Tagging release 2.26.2

-----BEGIN PGP SIGNATURE----- iQFHBAABCAAxFiEEtUHVUwEnDgvPFcpdgXC0cm1xmN4FAmetA5oTHGVkb2xzdHJh QGdtYWlsLmNvbQAKCRCBcLRybXGY3g2pB/9JAFyjmaXuccbMTO/6x9qwsWuuXNLk OQWzfbdUekvsihZZSFZg1r7KqqXHCi64f0nxLPsJ/0oeDWZktJ5KnbV630nuUlDj ulLCpKdvhWFa8dVx9LiziGwQw4KLx8PjOfwThtQ4DqCWxWEmu6lKkijag9cE+ai4 3mw9YtUjBRxlXyhYLzWz3whLbv37c/m+R8iGS8xm8W260pmei6D0beOIPdfXYBQF PzPlPORyI08A06uqyA3z7bTxzmSMnzvu0QInCPCKSHzFUnTZPHUYuYStFl28NrZS fXKK59L0G7QEfdTRAmqQkdHdtPj2RlYFiMN0kQiNLflvKfGGWdi/kvdx =rRix -----END PGP SIGNATURE----- Merge tag '2.26.2' into sync-2.26.2 Tagging release 2.26.2
2025-07-07 18:31:49 +02:00 · 2025-02-18 19:56:22 +01:00 · 2025-02-18 19:56:22 +01:00 · 4055239936
commit 4055239936
parent 67bc4afd26 b3e9204833
1395 changed files with 24694 additions and 16040 deletions
--- a/scripts/bigsur-nixbld-user-migration.sh
+++ b/scripts/bigsur-nixbld-user-migration.sh
@ -2,7 +2,7 @@

 ((NEW_NIX_FIRST_BUILD_UID=351))

-id_available(){
+id_unavailable(){
 	dscl . list /Users UniqueID | grep -E '\b'"$1"'\b' >/dev/null
 }

@ -15,7 +15,7 @@ change_nixbld_names_and_ids(){
 	while read -r name uid; do
 		echo "   Checking $name (uid: $uid)"
 		# iterate for a clean ID
-		while id_available "$next_id"; do
+		while id_unavailable "$next_id"; do
 			((next_id++))
 			if ((next_id >= 400)); then
 				echo "We've hit UID 400 without placing all of your users :("
--- a/scripts/binary-tarball.nix
+++ b/scripts/binary-tarball.nix
@ -1,14 +1,18 @@
-{ runCommand
-, system
-, buildPackages
-, cacert
-, nix
+{
+  runCommand,
+  system,
+  buildPackages,
+  cacert,
+  nix,
 }:

 let

  installerClosureInfo = buildPackages.closureInfo {
-    rootPaths = [ nix cacert ];
+    rootPaths = [
+      nix
+      cacert
+    ];
  };

  inherit (nix) version;
@ -23,7 +27,7 @@ in
 runCommand "nix-binary-tarball-${version}" env ''
  cp ${installerClosureInfo}/registration $TMPDIR/reginfo
  cp ${./create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
-  substitute ${./install-nix-from-closure.sh} $TMPDIR/install \
+  substitute ${./install-nix-from-tarball.sh} $TMPDIR/install \
    --subst-var-by nix ${nix} \
    --subst-var-by cacert ${cacert}

@ -65,7 +69,7 @@ runCommand "nix-binary-tarball-${version}" env ''
  fn=$out/$dir.tar.xz
  mkdir -p $out/nix-support
  echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
-  tar cvfJ $fn \
+  tar cfJ $fn \
    --owner=0 --group=0 --mode=u+rw,uga+r \
    --mtime='1970-01-01' \
    --absolute-names \
--- a/scripts/build-checks
+++ b/scripts/build-checks
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+nix eval --json ".#checks.$system" --apply builtins.attrNames | \
+  jq -r '.[]' | \
+  xargs -P0 -I '{}' sh -c "nix build -L .#checks.$system.{} || { echo 'FAILED: \033[0;31mnix build -L .#checks.$system.{}\\033[0m'; kill 0; }"
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@ -463,7 +463,7 @@ EOF

