
Multiple problems when setting up multiple macos users

Open busti opened this issue 2 years ago • 7 comments

I am using nix-darwin on my MacBook. I have it configured using flakes, for which I mostly followed this gist:
https://gist.github.com/jmatsushita/5c50ef14b4b96cb24ae5268dab613050

I have recently added another user using the macOS System Preferences to better split my system up between work and private usage.

There are multiple issues with the services provided by nix-darwin on that account which do not exist on the user I originally set it up from.

Specifically I have encountered the following problems so far:

  • homebrew and any commands installed by it are not present on that user
    (casks are present, but only the applications, not the commands, i.e. vscode is installed but the code command cannot be used)
  • zsh prompts the following every time I open a shell:
    zsh compinit: insecure directories and files, run compaudit for list.
    Ignore insecure directories and files and continue [y] or abort compinit [n]?
    
  • system.defaults options are not set up for that user

Also, since the configuration itself resides in the homedir of the other user, I cannot access it by default.
I have since moved it to /opt but I am not sure if that is the right place to keep it.

Is there anything special I need to do to set up nix-darwin for multiple users? The manual does not seem to have any information on it.

busti avatar Oct 20 '22 22:10 busti

I was able to solve most of my issues, but it took a lot of digging.

  1. programs.homebrew.enable = true; does not install the brew command. I was under the impression that it did, but I was misled by a script from work installing the command instead without me noticing.
    It can simply be installed for the other user using the usual console command.

  2. The zsh compinit errors can be ignored by appending a -u to the compinit command.
    To be more complete, I added the following to my nix darwin config: programs.zsh.enableCompletion = false; and this line to my home.nix where zsh is actually configured: programs.zsh.completionInit = "autoload -U compinit && compinit -u";

    Still no idea why the defaults are not being set up, though.

busti avatar Oct 24 '22 22:10 busti
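The compinit prompt quoted in the issue is zsh's compaudit check firing: a directory in $fpath is either not owned by root or the current user, or is group- or world-writable. On a second macOS account this commonly happens because completion directories installed by the first (admin) user are group-writable. The script below is an added example, not code from the thread or from nix-darwin: it reproduces that check in plain sh and fixes the permission bits rather than silencing the check with `compinit -u`. The directory list is passed on the command line (from zsh, `sh audit-fpath.sh $fpath` expands the array to one argument per directory); everything else is assumed.

```shell
#!/bin/sh
# Added example (not nix-darwin's or the reporter's code): reproduce the check
# behind zsh's "insecure directories and files" prompt and repair the
# offending permission bits instead of passing -u to compinit.
set -u

# audit_dir DIR: print a reason and return 1 if compaudit would flag DIR,
# return 0 if it is acceptable.
audit_dir() {
    d=$1
    if [ ! -d "$d" ]; then
        printf 'missing: %s\n' "$d"
        return 1
    fi
    # -prune keeps find from descending, so only the directory itself is tested.
    # Owner must be root or the user whose shell will load the completions.
    if [ -n "$(find "$d" -prune ! -user root ! -user "$(id -un)" -print)" ]; then
        printf 'bad owner: %s\n' "$d"
        return 1
    fi
    # Any group or world write bit makes the directory "insecure".
    if [ -n "$(find "$d" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        printf 'group/world writable: %s\n' "$d"
        return 1
    fi
    return 0
}

# fix_dir DIR: drop the group/other write bits and re-check. Ownership
# problems are only reported; chown needs a human decision about which user
# should own the tree (on a shared Mac, usually root or the admin user).
fix_dir() {
    chmod g-w,o-w "$1" && audit_dir "$1"
}

# audit_all DIR...: audit every directory, return the number that failed
# (0 means every directory would pass compaudit).
audit_all() {
    failed=0
    for d in "$@"; do
        audit_dir "$d" || failed=$((failed + 1))
    done
    return "$failed"
}

# Stand-alone use: audit whatever directories were given on the command line.
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

Running `fix_dir` on each flagged directory is the durable alternative to `compinit -u`: `-u` makes zsh autoload completion functions from a directory another account can write to, which is exactly the situation the prompt is warning about.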

This is being discussed in #96

hraban avatar Aug 16 '23 15:08 hraban

This issue has been a major pain point for me too. I've found a few things out while messing with nix-darwin.

  • nix-darwin has options (ex: system.defaults) which are red herrings and better left to the scope of a user environment manager like home-manager
    • These options require per user activation scripts run by each user which can be problematic for nix-darwin as it only runs under one admin user
    • The only solution in current nix-darwin is to have an admin user sudo -u for each user's activation script (here is a commit I made showcasing this)
  • nix-darwin uses older macOS user management tools (dscl vs sysadminctl)
    • dscl is how most user management is done right now which can lead to some strange behavior especially on newer systems and with newer Nix installs that utilize FileVault (ex: users without secure tokens so unable to login after boot, missing the ability to modify profile picture in System Settings, and more)
  • Homebrew itself should only have one admin user manage it. This means no other user should run darwin-rebuild; otherwise they will run into permissions issues on the homebrew directory
    • Due to previously mentioned issues, having user privilege segregation is difficult

My current solution was to fork the repo and fix these issues for myself as well as bring some parity back between NixOS and nix-darwin user configuration settings (gets rid of knownUsers/knownGroups in favor of mutableUsers setting). It's a bit hacky, but it accomplishes what I need. With this branch I am able to have:

  • An admin user that is only there for System Settings changes and to run darwin-rebuild
  • A regular user with sudo.extraConfig applied to grant them the capability to sudo -Hu <admin> darwin-rebuild
  • Set initial passwords, configure user as admin, turn on secure tokens for FDE logins, etc.

dlubawy avatar Jul 25 '24 02:07 dlubawy

Re home-manager for darwin options: for sure, that's where they should live, and if any are missing I recommend creating a PR for the ones you need. I did it, it (eventually, after months) got merged, and now it's "as it should be" at least for that part. I consider system.defaults in nix-darwin obsolete and recommend moving off it entirely.

hraban avatar Jul 25 '24 03:07 hraban

I was hesitant to create a PR because a lot of what I did might be obsolete by the talks going on in #96, and as you said, system.defaults is essentially obsolete. I also went against @LnL7 there by inserting some admin configuration into the options because for me personally it made the most sense for what I needed. If it's useful though, I should be able to split my develop branch into two others so I can open up two PRs:

  1. Adding sudo -u to per user script activation
  2. Modifying user management

We can at least move the discussion there with the code and hopefully share ideas on how to best solve the problem around multiple users; especially in a secure setup with admin/user separation.

dlubawy avatar Jul 25 '24 16:07 dlubawy

Re per-user activation: see https://github.com/LnL7/nix-darwin/pull/763

hraban avatar Jul 26 '24 01:07 hraban

I saw your PR while investigating this for myself, and it is also where I got the idea to use sudo -u for myself (thanks for that!). The main need for it comes from the calls to defaults write that I outline in my #1016 PR. I don't know why, but it's impossible (at least on my Mac) to run defaults write as a user other than the one whose domain is in ~/Library/Preferences/. Otherwise, the command runs successfully, but nothing actually sticks. I tried various approaches such as trying to just ensure everything writes to the global /Library/Preferences/ which doesn't work for applying down to users, and then I tried having root write to each user's ~/Library/Preferences/ and that didn't work either. Only sudo -u with defaults write actually applied anything that stuck on a per user basis.

It highlights things perfectly for why this portion should be dropped from nix-darwin entirely since home-manager can do this much better already. I just didn't realize that until I had already done all this as I'm still very new to everything Nix.

dlubawy avatar Jul 26 '24 02:07 dlubawy
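Two points in dlubawy's comments above are easy to get subtly wrong when scripted by hand: the per-user activation loop (running each user's activation script via `sudo -u`, where `defaults write` only sticks when it runs as the owning user) and the sudoers rule that lets a non-admin account run darwin-rebuild as the admin user and nothing else. The script below is an added example, not code from the thread, from nix-darwin or from dlubawy's branch. It assumes the user list is passed explicitly rather than read from dscl, that /run/current-system/sw/bin/darwin-rebuild is where darwin-rebuild lives (the usual nix-darwin location, but an assumption here), and that RUN_AS can be pointed at a replacement function so the loop can be exercised without sudo.

```shell
#!/bin/sh
# Added example (not code from the issue, nix-darwin or dlubawy's fork):
# run a per-user activation script as each user with sudo -H -u, and render
# the sudoers line that restricts a regular user to darwin-rebuild-as-admin.
set -u

# Override with the name of another function to run the loop without sudo
# (the test below does this). Assumption: defaults to real sudo.
RUN_AS=${RUN_AS:-run_as_sudo}

# run_as_sudo USER CMD...: -H sets HOME to USER's home, which is what makes
# `defaults write` land in that user's ~/Library/Preferences rather than in
# the caller's, the behaviour dlubawy observed above.
run_as_sudo() {
    u=$1; shift
    sudo -H -u "$u" "$@"
}

# activate_for_users SCRIPT USER...: run SCRIPT once per user. An unknown
# user is a hard failure rather than a skip, so a typo in the user list can
# never silently leave one account unconfigured. Returns the number of users
# for which activation failed (0 = all succeeded).
activate_for_users() {
    script=$1; shift
    failed=0
    for u in "$@"; do
        if ! id -u "$u" >/dev/null 2>&1; then
            printf 'no such user: %s\n' "$u" >&2
            failed=$((failed + 1))
            continue
        fi
        if "$RUN_AS" "$u" /bin/sh "$script"; then
            printf 'activated: %s\n' "$u"
        else
            printf 'activation failed: %s\n' "$u" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# sudoers_rule USER ADMIN: the line granting USER the ability to run
# darwin-rebuild as ADMIN (and no other command as ADMIN). USER still has to
# enter their own password; add "NOPASSWD:" before the path only if that is
# an accepted trade-off on the machine. DARWIN_REBUILD is an assumed default.
sudoers_rule() {
    printf '%s ALL=(%s) %s\n' "$1" "$2" \
        "${DARWIN_REBUILD:-/run/current-system/sw/bin/darwin-rebuild}"
}
```

With the rule from `sudoers_rule alice admin` in place (via the sudo extraConfig option dlubawy mentions, or a file under /etc/sudoers.d), `sudo -Hu admin darwin-rebuild switch` works for alice while `sudo -Hu admin sh` is still refused, which is the admin/user separation the comment is after. The activation loop is what an admin-driven rebuild would run after the system-level switch, once per account, so that each user's `defaults write` executes under its own home.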