Merge pull request #3628 from domenkozar/2.3-installer-fixes

2.3 installer fixes
2025-07-08 11:03:54 +02:00 · 2020-05-27 11:02:23 +02:00 · 2020-05-27 11:02:23 +02:00 · 44d0897ac8
commit 44d0897ac8
parent 90b3b31dc2 e15dc6783a
13 changed files with 629 additions and 81 deletions
--- a/README.md
+++ b/README.md
@ -9,11 +9,11 @@ appear with Nix.
 To find out more about the tool, usage and installation instructions, please
 read the manual, which is available on the Nix website at
-<http://nixos.org/nix/manual>.
+<https://nixos.org/nix/manual>.
 ## Contributing
-Take a look at the [Hacking Section](http://nixos.org/nix/manual/#chap-hacking)
+Take a look at the [Hacking Section](https://nixos.org/nix/manual/#chap-hacking)
 of the manual. It helps you to get started with building Nix from source.
 ## License
@ -21,4 +21,4 @@ of the manual. It helps you to get started with building Nix from source.
 Nix is released under the LGPL v2.1
 This product includes software developed by the OpenSSL Project for
-use in the [OpenSSL Toolkit](http://www.OpenSSL.org/).
+use in the [OpenSSL Toolkit](https://www.OpenSSL.org/).
--- a/doc/manual/installation/installing-binary.xml
+++ b/doc/manual/installation/installing-binary.xml
@ -6,16 +6,30 @@
 <title>Installing a Binary Distribution</title>
-<para>If you are using Linux or macOS, the easiest way to install Nix
+<para>
-is to run the following command:
+  If you are using Linux or macOS versions up to 10.14 (Mojave), the
  easiest way to install Nix is to run the following command:
 </para>
 <screen>
  $ sh &lt;(curl https://nixos.org/nix/install)
 </screen>
 <para>
  If you're using macOS 10.15 (Catalina) or newer, consult
  <link linkend="sect-macos-installation">the macOS installation instructions</link>
  before installing.
 </para>
 <para>
  As of Nix 2.1.0, the Nix installer will always default to creating a
  single-user installation, however opting in to the multi-user
  installation is highly recommended.
  <!-- TODO: this explains *neither* why the default version is
  single-user, nor why we'd recommend multi-user over the default.
  True prospective users don't have much basis for evaluating this.
  What's it to me? Who should pick which? Why? What if I pick wrong?
  -->
 </para>
 <section xml:id="sect-single-user-installation">
@ -36,7 +50,7 @@ run this under your usual user account, <emphasis>not</emphasis> as
 root.  The script will invoke <command>sudo</command> to create
 <filename>/nix</filename> if it doesn’t already exist.  If you don’t
 have <command>sudo</command>, you should manually create
-<command>/nix</command> first as root, e.g.:
+<filename>/nix</filename> first as root, e.g.:
 <screen>
 $ mkdir /nix
@ -47,7 +61,7 @@ The install script will modify the first writable file from amongst
 <filename>.bash_profile</filename>, <filename>.bash_login</filename>
 and <filename>.profile</filename> to source
 <filename>~/.nix-profile/etc/profile.d/nix.sh</filename>. You can set
-the <command>NIX_INSTALLER_NO_MODIFY_PROFILE</command> environment
+the <envar>NIX_INSTALLER_NO_MODIFY_PROFILE</envar> environment
 variable before executing the install script to disable this
 behaviour.
 </para>
@ -81,12 +95,10 @@ $ rm -rf /nix
  <para>
    You can instruct the installer to perform a multi-user
    installation on your system:
    <screen>
  sh &lt;(curl https://nixos.org/nix/install) --daemon
 </screen>
  </para>
  <screen>sh &lt;(curl https://nixos.org/nix/install) --daemon</screen>
  <para>
    The multi-user installation of Nix will create build users between
    the user IDs 30001 and 30032, and a group with the group ID 30000.
@ -136,13 +148,280 @@ sudo rm /Library/LaunchDaemons/org.nixos.nix-daemon.plist
 </section>
 <section xml:id="sect-macos-installation">
  <title>macOS Installation</title>
  <para>
    Starting with macOS 10.15 (Catalina), the root filesystem is read-only.
