Diffstat (limited to 'scripts/create-darwin-volume.sh')
-rwxr-xr-xscripts/create-darwin-volume.sh54
1 files changed, 45 insertions, 9 deletions
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
index 8aff03199..103e1e391 100755
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -246,7 +246,8 @@ get_volume_pass() {
verify_volume_pass() {
local volume_special="$1" # (i.e., disk1s7)
local volume_uuid="$2"
- /usr/sbin/diskutil apfs unlockVolume "$volume_special" -verify -stdinpassphrase -user "$volume_uuid"
+ _sudo "to confirm the password actually unlocks the volume" \
+ /usr/sbin/diskutil apfs unlockVolume "$volume_special" -verify -stdinpassphrase -user "$volume_uuid"
}
volume_pass_works() {
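Review bot: verify_volume_pass now relays its stdin through `_sudo` to `diskutil ... -stdinpassphrase`, so the function silently depends on `_sudo` never reading from stdin itself (a `sudo -S` style prompt would consume the passphrase bytes); `_sudo` is defined outside this hunk, so please confirm that and state the contract in a header comment, e.g. `# Reads the passphrase from stdin and checks it against the volume (-verify); status is whatever _sudo/diskutil returns.` The function is only three lines, so one comment is enough; `volume_pass_works` begins on the last hunk line and its body is not shown.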
@@ -440,7 +441,27 @@ add_nix_vol_fstab_line() {
# shellcheck disable=SC1003,SC2026
local escaped_mountpoint="${NIX_ROOT/ /'\\\'040}"
shift
- EDITOR="/usr/bin/ex" _sudo "to add nix to fstab" "$@" <<EOF
+
+ # wrap `ex` to work around problems w/ vim features breaking exit codes
+ # - plugins (see github.com/NixOS/nix/issues/5468): -u NONE
+ # - swap file: -n
+ #
+ # the first draft used `--noplugin`, but github.com/NixOS/nix/issues/6462
+ # suggests we need the less-semantic `-u NONE`
+ #
+ # we'd prefer EDITOR="/usr/bin/ex -u NONE" but vifs doesn't word-split
+ # the EDITOR env.
+ #
+ # TODO: at some point we should switch to `--clean`, but it wasn't added
+ # until https://github.com/vim/vim/releases/tag/v8.0.1554 while the macOS
+ # minver 10.12.6 seems to have released with vim 7.4
+ cat > "$SCRATCH/ex_cleanroom_wrapper" <<EOF
+#!/bin/sh
+/usr/bin/ex -u NONE -n "\$@"
+EOF
+ chmod 755 "$SCRATCH/ex_cleanroom_wrapper"
+
+ EDITOR="$SCRATCH/ex_cleanroom_wrapper" _sudo "to add nix to fstab" "$@" <<EOF
:a
UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners
.
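Review bot: The wrapper script written to `$SCRATCH/ex_cleanroom_wrapper` is created by the unprivileged shell and then run as root via `EDITOR` inside `_sudo`, so this step is only as safe as `$SCRATCH` itself (private, owned by the invoking user, created with `mktemp -d`, never a fixed or world-writable path); `$SCRATCH` is set up outside this hunk, so that property should be confirmed and ideally asserted here, e.g. `[ -d "$SCRATCH" ] && [ -O "$SCRATCH" ] || return 1` before the `cat >`. Since only the owner and root ever execute it, `chmod 700` is sufficient in place of `755`. The `\$@` escape in the heredoc is correct, so vifs's arguments reach `ex` unchanged; add_nix_vol_fstab_line starts before this hunk.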
@@ -630,8 +651,9 @@ EOF
task "Configuring /etc/synthetic.conf to make a mount-point at $NIX_ROOT" >&2
# technically /etc/synthetic.d/nix is supported in Big Sur+
# but handling both takes even more code...
+ # See earlier note; `-u NONE` disables vim plugins/rc, `-n` skips swapfile
_sudo "to add Nix to /etc/synthetic.conf" \
- /usr/bin/ex /etc/synthetic.conf <<EOF
+ /usr/bin/ex -u NONE -n /etc/synthetic.conf <<EOF
:a
${NIX_ROOT:1}
.
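Review bot: The `-u NONE -n` flags and their justification now live in three places (the wrapper in add_nix_vol_fstab_line, this call, and setup_volume_daemon in the last hunk), each with a pasted `# See earlier note` comment that does not say where the note is; a single definition next to the explanatory comment, e.g. `ex_clean=(/usr/bin/ex -u NONE -n)`, used as `_sudo "to add Nix to /etc/synthetic.conf" "${ex_clean[@]}" /etc/synthetic.conf <<EOF` here and likewise in setup_volume_daemon, keeps the rationale in one spot. If the duplication is kept, at least point the comment at the function that holds the explanation: `# see add_nix_vol_fstab_line for why -u NONE -n`. The enclosing function begins before this hunk.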
@@ -670,22 +692,27 @@ encrypt_volume() {
local volume_uuid="$1"
local volume_label="$2"
local password
+
+ task "Encrypt the Nix volume" >&2
+
# Note: mount/unmount are late additions to support the right order
# of operations for creating the volume and then baking its uuid into
# other artifacts; not as well-trod wrt to potential errors, race
# conditions, etc.
- /usr/sbin/diskutil mount "$volume_label"
+ _sudo "to mount your Nix volume for encrypting" \
+ /usr/sbin/diskutil mount "$volume_label"
password="$(/usr/bin/xxd -l 32 -p -c 256 /dev/random)"
_sudo "to add your Nix volume's password to Keychain" \
/usr/bin/security -i <<EOF
add-generic-password -a "$volume_label" -s "$volume_uuid" -l "$volume_label encryption password" -D "Encrypted volume password" -j "Added automatically by the Nix installer for use by $NIX_VOLUME_MOUNTD_DEST" -w "$password" -T /System/Library/CoreServices/APFSUserAgent -T /System/Library/CoreServices/CSUserAgent -T /usr/bin/security "/Library/Keychains/System.keychain"
EOF
- builtin printf "%s" "$password" | _sudo "to encrypt your Nix volume" \
+ builtin printf "%s" "$password" | _sudo "to actually encrypt your Nix volume" \
/usr/sbin/diskutil apfs encryptVolume "$volume_label" -user disk -stdinpassphrase
- /usr/sbin/diskutil unmount force "$volume_label"
+ _sudo "to unmount the encrypted volume" \
+ /usr/sbin/diskutil unmount force "$volume_label"
}
create_volume() {
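Review bot: If the `security -i` step that records the generated password fails (denied sudo, keychain error), execution continues straight into `encryptVolume`, leaving the volume encrypted with a passphrase that exists only in this shell's memory; whether `set -e` is in force here is not visible in the hunk, and the later `printf | _sudo` pipeline would not be covered by it without `pipefail` anyway, so guard both explicitly: `/usr/bin/security -i <<EOF || return 1` on the keychain call and `... -user disk -stdinpassphrase || return 1` on the encrypt call. The same applies to the new mount line: a failed mount should stop the function rather than fall through to the keychain write. Passing the password only via stdin and the heredoc (never argv) is the right choice and is preserved by this change; encrypt_volume's opening line is outside the hunk.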
@@ -715,7 +742,8 @@ create_volume() {
# 6) getting special w/ awk may be fragile, but doing it to:
# - save time over running slow diskutil commands
# - skirt risk we grab wrong volume if multiple match
- /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount | /usr/bin/awk '/Created new APFS Volume/ {print $5}'
+ _sudo "to create a new APFS volume '$NIX_VOLUME_LABEL' on $NIX_VOLUME_USE_DISK" \
+ /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount | /usr/bin/awk '/Created new APFS Volume/ {print $5}'
}
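Review bot: The exit status of `diskutil apfs addVolume` (and of `_sudo` around it) is masked by the pipe into `awk` on the new line, so a failed or refused volume creation returns 0 with empty output, and setup_volume then proceeds with an empty special; the hunk does not show `set -o pipefail` being in effect. Capture the output first so the status is checked: `out=$(_sudo "to create a new APFS volume '$NIX_VOLUME_LABEL' on $NIX_VOLUME_USE_DISK" /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount) || return` and then `printf '%s\n' "$out" | /usr/bin/awk '/Created new APFS Volume/ {print $5}'`. The comment above the call (item 6) should also mention that an empty result means creation failed; create_volume begins before this hunk.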
volume_uuid_from_special() {
@@ -738,10 +766,12 @@ await_volume() {
setup_volume() {
local use_special use_uuid profile_packages
task "Creating a Nix volume" >&2
- # DOING: I'm tempted to wrap this call in a grep to get the new disk special without doing anything too complex, but this sudo wrapper *is* a little complex, so it'll be a PITA unless maybe we can skip sudo on this. Let's just try it without.
use_special="${NIX_VOLUME_USE_SPECIAL:-$(create_volume)}"
+ _sudo "to ensure the Nix volume is not mounted" \
+ /usr/sbin/diskutil unmount force "$use_special" || true # might not be mounted
+
use_uuid=${NIX_VOLUME_USE_UUID:-$(volume_uuid_from_special "$use_special")}
setup_fstab "$use_uuid"
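Review bot: The new unconditional `diskutil unmount force "$use_special" || true` also hides the case where `use_special` is empty, which happens whenever create_volume's output is empty because the `$(…)` inside the default expansion discards its status; the next line then calls `volume_uuid_from_special` with an empty argument. Add a guard between the assignment and the unmount: `[ -n "$use_special" ] || { printf 'could not determine the Nix volume special\n' >&2; return 1; }`. Narrowing the `|| true` comment to say it only tolerates "not currently mounted" would make the intent clear; setup_volume continues past the end of this hunk.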
@@ -759,6 +789,11 @@ setup_volume() {
await_volume
+ if [ "$(/usr/sbin/diskutil info -plist "$NIX_ROOT" | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then
+ _sudo "to set enableOwnership (enabling users to own files)" \
+ /usr/sbin/diskutil enableOwnership "$NIX_ROOT"
+ fi
+
# TODO: below is a vague kludge for now; I just don't know
# what if any safe action there is to take here. Also, the
# reminder isn't very helpful.
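Review bot: The ownership check only triggers when xmllint prints exactly `<false/>`; if `diskutil info` fails, the key is missing, or xmllint reports an error, the output is empty, the comparison is false, and `enableOwnership` is silently skipped, which is the unsafe direction for this check. Consider testing for the positive case instead, `if [ "$(…)" != "<true/>" ]; then`, so anything other than confirmed-enabled leads to enabling it (please verify `enableOwnership` is harmless on a volume that already has it). `xmllint` is also the only tool in this file invoked by bare name rather than `/usr/bin/xmllint`, which is worth aligning with the rest of the script, and the condition line is long enough that splitting the xpath into a `local` variable plus a one-line comment on why ownership is required would help; setup_volume starts and ends outside this hunk.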
@@ -786,7 +821,8 @@ setup_volume_daemon() {
local volume_uuid="$2"
if ! test_voldaemon; then
task "Configuring LaunchDaemon to mount '$NIX_VOLUME_LABEL'" >&2
- _sudo "to install the Nix volume mounter" /usr/bin/ex "$NIX_VOLUME_MOUNTD_DEST" <<EOF
+ # See earlier note; `-u NONE` disables vim plugins/rc, `-n` skips swapfile
+ _sudo "to install the Nix volume mounter" /usr/bin/ex -u NONE -n "$NIX_VOLUME_MOUNTD_DEST" <<EOF
:a
$(generate_mount_daemon "$cmd_type" "$volume_uuid")
.