Merge pull request #5212 from mkenigs/auto-uid-allocation

Merge master into #3600

12 files changed, 472 insertions, 0 deletions

diff --git a/doc/manual/src/installation/building-source.md b/doc/manual/src/installation/building-source.md
new file mode 100644
index 000000000..d21a51a82
--- /dev/null
+++ b/doc/manual/src/installation/building-source.md
@@ -0,0 +1,38 @@
+# Building Nix from Source
+
+After unpacking or checking out the Nix sources, issue the following
+commands:
+
+```console
+$ ./configure options...
+$ make
+$ make install
+```
+
+Nix requires GNU Make so you may need to invoke `gmake` instead.
+
+When building from the Git repository, these should be preceded by the
+command:
+
+```console
+$ ./bootstrap.sh
+```
+
+The installation path can be specified by passing the `--prefix=prefix`
+to `configure`. The default installation directory is `/usr/local`. You
+can change this to any location you like. You must have write permission
+to the *prefix* path.
+
+Nix keeps its *store* (the place where packages are stored) in
+`/nix/store` by default. This can be changed using
+`--with-store-dir=path`.
+
+> **Warning**
+> 
+> It is best *not* to change the Nix store from its default, since doing
+> so makes it impossible to use pre-built binaries from the standard
+> Nixpkgs channels — that is, all packages will need to be built from
+> source.
+
+Nix keeps state (such as its database and log files) in `/nix/var` by
+default. This can be changed using `--localstatedir=path`.
diff --git a/doc/manual/src/installation/env-variables.md b/doc/manual/src/installation/env-variables.md
new file mode 100644
index 000000000..4a49897e4
--- /dev/null
+++ b/doc/manual/src/installation/env-variables.md
@@ -0,0 +1,64 @@
+# Environment Variables
+
+To use Nix, some environment variables should be set. In particular,
+`PATH` should contain the directories `prefix/bin` and
+`~/.nix-profile/bin`. The first directory contains the Nix tools
+themselves, while `~/.nix-profile` is a symbolic link to the current
+*user environment* (an automatically generated package consisting of
+symlinks to installed packages). The simplest way to set the required
+environment variables is to include the file
+`prefix/etc/profile.d/nix.sh` in your `~/.profile` (or similar), like
+this:
+
+```bash
+source prefix/etc/profile.d/nix.sh
+```
+
+# `NIX_SSL_CERT_FILE`
+
+If you need to specify a custom certificate bundle to account for an
+HTTPS-intercepting man in the middle proxy, you must specify the path to
+the certificate bundle in the environment variable `NIX_SSL_CERT_FILE`.
+
+If you don't specify a `NIX_SSL_CERT_FILE` manually, Nix will install
+and use its own certificate bundle.
+
+Set the environment variable and install Nix
+
+```console
+$ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
+$ sh <(curl -L https://nixos.org/nix/install)
+```
+
+In the shell profile and rc files (for example, `/etc/bashrc`,
+`/etc/zshrc`), add the following line:
+
+```bash
+export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
+```
+
+> **Note**
+> 
+> You must not add the export and then do the install, as the Nix
+> installer will detect the presense of Nix configuration, and abort.
+
+## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon
+
+On macOS you must specify the environment variable for the Nix daemon
+service, then restart it:
+
+```console
+$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
+$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
+```
+
+## Proxy Environment Variables
+
+The Nix installer has special handling for these proxy-related
+environment variables: `http_proxy`, `https_proxy`, `ftp_proxy`,
+`no_proxy`, `HTTP_PROXY`, `HTTPS_PROXY`, `FTP_PROXY`, `NO_PROXY`.
