Commit Graph

1021 Commits

Author SHA1 Message Date
Daiderd Jordan
d3df1889a1
installer: don't clobber synthetic.conf 2020-05-21 20:03:09 +02:00
Travis A. Everett
2b0a81d92d
focus on golden-path covering most scenarios
This should handle installation scenarios we can handle with
anything resembling confidence. Goal is approximating the existing
setup--not enforcing a best-practice...

Approaches (+ installer-handled, - manual) and configs each covers:

+ no change needed; /nix OK on boot volume:
  All pre-Catalina (regardless of T2 or FileVault use)

+ create new unencrypted volume:
  Catalina, pre-T2, no FileVault

+ create new encrypted-at-rest volume:
  Catalina, pre-T2, FileVault
  Catalina, T2, no FileVault

- require user to pre-create encrypted volume
  Catalina, T2, FileVault
2020-05-21 19:58:11 +02:00
Daiderd Jordan
477d7c2d07
installer: refuse apfs volume creation when FileVault is enabled 2020-05-21 19:58:11 +02:00
Daiderd Jordan
bc24c09968
install: make synthetic.conf and fstab checks stricter 2020-05-21 19:58:11 +02:00
Daiderd Jordan
04f597c3f4
install: improve output and error handling 2020-05-21 19:58:11 +02:00
Daiderd Jordan
caface1980
install: hide the store volume on darwin 2020-05-21 19:58:11 +02:00
Daiderd Jordan
083bb3bbfc
install: show macOS 10.15 message with --daemon 2020-05-21 19:58:10 +02:00
Daiderd Jordan
10202628b9
install: also configure ~/.zshenv
The default login shell for users on macOS 10.15 changed from bash to
zsh.  So while generally nonstandard we need to configure it to make nix
function out of the box on macOS.
2020-05-21 19:58:10 +02:00
Daiderd Jordan
0726ad5825
install: configure and bootstrap synthetic.conf on darwin
Starting macOS 10.15 /nix can't be creasted directly anymore due to the
readonly filesystem, but synthetic.conf was introduced to enable
creating mountpoints or symlinks for special usecases like package
managers.
2020-05-21 19:58:10 +02:00
Pavol Rusnak
9e12b2f5b8
Expose installer configuration environment variables via command line flags 2020-05-12 19:00:45 +02:00
Pavol Rusnak
46be11b762
Introduce NIX_INSTALLER_NO_CHANNEL_ADD which skips nix-channel --add 2020-05-12 12:13:40 +02:00
Greg Price
7313aa267b installer: Fix terminal colors.
The install-multi-user script uses blue, green, and red colors, as
well as bold and underline, to add helpful formatting that helps
structure its rather voluminous output.

Unfortunately, the terminal escape sequences it uses are not quite
well-formed.  The relevant information is all there, just obscured
by some extra noise, a leading parameter `38`.  Empirically, the
result is:

 * On macOS, in both Terminal.app and iTerm2, the spurious `38` is
   ignored, the rest of the escape sequence is applied, and the colors
   show up as intended.

 * On Linux, in at least gnome-terminal and xterm, the spurious `38`
   and the next parameter after it are ignored, and what's left is
   applied.  So in the sequence `38;4;32`, the 4 (underline) is
   ignored but the 32 (green) takes effect; in a more typical sequence
   like `38;34`, the 34 (blue) is ignored and nothing happens.

These codes are all unchanged since this script's origins as a
Darwin-only script -- so the fact that they work fine in common macOS
terminals goes some way to explain how the bug arose.

Happily, we can make the colors work as intended by just deleting the
extra `38;`.  Tested in all four terminals mentioned above; the new
codes work correctly on all of them, and on the two macOS terminals
they work exactly the same as before.

---

In a bit more technical detail -- perhaps more than anyone, me
included, ever wanted to know, but now that I've gone and learned it
I'll write it down anyway :) -- here's what's happening in these codes:

An ECMA-48 "control sequence" begins with `\033[` aka "CSI", contains
any number of parameters as semicolon-separated decimal numbers (plus
sometimes other wrinkles), and ends with a byte from 0x40..0x7e.  In
our case, with `m` aka "SGR", "Select Graphic Rendition".

An SGR control sequence `\033[...m` sets colors, fonts, text styles,
etc.  In particular a parameter `31` means red, `32` green, `34` blue,
`4` underline, and `0` means reset to normal.  Those are all we use.

There is also a `38`.  This is used for setting colors too... but it
needs arguments.  `38;5;nn` is color nn from a 256-color palette, and
`38;2;rr;gg;bb` has the given RGB values.

There is no meaning defined for `38;1` or `38;34` etc.  On seeing a
parameter `38` followed by an unrecognized argument for it, apparently
some implementations (as seen on macOS) discard only the `38` and
others (as seen on Linux) discard the argument too before resuming.
2020-03-24 21:15:01 -07:00
Greg Price
26851dd2c2 installer: Set files read-only when copying into store
After installing Nix, I found that all the files and directories
initially copied into the store were writable, with mode 644 or 755:

  drwxr-xr-x 9 root root 4096 Dec 31  1969 /nix/store/ddmmzn4ggz1f66lwxjy64n89864yj9w9-nix-2.3.3

The reason is that that's how they were in the unpacked tarball, and
the install-multi-user script used `rsync -p` without doing anything
else to affect the permissions.

The plain `install` script for a single-user install takes care to
do a `chmod -R a-w` on each store path copied.  We could do the same
here with one more command; or we can pass `--chmod` to rsync, to
have it write the files with the desired modes in the first place.

