Darwin Builder Setup
The rest of the instructions assume nix was installed with the daemon enabled.
```sh
sh <(curl -L https://nixos.org/nix/install) --daemon
```
Since nix-darwin includes a service module for ofborg, it is probably the easiest way to set up a builder on macOS. To get started, follow the installer instructions.
First, get the ofborg sources. This can be done with a local clone or with a GitHub channel, like this:
```sh
# Configure ofborg channel.
nix-channel --add https://github.com/NixOS/ofborg/archive/released.tar.gz ofborg
nix-channel --update
```
Set up the config file. Do not keep it in the Nix store: without sandboxing, builds can read the entire store on the host, which would expose the secrets in the config.
```sh
# Setup config
sudo mkdir -p /var/lib/ofborg
sudo $EDITOR /var/lib/ofborg/config.json
```
NOTE: Make sure to reference /private/var or /private/tmp in the config instead of their symlinks in /, otherwise strict evaluation will refuse to evaluate the expressions of builds.
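A small check for the two config mistakes warned about above (a config kept in the Nix store, and paths inside it that go through the /var or /tmp symlinks instead of /private). This is an added example, not part of ofborg or nix-darwin, and the JSON keys it scans are not assumed to be any particular ofborg option; it simply inspects every string value that looks like an absolute path.

```sh
# Added check, not ofborg or nix-darwin code: reject config values that the
# setup notes warn against (store paths, and /var or /tmp symlink paths that
# strict evaluation refuses).

# check_ofborg_path PATH
# Returns 0 if PATH is acceptable, 1 (with a reason on stderr) otherwise.
check_ofborg_path() {
  case "$1" in
    /nix/store/*)
      echo "reject: $1 is in the Nix store; unsandboxed builds can read it" >&2
      return 1 ;;
    /var|/var/*|/tmp|/tmp/*)
      echo "reject: $1 goes through a symlink; use /private$1 instead" >&2
      return 1 ;;
  esac
  return 0
}

# check_ofborg_config FILE
# Scans every JSON string value in FILE that starts with "/" and runs
# check_ofborg_path on it. Paths containing whitespace are not handled.
check_ofborg_config() {
  file=$1
  if [ ! -r "$file" ]; then
    echo "reject: cannot read $file" >&2
    return 1
  fi
  rc=0
  for p in $(grep -o '"/[^"]*"' "$file" | tr -d '"'); do
    check_ofborg_path "$p" || rc=1
  done
  return $rc
}

# Usage: sh check-ofborg-config.sh /var/lib/ofborg/config.json
# (where the file itself lives is not checked; only the values inside it)
if [ $# -gt 0 ]; then
  check_ofborg_config "$1"
fi
```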
There is an example darwin-configuration.nix that can be used as a starting point. It includes some useful defaults, such as automatic garbage collection.
```sh
# Install nix-darwin.
mkdir ~/.nixpkgs
curl -o ~/.nixpkgs/darwin-configuration.nix https://raw.githubusercontent.com/LnL7/nix-darwin/master/modules/examples/ofborg.nix
nix-shell https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A installer
```
NOTE: Some options, like nix.buildCores, probably don't have a good default value; edit those before or during the install process.
Sandboxing isn't enabled by default on darwin and still has some quirks when used out of the box with the stable version of nix. The following options loosen the sandbox enough for most things to work while still preventing obvious violations.
```nix
{
  nix.useSandbox = true;
  nix.sandboxPaths = [ "/System/Library/Frameworks" "/System/Library/PrivateFrameworks" "/usr/bin/env" "/bin/sh" "/bin/bash" "/usr/lib" "/private/tmp" "/private/var/tmp" ];
}
```