    This means <filename>/nix</filename> can no longer live on your system
    volume, and that you'll need a workaround to install Nix.
  </para>
  <para>
    The recommended approach, which creates an unencrypted APFS volume
    for your Nix store and a "synthetic" empty directory to mount it
    over at <filename>/nix</filename>, is least likely to impair Nix
    or your system.
  </para>
  <note><para>
    With all separate-volume approaches, it's possible something on
    your system (particularly daemons/services and restored apps) may
    need access to your Nix store before the volume is mounted. Adding
    additional encryption makes this more likely.
  </para></note>
  <para>
    If you're using a recent Mac with a
    <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>,
    your drive will still be encrypted at rest (in which case "unencrypted"
    is a bit of a misnomer). To use this approach, just install Nix with:
  </para>
  <screen>$ sh &lt;(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume</screen>
  <para>
    If you don't like the sound of this, you'll want to weigh the
    other approaches and tradeoffs detailed in this section.
  </para>
  <note>
    <title>Eventual solutions?</title>
    <para>
      All of the known workarounds have drawbacks, but we hope
      better solutions will be available in the future. Some that
      we have our eye on are:
    </para>
    <orderedlist>
      <listitem>
        <para>
          A true firmlink would enable the Nix store to live on the
          primary data volume without the build problems caused by
          the symlink approach. End users cannot currently
          create true firmlinks.
        </para>
      </listitem>
      <listitem>
        <para>
          If the Nix store volume shared FileVault encryption
          with the primary data volume (probably by using the same
          volume group and role), FileVault encryption could be
          easily supported by the installer without requiring
          manual setup by each user.
        </para>
      </listitem>
    </orderedlist>
  </note>
  <section xml:id="sect-macos-installation-change-store-prefix">
    <title>Change the Nix store path prefix</title>
    <para>
      Changing the default prefix for the Nix store is a simple
      approach which enables you to leave it on your root volume,
      where it can take full advantage of FileVault encryption if
      enabled. Unfortunately, this approach also opts your device out
      of some benefits that are enabled by using the same prefix
      across systems:
      <itemizedlist>
        <listitem>
          <para>
            Your system won't be able to take advantage of the binary
            cache (unless someone is able to stand up and support
            duplicate caching infrastructure), which means you'll
            spend more time waiting for builds.
          </para>
        </listitem>
        <listitem>
          <para>
            It's harder to build and deploy packages to Linux systems.
          </para>
        </listitem>
        <!-- TODO: may be more here -->
      </itemizedlist>
      <!-- TODO: Yes, but how?! -->
      It would also possible (and often requested) to just apply this
      change ecosystem-wide, but it's an intrusive process that has
      side effects we want to avoid for now.
      <!-- magnificent hand-wavy gesture -->
    </para>
    <para>
    </para>
  </section>
  <section xml:id="sect-macos-installation-encrypted-volume">
    <title>Use a separate encrypted volume</title>
    <para>
      If you like, you can also add encryption to the recommended
      approach taken by the installer. You can do this by pre-creating
      an encrypted volume before you run the installer--or you can
      run the installer and encrypt the volume it creates later.
      <!-- TODO: see later note about whether this needs both add-encryption and from-scratch directions -->
    </para>
    <para>
      In either case, adding encryption to a second volume isn't quite
      as simple as enabling FileVault for your boot volume. Before you
      dive in, there are a few things to weigh:
    </para>
    <orderedlist>
      <listitem>
        <para>
          The additional volume won't be encrypted with your existing
          FileVault key, so you'll need another mechanism to decrypt
          the volume.
        </para>
      </listitem>
      <listitem>
        <para>
          You can store the password in Keychain to automatically
          decrypt the volume on boot--but it'll have to wait on Keychain
          and may not mount before your GUI apps restore. If any of
          your launchd agents or apps depend on Nix-installed software
          (for example, if you use a Nix-installed login shell), the
          restore may fail or break.
        </para>
        <para>
          On a case-by-case basis, you may be able to work around this
          problem by using <command>wait4path</command> to block
          execution until your executable is available.
        </para>
        <para>
          It's also possible to decrypt and mount the volume earlier
          with a login hook--but this mechanism appears to be
          deprecated and its future is unclear.
