Where does /etc/nix/nix.conf come from?

I can’t figure out where my /etc/nix/nix.conf file comes from. I looked at the install script and tarball it downloads and I don’t see it there, and searching through GitHub I can’t find any references to code that writes this out, except for the NixOS module that defines it for NixOS (which doesn’t apply to me).

Specifically, I have a single-user Darwin install, but I noticed today that the /etc/nix/nix.conf on this machine appears to date from an older multi-user install (based on the build-users-group entry). It also didn’t have extra-sandbox-paths defined, so the darwin system framework impurities (e.g. the fact that we need to link against system-supplied CoreFoundation, etc) was causing build failures once I turned on the sandbox.

I compared my file against the same file on my other computer and that file looked correct (no build-users-group, and it whitelisted /System/Library/Frameworks, among other paths, in extra-sandbox-paths). For the time being I’m just copying that nix.conf, but I’d really like to confirm that this nix.conf matches what I should get on a fresh single-user install (obviously without wiping my Nix and reinstalling).

I think I’ve figured it out.

For a single-user install, there is no default nix.conf.

A multi-user install sets up a default nix.conf. Today it only contains build-users-group = nixbld, but in the past it defined max-jobs and cores. On both of my machines I had a multi-user install at some point that I replaced with a single-user install. In both cases I must have forgotten to delete this file first. Similarly, on my desktop I must have edited it to remove build-users-group = nixbld and forgotten.

The extra-sandbox-paths comes from a recommendation by @LnL7 on an issue I filed 5 months ago, which I completely forgot about.

In any case, regarding sandboxing on Darwin, I’ve filed an issue about using __impureHostDeps for the system frameworks.