Hi I’m trying to execute “nixos-rebuild switch --flake .” in a directory that isn’t /etc/nixos but I keep getting this error:
evaluation warning: The option services.samba.securityType' defined in /nix/store/ijp31jijfsn1k7lhzy42r39zj70r81di-source/samba.nix’ has been renamed to `services.samba.settings.global.security’.
error: creating symlink ‘/nix/var/nix/profiles/system-54-link.tmp-25595-1804289383’ → ‘/nix/store/30jcwwdxww96hqllv005r06wfs7y9fhh-nixos-system-nixos-25.11.20260207.23d72da’: Permission denied
Command ‘nix-env -p /nix/var/nix/profiles/system --set /nix/store/30jcwwdxww96hqllv005r06wfs7y9fhh-nixos-system-nixos-25.11.20260207.23d72da’ returned non-zero exit status 1.
I’ve also tried using “doas” but it then gives this error:
error:
… while fetching the input ‘git+file:///home/anon/.dotfiles’
error: opening Git repository "/home/anon/.dotfiles": repository path '/home/anon/.dotfiles' is not owned by current user
Command ‘nix --extra-experimental-features ‘nix-command flakes’ build --print-out-paths ‘.#nixosConfigurations.“nixos”.config.system.build.nixos-rebuild’ --no-link’ returned non-zero exit status 1.
I’d still like to not have to use doas or completely change the owner of the directory to root just for this one reboot. Is there a more sustainable way of going about this? Preferably a solution that only uses doas instead of sudo.
Sorry if this is a bit more of a newbie question, I’m pretty new to NixOS.
Obviously you can’t nixos-rebuild without some way to get root privileges to change out the system profile and run the activation script.
nixos-rebuild takes the --use-remote-sudo option, which is somewhat poorly named, as it also works when doing a local rebuild. This lets the nix build run as your user, getting around the git issue, but still have root privileges when needed. I don’t know of a way to make that use doas, however, except disguising doas as sudo, which isn’t really a good idea for a few reasons.
It should also be possible to change your git repo to accept multiple users, I think, but I’m not clear on exactly how. (EDIT: look into the core.sharedRepository git config option. I think that does it.)
A rather poor solution would also be to use path:. as your flake url, to force nix not to use git. This will copy the whole .git directory to the store during evaluation, though, which is less than ideal.
Maybe you could use a devshell with a wrapper to limit that to your NixOS config project.
Along with any other files in the repo, checked in or not. Keep this in mind; the nix store is world-readable, and remote builds will also get everything, so this is a security risk. It’s also a bad idea to have any large, temporary files in there.
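The risk raised in the two posts above (a path: flake reference copies the .git directory and every untracked file into the world-readable store), as an added example that is not part of the thread. It compares against what Git tracks; the function names and the secret-looking filename patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit what a `path:` flake reference
# would copy into the world-readable /nix/store beyond Git-tracked files.

# List untracked files in repo $1, including ones matched by .gitignore
# (no exclude options are passed, so ignore rules are not applied).
flake_untracked() {
    git -C "$1" ls-files --others
}

# Subset of untracked files whose names suggest credentials.
# The name patterns are an assumption; extend them for your own setup.
flake_suspect_secrets() {
    flake_untracked "$1" |
        grep -E -i '(^|/)(\.env|.*\.(pem|key|age)|id_(rsa|ed25519)|secrets?(\..*)?)$' || true
}

# Human-readable summary; returns 1 if any suspect file was found.
flake_path_report() {
    repo=$1
    count=$(flake_untracked "$repo" | wc -l | tr -d ' ')
    gitkb=$(du -sk "$repo/.git" | cut -f1)
    echo "untracked files copied only by path: $count"
    echo ".git directory copied only by path:  ${gitkb} KiB"
    suspects=$(flake_suspect_secrets "$repo")
    [ -z "$suspects" ] && return 0
    echo "possible secrets that would become world-readable:"
    echo "$suspects" | sed 's/^/  /'
    return 1
}

# Usage: sh audit.sh /path/to/repo  (only runs when an argument is given)
if [ $# -ge 1 ]; then
    flake_path_report "$1"
fi
```

Run it from the top level of the configuration repository before switching a flake URL to path:.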
Please be aware that doas does “build” the privileged environment differently than sudo does; it currently does not read them from PAM. This makes it miss out a lot on NixOS.
I appreciate the help a lot, but I think there may be a few issues with your justfile with regard to the directory accessed in the 2nd line of the doas-rebuild target being a read-only file system. At least on my fresh install of NixOS.
Got a bit frustrated so I’ve just switched all the files over to “/etc/nixos” and changed the permissions back to root. I might post a solution here if I eventually find it.
Just letting people coming across this thread know, for the record, when I switched over to the .dotfiles directory again, simply using --sudo seemed like the simplest way to fix the issue.
for what it’s worth, i’ve been using doas nixos-rebuild switch with success myself, with config either in /etc/nixos or (given a NIX_PATH specifying nixos-config’s location) in my home directory.
that said, i haven’t used constructs like the mentioned local input (my current nixos config isn’t flake-based).