    EDITOR="$SCRATCH/ex_cleanroom_wrapper" _sudo "to add nix to fstab" "$@" <<EOF
 :a
-UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners
+UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,nosuid,noatime,owners
 .
 :x
 EOF
--- a/scripts/install-darwin-multi-user.sh
+++ b/scripts/install-darwin-multi-user.sh
@ -145,13 +145,28 @@ poly_user_id_get() {
    dsclattr "/Users/$1" "UniqueID"
 }

+dscl_create() {
+    # workaround a bug in dscl where it sometimes fails with eNotYetImplemented:
+    # https://github.com/NixOS/nix/issues/12140
+    while ! _sudo "$1" /usr/bin/dscl . -create "$2" "$3" "$4" 2> "$SCRATCH/dscl.err"; do
+        local err=$?
+        if [[ $err -eq 140 ]] && grep -q "-14988 (eNotYetImplemented)" "$SCRATCH/dscl.err"; then
+            echo "dscl failed with eNotYetImplemented, retrying..."
+            sleep 1
+            continue
+        fi
+        cat "$SCRATCH/dscl.err"
+        return $err
+    done
+}
+
 poly_user_hidden_get() {
    dsclattr "/Users/$1" "IsHidden"
 }

 poly_user_hidden_set() {
-    _sudo "in order to make $1 a hidden user" \
-          /usr/bin/dscl . -create "/Users/$1" "IsHidden" "1"
+    dscl_create "in order to make $1 a hidden user" \
+          "/Users/$1" "IsHidden" "1"
 }

 poly_user_home_get() {
@ -161,8 +176,8 @@ poly_user_home_get() {
 poly_user_home_set() {
    # This can trigger a permission prompt now:
    # "Terminal" would like to administer your computer. Administration can include modifying passwords, networking, and system settings.
-    _sudo "in order to give $1 a safe home directory" \
-          /usr/bin/dscl . -create "/Users/$1" "NFSHomeDirectory" "$2"
+    dscl_create "in order to give $1 a safe home directory" \
+          "/Users/$1" "NFSHomeDirectory" "$2"
 }

 poly_user_note_get() {
@ -170,8 +185,8 @@ poly_user_note_get() {
 }

 poly_user_note_set() {
-    _sudo "in order to give $username a useful note" \
-          /usr/bin/dscl . -create "/Users/$1" "RealName" "$2"
+    dscl_create "in order to give $1 a useful note" \
+          "/Users/$1" "RealName" "$2"
 }

 poly_user_shell_get() {
@ -179,8 +194,8 @@ poly_user_shell_get() {
 }

 poly_user_shell_set() {
-    _sudo "in order to give $1 a safe shell" \
-          /usr/bin/dscl . -create "/Users/$1" "UserShell" "$2"
+    dscl_create "in order to give $1 a safe shell" \
+          "/Users/$1" "UserShell" "$2"
 }

 poly_user_in_group_check() {
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@"
 #readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
 readonly EXTRACTED_NIX_PATH="$(dirname "$0")"

+# allow to override identity change command
+readonly NIX_BECOME=${NIX_BECOME:-sudo}
+
 readonly ROOT_HOME=~root

 if [ -t 0 ] && [ -z "${NIX_INSTALLER_YES:-}" ]; then
@ -123,7 +126,7 @@ uninstall_directions() {
            cat <<EOF
 $step. Restore $profile_target$PROFILE_BACKUP_SUFFIX back to $profile_target

-  sudo mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target
+  $NIX_BECOME mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target

 (after this one, you may need to re-open any terminals that were
 opened while it existed.)
@ -136,7 +139,7 @@ EOF
    cat <<EOF
 $step. Delete the files Nix added to your system:

-  sudo rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"
+  $NIX_BECOME rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"

 and that is it.

