Commit graph

889 commits

Author SHA1 Message Date
Travis A. Everett fe807904e5 adapt to apfs.util flag diff in catalina/big sur
Fixes #3957. Just runs both forms to minimize moving parts.
2020-10-19 12:24:31 -05:00
Travis A. Everett e736f8f6e4 replace xpath with xmllint --xpath; simplify
As mentioned in previous commit, Big Sur changes the syntax for the
xpath command slightly.

In the process of testing out replacements for these, I noticed a few
small simplification wins.
2020-10-19 12:24:04 -05:00
Travis A. Everett 1f02b65c59 fix xpath and conditional bugs; xpath -> xmllint
- xpath -> xmllint: xpath's cli interface changed in Big Sur
  rather than add conditional logic for picking the correct
  syntax for xpath, I'm changing to xmllint --xpath, which
  appears to be consistent across versions I've tested...

- /plist/dict/key[text()='Writable']/following-sibling::true[1]
  doesn't do quite what's expected. It was written to try to
  select a <true /> node paired with the Writable key, but it
  will also select the *next* <true /> node that appears even
  if it was paired with another key.

- I think there's also a logic bug in the conditionals here.
  I'm not sure anyone ever actuall saw it, thanks to the xpath
  bug, though. With the xpath fix, this conditional passes if /nix
  does not exist, / IS writable, and the version is Catalina+.

  I think it meant to test for /nix does not exist, / is NOT
  writable, and the version is Catalina+. I reworked this lightly
  to make it a little clearer at the code level.
2020-10-19 12:23:29 -05:00
Travis A. Everett 9c3dc9d7ca update macOS version handling for Big Sur
Keeping this commit narrow for reviewability, but some of these
conditionals will change in subsequent commits in this PR.

Fixes #3852.
2020-10-19 12:22:30 -05:00
Eelco Dolstra 3e30710d95
Merge pull request #3788 from crinklywrappr/master
Add a script to install nix on non-systemd systems.
2020-07-31 16:44:26 +02:00
Alex Kovar 3294b0a4b0 Add newline to profile sourcing line #3393 2020-07-18 10:24:22 -05:00
Daniel Fitzpatrick 39859b853c merged systemd installer with non-systemd installer. 2020-07-07 15:08:23 -05:00
Daniel Fitzpatrick fd42176a21 Add a script to install nix on non-systemd systems. 2020-07-06 21:59:18 -05:00
Jörg Thalheim 3685f4eec6
docs/installer: add correct curl flags
also see https://nixos.org/download.html
2020-06-23 23:04:10 +01:00
Daiderd Jordan 4e6d7cb55a
installer: don't require xz on darwin
On macOS the system tar has builtin support for lzma while xz isn't
available as a separate binary.  There's no builtin package manager
there available either so having to install lzma (without nix) would be
rather painful.
2020-05-27 20:58:42 +02:00
Eelco Dolstra 228857efc6 Merge pull request #3608 from surajbarkale/patch-1
Use /etc/zshenv instead of /etc/zshrc for profile
2020-05-27 11:10:08 +02:00
Domen Kožar 3d3c219d91
installer: fix unused variable 2020-05-26 16:23:03 +02:00
Domen Kožar 1a5ac894e9
Fix installer script bugs
- --no-channel-add didn't have effect on multi-user installation
- some new flags didn't work at all
- document all installer flags
2020-05-26 15:49:26 +02:00
Domen Kožar 909bdfb4b4
Merge pull request #3375 from domenkozar/multi-user-count
install-multi-user: allow overriding user count
2020-05-25 17:53:24 +02:00
Domen Kožar 573ff8dfca
Allow passing extra nix.conf to installer 2020-05-25 17:31:46 +02:00
Domen Kožar 90b0c630a0
install-multi-user: allow overriding user count 2020-05-25 17:16:38 +02:00
Domen Kožar 2a7ea2eb6c
scripts/create-darwin-volume.sh: remove unused variable 2020-05-23 11:12:05 +02:00
Suraj Barkale 909d8cb293
Use /etc/zshenv instead of /etc/zshrc for profile
As noted in https://github.com/NixOS/nix/issues/3456 the `/etc/zshenv` file provides a better place for sourcing the nix environment.
2020-05-22 11:05:25 +10:00
Daiderd Jordan d3df1889a1
installer: don't clobber synthetic.conf 2020-05-21 20:03:09 +02:00
Travis A. Everett 2b0a81d92d
focus on golden-path covering most scenarios
This should handle installation scenarios we can handle with
anything resembling confidence. Goal is approximating the existing
setup--not enforcing a best-practice...

