diff options
Diffstat (limited to 'doc/manual/installation')
| -rw-r--r-- | doc/manual/installation/building-source.xml | 49 | ||||
| -rw-r--r-- | doc/manual/installation/env-variables.xml | 89 | ||||
| -rw-r--r-- | doc/manual/installation/installation.xml | 34 | ||||
| -rw-r--r-- | doc/manual/installation/installing-binary.xml | 469 | ||||
| -rw-r--r-- | doc/manual/installation/installing-source.xml | 16 | ||||
| -rw-r--r-- | doc/manual/installation/multi-user.xml | 107 | ||||
| -rw-r--r-- | doc/manual/installation/nix-security.xml | 27 | ||||
| -rw-r--r-- | doc/manual/installation/obtaining-source.xml | 30 | ||||
| -rw-r--r-- | doc/manual/installation/prerequisites-source.xml | 113 | ||||
| -rw-r--r-- | doc/manual/installation/single-user.xml | 21 | ||||
| -rw-r--r-- | doc/manual/installation/supported-platforms.xml | 36 | ||||
| -rw-r--r-- | doc/manual/installation/upgrading.xml | 27 |
12 files changed, 0 insertions, 1018 deletions
diff --git a/doc/manual/installation/building-source.xml b/doc/manual/installation/building-source.xml deleted file mode 100644 index 772cda9cc..000000000 --- a/doc/manual/installation/building-source.xml +++ /dev/null @@ -1,49 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-building-source"> - -<title>Building Nix from Source</title> - -<para>After unpacking or checking out the Nix sources, issue the -following commands: - -<screen> -$ ./configure <replaceable>options...</replaceable> -$ make -$ make install</screen> - -Nix requires GNU Make so you may need to invoke -<command>gmake</command> instead.</para> - -<para>When building from the Git repository, these should be preceded -by the command: - -<screen> -$ ./bootstrap.sh</screen> - -</para> - -<para>The installation path can be specified by passing the -<option>--prefix=<replaceable>prefix</replaceable></option> to -<command>configure</command>. The default installation directory is -<filename>/usr/local</filename>. You can change this to any location -you like. You must have write permission to the -<replaceable>prefix</replaceable> path.</para> - -<para>Nix keeps its <emphasis>store</emphasis> (the place where -packages are stored) in <filename>/nix/store</filename> by default. -This can be changed using -<option>--with-store-dir=<replaceable>path</replaceable></option>.</para> - -<warning><para>It is best <emphasis>not</emphasis> to change the Nix -store from its default, since doing so makes it impossible to use -pre-built binaries from the standard Nixpkgs channels — that is, all -packages will need to be built from source.</para></warning> - -<para>Nix keeps state (such as its database and log files) in -<filename>/nix/var</filename> by default. This can be changed using -<option>--localstatedir=<replaceable>path</replaceable></option>.</para> - -</section> diff --git a/doc/manual/installation/env-variables.xml b/doc/manual/installation/env-variables.xml deleted file mode 100644 index cc52f5b4a..000000000 --- a/doc/manual/installation/env-variables.xml +++ /dev/null @@ -1,89 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-env-variables"> - -<title>Environment Variables</title> - -<para>To use Nix, some environment variables should be set. In -particular, <envar>PATH</envar> should contain the directories -<filename><replaceable>prefix</replaceable>/bin</filename> and -<filename>~/.nix-profile/bin</filename>. The first directory contains -the Nix tools themselves, while <filename>~/.nix-profile</filename> is -a symbolic link to the current <emphasis>user environment</emphasis> -(an automatically generated package consisting of symlinks to -installed packages). The simplest way to set the required environment -variables is to include the file -<filename><replaceable>prefix</replaceable>/etc/profile.d/nix.sh</filename> -in your <filename>~/.profile</filename> (or similar), like this:</para> - -<screen> -source <replaceable>prefix</replaceable>/etc/profile.d/nix.sh</screen> - -<section xml:id="sec-nix-ssl-cert-file"> - -<title><envar>NIX_SSL_CERT_FILE</envar></title> - -<para>If you need to specify a custom certificate bundle to account -for an HTTPS-intercepting man in the middle proxy, you must specify -the path to the certificate bundle in the environment variable -<envar>NIX_SSL_CERT_FILE</envar>.</para> - - -<para>If you don't specify a <envar>NIX_SSL_CERT_FILE</envar> -manually, Nix will install and use its own certificate -bundle.