        </para>
      </listitem>
      <listitem>
        <para>
          You can hard-code the password in the clear, so that your
          store volume can be decrypted before Keychain is available.
        </para>
      </listitem>
    </orderedlist>
    <para>
      If you are comfortable navigating these tradeoffs, you can encrypt the volume with
      something along the lines of:
      <!-- TODO:
      I don't know if this also needs from-scratch instructions?
      can we just recommend use-the-installer-and-then-encrypt?
      -->
    </para>
    <!--
    TODO: it looks like this option can be encryptVolume|encrypt|enableFileVault
    It may be more clear to use encryptVolume, here? FileVault seems
    heavily associated with the boot-volume behavior; I worry
    a little that it can mislead here, especially as it gets
    copied around minus doc context...?
    -->
    <screen>alice$ diskutil apfs enableFileVault /nix -user disk</screen>
    <!-- TODO: and then go into detail on the mount/decrypt approaches? -->
  </section>
  <section xml:id="sect-macos-installation-symlink">
    <!--
    Maybe a good razor is: if we'd hate having to support someone who
    installed Nix this way, it shouldn't even be detailed?
    -->
    <title>Symlink the Nix store to a custom location</title>
    <para>
      Another simple approach is using <filename>/etc/synthetic.conf</filename>
      to symlink the Nix store to the data volume. This option also
      enables your store to share any configured FileVault encryption.
      Unfortunately, builds that resolve the symlink may leak the
      canonical path or even fail.
    </para>
    <para>
      Because of these downsides, we can't recommend this approach.
    </para>
    <!-- Leaving out instructions for this one. -->
  </section>
  <section xml:id="sect-macos-installation-recommended-notes">
    <title>Notes on the recommended approach</title>
    <para>
      This section goes into a little more detail on the recommended
      approach. You don't need to understand it to run the installer,
      but it can serve as a helpful reference if you run into trouble.
    </para>
    <orderedlist>
      <listitem>
        <para>
          In order to compose user-writable locations into the new
          read-only system root, Apple introduced a new concept called
          <literal>firmlinks</literal>, which it describes as a
          "bi-directional wormhole" between two filesystems. You can
          see the current firmlinks in <filename>/usr/share/firmlinks</filename>.
          Unfortunately, firmlinks aren't (currently?) user-configurable.
        </para>
        <para>
          For special cases like NFS mount points or package manager roots,
          <link xlink:href="https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man5/synthetic.conf.5.html">synthetic.conf(5)</link>
          supports limited user-controlled file-creation (of symlinks,
          and synthetic empty directories) at <filename>/</filename>.
          To create a synthetic empty directory for mounting at <filename>/nix</filename>,
          add the following line to <filename>/etc/synthetic.conf</filename>
          (create it if necessary):
        </para>
        <screen>nix</screen>
      </listitem>
      <listitem>
        <para>
          This configuration is applied at boot time, but you can use
          <command>apfs.util</command> to trigger creation (not deletion)
          of new entries without a reboot:
        </para>
        <screen>alice$ /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B</screen>
      </listitem>
      <listitem>
        <para>
          Create the new APFS volume with diskutil:
        </para>
        <screen>alice$ sudo diskutil apfs addVolume diskX APFS 'Nix Store' -mountpoint /nix</screen>
      </listitem>
      <listitem>
        <para>
          Using <command>vifs</command>, add the new mount to
          <filename>/etc/fstab</filename>. If it doesn't already have
          other entries, it should look something like:
        </para>
 <screen>
 #
 # Warning - this file should only be modified with vifs(8)
 #
 # Failure to do so is unsupported and may be destructive.
 #
 LABEL=Nix\040Store /nix apfs rw,nobrowse
 </screen>
        <para>
          The nobrowse setting will keep Spotlight from indexing this
          volume, and keep it from showing up on your desktop.
        </para>
      </listitem>
    </orderedlist>
  </section>
 </section>
 <section xml:id="sect-nix-install-pinned-version-url">
  <title>Installing a pinned Nix version from a URL</title>
  <para>
    NixOS.org hosts version-specific installation URLs for all Nix
    versions since 1.11.16, at
-    <literal>https://nixos.org/releases/nix/nix-VERSION/install</literal>.
