo "Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation" >&2
-fi
-
-case "$(uname -s)" in
-    "Darwin")
-        INSTALL_MODE=daemon;;
-    *)
-        INSTALL_MODE=no-daemon;;
-esac
-
-# space-separated string
-ACTIONS=
-
-# handle the command line flags
-while [ $# -gt 0 ]; do
-    case $1 in
-        --daemon)
-            INSTALL_MODE=daemon
-            ACTIONS="${ACTIONS}install "
-            ;;
-        --no-daemon)
-            if [ "$(uname -s)" = "Darwin" ]; then
-                printf '\e[1;31mError: --no-daemon installs are no-longer supported on Darwin/macOS!\e[0m\n' >&2
-                exit 1
-            fi
-            INSTALL_MODE=no-daemon
-            # intentional tail space
-            ACTIONS="${ACTIONS}install "
-            ;;
-        # --uninstall)
-        #     # intentional tail space
-        #     ACTIONS="${ACTIONS}uninstall "
-        #     ;;
-        --yes)
-            export NIX_INSTALLER_YES=1;;
-        --no-channel-add)
-            export NIX_INSTALLER_NO_CHANNEL_ADD=1;;
-        --daemon-user-count)
-            export NIX_USER_COUNT=$2
-            shift;;
-        --no-modify-profile)
-            NIX_INSTALLER_NO_MODIFY_PROFILE=1;;
-        --darwin-use-unencrypted-nix-store-volume)
-            {
-                echo "Warning: the flag --darwin-use-unencrypted-nix-store-volume"
-                echo "         is no longer needed and will be removed in the future."
-                echo ""
-            } >&2;;
-        --nix-extra-conf-file)
-            # shellcheck disable=SC2155
-            export NIX_EXTRA_CONF="$(cat "$2")"
-            shift;;
-        *)
-            {
-                echo "Nix Installer [--daemon|--no-daemon] [--daemon-user-count INT] [--yes] [--no-channel-add] [--no-modify-profile] [--nix-extra-conf-file FILE]"
-
-                echo "Choose installation method."
-                echo ""
-                echo " --daemon:    Installs and configures a background daemon that manages the store,"
-                echo "              providing multi-user support and better isolation for local builds."
-                echo "              Both for security and reproducibility, this method is recommended if"
-                echo "              supported on your platform."
-                echo "              See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation"
-                echo ""
-                echo " --no-daemon: Simple, single-user installation that does not require root and is"
-                echo "              trivial to uninstall."
-                echo "              (default)"
-                echo ""
-                echo " --yes:               Run the script non-interactively, accepting all prompts."
-                echo ""
-                echo " --no-channel-add:    Don't add any channels. nixpkgs-unstable is installed by default."
-                echo ""
-                echo " --no-modify-profile: Don't modify the user profile to automatically load nix."
-                echo ""
-                echo " --daemon-user-count: Number of build users to create. Defaults to 32."
-                echo ""
-                echo " --nix-extra-conf-file: Path to nix.conf to prepend when installing /etc/nix/nix.conf"
-                echo ""
-                if [ -n "${INVOKED_FROM_INSTALL_IN:-}" ]; then
-                    echo " --tarball-url-prefix URL: Base URL to download the Nix tarball from."
-                fi
-            } >&2
-
-            exit;;
-    esac
-    shift
-done
-
-if [ "$INSTALL_MODE" = "daemon" ]; then
-    printf '\e[1;31mSwitching to the Multi-user Installer\e[0m\n'
-    exec "$self/install-multi-user" $ACTIONS # let ACTIONS split
-    exit 0
-fi
-
-if [ "$(id -u)" -eq 0 ]; then
-    printf '\e[1;31mwarning: installing Nix as root is not supported by this script!\e[0m\n'
-fi
-
-echo "performing a single-user installation of Nix..." >&2
-
-if ! [ -e "$dest" ]; then
-    cmd="mkdir -m 0755 $dest && chown $USER $dest"
-    echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