Tested the new `rsync` command on both a Linux machine with a
reasonably-modern rsync (3.1.3) and a Mac with its default, ancient,
rsync 2.6.9, and it works as expected on both.  Thankfully the latter
is just new enough to have `--chmod`, which dates to rsync 2.6.7.
2020-03-22 23:07:20 -07:00
Philipp Middendorf
9450dece24 installer: also test for xz to unpack 2020-03-21 09:31:39 +01:00
Robert Hensing
9080d5d924 README, error msg: http -> https 2020-03-11 19:41:22 +01:00
Eelco Dolstra
e063c71a79
nixos.org/releases -> releases.nixos.org 2020-03-11 10:33:23 +01:00
Rovanion Luckey
a413594baf installer: Handle edge case where the nix-daemon is already running on the system
On a systemd-based Linux distribution: If the user has previously had multi-user Nix installed on the system, removed it and then reinstalled multi-user Nix again the old nix-daemon.service will still be running when `scripts/install-systemd-multi-user.sh` tries to start it which results in nothing being done and the old daemon continuing its run.

When a normal user then tries to use Nix through the daemon the nix binary will fail to connect to the nix-daemon as it does not belong to the currently installed Nix system. See below for steps to reproduce the issue that motivated this change.

$ sh <(curl https://nixos.org/nix/install) --daemon

$ sudo rm -rf /etc/nix /nix /root/.nix-profile /root/.nix-defexpr /root/.nix-channels /home/nix-installer/.nix-profile /home/nix-installer/.nix-defexpr /home/nix-installer/.nix-channels ~/.nix-channels ~/.nix-defexpr/ ~/.nix-profile /etc/profile.d/nix.sh.backup-before-nix /etc/profile.d/nix.sh; sed -i '/added by Nix installer$/d' ~/.bash_profile

$ unset NIX_REMOTE

$ sh <(curl https://nixos.org/nix/install) --daemon

└$ export NIX_REMOTE=daemon

└$ nix-env -iA nixpkgs.hello
installing 'hello-2.10'
error: cannot connect to daemon at '/nix/var/nix/daemon-socket/socket': No such file or directory
(use '--show-trace' to show detailed location information)

└$ sudo systemctl restart nix-daemon.service

└$ nix-env -iA nixpkgs.hello
installing 'hello-2.10'
these paths will be fetched (6.09 MiB download, 27.04 MiB unpacked):
  /nix/store/2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10
  /nix/store/aag9d1y4wcddzzrpfmfp9lcmc7skd7jk-glibc-2.27
copying path '/nix/store/aag9d1y4wcddzzrpfmfp9lcmc7skd7jk-glibc-2.27' from 'https://cache.nixos.org'...
copying path '/nix/store/2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10' from 'https://cache.nixos.org'...
building '/nix/store/w9adagg6vlikr799nkkqc9la5hbbpgmi-user-environment.drv'...
created 2 symlinks in user environment
2020-01-23 14:48:53 +01:00
Michael Forney
43eb7b6756 Pass -J to tar for xz decompression
Some tar implementations can't auto-detect compression formats, so
they must be specified explicitly.
2019-12-22 17:17:14 -08:00
Michael Forney
10414d467b Pass -P to cp to preserve symlinks
This is commonly the default behavior with -R, but POSIX leaves the
default unspecified.
2019-12-21 21:30:38 -08:00
Eelco Dolstra
ec9dd9a5ae
Provide a default value for NIX_PATH 2019-11-22 22:08:51 +01:00
Eelco Dolstra
1c3ccba0f5
Remove $NIX_USER_PROFILE_DIR
This is not used anywhere.
2019-11-22 16:27:48 +01:00
Eelco Dolstra
2f96a89646 install-multi-user.sh: Remove unused variables
https://hydra.nixos.org/build/104119659
2019-10-23 21:24:21 +02:00
Steven Shaw
f0ec4b4ce4
Fix unset variable in installer 2019-10-19 13:26:06 +10:00
Eelco Dolstra
9277e72cb0
Typo 2019-10-09 23:35:02 +02:00
Eelco Dolstra
c9159f86cc
nix-env: Create ~/.nix-defexpr automatically 2019-10-09 23:35:02 +02:00
Eelco Dolstra
61a6176aca
nix-profile.sh: Remove coreutils dependency 2019-10-09 23:35:02 +02:00
Eelco Dolstra
9348f9291e
nix-env: Create ~/.nix-profile automatically 2019-10-09 23:35:01 +02:00
Eelco Dolstra
26762ceb86
nix-profile.sh: Don't create .nix-channels
This is already done by the installer, so no need to do it again.
2019-10-09 23:35:01 +02:00
Eelco Dolstra
c43d9f6131
Remove some redundant initialization 2019-10-09 23:35:01 +02:00
Eelco Dolstra
5a303093dc
Remove world-writability from per-user directories
'nix-daemon' now creates subdirectories for users when they first
connect.

Fixes #509 (CVE-2019-17365).
Should also fix #3127.
2019-10-09 23:34:48 +02:00
Matthew Bauer
d4e51aac08 Make preexisting Nix install a warning, not a failure
In the multi-user install script, we originally made sure no previous
references to Nix existed. This prevented any previous installs from
contaminating the new install. However, some users need the ability to
repair their existing Nix installation without uninstalling all
references to Nix. This change allows users with existing Nix
installations to use the installer, while still outputing a warning
message on the dangers of this. As a result, the multi-user install
script work much more like the single-user install script has worked
in the past.

This is a requirement for macOS Catalina users now that
/Library/LaunchDaemons/org.nixos.nix-daemon.plisg is not managed by
the Nix store. If there is ever a change to the .plist, all users will
need to rerun this install script to get the new changes. Otherwise,
changes to the launch daemon will require manual interventions.
2019-10-08 21:53:06 -04:00
Matthew Bauer
0847f2f1b3 Copy instead of linking launch agent
On Catalina, the /nix filesystem might not be mounted at start time.
To avoid this service not starting, we need to keep the launch agent
outside of the Nix store. A wait4pid will hold for our /nix dir to be
mounted.

Fixes #3125.
2019-10-08 21:52:17 -04:00
Eelco Dolstra
ad03159e25
Merge pull request #2745 from samueldr/install/detect-systemd-separately
install-multi-user: Detect and fail lack of systemd separately
2019-08-28 11:34:23 +02:00
Eelco Dolstra
bd285849ed
Merge pull request #3054 from matthewbauer/nix-dir-macos
Allow empty /nix directory in multi-user installer
2019-08-28 11:29:43 +02:00
Eelco Dolstra
ceefddafe8 Compress binary tarballs using xz
Fixes https://github.com/NixOS/nix/issues/240.

