viperML / nh

Yet another nix cli helper
European Union Public License 1.2

Permission denied when trying to update flake.lock #79

Open Yucklys opened 5 months ago

Yucklys commented 5 months ago

I put my flake.nix under /etc/nixos, as this is where sudo nixos-rebuild switch defaults to. However, when I try to update the flake inputs with nh os switch --update, it successfully pulls the updates, but fails to update the flake.lock file due to permission denied. I have to manually update the flake inputs before I run this command. I think nh should ask for sudo permission to update the lock, as /etc/nixos/flake.nix is a common place where people store their flake files.

viperML commented 5 months ago

nh doesn't run nix as root, only the activation scripts

Yucklys commented 5 months ago

I just want to know if this is the intended behavior, as it requires another command to upgrade. I wrote a wrapper for the commands and now it works perfectly.

viperML commented 5 months ago

It's weird behaviour nonetheless

painsucker6k commented 5 months ago

Same issue.

painsucker6k commented 5 months ago

> nh doesn't run nix as root, only the activation scripts

I'm guessing that's the issue, as flakes are updated by the nix command? I'm not that experienced in nix, so excuse me if I'm wrong.

viperML commented 5 months ago

I know the issue but not the cleanest way to handle it. And my NixOS flake is not owned by root, so I don't need to fix this immediately

painsucker6k commented 5 months ago

So the temporary fix is changing the ownership of flake.nix and flake.lock?

viperML commented 5 months ago

I'd say not using nh's --update is the correct way

different-name commented 3 months ago

I am also struggling with this: nh os switch fails whenever I update my flake inputs. Shouldn't nh ask for sudo like it does at other times it is required?

viperML commented 3 months ago

No, because I want to keep the evaluation apart from root

different-name commented 3 months ago

Do you suggest permanently changing ownership then?

viperML commented 3 months ago

Running nix flake update as the same user that owns the flake
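
The approach from the reply above (update the lock as the user that owns the flake, and keep nix evaluation away from root), written as a POSIX shell function. This is an added example, not part of nh or of the thread; the function names lock_owner_uid and update_lock are hypothetical, and it assumes GNU stat and sudo are available.

```shell
#!/bin/sh
# Added example (not nh's code): refresh flake.lock as the account that owns
# it, so lock writes never need a privileged nh run.
# Assumes GNU stat (coreutils) and sudo; function names are hypothetical.

# Print the numeric uid that must write the lock: the owner of flake.lock
# if it exists, otherwise the owner of the flake directory (nix creates it).
lock_owner_uid() {
    dir=$1
    if [ ! -f "$dir/flake.nix" ]; then
        echo "lock_owner_uid: no flake.nix in $dir" >&2
        return 2
    fi
    if [ -e "$dir/flake.lock" ]; then
        stat -c '%u' "$dir/flake.lock"
    else
        stat -c '%u' "$dir"
    fi
}

# update_lock DIR [--dry-run]
# Runs `nix flake update` inside DIR as the lock's owner. With --dry-run it
# only prints the command line it would execute.
update_lock() {
    dir=$1
    mode=${2:-}
    uid=$(lock_owner_uid "$dir") || return
    if [ "$uid" = "$(id -u)" ]; then
        set -- nix flake update                  # we already own the lock
    else
        set -- sudo -u "#$uid" nix flake update  # sudo accepts "#uid"
    fi
    if [ "$mode" = "--dry-run" ]; then
        echo "$*"
        return 0
    fi
    (cd "$dir" && "$@")
}
```

Call update_lock /etc/nixos first, then run nh os switch without --update.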

gepbird commented 2 months ago

I have a similar issue: using agenix the quick and dirty way and putting a builtins.readFile config.age.secrets.foo.path in the config, I get a permission error: error: opening file '/run/agenix/foo': Permission denied

And sudo -E nh os switch doesn't work: Don't run nh os as root. I will call sudo internally as needed. What's the reason for this sudo check?

viperML commented 2 months ago

Well, readFile secret is certainly a use case I want to block, so nh was working as intended.

Edit: + if anything, nix would not let you read files outside the flake because of the evaluation-time sandbox.