home-manager icon indicating copy to clipboard operation
home-manager copied to clipboard

Published 20 hours ago verified publisher icon nix-community

Can't install NixOs and Home Manager with flake error access to /mnt/nix/store/<hash>-nmd source/flake.nix is forbidden in restricted mode

Open mudrii opened this issue 3 years ago • 13 comments

Issue description

Try to install NisOs with flakes.

Flake.nix configuration

{
  description = "NixOS configuration";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { home-manager, nixpkgs, nixpkgs-unstable, ... }: {
    nixosConfigurations = {
      nixtst = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./configuration.nix
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.mudrii = import ./users/mudrii/home.nix;
          }
        ];
      };
    };
  };
}

Error during installation

/mnt/nix/store/<hash>-nmd source/flake.nix is forbidden in restricted mode

The issue seems to be related to nmd package requirements.

The workaround is to comment out HM configuration in flake.nix and redeploy post instrall.

mudrii avatar Jun 05 '21 14:06 mudrii

Same here. If re-starting installation, it works the 2nd time.

robertoschwald avatar Jun 09 '21 20:06 robertoschwald

I don't have the setup to reproduce the issue, can you point the home-manager input to your fork and update this line:

https://github.com/nix-community/home-manager/blob/db00b39a9abec04245486a01b236b8d9734c9ad0/doc/default.nix#L16

to

nmd = import (/. + nmdSrc) { inherit lib pkgs; };

just to see if it resolves the issue?

berbiche avatar Jun 17 '21 01:06 berbiche

I hit the same issue and tried that fix, but that gave the following error:

error: a string that refers to a store path cannot be appended to a path

Maybe we can somehow prevent the doc module from being evaluated when importing home-manager via flakes? Otherwise I'm not sure how to fix this while still supporting both flake and non-flake installs.

kristoff3r avatar Aug 24 '21 12:08 kristoff3r

The best workaround for this problem is to use --impure flag when installing, this will result with correct installation, at least from my tests.

It seems like it is a fetchFromGitLab issue, as the path should be in allowedPaths and it looks like it is not for some reason.

Mazurel avatar Aug 31 '21 09:08 Mazurel

Ran into this yesterday. Just tried nixos-rebuild dry-build --impure and it didn't change anything. Am I doing it wrong? 21.05 on aarch64. Thanks.

lordcirth avatar Sep 13 '21 22:09 lordcirth

@lordcirth Do you mean nixos-install --impure --flake ... ?

Actually, either way it should work as --impure should disable all restricted mode issues. I was installing my system about two weeks ago and --impure worked fine, but maybe there were some new changes to Nix in the meanwhile.

Mazurel avatar Sep 14 '21 21:09 Mazurel

@Mazurel Thanks for that, I was also running into this issue. It seems the --impure flag MUST come before the --flake ... flag or you will get the same issue.

#nixos-install --flake ... --impure  # Doesn't work
nixos-install --impure --flake ...

That solved this for me!

chayward1 avatar Sep 19 '21 14:09 chayward1

Thank you for your contribution! I marked this issue as stale due to inactivity. If this remains inactive for another 7 days, I will close this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

  • If this is resolved, please consider closing it so that the maintainers know not to focus on this.
  • If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
If you are not the original author of the issue

  • If you are also experiencing this issue, please add details of your situation to help with the debugging process.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
Memorandum on closing issues

If you have nothing of substance to add, please refrain from commenting and allow the bot close the issue. Also, don't be afraid to manually close an issue, even if it holds valuable information.

Closed issues stay in the system for people to search, read, cross-reference, or even reopen--nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

stale[bot] avatar Dec 18 '21 14:12 stale[bot]

@rycee recently made some changes related to nmd. The bug needs to be reinvestigated.

berbiche avatar Dec 27 '21 23:12 berbiche

Still finding this issue, on nixpkgs/nixos-21.11

edit: the build does not fail if I try it in a nix-shell with nixUnstable installed

civts avatar Mar 17 '22 14:03 civts

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-to-install-a-flake-onto-a-raspberry-pi/18200/7

nixos-discourse avatar Mar 22 '22 12:03 nixos-discourse

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

  • If this is resolved, please consider closing it so that the maintainers know not to focus on this.
  • If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
If you are not the original author of the issue

  • If you are also experiencing this issue, please add details of your situation to help with the debugging process.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

stale[bot] avatar Jun 20 '22 12:06 stale[bot]

Still relevant. Please supply this nmd thing as a flake so that I can build my configuration on Hydra: error: access to URI 'https://gitlab.com/api/v4/projects/rycee%2Fnmd/repository/archive.tar.gz?sha=91dee681dd1c478d6040a00835d73c0f4a4c5c29' is forbidden in restricted mode

t184256 avatar Jul 18 '22 20:07 t184256

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

  • If this is resolved, please consider closing it so that the maintainers know not to focus on this.
  • If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
If you are not the original author of the issue

  • If you are also experiencing this issue, please add details of your situation to help with the debugging process.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

stale[bot] avatar Nov 27 '22 22:11 stale[bot]

I'm also experiencing that issue while trying to build with hydra:

error: access to URI 'https://git.sr.ht/~rycee/nmd/archive/abb15317ebd17e5a0a7dd105e2ce52f2700185a8.tar.gz' is forbidden in restricted mode

current flake.lock from home-manager:

    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682977601,
        "narHash": "sha256-F1Va/Uiw2tVNn27FLqWyBkiqDyIm/eCamw9wA/GK8Fw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "0e4c33d76006c9080d2f228ba1c2308e3e4d7be6",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }

The pull happend from docs/default.nix:8-12:

  nmdSrc = fetchTarball {
    url =
      "https://git.sr.ht/~rycee/nmd/archive/abb15317ebd17e5a0a7dd105e2ce52f2700185a8.tar.gz";
    sha256 = "0zzrbjxf15hada279irif7s3sb8vs95jn4y4f8694as0j739gd1m";
  };

Besides not beeing part of the input for the flake it still looks like a full-qualified fetch to me, but i'm not profecient enough with nix, flakes and (im)purity.

Also, when building the system-flake locally i don't have that issue.

patchhoernchen avatar May 02 '23 23:05 patchhoernchen

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

  • If this is resolved, please consider closing it so that the maintainers know not to focus on this.
  • If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
If you are not the original author of the issue

  • If you are also experiencing this issue, please add details of your situation to help with the debugging process.
  • If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.
Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

stale[bot] avatar Aug 01 '23 03:08 stale[bot]

Still relevant. Can't run my configs on my Hydra install because of this.

spacekitteh avatar Oct 16 '23 03:10 spacekitteh

@spacekitteh Same here. Unable to build my NixOS configurations (at least the ones using Home Manager) with Hydra.

victormignot avatar Nov 15 '23 21:11 victormignot

I'm pretty certain this is finally fixed with the recent introduction of nmd as a package in Nixpkgs. I'll close the issue, please comment if you think the issue still remains.

rycee avatar Jan 17 '24 21:01 rycee