@ -343,7 +346,7 @@ __sudo() {

    echo "I am executing:"
    echo ""
-    printf "    $ sudo %s\\n" "$cmd"
+    printf "    $ $NIX_BECOME %s\\n" "$cmd"
    echo ""
    echo "$expl"
    echo ""
@ -361,7 +364,9 @@ _sudo() {
    if is_root; then
        env "$@"
    else
-        sudo "$@"
+        # env sets environment variables for sudo alternatives
+        # that don't support "VAR=value command" syntax
+        $NIX_BECOME env "$@"
    fi
 }

@ -557,7 +562,7 @@ create_build_user_for_core() {
        if [ "$actual_uid" != "$uid" ]; then
            failure <<EOF
 It seems the build user $username already exists, but with the UID
-with the UID '$actual_uid'. This script can't really handle that right
+'$actual_uid'. This script can't really handle that right
 now, so I'm going to give up.

 If you already created the users and you know they start from
@ -690,7 +695,7 @@ place_channel_configuration() {
    if [ -z "${NIX_INSTALLER_NO_CHANNEL_ADD:-}" ]; then
        echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$SCRATCH/.nix-channels"
        _sudo "to set up the default system channel (part 1)" \
-            install -m 0664 "$SCRATCH/.nix-channels" "$ROOT_HOME/.nix-channels"
+            install -m 0644 "$SCRATCH/.nix-channels" "$ROOT_HOME/.nix-channels"
    fi
 }

@ -964,7 +969,7 @@ $NIX_EXTRA_CONF
 build-users-group = $NIX_BUILD_GROUP_NAME
 EOF
    _sudo "to place the default nix daemon configuration (part 2)" \
-          install -m 0664 "$SCRATCH/nix.conf" /etc/nix/nix.conf
+          install -m 0644 "$SCRATCH/nix.conf" /etc/nix/nix.conf
 }


--- a/scripts/install-nix-from-tarball.sh
+++ b/scripts/install-nix-from-tarball.sh
@ -9,6 +9,8 @@ self="$(dirname "$0")"
 nix="@nix@"
 cacert="@cacert@"

+# allow to override identity change command
+readonly NIX_BECOME="${NIX_BECOME:-sudo}"

 if ! [ -e "$self/.reginfo" ]; then
    echo "$0: incomplete installer (.reginfo is missing)" >&2
@ -48,15 +50,14 @@ case "$(uname -s)" in
        INSTALL_MODE=no-daemon;;
 esac

-# space-separated string
-ACTIONS=
+ACTION=

 # handle the command line flags
 while [ $# -gt 0 ]; do
    case $1 in
        --daemon)
            INSTALL_MODE=daemon
-            ACTIONS="${ACTIONS}install "
+            ACTION=install
            ;;
        --no-daemon)
            if [ "$(uname -s)" = "Darwin" ]; then
@ -64,19 +65,14 @@ while [ $# -gt 0 ]; do
                exit 1
            fi
            INSTALL_MODE=no-daemon
-            # intentional tail space
-            ACTIONS="${ACTIONS}install "
+            ACTION=install
            ;;
-        # --uninstall)
-        #     # intentional tail space
-        #     ACTIONS="${ACTIONS}uninstall "
-        #     ;;
        --yes)
            export NIX_INSTALLER_YES=1;;
        --no-channel-add)
            export NIX_INSTALLER_NO_CHANNEL_ADD=1;;
        --daemon-user-count)
-            export NIX_USER_COUNT=$2
+            export NIX_USER_COUNT="$2"
            shift;;
        --no-modify-profile)
            NIX_INSTALLER_NO_MODIFY_PROFILE=1;;
@ -128,7 +124,7 @@ done

 if [ "$INSTALL_MODE" = "daemon" ]; then
    printf '\e[1;31mSwitching to the Multi-user Installer\e[0m\n'
-    exec "$self/install-multi-user" $ACTIONS # let ACTIONS split
+    exec "$self/install-multi-user" $ACTION
    exit 0
 fi

@ -140,8 +136,8 @@ echo "performing a single-user installation of Nix..." >&2

 if ! [ -e "$dest" ]; then
    cmd="mkdir -m 0755 $dest && chown $USER $dest"
-    echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
-    if ! sudo sh -c "$cmd"; then
+    echo "directory $dest does not exist; creating it by running '$cmd' using $NIX_BECOME" >&2
+    if ! $NIX_BECOME sh -c "$cmd"; then
        echo "$0: please manually run '$cmd' as root to create $dest" >&2
        exit 1
    fi
--- a/scripts/install-systemd-multi-user.sh
+++ b/scripts/install-systemd-multi-user.sh
@ -96,6 +96,9 @@ poly_configure_nix_daemon_service() {
    if [ -e /run/systemd/system ]; then
        task "Setting up the nix-daemon systemd service"