</para> - -<procedure> - <step><para>Set the environment variable and install Nix</para> - <screen> -$ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt -$ sh <(curl -L https://nixos.org/nix/install) -</screen></step> - - <step><para>In the shell profile and rc files (for example, - <filename>/etc/bashrc</filename>, <filename>/etc/zshrc</filename>), - add the following line:</para> -<programlisting> -export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt -</programlisting> -</step> -</procedure> - -<note><para>You must not add the export and then do the install, as -the Nix installer will detect the presense of Nix configuration, and -abort.</para></note> - -<section xml:id="sec-nix-ssl-cert-file-with-nix-daemon-and-macos"> -<title><envar>NIX_SSL_CERT_FILE</envar> with macOS and the Nix daemon</title> - -<para>On macOS you must specify the environment variable for the Nix -daemon service, then restart it:</para> - -<screen> -$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt -$ sudo launchctl kickstart -k system/org.nixos.nix-daemon -</screen> -</section> - -<section xml:id="sec-installer-proxy-settings"> - -<title>Proxy Environment Variables</title> - -<para>The Nix installer has special handling for these proxy-related -environment variables: -<varname>http_proxy</varname>, <varname>https_proxy</varname>, -<varname>ftp_proxy</varname>, <varname>no_proxy</varname>, -<varname>HTTP_PROXY</varname>, <varname>HTTPS_PROXY</varname>, -<varname>FTP_PROXY</varname>, <varname>NO_PROXY</varname>. -</para> -<para>If any of these variables are set when running the Nix installer, -then the installer will create an override file at -<filename>/etc/systemd/system/nix-daemon.service.d/override.conf</filename> -so <command>nix-daemon</command> will use them. -</para> -</section> - -</section> -</chapter> diff --git a/doc/manual/installation/installation.xml b/doc/manual/installation/installation.xml deleted file mode 100644 index 878959352..000000000 --- a/doc/manual/installation/installation.xml +++ /dev/null @@ -1,34 +0,0 @@ -<part xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="chap-installation"> - -<title>Installation</title> - -<partintro> -<para>This section describes how to install and configure Nix for first-time use.</para> -</partintro> - -<xi:include href="supported-platforms.xml" /> -<xi:include href="installing-binary.xml" /> -<xi:include href="installing-source.xml" /> -<xi:include href="nix-security.xml" /> -<xi:include href="env-variables.xml" /> - -<!-- TODO: should be updated -<section><title>Upgrading Nix through Nix</title> - -<para>You can install the latest stable version of Nix through Nix -itself by subscribing to the channel <link -xlink:href="http://nixos.org/releases/nix/channels/nix-stable" />, -or the latest unstable version by subscribing to the channel <link -xlink:href="http://nixos.org/releases/nix/channels/nix-unstable" />. -You can also do a <link linkend="sec-one-click">one-click -installation</link> by clicking on the package links at <link -xlink:href="http://nixos.org/releases/full-index-nix.html" />.</para> - -</section> ---> - -</part> diff --git a/doc/manual/installation/installing-binary.xml b/doc/manual/installation/installing-binary.xml deleted file mode 100644 index 64c7a37fb..000000000 --- a/doc/manual/installation/installing-binary.xml +++ /dev/null @@ -1,469 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-installing-binary"> - -<title>Installing a Binary Distribution</title> - -<para> - If you are using Linux or macOS versions up to 10.14 (Mojave), the - easiest way to install Nix is to run the following command: -</para> - -<screen> - $ sh <(curl -L https://nixos.org/nix/install) -</screen> - -<para> - If you're using macOS 10.15 (Catalina) or newer, consult - <link linkend="sect-macos-installation">the macOS installation instructions</link> - before installing. -</para> - -<para> - As of Nix 2.1.0, the Nix installer will always default to creating a - single-user installation, however opting in to the multi-user - installation is highly recommended. - <!-- TODO: this explains *neither* why the default version is - single-user, nor why we'd recommend multi-user over the default. - True prospective users don't have much basis for evaluating this. - What's it to me? Who should pick which? Why? What if I pick wrong? - --> -</para> - -<section xml:id="sect-single-user-installation"> - <title>Single User Installation</title> - - <para> - To explicitly select a single-user installation on your system: - - <screen> - sh <(curl -L https://nixos.org/nix/install) --no-daemon -</screen> - </para> - -<para> -This will perform a single-user installation of Nix, meaning that -<filename>/nix</filename> is owned by the invoking user. You should -run this under your usual user account, <emphasis>not</emphasis> as -root. The script will invoke <command>sudo</command> to create -<filename>/nix</filename> if it doesn’t already exist. If you don’t -have <command>sudo</command>, you should manually create -<filename>/nix</filename> first as root, e.g.: - -<screen> -$ mkdir /nix -$ chown alice /nix -</screen> - -The install script will modify the first writable file from amongst -<filename>.bash_profile</filename>, <filename>.bash_login</filename> -and <filename>.profile</filename> to source -<filename>~/.nix-profile/etc/profile.d/nix.sh</filename>. You can set -the <envar>NIX_INSTALLER_NO_MODIFY_PROFILE</envar> environment -variable before executing the install script to disable this -behaviour. -</para> - - -<para>You can uninstall Nix simply by running: - -<screen> -$ rm -rf /nix -</screen> - -</para> -</section> - -<section xml:id="sect-multi-user-installation"> - <title>Multi User Installation</title> - <para> - The multi-user Nix installation creates system users, and a system - service for the Nix daemon. - </para> - - <itemizedlist> - <title>Supported Systems</title> - - <listitem> - <para>Linux running systemd, with SELinux disabled</para> - </listitem> - <listitem><para>macOS</para></listitem> - </itemizedlist> - - <para> - You can instruct the installer to perform a multi-user - installation on your system: - </para> - - <screen>sh <(curl -L https://nixos.org/nix/install) --daemon</screen> - - <para> - The multi-user installation of Nix will create build users between - the user IDs 30001 and 30032, and a group with the group ID 30000. - - You should run this under your usual user account, - <emphasis>not</emphasis> as root. The script will invoke - <command>sudo</command> as needed. - </para> - - <note><para> - If you need Nix to use a different group ID or user ID set, you - will have to download the tarball manually and <link - linkend="sect-nix-install-binary-tarball">edit the install - script</link>. - </para></note> - - <para> - The installer will modify <filename>/etc/bashrc</filename>, and - <filename>/etc/zshrc</filename> if they exist. The installer will - first back up these files with a - <literal>.backup-before-nix</literal> extension. The installer - will also create <filename>/etc/profile.d/nix.sh</filename>. - </para> - - <para>You can uninstall Nix with the following commands: - -<screen> -sudo rm -rf /etc/profile/nix.sh /etc/nix /nix ~root/.nix-profile ~root/.nix-defexpr ~root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels - -# If you are on Linux with systemd, you will need to run: -sudo systemctl stop nix-daemon.socket -sudo systemctl stop nix-daemon.service -sudo systemctl disable nix-daemon.socket -sudo systemctl disable nix-daemon.service -sudo systemctl daemon-reload - -# If you are on macOS, you will need to run: -sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist -sudo rm /Library/LaunchDaemons/org.nixos.nix-daemon.plist -</screen> - - There may also be references to Nix in - <filename>/etc/profile</filename>, - <filename>/etc/bashrc</filename>, and - <filename>/etc/zshrc</filename> which you may remove. - </para> - -</section> - -<section xml:id="sect-macos-installation"> - <title>macOS Installation</title> - - <para> - Starting with macOS 10.15 (Catalina), the root filesystem is read-only. - This means <filename>/nix</filename> can no longer live on your system - volume, and that you'll need a workaround to install Nix. - </para> - - <para> - The recommended approach, which creates an unencrypted APFS volume - for your Nix store and a "synthetic" empty directory to mount it - over at <filename>/nix</filename>, is least likely to impair Nix - or your system. - </para> - - <note><para> - With all separate-volume approaches, it's possible something on - your system (particularly daemons/services and restored apps) may - need access to your Nix store before the volume is mounted. Adding - additional encryption makes this more likely. - </para></note> - - <para> - If you're using a recent Mac with a - <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>, - your drive will still be encrypted at rest (in which case "unencrypted" - is a bit of a misnomer). To use this approach, just install Nix with: - </para> - - <screen>$ sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume</screen> - - <para> - If you don't like the sound of this, you'll want to weigh the - other approaches and tradeoffs detailed in this section. - </para> - - <note> - <title>Eventual solutions?