Apparently 'tar -xf' can decompress xz files on macOS nowadays.
2019-08-27 22:18:34 +02:00
Venkateswara Rao Mandela
6dab42a551
installer: handle network proxy in systemd install
If a network proxy configuration is detected, setup an override
systemd unit file for nix-daemon service with the non-empty
proxy variables.

Proxy detection is performed by looking for http/https/ftp proxy and no
proxy variables in user environment
2019-08-24 09:08:41 -04:00
Matthew Bauer
0463d5e36f Allow empty /nix directory in multi-user installer
With macOS catalina, we can no longer modify the root system
volume (#2925). macOS provides a system configuration file in
synthetic.conf(5) to create empty root directories. This can be used
to mount /nix to a separate volume. As a result, this directory will
need to already exist prior to installation. Instead, check for
/nix/store and /nix/var for a live Nix installation.
2019-08-22 23:38:52 -04:00
Matthew Bauer
c82a856b36 Add default for USER when unset
uses $(id -u -n) when USER is unset, this is needed on some weird
setups in Docker. Fixes #971
2019-07-25 09:39:44 -04:00
Eelco Dolstra
38a4d38bc3
Merge pull request #2746 from bjornfor/install-multi-user-defaults
install-multi-user: reduce max-jobs from 32 to 1
2019-06-17 10:17:40 +02:00
Johannes Climacus
a8251ba2ed Replace type with command -v in install script
In POSIX sh, `type` is undefined.

cf. https://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html#tag_20_22_04
2019-05-29 10:08:21 -04:00
Matthew Bauer
92f461e4f4 Don’t set NIX_REMOTE=daemon in daemon profile
This is now autodetected. There is no need to put it in the profile.
2019-05-15 22:24:24 -04:00
Matthew Bauer
7c20ee448f Sync NIX_PROFILES between single-user and multi-user modes
When we are in single user mode, we still want to have access to
profiles. This way things in Nixpkgs that rely on them getting set
accurately are done in both cases. The point where I hit this is with
using aspell which looks in NIX_PROFILES:

https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/aspell/default.nix

Before this patch, NIX_PROFILES was never set in single user mode!
This corrects that.
2019-05-15 22:04:39 -04:00
Eelco Dolstra
b6eb8a2d7e
nix-profile: Add all channels to $NIX_PATH
Fixes #2709.
2019-05-15 14:30:09 +02:00
Eelco Dolstra
3fd5425f94
Fix shellcheck error
https://hydra.nixos.org/build/93359951
2019-05-15 13:13:14 +02:00
Graham Christensen
5713772568
Merge pull request #2594 from LnL7/darwin-10.12.6
installer: update macOS version check to 10.12.2
2019-05-08 07:16:06 -04:00
Eelco Dolstra
989cb37777
Merge pull request #2679 from bjornfor/offline-install
install script: don't abort when "nix-channel --update" fails
2019-05-01 15:48:39 +02:00
Bjørn Forsman
07d9981f34 install-multi-user: remove unneeded settings from nix.conf
Hardcoding the "max-jobs" and "cores" settings in nix.conf at install
time, to the same value as Nix' built-in default, makes little sense to
me.
2019-03-27 16:26:14 +01:00
Bjørn Forsman
dbe4c043d7 install-multi-user: reduce max-jobs from 32 to 1
Having max-jobs = 32 ($NIX_USER_COUNT is hardcoded to that value) may
severely overload the machine. The nix.conf(5) manual page says max-jobs
defaults to 1, so let's use that value.

NOTE: Both max-jobs and cores are now being set to their default value,
so they can be removed alltogether.
2019-03-27 16:23:35 +01:00
Samuel Dionne-Riel
d854e7dfd6 install-multi-user: Detect and fail lack of systemd separately
Otherwise, the user is shown:

```
Sorry, I don't know what to do on Linux
```

Which is... not exactly right.
2019-03-26 21:08:22 -04:00
Domen Kožar
6f0359012c
Merge pull request #2693 from thoughtpolice/scripts/multi-user-sandbox
scripts: remove default 'sandbox = false' from multi-user installer
2019-03-24 19:45:56 +07:00
Austin Seipp
d7a7a029ff
scripts: remove default 'sandbox = false' from multi-user installer
Sandboxing is now enabled by default on Linux, but is still disabled on
macOS. However, the installer always turned it off to ensure consistent
behavior.

Remove this default configuration, so we fall back to the default
platform-specific value.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2019-02-23 08:35:26 -06:00
zimbatm
b402148d8f
remove noop uses of nix-store --init
the nix-store --init command is a noop apparently
2019-02-22 21:07:53 +01:00
Bjørn Forsman
b9567aa8b6 install script: don't abort when "nix-channel --update" fails
Instead, print a message about what happened and tell the user what can
be done (run "[sudo -i] nix-channel --update nixpkgs" again at a later
time). This change allows installing Nix when you're offline.

Since the multi-user installer is so verbose, the message isn't printed
until the end.

Fixes issue #2650 ("installation without internet connection").
2019-02-20 09:35:01 +01:00
Shea Levy
e58a71442a
nix.sh: Be set -u compliant. 2019-02-14 13:24:16 -05:00
Daiderd Jordan
82f054d7d5
installer: update macOS version check to 10.12.2
Nixpkgs will drop support for <10.12 soon and thus a nix release built
using the 19.03 channel will also require a newer version of macOS.
2018-12-20 20:12:20 +01:00
Eelco Dolstra
32a0a223d5
Merge pull request #2432 from luke-clifton/fixssl
SSL certificate search failed to find user profile certificates.
2018-11-15 13:07:43 +01:00
Graham Christensen (Target)
ea41838ae0
install script: remove unportable command check, fixup errant escape
`which` isn't necessarily portable, but `command -v` is an equivalent form.

