nixie-dev / nixie
Put Nix in everything!
License: GNU General Public License v2.0
This is a tough one, specifically because the Darwin operating system, which constitutes the underpinnings of both macOS and iOS, has no support for what in the Linux world is called "namespaces", and on the BSDs "jails".
The ability for Nix to "mount" the Nix store at the system root with no privileges or directory creation is very similar to what I used in this script. This relies heavily on two features: bind mounts (which sync a subdirectory with a virtual location elsewhere) and mount namespacing (which prevents a process's mounts from reflecting in the rest of the system), neither of which exists on Darwin.
There is a way to emulate this, by leveraging an overlay or union mount, but that somehow got nuked ages ago???, and restoring it would require making macFUSE a hard dependency, which is both uncommon and invasive. Reflinking the system root elsewhere takes ages and does not carry the user's home over, so that's also a no-go, and loopback NFS mounts constitute a fundamental change to the system configuration, which is unacceptable for us.
So I tried another approach entirely: spinning up a macOS virtual machine, ideally sharing the host's root filesystem, but where the /nix mountpoint exists (through a modified /etc/synthetic.conf in the VM) and is mounted to a sparse image in the user's home.
So far, I haven't been able to find an unprivileged method to spin up a virtual machine reliably. QEMU is out of the question, both due to massive dependencies, and the lack of Mac-to-Mac paravirtualization support making a potential macOS VM way more fragile.
Even the recommended approach, Virtualization requires an entitlement, which is impossible given our single-file format. Oh, and that only works on Apple Silicon.
Finally, modifying /etc/synthetic.conf and mounting a disk image directly onto /nix would clobber an eventual system-wide Nix install afterwards, which kinda goes against our intent to take over the world, and requiring superuser rights at launch is very bad security practice, very bad UX and reduces our potential user base by a lot. If you're going to bother with root, might as well install Nix proper anyway.
Therefore, the placeholder function, _macos_workaround_nix(), currently errors out and tells the user to install system-wide Nix. I really hope we figure out a low-dependency, lightweight approach to macOS virtualization, but in the meantime, this project will remain fundamentally incompatible with Darwin.
This also means that, contrary to the initial plan, no static binaries for Darwin will be provided upon install.
Whenever this issue is closed, nix scripts generated using nix-wrap will have to be regenerated using the latest version of the tool.
Here's a checklist that an eventual fix will have to fulfill:
Requirements:
Bonuses:
I need to look into and integrate NixOS/nixpkgs#235990 with Nixie's static Nix binary source to simplify derivations and make them more easily maintainable.
In the current state of things, macOS support is untested and put on hold due to an unfortunate combination of circumstances:
As per #1, I already have fakedir Universal binaries ready on the Cachix server, but the failing build workflows are currently disabled.
Once a solution has been found, all scripts generated beforehand will need to be updated with nixie update.
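The Linux mechanism the post contrasts Darwin against, as an added example that is not Nixie's own script: an unprivileged user+mount namespace plus bind mounts, here driven by util-linux unshare and coreutils chroot. The function and variable names (os_has_mount_namespaces, userns_available, run_with_private_nix, enter_private_root) and the store directory are assumptions for illustration; on Darwin the function does what the post says _macos_workaround_nix() does today and bails out.

```shell
#!/bin/sh
# Added example, not Nixie's own script: the Linux primitives the issue
# contrasts Darwin against (an unprivileged user+mount namespace plus bind
# mounts), used to make a user-owned directory appear at /nix for one
# process tree without root and without creating /nix on the host.
# Assumes util-linux `unshare` and coreutils `chroot`; all names are ours.

# os_has_mount_namespaces OS   (OS is the output of `uname -s`)
# Pure check: only Linux offers mount namespaces; Darwin and the BSDs do not.
os_has_mount_namespaces() {
    case $1 in
        Linux) return 0 ;;
        *)     return 1 ;;
    esac
}

# userns_available
# Probe whether the kernel lets an unprivileged user create a user+mount
# namespace (hardened hosts disable this via sysctl).
userns_available() {
    unshare --user --map-root-user --mount true 2>/dev/null
}

# Script run inside the fresh namespace. It builds a private root on a
# tmpfs, rebinds every top-level host directory into it, adds /nix as a
# bind mount of the user's store, and chroots into the result. Nothing
# outside the namespace sees any of these mounts.
enter_private_root='
store=$1; shift
root=$(mktemp -d) || exit 1
mount -t tmpfs none "$root" || exit 1
for entry in /*; do
    name=${entry#/}
    if [ -L "$entry" ]; then            # merged-usr links such as /bin -> usr/bin
        ln -s "$(readlink "$entry")" "$root/$name"
    elif [ -d "$entry" ]; then
        mkdir "$root/$name" && mount --rbind "$entry" "$root/$name"
    fi
done
mkdir "$root/nix" && mount --bind "$store" "$root/nix" || exit 1
exec chroot "$root" "$@"
'

# run_with_private_nix STORE_DIR CMD [ARGS...]
# Mirrors the decision the post describes for _macos_workaround_nix():
# on Darwin there is nothing to do but tell the user to install Nix
# system-wide. On Linux, run CMD with STORE_DIR visible as /nix.
run_with_private_nix() {
    store=$1; shift
    os=$(uname -s)
    if ! os_has_mount_namespaces "$os"; then
        echo "error: $os has no mount namespaces; install Nix system-wide instead" >&2
        return 2
    fi
    if ! userns_available; then
        echo "error: unprivileged user namespaces are disabled on this host" >&2
        return 2
    fi
    mkdir -p "$store" || return 1
    # unshare --mount makes the new namespace's propagation private, so
    # the tmpfs root and the /nix bind never leak back to the host.
    unshare --user --map-root-user --mount \
        sh -c "$enter_private_root" _ "$store" "$@"
}

# Usage: run_with_private_nix "$HOME/.cache/nixie-store" sh -c 'ls -ld /nix'
```

The private root is a tmpfs with every top-level host directory rebound into it and /nix bound from the user-owned store; that is how /nix can appear without anyone creating it on the host, which is exactly the part Darwin cannot reproduce. Unprivileged user namespaces are switched off on some hardened Linux hosts, so the probe before the real unshare is worth keeping.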
Hello,
I'm trying to replace my usage of nix-portable with Nixie, but have stumbled upon a problem: the nix script can't download the cache:
$ ./nix shell nixpkgs#hello
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 259 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 576 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 1102 ms
warning: error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35); retrying in 2446 ms
error: unable to download 'https://channels.nixos.org/flake-registry.json': SSL connect error (35)
Is there a known workaround for it, or do you have any ideas how I could debug it further?
Thanks!
This project seems to build static binaries for aarch64-darwin; can those binaries be made discoverable to install as standalone binaries without requiring Nix to be preinstalled on the system?
This issue tracks all blockers for proper unprivileged support on macOS, which is a primary goal of the project.
This would allow us to transparently delete the single-user store and carry over the user's work.
Hey.
This project looks quite interesting. Thank you for working on it!
I played around with the project to get nix on a locked-down server and would like to know if it is possible to install home-manager.
I am following the official home-manager documentation -- nix flakes with nixos-stable as the target.
When running the rebuild ./nix run .#homeConfigurations.<name>.activationPackage I get the following error message:
/nix/store/j333lfi0wk1f2yd1bg2qnrp0hp43cway-home-manager-generation/bin/home-manager-generation: line 68: nix-build: command not found
If I understand the README correctly, the idea is to link all nix command calls to ~/.cache/nix-static.
So I linked nix-build to nix-static and added it to my PATH at the top of my bashrc.
However, I still get an error.
I am not that experienced with the internals of nix
but if you give me some pointers, I will try my best to help with this issue :)
Not sure if this is supported or even intended to work, but right off the bat I hit:
% ./nix --help
readlink: illegal option -- f
usage: readlink [-n] [file ...]
./nix: line 55: : No such file or directory
Could not find or decompress resource archive.
This script can be rebuilt using the nixie tool
tar: Error opening archive: Unrecognized archive format
zsh: abort ./nix --help
The resource archive is missing or malformed.
This script can be rebuilt using the nixie tool
./nix: line 50: kill: (19685) - No such process
This is because BSD readlink doesn't support -f like GNU coreutils readlink does.
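A portable replacement for readlink -f, as an added example that is not from the Nixie repository: it resolves every symlink in a path using only POSIX cd, pwd -P and the plain readlink (without -f) that BSD ships, so the same wrapper script runs on macOS and Linux. The names resolve_path and script_dir are ours.

```shell
#!/bin/sh
# Added example, not Nixie's code: a `readlink -f` substitute that works
# with BSD/macOS readlink. Only POSIX cd, pwd -P, dirname, basename and
# readlink without -f are used.

# resolve_path PATH
# Prints the canonical absolute path of PATH, following symlinks in every
# component. Returns non-zero if PATH (or a symlink target) does not exist
# or if a symlink cycle is detected. Runs in a subshell so the caller's
# working directory is untouched.
resolve_path() (
    target=$1
    hops=0
    while [ "$hops" -lt 64 ]; do          # bound the loop: a cycle cannot hang us
        hops=$((hops + 1))
        dir=$(dirname -- "$target")
        base=$(basename -- "$target")
        # Resolve the directory part physically; pwd -P follows symlinks.
        cd -- "$dir" 2>/dev/null || exit 1
        dir=$(pwd -P)
        case $base in
            .|..|/) cd -- "$base" 2>/dev/null || exit 1; pwd -P; exit 0 ;;
        esac
        if [ -L "$base" ]; then
            link=$(readlink -- "$base") || exit 1
            case $link in
                /*) target=$link ;;       # absolute link target
                *)  target=$dir/$link ;;  # relative to the link's directory
            esac
            continue
        fi
        [ -e "$base" ] || exit 1
        if [ "$dir" = / ]; then
            printf '/%s\n' "$base"
        else
            printf '%s/%s\n' "$dir" "$base"
        fi
        exit 0
    done
    exit 1
)

# script_dir [PATH]
# Directory containing the running script (or PATH), the usual reason a
# wrapper reaches for `readlink -f "$0"`.
script_dir() {
    p=$(resolve_path "${1:-$0}") || return 1
    dirname -- "$p"
}

# Usage in a wrapper:  here=$(script_dir) || exit 1
```

Unlike GNU readlink -f, this version fails on a dangling symlink instead of printing the unresolved target, which is the safer behaviour for a wrapper that is about to locate its resource archive next to itself.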
These are features that I intend to add to Nixie, but haven't gotten around to yet.
Some of these features' descriptions may not cover all the information needed to implement them, but that is not a mistake.
- .gitignore and .gitattributes should be set up
- --nixie-* command line options
- nix or nix-shell filename depending on other .nix files
- nixpkgs/nixos channel is more recent on update
Pre-configuration is no longer necessary, as Brotli is no longer shipped with Automake scripts, instead using CMake.
This however raises the question of including CMake as a mandatory dependency to build Nix from source, reducing portability on bare macOS as originally envisioned.