</title> - <para> - All of the known workarounds have drawbacks, but we hope - better solutions will be available in the future. Some that - we have our eye on are: - </para> - <orderedlist> - <listitem> - <para> - A true firmlink would enable the Nix store to live on the - primary data volume without the build problems caused by - the symlink approach. End users cannot currently - create true firmlinks. - </para> - </listitem> - <listitem> - <para> - If the Nix store volume shared FileVault encryption - with the primary data volume (probably by using the same - volume group and role), FileVault encryption could be - easily supported by the installer without requiring - manual setup by each user. - </para> - </listitem> - </orderedlist> - </note> - - <section xml:id="sect-macos-installation-change-store-prefix"> - <title>Change the Nix store path prefix</title> - <para> - Changing the default prefix for the Nix store is a simple - approach which enables you to leave it on your root volume, - where it can take full advantage of FileVault encryption if - enabled. Unfortunately, this approach also opts your device out - of some benefits that are enabled by using the same prefix - across systems: - - <itemizedlist> - <listitem> - <para> - Your system won't be able to take advantage of the binary - cache (unless someone is able to stand up and support - duplicate caching infrastructure), which means you'll - spend more time waiting for builds. - </para> - </listitem> - <listitem> - <para> - It's harder to build and deploy packages to Linux systems. - </para> - </listitem> - <!-- TODO: may be more here --> - </itemizedlist> - - <!-- TODO: Yes, but how?! --> - - It would also possible (and often requested) to just apply this - change ecosystem-wide, but it's an intrusive process that has - side effects we want to avoid for now. - <!-- magnificent hand-wavy gesture --> - </para> - <para> - </para> - </section> - - <section xml:id="sect-macos-installation-encrypted-volume"> - <title>Use a separate encrypted volume</title> - <para> - If you like, you can also add encryption to the recommended - approach taken by the installer. You can do this by pre-creating - an encrypted volume before you run the installer--or you can - run the installer and encrypt the volume it creates later. - <!-- TODO: see later note about whether this needs both add-encryption and from-scratch directions --> - </para> - <para> - In either case, adding encryption to a second volume isn't quite - as simple as enabling FileVault for your boot volume. Before you - dive in, there are a few things to weigh: - </para> - <orderedlist> - <listitem> - <para> - The additional volume won't be encrypted with your existing - FileVault key, so you'll need another mechanism to decrypt - the volume. - </para> - </listitem> - <listitem> - <para> - You can store the password in Keychain to automatically - decrypt the volume on boot--but it'll have to wait on Keychain - and may not mount before your GUI apps restore. If any of - your launchd agents or apps depend on Nix-installed software - (for example, if you use a Nix-installed login shell), the - restore may fail or break. - </para> - <para> - On a case-by-case basis, you may be able to work around this - problem by using <command>wait4path</command> to block - execution until your executable is available. - </para> - <para> - It's also possible to decrypt and mount the volume earlier - with a login hook--but this mechanism appears to be - deprecated and its future is unclear. - </para> - </listitem> - <listitem> - <para> - You can hard-code the password in the clear, so that your - store volume can be decrypted before Keychain is available. - </para> - </listitem> - </orderedlist> - <para> - If you are comfortable navigating these tradeoffs, you can encrypt the volume with - something along the lines of: - <!-- TODO: - I don't know if this also needs from-scratch instructions? - can we just recommend use-the-installer-and-then-encrypt? - --> - </para> - <!-- - TODO: it looks like this option can be encryptVolume|encrypt|enableFileVault - - It may be more clear to use encryptVolume, here? FileVault seems - heavily associated with the boot-volume behavior; I worry - a little that it can mislead here, especially as it gets - copied around minus doc context...? - --> - <screen>alice$ diskutil apfs enableFileVault /nix -user disk</screen> - - <!-- TODO: and then go into detail on the mount/decrypt approaches? --> - </section> - - <section xml:id="sect-macos-installation-symlink"> - <!-- - Maybe a good razor is: if we'd hate having to support someone who - installed Nix this way, it shouldn't even be detailed? - --> - <title>Symlink the Nix store to a custom location</title> - <para> - Another simple approach is using <filename>/etc/synthetic.conf</filename> - to symlink the Nix store to the data volume. This option also - enables your store to share any configured FileVault encryption. - Unfortunately, builds that resolve the symlink may leak the - canonical path or even fail. - </para> - <para> - Because of these downsides, we can't recommend this approach. - </para> - <!