Additionally, the `\'` is not necessary, as it is already quoted by `"`.
2018-10-16 10:22:36 -04:00
Matthew Bauer
9cc876fb11
nix-profile-daemon: remove cruft
This removes part of the PATH that were being added automatically in multi-user installs:

- $HOME/.nix-profile/lib/kde4/libexec - shouldn't be needed anymore, we are now using kde5
- @localstatedir@/nix/profiles/default/lib/kde4/libexec - same as above
- @localstatedir@/nix/profiles/default - shouldn't ever contain binaries
2018-10-01 13:26:59 -05:00
Luke Clifton
fb72104b80 Search NIX_PROFILE for SSL CA 2018-09-20 07:33:35 +08:00
Luke Clifton
1241a58975 Look inside the user profile 2018-09-19 15:22:39 +08:00
Graham Christensen
51f9682a8b
Default to single-user install 2018-09-01 10:45:56 -04:00
Eelco Dolstra
7c3c635d4f
release.nix: Generate the installer script 2018-05-30 17:40:08 +02:00
Eelco Dolstra
4caaa4c5fe
Move installer script from nixos-homepage 2018-05-30 17:17:50 +02:00
Graham Christensen
6ba1726eeb
install-multi-user: support 'set -u' runs, closes #2193 2018-05-30 09:35:21 -04:00
Graham Christensen
d459d3307c
nix-daemon.sh profile script: operate under set -u
If the profile is sourced inside a script with `set -u`, the check for
__ETC_PROFILE_NIX_SOURCED and NIX_SSL_CERT_FILE would raise an error.
A simple guard around this check allows the script to operate under
standard environments (where it is fairly reasonable to assume USER
and HOME are set.)
2018-05-30 09:15:46 -04:00
Graham Christensen
cad903b634
multi-user profile: borrow single user profiles' NIX_SSL_CERT_FILE finding logic 2018-05-25 15:59:10 -04:00
Graham Christensen
c4b9486f9b
install-multi-user: don't force NIX_SSL_CERT_FILE
Following the lead of the single user installer, if NIX_SSL_CERT_FILE is explicitly set prior to running, accept the user-provided version.
2018-05-25 15:54:55 -04:00
Eelco Dolstra
1df32c7d7c
Merge pull request #1664 from matthewbauer/patch-4
Setup NIX_PATH correctly in nix-profile-daemon
2018-05-25 13:36:04 +02:00
Graham Christensen
51cbe99104
installer: default to the daemon installor for Linux with systemd
Note: don't backport to 2.0-maintenance
2018-04-19 13:45:17 -04:00
Graham Christensen
17b158af85
installer: allow opting in / out to the daemon installer
By passing --daemon or --no-daemon, the installer can be forced to
select one or the other installation options, despite what the
automatic detection can provide.

This commit can be backported to 2.0-maintenance because it explicitly
turns off the daemon installation for Linux under systemd.
2018-04-19 13:45:11 -04:00
Matthew Justin Bauer
d7a84d330c Setup nix_path correctly in nix-profile-daemon
We need nixpkgs to be set in NIX_PATH for Nix 1.12 to work correctly
2018-04-04 18:02:59 -05:00
Graham Christensen
4eb40c72ed
macos: Handle when a build user doesn't have a user ID 2018-03-30 13:57:00 -04:00
Graham Christensen
f06f8102bd
Use a looser comparison for the 'user note' check
We use grep instead of an equality check because it is difficult
to extract _just_ the user's note, instead it is prefixed with
some plist junk. This was causing the user note to always be set,
even if there was no reason for it.
2018-03-30 11:38:08 -04:00
Graham Christensen
4ba91f5bae
Check for the existence of a profile target before seeing if it mentions Nix
Grep would ignore files that didn't exist, but would complain
about files in a directory if the directory didn't exist. Simply check
for the directory first, prior to grepping it.
2018-03-30 11:37:32 -04:00
Graham Christensen
2921165a9d
Expand the multi-user installer to support Linuxes with systemd
- darwin installer: delete hardware report, not necessary
 - moves os-specific code from the darwin installer to to `poly_*`
   functions
 - adds profile.d support to the profile targets, which automatically
   handles many distros which don't have a /etc/bashrc but do have an
   /etc/profile.d
 - /bin/bash -> /usr/bin/env bash
 - document why each excluded shellcheck check is excluded
 - rename the multi-user to Daemon-based
2018-03-29 15:38:01 -04:00
Eelco Dolstra
f471aacff2
Merge pull request #1775 from LnL7/darwin-build-users
installer: create 'enough' build users
2018-02-13 12:31:53 +01:00
Giorgio Gallo
9f9393df55 solves #1582 2018-01-29 21:33:17 +01:00
Eelco Dolstra
5647e55f65
Merge pull request #1793 from peterstuart/fix-extra-space
Remove extra space in chat_about_sudo()
2018-01-18 16:19:44 +01:00
Iavael
ebc42f8b59
Fix manpath detection
Checking for MANPATH without quotes always returns true, so that it breaks bash-completion for man pages on modern systems without MANPATH environment variable.
2018-01-15 00:43:39 +03:00
Peter Stuart
a65376b01d
Remove extra space. 2018-01-12 14:27:29 -05:00
Daiderd Jordan
d15826164c
installer: create 'enough' build users 2018-01-03 22:34:34 +01:00
Daiderd Jordan
27788f4060
installer: don't touch /etc/profile
The default profile already loads /etc/bashrc.
2018-01-03 22:29:54 +01:00
Frederik Rietdijk
ab8ba71205 Do not export ASPELL_CONF
This does not belong in Nix. Setting this env var is already done by the aspell derivation found in Nixpkgs.
2017-12-29 13:45:54 +01:00
Frederik Rietdijk
af1e2ffca1 Fix escaping, fixes build 2017-12-20 13:24:39 +01:00
Graham Christensen
1db034364a
replace lolcat with nix-info 2017-12-08 07:19:32 -05:00
Graham Christensen
be79d1f189
darwin installer: fix on High Sierra 2017-12-08 07:19:26 -05:00
Eelco Dolstra
ea94a87493
install-darwin-multi-user.sh: Remove superfluous nix.conf settings 2017-11-20 17:32:34 +01:00
Shea Levy
6a037a738a
Pull nix-profile-daemon from 1.11 2017-10-16 14:51:39 -04:00
Eelco Dolstra
73252aef18 Merge pull request #1591 from shlevy/darwin-installer-no-sudo-i
darwin installer: Fix on systems where sudo -i is disabled.
2017-10-12 13:08:15 +02:00
Shea Levy
fb98e29067 darwin installer: Fix on systems where sudo -i is disabled. 2017-10-05 09:07:55 -07:00
Anthony Cowley
92f9d18aa0 install-darwin-multi-user: relax assumption check
The installer will error out if a user's shell configuration includes any mention of ~nix-profile~, even if this is in a comment. This change is designed to do the bare minimum to ignore lines beginning with a `#`.
2017-10-02 20:07:56 -04:00
Eelco Dolstra
c2154d4c84
Rename a few configuration options
In particular, drop the "build-" and "gc-" prefixes which are
pointless. So now you can say

