Workaround a sandboxing issues

https://github.com/NixOS/nix/issues/4119
2023-12-26 21:40:20 -06:00 · 2023-12-26 21:40:20 -06:00 · ff8a7082ed
commit ff8a7082ed
parent eac01c9ab3
1 changed files with 8 additions and 2 deletions
--- a/nix/darwin/darwin-configuration.nix
+++ b/nix/darwin/darwin-configuration.nix
@ -1,9 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, config, lib, ... }:
 {

  nix = {
    package = pkgs.nix;
-    settings.sandbox = true;
+    # SEE: https://github.com/NixOS/nix/issues/4119#issuecomment-1734738812
+    settings.sandbox = "relaxed";
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
@ -52,6 +53,11 @@
  # programs.bash.enable = true;  # default shell on catalina
  # programs.fish.enable = true;

+   system.systemBuilderArgs = lib.mkIf (config.nix.settings.sandbox == "relaxed") {
+      sandboxProfile = ''
+        (allow file-read* file-write* process-exec mach-lookup (subpath "${builtins.storeDir}"))
+      '';
+    };
  # Used for backwards compatibility, please read the changelog before changing.
  # $ darwin-rebuild changelog
  system.stateVersion = 4;