-- Leaving out instructions for this one. --> - </section> - - <section xml:id="sect-macos-installation-recommended-notes"> - <title>Notes on the recommended approach</title> - <para> - This section goes into a little more detail on the recommended - approach. You don't need to understand it to run the installer, - but it can serve as a helpful reference if you run into trouble. - </para> - <orderedlist> - <listitem> - <para> - In order to compose user-writable locations into the new - read-only system root, Apple introduced a new concept called - <literal>firmlinks</literal>, which it describes as a - "bi-directional wormhole" between two filesystems. You can - see the current firmlinks in <filename>/usr/share/firmlinks</filename>. - Unfortunately, firmlinks aren't (currently?) user-configurable. - </para> - - <para> - For special cases like NFS mount points or package manager roots, - <link xlink:href="https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man5/synthetic.conf.5.html">synthetic.conf(5)</link> - supports limited user-controlled file-creation (of symlinks, - and synthetic empty directories) at <filename>/</filename>. - To create a synthetic empty directory for mounting at <filename>/nix</filename>, - add the following line to <filename>/etc/synthetic.conf</filename> - (create it if necessary): - </para> - - <screen>nix</screen> - </listitem> - - <listitem> - <para> - This configuration is applied at boot time, but you can use - <command>apfs.util</command> to trigger creation (not deletion) - of new entries without a reboot: - </para> - - <screen>alice$ /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B</screen> - </listitem> - - <listitem> - <para> - Create the new APFS volume with diskutil: - </para> - - <screen>alice$ sudo diskutil apfs addVolume diskX APFS 'Nix Store' -mountpoint /nix</screen> - </listitem> - - <listitem> - <para> - Using <command>vifs</command>, add the new mount to - <filename>/etc/fstab</filename>. If it doesn't already have - other entries, it should look something like: - </para> - -<screen> -# -# Warning - this file should only be modified with vifs(8) -# -# Failure to do so is unsupported and may be destructive. -# -LABEL=Nix\040Store /nix apfs rw,nobrowse -</screen> - - <para> - The nobrowse setting will keep Spotlight from indexing this - volume, and keep it from showing up on your desktop. - </para> - </listitem> - </orderedlist> - </section> - -</section> - -<section xml:id="sect-nix-install-pinned-version-url"> - <title>Installing a pinned Nix version from a URL</title> - - <para> - NixOS.org hosts version-specific installation URLs for all Nix - versions since 1.11.16, at - <literal>https://releases.nixos.org/nix/nix-<replaceable>version</replaceable>/install</literal>. - </para> - - <para> - These install scripts can be used the same as the main - NixOS.org installation script: - - <screen> - sh <(curl -L https://nixos.org/nix/install) -</screen> - </para> - - <para> - In the same directory of the install script are sha256 sums, and - gpg signature files. - </para> -</section> - -<section xml:id="sect-nix-install-binary-tarball"> - <title>Installing from a binary tarball</title> - - <para> - You can also download a binary tarball that contains Nix and all - its dependencies. (This is what the install script at - <uri>https://nixos.org/nix/install</uri> does automatically.) You - should unpack it somewhere (e.g. in <filename>/tmp</filename>), - and then run the script named <command>install</command> inside - the binary tarball: - - -<screen> -alice$ cd /tmp -alice$ tar xfj nix-1.8-x86_64-darwin.tar.bz2 -alice$ cd nix-1.8-x86_64-darwin -alice$ ./install -</screen> - </para> - - <para> - If you need to edit the multi-user installation script to use - different group ID or a different user ID range, modify the - variables set in the file named - <filename>install-multi-user</filename>. - </para> -</section> -</chapter> diff --git a/doc/manual/installation/installing-source.xml b/doc/manual/installation/installing-source.xml deleted file mode 100644 index c261a109d..000000000 --- a/doc/manual/installation/installing-source.xml +++ /dev/null @@ -1,16 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-installing-source"> - -<title>Installing Nix from Source</title> - -<para>If no binary package is available, you can download and compile -a source distribution.