nix-community / nix-installers Goto Github PK

Nix installers for legacy distributions (rpm & deb & pacman) [maintainer=@adisbladis]

Nix 83.81% Shell 13.94% Makefile 2.25%

nix-installers's Introduction

Nix-installers for legacy (imperative) distributions

Getting Nix onto legacy distributions can be difficult and the official installer is not always a viable option, especially when considering reproducibility and automation.

This approach is different from others in that we:

Package using distribution-native packaging formats (deb/rpm). And use these packages to manage systemd and environment integrations.
Create a /nix/store imperatively as a postinstall hook. This uses a prepopulated Nix store embedded inside the distribution-native packaging format.
Properly cleans up after uninstallation. We use package manager hooks to cleanly remove any traces of Nix post removal.

To achieve a reproducible setup for these distributions that doesn't rely on pulling files from the internet at install-time.

These installer packages are intended to be used in a one-shot fashion to bootstrap the Nix installation, and then let Nix deal with managing itself from that point on.

Usage

Prebuilt installers

We provide prebuilt installers at https://nix-community.github.io/nix-installers/

Flakes

# Remote flake
$ nix build github:nix-community/nix-installers#deb
$ nix build github:nix-community/nix-installers#pacman
$ nix build github:nix-community/nix-installers#rpm

# In a cloned repository
$ nix build .#deb
$ nix build .#pacman
$ nix build .#rpm

Classic Nix

# In a cloned repository
$ nix-build ./. -A deb
$ nix-build ./. -A pacman
$ nix-build ./. -A rpm

Contributing

https://github.com/nix-community/nix-installers

nix-installers's People

Contributors

Stargazers

Watchers

Forkers

moduon gmacon dnkmmr69420 terlar bb010g sheeeng eliw6503 iwanb twtech87

nix-installers's Issues

Nix itself should be installed in /usr

Nix is still installs in /nix/store instead of /usr. That means that it will be part of the system just like everything else in the installer

Storage optimization seems to break nix under rpm

After running commands like nix-store --optimise, nix-store --gc, and/or nix-collect-garbage -d, there seems to be a large risk of the nix-daemon.socket breaking with permission style errors. This makes all nix commands break, and a reboot does not help the socket to come back to a working state.

I have attempted to fix this manually in the past, using the SELinux policies shipped in this repo together with relabeling using restorecon. But these steps did not seem to help the socket to come back after becoming unavailable.

This may be a nix problem, but i have not seen this be an issue when i used to run nix through the official installer shell file.

Option to set up nix through a systemd service instead of post-install hook

I would like to use the installer for VMs and containers where the nix store is on an external (to the VM/container image) mount which could be empty on first use. I think it should be possible by essentially executing the post-install hook as a systemd service before starting the nix daemon. I still need to try it out, but would there be interest in supporting that?

Silverblue support for RPM

The rpm should do the same thing as this guide https://gitlab.com/ahayzen/silverblue-nix except instead of disabling selinux, it adds a policy just like the normal rpm.

"uid 30001 is greater than SYS_UID_MAX 999" when installing on Fedora 37

It appears to be just a warning, but I couldn't find it already reported, so I just wanted to make sure people are aware. I don't recall any configuration changes I might have made to trigger this warning.

Full installation log:

$ sudo dnf localinstall nix-multi-user-2.9.1.rpm 
Dependencies resolved.
================================================================================================================================
 Package                           Architecture              Version                      Repository                       Size
================================================================================================================================
Installing:
 nix-multi-user                    x86_64                    2.9.1-1                      @commandline                     40 M

Transaction Summary
================================================================================================================================
Install  1 Package

Total size: 40 M
Installed size: 40 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                        1/1 
  Installing       : nix-multi-user-2.9.1-1.x86_64                                                                          1/1 
  Running scriptlet: nix-multi-user-2.9.1-1.x86_64                                                                          1/1 
useradd warning: nixbld1's uid 30001 is greater than SYS_UID_MAX 999
useradd warning: nixbld2's uid 30002 is greater than SYS_UID_MAX 999
useradd warning: nixbld3's uid 30003 is greater than SYS_UID_MAX 999
useradd warning: nixbld4's uid 30004 is greater than SYS_UID_MAX 999
useradd warning: nixbld5's uid 30005 is greater than SYS_UID_MAX 999
useradd warning: nixbld6's uid 30006 is greater than SYS_UID_MAX 999
useradd warning: nixbld7's uid 30007 is greater than SYS_UID_MAX 999
useradd warning: nixbld8's uid 30008 is greater than SYS_UID_MAX 999
useradd warning: nixbld9's uid 30009 is greater than SYS_UID_MAX 999
useradd warning: nixbld10's uid 30010 is greater than SYS_UID_MAX 999
useradd warning: nixbld11's uid 30011 is greater than SYS_UID_MAX 999
useradd warning: nixbld12's uid 30012 is greater than SYS_UID_MAX 999
useradd warning: nixbld13's uid 30013 is greater than SYS_UID_MAX 999
useradd warning: nixbld14's uid 30014 is greater than SYS_UID_MAX 999
useradd warning: nixbld15's uid 30015 is greater than SYS_UID_MAX 999
useradd warning: nixbld16's uid 30016 is greater than SYS_UID_MAX 999
useradd warning: nixbld17's uid 30017 is greater than SYS_UID_MAX 999
useradd warning: nixbld18's uid 30018 is greater than SYS_UID_MAX 999
useradd warning: nixbld19's uid 30019 is greater than SYS_UID_MAX 999
useradd warning: nixbld20's uid 30020 is greater than SYS_UID_MAX 999
useradd warning: nixbld21's uid 30021 is greater than SYS_UID_MAX 999
useradd warning: nixbld22's uid 30022 is greater than SYS_UID_MAX 999
useradd warning: nixbld23's uid 30023 is greater than SYS_UID_MAX 999
useradd warning: nixbld24's uid 30024 is greater than SYS_UID_MAX 999
useradd warning: nixbld25's uid 30025 is greater than SYS_UID_MAX 999
useradd warning: nixbld26's uid 30026 is greater than SYS_UID_MAX 999
useradd warning: nixbld27's uid 30027 is greater than SYS_UID_MAX 999
useradd warning: nixbld28's uid 30028 is greater than SYS_UID_MAX 999
useradd warning: nixbld29's uid 30029 is greater than SYS_UID_MAX 999
useradd warning: nixbld30's uid 30030 is greater than SYS_UID_MAX 999
useradd warning: nixbld31's uid 30031 is greater than SYS_UID_MAX 999
useradd warning: nixbld32's uid 30032 is greater than SYS_UID_MAX 999