+        _sudo "to create parent of the nix-daemon tmpfiles config" \
+              mkdir -p "$(dirname "$TMPFILES_DEST")"
+
        _sudo "to create the nix-daemon tmpfiles config" \
              ln -sfn "/nix/var/nix/profiles/default$TMPFILES_SRC" "$TMPFILES_DEST"

--- a/scripts/installer.nix
+++ b/scripts/installer.nix
@ -1,36 +1,42 @@
-{ lib
-, runCommand
-, nix
-, tarballs
+{
+  lib,
+  runCommand,
+  nix,
+  tarballs,
 }:

-runCommand "installer-script" {
-  buildInputs = [ nix ];
-} ''
-  mkdir -p $out/nix-support
-
-  # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
-  tarballPath() {
-    # Remove the store prefix
-    local path=''${1#${builtins.storeDir}/}
-    # Get the path relative to the derivation root
-    local rest=''${path#*/}
-    # Get the derivation hash
-    local drvHash=''${path%%-*}
-    echo "$drvHash/$rest"
+runCommand "installer-script"
+  {
+    buildInputs = [ nix ];
  }
+  ''
+    mkdir -p $out/nix-support

-  substitute ${./install.in} $out/install \
-    ${lib.concatMapStrings
-      (tarball: let
-          inherit (tarball.stdenv.hostPlatform) system;
-        in '' \
-        --replace '@tarballHash_${system}@' $(nix hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
-        --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
-        ''
-      )
-      tarballs
-    } --replace '@nixVersion@' ${nix.version}
+    # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
+    tarballPath() {
+      # Remove the store prefix
+      local path=''${1#${builtins.storeDir}/}
+      # Get the path relative to the derivation root
+      local rest=''${path#*/}
+      # Get the derivation hash
+      local drvHash=''${path%%-*}
+      echo "$drvHash/$rest"
+    }

-  echo "file installer $out/install" >> $out/nix-support/hydra-build-products
-''
+    substitute ${./install.in} $out/install \
+      ${
+        lib.concatMapStrings (
+          tarball:
+          let
+            inherit (tarball.stdenv.hostPlatform) system;
+          in
+          ''
+            \
+                   --replace '@tarballHash_${system}@' $(nix hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
+                   --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
+          ''
+        ) tarballs
+      } --replace '@nixVersion@' ${nix.version}
+
+    echo "file installer $out/install" >> $out/nix-support/hydra-build-products
+  ''
--- a/scripts/local.mk
+++ b/scripts/local.mk
@ -1,13 +0,0 @@
-nix_noinst_scripts := \
-  $(d)/nix-profile.sh
-
-noinst-scripts += $(nix_noinst_scripts)
-
-profiledir = $(sysconfdir)/profile.d
-
-$(eval $(call install-file-as, $(d)/nix-profile.sh, $(profiledir)/nix.sh, 0644))
-$(eval $(call install-file-as, $(d)/nix-profile.fish, $(profiledir)/nix.fish, 0644))
-$(eval $(call install-file-as, $(d)/nix-profile-daemon.sh, $(profiledir)/nix-daemon.sh, 0644))
-$(eval $(call install-file-as, $(d)/nix-profile-daemon.fish, $(profiledir)/nix-daemon.fish, 0644))
-
-clean-files += $(nix_noinst_scripts)
--- a/scripts/meson.build
+++ b/scripts/meson.build
@ -0,0 +1,20 @@
+configure_file(
+  input : 'nix-profile.sh.in',
+  output : 'nix-profile.sh',
+  configuration : {
+    'localstatedir': localstatedir,
+  }
+)
+
+foreach rc : [ '.sh', '.fish', '-daemon.sh', '-daemon.fish' ]
+  configure_file(
+    input : 'nix-profile' + rc  + '.in',
+    output : 'nix' + rc,
+    install : true,
+    install_dir : get_option('profile-dir'),
+    install_mode : 'rw-r--r--',
+    configuration : {
+      'localstatedir': localstatedir,
+    },
+  )
+endforeach
--- a/scripts/nix-profile-daemon.sh.in
+++ b/scripts/nix-profile-daemon.sh.in
@ -52,7 +52,7 @@ elif [ -e /etc/pki/tls/certs/ca-bundle.crt ]; then # Fedora, CentOS
 else
  # Fall back to what is in the nix profiles, favouring whatever is defined last.
  check_nix_profiles() {
-    if [ -n "$ZSH_VERSION" ]; then
+    if [ -n "${ZSH_VERSION:-}" ]; then
      # Zsh by default doesn't split words in unquoted parameter expansion.
      # Set local_options for these options to be reverted at the end of the function
      # and shwordsplit to force splitting words in $NIX_PROFILES below.
--- a/scripts/nix-profile.fish.in
+++ b/scripts/nix-profile.fish.in
@ -29,7 +29,7 @@ if test -n "$HOME" && test -n "$USER"
    end

    # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
-    if test -n "$NIX_SSH_CERT_FILE"
+    if test -n "$NIX_SSL_CERT_FILE"
        : # Allow users to override the NIX_SSL_CERT_FILE
    else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
        set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@ -1,31 +1,35 @@
 # This file is tested by tests/installer/default.nix.
-if [ -n "$HOME" ] && [ -n "$USER" ]; then
+if [ -n "${HOME-}" ] && [ -n "${USER-}" ]; then

    # Set up the per-user profile.

-    NIX_LINK="$HOME/.nix-profile"
-    if [ -n "${XDG_STATE_HOME-}" ]; then
-        NIX_LINK_NEW="$XDG_STATE_HOME/nix/profile"
+    if [ -n "${NIX_STATE_HOME-}" ]; then
+        NIX_LINK="$NIX_STATE_HOME/profile"
    else
-        NIX_LINK_NEW="$HOME/.local/state/nix/profile"
-    fi
-    if [ -e "$NIX_LINK_NEW" ]; then
-        if [ -t 2 ] && [ -e "$NIX_LINK" ]; then
-            warning="\033[1;35mwarning:\033[0m"
-            printf "$warning Both %s and legacy %s exist; using the former.\n" "$NIX_LINK_NEW" "$NIX_LINK" 1>&2
-            if [ "$(realpath "$NIX_LINK")" = "$(realpath "$NIX_LINK_NEW")" ]; then
-                printf "         Since the profiles match, you can safely delete either of them.\n" 1>&2
-            else
-                # This should be an exceptionally rare occasion: the only way to get it would be to
-                # 1. Update to newer Nix;
-                # 2. Remove .nix-profile;
-                # 3. Set the $NIX_LINK_NEW to something other than the default user profile;
-                # 4. Roll back to older Nix.
-                # If someone did all that, they can probably figure out how to migrate the profile.
-                printf "$warning Profiles do not match. You should manually migrate from %s to %s.\n" "$NIX_LINK" "$NIX_LINK_NEW" 1>&2
-            fi
+        NIX_LINK="$HOME/.nix-profile"
+        if [ -n "${XDG_STATE_HOME-}" ]; then
+            NIX_LINK_NEW="$XDG_STATE_HOME/nix/profile"
+        else
+            NIX_LINK_NEW="$HOME/.local/state/nix/profile"
+        fi
+        if [ -e "$NIX_LINK_NEW" ]; then
+            if [ -t 2 ] && [ -e "$NIX_LINK" ]; then
+                warning="\033[1;35mwarning:\033[0m"
+                printf "$warning Both %s and legacy %s exist; using the former.\n" "$NIX_LINK_NEW" "$NIX_LINK" 1>&2
+                if [ "$(realpath "$NIX_LINK")" = "$(realpath "$NIX_LINK_NEW")" ]; then
+                    printf "         Since the profiles match, you can safely delete either of them.\n" 1>&2
+                else
+                    # This should be an exceptionally rare occasion: the only way to get it would be to
+                    # 1. Update to newer Nix;
+                    # 2. Remove .nix-profile;
+                    # 3. Set the $NIX_LINK_NEW to something other than the default user profile;
+                    # 4. Roll back to older Nix.
+                    # If someone did all that, they can probably figure out how to migrate the profile.
+                    printf "$warning Profiles do not match. You should manually migrate from %s to %s.\n" "$NIX_LINK" "$NIX_LINK_NEW" 1>&2
+                fi
+            fi
+            NIX_LINK="$NIX_LINK_NEW"
        fi
-        NIX_LINK="$NIX_LINK_NEW"
    fi

