
nixos/nix: Add support for running an unprivileged daemon #491809

Merged: Ericson2314 merged 2 commits into NixOS:master from obsidiansystems:nix-daemon-unprivileged on Feb 23, 2026


@artemist (Member)

Things done

Upstream Nix recently added support for the features required to run an unprivileged nix. This PR adds support and a basic test for running nix unprivileged with full sandboxing.

This new configuration is based off those used in its VM test. If I have implemented this correctly there should be no actual nix changes if the daemon is running as root.

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


@nixpkgs-ci bot added the labels 8.has: package (update), 10.rebuild-linux: 101-500, 10.rebuild-darwin: 101-500 and 10.rebuild-nixos-tests on Feb 18, 2026
@artemist force-pushed the nix-daemon-unprivileged branch 3 times, most recently from e1b89e2 to ae286eb, on February 18, 2026 18:24
@nixpkgs-ci bot added the labels 10.rebuild-linux: 1-10, 10.rebuild-darwin: 0, 6.topic: nixos and 8.has: module (update), and removed the labels 8.has: package (update), 10.rebuild-linux: 101-500, 10.rebuild-darwin: 101-500 and 10.rebuild-nixos-tests, on Feb 18, 2026
@artemist force-pushed the nix-daemon-unprivileged branch 2 times, most recently from 33dc5ed to 0ae9a93, on February 19, 2026 14:47
@artemist marked this pull request as ready for review on February 19, 2026 14:47
@nixpkgs-ci bot added the label 9.needs: reviewer on Feb 19, 2026
@artemist force-pushed the nix-daemon-unprivileged branch from 0ae9a93 to 3d028fe on February 19, 2026 21:01
@artemist force-pushed the nix-daemon-unprivileged branch from 3d028fe to 795c26d on February 19, 2026 21:03
@Ericson2314 added the label backport release-25.11 on Feb 23, 2026
@Ericson2314 (Member) left a comment

This should be experimental at least as long as the underlying nix features as stable, but by that token, the barrier to merge should not be too high.

We're backporting this because we want to use it in the preexisting test for this in the Nix repo --- that test is currently handrolling it downstream. Having it dogfooded upstream will make it more robust.

@Ericson2314 added this pull request to the merge queue on Feb 23, 2026
@nixpkgs-ci bot added the label 12.approvals: 1 and removed the label 9.needs: reviewer on Feb 23, 2026
Merged via the queue into NixOS:master with commit bc0021e on Feb 23, 2026
31 of 33 checks passed
@Ericson2314 deleted the nix-daemon-unprivileged branch on February 23, 2026 17:09
@nixpkgs-ci bot (Contributor) commented Feb 23, 2026

Backport failed for release-25.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.11
git worktree add -d .worktree/backport-491809-to-release-25.11 origin/release-25.11
cd .worktree/backport-491809-to-release-25.11
git switch --create backport-491809-to-release-25.11
git cherry-pick -x bd49e43206e92312906bb5a9e7a32157c3d9d3d1 795c26dca5d17874fc0a08899776f48b33e6cf4c