+
+If any of these variables are set when running the Nix installer, then
+the installer will create an override file at
+`/etc/systemd/system/nix-daemon.service.d/override.conf` so `nix-daemon`
+will use them.
diff --git a/doc/manual/src/installation/installation.md b/doc/manual/src/installation/installation.md
new file mode 100644
index 000000000..b40c5b95f
--- /dev/null
+++ b/doc/manual/src/installation/installation.md
@@ -0,0 +1,2 @@
+This section describes how to install and configure Nix for first-time
+use.
diff --git a/doc/manual/src/installation/installing-binary.md b/doc/manual/src/installation/installing-binary.md
new file mode 100644
index 000000000..96fa34635
--- /dev/null
+++ b/doc/manual/src/installation/installing-binary.md
@@ -0,0 +1,162 @@
+# Installing a Binary Distribution
+
+The easiest way to install Nix is to run the following command:
+
+```console
+$ sh <(curl -L https://nixos.org/nix/install)
+```
+
+This will run the installer interactively (causing it to explain what
+it is doing more explicitly), and perform the default "type" of install
+for your platform:
+- single-user on Linux
+- multi-user on macOS
+
+  > **Notes on read-only filesystem root in macOS 10.15 Catalina +**
+  > 
+  > - It took some time to support this cleanly. You may see posts,
+  >   examples, and tutorials using obsolete workarounds.
+  > - Supporting it cleanly made macOS installs too complex to qualify
+  >   as single-user, so this type is no longer supported on macOS.
+
+We recommend the multi-user install if it supports your platform and
+you can authenticate with `sudo`.
+
+# Single User Installation
+
+To explicitly select a single-user installation on your system:
+
+```console
+$ sh <(curl -L https://nixos.org/nix/install) --no-daemon
+```
+
+This will perform a single-user installation of Nix, meaning that `/nix`
+is owned by the invoking user. You should run this under your usual user
+account, *not* as root. The script will invoke `sudo` to create `/nix`
+if it doesn’t already exist. If you don’t have `sudo`, you should
+manually create `/nix` first as root, e.g.:
+
+```console
+$ mkdir /nix
+$ chown alice /nix
+```
+
+The install script will modify the first writable file from amongst
+`.bash_profile`, `.bash_login` and `.profile` to source
+`~/.nix-profile/etc/profile.d/nix.sh`. You can set the
+`NIX_INSTALLER_NO_MODIFY_PROFILE` environment variable before executing
+the install script to disable this behaviour.
+
+You can uninstall Nix simply by running:
+
+```console
+$ rm -rf /nix
+```
+
+# Multi User Installation
+
+The multi-user Nix installation creates system users, and a system
+service for the Nix daemon.
+
+**Supported Systems**
+- Linux running systemd, with SELinux disabled
+- macOS
+
+You can instruct the installer to perform a multi-user installation on
+your system:
+
+```console
+$ sh <(curl -L https://nixos.org/nix/install) --daemon
+```
+
+The multi-user installation of Nix will create build users between the
+user IDs 30001 and 30032, and a group with the group ID 30000. You
+should run this under your usual user account, *not* as root. The script
+will invoke `sudo` as needed.
+
+> **Note**
+> 
+> If you need Nix to use a different group ID or user ID set, you will
+> have to download the tarball manually and [edit the install
+> script](#installing-from-a-binary-tarball).
+
+The installer will modify `/etc/bashrc`, and `/etc/zshrc` if they exist.
+The installer will first back up these files with a `.backup-before-nix`
+extension. The installer will also create `/etc/profile.d/nix.sh`.
+
+You can uninstall Nix with the following commands:
+
+```console
+sudo rm -rf /etc/profile/nix.sh /etc/nix /nix ~root/.nix-profile ~root/.nix-defexpr ~root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels
+
+# If you are on Linux with systemd, you will need to run:
+sudo systemctl stop nix-daemon.socket
+sudo systemctl stop nix-daemon.service
+sudo systemctl disable nix-daemon.socket
+sudo systemctl disable nix-daemon.service
+sudo systemctl daemon-reload
+
+# If you are on macOS, you will need to run:
+sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+sudo rm /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+```
+
+There may also be references to Nix in `/etc/profile`, `/etc/bashrc`,
+and `/etc/zshrc` which you may remove.