    # Set up environment.
--- a/scripts/prepare-installer-for-github-actions
+++ b/scripts/prepare-installer-for-github-actions
@ -1,10 +1,11 @@
 #!/usr/bin/env bash

-set -e
+set -euo pipefail

-script=$(nix-build -A outputs.hydraJobs.installerScriptForGHA --no-out-link)
-installerHash=$(echo "$script" | cut -b12-43 -)
+nix build -L ".#installerScriptForGHA" ".#binaryTarball"

-installerURL=https://$CACHIX_NAME.cachix.org/serve/$installerHash/install
-
-echo "::set-output name=installerURL::$installerURL"
+mkdir -p out
+cp ./result/install "out/install"
+name="$(basename "$(realpath ./result-1)")"
+# everything before the first dash
+cp -r ./result-1 "out/${name%%-*}"
--- a/scripts/sequoia-nixbld-user-migration.sh
+++ b/scripts/sequoia-nixbld-user-migration.sh
@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# stock path to avoid unexpected command versions
+PATH="$(/usr/bin/getconf PATH)"
+
+((NEW_NIX_FIRST_BUILD_UID=351))
+((TEMP_NIX_FIRST_BUILD_UID=31000))
+
+nix_user_n() {
+	printf "_nixbld%d" "$1"
+}
+
+id_unavailable(){
+	dscl . list /Users UniqueID | grep -E '\b'"$1"'\b' >/dev/null
+}
+
+any_nixbld(){
+	dscl . list /Users UniqueID | grep -E '\b_nixbld' >/dev/null
+}
+
+dsclattr() {
+	dscl . -read "$1" | awk "/$2/ { print \$2 }"
+}
+
+re_create_nixbld_user(){
+	local name uid
+
+	name="$1"
+	uid="$2"
+	gid="$3"
+
+	sudo /usr/bin/dscl . -create "/Users/$name" "UniqueID" "$uid"
+	sudo /usr/bin/dscl . -create "/Users/$name" "IsHidden" "1"
+	sudo /usr/bin/dscl . -create "/Users/$name" "NFSHomeDirectory" "/var/empty"
+	sudo /usr/bin/dscl . -create "/Users/$name" "RealName" "Nix build user $name"
+	sudo /usr/bin/dscl . -create "/Users/$name" "UserShell" "/sbin/nologin"
+	sudo /usr/bin/dscl . -create "/Users/$name" "PrimaryGroupID" "$gid"
+}
+
+hit_id_cap(){
+	echo "We've hit UID 400 without placing all of your users :("
+	echo "You should use the commands in this script as a starting"
+	echo "point to review your UID-space and manually move the"
+	echo "remaining users (or delete them, if you don't need them)."
+}
+
+# evacuate the role-uid space to simplify final placement logic
+temporarily_move_existing_nixbld_uids(){
+	local name uid next_id user_n
+
+	((next_id=TEMP_NIX_FIRST_BUILD_UID))
+
+	echo ""
+	echo "Step 1: move existing _nixbld users out of the destination UID range."
+
+	while read -r name uid; do
+		# iterate for a clean ID
+		while id_unavailable "$next_id"; do
+			((next_id++))
+			# We really want to get these all placed, but I guess there's
+			# some risk we iterate forever--so we'll give up after 9k uids.
+			if ((next_id >= 40000)); then
+				echo "We've hit UID 40000 without temporarily placing all of your users :("
+				echo "You should use the commands in this script as a starting"
+				echo "point to review your UID-space and manually move the"
+				echo "remaining users to any open UID over 1000."
+				exit 1
+			fi
+		done
+		sudo dscl . -create "/Users/$name" UniqueID "$next_id"
+		echo "   Temporarily moved $name from uid $uid -> $next_id"
+
