nix-daemon: update for new builder UID/GID values

CHANGELOG

@@ -1,3 +1,17 @@
+2024-09-10
+- The default Nix build user group ID is now set to 350 when
+  `system.stateVersion` ≥ 5, to reflect the default for new Nix
+  installations. This only affects installations that enable
+  `nix.configureBuildUsers`, and any divergence will be detected on
+  system activation. To use `nix.configureBuildUsers` with a higher
+  `system.stateVersion` on installations using the old group ID, set:
+
+      ids.gids.nixbld = 30000;
+
+  We do not recommend trying to change the group ID with macOS user
+  management tools without a complete uninstallation and reinstallation
+  of Nix.
+
 2024-06-15
 - SECURITY NOTICE: The previous implementation of the
   `users.users.<name>.openssh.authorizedKeys.*` options would not delete

modules/examples/flake/flake.nix

@@ -32,7 +32,7 @@
 
       # Used for backwards compatibility, please read the changelog before changing.
       # $ darwin-rebuild changelog
-      system.stateVersion = 4;
+      system.stateVersion = 5;
 
       # The platform the configuration will be used on.
       nixpkgs.hostPlatform = "x86_64-darwin";

modules/examples/ofborg.nix

@@ -25,5 +25,5 @@ with lib;
 
   # Used for backwards compatibility, please read the changelog before changing.
   # $ darwin-rebuild changelog
-  system.stateVersion = 4;
+  system.stateVersion = 5;
 }

modules/examples/simple.nix

@@ -21,5 +21,5 @@
 
   # Used for backwards compatibility, please read the changelog before changing.
   # $ darwin-rebuild changelog
-  system.stateVersion = 4;
+  system.stateVersion = 5;
 }

modules/misc/ids.nix

@@ -8,7 +8,7 @@
 # to change uids/gids on service start, in example a service with a lot of
 # files.
 
-{ lib, ... }:
+{ lib, config, ... }:
 
 let
   inherit (lib) types;
@@ -34,15 +34,14 @@ in
 
   };
 
-
   config = {
 
     ids.uids = {
-      nixbld = 300;
+      nixbld = lib.mkDefault 350;
     };
 
     ids.gids = {
-      nixbld = 30000;
+      nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350);
     };
 
   };

modules/system/checks.nix

@@ -55,6 +55,32 @@ let
     fi
   '';
 
+  preSequoiaBuildUsers = ''
+    firstBuildUserID=$(dscl . -read /Users/_nixbld1 UniqueID | awk '{print $2}')
+    if [[ $firstBuildUserID != ${toString (config.ids.uids.nixbld + 1)} ]]; then
+        printf >&2 '\e[1;31merror: Build users have outdated UIDs, aborting activation\e[0m\n'
+        printf >&2 'The default Nix build user ID range has been adjusted for\n'
+        printf >&2 'compatibility with macOS Sequoia 15. Your system needs migration.\n'
+        printf >&2 '\n'
+        printf >&2 'You can automatically migrate your users using the following script\n'
+        printf >&2 'from the Nix repository:\n'
+        printf >&2 '\n'
+        printf >&2 '    https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh\n'
+        printf >&2 '\n'
+        printf >&2 'This should work even if you installed Nix with the Determinate\n'
+        printf >&2 'Systems installer or are using Lix. If you are comfortable using the\n'
+        printf >&2 'script without review, you can run:\n'
+        printf >&2 '\n'
+        printf >&2 "    curl --proto '=https' --tlsv1.2 -sSf -L https://github.com/NixOS/nix/raw/master/scripts/sequoia-nixbld-user-migration.sh | bash -\n"
+        printf >&2 '\n'
+        printf >&2 'If you have no intention of upgrading to macOS Sequoia, you can\n'
+        printf >&2 'disable this error by setting:\n'
+        printf >&2 '\n'
+        printf >&2 '    ids.uids.nixbld = 300;\n'
+        exit 2
+    fi
+  '';
+
   buildUsers = ''
     buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
     if [ -z $buildUser ]; then
@@ -70,6 +96,31 @@ let
     fi
   '';
 
+  buildGroupID = ''
+    buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}')
+    expectedBuildGroupID=${toString config.ids.gids.nixbld}
+    if [[ $buildGroupID != ${toString config.ids.gids.nixbld}) ]]; then
+        printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n'
+        printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n'
+        printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n'
+        printf >&2 'nixbld group has ID %d, whereas we expected %d.\n' \
+          "$buildGroupID" "$expectedBuildGroupID"
+        printf >&2 '\n'
+        printf >&2 'Possible causes include setting up a new Nix installation with an\n'
+        printf >&2 'existing nix-darwin configuration, or increasing your\n'
+        printf >&2 '`system.stateVersion` setting.'
+        printf >&2 '\n'
+        printf >&2 'You can either set the group ID to match the actual value:\n'
+        printf >&2 '\n'
+        printf >&2 '    ids.gids.nixbld = %d;\n' "$buildGroupID"
+        printf >&2 '\n'
+        printf >&2 'or disable `nix.configureBuildUsers`. We do not recommend trying to\n'
+        printf >&2 'change the group ID with macOS user management tools without a\n'
+        printf >&2 'complete uninstallation and reinstallation of Nix.\n'
+        exit 2
+    fi
+  '';
+
   singleUser = ''
     if grep -q 'build-users-group =' /etc/nix/nix.conf; then
         echo "error: The daemon is not enabled but this is a multi-user install, aborting activation" >&2
@@ -242,7 +293,9 @@ in
 
     system.checks.verifyBuildUsers = mkOption {
       type = types.bool;
-      default = !(config.nix.settings.auto-allocate-uids or false);
+      default =
+        (config.nix.useDaemon && !(config.nix.settings.auto-allocate-uids or false))
+        || config.nix.configureBuildUsers;
       description = "Whether to run the Nix build users validation checks.";
     };
 
@@ -259,7 +312,9 @@ in
       darwinChanges
       runLink
       oldBuildUsers
-      (mkIf (config.nix.useDaemon && cfg.verifyBuildUsers) buildUsers)
+      (mkIf cfg.verifyBuildUsers preSequoiaBuildUsers)
+      (mkIf cfg.verifyBuildUsers buildUsers)
+      (mkIf config.nix.configureBuildUsers buildGroupID)
       (mkIf (!config.nix.useDaemon) singleUser)
       nixStore
       (mkIf (config.nix.gc.automatic && config.nix.gc.user == null) nixGarbageCollector)

modules/system/version.nix

@@ -35,7 +35,7 @@ in
   options = {
     system.stateVersion = mkOption {
       type = types.int;
-      default = 4;
+      default = 5;
       description = ''
         Every once in a while, a new NixOS release may change
         configuration defaults in a way incompatible with stateful