Approaches (+ installer-handled, - manual) and configs each covers:

+ no change needed; /nix OK on boot volume:
  All pre-Catalina (regardless of T2 or FileVault use)

+ create new unencrypted volume:
  Catalina, pre-T2, no FileVault

+ create new encrypted-at-rest volume:
  Catalina, pre-T2, FileVault
  Catalina, T2, no FileVault

- require user to pre-create encrypted volume
  Catalina, T2, FileVault
2020-05-21 19:58:11 +02:00
Daiderd Jordan 477d7c2d07
installer: refuse apfs volume creation when FileVault is enabled 2020-05-21 19:58:11 +02:00
Daiderd Jordan bc24c09968
install: make synthetic.conf and fstab checks stricter 2020-05-21 19:58:11 +02:00
Daiderd Jordan 04f597c3f4
install: improve output and error handling 2020-05-21 19:58:11 +02:00
Daiderd Jordan caface1980
install: hide the store volume on darwin 2020-05-21 19:58:11 +02:00
Daiderd Jordan 083bb3bbfc
install: show macOS 10.15 message with --daemon 2020-05-21 19:58:10 +02:00
Daiderd Jordan 10202628b9
install: also configure ~/.zshenv
The default login shell for users on macOS 10.15 changed from bash to
zsh.  So while generally nonstandard we need to configure it to make nix
function out of the box on macOS.
2020-05-21 19:58:10 +02:00
Daiderd Jordan 0726ad5825
install: configure and bootstrap synthetic.conf on darwin
Starting macOS 10.15 /nix can't be creasted directly anymore due to the
readonly filesystem, but synthetic.conf was introduced to enable
creating mountpoints or symlinks for special usecases like package
managers.
2020-05-21 19:58:10 +02:00
Pavol Rusnak 9e12b2f5b8
Expose installer configuration environment variables via command line flags 2020-05-12 19:00:45 +02:00
Pavol Rusnak 46be11b762
Introduce NIX_INSTALLER_NO_CHANNEL_ADD which skips nix-channel --add 2020-05-12 12:13:40 +02:00
Greg Price 7313aa267b installer: Fix terminal colors.
The install-multi-user script uses blue, green, and red colors, as
well as bold and underline, to add helpful formatting that helps
structure its rather voluminous output.

Unfortunately, the terminal escape sequences it uses are not quite
well-formed.  The relevant information is all there, just obscured
by some extra noise, a leading parameter `38`.  Empirically, the
result is:

 * On macOS, in both Terminal.app and iTerm2, the spurious `38` is
   ignored, the rest of the escape sequence is applied, and the colors
   show up as intended.

 * On Linux, in at least gnome-terminal and xterm, the spurious `38`
   and the next parameter after it are ignored, and what's left is
   applied.  So in the sequence `38;4;32`, the 4 (underline) is
   ignored but the 32 (green) takes effect; in a more typical sequence
   like `38;34`, the 34 (blue) is ignored and nothing happens.

These codes are all unchanged since this script's origins as a
Darwin-only script -- so the fact that they work fine in common macOS
terminals goes some way to explain how the bug arose.

Happily, we can make the colors work as intended by just deleting the
extra `38;`.  Tested in all four terminals mentioned above; the new
codes work correctly on all of them, and on the two macOS terminals
they work exactly the same as before.

