fe807904e5
Fixes #3957. Just runs both forms to minimize moving parts.
169 lines
6.2 KiB
Bash
Executable file
169 lines
6.2 KiB
Bash
Executable file
#!/bin/sh
|
|
set -e
|
|
|
|
root_disk() {
|
|
diskutil info -plist /
|
|
}
|
|
|
|
# i.e., "disk1"
|
|
root_disk_identifier() {
|
|
diskutil info -plist / | xmllint --xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" -
|
|
}
|
|
|
|
find_nix_volume() {
|
|
diskutil apfs list -plist "$1" | xmllint --xpath "(/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='Name']/following-sibling::string[starts-with(translate(text(),'N','n'),'nix')]/text())[1]" - 2>/dev/null || true
|
|
}
|
|
|
|
test_fstab() {
|
|
grep -q "/nix apfs rw" /etc/fstab 2>/dev/null
|
|
}
|
|
|
|
test_nix_symlink() {
|
|
[ -L "/nix" ] || grep -q "^nix." /etc/synthetic.conf 2>/dev/null
|
|
}
|
|
|
|
test_synthetic_conf() {
|
|
grep -q "^nix$" /etc/synthetic.conf 2>/dev/null
|
|
}
|
|
|
|
# Create the paths defined in synthetic.conf, saving us a reboot.
|
|
create_synthetic_objects(){
|
|
# Big Sur takes away the -B flag we were using and replaces it
|
|
# with a -t flag that appears to do the same thing (but they
|
|
# don't behave exactly the same way in terms of return values).
|
|
# This feels a little dirty, but as far as I can tell the
|
|
# simplest way to get the right one is to just throw away stderr
|
|
# and call both... :]
|
|
{
|
|
/System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t || true # Big Sur
|
|
/System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B || true # Catalina
|
|
} >/dev/null 2>&1
|
|
}
|
|
|
|
test_nix() {
|
|
test -d "/nix"
|
|
}
|
|
|
|
test_t2_chip_present(){
|
|
# Use xartutil to see if system has a t2 chip.
|
|
#
|
|
# This isn't well-documented on its own; until it is,
|
|
# let's keep track of knowledge/assumptions.
|
|
#
|
|
# Warnings:
|
|
# - Don't search "xart" if porn will cause you trouble :)
|
|
# - Other xartutil flags do dangerous things. Don't run them
|
|
# naively. If you must, search "xartutil" first.
|
|
#
|
|
# Assumptions:
|
|
# - the "xART session seeds recovery utility"
|
|
# appears to interact with xartstorageremoted
|
|
# - `sudo xartutil --list` lists xART sessions
|
|
# and their seeds and exits 0 if successful. If
|
|
# not, it exits 1 and prints an error such as:
|
|
# xartutil: ERROR: No supported link to the SEP present
|
|
# - xART sessions/seeds are present when a T2 chip is
|
|
# (and not, otherwise)
|
|
# - the presence of a T2 chip means a newly-created
|
|
# volume on the primary drive will be
|
|
# encrypted at rest
|
|
# - all together: `sudo xartutil --list`
|
|
# should exit 0 if a new Nix Store volume will
|
|
# be encrypted at rest, and exit 1 if not.
|
|
sudo xartutil --list >/dev/null 2>/dev/null
|
|
}
|
|
|
|
test_filevault_in_use() {
|
|
fdesetup isactive >/dev/null
|
|
}
|
|
|
|
# use after error msg for conditions we don't understand
|
|
suggest_report_error(){
|
|
# ex "error: something sad happened :(" >&2
|
|
echo " please report this @ https://github.com/nixos/nix/issues" >&2
|
|
}
|
|
|
|
main() {
|
|
(
|
|
echo ""
|
|
echo " ------------------------------------------------------------------ "
|
|
echo " | This installer will create a volume for the nix store and |"
|
|
echo " | configure it to mount at /nix. Follow these steps to uninstall. |"
|
|
echo " ------------------------------------------------------------------ "
|
|
echo ""
|
|
echo " 1. Remove the entry from fstab using 'sudo vifs'"
|
|
echo " 2. Destroy the data volume using 'diskutil apfs deleteVolume'"
|
|
echo " 3. Remove the 'nix' line from /etc/synthetic.conf or the file"
|
|
echo ""
|
|
) >&2
|
|
|
|
if test_nix_symlink; then
|
|
echo "error: /nix is a symlink, please remove it and make sure it's not in synthetic.conf (in which case a reboot is required)" >&2
|
|
echo " /nix -> $(readlink "/nix")" >&2
|
|
exit 2
|
|
fi
|
|
|
|
if ! test_synthetic_conf; then
|
|
echo "Configuring /etc/synthetic.conf..." >&2
|
|
echo nix | sudo tee -a /etc/synthetic.conf
|
|
if ! test_synthetic_conf; then
|
|
echo "error: failed to configure synthetic.conf;" >&2
|
|
suggest_report_error
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if ! test_nix; then
|
|
echo "Creating mountpoint for /nix..." >&2
|
|
create_synthetic_objects # the ones we defined in synthetic.conf
|
|
if ! test_nix; then
|
|
sudo mkdir -p /nix 2>/dev/null || true
|
|
fi
|
|
if ! test_nix; then
|
|
echo "error: failed to bootstrap /nix; if a reboot doesn't help," >&2
|
|
suggest_report_error
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
disk="$(root_disk_identifier)"
|
|
volume=$(find_nix_volume "$disk")
|
|
if [ -z "$volume" ]; then
|
|
echo "Creating a Nix Store volume..." >&2
|
|
|
|
if test_filevault_in_use; then
|
|
# TODO: Not sure if it's in-scope now, but `diskutil apfs list`
|
|
# shows both filevault and encrypted at rest status, and it
|
|
# may be the more semantic way to test for this? It'll show
|
|
# `FileVault: No (Encrypted at rest)`
|
|
# `FileVault: No`
|
|
# `FileVault: Yes (Unlocked)`
|
|
# and so on.
|
|
if test_t2_chip_present; then
|
|
echo "warning: boot volume is FileVault-encrypted, but the Nix store volume" >&2
|
|
echo " is only encrypted at rest." >&2
|
|
echo " See https://nixos.org/nix/manual/#sect-macos-installation" >&2
|
|
else
|
|
echo "error: refusing to create Nix store volume because the boot volume is" >&2
|
|
echo " FileVault encrypted, but encryption-at-rest is not available." >&2
|
|
echo " Manually create a volume for the store and re-run this script." >&2
|
|
echo " See https://nixos.org/nix/manual/#sect-macos-installation" >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
|
|
volume="Nix Store"
|
|
else
|
|
echo "Using existing '$volume' volume" >&2
|
|
fi
|
|
|
|
if ! test_fstab; then
|
|
echo "Configuring /etc/fstab..." >&2
|
|
label=$(echo "$volume" | sed 's/ /\\040/g')
|
|
# shellcheck disable=SC2209
|
|
printf "\$a\nLABEL=%s /nix apfs rw,nobrowse\n.\nwq\n" "$label" | EDITOR=ed sudo vifs
|
|
fi
|
|
}
|
|
|
|
main "$@"
|