nixie-dev / nixie

Put Nix in everything!

License: GNU General Public License v2.0

Makefile 3.46% Shell 26.55% Nix 11.10% Python 58.88%
build-tool developer-tools nix nixos nixpkgs offline-tool static wrapper

nixie's Issues

Darwin/macOS support

This is a tough one, specifically because the Darwin operating system, which constitutes the underpinnings of both macOS and iOS, has no support for what in the Linux world is called "namespaces", and on the BSDs "jails".

The ability for Nix to "mount" the Nix store at the system root with no privileges or directory creation is very similar to what I used in this script. This relies heavily on two features: bind mounts (which sync a subdirectory with a virtual location elsewhere), and mount namespacing (which prevents a process's mounts from reflecting in the rest of the system), neither of which exist on Darwin.

There is a way to emulate this, by leveraging an overlay or union mount, but that somehow got nuked ages ago???, and restoring it would require making macFUSE a hard dependency, which is both uncommon and invasive. Reflinking the system root elsewhere takes ages and does not carry the user's home over, so that's also a no-go, and loopback NFS mounts constitute a fundamental change to the system configuration, which is unacceptable for us.

So I tried another approach entirely: spinning up a macOS virtual machine, ideally sharing the host's root filesystem, but where the /nix mountpoint exists (through a modified /etc/synthetic.conf in the VM) and is mounted to a sparse image in the user's home.

So far, I haven't been able to find an unprivileged method to spin up a virtual machine reliably. QEMU is out of the question, both due to massive dependencies, and the lack of Mac-to-Mac paravirtualization support making a potential macOS VM way more fragile.
Even the recommended approach, Virtualization, requires an entitlement, which is impossible given our single-file format. Oh, and that only works on Apple Silicon.

Finally, modifying /etc/synthetic.conf and mounting a disk image directly onto /nix would clobber an eventual system-wide Nix install afterwards, which kinda goes against our intent to take over the world, and requiring superuser rights at launch is very bad security practice, very bad UX and reduces our potential user base by a lot. If you're going to bother with root, might as well install Nix proper anyway.

Therefore, the current placeholder function, _macos_workaround_nix(), currently errors out and tells the user to install system-wide Nix. I really hope we figure out a low-dependency, lightweight approach to macOS virtualization, but in the meantime, this project will remain fundamentally incompatible with Darwin.

This also means that, contrary to the initial plan, no static binaries for Darwin will be provided upon install.

Whenever this issue is closed, nix scripts generated using nix-wrap will have to be regenerated using the latest version of the tool.

Here's a checklist that an eventual fix will have to fulfill:

Requirements:

  • Mount the Nix store at the script's effective root
  • Do not clobber the system-wide Nix install process
  • Be buildable from sources shipped in the resource archive
  • Be frugal in resources (compiling aside)

Bonuses:

  • Do not require root access
  • Do not require binaries not built into macOS
  • Be portable across Intel and Apple Silicon

Building Nix binaries on macOS

In the current state of things, macOS support is currently untested and put on hold due to an unfortunate combination of circumstances:

  • Nixpkgs cross-compilation targeting Darwin is currently broken (NixOS/nixpkgs#219866)
  • The local build scripts bundled with the generated Nixie script also fail, due to a broken Boost detection script in Nix's Automake configuration

As per #1, I already have fakedir Universal binaries ready on the Cachix server, but the failing build workflows are currently disabled.

Once a solution has been found, all scripts generated beforehand will need to be updated with nixie update.

SSL connect error with Nixie

Hello,

I'm trying to replace my usage of nix-portable with Nixie, but have stumbled upon a problem that the nix script can't download the cache:

$ ./nix shell nixpkgs#hello
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 259 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 576 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 1102 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 2446 ms
error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35)

Is there a known workaround for it? Or do you have any ideas how I could debug it further?

Thanks!

ENH: Support home-manager (`nix-build` ?)

Hey.

This project looks quite interesting. Thank you for working on it!
I played around with the project to get nix on a locked-down server and would like to know if it is possible to install home-manager.
I am following the official home-manager documentation -- nix flakes with nixos-stable as the target.
When running the rebuild ./nix run .#homeConfigurations.<name>.activationPackage I get the following error message:

/nix/store/j333lfi0wk1f2yd1bg2qnrp0hp43cway-home-manager-generation/bin/home-manager-generation: line 68: nix-build: command not found

If I understand the README correctly, the idea is to link all nix command calls to ~/.cache/nix-static.
So I linked nix-build to nix-static and added it to my PATH at the top of my bashrc.
Though, I still get an error.

I am not that experienced with the internals of nix but if you give me some pointers, I will try my best to help with this issue :)

macOS readlink does not have -f flag

Not sure if this is supported or even intended to work, but right off the bat I hit:

% ./nix --help
readlink: illegal option -- f
usage: readlink [-n] [file ...]
./nix: line 55: : No such file or directory
Could not find or decompress resource archive.
This script can be rebuilt using the nixie tool
tar: Error opening archive: Unrecognized archive format
zsh: abort      ./nix --help
The resource archive is missing or malformed.
This script can be rebuilt using the nixie tool
./nix: line 50: kill: (19685) - No such process

because BSD readlink doesn't support -f like GNU coreutils readlink does.
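
The failure reported above comes from `readlink -f`, which BSD readlink lacks; the same result can be had from flagless `readlink` plus `cd -P` and `pwd -P`, which both BSD and GNU userlands provide. The following is an added example, not part of the issue and not Nixie's own code; `resolve_path` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: canonicalize a path without `readlink -f`.
# resolve_path is a hypothetical helper name, not a function from Nixie.
# The body runs in a subshell, so `cd` and variables do not leak to the caller.
resolve_path() (
    target=$1
    hops=0
    # Refuse an empty argument rather than resolving the current directory.
    [ -n "$target" ] || exit 1
    # Follow the final component while it is a symlink; cap the hops so a
    # symlink loop fails instead of spinning forever.
    while [ -L "$target" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || exit 1
        link=$(readlink -- "$target") || exit 1
        case $link in
            /*) target=$link ;;                          # absolute link target
            *)  target=$(dirname -- "$target")/$link ;;  # relative to the link's directory
        esac
    done
    # A directory is canonicalized by entering it physically.
    if [ -d "$target" ]; then
        CDPATH='' cd -P -- "$target" 2>/dev/null && pwd -P
        exit
    fi
    # Otherwise canonicalize the parent and re-attach the file name.
    dir=$(CDPATH='' cd -P -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) || exit 1
    printf '%s/%s\n' "${dir%/}" "$(basename -- "$target")"
)
```

A caller would write `self=$(resolve_path "$0") || exit 1`, so that a failed resolution stops the script instead of carrying an empty path into later steps, which is what the `line 55: : No such file or directory` message in the output above shows.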

Todo: Missing features

These are features that I intend to add to Nixie, but haven't gotten around to yet.

Some of these features' descriptions may not cover all the information needed to implement them, but that is not a mistake.

  • .gitignore and .gitattributes should be set up
  • Implement project templates
  • --nixie-* command line options
  • Choose nix or nix-shell filename depending on other .nix files
  • Check if local nixpkgs/nixos channel is more recent on update

Adapt source-based builder to new CMake Brotli toolchain

Pre-configuration is no longer necessary, as Brotli is no longer shipped with Automake scripts, instead using CMake.

This however raises the question of including CMake as a mandatory dependency to build Nix from source, reducing portability on bare macOS as originally envisioned.
