[Nix] Add documentation around setting yourself as a trusted user
AbandonedPublic
Actions

Authored by • jon on Aug 11 2022, 3:38 PM.

Details

Reviewers

atul
• abosh
ashoat

Summary

In order to use binary caches through flakes, the user needs to
be listed as a trusted user in nix.conf.

trusted-users was implemented so that any arbitrary
user on a machine doesn't add a malicious cache and start downloading potentially
modified packages.

Test Plan

Follow steps, then do test plan from D4816

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

• jon created this revision.Aug 11 2022, 3:38 PM

Herald added subscribers: • adrian, tomek, ashoat. · View Herald TranscriptAug 11 2022, 3:38 PM

Add documentation around adding a group

• jon mentioned this in D4816: [Nix] Add comm binary cache to flake.Aug 11 2022, 3:43 PM

• jon added a child revision: D4816: [Nix] Add comm binary cache to flake.

Harbormaster failed remote builds in B11324: Diff 15581!Aug 11 2022, 3:47 PM

Harbormaster completed remote builds in B11325: Diff 15582.Aug 11 2022, 3:50 PM

• jon requested review of this revision.Aug 11 2022, 3:50 PM

ashoat requested changes to this revision.Aug 11 2022, 9:58 PM

ashoat added inline comments.

docs/nix_dev_env.md
30	Can we just wrap the script that gets run when you run `sh <(curl -L https://nixos.org/nix/install)` on macOS and handle the rest of the config in that script? Seems like we could set up `/etc/nix/nix.conf` for the user. Additionally, the same script could fix up your font after installing Powerline by directly editing `~/Library/Preferences/com.googlecode.iterm2.plist`, and the equivalent in macOS Terminal. (We would prompt you before doing it though.) @jon, what do you think? Can you create a task for this? Also curious for other people's perspectives.
58–60	What's this about groups? Do we need to include this? Why do we need to include this? Explain in the documentation

This revision now requires changes to proceed.Aug 11 2022, 9:58 PM

• jon added inline comments.Aug 11 2022, 11:49 PM

docs/nix_dev_env.md
58–60	Another option would be to just do this as part of `nix develop` and do something like `if grep trusted-users /etc/nix/nix.conf; then <add text> fi` Not sure how much of a "guided prompt" we want to make `nix develop` to be.

Don't understand the response, please try explaining in more detail

• jon marked 2 inline comments as done.Aug 12 2022, 11:05 AM

• jon added inline comments.

docs/nix_dev_env.md
30	Can we just wrap the script that gets run when you run sh <(curl -L https://nixos.org/nix/install) on macOS and handle the rest of the config in that script? Seems like we could set up /etc/nix/nix.conf for the user. Yea, I could create a `install_nix.sh` type thing for developers. Additionally, the same script could fix up your font after installing Powerline by directly editing ~/Library/Preferences/com.googlecode.iterm2.plist, and the equivalent in macOS Terminal. (We would prompt you before doing it though.) Possible, but I'm on the fence of unilaterally making this decision. However, do something like "Would you like to install powerline as your default bash prompt [y/n]: " I can get behind. I just don't want to be "you will now have this shell behavior" @jon, what do you think? Can you create a task for this? Also curious for other people's perspectives. cc @abosh @atul
58–60	What's this about groups? Instead of specifying individual users, you can also just have a user group mentioned through `@`. On MacOS, the `admin` group are people with the ability to do `sudo` commands; on linux, this is usually the `wheel` group. Do we need to include this? "Need", no, but probably most preferrable. Another option would be to just do this as part of nix develop and do something like if grep trusted-users /etc/nix/nix.conf; then <add text> fi This would be better suited for the `install_nix.sh` script I mention in another comment

• abosh added inline comments.Aug 12 2022, 11:09 AM

docs/nix_dev_env.md
30	(We would prompt you before doing it though.) I think @ashoat agrees with you that unilaterally doing this decision would be bad without a prompt with a `[y/n]`. On the topic of if we should do this, I agree. I think it would be cool to have the script fix the font after installing Powerline. Also, you can create a Linear task to track this either way, and we can cancel if you find that it's not something we want to do.

ashoat added inline comments.Aug 12 2022, 11:09 AM

docs/nix_dev_env.md
30	Possible, but I'm on the fence of unilaterally making this decision. However, do something like "Would you like to install powerline as your default bash prompt [y/n]: " I can get behind. I just don't want to be "you will now have this shell behavior" Yeah, agree on that. *Can you create a task for this?* <--- please do this...
58–60	Let's exclude it, these lines are really confusing to the reader

See my comment before:

(We would prompt you before doing it though.)

No need to ask me to respond with that again...

going to abandon this and just put up a diff with a install_nix.sh workflow.

docs/nix_dev_env.md
30	task: https://linear.app/comm/issue/ENG-1605/create-a-install-nixsh-to-facilitate-installing-nix I can throw up a separate diff, in linear we can outline what the script would do, but I added some initial items
58–60	Agreed