+
+# macOS Installation <a name="sect-macos-installation-change-store-prefix"></a><a name="sect-macos-installation-encrypted-volume"></a><a name="sect-macos-installation-symlink"></a><a name="sect-macos-installation-recommended-notes"></a>
+<!-- Note: anchors above to catch permalinks to old explanations -->
+
+We believe we have ironed out how to cleanly support the read-only root
+on modern macOS. New installs will do this automatically, and you can
+also re-run a new installer to convert your existing setup.
+
+This section previously detailed the situation, options, and trade-offs,
+but it now only outlines what the installer does. You don't need to know
+this to run the installer, but it may help if you run into trouble:
+
+- create a new APFS volume for your Nix store
+- update `/etc/synthetic.conf` to direct macOS to create a "synthetic"
+  empty root directory to mount your volume
+- specify mount options for the volume in `/etc/fstab`
+- if you have FileVault enabled
+    - generate an encryption password
+    - put it in your system Keychain
+    - use it to encrypt the volume
+- create a system LaunchDaemon to mount this volume early enough in the
+  boot process to avoid problems loading or restoring any programs that
+  need access to your Nix store
+
+# Installing a pinned Nix version from a URL
+
+NixOS.org hosts version-specific installation URLs for all Nix versions
+since 1.11.16, at `https://releases.nixos.org/nix/nix-version/install`.
+
+These install scripts can be used the same as the main NixOS.org
+installation script:
+
+```console
+$ sh <(curl -L https://nixos.org/nix/install)
+```
+
+In the same directory of the install script are sha256 sums, and gpg
+signature files.
+
+# Installing from a binary tarball
+
+You can also download a binary tarball that contains Nix and all its
+dependencies. (This is what the install script at
+<https://nixos.org/nix/install> does automatically.) You should unpack
+it somewhere (e.g. in `/tmp`), and then run the script named `install`
+inside the binary tarball:
+
+```console
+$ cd /tmp
+$ tar xfj nix-1.8-x86_64-darwin.tar.bz2
+$ cd nix-1.8-x86_64-darwin
+$ ./install
+```
+
+If you need to edit the multi-user installation script to use different
+group ID or a different user ID range, modify the variables set in the
+file named `install-multi-user`.
diff --git a/doc/manual/src/installation/installing-source.md b/doc/manual/src/installation/installing-source.md
new file mode 100644
index 000000000..e52d38a03
--- /dev/null
+++ b/doc/manual/src/installation/installing-source.md
@@ -0,0 +1,4 @@
+# Installing Nix from Source
+
+If no binary package is available, you can download and compile a source
+distribution.
diff --git a/doc/manual/src/installation/multi-user.md b/doc/manual/src/installation/multi-user.md
new file mode 100644
index 000000000..6920591c4
--- /dev/null
+++ b/doc/manual/src/installation/multi-user.md
@@ -0,0 +1,77 @@
+# Multi-User Mode
+
+To allow a Nix store to be shared safely among multiple users, it is
+important that users are not able to run builders that modify the Nix
+store or database in arbitrary ways, or that interfere with builds
+started by other users. If they could do so, they could install a Trojan
+horse in some package and compromise the accounts of other users.
+
+To prevent this, the Nix store and database are owned by some privileged
+user (usually `root`) and builders are executed under special user
+accounts (usually named `nixbld1`, `nixbld2`, etc.). When a unprivileged
+user runs a Nix command, actions that operate on the Nix store (such as
+builds) are forwarded to a *Nix daemon* running under the owner of the
+Nix store/database that performs the operation.
+
+> **Note**
+> 
+> Multi-user mode has one important limitation: only root and a set of
+> trusted users specified in `nix.conf` can specify arbitrary binary
+> caches. So while unprivileged users may install packages from
+> arbitrary Nix expressions, they may not get pre-built binaries.
+
+## Setting up the build users
+
+The *build users* are the special UIDs under which builds are performed.
+They should all be members of the *build users group* `nixbld`. This
+group should have no other members. The build users should not be
+members of any other group. On Linux, you can create the group and users
+as follows:
+
+```console
+$ groupadd -r nixbld
+$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
+    -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
+    nixbld$n; done
+```
+
+This creates 10 build users. There can never be more concurrent builds
+than the number of build users, so you may want to increase this if you
+expect to do many builds at the same time.
