nix-installer icon indicating copy to clipboard operation
nix-installer copied to clipboard
verified publisher icon DeterminateSystems

Nix spam about nix.conf issue since update

Open pinage404 opened this issue 11 months ago • 4 comments

Hello,

I have things like this in my config that used to work

{
  nix.settings = {
    substituters = [ "https://nix-community.cachix.org" ];
    trusted-substituters = [ "https://nix-community.cachix.org" ];
    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
    settings.trusted-users = [
      "@wheel"
    ];
  };
}

Fews days ago, i updated my system

I didn't changed my config files

Since the update, every Nix commands spam the following messages

warning: ignoring untrusted substituter 'https://nix-community.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring untrusted substituter 'https://numtide.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring untrusted substituter 'https://nix-on-droid.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring untrusted substituter 'https://pinage404-nix-sandboxes.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring untrusted substituter 'https://git-gamble.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring untrusted substituter 'https://pinage404.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
warning: ignoring the client-specified setting 'trusted-substituters', because it is a restricted setting and you are not a trusted user

/etc/nix/nix.conf

# DETERMINATE NIX CONFIG
# do not modify! this file will be replaced!
# user modification can go in nix.custom.conf

!include nix.custom.conf

max-jobs = auto
bash-prompt-prefix = (nix:$name)\040
extra-experimental-features = nix-command flakes

netrc-file = /nix/var/determinate/netrc
post-build-hook = /nix/var/determinate/post-build-hook.sh

always-allow-substitutes = true
extra-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=

upgrade-nix-store-path-url = https://install.determinate.systems/nix-upgrade/stable/universal

extra-nix-path = nixpkgs=flake:https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/*.tar.gz

I don't have /etc/nix/nix.custom.conf

It seems that my user is in the group wheel

groups
pinage404 wheel networkmanager vboxusers docker

It should be a trusted user

~/.config/nix/nix.conf

# WARNING: this file is generated from the nix.settings option in
# your Home Manager configuration at $XDG_CONFIG_HOME/nix/nix.conf.
# Do not edit it!
substituters = https://cache.nixos.org https://nix-community.cachix.org https://numtide.cachix.org https://nix-on-droid.cachix.org https://pinage404-nix-sandboxes.cachix.org https://git-gamble.cachix.org https://pinage404.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE= nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU= pinage404-nix-sandboxes.cachix.org-1:5zGRK2Ou+C27E7AdlYo/s4pow/w39afir+KRz9iWsZA= git-gamble.cachix.org-1:afbVJAcYMKSs3//uXw3HFdyKLV66/KvI4sjehkdMM/I= pinage404.cachix.org-1:pHeqko9YZ1p49z4pn/UbI7KBIlbHBLENRmZHuC8gQD0=
trusted-substituters = https://cache.nixos.org https://nix-community.cachix.org https://numtide.cachix.org https://nix-on-droid.cachix.org https://pinage404-nix-sandboxes.cachix.org https://git-gamble.cachix.org https://pinage404.cachix.org
experimental-features = nix-command flakes

nix --version
nix (Nix) 2.25.3

determinate-nixd --version
determinate-nixd 0.3.0

Why my config stop worked ?

Why the config is not retro compatible ?

How to get back a not spamming Nix ?

pinage404 avatar Jan 19 '25 13:01 pinage404

Thanks for this catch, and sorry for the inconvenience!

Would you mind testing out https://github.com/DeterminateSystems/determinate/pull/57 to see if it fixes your issue? Specifically, that would mean replacing the determinate flake input URL with github:DeterminateSystems/determinate/custom-conf.

(It will essentially relocate the nix.conf, where NixOS would have written those settings before determinate-nixd overwrote it with our config, to nix.custom.conf, where the config that determinate-nixd writes will load from.)

cole-h avatar Jan 21 '25 17:01 cole-h

Thanks for the quick reply !