</para> - -<xi:include href="prerequisites-source.xml" /> -<xi:include href="obtaining-source.xml" /> -<xi:include href="building-source.xml" /> - -</chapter> diff --git a/doc/manual/installation/multi-user.xml b/doc/manual/installation/multi-user.xml deleted file mode 100644 index 69ae1ef27..000000000 --- a/doc/manual/installation/multi-user.xml +++ /dev/null @@ -1,107 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ssec-multi-user"> - -<title>Multi-User Mode</title> - -<para>To allow a Nix store to be shared safely among multiple users, -it is important that users are not able to run builders that modify -the Nix store or database in arbitrary ways, or that interfere with -builds started by other users. If they could do so, they could -install a Trojan horse in some package and compromise the accounts of -other users.</para> - -<para>To prevent this, the Nix store and database are owned by some -privileged user (usually <literal>root</literal>) and builders are -executed under special user accounts (usually named -<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a -unprivileged user runs a Nix command, actions that operate on the Nix -store (such as builds) are forwarded to a <emphasis>Nix -daemon</emphasis> running under the owner of the Nix store/database -that performs the operation.</para> - -<note><para>Multi-user mode has one important limitation: only -<systemitem class="username">root</systemitem> and a set of trusted -users specified in <filename>nix.conf</filename> can specify arbitrary -binary caches. So while unprivileged users may install packages from -arbitrary Nix expressions, they may not get pre-built -binaries.</para></note> - - -<simplesect> - -<title>Setting up the build users</title> - -<para>The <emphasis>build users</emphasis> are the special UIDs under -which builds are performed. They should all be members of the -<emphasis>build users group</emphasis> <literal>nixbld</literal>. -This group should have no other members. The build users should not -be members of any other group. On Linux, you can create the group and -users as follows: - -<screen> -$ groupadd -r nixbld -$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \ - -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \ - nixbld$n; done -</screen> - -This creates 10 build users. There can never be more concurrent builds -than the number of build users, so you may want to increase this if -you expect to do many builds at the same time.</para> - -</simplesect> - - -<simplesect> - -<title>Running the daemon</title> - -<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be -started as follows (as <literal>root</literal>): - -<screen> -$ nix-daemon</screen> - -You’ll want to put that line somewhere in your system’s boot -scripts.</para> - -<para>To let unprivileged users use the daemon, they should set the -<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment -variable</link> to <literal>daemon</literal>. So you should put a -line like - -<programlisting> -export NIX_REMOTE=daemon</programlisting> - -into the users’ login scripts.</para> - -</simplesect> - - -<simplesect> - -<title>Restricting access</title> - -<para>To limit which users can perform Nix operations, you can use the -permissions on the directory -<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you -want to restrict the use of Nix to the members of a group called -<literal>nix-users</literal>, do - -<screen> -$ chgrp nix-users /nix/var/nix/daemon-socket -$ chmod ug=rwx,o= /nix/var/nix/daemon-socket -</screen> - -This way, users who are not in the <literal>nix-users</literal> group -cannot connect to the Unix domain socket -<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot -perform Nix operations.</para> - -</simplesect> - - -</section> diff --git a/doc/manual/installation/nix-security.xml b/doc/manual/installation/nix-security.xml deleted file mode 100644 index d888ff14d..000000000 --- a/doc/manual/installation/nix-security.xml +++ /dev/null @@ -1,27 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-nix-security"> - -<title>Security</title> - -<para>Nix has two basic security models. First, it can be used in -“single-user mode”, which is similar to what most other package -management tools do: there is a single user (typically <systemitem -class="username">root</systemitem>) who performs all package -management operations. All other users can then use the installed -packages, but they cannot perform package management operations -themselves.</para> - -<para>Alternatively, you can configure Nix in “multi-user mode”. In -this model, all users can perform package management operations — for -instance, every user can install software without requiring root -privileges. Nix ensures that this is secure. For instance, it’s not -possible for one user to overwrite a package used by another user with -a Trojan horse.</para> - -<xi:include href="single-user.xml" /> -<xi:include href="multi-user.xml" /> - -</chapter>