+
+## Running the daemon
+
+The [Nix daemon](../command-ref/nix-daemon.md) should be started as
+follows (as `root`):
+
+```console
+$ nix-daemon
+```
+
+You’ll want to put that line somewhere in your system’s boot scripts.
+
+To let unprivileged users use the daemon, they should set the
+[`NIX_REMOTE` environment variable](../command-ref/env-common.md) to
+`daemon`. So you should put a line like
+
+```console
+export NIX_REMOTE=daemon
+```
+
+into the users’ login scripts.
+
+## Restricting access
+
+To limit which users can perform Nix operations, you can use the
+permissions on the directory `/nix/var/nix/daemon-socket`. For instance,
+if you want to restrict the use of Nix to the members of a group called
+`nix-users`, do
+
+```console
+$ chgrp nix-users /nix/var/nix/daemon-socket
+$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
+```
+
+This way, users who are not in the `nix-users` group cannot connect to
+the Unix domain socket `/nix/var/nix/daemon-socket/socket`, so they
+cannot perform Nix operations.
diff --git a/doc/manual/src/installation/nix-security.md b/doc/manual/src/installation/nix-security.md
new file mode 100644
index 000000000..1e9036b68
--- /dev/null
+++ b/doc/manual/src/installation/nix-security.md
@@ -0,0 +1,15 @@
+# Security
+
+Nix has two basic security models. First, it can be used in “single-user
+mode”, which is similar to what most other package management tools do:
+there is a single user (typically root) who performs all package
+management operations. All other users can then use the installed
+packages, but they cannot perform package management operations
+themselves.
+
+Alternatively, you can configure Nix in “multi-user mode”. In this
+model, all users can perform package management operations — for
+instance, every user can install software without requiring root
+privileges. Nix ensures that this is secure. For instance, it’s not
+possible for one user to overwrite a package used by another user with a
+Trojan horse.
diff --git a/doc/manual/src/installation/obtaining-source.md b/doc/manual/src/installation/obtaining-source.md
new file mode 100644
index 000000000..0a906e390
--- /dev/null
+++ b/doc/manual/src/installation/obtaining-source.md
@@ -0,0 +1,18 @@
+# Obtaining a Source Distribution
+
+The source tarball of the most recent stable release can be downloaded
+from the [Nix homepage](http://nixos.org/nix/download.html). You can
+also grab the [most recent development
+release](http://hydra.nixos.org/job/nix/master/release/latest-finished#tabs-constituents).
+
+Alternatively, the most recent sources of Nix can be obtained from its
+[Git repository](https://github.com/NixOS/nix). For example, the
+following command will check out the latest revision into a directory
+called `nix`:
+
+```console
+$ git clone https://github.com/NixOS/nix
+```
+
+Likewise, specific releases can be obtained from the
+[tags](https://github.com/NixOS/nix/tags) of the repository.
diff --git a/doc/manual/src/installation/prerequisites-source.md b/doc/manual/src/installation/prerequisites-source.md
new file mode 100644
index 000000000..40cb79627
--- /dev/null
+++ b/doc/manual/src/installation/prerequisites-source.md
@@ -0,0 +1,62 @@
+# Prerequisites
+
+  - GNU Autoconf (<https://www.gnu.org/software/autoconf/>) and the
+    autoconf-archive macro collection
+    (<https://www.gnu.org/software/autoconf-archive/>). These are only
+    needed to run the bootstrap script, and are not necessary if your
+    source distribution came with a pre-built `./configure` script.
+
+  - GNU Make.
+
+  - Bash Shell. The `./configure` script relies on bashisms, so Bash is
+    required.
+
+  - A version of GCC or Clang that supports C++17.
+
+  - `pkg-config` to locate dependencies. If your distribution does not
+    provide it, you can get it from
+    <http://www.freedesktop.org/wiki/Software/pkg-config>.
+
+  - The OpenSSL library to calculate cryptographic hashes. If your
+    distribution does not provide it, you can get it from
+    <https://www.openssl.org>.
