Fix #116: trusted-users allows running commands as root without password (#130)

Update `README.md` to instead suggest that users put the
`extra-substituters` directly in `/etc/nix/nix.conf`, and remove the `nixConfig`
attribute from `flake.nix`.
yvan-sraka authored Mar 26, 2024
1 parent eba5f8d commit 6049c0f
Showing 4 changed files with 60 additions and 51 deletions.
40 changes: 28 additions & 12 deletions README.md
@@ -1,25 +1,41 @@
# The Developer Experience Shell

This repo contains a `nix develop` shell for haskell. Its primary purpose is to
help get a development shell for haskell quickly and across multiple
This repository contains a `nix develop` shell for Haskell. Its primary purpose
is to help get a development shell for Haskell quickly and across multiple
operating systems (and architectures).

It requires [`nix` to be installed](https://nixos.org/download.html).

Once you have `nix` installed, you can check that everything is working correctly:
* Make sure to add `experimental-features = nix-command flakes` and `accept-flake-config = true` lines to `$XDG_CONFIG_HOME/nix/nix.conf` file ;
* Make sure your `$USER` is trusted `nix show-config | grep trusted-users`, otherwise add it to `/etc/nix/nix.conf` and restart `nix-daemon` ;
* Make sure the `nix-daemon` is running using `systemctl status nix-daemon` (if your OS is `systemd`-based).

Once you have `nix`, (Linux, macOS, windows WSL) you can use:
> [!IMPORTANT]
> The README previously suggested to add your current user to `trusted-users`,
> but this is essentially equivalent to giving that user root access to the
> system.
## Getting Started

Once you have `nix` installed:
- Add `experimental-features = nix-command flakes` to your
`$XDG_CONFIG_HOME/nix/nix.conf` file to enable Nix flakes.
- You should manually add necessary substituters and trusted public keys to your
`/etc/nix/nix.conf`:
```
allow-import-from-derivation = "true";
extra-substituters = https://cache.iog.io https://cache.zw3rk.com
extra-trusted-public-keys = "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" "loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk="
```
- Ensure that `nix-daemon` is running (`systemctl status nix-daemon` on
`systemd`-based systems).

Then, (on Linux, macOS, windows WSL) you can use:
```bash
nix develop github:input-output-hk/devx#ghc96 --no-write-lock-file --refresh
```

Then, to obtain a haskell development shell for GHC 8.10.7 including `cabal-install`,
as well as `hls` and `hlint`. If you are on macOS on an Apple Silicon chip (M1, M2, ...),
and want to switch between Intel (x86_64) and Apple Silicon (aarch64), you can do
this by simply passing the corresponding `--system` argument:
To obtain a haskell development shell for GHC 8.10.7 including `cabal-install`,
as well as `hls` and `hlint`. If you are on macOS on an Apple Silicon chip
(M1, M2, ...), and want to switch between Intel (x86_64) and Apple Silicon
(aarch64), you can do this by simply passing the corresponding
`--system` argument:
```bash
nix develop github:input-output-hk/devx#ghc810 --no-write-lock-file --refresh --system x86_64-darwin
# ... or:
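Review bot: the `/etc/nix/nix.conf` fragment in the new Getting Started list keeps the Nix-expression syntax of the deleted `nixConfig` attribute, and `nix.conf` does not parse values that way: the daemon takes the text after `=` literally, splitting list values on whitespace, so `allow-import-from-derivation = "true";` is rejected as an invalid boolean value rather than enabling the setting, and the quote characters in `extra-trusted-public-keys = "hydra.iohk.io:…" "loony-tools:…"` become part of the key strings, which then never match the caches' signatures, so the paths the caches offer are ignored as lacking a trusted signature and get built locally. Write the lines unquoted and without the semicolon, e.g. `allow-import-from-derivation = true` and `extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk=`. Since this is now a system-wide file the user edits by hand, the list should also say that `nix-daemon` must be restarted afterwards; the last item only checks that it is running. Two smaller points: "To obtain a haskell development shell for GHC 8.10.7 including `cabal-install`, as well as `hls` and `hlint`." is a sentence fragment (inherited from the old text; "This gives you a Haskell development shell for GHC 8.10.7 with …" reads better), and "windows WSL" should be "Windows WSL".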
36 changes: 18 additions & 18 deletions docs/bootstrap.sh
@@ -90,27 +90,27 @@ else
echo "experimental-features = nix-command flakes" >> "$nix_conf_file"
log "DEBUG" "'experimental-features = nix-command flakes' added to nix configuration."
fi
if grep -q "accept-flake-config" "$nix_conf_file"; then
log "WARN" "The 'accept-flake-config' option already exists in '$nix_conf_file'. Please check that it's set to 'accept-flake-config = true'."
echo "Press ENTER to open $nix_conf_file in $EDITOR:"
read -r confirm
$EDITOR "$nix_conf_file"
else
echo "accept-flake-config = true" >> "$nix_conf_file"
log "DEBUG" "'accept-flake-config = true' added to nix configuration."
fi

nix_conf_file="/etc/nix/nix.conf"
if grep -q "trusted-users" "$nix_conf_file"; then
log "WARN" "The 'trusted-users' option already exists in '$nix_conf_file'. Please ensure that your user is part of 'trusted-users'."
echo "Press ENTER to open $nix_conf_file in $EDITOR:"
read -r confirm
$EDITOR "$nix_conf_file"
else
echo "trusted-users = root $USER" | sudo tee "$nix_conf_file" > /dev/null
log "DEBUG" "'trusted-users = root $USER' added to nix configuration."
fi

check_and_append_config() {
local key="$1"
local value="$2"
if grep -q "^$key" "$nix_conf_file"; then
echo "WARN: The '$key' option already exists in '$nix_conf_file'."
echo "You expected to add '$key = $value'."
echo "Press ENTER to open $nix_conf_file in $EDITOR for manual inspection:"
read -r confirm
sudo $EDITOR "$nix_conf_file"
else
echo "$key = $value" | sudo tee -a "$nix_conf_file" > /dev/null
log "DEBUG" "'$key = $value' added to system-wide nix configuration."
fi
}

check_and_append_config "allow-import-from-derivation" "true"
check_and_append_config "extra-substituters" "https://cache.iog.io https://cache.zw3rk.com"
check_and_append_config "extra-trusted-public-keys" "\"hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=\" \"loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk=\""

log "INFO" "[3/7] Restart nix-daemon (need sudo) ..."
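Review bot: the `extra-trusted-public-keys` call wraps each key in literal double quotes (`\"hydra.iohk.io:…\" \"loony-tools:…\"`) and `nix.conf` has no quoting syntax, so the quotes end up inside the key strings that `sudo tee -a` writes; neither key then matches the caches' signatures and their substitutes are ignored as untrusted. Pass the two keys as a plain whitespace-separated value, as the `extra-substituters` call already does. Second, `check_and_append_config` only appends: a `trusted-users = root $USER` line written to `/etc/nix/nix.conf` by the deleted block stays in place, so machines bootstrapped with the previous version keep the root-equivalent grant this commit is meant to remove; a `grep -q "^trusted-users"` check that warns and offers to open the file for removal would close that gap. Minor: `grep -q "^$key"` is a prefix match (`^$key[[:space:]]*=` is more precise), `echo "WARN: …"` bypasses the `log` helper used for every other message in this block, and `sudo $EDITOR` is unquoted, so an unset `$EDITOR` runs `sudo /etc/nix/nix.conf`.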

19 changes: 14 additions & 5 deletions docs/direnv.md
@@ -20,11 +20,20 @@ Ensure you have the following installed on your machine:
- [`direnv`](https://direnv.net/)
- Your choice of editor (VSCode, Emacs, or Vim)

To install `nix`, follow the steps provided on the [Nix installer page](https://nixos.org/download.html). To utilize our cache, it's essential that you're recognized as a trusted user. You can check your `nix` configuration to see if you're listed in `trusted-users` by running `nix show-config | grep 'trusted-users'`.

If you're not listed, you need to add the line `trusted-users = $USER` in your configuration file. Additionally, two more lines should be added: `experimental-features = nix-command flakes` and `accept-flake-config = true` for the convenince of having flake features enabled globaly.

You should add the `trusted-users` line in `/etc/nix/nix.conf`, others options could be added there or in `$XDG_CONFIG_HOME/nix/nix.conf` if you only want to change the configuration of your current user. After making these edits, remember to restart the `nix-daemon`. If you use a Linux distribution based on `systemd`, you can do so by running `sudo systemctl restart nix-daemon`, if you're running macOS, it's `launchctl kickstart -k system/org.nixos.nix-daemon`.
To install `nix`, follow the steps provided on the [Nix installer page](https://nixos.org/download.html).

> [!IMPORTANT]
> This guide previously suggested to add your current user to `trusted-users`, but this is essentially equivalent to giving that user root access to the system.
Once you have `nix` installed:
- Add `experimental-features = nix-command flakes` to your `$XDG_CONFIG_HOME/nix/nix.conf` file to enable Nix flakes.
- You should manually add necessary substituters and trusted public keys to your `/etc/nix/nix.conf`:
```
allow-import-from-derivation = "true";
extra-substituters = https://cache.iog.io https://cache.zw3rk.com
extra-trusted-public-keys = "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" "loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk="
```
- After making these edits, remember to restart the `nix-daemon`. If you use a Linux distribution based on `systemd`, you can do so by running `sudo systemctl restart nix-daemon`, if you're running macOS, it's `launchctl kickstart -k system/org.nixos.nix-daemon`.

## Install and configure `direnv`
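Review bot: the `> [!IMPORTANT]` callout is immediately followed by the plain line "Once you have `nix` installed:" with no blank line between them; in CommonMark that line is a lazy continuation of the blockquote paragraph, so it renders inside the callout instead of introducing the list. Add an empty line after the callout (the README hunk avoids this only because a `##` heading follows its callout). The `/etc/nix/nix.conf` fragment also carries the quotes and semicolon over from the deleted `nixConfig` attribute (`allow-import-from-derivation = "true";` and quoted keys in `extra-trusted-public-keys`); `nix.conf` takes values literally, so write them unquoted and without the semicolon, otherwise the boolean is rejected as an invalid value and the quoted keys never match the caches' signatures. Style: the last list item joins two sentences with a comma ("… `sudo systemctl restart nix-daemon`, if you're running macOS …"); a semicolon or "and if" reads better.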

16 changes: 0 additions & 16 deletions flake.nix
@@ -230,20 +230,4 @@
} "touch $out";
};
};

# --- Flake Local Nix Configuration ----------------------------
nixConfig = {
extra-substituters = [
"https://cache.iog.io"
# We only have zw3rk cache in here, because it provide aarch64-linux and aarch64-darwin.
"https://cache.zw3rk.com"
];
extra-trusted-public-keys = [
"hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
"loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk="
];
# post-build-hook = "./upload-to-cache.sh";
allow-import-from-derivation = "true";
};
# --------------------------------------------------------------
}
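Review bot: deleting the `nixConfig` block also deletes the only place that explains why `https://cache.zw3rk.com` is listed ("it provide aarch64-linux and aarch64-darwin"); now that users copy the cache list into `/etc/nix/nix.conf` by hand, carry that reason into the README and `docs/direnv.md` next to the `extra-substituters` line so they know the second cache matters on Apple Silicon and aarch64 Linux. Likewise `allow-import-from-derivation` moves from the flake into a system-wide setting the user must enable; a short sentence in the docs on why the flake needs it would help readers who hesitate to change daemon configuration. The removal itself is the right fix: without `nixConfig` the flake no longer asks the daemon to accept settings it would otherwise refuse from an untrusted user, which is why the README hunk can drop `accept-flake-config = true` as well.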

0 comments on commit 6049c0f