DEV Community

૮༼⚆︿⚆༽つ
૮༼⚆︿⚆༽つ

Posted on • Edited on

Nix Multi-User Installation Without Default Channel

Why do this?

Let's just say I want to restrict all users from polluting /nix/store but still allow them to use Nix toolchains.

Installation

fish

sh (curl -L https://nixos.org/nix/install | psub) --daemon
Enter fullscreen mode Exit fullscreen mode

zsh

sh =(curl -L https://nixos.org/nix/install) --daemon
Enter fullscreen mode Exit fullscreen mode

bash

sh <(curl -L https://nixos.org/nix/install) --daemon
Enter fullscreen mode Exit fullscreen mode

Replace channel

When you list the channel in a normal way you will get an empty list.

nix-channel --list
Enter fullscreen mode Exit fullscreen mode

However, when you run it as a superuser then you will see nixpkgs channel.

This channel is available to all users. Let's make this channel only accessible to you!

1. Remove default channel

sudo nix-channel --remove nixpkgs
Enter fullscreen mode Exit fullscreen mode

2. Re-add channel

nix-channel --add https://nixos.org/channels/nixpkgs-unstable
Enter fullscreen mode Exit fullscreen mode

3. Add yourself to the group

sudo groupadd -r nixbld
sudo useradd -c "Nix build user $USER" \
  -d /var/empty -g nixbld -G nixbld \
  -M -N -r -s "$(which nologin)" \
  nixbld_$USER
Enter fullscreen mode Exit fullscreen mode

For fish user: remove " and $ so that it would be (which nologin)

4. Update nix channel and toolchains

To update channel

nix-channel --update
Enter fullscreen mode Exit fullscreen mode

if you get a permission error and sysemctl status nix-daemon has FAIL messages, try rebooting your system

Optionally, upgrade all Nix toolchains

nix-env -iA nixpkgs.nix nixpkgs.cacert
systemctl daemon-reload
systemctl restart nix-daemon
Enter fullscreen mode Exit fullscreen mode

5. Fixing NIX_PATH

Comment for #2033

If I understand things correctly I believe your issues could be solved by adding the following line (which this issue is proposing should be included by default) to your $HOME/.zshrc (or other startup file depending on your preferences):

export NIX_PATH=$NIX_PATH:$HOME/.nix-defexpr/channels
Enter fullscreen mode Exit fullscreen mode

I'm still learning Nix myself so I don't have context on why that is not the default already. Let me know if that doesn't work and we can try to keep debugging things 😄


echo "export NIX_PATH=$NIX_PATH:$HOME/.nix-defexpr/channels" >> ~/.profile
Enter fullscreen mode Exit fullscreen mode

(in my case, I add it to my .xprofile)

if you don't do this, nix-shell will complain:

Default Nix installations don't include user channels in NIX_PATH, causing inconsistent tool behavior #2033

Should Nix installations include $HOME/.nix-defexpr/channels in the NIX_PATH? Should it appear before or after root channels?

nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels

$ nix-channel --list             
nixpkgsunstable https://nixos.org/channels/nixpkgs-unstable

$ nix-env -iA nixpkgsunstable.git
installing 'git-minimal-2.16.2'

$ nix-shell -p nixpkgsunstable.git
error: undefined variable 'nixpkgsunstable' at (string):1:94
(use '--show-trace' to show detailed location information)

$ nix-shell '<nixpkgsunstable>' -p git
error: file 'nixpkgsunstable' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:94
(use '--show-trace' to show detailed location information)

$ nix-build '<nixpkgsunstable>' -A git
error: file 'nixpkgsunstable' was not found in the Nix search path (add it using $NIX_PATH or -I)

vs:

$ export NIX_PATH=$NIX_PATH:$HOME/.nix-defexpr/channels

$ nix-env -iA nixpkgsunstable.git    
replacing old 'git-minimal-2.16.2'
installing 'git-minimal-2.16.2'

$ nix-shell -p nixpkgsunstable.git    
error: undefined variable 'nixpkgsunstable' at (string):1:94
(use '--show-trace' to show detailed location information)

$ nix-shell '<nixpkgsunstable>' -p git

[nix-shell:~]$ exit

$ nix-build '<nixpkgsunstable>' -A git
/nix/store/jaani1kx4a4kvz11d0myfkjjiiklfl7w-git-2.16.2

With this configuration, and the explicitly specified nixpkgs, is it possible for users to override nixpkgs without redefining the NIX_PATH? Does it matter?

TIPS: use nix-direnv for this

References

Top comments (0)