+    <literal>https://releases.nixos.org/nix/nix-<replaceable>version</replaceable>/install</literal>.
  </para>
  <para>
--- a/release.nix
+++ b/release.nix
@ -137,10 +137,10 @@ let
        }
        ''
          cp ${installerClosureInfo}/registration $TMPDIR/reginfo
          cp ${./scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
          substitute ${./scripts/install-nix-from-closure.sh} $TMPDIR/install \
            --subst-var-by nix ${toplevel} \
            --subst-var-by cacert ${cacert}
          substitute ${./scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
            --subst-var-by nix ${toplevel} \
            --subst-var-by cacert ${cacert}
@ -155,6 +155,7 @@ let
            # SC1090: Don't worry about not being able to find
            #         $nix/etc/profile.d/nix.sh
            shellcheck --exclude SC1090 $TMPDIR/install
            shellcheck $TMPDIR/create-darwin-volume.sh
            shellcheck $TMPDIR/install-darwin-multi-user.sh
            shellcheck $TMPDIR/install-systemd-multi-user.sh
@ -170,6 +171,7 @@ let
          fi
          chmod +x $TMPDIR/install
          chmod +x $TMPDIR/create-darwin-volume.sh
          chmod +x $TMPDIR/install-darwin-multi-user.sh
          chmod +x $TMPDIR/install-systemd-multi-user.sh
          chmod +x $TMPDIR/install-multi-user
@ -182,11 +184,15 @@ let
            --absolute-names \
            --hard-dereference \
            --transform "s,$TMPDIR/install,$dir/install," \
            --transform "s,$TMPDIR/create-darwin-volume.sh,$dir/create-darwin-volume.sh," \
            --transform "s,$TMPDIR/reginfo,$dir/.reginfo," \
            --transform "s,$NIX_STORE,$dir/store,S" \
-            $TMPDIR/install $TMPDIR/install-darwin-multi-user.sh \
+            $TMPDIR/install \
            $TMPDIR/create-darwin-volume.sh \
            $TMPDIR/install-darwin-multi-user.sh \
            $TMPDIR/install-systemd-multi-user.sh \
-            $TMPDIR/install-multi-user $TMPDIR/reginfo \
+            $TMPDIR/install-multi-user \
            $TMPDIR/reginfo \
            $(cat ${installerClosureInfo}/store-paths)
        '');
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@ -0,0 +1,185 @@
 #!/bin/sh
 set -e
 root_disk() {
    diskutil info -plist /
 }
 apfs_volumes_for() {
    disk=$1
    diskutil apfs list -plist "$disk"
 }
 disk_identifier() {
    xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
 }
 volume_list_true() {
    key=$1
    xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
 }
 volume_get_string() {
    key=$1 i=$2
    xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
 }
 find_nix_volume() {
    disk=$1
    i=1
    volumes=$(apfs_volumes_for "$disk")
    while true; do
        name=$(echo "$volumes" | volume_get_string "Name" "$i")
        if [ -z "$name" ]; then
            break
        fi
        case "$name" in
            [Nn]ix*)
                echo "$name"
                break
                ;;
        esac
        i=$((i+1))
    done
 }
 test_fstab() {
    grep -q "/nix apfs rw" /etc/fstab 2>/dev/null
 }
 test_nix_symlink() {
    [ -L "/nix" ] || grep -q "^nix." /etc/synthetic.conf 2>/dev/null
 }
 test_synthetic_conf() {
    grep -q "^nix$" /etc/synthetic.conf 2>/dev/null
 }
 test_nix() {
    test -d "/nix"