+
+  - The `libbrotlienc` and `libbrotlidec` libraries to provide
+    implementation of the Brotli compression algorithm. They are
+    available for download from the official repository
+    <https://github.com/google/brotli>.
+
+  - cURL and its library. If your distribution does not provide it, you
+    can get it from <https://curl.haxx.se/>.
+
+  - The SQLite embedded database library, version 3.6.19 or higher. If
+    your distribution does not provide it, please install it from
+    <http://www.sqlite.org/>.
+
+  - The [Boehm garbage collector](http://www.hboehm.info/gc/) to reduce
+    the evaluator’s memory consumption (optional). To enable it, install
+    `pkgconfig` and the Boehm garbage collector, and pass the flag
+    `--enable-gc` to `configure`.
+
+  - The `boost` library of version 1.66.0 or higher. It can be obtained
+    from the official web site <https://www.boost.org/>.
+
+  - The `editline` library of version 1.14.0 or higher. It can be
+    obtained from the its repository
+    <https://github.com/troglobit/editline>.
+
+  - Recent versions of Bison and Flex to build the parser. (This is
+    because Nix needs GLR support in Bison and reentrancy support in
+    Flex.) For Bison, you need version 2.6, which can be obtained from
+    the [GNU FTP server](ftp://alpha.gnu.org/pub/gnu/bison). For Flex,
+    you need version 2.5.35, which is available on
+    [SourceForge](http://lex.sourceforge.net/). Slightly older versions
+    may also work, but ancient versions like the ubiquitous 2.5.4a
+    won't. Note that these are only required if you modify the parser or
+    when you are building from the Git repository.
+
+  - The `libseccomp` is used to provide syscall filtering on Linux. This
+    is an optional dependency and can be disabled passing a
+    `--disable-seccomp-sandboxing` option to the `configure` script (Not
+    recommended unless your system doesn't support `libseccomp`). To get
+    the library, visit <https://github.com/seccomp/libseccomp>.
diff --git a/doc/manual/src/installation/single-user.md b/doc/manual/src/installation/single-user.md
new file mode 100644
index 000000000..f9a3b26ed
--- /dev/null
+++ b/doc/manual/src/installation/single-user.md
@@ -0,0 +1,9 @@
+# Single-User Mode
+
+In single-user mode, all Nix operations that access the database in
+`prefix/var/nix/db` or modify the Nix store in `prefix/store` must be
+performed under the user ID that owns those directories. This is
+typically root. (If you install from RPM packages, that’s in fact the
+default ownership.) However, on single-user machines, it is often
+convenient to `chown` those directories to your normal user account so
+that you don’t have to `su` to root all the time.
diff --git a/doc/manual/src/installation/supported-platforms.md b/doc/manual/src/installation/supported-platforms.md
new file mode 100644
index 000000000..8ef1f0e78
--- /dev/null
+++ b/doc/manual/src/installation/supported-platforms.md
@@ -0,0 +1,7 @@
+# Supported Platforms
+
+Nix is currently supported on the following platforms:
+
+  - Linux (i686, x86\_64, aarch64).
+
+  - macOS (x86\_64).
diff --git a/doc/manual/src/installation/upgrading.md b/doc/manual/src/installation/upgrading.md
new file mode 100644
index 000000000..24efc4681
--- /dev/null
+++ b/doc/manual/src/installation/upgrading.md
@@ -0,0 +1,14 @@
+# Upgrading Nix
+
+Multi-user Nix users on macOS can upgrade Nix by running: `sudo -i sh -c
+'nix-channel --update &&
+nix-env -iA nixpkgs.nix &&
+launchctl remove org.nixos.nix-daemon &&
+launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist'`
+
+Single-user installations of Nix should run this: `nix-channel --update;
+nix-env -iA nixpkgs.nix nixpkgs.cacert`
+
+Multi-user Nix users on Linux should run this with sudo: `nix-channel
+--update; nix-env -iA nixpkgs.nix nixpkgs.cacert; systemctl
+daemon-reload; systemctl restart nix-daemon`