  nix build --no-sandbox

instead of

  nix build --no-build-use-sandbox
2017-08-31 14:28:25 +02:00
Jörg Thalheim
2fd8f8bb99 Replace Unicode quotes in user-facing strings by ASCII
Relevant RFC: NixOS/rfcs#4

$ ag -l | xargs sed -i -e "/\"/s/’/'/g;/\"/s/‘/'/g"
2017-07-30 12:32:45 +01:00
Graham Christensen
e0d39c8dc4
Rename PINCH_ME_IM_SILLY to ALLOW_PREEXISTING_INSTALLATION 2017-07-14 12:11:33 -04:00
Graham Christensen
12f6bb33d2
If there is no TTY, also skip verbose sudo messages 2017-07-14 12:11:30 -04:00
Graham Christensen
ce2281e6d8
Ensure PINCH_ME_IM_SILLY allows a /nix/store to stick around between builds
Also output in the status report that the user is very silly
2017-07-14 12:11:26 -04:00
Graham Christensen
1c7ce2a018
Assume yes if we have no TTY
Starve the TTY of input to ensure this works, but provide yes to the
current installer to handle the current broken case.
2017-07-14 12:11:23 -04:00
Graham Christensen
657b47e1b3
Address feedback around printf & exec 2017-07-14 12:11:00 -04:00
Graham Christensen
6a4037ca05
Don't install a second nix after the initial installation, and the rsync change fixes a bug hidden by the nix replacement where the store files were being owned by the installing user due to rsync's -a implying -og. 2017-07-14 12:10:57 -04:00
Graham Christensen
092f447c6d
Clean up issues around uninstall directions, and only show
relevant directions
2017-07-14 12:10:54 -04:00
Graham Christensen
6f639943c2
Prompt for sudo before validating assumptions, and check ourselves for root-owned files instead of making a scary warning. 2017-07-14 12:10:51 -04:00
Graham Christensen
2b5ab03524
multi-user install: move the profile in to the nix etc/profiles.d output 2017-07-14 12:10:47 -04:00
Graham Christensen
fb40d73e23
Switch to a fancy multi-user installer on Darwin 2017-07-14 12:10:44 -04:00
Jörg Thalheim
542fe0d8f3 nix-profile.sh: remove sbin from PATH
sbin is a symlink to bin. 
profiles only contains packages, which have this symlink. 
It is a subset of bin.

related to https://github.com/NixOS/nixpkgs/pull/25550
2017-05-07 07:41:19 +01:00
Eelco Dolstra
6f4682ad36
Merge branch 'nix-copy-closure-c++' of https://github.com/shlevy/nix 2017-02-07 20:47:45 +01:00
Eelco Dolstra
27dc76c1a5
Remove build-remote.pl.in 2017-02-07 18:49:17 +01:00
Domen Kožar
48d4a23aa0
bail out if macOS 10.9 or lower is used during installer 2017-01-25 07:28:49 +01:00
Shea Levy
bfa41eb671 nix-copy-closure: Implement in C++.
Tests fail currently because the database is not given proper hashes in the VM
2017-01-20 09:47:58 -05:00
James Broadhead
9ce3fa2b2d shellcheck scripts/install-nix-from-closure.sh 2016-12-19 15:04:10 +00:00
Eelco Dolstra
215b70f51e
Revert "Get rid of unicode quotes (#1140)"
This reverts commit f78126bfd6. There
really is no need for such a massive change...
2016-11-26 00:38:01 +01:00
Guillaume Maudoux
f78126bfd6 Get rid of unicode quotes (#1140) 2016-11-25 15:48:27 +01:00
Manav Rathi
eec5409a69 installation: allow profile modification to be skipped (#1072)
The current behaviour modifies the first writeable file from amongst
.bash_profile, .bash_login and .profile.  So .bash_profile (if it is
writable) would be modified even if a user has already sourced nix.sh
in, say, .profile.

This commit introduces a new environment variable,
NIX_INSTALLER_NO_MODIFY_PROFILE.  If this is set during installation,
then the modifications are unconditionally skipped.

This is useful for users who have a manually curated set of dotfiles
that they are porting to a new machine. In such scenarios, nix.sh is
already sourced at a place where the user prefers.  Without this
change, the nix installer would insist on modifying .bash_profile if
it exists.

This commit also add documentations for both the current behaviour and
the new override.
2016-11-03 18:02:29 +01:00
Eelco Dolstra
fb2dd32100 SSL_CERT_FILE -> NIX_SSL_CERT_FILE
This prevents collisions with the "native" OpenSSL, in particular on
OS X.

Fixes #921.
2016-10-13 17:09:10 +02:00
Shea Levy
87b189c2b3 Merge branch 'nix-build-c++' 2016-08-31 12:10:21 -04:00
Shea Levy
572aba284a Merge branch 'nix-channel-c++' 2016-08-31 09:49:24 -04:00
Jude Taylor
596e4a5693 remove old traces of resolve-system-dependencies 2016-08-13 15:27:49 -07:00
Shea Levy
59124228b3 nix-channel: implement in c++ 2016-08-11 11:34:43 -04:00
Shea Levy
6e51af8023 Nuke nix-push.
Rarely used, nix copy replaces it.
2016-08-10 11:13:11 -04:00
Shea Levy
a6eed133c5 Remove download-from-binary-cache.pl.in.
We have BinaryCacheStore now
2016-08-10 08:43:33 -04:00
Shea Levy
e3128014db Remove scripts/show-duplication.pl
Was added in 2006 to "measure the cost of the Nix approach".