 }
 test_t2_chip_present(){
    # Use xartutil to see if system has a t2 chip.
    #
    # This isn't well-documented on its own; until it is,
    # let's keep track of knowledge/assumptions.
    #
    # Warnings:
    # - Don't search "xart" if porn will cause you trouble :)
    # - Other xartutil flags do dangerous things. Don't run them
    #   naively. If you must, search "xartutil" first.
    #
    # Assumptions:
    # - the "xART session seeds recovery utility"
    #   appears to interact with xartstorageremoted
    # - `sudo xartutil --list` lists xART sessions
    #   and their seeds and exits 0 if successful. If
    #   not, it exits 1 and prints an error such as:
    #   xartutil: ERROR: No supported link to the SEP present
    # - xART sessions/seeds are present when a T2 chip is
    #   (and not, otherwise)
    # - the presence of a T2 chip means a newly-created
    #   volume on the primary drive will be
    #   encrypted at rest
    # - all together: `sudo xartutil --list`
    #   should exit 0 if a new Nix Store volume will
    #   be encrypted at rest, and exit 1 if not.
    sudo xartutil --list >/dev/null 2>/dev/null
 }
 test_filevault_in_use() {
    disk=$1
    #      list vols on disk | get value of Filevault key | value is true
    apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true
 }
 # use after error msg for conditions we don't understand
 suggest_report_error(){
    # ex "error: something sad happened :(" >&2
    echo "       please report this @ https://github.com/nixos/nix/issues" >&2
 }
 main() {
    (
        echo ""
        echo "     ------------------------------------------------------------------ "
        echo "    | This installer will create a volume for the nix store and        |"
        echo "    | configure it to mount at /nix.  Follow these steps to uninstall. |"
        echo "     ------------------------------------------------------------------ "
        echo ""
        echo "  1. Remove the entry from fstab using 'sudo vifs'"
        echo "  2. Destroy the data volume using 'diskutil apfs deleteVolume'"
        echo "  3. Remove the 'nix' line from /etc/synthetic.conf or the file"
        echo ""
    ) >&2
    if test_nix_symlink; then
        echo "error: /nix is a symlink, please remove it and make sure it's not in synthetic.conf (in which case a reboot is required)" >&2
        echo "  /nix -> $(readlink "/nix")" >&2
        exit 2
    fi
    if ! test_synthetic_conf; then
        echo "Configuring /etc/synthetic.conf..." >&2
        echo nix | sudo tee -a /etc/synthetic.conf
        if ! test_synthetic_conf; then
            echo "error: failed to configure synthetic.conf;" >&2
            suggest_report_error
            exit 1
        fi
    fi
    if ! test_nix; then
        echo "Creating mountpoint for /nix..." >&2
        /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B || true
        if ! test_nix; then
            sudo mkdir -p /nix 2>/dev/null || true
        fi
        if ! test_nix; then
            echo "error: failed to bootstrap /nix; if a reboot doesn't help," >&2
            suggest_report_error
            exit 1
        fi
    fi
    disk=$(root_disk | disk_identifier)
    volume=$(find_nix_volume "$disk")
    if [ -z "$volume" ]; then
        echo "Creating a Nix Store volume..." >&2
        if test_filevault_in_use "$disk"; then
            # TODO: Not sure if it's in-scope now, but `diskutil apfs list`
            # shows both filevault and encrypted at rest status, and it
            # may be the more semantic way to test for this? It'll show
            # `FileVault:                 No (Encrypted at rest)`
            # `FileVault:                 No`
            # `FileVault:                 Yes (Unlocked)`
            # and so on.
            if test_t2_chip_present; then
                echo "warning: boot volume is FileVault-encrypted, but the Nix store volume" >&2
                echo "         is only encrypted at rest." >&2
                echo "         See https://nixos.org/nix/manual/#sect-macos-installation" >&2
            else
                echo "error: refusing to create Nix store volume because the boot volume is" >&2
                echo "       FileVault encrypted, but encryption-at-rest is not available." >&2
                echo "       Manually create a volume for the store and re-run this script." >&2
                echo "       See https://nixos.org/nix/manual/#sect-macos-installation" >&2
                exit 1
            fi
        fi
        sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
        volume="Nix Store"
    else
        echo "Using existing '$volume' volume" >&2
    fi
    if ! test_fstab; then
        echo "Configuring /etc/fstab..." >&2
        label=$(echo "$volume" | sed 's/ /\\040/g')
        printf "\$a\nLABEL=%s /nix apfs rw,nobrowse\n.\nwq\n" "$label" | EDITOR=ed sudo vifs
    fi
 }
 main "$@"
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@ -20,13 +20,16 @@ readonly GREEN='\033[32m'
 readonly GREEN_UL='\033[4;32m'
 readonly RED='\033[31m'
-readonly NIX_USER_COUNT="32"
+# installer allows overriding build user count to speed up installation
 # as creating each user takes non-trivial amount of time on macos
 readonly NIX_USER_COUNT=${NIX_USER_COUNT:-32}
 readonly NIX_BUILD_GROUP_ID="30000"
 readonly NIX_BUILD_GROUP_NAME="nixbld"
 readonly NIX_FIRST_BUILD_UID="30001"