  Verifying        : nix-multi-user-2.9.1-1.x86_64                                                                          1/1 

Installed:
  nix-multi-user-2.9.1-1.x86_64                                                                                                 

Complete!

Installer breaks XDG_DATA_DIRS and PATH under Fedora 37

I used the rpm to install Nix under Fedora 37, as this seems to be the only installer that supports SELinux.
The good news: The problems I encountered seem to be not caused by SELinux 😄

The bad news:

After a reboot, GNOME did not start. In fact, gnome-session-binary crashes:

Feb 15 19:25:47 elitebook gnome-session[4007]: gnome-session-binary[4007]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
Feb 15 19:25:47 elitebook gnome-session[4007]: aborting...
Feb 15 19:25:47 elitebook audit[4007]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4007 comm="gnome-session-b" exe="/usr/libexe>
Feb 15 19:25:47 elitebook gnome-session-binary[4007]: GLib-GIO-ERROR: No GSettings schemas are installed on the system
                                                      aborting...
<snip>
Feb 15 19:25:47 elitebook systemd[1]: Started [email protected] - Process Core Dump (PID 4022/UID 0).
Feb 15 19:25:47 elitebook audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@5-4022-0 comm="systemd" exe="/usr/lib/>
Feb 15 19:25:47 elitebook systemd-coredump[4025]: [🡕] Process 4007 (gnome-session-b) of user 1000 dumped core.

After running gnome-session --debug manually from a tty and restarting gdm.service, I could log in. I have no idea why that fixes the issue.

While debugging the problem, I wanted to reboot my system, typing reboot into my shell, fish. It responded with reboot: command not found. That should not be the case, /usr/sbin is normally in PATH.

I then noticed that /nix/var/nix/profiles/system/bin was still in the PATH, even though I had removed it from any local config of my shell. That lead me to find /usr/lib/environment.d/nix-daemon.conf, which sets PATH and XDG_DATA_DIRS.

The critical thing, at least for GNOME crashing, seems to be that $HOME/.nix-profile/share is added to XDG_DATA_DIRS. In my case, /home/david/.nix-profile/share is a symlink to /nix/var/nix/profiles/per-user/david/profile, which does not exist. GTK apps seem to have an allergic reaction to XDG_DATA_DIRS containing nonexisting paths, at least that was I could gather from a quick internet search.

After renaming /usr/lib/environment.d/nix-daemon.conf to nix-daemon.conf.disabled and rebooting, everything was back to normal.

I have not tested if creating /nix/var/nix/profiles/per-user/david/profile also fixes the problems.

Remove nix selinux policy module on uninstall

After uninstalling this package on Fedora due to a broken installation, my system was almost bricked because the SELinux policy was broken. Running sudo semodule -r nix and removing /usr/share/selinux/packages/nix.pp fixed it. There should be something in after-remove.sh to mirror this https://github.com/nix-community/nix-installers/blob/master/hooks/after-install.sh#L36-L38

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): lock file maintenance

Detected dependencies

github-actions

.github/workflows/ci.yml

cachix/install-nix-action v25

actions/checkout v4.1.1

cachix/install-nix-action v25

actions/checkout v4.1.1

cachix/install-nix-action v25

actions/checkout v4.1.1

cachix/install-nix-action v25

actions/checkout v4.1.1

actions/upload-artifact v4

actions/download-artifact v4

.github/workflows/gh-pages.yml

cachix/install-nix-action v25

actions/checkout v4.1.1

peaceiris/actions-gh-pages v3

nix

flake.nix

nixpkgs nixos-unstable

Check this box to trigger a request for Renovate to run again on this repository

Fails to install on RHEL 8

I attempted to install nix-multi-user-2.8.0.rpm on RHEL 8, and it threw this error before "succeeding":

libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
nix: libsepol.policydb_read: policydb module version 20 does not match my version range 4-19
nix: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
nix: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
semodule:  Failed!

The "obvious" thing to do to fix that is to build with an older version of libsepol, but I'm not sufficiently Nix-fluent yet to know how to do that off the top of my head. I'll try to take a look at this at some point if no one says anything.

I think this may also be revealing that the after-install hook needs set -e or so, if that sounds right to folks I can open a PR for that part.

No license

@adisbladis would you be willing to add a license?

Upload assets to releases

it would be really nice if the installers would be uploaded to releases and the links on the gh-pages branch redirect to there, instead of increasing the size of the repo even further (already at 500MB).