Can i run `nixos-rebuild switch --flake` rootless?

Mdsp9070 · August 19, 2021, 9:30pm

I’m very new to flakes and I recently moved my main config to use it. I also use home-manager and I added as specified in it’s github readme.

Also, in the readme says that I can run nixos-rebuild switch --flake <path> as a normal user (as i understand) to generate the home config derivation.

However I have permissions issues when running as a normal user, as:

nixnad git(main)+
ﬦ nixos-rebuild switch --flake .
warning: Git tree '/home/matdsoupe/documents/privy/nixnad' is dirty
building the system configuration...
warning: Git tree '/home/matdsoupe/documents/privy/nixnad' is dirty
error: creating symlink from '/nix/var/nix/profiles/.0_system' to 'system-70-link': Permission denied

So, I need to run and switch my home/system config always with root? I need to set up in such a correct way to perform derivations as a normal user?

My complete config is here: GitHub - matdsoupe/nixnad: Config files to set up a Software development workstation!

jonringer · August 19, 2021, 9:58pm

Yes, for modifying your system, it makes sense to ensure the user has root privileges.

Or said another way, it doesn’t make sense for non-privileged users to determine the system profiles, boot entries, and system services.

Also, /nix/var is owned by root, so you need to have root privileges to change it:

$ ls -l /nix/var/
drwxr-xr-x - root  9 Sep  2019 log
drwxr-xr-x - root 14 Aug 00:00 nix

NobbZ · August 20, 2021, 5:23am

As Jon said, switching the system requires root permissions, this is as expected. building it is safe as non root though.

I’m using a wrapper that first uses nix build .#nixosConfigurations.$(hostname).config.system.build.toplevel .#homeConfigurations.$(whoami)@$(hostname).activationScript to build both, system and HM profiles.

Then I run ./result-1/activate to activate the HM profile.

Last but not least the script prints some explanation about switching system profiles and that I need to enter my password, then it runs sudo nixos-rebuild switch --flake .#$(hostname).

Currently the script is not public, as I am rewriting it in xz, which is not really as I want it so far.

Current state of the conversion can be seen at flake.lock: Update by NobbZ · Pull Request #10 · NobbZ/nixos-config · GitHub

TLATER · August 20, 2021, 9:12am

If you used to use the home-manager command to do this rootlessly, you can use the new-ish --flake switch from that: home-manager: Add --flake option to home-manager by ant-arctica · Pull Request #1856 · nix-community/home-manager · GitHub

It does mean it won’t be part of your system config though.

Mdsp9070 · August 21, 2021, 3:24am

yeah, that’s makes total sense and I agree with it, i only got confused because with legacy nix (specially home-manager) i was able to safely generate derivations as a normal user

Mdsp9070 · August 21, 2021, 3:27am

that’s awesome! i will take a look

Mdsp9070 · August 21, 2021, 3:29am

oh, that’s how was supposed to be haha

initially i wanted to split my home of my system config, as i did with legacy nix. however didn’t understand how to switch only the home config and then i chose to merge the configs.

now that i know of this option, i will split my config

jonringer · August 21, 2021, 3:31am

Creating a build, and applying changes are two different things

NobbZ · August 21, 2021, 7:12am

Even with “legacy” one had to use sudo to do a switch. In contrast nixos-rebuild build could always be used without.