 # Please don't change this. We don't support it, because the
 # default shell profile that comes with Nix doesn't support it.
 readonly NIX_ROOT="/nix"
 readonly NIX_EXTRA_CONF=${NIX_EXTRA_CONF:-}
 readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc")
 readonly PROFILE_BACKUP_SUFFIX=".backup-before-nix"
@ -542,9 +545,11 @@ create_directories() {
 }
 place_channel_configuration() {
    if [ -z "${NIX_INSTALLER_NO_CHANNEL_ADD:-}" ]; then
        echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$SCRATCH/.nix-channels"
        _sudo "to set up the default system channel (part 1)" \
            install -m 0664 "$SCRATCH/.nix-channels" "$ROOT_HOME/.nix-channels"
    fi
 }
 welcome_to_nix() {
@ -659,7 +664,7 @@ install_from_extracted_nix() {
        cd "$EXTRACTED_NIX_PATH"
        _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
-              rsync -rlpt ./store/* "$NIX_ROOT/store/"
+              rsync -rlpt --chmod=-w ./store/* "$NIX_ROOT/store/"
        if [ -d "$NIX_INSTALLED_NIX" ]; then
            echo "      Alright! We have our first nix at $NIX_INSTALLED_NIX"
@ -726,18 +731,20 @@ setup_default_profile() {
        export NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
    fi
    if [ -z "${NIX_INSTALLER_NO_CHANNEL_ADD:-}" ]; then
        # Have to explicitly pass NIX_SSL_CERT_FILE as part of the sudo call,
        # otherwise it will be lost in environments where sudo doesn't pass
        # all the environment variables by default.
        _sudo "to update the default channel in the default profile" \
            HOME="$ROOT_HOME" NIX_SSL_CERT_FILE="$NIX_SSL_CERT_FILE" "$NIX_INSTALLED_NIX/bin/nix-channel" --update nixpkgs \
            || channel_update_failed=1
-
+    fi
 }
 place_nix_configuration() {
    cat <<EOF > "$SCRATCH/nix.conf"
 $NIX_EXTRA_CONF
 build-users-group = $NIX_BUILD_GROUP_NAME
 EOF
    _sudo "to place the default nix daemon configuration (part 2)" \
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@ -40,14 +40,29 @@ elif [ "$(uname -s)" = "Linux" ] && [ -e /run/systemd/system ]; then
 fi
 INSTALL_MODE=no-daemon
-# Trivially handle the --daemon / --no-daemon options
+CREATE_DARWIN_VOLUME=0
-if [ "x${1:-}" = "x--no-daemon" ]; then
+# handle the command line flags
-    INSTALL_MODE=no-daemon
+while [ $# -gt 0 ]; do
-elif [ "x${1:-}" = "x--daemon" ]; then
+    case $1 in
-    INSTALL_MODE=daemon
+        --daemon)
-elif [ "x${1:-}" != "x" ]; then
+            INSTALL_MODE=daemon;;
        --no-daemon)
            INSTALL_MODE=no-daemon;;
        --no-channel-add)
            export NIX_INSTALLER_NO_CHANNEL_ADD=1;;
        --daemon-user-count)
            export NIX_USER_COUNT=$2
            shift;;
        --no-modify-profile)
            NIX_INSTALLER_NO_MODIFY_PROFILE=1;;
        --darwin-use-unencrypted-nix-store-volume)
            CREATE_DARWIN_VOLUME=1;;
        --nix-extra-conf-file)
            export NIX_EXTRA_CONF="$(cat $2)"
            shift;;
        *)
            (
-        echo "Nix Installer [--daemon|--no-daemon]"
+                echo "Nix Installer [--daemon|--no-daemon] [--daemon-user-count INT] [--no-channel-add] [--no-modify-profile] [--darwin-use-unencrypted-nix-store-volume] [--nix-extra-conf-file FILE]"
                echo "Choose installation method."