-    if ! sudo sh -c "$cmd"; then
-        echo "$0: please manually run '$cmd' as root to create $dest" >&2
-        exit 1
-    fi
-fi
-
-if ! [ -w "$dest" ]; then
-    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nixos.org/manual/nix/stable/installation/multi-user.html. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
-    exit 1
-fi
-
-# The auto-chroot code in openFromNonUri() checks for the
-# non-existence of /nix/var/nix, so we need to create it here.
-mkdir -p "$dest/store" "$dest/var/nix"
-
-printf "copying Nix to %s..." "${dest}/store" >&2
-# Insert a newline if no progress is shown.
-if [ ! -t 0 ]; then
-  echo ""
-fi
-
-for i in $(cd "$self/store" >/dev/null && echo ./*); do
-    if [ -t 0 ]; then
-      printf "." >&2
-    fi
-    i_tmp="$dest/store/$i.$$"
-    if [ -e "$i_tmp" ]; then
-        rm -rf "$i_tmp"
-    fi
-    if ! [ -e "$dest/store/$i" ]; then
-        cp -RPp "$self/store/$i" "$i_tmp"
-        chmod -R a-w "$i_tmp"
-        chmod +w "$i_tmp"
-        mv "$i_tmp" "$dest/store/$i"
-        chmod -w "$dest/store/$i"
-    fi
-done
-echo "" >&2
-
-if ! "$nix/bin/nix-store" --load-db < "$self/.reginfo"; then
-    echo "$0: unable to register valid paths" >&2
-    exit 1
-fi
-
-# shellcheck source=./nix-profile.sh.in
-. "$nix/etc/profile.d/nix.sh"
-
-NIX_LINK="$HOME/.nix-profile"
-
-if ! "$nix/bin/nix-env" -i "$nix"; then
-    echo "$0: unable to install Nix into your default profile" >&2
-    exit 1
-fi
-
-# Install an SSL certificate bundle.
-if [ -z "$NIX_SSL_CERT_FILE" ] || ! [ -f "$NIX_SSL_CERT_FILE" ]; then
-    "$nix/bin/nix-env" -i "$cacert"
-    export NIX_SSL_CERT_FILE="$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
-fi
-
-# Subscribe the user to the Nixpkgs channel and fetch it.
-if [ -z "$NIX_INSTALLER_NO_CHANNEL_ADD" ]; then
-    if ! "$nix/bin/nix-channel" --list | grep -q "^nixpkgs "; then
-        "$nix/bin/nix-channel" --add https://nixos.org/channels/nixpkgs-unstable
-    fi
-    if [ -z "$_NIX_INSTALLER_TEST" ]; then
-        if ! "$nix/bin/nix-channel" --update nixpkgs; then
-            echo "Fetching the nixpkgs channel failed. (Are you offline?)"
-            echo "To try again later, run \"nix-channel --update nixpkgs\"."
-        fi
-    fi
-fi
-
-added=
-p=
-p_sh=$NIX_LINK/etc/profile.d/nix.sh
-p_fish=$NIX_LINK/etc/profile.d/nix.fish
-if [ -z "$NIX_INSTALLER_NO_MODIFY_PROFILE" ]; then
-    # Make the shell source nix.sh during login.
-    for i in .bash_profile .bash_login .profile; do
-        fn="$HOME/$i"
-        if [ -w "$fn" ]; then
-            if ! grep -q "$p_sh" "$fn"; then
-                echo "modifying $fn..." >&2
-                printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p_sh" "$p_sh" >> "$fn"
-            fi
-            added=1
-            p=${p_sh}
-            break
-        fi
-    done
-    for i in .zshenv .zshrc; do
-        fn="$HOME/$i"
-        if [ -w "$fn" ]; then
-            if ! grep -q "$p_sh" "$fn"; then
-                echo "modifying $fn..." >&2
-                printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p_sh" "$p_sh" >> "$fn"
-            fi
-            added=1
-            p=${p_sh}
-            break
-        fi
-    done
-
-    if [ -d "$HOME/.config/fish" ]; then
-        fishdir=$HOME/.config/fish/conf.d
-        if [ ! -d "$fishdir" ]; then
-            mkdir -p "$fishdir"
-        fi
-
-        fn="$fishdir/nix.fish"
-        echo "placing $fn..." >&2
-        printf '\nif test -e %s; . %s; end # added by Nix installer\n' "$p_fish" "$p_fish" > "$fn"
-        added=1
-        p=${p_fish}
-    fi
-else
-    p=${p_sh}
-fi
-
-if [ -z "$added" ]; then
-    cat >&2 <<EOF
-
-Installation finished!  To ensure that the necessary environment
-variables are set, please add the line
-
-  . $p
-
-to your shell profile (e.g. ~/.profile).
-EOF
-else
-    cat >&2 <<EOF
-
-Installation finished!  To ensure that the necessary environment
-variables are set, either log in again, or type
-
-  . $p
-
-in your shell.
-EOF
-fi

