5a303093dc
'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127.
69 lines
3 KiB
Bash
69 lines
3 KiB
Bash
if [ -n "$HOME" ] && [ -n "$USER" ]; then
|
|
__savedpath="$PATH"
|
|
export PATH=@coreutils@
|
|
|
|
# Set up the per-user profile.
|
|
# This part should be kept in sync with nixpkgs:nixos/modules/programs/shell.nix
|
|
|
|
NIX_LINK=$HOME/.nix-profile
|
|
|
|
NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER
|
|
|
|
if [ -w "$HOME" ]; then
|
|
if ! [ -L "$NIX_LINK" ]; then
|
|
echo "Nix: creating $NIX_LINK" >&2
|
|
if [ "$USER" != root ]; then
|
|
if ! ln -s "$NIX_USER_PROFILE_DIR"/profile "$NIX_LINK"; then
|
|
echo "Nix: WARNING: could not create $NIX_LINK -> $NIX_USER_PROFILE_DIR/profile" >&2
|
|
fi
|
|
else
|
|
# Root installs in the system-wide profile by default.
|
|
ln -s @localstatedir@/nix/profiles/default "$NIX_LINK"
|
|
fi
|
|
fi
|
|
|
|
# Subscribe the user to the unstable Nixpkgs channel by default.
|
|
if [ ! -e "$HOME/.nix-channels" ]; then
|
|
echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$HOME/.nix-channels"
|
|
fi
|
|
|
|
# Set up a default Nix expression from which to install stuff.
|
|
__nix_defexpr="$HOME"/.nix-defexpr
|
|
[ -L "$__nix_defexpr" ] && rm -f "$__nix_defexpr"
|
|
mkdir -m 0755 -p "$__nix_defexpr"
|
|
if [ "$USER" != root ] && [ ! -L "$__nix_defexpr"/channels_root ]; then
|
|
ln -s @localstatedir@/nix/profiles/per-user/root/channels "$__nix_defexpr"/channels_root
|
|
fi
|
|
unset __nix_defexpr
|
|
fi
|
|
|
|
# Append ~/.nix-defexpr/channels to $NIX_PATH so that <nixpkgs>
|
|
# paths work when the user has fetched the Nixpkgs channel.
|
|
export NIX_PATH=${NIX_PATH:+$NIX_PATH:}$HOME/.nix-defexpr/channels
|
|
|
|
# Set up environment.
|
|
# This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
|
|
export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile"
|
|
|
|
# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
|
|
if [ -e /etc/ssl/certs/ca-certificates.crt ]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
|
|
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
|
|
elif [ -e /etc/ssl/ca-bundle.pem ]; then # openSUSE Tumbleweed
|
|
export NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
|
|
elif [ -e /etc/ssl/certs/ca-bundle.crt ]; then # Old NixOS
|
|
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
|
|
elif [ -e /etc/pki/tls/certs/ca-bundle.crt ]; then # Fedora, CentOS
|
|
export NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
|
|
elif [ -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]; then # fall back to cacert in Nix profile
|
|
export NIX_SSL_CERT_FILE="$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
|
|
elif [ -e "$NIX_LINK/etc/ca-bundle.crt" ]; then # old cacert in Nix profile
|
|
export NIX_SSL_CERT_FILE="$NIX_LINK/etc/ca-bundle.crt"
|
|
fi
|
|
|
|
if [ -n "${MANPATH-}" ]; then
|
|
export MANPATH="$NIX_LINK/share/man:$MANPATH"
|
|
fi
|
|
|
|
export PATH="$NIX_LINK/bin:$__savedpath"
|
|
unset __savedpath NIX_LINK NIX_USER_PROFILE_DIR
|
|
fi
|