                echo ""
@ -61,8 +76,49 @@ elif [ "x${1:-}" != "x" ]; then
                echo "              trivial to uninstall."
                echo "              (default)"
                echo ""
                echo " --no-channel-add:    Don't add any channels. nixpkgs-unstable is installed by default."
                echo ""
                echo " --no-modify-profile: Skip channel installation. When not provided nixpkgs-unstable"
                echo "                      is installed by default."
                echo ""
                echo " --daemon-user-count: Number of build users to create. Defaults to 32."
                echo ""
                echo " --nix-extra-conf-file: Path to nix.conf to prepend when installing /etc/nix.conf"
                echo ""
            ) >&2
-    exit
+
            # darwin and Catalina+
            if [ "$(uname -s)" = "Darwin" ] && [ "$macos_major" -gt 14 ]; then
                (
                    echo " --darwin-use-unencrypted-nix-store-volume: Create an APFS volume for the Nix"
                    echo "              store and mount it at /nix. This is the recommended way to create"
                    echo "              /nix with a read-only / on macOS >=10.15."
                    echo "              See: https://nixos.org/nix/manual/#sect-macos-installation"
                    echo ""
                ) >&2
            fi
            exit;;
    esac
    shift
 done
 if [ "$(uname -s)" = "Darwin" ]; then
    if [ "$CREATE_DARWIN_VOLUME" = 1 ]; then
        printf '\e[1;31mCreating volume and mountpoint /nix.\e[0m\n'
        "$self/create-darwin-volume.sh"
    fi
    info=$(diskutil info -plist / | xpath "/plist/dict/key[text()='Writable']/following-sibling::true[1]" 2> /dev/null)
    if ! [ -e $dest ] && [ -n "$info" ] && [ "$macos_major" -gt 14 ]; then
        (
            echo ""
            echo "Installing on macOS >=10.15 requires relocating the store to an apfs volume."
            echo "Use sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume or run the preparation steps manually."
            echo "See https://nixos.org/nix/manual/#sect-macos-installation"
            echo ""
        ) >&2
        exit 1
    fi
 fi
 if [ "$INSTALL_MODE" = "daemon" ]; then
@ -87,7 +143,7 @@ if ! [ -e $dest ]; then
 fi
 if ! [ -w $dest ]; then
-    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see http://nixos.org/nix/manual/#ssec-multi-user. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
+    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nixos.org/nix/manual/#ssec-multi-user. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
    exit 1
 fi
@ -102,7 +158,7 @@ for i in $(cd "$self/store" >/dev/null && echo ./*); do
        rm -rf "$i_tmp"
    fi
    if ! [ -e "$dest/store/$i" ]; then
-        cp -Rp "$self/store/$i" "$i_tmp"
+        cp -RPp "$self/store/$i" "$i_tmp"
        chmod -R a-w "$i_tmp"
        chmod +w "$i_tmp"
        mv "$i_tmp" "$dest/store/$i"
@ -130,6 +186,7 @@ if [ -z "$NIX_SSL_CERT_FILE" ] || ! [ -f "$NIX_SSL_CERT_FILE" ]; then
 fi
 # Subscribe the user to the Nixpkgs channel and fetch it.
 if [ -z "$NIX_INSTALLER_NO_CHANNEL_ADD" ]; then
    if ! $nix/bin/nix-channel --list | grep -q "^nixpkgs "; then
        $nix/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
    fi
@ -139,6 +196,7 @@ if [ -z "$_NIX_INSTALLER_TEST" ]; then
            echo "To try again later, run \"nix-channel --update nixpkgs\"."