scripts/install-systemd-multi-user.sh

@@ -1,218 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu
-set -o pipefail
-
-readonly SERVICE_SRC=/lib/systemd/system/nix-daemon.service
-readonly SERVICE_DEST=/etc/systemd/system/nix-daemon.service
-
-readonly SOCKET_SRC=/lib/systemd/system/nix-daemon.socket
-readonly SOCKET_DEST=/etc/systemd/system/nix-daemon.socket
-
-readonly TMPFILES_SRC=/lib/tmpfiles.d/nix-daemon.conf
-readonly TMPFILES_DEST=/etc/tmpfiles.d/nix-daemon.conf
-
-# Path for the systemd override unit file to contain the proxy settings
-readonly SERVICE_OVERRIDE=${SERVICE_DEST}.d/override.conf
-
-create_systemd_override() {
-     header "Configuring proxy for the nix-daemon service"
-    _sudo "create directory for systemd unit override" mkdir -p "$(dirname "$SERVICE_OVERRIDE")"
-    cat <<EOF | _sudo "create systemd unit override" tee "$SERVICE_OVERRIDE"
-[Service]
-$1
-EOF
-}
-
-escape_systemd_env() {
-    temp_var="${1//\'/\\\'}"
-    echo "${temp_var//\%/%%}"
-}
-
-# Gather all non-empty proxy environment variables into a string
-create_systemd_proxy_env() {
-    vars="http_proxy https_proxy ftp_proxy no_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY"
-    for v in $vars; do
-        if [ "x${!v:-}" != "x" ]; then
-            echo "Environment=${v}=$(escape_systemd_env ${!v})"
-        fi
-    done
-}
-
-handle_network_proxy() {
-    # Create a systemd unit override with proxy environment variables
-    # if any proxy environment variables are not empty.
-    PROXY_ENV_STRING=$(create_systemd_proxy_env)
-    if [ -n "${PROXY_ENV_STRING}" ]; then
-        create_systemd_override "${PROXY_ENV_STRING}"
-    fi
-}
-
-poly_cure_artifacts() {
-    :
-}
-
-poly_service_installed_check() {
-    [ "$(systemctl is-enabled nix-daemon.service)" = "linked" ] \
-        || [ "$(systemctl is-enabled nix-daemon.socket)" = "enabled" ]
-}
-
-poly_service_uninstall_directions() {
-        cat <<EOF
-$1. Delete the systemd service and socket units
-
-  sudo systemctl stop nix-daemon.socket
-  sudo systemctl stop nix-daemon.service
-  sudo systemctl disable nix-daemon.socket
-  sudo systemctl disable nix-daemon.service
-  sudo systemctl daemon-reload
-EOF
-}
-
-poly_service_setup_note() {
-    cat <<EOF
- - load and start a service (at $SERVICE_DEST
-   and $SOCKET_DEST) for nix-daemon
-
-EOF
-}
-
-poly_extra_try_me_commands() {
-    if [ -e /run/systemd/system ]; then
-        :
-    else
-        cat <<EOF
-  $ sudo nix-daemon
-EOF
-    fi
-}
-
-poly_configure_nix_daemon_service() {
-    if [ -e /run/systemd/system ]; then
-        task "Setting up the nix-daemon systemd service"
-
-        _sudo "to create the nix-daemon tmpfiles config" \
-              ln -sfn "/nix/var/nix/profiles/default$TMPFILES_SRC" "$TMPFILES_DEST"
-
-        _sudo "to run systemd-tmpfiles once to pick that path up" \
-             systemd-tmpfiles --create --prefix=/nix/var/nix
-
-        _sudo "to set up the nix-daemon service" \
-              systemctl link "/nix/var/nix/profiles/default$SERVICE_SRC"
-
-        _sudo "to set up the nix-daemon socket service" \
-              systemctl enable "/nix/var/nix/profiles/default$SOCKET_SRC"
-
-        handle_network_proxy
-
-        _sudo "to load the systemd unit for nix-daemon" \
-              systemctl daemon-reload
-
-        _sudo "to start the nix-daemon.socket" \
-              systemctl start nix-daemon.socket
-
-        _sudo "to start the nix-daemon.service" \
-              systemctl restart nix-daemon.service
-    else
-        reminder "I don't support your init system yet; you may want to add nix-daemon manually."
-    fi
-}
-
-poly_group_exists() {
-    getent group "$1" > /dev/null 2>&1
-}
-
-poly_group_id_get() {
-    getent group "$1" | cut -d: -f3
-}
-
-poly_create_build_group() {
-    _sudo "Create the Nix build group, $NIX_BUILD_GROUP_NAME" \
-          groupadd -g "$NIX_BUILD_GROUP_ID" --system \
-          "$NIX_BUILD_GROUP_NAME" >&2
-}
-
-poly_user_exists() {
-    getent passwd "$1" > /dev/null 2>&1
-}
-
-poly_user_id_get() {
-    getent passwd "$1" | cut -d: -f3
-}
-
-poly_user_hidden_get() {
-    echo "1"
-}
-
-poly_user_hidden_set() {
-    true
-}
-
-poly_user_home_get() {
-    getent passwd "$1" | cut -d: -f6
-}
-
-poly_user_home_set() {
-    _sudo "in order to give $1 a safe home directory" \
-          usermod --home "$2" "$1"
-}
-
-poly_user_note_get() {
-    getent passwd "$1" | cut -d: -f5
-}
-
-poly_user_note_set() {
-    _sudo "in order to give $1 a useful comment" \
-          usermod --comment "$2" "$1"
-}
-
-poly_user_shell_get() {
-    getent passwd "$1" | cut -d: -f7
-}
-
-poly_user_shell_set() {
-    _sudo "in order to prevent $1 from logging in" \
-          usermod --shell "$2" "$1"
-}
-
-poly_user_in_group_check() {
-    groups "$1" | grep -q "$2" > /dev/null 2>&1
-}
-
-poly_user_in_group_set() {
-    _sudo "Add $1 to the $2 group"\
-          usermod --append --groups "$2" "$1"
-}
-
-poly_user_primary_group_get() {
-    getent passwd "$1" | cut -d: -f4
-}
-
-poly_user_primary_group_set() {
-    _sudo "to let the nix daemon use this user for builds (this might seem redundant, but there are two concepts of group membership)" \
-          usermod --gid "$2" "$1"
-
-}
-
-poly_create_build_user() {
-    username=$1
-    uid=$2
-    builder_num=$3
-
-    _sudo "Creating the Nix build user, $username" \
-          useradd \
-          --home-dir /var/empty \
-          --comment "Nix build user $builder_num" \
-          --gid "$NIX_BUILD_GROUP_ID" \
-          --groups "$NIX_BUILD_GROUP_NAME" \
-          --no-user-group \
-          --system \
-          --shell /sbin/nologin \
-          --uid "$uid" \
-          --password "!" \
-          "$username"
-}
-
-poly_prepare_to_install() {
-    :
-}