Given that it uses /usr/bin/perl, I think this is safe to remove.
2016-08-10 08:40:58 -04:00
Shea Levy
15c035c13f Remove nix-install-package.
Refs #831
2016-08-10 08:20:51 -04:00
Shea Levy
80ebc553ec nix-build: Port to c++
This was a dumb line-for-line rewrite, because nix build/nix run/etc.
will replace it.
2016-08-09 07:42:20 -04:00
Alexey Shmalko
eef754813f Set $MANPATH (#1005)
Currently, man has issues finding man pages for Nix-installed
application (also, `nix-env --help` doesn't work). The issue is caused
by custom `$MANPATH` set by my system. That makes man use it instead of
searching in default location.

Either of next lines workaround the issue:
```sh
unset MANPATH

export MANPATH=$HOME/.nix-profile/share/man:$MANPATH
```

This patch adds the later line to the `nix-profile.sh` if user has
`MANPATH` set. (Not clearing `MANPATH` as that would be disrespect of
user's preferences.)

As a side-effect, host's man might find man pages installed by Nix.
2016-07-29 12:00:11 +02:00
Shea Levy
ee3032e4de Merge branch 'find-runtime-roots-c++' 2016-07-24 07:33:49 -04:00
Shea Levy
3c68a661f2 resolve-system-dependencies.pl: Only install on darwin 2016-07-21 19:00:54 -04:00
Shea Levy
3c46fe62b8 find-runtime-roots: fold into gc.cc 2016-07-21 07:04:41 -04:00
Eelco Dolstra
4494000e04 LocalStore: Allow the physical and logical store directories to differ
This is primarily to subsume the functionality of the
copy-from-other-stores substituter. For example, in the NixOS
installer, we can now do (assuming we're in the target chroot, and the
Nix store of the installation CD is bind-mounted on /tmp/nix):

  $ nix-build ... --option substituters 'local?state=/tmp/nix/var&real=/tmp/nix/store'

However, unlike copy-from-other-stores, this also allows write access
to such a store. One application might be fetching substitutes for
/nix/store in a situation where the user doesn't have sufficient
privileges to create /nix, e.g.:

  $ NIX_REMOTE="local?state=/home/alice/nix/var&real=/home/alice/nix/store" nix-build ...
2016-06-02 16:02:48 +02:00
Eelco Dolstra
33664f0e8d Fix reference to $NIX_LINK 2016-05-31 15:14:24 +02:00
Eelco Dolstra
c9ff3747db nix-profile.sh: Don't pollute the environment 2016-05-31 13:07:10 +02:00
Eelco Dolstra
c2d27d30cf nix-copy-closure / build-remote.pl: Disable signature checking
This restores the Nix 1.11 behaviour.
2016-05-31 11:48:05 +02:00
Gabriel Gonzalez
3889415bf8 Fix ?? in Nix warning message
Nix sometimes outputs a warning message like this:

```
directory /nix does not exist; creating it by running ‘?? using sudo
```

... when it really meant to output something that looked like this:

```
directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown gabriel /nix' using sudo
```

The reason why is due to some bizarre behavior in Bash where it will translate anything of the form `$x’` to `??`, leading to the incorrect warning message.  I don't know what is the origin of this Bash behavior, but the easiest fix is to just use ASCII quotes instead of unicode quotes.
2016-05-18 12:02:48 -07:00
Eelco Dolstra
f435f82475 Remove OpenSSL-based signing 2016-05-04 11:01:48 +02:00
Eelco Dolstra
80f739b571 Merge pull request #883 from sheenobu/bugfix/ruby_shebang
Workaround to support ruby as an interpreter
2016-05-03 11:14:21 +02:00
Eelco Dolstra
aa3bc3d5dc Eliminate the substituter mechanism
Substitution is now simply a Store -> Store copy operation, most
typically from BinaryCacheStore to LocalStore.
2016-04-29 13:57:08 +02:00
Eelco Dolstra
6e1b099279 Remove --print-build-trace
This was added to support Hydra, but Hydra no longer uses it.
2016-04-25 19:18:45 +02:00
Eelco Dolstra
41633f9f73 Improved logging abstraction
This also gets rid of --log-type, since the nested log type isn't
useful in a multi-threaded situation, and nobody cares about the
"pretty" log type.
2016-04-25 19:18:45 +02:00
Sheena Artrip
2989783f64
Workaround to support ruby as an interpreter 2016-04-18 13:16:59 -04:00
Eelco Dolstra
a54736355a install-nix-from-closure: Don't run nix-store --verify
Verification is slow. Also, we really shouldn't advise users to nuke
their store.
2016-04-14 12:50:01 +02:00
Shea Levy
1b3e704fb9 Merge branch 'patch-2' of git://github.com/wmertens/nix
install-nix-from-closure improvments
2016-04-12 07:33:04 -04:00
Eelco Dolstra
867967265b Remove manifest support
Manifests have been superseded by binary caches for years. This also
gets rid of nix-pull, nix-generate-patches and bsdiff/bspatch.
2016-04-11 16:20:15 +02:00
Wout Mertens
af4fb6ef61 Bring nix-profile.sh in line with NixOS
Use the same logic as NixOS' profile and environment setup. Closes #414
2016-04-10 23:45:52 +02:00
Wout Mertens
ef00999fb7 Remove information about nix-store --optimise 2016-04-10 21:55:26 +02:00
wmertens
4916d92092 Always verify nix store on install
Just wasted a couple hours chasing shadows because the nix store got
corrupted and there was no indication of that anywhere.

Since an install is one-time only, might as well verify.  Optimization
showed that the copied files aren't read-only; fixed that as well.