+	done < <(dscl . list /Users UniqueID | grep _nixbld | sort -n -k2)
+}
+
+change_nixbld_uids(){
+	local existing_gid name next_id user_n
+
+	((next_id=NEW_NIX_FIRST_BUILD_UID))
+	((user_n=1))
+	name="$(nix_user_n "$user_n")"
+	existing_gid="$(dsclattr "/Groups/nixbld" "PrimaryGroupID")"
+
+	# we know that we have *some* nixbld users, but macOS may have
+	# already clobbered the first few users if this system has been
+	# upgraded
+
+	echo ""
+	echo "Step 2: re-create missing early _nixbld# users."
+
+	until dscl . read "/Users/$name" &>/dev/null; do
+		# iterate for a clean ID
+		while id_unavailable "$next_id"; do
+			((next_id++))
+			if ((next_id >= 400)); then
+				hit_id_cap
+				exit 1
+			fi
+		done
+
+		re_create_nixbld_user "$name" "$next_id" "$existing_gid"
+		echo "      $name was missing; created with uid: $next_id"
+
+		((user_n++))
+		name="$(nix_user_n "$user_n")"
+	done
+
+	echo ""
+	echo "Step 3: relocate remaining _nixbld# UIDs to $next_id+"
+
+	# start at first _nixbld# not re-created above and increment
+	# until _nixbld<n> doesn't exist
+	while dscl . read "/Users/$name" &>/dev/null; do
+		# iterate for a clean ID
+		while id_unavailable "$next_id"; do
+			((next_id++))
+			if ((next_id >= 400)); then
+				hit_id_cap
+				exit 1
+			fi
+		done
+
+		sudo dscl . -create "/Users/$name" UniqueID "$next_id"
+		echo "      $name migrated to uid: $next_id"
+
+		((user_n++))
+		name="$(nix_user_n "$user_n")"
+	done
+
+	if ((user_n == 1)); then
+		echo "Didn't find _nixbld1. Perhaps you have single-user Nix?"
+		exit 1
+	else
+		echo "Migrated $((user_n - 1)) users. If you want to double-check, try:"
+		echo "dscl . list /Users UniqueID | grep _nixbld | sort -n -k2"
+	fi
+}
+needs_migration(){
+	local name uid next_id user_n
+
+	((next_id=NEW_NIX_FIRST_BUILD_UID))
+	((user_n=1))
+
+	while read -r name uid; do
+		expected_name="$(nix_user_n "$user_n")"
+		if [[ "$expected_name" != "$name" ]]; then
+			return 0
+		fi
+		if [[ "$next_id" != "$uid" ]]; then
+			return 0
+		fi
+		((next_id++))
+		((user_n++))
+	done < <(dscl . list /Users UniqueID | grep _nixbld | sort -n -k2)
+	return 1
+}
+
+
+if any_nixbld; then
+	if needs_migration; then
+		echo "Attempting to migrate _nixbld users."
+		temporarily_move_existing_nixbld_uids
+		change_nixbld_uids
+	else
+		echo "_nixbld users already appear to be migrated."
+	fi
+else
+	echo "Didn't find any _nixbld users. Perhaps you have single-user Nix?"
+	exit 1
+fi
--- a/scripts/serve-installer-for-github-actions
+++ b/scripts/serve-installer-for-github-actions
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+if [[ ! -d out ]]; then
+  echo "run prepare-installer-for-github-actions first"
+  exit 1
+fi
+cd out
+PORT=${PORT:-8126}
+nohup python -m http.server "$PORT" >/dev/null 2>&1 &
+pid=$!
+
+while ! curl -s "http://localhost:$PORT"; do
+  sleep 1
+  if ! kill -0 $pid; then
+    echo "Failed to start http server"
+    exit 1
+  fi
+done
+
+echo 'To install nix, run the following command:'
+echo "sh <(curl http://localhost:$PORT/install) --tarball-url-prefix http://localhost:$PORT"