scripts/install.in

@@ -1,119 +0,0 @@
-#!/bin/sh
-
-# This script installs the Nix package manager on your system by
-# downloading a binary distribution and running its installer script
-# (which in turn creates and populates /nix).
-
-{ # Prevent execution if this script was only partially downloaded
-oops() {
-    echo "$0:" "$@" >&2
-    exit 1
-}
-
-umask 0022
-
-tmpDir="$(mktemp -d -t nix-binary-tarball-unpack.XXXXXXXXXX || \
-          oops "Can't create temporary directory for downloading the Nix binary tarball")"
-cleanup() {
-    rm -rf "$tmpDir"
-}
-trap cleanup EXIT INT QUIT TERM
-
-require_util() {
-    command -v "$1" > /dev/null 2>&1 ||
-        oops "you do not have '$1' installed, which I need to $2"
-}
-
-case "$(uname -s).$(uname -m)" in
-    Linux.x86_64)
-        hash=@tarballHash_x86_64-linux@
-        path=@tarballPath_x86_64-linux@
-        system=x86_64-linux
-        ;;
-    Linux.i?86)
-        hash=@tarballHash_i686-linux@
-        path=@tarballPath_i686-linux@
-        system=i686-linux
-        ;;
-    Linux.aarch64)
-        hash=@tarballHash_aarch64-linux@
-        path=@tarballPath_aarch64-linux@
-        system=aarch64-linux
-        ;;
-    Linux.armv6l)
-        hash=@tarballHash_armv6l-linux@
-        path=@tarballPath_armv6l-linux@
-        system=armv6l-linux
-        ;;
-    Linux.armv7l)
-        hash=@tarballHash_armv7l-linux@
-        path=@tarballPath_armv7l-linux@
-        system=armv7l-linux
-        ;;
-    Darwin.x86_64)
-        hash=@tarballHash_x86_64-darwin@
-        path=@tarballPath_x86_64-darwin@
-        system=x86_64-darwin
-        ;;
-    Darwin.arm64|Darwin.aarch64)
-        hash=@tarballHash_aarch64-darwin@
-        path=@tarballPath_aarch64-darwin@
-        system=aarch64-darwin
-        ;;
-    *) oops "sorry, there is no binary distribution of Nix for your platform";;
-esac
-
-# Use this command-line option to fetch the tarballs using nar-serve or Cachix
-if [ "${1:-}" = "--tarball-url-prefix" ]; then
-    if [ -z "${2:-}" ]; then
-        oops "missing argument for --tarball-url-prefix"
-    fi
-    url=${2}/${path}
-    shift 2
-else
-    url=https://releases.nixos.org/nix/nix-@nixVersion@/nix-@nixVersion@-$system.tar.xz
-fi
-
-tarball=$tmpDir/nix-@nixVersion@-$system.tar.xz
-
-require_util tar "unpack the binary tarball"
-if [ "$(uname -s)" != "Darwin" ]; then
-    require_util xz "unpack the binary tarball"
-fi
-
-if command -v curl > /dev/null 2>&1; then
-    fetch() { curl --fail -L "$1" -o "$2"; }
-elif command -v wget > /dev/null 2>&1; then
-    fetch() { wget "$1" -O "$2"; }
-else
-    oops "you don't have wget or curl installed, which I need to download the binary tarball"
-fi
-
-echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
-fetch "$url" "$tarball" || oops "failed to download '$url'"
-
-if command -v sha256sum > /dev/null 2>&1; then
-    hash2="$(sha256sum -b "$tarball" | cut -c1-64)"
-elif command -v shasum > /dev/null 2>&1; then
-    hash2="$(shasum -a 256 -b "$tarball" | cut -c1-64)"
-elif command -v openssl > /dev/null 2>&1; then
-    hash2="$(openssl dgst -r -sha256 "$tarball" | cut -c1-64)"
-else
-    oops "cannot verify the SHA-256 hash of '$url'; you need one of 'shasum', 'sha256sum', or 'openssl'"
-fi
-
-if [ "$hash" != "$hash2" ]; then
-    oops "SHA-256 hash mismatch in '$url'; expected $hash, got $hash2"
-fi
-
-unpack=$tmpDir/unpack
-mkdir -p "$unpack"
-tar -xJf "$tarball" -C "$unpack" || oops "failed to unpack '$url'"
-
-script=$(echo "$unpack"/*/install)
-
-[ -e "$script" ] || oops "installation script is missing from the binary tarball!"
-export INVOKED_FROM_INSTALL_IN=1
-"$script" "$@"
-
-} # End of wrapping