Also, use /bin/sh since there's a good chance that this script will be
run on systems without /bin/bash
2016-04-10 21:55:26 +02:00
Shea Levy
4f011bccf8 Merge branch 'master' of git://github.com/stepcut/nix 2016-02-19 18:21:41 -05:00
Eelco Dolstra
c4d22997f3 Add C++ functions for .narinfo processing / signing
This is currently only used by the Hydra queue runner rework, but like
eff5021eaa it presumably will be useful
for the C++ rewrite of nix-push and
download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
Peter Simons
92063851b1 nix-profile.sh.in: find ca-bundle.pem on openSUSE Tumbleweed machines 2016-02-16 10:15:05 +01:00
Peter Simons
bd42510e49 nix-profile.sh.in: quote use of $HOME in shell arguments
All other places in the script do this already, so let's be consistent.
2016-02-12 13:24:25 +01:00
Alex Cruice
ad0dc41899 Check shell profile is writeable before modifying
The `set -e` at the top of the script causes the installation to fail to
complete if the shell profile is not writeable. Checking file existence
only is not enough.
2016-02-10 11:57:50 +01:00
Brian McKenna
3baf8be1d1 Fix broken call to shellwords
nix-shell shebangs were broken by 9018deab
2016-01-20 16:35:16 +01:00
Philip Potter
4f3cf06c97 Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS
certificate presented by the server actually matches the hostname
requested, and actually is issued by a trusted CA chain.  This almost
entirely negates any benefit from using TLS in the first place.

This removes the --insecure flag to ensure we actually have a secure
connection to the intended hostname before downloading binaries.

Manually tested locally within a dev-shell; was able to download
binaries from https://cache.nixos.org without issue.

[Note: --insecure was only used for fetching NARs, whose integrity is
verified by Nix anyway using the hash from the .narinfo. But if we can
fetch the .narinfo without --insecure, we can also fetch the .nar, so
there is not much point to using --insecure. --Eelco]
2016-01-05 14:19:46 +01:00
Fabian Schmitthenner
0eb200e569 propagate NIX_BUILD_SHELL also in pure builds document NIX_BUILD_SHELL in the nix-shell command documentation 2016-01-05 14:11:20 +01:00
Brian McKenna
9018deab6c Use shellwords for nix-shell shebang
Previously we can't have quoted arguments.

This now allows us to use things like `ghcWithPackages`
2015-12-07 11:31:26 +11:00
Jeremy Shaw
3afa16e16f Clarify installation error message that is shown when /nix/store exists but is not writable by the user 2015-12-06 11:00:03 -06:00
Eelco Dolstra
c0d4173263 Set default binary-caches-parallel-connections to 25
Some benchmarking suggested this as a good value. Running

  $ benchmark -f ... -t 25 -- sh -c 'rm -f /nix/var/nix/binary-cache*; nix-store -r /nix/store/x5z8a2yvz8h6ccmhwrwrp9igg03575jg-nixos-15.09.git.5fd87e1M.drv --dry-run --option binary-caches-parallel-connections <N>'

gave the following mean elapsed times for these values of N:

N=10:  3.3541
N=20:  2.9320
N=25:  2.6690
N=30:  2.9417
N=50:  3.2021
N=100: 3.5718
N=150: 4.2079

Memory usage is also reduced (N=150 used 186 MB, N=25 only 68 MB).

Closes #708.
2015-11-25 17:13:11 +01:00
Jude Taylor
279fa8f618 reintroduce host deps in tandem with sandbox profiles 2015-11-21 15:57:06 -08:00
Eelco Dolstra
9ee15abe30 Fix bad characters in "copying 7 missing paths from ..." 2015-11-10 16:12:26 +01:00
Shea Levy
fef8c3a5ab resolve-system-dependencies.pl: Simplify union impl
Patch by @pikajude
2015-10-21 18:18:03 -04:00
Jude Taylor
f5a7739171 appropriately handle lock acquisition failures in resolve-system-dependencies.pl 2015-10-21 14:38:35 -07:00
Jude Taylor
ff6953cb03 Add resolve-system-dependencies.pl 2015-10-21 12:38:52 -07:00
Eelco Dolstra
bec3c31608 nix-prefetch-url: Rewrite in C++ 2015-10-01 16:47:43 +02:00
Utku Demir
a49514a2e2 Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false
This makes that option even more insecure, by also not checking the SSL host.

But without this parameter, one can still get SSL errors even when
"verify-https-binary-caches" is false, which is unexpected IMO.
2015-09-25 22:34:08 +03:00
Eelco Dolstra
984c5cdc50 Drop newline in error message 2015-08-07 05:32:17 +02:00
Eelco Dolstra
ccf31dbc25 nix-copy-closure: Add -v flag
And make exportPath() less spammy by default.
2015-07-20 01:52:07 +02:00
Eelco Dolstra
e012c126db Revert "add the manpath to the installer"
This reverts commit 76f985b92d. We
shouldn't mess with $MANPATH, because on some "man" implementations
(like NixOS'), the default value on $MANPATH is derived from $PATH. So
if you set $MANPATH, you lose the default locations.
2015-07-01 13:04:15 +02:00
Eelco Dolstra
c48617671d nix-channel: Fix bogus error message caused by 8a84bd8c8b 2015-06-12 01:56:34 +02:00
Eelco Dolstra
f2b67fbf2a nix-push: Support -j
Fixes #548.
2015-06-08 14:16:06 +02:00
Eelco Dolstra
bf8cc4e9b6 Update cacert locations 2015-06-08 11:40:35 +02:00
Eelco Dolstra
b190f771e7 copy-from-other-stores: Use cp 2015-06-04 14:55:40 +02:00
Eelco Dolstra
f0f30f594c Naming 2015-06-03 15:19:26 +02:00
Eelco Dolstra
a80f11bf7b nix-shell: Support multiple "#! nix-shell" lines 2015-06-01 13:48:45 +02:00
Eelco Dolstra
e0a068cb97 nix-shell: Barf if -p and -E are both used
Closes #454, #455.
2015-05-21 17:04:43 +02:00
Eelco Dolstra
deb8668a0e nix-shell: Fix uninitialized value warning 2015-05-05 14:19:58 +02:00
Shea Levy
96dcc006e9 Merge branch 'nix-channel-tarballs' of git://github.com/copumpkin/nix 2015-04-27 19:07:43 -04:00
Luca Bruno
ab2b3d6668 nix-collect-garbage: translate to C++ 2015-04-22 15:08:48 +00:00
Dan Peebles
8a84bd8c8b Support tarballs in nix channel URLs 2015-04-20 00:34:29 -04:00
Michael Merickel
76f985b92d add the manpath to the installer 2015-04-12 20:30:47 -04:00
Eelco Dolstra
9f3eb56b46 Reduce verbosity in build-remote.pl 2015-03-04 16:27:42 +01:00
Shea Levy
47bdc52c1b Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nix
sometimes cd prints to stdout
2015-02-22 12:00:51 -05:00
Eelco Dolstra
175935e053 FIXMEs 2015-02-19 14:10:33 +01:00
Eelco Dolstra
1816ac0db1 Escape arguments to nix-shell #! scripts 2015-02-18 20:13:53 +01:00
Eelco Dolstra
dc7e8fae48 Support passing command line arguments to nix-shell #! scripts 2015-02-18 15:55:18 +01:00
Eelco Dolstra
bb10010582 Fix nix-shell shebang scripts if -p is used 2015-02-18 12:40:07 +01:00
Eelco Dolstra
f19b4abfb2 Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-17 13:16:58 +01:00
Jeff Ramnani
d53735c823 Nix install script failed when "cd" printed to stdout.
In some cases the bash builtin command "cd" can print the variable $CWD
to stdout.  This caused the install script to fail while copying files
because the source path was wrong.