---

In a bit more technical detail -- perhaps more than anyone, me
included, ever wanted to know, but now that I've gone and learned it
I'll write it down anyway :) -- here's what's happening in these codes:

An ECMA-48 "control sequence" begins with `\033[` aka "CSI", contains
any number of parameters as semicolon-separated decimal numbers (plus
sometimes other wrinkles), and ends with a byte from 0x40..0x7e.  In
our case, with `m` aka "SGR", "Select Graphic Rendition".

An SGR control sequence `\033[...m` sets colors, fonts, text styles,
etc.  In particular a parameter `31` means red, `32` green, `34` blue,
`4` underline, and `0` means reset to normal.  Those are all we use.

There is also a `38`.  This is used for setting colors too... but it
needs arguments.  `38;5;nn` is color nn from a 256-color palette, and
`38;2;rr;gg;bb` has the given RGB values.

There is no meaning defined for `38;1` or `38;34` etc.  On seeing a
parameter `38` followed by an unrecognized argument for it, apparently
some implementations (as seen on macOS) discard only the `38` and
others (as seen on Linux) discard the argument too before resuming.
2020-03-24 21:15:01 -07:00
Greg Price 26851dd2c2 installer: Set files read-only when copying into store
After installing Nix, I found that all the files and directories
initially copied into the store were writable, with mode 644 or 755:

  drwxr-xr-x 9 root root 4096 Dec 31  1969 /nix/store/ddmmzn4ggz1f66lwxjy64n89864yj9w9-nix-2.3.3

The reason is that that's how they were in the unpacked tarball, and
the install-multi-user script used `rsync -p` without doing anything
else to affect the permissions.

The plain `install` script for a single-user install takes care to
do a `chmod -R a-w` on each store path copied.  We could do the same
here with one more command; or we can pass `--chmod` to rsync, to
have it write the files with the desired modes in the first place.

Tested the new `rsync` command on both a Linux machine with a
reasonably-modern rsync (3.1.3) and a Mac with its default, ancient,
rsync 2.6.9, and it works as expected on both.  Thankfully the latter
is just new enough to have `--chmod`, which dates to rsync 2.6.7.
2020-03-22 23:07:20 -07:00
Philipp Middendorf 9450dece24 installer: also test for xz to unpack 2020-03-21 09:31:39 +01:00
Robert Hensing 9080d5d924 README, error msg: http -> https 2020-03-11 19:41:22 +01:00
Eelco Dolstra e063c71a79
nixos.org/releases -> releases.nixos.org 2020-03-11 10:33:23 +01:00
Rovanion Luckey a413594baf installer: Handle edge case where the nix-daemon is already running on the system
On a systemd-based Linux distribution: If the user has previously had multi-user Nix installed on the system, removed it and then reinstalled multi-user Nix again the old nix-daemon.service will still be running when `scripts/install-systemd-multi-user.sh` tries to start it which results in nothing being done and the old daemon continuing its run.

When a normal user then tries to use Nix through the daemon the nix binary will fail to connect to the nix-daemon as it does not belong to the currently installed Nix system. See below for steps to reproduce the issue that motivated this change.

$ sh <(curl https://nixos.org/nix/install) --daemon

$ sudo rm -rf /etc/nix /nix /root/.nix-profile /root/.nix-defexpr /root/.nix-channels /home/nix-installer/.nix-profile /home/nix-installer/.nix-defexpr /home/nix-installer/.nix-channels ~/.nix-channels ~/.nix-defexpr/ ~/.nix-profile /etc/profile.d/nix.sh.backup-before-nix /etc/profile.d/nix.sh; sed -i '/added by Nix installer$/d' ~/.bash_profile

$ unset NIX_REMOTE

$ sh <(curl https://nixos.org/nix/install) --daemon

└$ export NIX_REMOTE=daemon

└$ nix-env -iA nixpkgs.hello
installing 'hello-2.10'
error: cannot connect to daemon at '/nix/var/nix/daemon-socket/socket': No such file or directory
(use '--show-trace' to show detailed location information)