scripts/local.mk

@@ -7,7 +7,5 @@ profiledir = $(sysconfdir)/profile.d
 
 $(eval $(call install-file-as, $(d)/nix-profile.sh, $(profiledir)/nix.sh, 0644))
 $(eval $(call install-file-as, $(d)/nix-profile.fish, $(profiledir)/nix.fish, 0644))
-$(eval $(call install-file-as, $(d)/nix-profile-daemon.sh, $(profiledir)/nix-daemon.sh, 0644))
-$(eval $(call install-file-as, $(d)/nix-profile-daemon.fish, $(profiledir)/nix-daemon.fish, 0644))
 
 clean-files += $(nix_noinst_scripts)

scripts/nix-profile-daemon.fish.in

@@ -1,49 +0,0 @@
-function add_path --argument-names new_path
-    if type -q fish_add_path
-        # fish 3.2.0 or newer
-	fish_add_path --prepend --global $new_path
-    else
-        # older versions of fish
-        if not contains $new_path $fish_user_paths
-            set --global fish_user_paths $new_path $fish_user_paths
-        end
-    end
-end
-
-# Only execute this file once per shell.
-if test -n "$__ETC_PROFILE_NIX_SOURCED"
-  exit
-end
-
-set __ETC_PROFILE_NIX_SOURCED 1
-
-set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile"
-
-# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
-if test -n "$NIX_SSH_CERT_FILE"
-  : # Allow users to override the NIX_SSL_CERT_FILE
-else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
-  set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
-else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed
-  set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem
-else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS
-  set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt
-else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS
-  set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt
-else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile
-  set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
-else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile
-  set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt"
-else
-  # Fall back to what is in the nix profiles, favouring whatever is defined last.
-  for i in $NIX_PROFILES
-    if test -e "$i/etc/ssl/certs/ca-bundle.crt"
-      set --export NIX_SSL_CERT_FILE "$i/etc/ssl/certs/ca-bundle.crt"
-    end
-  end
-end
-
-add_path "@localstatedir@/nix/profiles/default/bin"
-add_path "$HOME/.nix-profile/bin"
-
-functions -e add_path

scripts/nix-profile-daemon.sh.in

@@ -1,64 +0,0 @@
-# Only execute this file once per shell.
-if [ -n "${__ETC_PROFILE_NIX_SOURCED:-}" ]; then return; fi
-__ETC_PROFILE_NIX_SOURCED=1
-
-NIX_LINK=$HOME/.nix-profile
-if [ -n "${XDG_STATE_HOME-}" ]; then
-    NIX_LINK_NEW="$XDG_STATE_HOME/nix/profile"
-else
-    NIX_LINK_NEW=$HOME/.local/state/nix/profile
-fi
-if [ -e "$NIX_LINK_NEW" ]; then
-    NIX_LINK="$NIX_LINK_NEW"
-else
-    if [ -t 2 ] && [ -e "$NIX_LINK_NEW" ]; then
-        warning="\033[1;35mwarning:\033[0m"
-        printf "$warning Both %s and legacy %s exist; using the latter.\n" "$NIX_LINK_NEW" "$NIX_LINK" 1>&2
-        if [ "$(realpath "$NIX_LINK")" = "$(realpath "$NIX_LINK_NEW")" ]; then
-            printf "         Since the profiles match, you can safely delete either of them.\n" 1>&2
-        else
-            # This should be an exceptionally rare occasion: the only way to get it would be to
-            # 1. Update to newer Nix;
-            # 2. Remove .nix-profile;
-            # 3. Set the $NIX_LINK_NEW to something other than the default user profile;
-            # 4. Roll back to older Nix.
-            # If someone did all that, they can probably figure out how to migrate the profile.
-            printf "$warning Profiles do not match. You should manually migrate from %s to %s.\n" "$NIX_LINK" "$NIX_LINK_NEW" 1>&2
-        fi
-    fi
-fi
-
-export NIX_PROFILES="@localstatedir@/nix/profiles/default $NIX_LINK"
-
-# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
-if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then
-    : # Allow users to override the NIX_SSL_CERT_FILE
-elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
-    export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
-elif [ -e /etc/ssl/ca-bundle.pem ]; then # openSUSE Tumbleweed
-    export NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
-elif [ -e /etc/ssl/certs/ca-bundle.crt ]; then # Old NixOS
-    export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
-elif [ -e /etc/pki/tls/certs/ca-bundle.crt ]; then # Fedora, CentOS
-    export NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
-else
-  # Fall back to what is in the nix profiles, favouring whatever is defined last.
-  check_nix_profiles() {
-    if [ -n "$ZSH_VERSION" ]; then
-      # Zsh by default doesn't split words in unquoted parameter expansion.
-      # Set local_options for these options to be reverted at the end of the function
-      # and shwordsplit to force splitting words in $NIX_PROFILES below.
-      setopt local_options shwordsplit
-    fi
-    for i in $NIX_PROFILES; do
-      if [ -e "$i/etc/ssl/certs/ca-bundle.crt" ]; then
-        export NIX_SSL_CERT_FILE=$i/etc/ssl/certs/ca-bundle.crt
-      fi
-    done
-  }
-  check_nix_profiles
-  unset -f check_nix_profiles
-fi
-
-export PATH="$NIX_LINK/bin:@localstatedir@/nix/profiles/default/bin:$PATH"
-unset NIX_LINK