Fixes #476.
2015-02-11 12:39:14 -06:00
Shea Levy
70cae879e3 nix-build: Respect -Q during evaluation
Fixes #474
2015-02-08 20:44:05 -05:00
Eelco Dolstra
f3a5930488 Sign a subset of the .narinfo
We only need to sign the store path, NAR hash and references (the
"fingerprint"). Everything else is irrelevant to security. For
instance, the compression algorithm or the hash of the compressed NAR
don't matter as long as the contents of the uncompressed NAR are
correct.

(Maybe we should include derivers in the fingerprint, but they're
broken and nobody cares about them. Also, it might be nice in the
future if .narinfos contained signatures from multiple independent
signers. But that's impossible if the deriver is included in the
fingerprint, since everybody will tend to have a different deriver for
the same store path.)

Also renamed the "Signature" field to "Sig" since the format changed
in an incompatible way.
2015-02-04 17:59:31 +01:00
Eelco Dolstra
e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Jaka Hudoklin
3688db3d43 nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
Oliver Dunkl
de91a42c6e Moves runHook to a later execution position
It moves runHook to a later position in the rcfile. After that we are
able to set the PS1 environment-variable for a nix-shell environment
e.g.:

  # turn the color of the prompt to blue
  shellHook = ''
    export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
  '';
2015-01-28 13:39:48 +01:00
Eelco Dolstra
f6716e95bb Shut up "Wide character in print" warning in copy-from-other-stores.pl 2015-01-15 17:56:56 +01:00
Eelco Dolstra
a5e2c8e560 Set correct user agent for NAR downloads from binary caches 2015-01-15 12:05:27 +01:00
Eelco Dolstra
128538ef06 nix-shell: Add --run flag
‘--run’ is like ‘--command’, except that it runs the command in a
non-interactive shell. This is important if you do things like:

  $ nix-shell --command make

Hitting Ctrl-C while make is running drops you into the interactive
Nix shell, which is probably not what you want. So you can now do

  $ nix-shell --run make

instead.
2015-01-08 15:14:38 +01:00
Eelco Dolstra
b76589206a nix-shell: Interpret filenames relative to the #!-script
So you can have a script like:

  #! /usr/bin/env nix-shell
  #! nix-shell script.nix -i python

  import prettytable

  x = prettytable.PrettyTable(["Foo", "Bar"])
  for i in range(1, 10): x.add_row([i, i**2])
  print x

with a ‘script.nix’ in the same directory:

  with import <nixpkgs> {};

  runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""

(Of course, in this particular case, using the ‘-p’ flag is more
convenient.)
2015-01-08 14:56:14 +01:00
Eelco Dolstra
a957893b26 Allow nix-shell to be used as a #! interpreter
This allows scripts to fetch their own dependencies via nix-shell. For
instance, here is a Haskell script that, when executed, pulls in GHC
and the HTTP package:

  #! /usr/bin/env nix-shell
  #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP

  import Network.HTTP

  main = do
    resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/")
    body <- getResponseBody resp
    print (take 100 body)

Or a Perl script that pulls in Perl and some CPAN packages:

  #! /usr/bin/env nix-shell
  #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP

  use HTML::TokeParser::Simple;

  my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/');

  while (my $token = $p->get_tag("a")) {
      my $href = $token->get_attr("href");
      print "$href\n" if $href;
  }

Note that the options to nix-shell must be given on a separate line
that starts with the magic string ‘#! nix-shell’. This is because
‘env’ does not allow passing arguments to an interpreter directly.
2015-01-08 14:32:45 +01:00
Eelco Dolstra
7ba0e9cb48 nix-shell --command: Remove bogus argument to "exit"
Fixes "exit: Inappropriate: numeric argument required" errors.
2015-01-07 16:10:20 +01:00
Eelco Dolstra
c2a552b075 Install cacert before running nix-channel
Also, make it more robust against incorrent SSL_CERT_FILE values.
2014-12-13 16:53:21 +01:00
Eelco Dolstra
20cf0127f5 Include cacert in the binary tarball
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 16:05:08 +01:00
Eelco Dolstra
2f16946064 Always use https to fetch the Nixpkgs channel 2014-12-10 11:35:56 +01:00
Eelco Dolstra
39fe52f7ac Fix bad comment 2014-12-10 11:35:05 +01:00
Eelco Dolstra
af555d7694 Doh 2014-12-09 20:43:12 +01:00