Merge branch 'master' into kabir/one-sudo

# Conflicts:
#	pkgs/nix-tools/darwin-rebuild.sh

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# nixpkgs: format with `nixfmt`
+dc1c716ded39758062ed7e6bc410ad274119de9f

.github/workflows/test.yml

@@ -6,67 +6,73 @@ on:
       - master
 
 env:
-  CURRENT_STABLE_CHANNEL: nixpkgs-24.11-darwin
+  NIXPKGS_BRANCH: nixpkgs-unstable
+  NIX_VERSION: 2.24.11
 
 jobs:
-  test-stable:
-    runs-on: macos-13
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install nix corresponding to latest stable channel
-      uses: cachix/install-nix-action@v30
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.18.8/install
-    - run: nix flake check --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
+  # The `test-stable` and `install-against-stable` job names are
+  # load‐bearing, despite their inaccuracy on the unstable branch, as
+  # they are set as required checks in the repository configuration,
+  # which only repository admins can change.
+  #
+  # TODO: Change them once the repository configuration is updated.
 
-  test-unstable:
+  test-stable:
     runs-on: macos-13
     steps:
     - uses: actions/checkout@v4
-    - name: Install nix from current unstable channel
+    - name: Install Nix
       uses: cachix/install-nix-action@v30
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.24.9/install
-    - run: nix flake check --override-input nixpkgs nixpkgs/nixpkgs-unstable
+        install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
+    - run: nix flake check --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
 
   install-against-stable:
     runs-on: macos-13
+    timeout-minutes: 30
     steps:
     - uses: actions/checkout@v4
-    - name: Install nix corresponding to latest stable channel
+    - name: Install Nix
       uses: cachix/install-nix-action@v30
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.18.8/install
-        nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }}
+        install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
+        nix_path: nixpkgs=channel:${{ env.NIXPKGS_BRANCH }}
     - name: Install channels
       run: |
-        nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin
-        nix-channel --add https://nixos.org/channels/${{ env.CURRENT_STABLE_CHANNEL }} nixpkgs
+        nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs
         nix-channel --update
     - name: Install nix-darwin
       run: |
-        export NIX_PATH=$HOME/.nix-defexpr/channels
-
-        mkdir -p ~/.config/nix-darwin
-        cp modules/examples/simple.nix ~/.config/nix-darwin/configuration.nix
+        sudo mkdir -p /etc/nix-darwin
+        sudo cp modules/examples/simple.nix /etc/nix-darwin/configuration.nix
 
         nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
-        /usr/bin/sed -i.bak \
-          "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
-          ~/.config/nix-darwin/configuration.nix
-
-        nix run .#darwin-rebuild \
-          -- switch \
-          -I darwin-config=$HOME/.config/nix-darwin/configuration.nix
+        sudo /usr/bin/sed -i.bak \
+          "s/# programs.fish.enable = true;/ \
+            imports = [ \
+              ({ options, ... }: { \
+                nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; \
+                environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ]; \
+                nix.nixPath = \
+                  [ { darwin = \"${PWD////\/}\"; } ] \
+                  ++ options.nix.nixPath.default; \
+              }) \
+            ]; \
+          /" \
+          /etc/nix-darwin/configuration.nix
+
+        nix run .#darwin-rebuild -- switch \
+          -I darwin=. \
+          -I darwin-config=/etc/nix-darwin/configuration.nix
     - name: Switch to new configuration
       run: |
         . /etc/bashrc
 
-        /usr/bin/sed -i.bak \
+        sudo /usr/bin/sed -i.bak \
           "s/pkgs.vim/pkgs.hello/" \
-          ~/.config/nix-darwin/configuration.nix
+          /etc/nix-darwin/configuration.nix
 
-        darwin-rebuild switch -I darwin=.
+        darwin-rebuild switch
 
         hello
     - name: Test uninstallation of nix-darwin
@@ -75,148 +81,54 @@ jobs:
         # `cachix/install-nix-action` but not by our default config above
         nix run .#darwin-uninstaller \
           --extra-experimental-features "nix-command flakes" \
-          --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
+          --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
         nix run .#darwin-uninstaller.tests.uninstaller \
           --extra-experimental-features "nix-command flakes" \
-          --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
+          --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
 
