Releases: DeterminateSystems/nix-installer
v0.10.0
This release includes a number of small features (notably for Mac and SteamOS) as well as additional install validation.
We now support nix's new ssl-cert-file option (NixOS/nix#8062) through our ssl-cert-file option, instead of modifying your shell profiles. This improves install consistency between operating systems and should improve the robustness of SSL support. (#527)
Before completing installation, we now perform a robust self-test. The installer invokes something like this to make sure your system works (#506):
nix build --no-link --expr '
derivation {
name = "self-test-{executable}-{timestamp_millis}";
system = "x86_64-linux";
builder = "/bin/sh"; args = ["-c" "echo hello > \$out"];
}'
For Steam Deck users, if you've been exploring the new main channel releases of the Steam Deck, you may have noticed the appearance of a /home/.steamos/offload/nix folder! We now support the offload if we detect it, otherwise sticking to the old method of creating our own bind mount. (#495)
Primarily benefiting Steam Deck users for now (but also to support #389 in the future) we now do some /etc/os-release heuristics to determine which planner should be used by default on your system. This means Steam Deck users shouldn't need to specify the steam-deck planner anymore. (#501)
For Mac users, we added Time Machine exclusions for /nix since you most likely don't want to back up your Nix store with Time Machine (#480). We were further motivated because it was possible for users to be unable to uninstall Nix because Time Machine was making a backup. We also now better handle cases where diskutil does not return a volume name (#490).
Unfortunately, our experiment in 0.9.x with the new auto-uid-allocation was not as successful on Mac as it was on Linux. While we've not found any issues with the feature on Linux, on Mac it creates issues in any builds that use something like whoami. For Mac users, the _nixbld user creation has returned, and your Mac installs will feel as fast as they were in 0.8.0. (#524)
Bug fixes
- APFS volumes don't necessarily have names by @Hoverbear in #490
- Restore user creation on Mac by @Hoverbear in #524
- Uninstalling should change directory if in nix by @Hoverbear in #526
What's Changed
- Add time machine exclusions for Mac by @Hoverbear in #480
- Improve messaging when /nix/receipt.json is already found by @Hoverbear in #491
- Add full path to nix-installer in bug report instructions by @cole-h in #499
- Support for SteamOS Nix Offload in SteamOS 20230522.1000 by @Hoverbear in #495
- Use os-release to determine appropriate planner by @Hoverbear in #501
- Fix uninstalling on latest steam deck with offload by @Hoverbear in #502
- typo fix for auto-allocate-uids by @georgyo in #505
- Add self test functionality by @Hoverbear in #506
- Fix darwin devShell by @mkenigs in #514
- swap fortune for hello in CI workflow by @abathur in #525
- Add flake checker action to GHA lints by @lucperkins in #515
- Use ssl-cert-file config by @Hoverbear in #527
- ci: use our cacher action by @cole-h in #532
- Fix devshell on i686 by @Hoverbear in #533
New Contributors
- @georgyo made their first contribution in #505
- @mkenigs made their first contribution in #514
- @abathur made their first contribution in #525
Full Changelog: v0.9.1...v0.10.0
v0.9.1
This release builds on v0.9.0, and includes a minor fix for the GITHUB_PATH support on GitHub Actions for Macs only.
It turns out, we were accidentally looking for the path appropriate for Linux on Macs too! This meant that if you ran nix profile install nixpkgs#hello and tried to run hello, it wouldn't work! That's super frustrating and if you met this issue, sorry about that!
What's Changed
- Fixup GHA home directory on Mac by @Hoverbear in #482
Full Changelog: v0.9.0...v0.9.1
v0.9.0
This release includes a few big features, as well as several bug fixes (notably for the Steam Deck), which we've highlighted below.
Nix 2.15 and newly enabled features
We're excited to adopt Nix 2.15!
2.15 includes the new auto-allocate-uids feature! While we still need to create a system group, this removes a significant portion of the installer complexity, especially on Mac. It also makes things a bit faster:
ana@ubuntu-22:~/Downloads$ hyperfine --warmup 2 "./v0.8.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm" "./v0.9.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm"
Benchmark 1: ./v0.8.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm
Time (mean ± σ): 7.722 s ± 0.414 s [User: 0.007 s, System: 0.009 s]
Range (min … max): 7.343 s … 8.537 s 10 runs
Benchmark 2: ./v0.9.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm
Time (mean ± σ): 3.774 s ± 0.047 s [User: 0.006 s, System: 0.010 s]
Range (min … max): 3.706 s … 3.836 s 10 runs
Summary
'./v0.9.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm' ran
2.05 ± 0.11 times faster than './v0.8.0 install --no-confirm && /nix/nix-installer uninstall --no-confirm'
SELinux Support
This release also includes support for SELinux based off https://github.com/nix-community/nix-installers/tree/master/selinux.
Here's an example of a Fedora install with SELinux set to Enforce:
[ana@fedora ~]$ getenforce
Enforcing
[ana@fedora ~]$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/v0.9.0 | sh -s -- install --no-confirm --log-directive nix_installer=warn
info: downloading installer https://install.determinate.systems/nix/tag/v0.9.0/nix-installer-x86_64-linux
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Nix was installed successfully!
To get started using Nix, open a new shell or run `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh`
[ana@fedora ~]$ . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
[ana@fedora ~]$ nix run nixpkgs#hello
[37.3 MiB DL]
Hello, world!
[ana@fedora ~]$ getenforce
Enforcing
Infrastructure friendliness
We had some users reporting that they wanted to blindly run nix-installer during CI without having to check for a /nix. So, we now exit 0 and print a warning if the same version of Nix seems to be already installed.
If you're relying on this feature, we do advise picking a specific tag of the nix-installer instead of pinning to latest:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/v0.9.0 | sh -s -- install --no-confirm
We also improved the container documentation to provide a unified feel for both Docker and Podman users.
What's Changed
- Nix 2.13.3 -> 2.15.0 by @grahamc in #428
- Add SELinux support by @Hoverbear in #465
- Adopted the new auto-uid-allocation feature by @Hoverbear in #196
- fsync after writing Nix config to attempt to fix the flaky preserves_comment test by @Hoverbear in #448
- Don't error if already installed with same settings, just warn by @Hoverbear in #454
- Improve failure chain on revert by @Hoverbear in #467
- Improve messaging around version incompatability by @Hoverbear in #457
- Improve the SELinux heuristic to look for sestatus by @Hoverbear in #470
- Improve container docs somewhat by @Hoverbear in #472
Bug Fixes
- Set permissions on unpacked Nix store paths more carefully by @Hoverbear in #451
- Fixup multiple --extra-conf usages by @Hoverbear in #456
- Improve WSL systemd detection by @Hoverbear in #469
- RequiredBy items in the nix.mount of steam-deck planner in [Install] by @Hoverbear in #455
Full Changelog: v0.8.0...v0.9.0
v0.8.0
This release includes several bug fixes as well as functionality to continue uninstalling with best effort, even if errors occur.
What's Changed
- Fixup create_volume_service action tag by @Hoverbear in #398
- Uninstall shouldn't fail fast by @Hoverbear in #382
- Trim fdesetup output, remove accidently committed SSL related settings by @Hoverbear in #403
- Split output docs by @Hoverbear in #407
- Only stop the nix daemon if it's actually active, not just enabled by @Hoverbear in #410
- Handle the APFS volume not existing but the Service and Fstab being present by @Hoverbear in #405
- Provide users a better error message if systemd is not active by @Hoverbear in #412
- Avoid globbing issues by using symlinks and readlink by @Hoverbear in #413
- Check user group commands exist during plan by @Hoverbear in #411
- Fixup a cure case where a store path already exists so we never make a symlink by @Hoverbear in #414
Full Changelog: v0.7.0...v0.8.0
v0.7.0
This release is mostly a release of bug fixes and documentation updates, containing no major features.
Users should notice fewer errors in the MacOS volume creation step, automatic Rosetta detection, and better encryption detection. For Steam Deck users, we fixed the install read-only issue. During curing we are now less strict about file permissions.
What's Changed
- Be less grumpy about existing file permissions. by @Hoverbear in #359
- Add Rosetta check for Mac by @Hoverbear in #355
- Detect fdesetup properly by @Hoverbear in #361
- Do not try to reload the systemd daemon when we are using --no-start-daemon by @Hoverbear in #365
- Fixup diagnostic_endpoint setting to be more flexible by @Hoverbear in #374
- Improve Mac Volume Curing by @Hoverbear in #362
- Add Fedora v37 tests by @Hoverbear in #364
- Make shell profile locations chosen by planner by @Hoverbear in #375
- Use retry strategy after diskutil create by @Hoverbear in #376
- Revert default_missing_value to default_value by @Hoverbear in #380
- Bump dependencies by @Hoverbear in #385
- Add semver check by @Hoverbear in #156
- Add a bit of issue metadata by @Hoverbear in #386
- Document version pinning by @Hoverbear in #388
Full Changelog: v0.6.0...v0.7.0
v0.6.0
With this release the installer can now support limited 'curing'.
More specifically, installing over an existing partial install (either from nix-installer or the official scripts) should, in many cases, result in a working install. Cured installations include uninstallation via /nix/nix-installer uninstall, just like normal installations.
We're very curious to find cases where curing breaks! If you find a case, please share it with us, along with any reproduction steps!
The command line prompts have undergone some minor trimming and now will only show you settings you've configured, instead of all settings.
For users of busybox, the adduser and addgroup commands are now supported.
For users working with proxies and custom certificates, there is now support for HTTPS_PROXY style variables as well as a --proxy flag. For certificates, the --ssl-cert-file flag can be used to set up a custom SSL certificate to use. We also now support your system CA certificates instead of only a static set.
For users using remote MacOS builders over SSH, please see the quirks section of the README.md for instructions on how to work around some zsh behavior which may prevent nix-shell or other tools from being on your $PATH. Previously we wrote to /etc/zshenv but discovered a $PATH ordering bug which caused us to revert this behavior.
What's Changed
- Make CreateUser idempotent by @Hoverbear in #306
- Remove nix channel placement by @Hoverbear in #304
- README: clarify WSL means WSL2 by @cole-h in #315
- Curing existing /nix by @Hoverbear in #310
- Fix vm/container tests after #304 by @Hoverbear in #316
- Cure existing systemd units by @cole-h in #313
- Fixup a couple differences with the official installer scripts by @Hoverbear in #311
- Cure APFS/Fstabs on Mac by @Hoverbear in #246
- Only symlink if the link doesn't already exist by @Hoverbear in #317
- Add curing vm tests by @Hoverbear in #312
- Tweak the logging levels in CI and in some instrumentation by @Hoverbear in #318
- Add test for missing users and groups by @Hoverbear in #321
- Support busybox user/group modification, more informational errors by @cole-h in #319
- Repair /nix removal test by @Hoverbear in #320
- Include user index in the user comment by @cole-h in #330
- Make nix-installer plan invalid-plan fail by @cole-h in #331
- Add install script cure tests by @Hoverbear in #322
- Only list changed plan settings in summary by @cole-h in #333
- Be more positive in help output about our software working and not failing by @Hoverbear in #334
- Default to systemd, refer to documentation if systemd is not available by @cole-h in #336
- Use rustls-tls-native-roots by @Hoverbear in #332
- Add fish vendor_conf.d support by @Hoverbear in #335
- Explicit proxy support by @Hoverbear in #337
- Proxy envs need to get elevated by @Hoverbear in #342
- Groom plan synopsis by @Hoverbear in #338
- Update the install differences in the readme by @Hoverbear in #340
- In the README, recommend a git url by @Hoverbear in #343
- Add ssl-cert-file option by @Hoverbear in #341
- Update zshrc, not zshenv by @Hoverbear in #339
- Fancy-fy the README a bit by @Hoverbear in #345
- Update dependencies by @Hoverbear in #346
- Set NIX_SSL_CERT_FILE in the daemon by @Hoverbear in #347
- Use nixpkgs-unstable by @Hoverbear in #351
Full Changelog: v0.5.0...v0.6.0
v0.5.0
This release includes some more work towards supporting installing over existing installations (see #126 for more information on our curing effort). Specifically, an existing /etc/nix/nix.conf file will no longer be a hard error [1] and will instead be merged with the settings that we desire.
It also fixes a few bugs, like a typo in a permissions check (checking a file had a mode of 664 instead of 644), a macOS installation bug that affected some setups (see #295 and #298 for more information), and explicitly erroring on WSL1 as unsupported.
If you rely on us as a library, the change that will impact you the most is that we made all of our error enums #[non_exhaustive], so that adding new variants in the future won't require a new major version.
The diagnostics report also saw a slight rework to be somewhat more useful in actually diagnosing issues. A diagnostic report now looks like this:
{
"version": "0.5.0",
"planner": "linux",
"configured_settings": [
"modify_profile"
],
"os_name": "Ubuntu",
"os_version": "22.04.1 LTS (Jammy Jellyfish)",
"triple": "x86_64-unknown-linux-musl",
"is_ci": false,
"action": "Install",
"status": "Failure",
"failure_chain": [
"Action(\"configure_nix\")",
"Child(\"place_nix_configuration\")",
"Child(\"create_directory\")",
"CreateDirectory(\"/etc/nix\")"
]
}
What's Changed
- Describe Diagnostics by @grahamc in #276
- Use 0o644 for files, not 0o664 by @cole-h in #278
- Update default nix_package_url to Nix 2.13.3 by @cole-h in #279
- Add newline to end of plan json output by @cole-h in #283
- Use launchctl load -w on macOS by @cole-h in #298
- Detect WSL1 and error by @cole-h in #297
- Make errors non-exhaustive by @cole-h in #299
- Add more failure context / Improve error structure by @Hoverbear in #296
- Update some dependencies by @Hoverbear in #303
- Integrate nix-config-parser by @cole-h in #263
Full Changelog: v0.4.0...v0.5.0
[1] Currently, only experimental-features will be merged (please file an issue if you would like to see other options supported!); any other conflict between our desired settings and an existing nix.conf will still cause an error. In other words, if the setting is not one that we are trying to set (see the list here: https://github.com/DeterminateSystems/nix-installer/blob/v0.5.0/src/action/common/place_nix_configuration.rs#L32-L45), it will be seamlessly merged into the resulting nix.conf file.
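The merge rule from the v0.5.0 footnote, sketched as an added example (not the installer's own code). The parser is simplified, and `EXISTING` and `DESIRED` are constructed samples; the installer's real list of desired settings is in the file linked above.

```python
class ConfConflict(Exception):
    """An existing setting disagrees with one the installer wants to set."""

# Per the footnote, the only setting whose values are combined on conflict.
MERGEABLE = {"experimental-features"}

def parse_conf(text):
    """Parse 'name = value' lines; '#' starts a comment. No include handling."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Split on the first '=' only: values may contain '=' themselves.
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"unparseable line: {raw!r}")
        settings[name.strip()] = " ".join(value.split())
    return settings

def merge_conf(existing_text, desired):
    """Return the merged settings, or raise ConfConflict on a hard conflict."""
    merged = parse_conf(existing_text)      # untouched settings pass through
    for name, want in desired.items():
        have = merged.get(name)
        if have is None or have == want:
            merged[name] = want
        elif name in MERGEABLE:
            # Union of the space-separated values, existing entries first.
            merged[name] = " ".join(dict.fromkeys(have.split() + want.split()))
        else:
            raise ConfConflict(f"{name}: existing {have!r} != desired {want!r}")
    return merged

# Constructed sample of a pre-existing /etc/nix/nix.conf.
EXISTING = """\
# left behind by an earlier install
experimental-features = flakes
max-jobs = 4
extra-nix-path = nixpkgs=flake:nixpkgs
"""

# Constructed stand-in for the installer's desired settings.
DESIRED = {"experimental-features": "nix-command flakes",
           "build-users-group": "nixbld"}

if __name__ == "__main__":
    for key, value in merge_conf(EXISTING, DESIRED).items():
        print(f"{key} = {value}")
```

Failing closed on every other conflict means the installer never silently overrides a setting an administrator put in place.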
v0.4.0
With 0.4.0, we're feeling like the Determinate Nix Installer is ready for general usage.
It's pretty exciting and we invite you to enjoy a cupcake to celebrate with us! 🧁
As part of this step up in stability, we managed to re-enable deleting users on Macs. We originally disabled this feature because our test Macs were giving strange errors. Turns out, it's because we weren't logged in graphically, so even though our user had a secure token, they still couldn't remove users! For more details, check out #33.
We also got feedback from some users (thanks!) that the permission mode checking we added last version was too strict and in some places just plain wrong. Those should be fixed up and the errors related to them greatly improved.
This release also includes a diagnostic reporting tool, allowing adopters to report back the status of installs. This is handy if you're deploying Nix across an organization and want to catch problems with deployments. The reporter is configurable and can write small reports to files or URLs that look like this:
{
"version": "0.4.0",
"planner": "linux",
"configured_settings": [ "modify_profile" ],
"os_name": "Ubuntu",
"os_version": "22.04.1 LTS (Jammy Jellyfish)",
"triple": "x86_64-unknown-linux-gnu",
"action": "Install",
"status": "Failure",
"failure_variant": "Symlink"
}
If your organization starts using them, please let us know! We'd like to know more about how to make them useful. The default options of the installer drop a diagnostic to us to help us root out problems. Diagnostic reporting can always be disabled by adding --diagnostic-endpoint= to the end of the install command.
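For organizations collecting these reports, a small triage pass over both report shapes shown on this page (v0.4.0 with failure_variant, v0.5.0 with failure_chain). This is an added example, not part of the installer; the sample lines are constructed, and any status value other than "Failure" is an assumption since the page shows only that one.

```python
import json
from collections import Counter

MAX_KEY_LEN = 200  # reports arrive from many hosts; bound what we store

def failure_key(report):
    """Pick a stable grouping key for a failed report."""
    chain = report.get("failure_chain")
    if isinstance(chain, list) and chain and all(isinstance(c, str) for c in chain):
        return chain[-1]            # deepest entry: the step that failed
    variant = report.get("failure_variant")
    if isinstance(variant, str):
        return variant              # v0.4.0-style report
    return "unknown"

def triage(lines):
    """Summarize one-JSON-object-per-line diagnostic reports."""
    summary = {"failed": 0, "other": 0, "rejected": 0, "by_cause": Counter()}
    for line in lines:
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            summary["rejected"] += 1
            continue
        # Treat the endpoint's input as untrusted: check shape before use.
        if not isinstance(report, dict) or not isinstance(report.get("status"), str):
            summary["rejected"] += 1
            continue
        if report["status"] != "Failure":
            summary["other"] += 1
            continue
        summary["failed"] += 1
        key = (str(report.get("version")), str(report.get("planner")),
               failure_key(report)[:MAX_KEY_LEN])
        summary["by_cause"][key] += 1
    return summary

# Constructed sample input: two hosts hitting the same v0.5.0 failure,
# one v0.4.0 failure, one non-failure report, and two malformed lines.
_CHAIN = ['Action("configure_nix")', 'Child("place_nix_configuration")',
          'Child("create_directory")', 'CreateDirectory("/etc/nix")']
SAMPLE_LINES = [
    json.dumps({"version": "0.5.0", "planner": "linux", "status": "Failure",
                "failure_chain": _CHAIN}),
    json.dumps({"version": "0.5.0", "planner": "linux", "status": "Failure",
                "failure_chain": _CHAIN}),
    json.dumps({"version": "0.4.0", "planner": "linux", "status": "Failure",
                "failure_variant": "Symlink"}),
    json.dumps({"version": "0.5.0", "planner": "macos", "status": "Success"}),
    "{truncated",
    "[]",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["failed"], "failed,", result["rejected"], "rejected")
    for cause, count in result["by_cause"].most_common():
        print(count, cause)
```

Grouping by version, planner and deepest failing step makes a fleet-wide regression show up as one large bucket instead of many individual reports.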
We also fixed an issue with nix-shell -p not working when it should have! We now add extra-nix-path = nixpkgs=flake:nixpkgs to the nix.conf.
Lastly, this release includes some minor "curing" functionality, meaning things like a /nix folder already existing won't immediately cause an error. These items will still cleanly get removed on uninstall. It's intended that this functionality helps repair existing partial installs (from any source).
What's Next
Next release we plan to focus more on "curing". It's our hope we can offer users the ability to repair existing installs, complete previous partial install attempts, and offer users a chance to uninstall an existing (non nix-installer created) install. As part of that we've been hacking on nix-config-parser and it's been a lot of fun!
What's Changed
- Mac support note by @Hoverbear in #251
- Remove some bad merge code by @Hoverbear in #252
- Improve error message guidance by @Hoverbear in #258
- Don't specify chmod on synthetic.conf by @Hoverbear in #259
- Don't parallelize user creation by @Hoverbear in #260
- Add suggestion on --no-confirm flag by @lucperkins in #261
- Set the correct permissions on the zshenv by @Hoverbear in #257
- Enable deleting users and groups on Mac by @Hoverbear in #253
- Improve permissions checking when dealing with existing files by @cole-h in #267
- README: upgrade MacOS stability and note by @cole-h in #269
- Add diagnostics reporting by @Hoverbear in #264
- gitignore: ignore Nix result directories by @cole-h in #272
- Use extra-nix-path to resolve nix-shell -p not working by @Hoverbear in #270
- Prelease tidy and add is_ci to Diagnostics by @Hoverbear in #271
- Repair is_ci handling, sudo was erasing the variables by @Hoverbear in #274
Full Changelog: v0.3.0...v0.4.0
v0.3.0
This release includes some fixes for issues users were experiencing on the Steam Deck, as well as some improved error messages. Several actions can now recognize existing partial installs and transparently take ownership of them.
We decided on the phrasing "The Determinate Nix Installer" when regarding this project and not wanting to use the binary name. We also adopted an increased software maturity stance.
We also noted that the planners felt awkwardly named given that linux-multi was able to install the root only mode. We renamed them from linux-multi to linux, and darwin-multi to macos. (steam-deck is unchanged) You may need to adjust your scripts to compensate for this.
Bug fixes
- Attempt to minimize steam deck display manager restart risk by @Hoverbear in #237
What's Changed
- Add 32 bit support by @Hoverbear in #229
- Bump Nix to 2.13.2 by @Hoverbear in #236
- Better support users/groups existing before install by @Hoverbear in #238
- Better support existing files with CreateFile and CreateorInsertIntoFile by @Hoverbear in #239
- It's the Determinate Nix Installer by @Hoverbear in #242
- Rename some of the planners by @Hoverbear in #243
- Make systemd unit start detect already running unit by @Hoverbear in #240
- Offer users better error if fstab entries exist by @Hoverbear in #241
- Workaround some Mac issues in CI by @Hoverbear in #247
- Clarify stability by @Hoverbear in #244
- Repair some tests by @Hoverbear in #248
- How about a CI API call reduction? by @Hoverbear in #245
- Release v0.3.0 by @Hoverbear in #249
Full Changelog: v0.2.0...v0.3.0
v0.2.0
This release includes some fixes users reported on Macs (notably #212) and introduces a new init-less option for Linux.
Using --init none lets users enjoy Nix in places where an init system is not present. Since the darwin-multi and the steam-deck planners require the init system for mounting /nix, they did not receive a similar option. --init none permits use cases such as WSL2 (without Systemd) or inside running Docker containers.
Users of the linux-multi planner can also try --no-start-daemon which allows for Nix to be installed during a docker build command.
Bugfixes
- Use a UUID instead of volume name for fstab on Mac by @Hoverbear in #215
What's Changed
- Add a friendly top comment about nix-installer.sh by @Hoverbear in #216
- Verify the apfs volume doesn't already exist before trying to create it by @Hoverbear in #217
- Add plist use to the CreateFstabEntry action by @Hoverbear in #221
- Use 30k range not 3k range for UIDs on Linux and 30k for a GID on all by @Hoverbear in #222
- init-less install by @Hoverbear in #188
Full Changelog: v0.1.0...v0.2.0