scripts/nix-profile.fish.in

@@ -20,6 +20,14 @@ if test -n "$HOME" && test -n "$USER"
     # This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
     set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile"
 
+    # Populate bash completions, .desktop files, etc
+    if test -z "$XDG_DATA_DIRS"
+        # According to XDG spec the default is /usr/local/share:/usr/share, don't set something that prevents that default
+        set --export XDG_DATA_DIRS "/usr/local/share:/usr/share:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
+    else
+        set --export XDG_DATA_DIRS "$XDG_DATA_DIRS:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
+    end
+
     # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
     if test -n "$NIX_SSH_CERT_FILE"
         : # Allow users to override the NIX_SSL_CERT_FILE

scripts/nix-profile.sh.in

@@ -32,6 +32,14 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
     # This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
     export NIX_PROFILES="@localstatedir@/nix/profiles/default $NIX_LINK"
 
+    # Populate bash completions, .desktop files, etc
+    if [ -z "${XDG_DATA_DIRS-}" ]; then
+        # According to XDG spec the default is /usr/local/share:/usr/share, don't set something that prevents that default
+        export XDG_DATA_DIRS="/usr/local/share:/usr/share:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
+    else
+        export XDG_DATA_DIRS="$XDG_DATA_DIRS:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
+    fi
+
     # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
     if [ -e /etc/ssl/certs/ca-certificates.crt ]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
         export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

scripts/prepare-installer-for-github-actions

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-script=$(nix-build -A outputs.hydraJobs.installerScriptForGHA --no-out-link)
-installerHash=$(echo "$script" | cut -b12-43 -)
-
-installerURL=https://$CACHIX_NAME.cachix.org/serve/$installerHash/install
-
-echo "::set-output name=installerURL::$installerURL"

src/build-remote/build-remote.cc

@@ -126,7 +126,7 @@ static int main_build_remote(int argc, char * * argv)
             mkdir(currentLoad.c_str(), 0777);
 
             while (true) {
-                bestSlotLock = -1;
+                bestSlotLock.reset();
                 AutoCloseFD lock = openLockFile(currentLoad + "/main-lock", true);
                 lockFile(lock.get(), ltWrite, true);
 
@@ -137,11 +137,8 @@ static int main_build_remote(int argc, char * * argv)
                 for (auto & m : machines) {
                     debug("considering building on remote machine '%s'", m.storeUri);
 
-                    if (m.enabled
-                        && (neededSystem == "builtin"
-                            || std::find(m.systemTypes.begin(),
-                                m.systemTypes.end(),
-                                neededSystem) != m.systemTypes.end()) &&
+                    if (m.enabled &&
+                        m.systemSupported(neededSystem) &&
                         m.allSupported(requiredFeatures) &&
                         m.mandatoryMet(requiredFeatures))
                     {
@@ -205,7 +202,7 @@ static int main_build_remote(int argc, char * * argv)
                         else
                             drvstr = "<unknown>";
 
-                        auto error = hintformat(errorText);
+                        auto error = HintFmt(errorText);
                         error
                             % drvstr
                             % neededSystem
@@ -214,7 +211,7 @@ static int main_build_remote(int argc, char * * argv)
 