        fi
    fi
 fi
 added=
 p=$HOME/.nix-profile/etc/profile.d/nix.sh
@ -155,6 +213,17 @@ if [ -z "$NIX_INSTALLER_NO_MODIFY_PROFILE" ]; then
            break
        fi
    done
    for i in .zshenv .zshrc; do
        fn="$HOME/$i"
        if [ -w "$fn" ]; then
            if ! grep -q "$p" "$fn"; then
                echo "modifying $fn..." >&2
                echo "if [ -e $p ]; then . $p; fi # added by Nix installer" >> "$fn"
            fi
            added=1
            break
        fi
    done
 fi
 if [ -z "$added" ]; then
--- a/scripts/install-systemd-multi-user.sh
+++ b/scripts/install-systemd-multi-user.sh
@ -88,7 +88,7 @@ poly_configure_nix_daemon_service() {
          systemctl start nix-daemon.socket
    _sudo "to start the nix-daemon.service" \
-          systemctl start nix-daemon.service
+          systemctl restart nix-daemon.service
 }
--- a/scripts/install.in
+++ b/scripts/install.in
@ -30,12 +30,13 @@ case "$(uname -s).$(uname -m)" in
    *) oops "sorry, there is no binary distribution of Nix for your platform";;
 esac
-url="https://nixos.org/releases/nix/nix-@nixVersion@/nix-@nixVersion@-$system.tar.xz"
+url="https://releases.nixos.org/nix/nix-@nixVersion@/nix-@nixVersion@-$system.tar.xz"
 tarball="$tmpDir/$(basename "$tmpDir/nix-@nixVersion@-$system.tar.xz")"
 require_util curl "download the binary tarball"
 require_util tar "unpack the binary tarball"
 require_util xz "unpack the binary tarball"
 echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
 curl -L "$url" -o "$tarball" || oops "failed to download '$url'"
@ -56,7 +57,7 @@ fi
 unpack=$tmpDir/unpack
 mkdir -p "$unpack"
-tar -xf "$tarball" -C "$unpack" || oops "failed to unpack '$url'"
+tar -xJf "$tarball" -C "$unpack" || oops "failed to unpack '$url'"
 script=$(echo "$unpack"/*/install)
--- a/scripts/nix-profile-daemon.sh.in
+++ b/scripts/nix-profile-daemon.sh.in
@ -2,7 +2,6 @@
 if [ -n "${__ETC_PROFILE_NIX_SOURCED:-}" ]; then return; fi
 __ETC_PROFILE_NIX_SOURCED=1
 export NIX_USER_PROFILE_DIR="@localstatedir@/nix/profiles/per-user/$USER"
 export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile"
 # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@ -5,7 +5,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
    NIX_LINK=$HOME/.nix-profile
    NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER
    # Append ~/.nix-defexpr/channels to $NIX_PATH so that <nixpkgs>
    # paths work when the user has fetched the Nixpkgs channel.
@ -35,5 +34,5 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
    fi
    export PATH="$NIX_LINK/bin:$PATH"
-    unset NIX_LINK NIX_USER_PROFILE_DIR
+    unset NIX_LINK
 fi
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@ -19,13 +19,6 @@ namespace nix {
   must be deleted and recreated on startup.) */
 #define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
 #else
    #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
 #endif
 Settings settings;
 static GlobalConfig::Register r1(&settings);
@ -67,7 +60,12 @@ Settings::Settings()
    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
 #endif
-    allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
+
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
    sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
    allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
 #endif
 }
 void loadConfFile()
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -309,12 +309,7 @@ public:
    Setting<bool> printMissing{this, true, "print-missing",
        "Whether to print what paths need to be built or downloaded."};
-    Setting<std::string> preBuildHook{this,
+    Setting<std::string> preBuildHook{this, "",
 #if __APPLE__
        nixLibexecDir + "/nix/resolve-system-dependencies",
 #else
        "",
 #endif
        "pre-build-hook",
        "A program to run just before a build to set derivation-specific build settings."};
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@ -71,6 +71,12 @@
       (literal "/dev/zero")
       (subpath "/dev/fd"))
 ; Allow pseudo-terminals.
 (allow file*
       (literal "/dev/ptmx")
       (regex #"^/dev/pty[a-z]+")
       (regex #"^/dev/ttys[0-9]+"))
 ; Does nothing, but reduces build noise.
 (allow file* (literal "/dev/dtracehelper"))
@ -85,3 +91,7 @@
       (literal "/etc")
       (literal "/var")
       (literal "/private/var/tmp"))
 ; This is used by /bin/sh on macOS 10.15 and later.
 (allow file*
       (literal "/private/var/select/sh"))