ToyVo / nh_darwin

Yet another nix cli helper
European Union Public License 1.2

Warning when running nh os switch #5

Closed gigamonster256 closed 3 months ago

gigamonster256 commented 4 months ago

I get a warning when running nh os switch:

DEBUG nh::commands:56: cmd=Exec { /usr/bin/sudo nix-env --profile /nix/var/nix/profiles/system --set /var/folders/xm/t9x8767d1p73___d71x35j8r0000gn/T/nh-os-mWyem4/result }
warning: $HOME ('/Users/caleb') is not owned by you, falling back to the one defined in the 'passwd' file ('/var/root')

However, the same warning does not appear when running darwin-rebuild switch.

It seems to be related to the check that darwin-rebuild has in its script:

if [ "$action" = switch ]; then
  if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then
    sudo nix-env -p "$profile" --set "$systemConfig"
  else
    nix-env -p "$profile" --set "$systemConfig"
  fi
fi

ToyVo commented 4 months ago

I have also noticed this when building. I just wasn't sure what the issue was. Thanks for pointing that out, I'll try to dig into it at some point.

ToyVo commented 3 months ago

The equivalent check is here: https://github.com/ToyVo/nh-darwin/blob/main/src/nixos.rs#L173, where the user is only checked for whether they are root, but there is no check, if they are not root, for whether they have write permissions.

We already get the metadata of the flake and check if it is owned by root https://github.com/ToyVo/nh-darwin/blob/main/src/nixos.rs#L45-L48

Should just need to add another check if flake_uid is effective_uid, or add checks for group permissions too, but it looks like there is flake_metadata.permissions().readonly() that I can look at too

ToyVo commented 3 months ago

On Unix-based platforms this checks if any of the owner, group or others write permission bits are set. It does not check if the current user is in the file's assigned group. It also does not check ACLs. Therefore the return value of this function cannot be relied upon to predict whether attempts to read or write the file will actually succeed. The [PermissionsExt] trait gives direct access to the permission bits but also does not read ACLs.

It doesn't look like this function will do what I want, flake_metadata.permissions().readonly()

ToyVo commented 3 months ago

I've updated some code https://github.com/ToyVo/nh-darwin/blob/main/src/nixos.rs#L196-L204, but it doesn't work yet; debugging will be needed.

ToyVo commented 3 months ago

OK, after doing some debugging, I believe the problem is with how sudo is executed. In nh we are just using bare sudo, but nix-darwin will use the flags -H and --preserve-env https://github.com/LnL7/nix-darwin/blob/master/pkgs/nix-tools/darwin-rebuild.sh#L22 and I think that might be the issue.

ToyVo commented 3 months ago

Ah, -H means set-home on sudo; this is definitely the issue.

ToyVo commented 3 months ago

This has been fixed by adding additional arguments with sudo. I'm not guaranteeing that the other elevation programs like doas or pkexec work.
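
The two points the thread converges on, as an added example (not nh-darwin's own code): elevate only when the caller is not root and cannot write the profile directory, as darwin-rebuild does, and pass -H when the elevation program is sudo so the root process does not run with the invoking user's $HOME. The function names, the `elevator` parameter and the result path are assumptions made for this sketch.

```rust
use std::ffi::CString;
use std::os::raw::{c_char, c_int};
use std::os::unix::ffi::OsStrExt;
use std::path::Path;

// libc symbols, already linked into every Rust program on Unix.
extern "C" {
    fn geteuid() -> u32;
    fn access(path: *const c_char, mode: c_int) -> c_int;
}
const W_OK: c_int = 2; // value on Linux and macOS

/// Let the kernel decide writability, so group membership and ACLs count
/// (Permissions::readonly() only looks at the mode bits). access(2) tests
/// the real uid, which equals the effective uid unless the binary is setuid.
fn can_write(dir: &Path) -> bool {
    match CString::new(dir.as_os_str().as_bytes()) {
        Ok(p) => unsafe { access(p.as_ptr(), W_OK) == 0 },
        Err(_) => false, // interior NUL: not a usable path
    }
}

/// Same condition as darwin-rebuild: not root AND profile dir not writable.
fn needs_elevation(euid: u32, profile_dir_writable: bool) -> bool {
    euid != 0 && !profile_dir_writable
}

/// argv for setting the system profile. `elevator` is an assumed parameter
/// naming the elevation program; only sudo gets -H (set HOME to the target
/// user's), other programs are passed through without extra flags.
fn set_profile_argv(elevate: bool, elevator: &str, profile: &str, system: &str) -> Vec<String> {
    let mut argv: Vec<String> = Vec::new();
    if elevate {
        argv.push(elevator.to_string());
        if elevator == "sudo" {
            argv.push("-H".to_string());
        }
    }
    argv.extend(["nix-env", "--profile", profile, "--set", system].map(String::from));
    argv
}

fn main() {
    let profile = Path::new("/nix/var/nix/profiles/system");
    let dir = profile.parent().unwrap();
    let elevate = needs_elevation(unsafe { geteuid() }, can_write(dir));
    // "/tmp/nh-os-example/result" is a constructed placeholder path.
    let argv = set_profile_argv(elevate, "sudo", profile.to_str().unwrap(), "/tmp/nh-os-example/result");
    println!("{}", argv.join(" "));
}
```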