                         for (auto & m : machines)
                             error
-                                % concatStringsSep<std::vector<std::string>>(", ", m.systemTypes)
+                                % concatStringsSep<StringSet>(", ", m.systemTypes)
                                 % m.maxJobs
                                 % concatStringsSep<StringSet>(", ", m.supportedFeatures)
                                 % concatStringsSep<StringSet>(", ", m.mandatoryFeatures);
@@ -232,7 +229,7 @@ static int main_build_remote(int argc, char * * argv)
                 futimens(bestSlotLock.get(), NULL);
 #endif
 
-                lock = -1;
+                lock.reset();
 
                 try {
 
@@ -285,7 +282,7 @@ connected:
             copyPaths(*store, *sshStore, store->parseStorePathSet(inputs), NoRepair, NoCheckSigs, substitute);
         }
 
-        uploadLock = -1;
+        uploadLock.reset();
 
         auto drv = store->readDerivation(*drvPath);
 

src/libcmd/built-path.cc

@@ -12,9 +12,9 @@ namespace nix {
     bool MY_TYPE ::operator COMPARATOR (const MY_TYPE & other) const \
     { \
         const MY_TYPE* me = this; \
-        auto fields1 = std::make_tuple<const CHILD_TYPE &, const FIELD_TYPE &>(*me->drvPath, me->FIELD); \
+        auto fields1 = std::tie(*me->drvPath, me->FIELD); \
         me = &other; \
-        auto fields2 = std::make_tuple<const CHILD_TYPE &, const FIELD_TYPE &>(*me->drvPath, me->FIELD); \
+        auto fields2 = std::tie(*me->drvPath, me->FIELD); \
         return fields1 COMPARATOR fields2; \
     }
 #define CMP(CHILD_TYPE, MY_TYPE, FIELD) \

src/libcmd/command.cc

@@ -98,7 +98,7 @@ EvalCommand::EvalCommand()
 EvalCommand::~EvalCommand()
 {
     if (evalState)
-        evalState->printStats();
+        evalState->maybePrintStats();
 }
 
 ref<Store> EvalCommand::getEvalStore()
@@ -175,7 +175,7 @@ void BuiltPathsCommand::run(ref<Store> store, Installables && installables)
             throw UsageError("'--all' does not expect arguments");
         // XXX: Only uses opaque paths, ignores all the realisations
         for (auto & p : store->queryAllValidPaths())
-            paths.push_back(BuiltPath::Opaque{p});
+            paths.emplace_back(BuiltPath::Opaque{p});
     } else {
         paths = Installable::toBuiltPaths(getEvalStore(), store, realiseMode, operateOn, installables);
         if (recursive) {
@@ -188,7 +188,7 @@ void BuiltPathsCommand::run(ref<Store> store, Installables && installables)
             }
             store->computeFSClosure(pathsRoots, pathsClosure);
             for (auto & path : pathsClosure)
-                paths.push_back(BuiltPath::Opaque{path});
+                paths.emplace_back(BuiltPath::Opaque{path});
         }
     }
 

src/libcmd/command.hh

@@ -34,21 +34,28 @@ struct NixMultiCommand : virtual MultiCommand, virtual Command
 // For the overloaded run methods
 #pragma GCC diagnostic ignored "-Woverloaded-virtual"
 
-/* A command that requires a Nix store. */
+/**
+ * A command that requires a \ref Store "Nix store".
+ */
 struct StoreCommand : virtual Command
 {
     StoreCommand();
     void run() override;
     ref<Store> getStore();
     virtual ref<Store> createStore();
+    /**
+     * Main entry point, with a `Store` provided
+     */
     virtual void run(ref<Store>) = 0;
 
 private:
     std::shared_ptr<Store> _store;
 };
 
-/* A command that copies something between `--from` and `--to`
-   stores. */
+/**
+ * A command that copies something between `--from` and `--to` \ref
+ * Store stores.
+ */
 struct CopyCommand : virtual StoreCommand
 {
     std::string srcUri, dstUri;
@@ -60,6 +67,9 @@ struct CopyCommand : virtual StoreCommand
     ref<Store> getDstStore();
 };
 
+/**
+ * A command that needs to evaluate Nix language expressions.
+ */
 struct EvalCommand : virtual StoreCommand, MixEvalArgs
 {
     bool startReplOnEvalErrors = false;
@@ -79,6 +89,10 @@ private:
     std::shared_ptr<EvalState> evalState;
 };
 
+/**
+ * A mixin class for commands that process flakes, adding a few standard
+ * flake-related options/flags.
+ */
 struct MixFlakeOptions : virtual Args, EvalCommand
 {
     flake::LockFlags lockFlags;
@@ -87,6 +101,14 @@ struct MixFlakeOptions : virtual Args, EvalCommand
 
     MixFlakeOptions();
 
+    /**
+     * The completion for some of these flags depends on the flake(s) in
+     * question.
+     *
+     * This method should be implemented to gather all flakerefs the
+     * command is operating with (presumably specified via some other
+     * arguments) so that the completions for these flags can use them.
+     */
     virtual std::vector<std::string> getFlakesForCompletion()
     { return {}; }
 
