Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval #1210

Merged
merged 9 commits into from
Oct 1, 2024
Merged

Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval #1210

merged 9 commits into from
Oct 1, 2024

Commits on Oct 1, 2024

  1. Add support for macOS without requiring FDA on EC2 

    This PR adds a flag to the installer for macOS that allows installing and using Nix on EC2 without a manual process of enabling full disk access.

On EC2, macOS requires the user to grant Full Disk Access to the Nix daemon or determinate-nixd for it to function.
However, the actual permission issue is access to removable volumes.
Users can provide a macOS policy (via MDM or manually) that allows access to removable volumes, but this also requires a manual setup process.

The key insight of this pull request is that by using the internal hard disk, we escape the "removable volume" limitation.

This PR's new flag sets the default root disk target to use the internal disk, instead of the disk that macOS is running from.
Note that this is feature-locked to determinate-nixd, because determinate-nixd accounts for a quirk of AWS's macOS deployment.
AWS's macOS infrastructure assumes all internal disks are unmounted, and will occasionally unmount the Nix Store.
    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    d54a44b View commit details
    Browse the repository at this point in the history

  2. Drop some unnecessary borrows

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    644f217 View commit details
    Browse the repository at this point in the history

  3. Switch to using init away from a stop-after in daemon

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    f0c1041 View commit details
    Browse the repository at this point in the history

  4. Drop a few unwraps

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    00ebb77 View commit details
    Browse the repository at this point in the history

  5. Tell clap determinate is required by use_ec2_instance_store

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    1314f45 View commit details
    Browse the repository at this point in the history

  6. Beef up the caveat

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    a7a486e View commit details
    Browse the repository at this point in the history

  7. Explain more about fda

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    6048bc3 View commit details
    Browse the repository at this point in the history

  8. fixup fmt

    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    3727cdd View commit details
    Browse the repository at this point in the history

  9. flake.lock: Update 

    Flake lock file updates:

• Updated input 'determinate':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/0.1.110%2Brev-cb916a7dd1b85d547edd6ba2f782a578ca4ef480/01923596-e372-7668-a456-5b32177e0dda/source.tar.gz?narHash=sha256-M9Z7OMrQHAmZQnuMYxdyqzV%2B7ApIXVbA2GXl62l1GTo%3D' (2024-09-27)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/0.1.136%2Brev-ec5f982bd53acbece1c3a72a0dbf074ab5d79e10/019244a6-0aa7-72b5-9d85-a7bb7885aad3/source.tar.gz?narHash=sha256-sSGQJP7isahkRAzlOiLJjvoz/MijCsoFa6FgQIqbcFE%3D' (2024-09-30)
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
    'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/macOS?narHash=sha256-tmW%2BSqn9cautArLTych0mnKXD1abtaAuJGCUCrtUmeo%3D'
  → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/macOS?narHash=sha256-OhG8joS/uN3Kdw4h9w8F/6ZIVTFZ8J9Fb4NGn/KK5/s%3D'
• Updated input 'determinate/determinate-nixd-aarch64-linux':
    'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/aarch64-linux?narHash=sha256-z5dg%2BqwLOjA4pjiCLReESa9qNYOtMxlaPXQQWNhEymA%3D'
  → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/aarch64-linux?narHash=sha256-AGcHQSIdb%2BKEJlhJzMB4YyFxbjdLZEDDf6bv6Zi3wqM%3D'
• Updated input 'determinate/determinate-nixd-x86_64-linux':
    'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/x86_64-linux?narHash=sha256-8sENexNuv7gsVAeQx1xuJd8IQtociheylIeEjFRYbQI%3D'
  → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/x86_64-linux?narHash=sha256-kU4dqHoYe3sFf4LDAUj4fyl9uGV8IHtE22%2BDdMeRN0s%3D'
• Updated input 'nixpkgs':
    'https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.685764%2Brev-1925c603f17fc89f4c8f6bf6f631a802ad85d784/01923479-4bef-7480-a7b0-72f6d33a5318/source.tar.gz?narHash=sha256-J%2BPeFKSDV%2BpHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI%3D' (2024-09-26)
  → 'https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.687049%2Brev-06cf0e1da4208d3766d898b7fdab6513366d45b9/019243b7-0a9f-79f7-b57a-4e0cfd13a578/source.tar.gz?narHash=sha256-S5kVU7U82LfpEukbn/ihcyNt2%2BEvG7Z5unsKW9H/yFA%3D' (2024-09-29)
    @grahamc
    grahamc committed Oct 1, 2024
    Configuration menu
    Copy the full SHA
    9c28b81 View commit details
    Browse the repository at this point in the history