└$ sudo systemctl restart nix-daemon.service

└$ nix-env -iA nixpkgs.hello
installing 'hello-2.10'
these paths will be fetched (6.09 MiB download, 27.04 MiB unpacked):
  /nix/store/2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10
  /nix/store/aag9d1y4wcddzzrpfmfp9lcmc7skd7jk-glibc-2.27
copying path '/nix/store/aag9d1y4wcddzzrpfmfp9lcmc7skd7jk-glibc-2.27' from 'https://cache.nixos.org'...
copying path '/nix/store/2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10' from 'https://cache.nixos.org'...
building '/nix/store/w9adagg6vlikr799nkkqc9la5hbbpgmi-user-environment.drv'...
created 2 symlinks in user environment
2020-01-23 14:48:53 +01:00
Michael Forney 43eb7b6756 Pass -J to tar for xz decompression
Some tar implementations can't auto-detect compression formats, so
they must be specified explicitly.
2019-12-22 17:17:14 -08:00
Michael Forney 10414d467b Pass -P to cp to preserve symlinks
This is commonly the default behavior with -R, but POSIX leaves the
default unspecified.
2019-12-21 21:30:38 -08:00
Eelco Dolstra ec9dd9a5ae
Provide a default value for NIX_PATH 2019-11-22 22:08:51 +01:00
Eelco Dolstra 1c3ccba0f5
Remove $NIX_USER_PROFILE_DIR
This is not used anywhere.
2019-11-22 16:27:48 +01:00
Eelco Dolstra 2f96a89646 install-multi-user.sh: Remove unused variables
https://hydra.nixos.org/build/104119659
2019-10-23 21:24:21 +02:00
Steven Shaw f0ec4b4ce4
Fix unset variable in installer 2019-10-19 13:26:06 +10:00
Eelco Dolstra 9277e72cb0
Typo 2019-10-09 23:35:02 +02:00
Eelco Dolstra c9159f86cc
nix-env: Create ~/.nix-defexpr automatically 2019-10-09 23:35:02 +02:00
Eelco Dolstra 61a6176aca
nix-profile.sh: Remove coreutils dependency 2019-10-09 23:35:02 +02:00
Eelco Dolstra 9348f9291e
nix-env: Create ~/.nix-profile automatically 2019-10-09 23:35:01 +02:00
Eelco Dolstra 26762ceb86
nix-profile.sh: Don't create .nix-channels
This is already done by the installer, so no need to do it again.
2019-10-09 23:35:01 +02:00
Eelco Dolstra c43d9f6131
Remove some redundant initialization 2019-10-09 23:35:01 +02:00
Eelco Dolstra 5a303093dc
Remove world-writability from per-user directories
'nix-daemon' now creates subdirectories for users when they first
connect.

Fixes #509 (CVE-2019-17365).
Should also fix #3127.
2019-10-09 23:34:48 +02:00
Matthew Bauer d4e51aac08 Make preexisting Nix install a warning, not a failure
In the multi-user install script, we originally made sure no previous
references to Nix existed. This prevented any previous installs from
contaminating the new install. However, some users need the ability to
repair their existing Nix installation without uninstalling all
references to Nix. This change allows users with existing Nix
installations to use the installer, while still outputing a warning
message on the dangers of this. As a result, the multi-user install
script work much more like the single-user install script has worked
in the past.

This is a requirement for macOS Catalina users now that
/Library/LaunchDaemons/org.nixos.nix-daemon.plisg is not managed by
the Nix store. If there is ever a change to the .plist, all users will
need to rerun this install script to get the new changes. Otherwise,
changes to the launch daemon will require manual interventions.
2019-10-08 21:53:06 -04:00
Matthew Bauer 0847f2f1b3 Copy instead of linking launch agent
On Catalina, the /nix filesystem might not be mounted at start time.
To avoid this service not starting, we need to keep the launch agent
outside of the Nix store. A wait4pid will hold for our /nix dir to be
mounted.

Fixes #3125.
2019-10-08 21:52:17 -04:00