\ No newline at end of file diff --git a/doc/manual/installation/obtaining-source.xml b/doc/manual/installation/obtaining-source.xml deleted file mode 100644 index 968822cc0..000000000 --- a/doc/manual/installation/obtaining-source.xml +++ /dev/null @@ -1,30 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-obtaining-source"> - -<title>Obtaining a Source Distribution</title> - -<para>The source tarball of the most recent stable release can be -downloaded from the <link -xlink:href="http://nixos.org/nix/download.html">Nix homepage</link>. -You can also grab the <link -xlink:href="http://hydra.nixos.org/job/nix/master/release/latest-finished#tabs-constituents">most -recent development release</link>.</para> - -<para>Alternatively, the most recent sources of Nix can be obtained -from its <link -xlink:href="https://github.com/NixOS/nix">Git -repository</link>. For example, the following command will check out -the latest revision into a directory called -<filename>nix</filename>:</para> - -<screen> -$ git clone https://github.com/NixOS/nix</screen> - -<para>Likewise, specific releases can be obtained from the <link -xlink:href="https://github.com/NixOS/nix/tags">tags</link> of the -repository.</para> - -</section>
\ No newline at end of file diff --git a/doc/manual/installation/prerequisites-source.xml b/doc/manual/installation/prerequisites-source.xml deleted file mode 100644 index fa6da9b1e..000000000 --- a/doc/manual/installation/prerequisites-source.xml +++ /dev/null @@ -1,113 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-prerequisites-source"> - -<title>Prerequisites</title> - -<itemizedlist> - - <listitem><para>GNU Autoconf - (<link xlink:href="https://www.gnu.org/software/autoconf/"/>) - and the autoconf-archive macro collection - (<link xlink:href="https://www.gnu.org/software/autoconf-archive/"/>). - These are only needed to run the bootstrap script, and are not necessary - if your source distribution came with a pre-built - <literal>./configure</literal> script.</para></listitem> - - <listitem><para>GNU Make.</para></listitem> - - <listitem><para>Bash Shell. The <literal>./configure</literal> script - relies on bashisms, so Bash is required.</para></listitem> - - <listitem><para>A version of GCC or Clang that supports C++17.</para></listitem> - - <listitem><para><command>pkg-config</command> to locate - dependencies. If your distribution does not provide it, you can get - it from <link - xlink:href="http://www.freedesktop.org/wiki/Software/pkg-config" - />.</para></listitem> - - <listitem><para>The OpenSSL library to calculate cryptographic hashes. - If your distribution does not provide it, you can get it from <link - xlink:href="https://www.openssl.org"/>.</para></listitem> - - <listitem><para>The <literal>libbrotlienc</literal> and - <literal>libbrotlidec</literal> libraries to provide implementation - of the Brotli compression algorithm. They are available for download - from the official repository <link - xlink:href="https://github.com/google/brotli" />.</para></listitem> - - <listitem><para>The bzip2 compressor program and the - <literal>libbz2</literal> library. Thus you must have bzip2 - installed, including development headers and libraries. If your - distribution does not provide these, you can obtain bzip2 from <link - xlink:href="https://web.archive.org/web/20180624184756/http://www.bzip.org/" - />.</para></listitem> - - <listitem><para><literal>liblzma</literal>, which is provided by - XZ Utils. If your distribution does not provide this, you can - get it from <link xlink:href="https://tukaani.org/xz/"/>.</para></listitem> - - <listitem><para>cURL and its library. If your distribution does not - provide it, you can get it from <link - xlink:href="https://curl.haxx.se/"/>.</para></listitem> - - <listitem><para>The SQLite embedded database library, version 3.6.19 - or higher. If your distribution does not provide it, please install - it from <link xlink:href="http://www.sqlite.org/" />.</para></listitem> - - <listitem><para>The <link - xlink:href="http://www.hboehm.info/gc/">Boehm - garbage collector</link> to reduce the evaluator’s memory - consumption (optional). To enable it, install - <literal>pkgconfig</literal> and the Boehm garbage collector, and - pass the flag <option>--enable-gc</option> to - <command>configure</command>.</para></listitem> - - <listitem><para>The <literal>boost</literal> library of version - 1.66.0 or higher. It can be obtained from the official web site - <link xlink:href="https://www.boost.org/" />.</para></listitem> - - <listitem><para>The <literal>editline</literal> library of version - 1.14.0 or higher. It can be obtained from the its repository - <link xlink:href="https://github.com/troglobit/editline" />.