I use the determinate of the PR, then applyied the config

The nix daemon wasn't reloaded

building the system configuration...
warning: Git tree '/home/pinage404/Project/dotfiles' is dirty
evaluation warning: The ‘gnome.adwaita-icon-theme’ was moved to top-level. Please use ‘pkgs.adwaita-icon-theme’ directly.
evaluation warning: The ‘gnome.adwaita-icon-theme’ was moved to top-level. Please use ‘pkgs.adwaita-icon-theme’ directly.
warning: 'https://cache.flakehub.com' does not appear to be a binary cache
stopping the following units: accounts-daemon.service
activating the configuration...
[agenix] creating new generation in /run/agenix.d/3
[agenix] decrypting secrets...
decrypting '/nix/store/1qlfizd0kmq2y1dajhsh1hm28v02jar4-default.age' to '/run/agenix.d/3/gitlab-runner/default'...
decrypting '/nix/store/pjcj7x9kg9fgb7yasdgm8qjbn6175xpm-default-2.age' to '/run/agenix.d/3/gitlab-runner/default-2'...
decrypting '/nix/store/8a628gg9xwh6irs6667wqinm4zrp2iyy-default-3.age' to '/run/agenix.d/3/gitlab-runner/default-3'...
decrypting '/nix/store/sa56wxvq15q9x9v12lnqnr05wr7aqmzn-nix.age' to '/run/agenix.d/3/gitlab-runner/nix'...
decrypting '/nix/store/mghy0xyzq6943sfy07nzqhmazyqgp29r-personnal_access_token.age' to '/run/agenix.d/3/nix/github/personnal_access_token'...
decrypting '/nix/store/c0drkbfj4mijwfxi81hg0wx2d3n5kl2g-spotifyd.age' to '/run/agenix.d/3/spotifyd'...
[agenix] symlinking new secrets to /run/agenix (generation 3)...
[agenix] removing old secrets (generation 2)...
[agenix] chowning...
setting up /etc...
removing obsolete symlink ‘/etc/nix/nix.conf’...
reloading user units for pinage404...
restarting sysinit-reactivation.target
reloading the following units: dbus.service
restarting the following units: polkit.service
starting the following units: accounts-daemon.service
the following new units were started: local-fs.target, media-game-heroic.automount, media-game-steam.automount, media-game.mount, swapspace.service

The /etc/nix/nix.conf was missing

lsd -l /etc/nix
lrwxrwxrwx root root 31 B a minute ago  nix.custom.conf ➡ /etc/static/nix/nix.custom.conf
lrwxrwxrwx root root 29 B a minute ago  registry.json ➡ /etc/static/nix/registry.json

And the spam was still here

So i manually restart Nix

systemctl stop nix-daemon.service
systemctl stop nix-daemon.socket
systemctl start nix-daemon.socket
systemctl start nix-daemon.service

By magic /etc/nix/nix.conf appeared

lsd -l /etc/nix
.rw-r--r-- root root 1.1 KB a minute ago   nix.conf
lrwxrwxrwx root root  31 B  4 minutes ago  nix.custom.conf ➡ /etc/static/nix/nix.custom.conf
lrwxrwxrwx root root  29 B  4 minutes ago  registry.json ➡ /etc/static/nix/registry.json

The spam has stopped ! 🎉

pinage404 avatar Jan 21 '25 19:01 pinage404

I will close this issue when the main branch will be fixed

pinage404 avatar Feb 09 '25 13:02 pinage404

I use Nixinate to deploy my machines

It used to work, i didn't deploy since few weeks

This executes

NIX_SSHOPTS=-t
/nix/store/gqqzwh7yhvjd0rfdpnar9jvgifmw1lfc-flock-0.4.0/bin/flock -w 60 /dev/shm/nixinate-raspberry-pi-3b-black /nix/store/dhav4whad4m1is8r31x7cnm7zpzqqpkw-nixos-rebuild/bin/nixos-rebuild switch --flake /nix/store/z1d5k3g856cxwc1fq66zj1kl7dc6affa-source#raspberry-pi-3b-black --target-host [email protected] --use-remote-sudo -s

But it fails with

error: a 'aarch64-linux' with features {} is required to build '/nix/store/7rd71fbql3p0jr3hflnisnvvi0g5dh3f-nixos-rebuild.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test, uid-range}

But the config should allow it

{
  boot.binfmt.emulatedSystems = [
    "armv6l-linux"
    "armv7l-linux"
    "aarch64-linux"
    "i686-linux"
    "i686-windows"
    "x86_64-windows"
  ];
}

When i remove Determinate Nix from my flake, it works again

If i use Determinate Nix from the PR

{
    determinate.url = "github:DeterminateSystems/determinate/custom-conf";
}

It fails

error: a 'aarch64-linux' with features {} is required to build '/nix/store/7rd71fbql3p0jr3hflnisnvvi0g5dh3f-nixos-rebuild.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test, uid-range}

I don't know if i should open another issue

pinage404 avatar Feb 09 '25 22:02 pinage404