
Encrypt darwin volume fix mount #3

Closed
wants to merge 389 commits into from

Conversation

abathur
Owner

@abathur abathur commented Mar 30, 2021

just cheating

```sh
sh <(curl -L https://abathur-nix-install-tests.cachix.org/serve/674rjk2mr1rfwzdbmg26s0ayzm05s8r5/install) --tarball-url-prefix https://abathur-nix-install-tests.cachix.org/serve
```

edolstra and others added 30 commits January 8, 2021 11:40
Allow Flake inputs to accept boolean and integer attributes
This resolves NixOS#3810 by changing the behavior of `max-jobs = 0`, so
that specifying the option also avoids local building of derivations
with the attribute `preferLocalBuild = true`.
By default, once you enter x86_64 Rosetta 2, macOS will try to run
everything in x86_64. So an x86_64 Nix will still try to use x86_64
even when system = aarch64-darwin. To avoid this we can set
kern.curproc_arch_affinity sysctl. With kern.curproc_arch_affinity=0,
we ignore this preference.

This is based on how
https://opensource.apple.com/source/system_cmds/system_cmds-880.40.5/arch.tproj/arch.c.auto.html
works. Completely undocumented, but seems to work!

Note, you can verify this works with this impure Nix expression:

```nix
  {
    a = derivation {
      name = "a";
      system = "aarch64-darwin";
      builder = "/bin/sh";
      args = [ "-e" (builtins.toFile "builder" ''
        [ "$(/usr/bin/arch)" = arm64 ]
        [ "$(/usr/bin/arch -arch x86_64 /bin/sh -c /usr/bin/arch)" = i386 ]
        [ "$(/usr/bin/arch -arch arm64 /bin/sh -c /usr/bin/arch)" = arm64 ]
        /usr/bin/touch $out
      '') ];
    };

    b = derivation {
      name = "b";
      system = "x86_64-darwin";
      builder = "/bin/sh";
      args = [ "-e" (builtins.toFile "builder" ''
        [ "$(/usr/bin/arch)" = i386 ]
        [ "$(/usr/bin/arch -arch x86_64 /bin/sh -c /usr/bin/arch)" = i386 ]
        [ "$(/usr/bin/arch -arch arm64 /bin/sh -c /usr/bin/arch)" = arm64 ]
        /usr/bin/touch $out
      '') ];
    };
  }
```
Replaces 'nix-env --list-generations'. Similar to 'nix profile
diff-closures' but shows only the changes in top-level packages.
…ct-zero-max-jobs

Don't let 'preferLocalBuild' override 'max-jobs=0'
…finity

Set kern.curproc_arch_affinity=0 to escape Rosetta
Thanks @regnat and @edolstra for catching this and coming up with the
solution.

The way I had generalized those is wrong, because local settings for
non-local stores is a confusing default. And due to the nature of C++
inheritance, fixing the defaults is more annoying than it should be.
Additionally, I thought we might just drop the check in the substitution
logic since `Store::addToStore` is now streaming, but @regnat rightfully
pointed out that as it downloads dependencies first, that would still be
too late, and also waste effort on possibly unneeded/unwanted
dependencies.

The simple and correct thing to do is just make a store method for the
boolean logic, keeping all the setting and key stuff the way it was
before. That new method is both used by `LocalStore::addToStore` and the
substitution goal check. Perhaps we might eventually make it fancier,
e.g. sending the ValidPathInfo to remote stores for them to validate,
but this is good enough for now.
2259 error message - "auto-call" error
While interpreting the output is fairly intuitive it would be better to
explicitly specify what a good invocation looks like.

That this isn't completely obvious (or at least causes folks to
second-guess themselves) can be seen in a couple user threads:

- https://discourse.nixos.org/t/nixos-cache-fetching-issue/3575/11
- https://discourse.nixos.org/t/newbie-question-cant-get-trivial-example-of-nixops-to-work-on-my-mac/1125/8
Document expected output of 'nix store ping'.
samueldr and others added 28 commits March 19, 2021 15:20
A few versioning mistakes were corrected:

- In 27b5747, Daemon protocol had some
  version `>= 0xc` that should have been `>= 0x1c`, or `28` since the
  other conditions used decimal.

- In a2b6966, legacy SSH gated new CAS
  info on version 6, but version 5 in the server. It is now 6
  everywhere.

Additionally, legacy ssh was sending over more metadata than the daemon
one was. The daemon now sends that data too.

CC @regnat

Co-authored-by: Cole Helbling <[email protected]>
…alling-cleanup-lighter

Clean up serialization for `BuildResult`
…alling-cleanup-lighter

Fix typos in the last PR NixOS#4656
Fix Nix to properly work with stores using a scoped IPv6 address
…p-builders

improve man page for nix.conf (builders)
Added Debian-based OS's profiles
Use the appropriate config dir for the registry
fix nixbld user name/uid for macOS/darwin
Thanks for your time and attention *again* here.
I know they're scarce resources!
Also thanks to jtojnar and samueldr for clarifying discussion.
I didn't realize shellcheck would object; don't see my reason
as sufficient for disabling the rule.
- the presence of an encrypted volume triggered reminders instead of
  a hard failure for vestigial reasons (at one point the WIP script
  did not support using an existing volume at all, so these were
  just reminders shown alongside *that* hard failure).
- fixed a pretty 😊 bug with `password_confirm` that caused it
  to return true even if the user answered "n" to the initial prompt.
much thanks to the eagle-eyed @lilyball for spotting this
@abathur abathur closed this Mar 30, 2021
@abathur abathur deleted the encrypt_darwin_volume_fix_mount branch March 30, 2021 03:37