-  install-against-unstable:
+  install-flake:
     runs-on: macos-13
     timeout-minutes: 30
     steps:
     - uses: actions/checkout@v4
-    - name: Install nix from current unstable channel
-      uses: cachix/install-nix-action@v30
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.24.9/install
-        nix_path: nixpkgs=channel:nixpkgs-unstable
-    - name: Install channels
-      run: |
-        nix-channel --add https://github.com/LnL7/nix-darwin/archive/master.tar.gz darwin
-        nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs
-        nix-channel --update
-    - name: Install nix-darwin
-      run: |
-        export NIX_PATH=$HOME/.nix-defexpr/channels
-
-        mkdir -p ~/.config/nix-darwin
-        cp modules/examples/simple.nix ~/.config/nix-darwin/configuration.nix
-
-        nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
-        /usr/bin/sed -i.bak \
-          "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
-          ~/.config/nix-darwin/configuration.nix
-
-        nix run .#darwin-rebuild \
-          -- switch \
-          -I darwin-config=$HOME/.config/nix-darwin/configuration.nix
-    - name: Switch to new configuration
-      run: |
-        . /etc/bashrc
-
-        /usr/bin/sed -i.bak \
-          "s/pkgs.vim/pkgs.hello/" \
-          ~/.config/nix-darwin/configuration.nix
-
-        darwin-rebuild switch -I darwin=.
-
-        hello
-    - name: Test uninstallation of nix-darwin
-      run: |
-        # We need to specify `--extra-experimental-features` because `experimental-features` is set by
-        # `cachix/install-nix-action` but not by our default config above
-        nix run .#darwin-uninstaller \
-           --extra-experimental-features "nix-command flakes" \
-           --override-input nixpkgs nixpkgs/nixpkgs-unstable
-        nix run .#darwin-uninstaller.tests.uninstaller \
-           --extra-experimental-features "nix-command flakes" \
-           --override-input nixpkgs nixpkgs/nixpkgs-unstable
-
-  install-flake-against-stable:
-    runs-on: macos-13
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install nix version corresponding to latest stable channel
+    - name: Install Nix
       uses: cachix/install-nix-action@v30
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.18.8/install
+        install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
     - name: Install nix-darwin
       run: |
-        mkdir -p ~/.config/nix-darwin
+        sudo mkdir -p /etc/nix-darwin
         darwin=$(pwd)
-        pushd ~/.config/nix-darwin
-          nix flake init -t $darwin
+        pushd /etc/nix-darwin
+          sudo nix flake init -t $darwin
           nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
-          /usr/bin/sed -i.bak \
+          sudo /usr/bin/sed -i.bak \
             "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
             flake.nix
-          /usr/bin/sed -i.bak \
-            's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \
-            flake.nix
-        popd
-        nix run .#darwin-rebuild -- \
-          switch --flake ~/.config/nix-darwin#simple \
-          --override-input nix-darwin . \
-          --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
-    - name: Switch to new configuration
-      run: |
-        . /etc/bashrc
-
-        /usr/bin/sed -i.bak \
-          "s/pkgs.vim/pkgs.hello/" \
-          ~/.config/nix-darwin/flake.nix
-
-        darwin-rebuild switch --flake ~/.config/nix-darwin#simple \
-          --override-input nix-darwin . \
-          --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
-
-        hello
-    - name: Test uninstallation of nix-darwin
-      run: |
-        nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
-        nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }}
-
-  install-flake-against-unstable:
-    runs-on: macos-13
-    timeout-minutes: 30
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install nix from current unstable channel
-      uses: cachix/install-nix-action@v30
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.24.9/install
-    - name: Install nix-darwin
-      run: |
-        mkdir -p ~/.config/nix-darwin
-        darwin=$(pwd)
-        pushd ~/.config/nix-darwin
-          nix flake init -t $darwin
-          nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1)
-          /usr/bin/sed -i.bak \
-            "s/# programs.fish.enable = true;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \
+          sudo /usr/bin/sed -i.bak \
+            's/darwinConfigurations."simple"/darwinConfigurations."'$(scutil --get LocalHostName)'"/g' \
             flake.nix
-          /usr/bin/sed -i.bak \
+          sudo /usr/bin/sed -i.bak \
             's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \
             flake.nix
         popd
-        nix run .#darwin-rebuild -- \
-          switch --flake ~/.config/nix-darwin#simple \
+        nix run .#darwin-rebuild -- switch \
           --override-input nix-darwin . \
-          --override-input nixpkgs nixpkgs/nixpkgs-unstable
+          --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
     - name: Switch to new configuration
       run: |
         . /etc/bashrc
 
-        /usr/bin/sed -i.bak \
+        sudo /usr/bin/sed -i.bak \
           "s/pkgs.vim/pkgs.hello/" \
-          ~/.config/nix-darwin/flake.nix
+          /etc/nix-darwin/flake.nix
 
-        darwin-rebuild switch --flake ~/.config/nix-darwin#simple \
+        darwin-rebuild switch \
           --override-input nix-darwin . \
-          --override-input nixpkgs nixpkgs/nixpkgs-unstable
+          --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
 
         hello
     - name: Test uninstallation of nix-darwin
       run: |
-        nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/nixpkgs-unstable
-        nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/nixpkgs-unstable
+        nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}
+        nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }}

CHANGELOG

@@ -1,3 +1,23 @@
+2025-01-29
+- There is now a `nix.enable` toggle to disable management of the Nix
+  installation. Nix installation management has been made more
+  opinionated as a consequence; nix-darwin now only supports managing a
+  multi‐user daemon installation of Nix, and unconditionally takes
+  ownership of the nix-daemon launchd daemon and the `_nixbld*` build
+  users when Nix installation management is enabled.
+
+  If the new constraints do not work with your setup, you can disable
+  the `nix.enable` option to opt out of Nix installation management
+  entirely; see the option documentation for caveats.
+
+2025-01-18
+- The default configuration path for all new installations
+  is `/etc/nix-darwin`. This was already the undocumented
+  default for `darwin-rebuild switch` when using flakes. This
+  is implemented by setting `environment.darwinConfig` to
+  `"/etc/nix-darwin/configuration.nix"` by default when
+  `system.stateVersion` ≥ 6.
+
 2024-09-10
 - The default Nix build user group ID is now set to 350 when
   `system.stateVersion` ≥ 5, to reflect the default for new Nix