@@ -112,15 +134,29 @@ struct SourceExprCommand : virtual Args, MixFlakeOptions
 
     virtual Strings getDefaultFlakeAttrPathPrefixes();
 
+    /**
+     * Complete an installable from the given prefix.
+     */
     void completeInstallable(std::string_view prefix);
 };
 
+/**
+ * A mixin class for commands that need a read-only flag.
+ *
+ * What exactly is "read-only" is unspecified, but it will usually be
+ * the \ref Store "Nix store".
+ */
 struct MixReadOnlyOption : virtual Args
 {
     MixReadOnlyOption();
 };
 
-/* Like InstallablesCommand but the installables are not loaded */
+/**
+ * Like InstallablesCommand but the installables are not loaded.
+ *
+ * This is needed by `CmdRepl` which wants to load (and reload) the
+ * installables itself.
+ */
 struct RawInstallablesCommand : virtual Args, SourceExprCommand
 {
     RawInstallablesCommand();
@@ -129,7 +165,7 @@ struct RawInstallablesCommand : virtual Args, SourceExprCommand
 
     void run(ref<Store> store) override;
 
-    // FIXME make const after CmdRepl's override is fixed up
+    // FIXME make const after `CmdRepl`'s override is fixed up
     virtual void applyDefaultInstallables(std::vector<std::string> & rawInstallables);
 
     bool readFromStdIn = false;
@@ -140,8 +176,11 @@ private:
 
     std::vector<std::string> rawInstallables;
 };
-/* A command that operates on a list of "installables", which can be
-   store paths, attribute paths, Nix expressions, etc. */
+
+/**
+ * A command that operates on a list of "installables", which can be
+ * store paths, attribute paths, Nix expressions, etc.
+ */
 struct InstallablesCommand : RawInstallablesCommand
 {
     virtual void run(ref<Store> store, Installables && installables) = 0;
@@ -149,7 +188,9 @@ struct InstallablesCommand : RawInstallablesCommand
     void run(ref<Store> store, std::vector<std::string> && rawInstallables) override;
 };
 
-/* A command that operates on exactly one "installable" */
+/**
+ * A command that operates on exactly one "installable".
+ */
 struct InstallableCommand : virtual Args, SourceExprCommand
 {
     InstallableCommand();
@@ -175,7 +216,12 @@ struct MixOperateOnOptions : virtual Args
     MixOperateOnOptions();
 };
 
-/* A command that operates on zero or more store paths. */
+/**
+ * A command that operates on zero or more extant store paths.
+ *
+ * If the argument the user passes is a some sort of recipe for a path
+ * not yet built, it must be built first.
+ */
 struct BuiltPathsCommand : InstallablesCommand, virtual MixOperateOnOptions
 {
 private:
@@ -207,7 +253,9 @@ struct StorePathsCommand : public BuiltPathsCommand
     void run(ref<Store> store, BuiltPaths && paths) override;
 };
 
-/* A command that operates on exactly one store path. */
+/**
+ * A command that operates on exactly one store path.
+ */
 struct StorePathCommand : public StorePathsCommand
 {
     virtual void run(ref<Store> store, const StorePath & storePath) = 0;
@@ -215,7 +263,9 @@ struct StorePathCommand : public StorePathsCommand
     void run(ref<Store> store, StorePaths && storePaths) override;
 };
 
-/* A helper class for registering commands globally. */
+/**
+ * A helper class for registering \ref Command commands globally.
+ */
 struct RegisterCommand
 {
     typedef std::map<std::vector<std::string>, std::function<ref<Command>()>> Commands;
@@ -271,7 +321,11 @@ struct MixEnvironment : virtual Args {
 
     MixEnvironment();
 
-    /* Modify global environ based on ignoreEnvironment, keep, and unset. It's expected that exec will be called before this class goes out of scope, otherwise environ will become invalid. */
+    /***
+     * Modify global environ based on `ignoreEnvironment`, `keep`, and
+     * `unset`. It's expected that exec will be called before this class
+     * goes out of scope, otherwise `environ` will become invalid.
+     */
     void setEnviron();
 };
 

src/libcmd/common-eval-args.cc

@@ -172,7 +172,7 @@ SourcePath lookupFileArg(EvalState & state, std::string_view s)
         return state.rootPath(CanonPath(state.store->toRealPath(storePath)));
     }
 
-    else if (hasPrefix(s, "flake:")) {
+    else if (s.starts_with("flake:")) {
         experimentalFeatureSettings.require(Xp::Flakes);
         auto flakeRef = parseFlakeRef(std::string(s.substr(6)), {}, true, false);
         auto storePath = flakeRef.resolve(state.store).fetchTree(state.store).first.storePath;

src/libcmd/editor-for.cc

@@ -1,5 +1,6 @@
 #include "util.hh"
 #include "editor-for.hh"
+#include "source-path.hh"
 
 namespace nix {