</para></listitem> - - <listitem><para>The <command>xmllint</command> and - <command>xsltproc</command> programs to build this manual and the - man-pages. These are part of the <literal>libxml2</literal> and - <literal>libxslt</literal> packages, respectively. You also need - the <link - xlink:href="http://docbook.sourceforge.net/projects/xsl/">DocBook - XSL stylesheets</link> and optionally the <link - xlink:href="http://www.docbook.org/schemas/5x"> DocBook 5.0 RELAX NG - schemas</link>. Note that these are only required if you modify the - manual sources or when you are building from the Git - repository.</para></listitem> - - <listitem><para>Recent versions of Bison and Flex to build the - parser. (This is because Nix needs GLR support in Bison and - reentrancy support in Flex.) For Bison, you need version 2.6, which - can be obtained from the <link - xlink:href="ftp://alpha.gnu.org/pub/gnu/bison">GNU FTP - server</link>. For Flex, you need version 2.5.35, which is - available on <link - xlink:href="http://lex.sourceforge.net/">SourceForge</link>. - Slightly older versions may also work, but ancient versions like the - ubiquitous 2.5.4a won't. Note that these are only required if you - modify the parser or when you are building from the Git - repository.</para></listitem> - - <listitem><para>The <literal>libseccomp</literal> is used to provide - syscall filtering on Linux. This is an optional dependency and can - be disabled passing a <option>--disable-seccomp-sandboxing</option> - option to the <command>configure</command> script (Not recommended - unless your system doesn't support - <literal>libseccomp</literal>). To get the library, visit <link - xlink:href="https://github.com/seccomp/libseccomp" - />.</para></listitem> - -</itemizedlist> - -</section> diff --git a/doc/manual/installation/single-user.xml b/doc/manual/installation/single-user.xml deleted file mode 100644 index 09cdaa5d4..000000000 --- a/doc/manual/installation/single-user.xml +++ /dev/null @@ -1,21 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-single-user"> - -<title>Single-User Mode</title> - -<para>In single-user mode, all Nix operations that access the database -in <filename><replaceable>prefix</replaceable>/var/nix/db</filename> -or modify the Nix store in -<filename><replaceable>prefix</replaceable>/store</filename> must be -performed under the user ID that owns those directories. This is -typically <systemitem class="username">root</systemitem>. (If you -install from RPM packages, that’s in fact the default ownership.) -However, on single-user machines, it is often convenient to -<command>chown</command> those directories to your normal user account -so that you don’t have to <command>su</command> to <systemitem -class="username">root</systemitem> all the time.</para> - -</section>
\ No newline at end of file diff --git a/doc/manual/installation/supported-platforms.xml b/doc/manual/installation/supported-platforms.xml deleted file mode 100644 index 3e74be49d..000000000 --- a/doc/manual/installation/supported-platforms.xml +++ /dev/null @@ -1,36 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-supported-platforms"> - -<title>Supported Platforms</title> - -<para>Nix is currently supported on the following platforms: - -<itemizedlist> - - <listitem><para>Linux (i686, x86_64, aarch64).</para></listitem> - - <listitem><para>macOS (x86_64).</para></listitem> - - <!-- - <listitem><para>FreeBSD (only tested on Intel).</para></listitem> - --> - - <!-- - <listitem><para>Windows through <link - xlink:href="http://www.cygwin.com/">Cygwin</link>.</para> - - <warning><para>On Cygwin, Nix <emphasis>must</emphasis> be installed - on an NTFS partition. It will not work correctly on a FAT - partition.</para></warning> - - </listitem> - --> - -</itemizedlist> - -</para> - -</chapter> diff --git a/doc/manual/installation/upgrading.xml b/doc/manual/installation/upgrading.xml deleted file mode 100644 index 592f63895..000000000 --- a/doc/manual/installation/upgrading.xml +++ /dev/null @@ -1,27 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ch-upgrading-nix"> - - <title>Upgrading Nix</title> - - <para> - Multi-user Nix users on macOS can upgrade Nix by running: - <command>sudo -i sh -c 'nix-channel --update && - nix-env -iA nixpkgs.nix && - launchctl remove org.nixos.nix-daemon && - launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist'</command> - </para> - - - <para> - Single-user installations of Nix should run this: - <command>nix-channel --update; nix-env -iA nixpkgs.nix nixpkgs.cacert</command> - </para> - - <para> - Multi-user Nix users on Linux should run this with sudo: - <command>nix-channel --update; nix-env -iA nixpkgs.nix nixpkgs.cacert; systemctl daemon-reload; systemctl restart nix-daemon</command> - </para> -</chapter> |