From 8b196b54cb1ed7bfa66b636dac84a445e8347021 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Wed, 1 Mar 2023 21:26:39 -0500
Subject: [PATCH] home: Add buildEnvWithNoChroot to help avoid darwin sandbox failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allows setting `__noChroot = true` on select derivations that assemble large numbers of paths. This may be used to avoid sandbox failures on darwin, see https://github.com/NixOS/nix/issues/4119 and the `sandbox` option in `man nix.conf`. I wish there was a way to do something akin to overlays for config, alas there is not afaik, so the only way is to add an option. Since this is opt-in, anyone enabling it thus understands the “risks” of disabling the sandbox, however the risk for these derivations should be fairly low, and this allows enabling the sandbox more generally on Darwin, which is beneficial. I have only added to the derivations that started giving me problems, others may suffer from others but these are definitely likely to have huge dependency lists therefore exposing the problem. Despite this being intended only for use on Darwin, it is left somewhat generic and thus up to the user to do set it to e.g. `stdenv.hostPlatform.isDarwin`.
---
 modules/home-environment.nix | 26 ++++++++++++++++++++------
 modules/targets/darwin/fonts.nix | 4 ++--
 modules/targets/darwin/linkapps.nix | 5 +++--
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/modules/home-environment.nix b/modules/home-environment.nix
index 59497ec4..773d8a79 100644
--- a/modules/home-environment.nix
+++ b/modules/home-environment.nix
@@ -474,6 +474,14 @@ in
 '';
 };
+ home.buildEnvWithNoChroot = mkEnableOption ''
+ Sets __noChroot = true on select buildEnv
+ derivations that assemble large numbers of paths, as well the activation
+ script derivations. This may be used to avoid sandbox failures on Darwin,
+ see https://github.com/NixOS/nix/issues/4119 and the sandbox
+ option in man nix.conf.
+ '';
+
 home.preferXdgDirectories = mkEnableOption "" // {
 description = ''
 Whether to make programs use XDG directories whenever supported.
@@ -701,7 +709,7 @@ in
 ) + optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH";
- activationScript = pkgs.writeShellScript "activation-script" ''
+ activationScript = (pkgs.writeShellScript "activation-script" ''
 set -eu
 set -o pipefail
@@ -718,9 +726,11 @@ in
 fi
 ${activationCmds}
- '';
+ '').overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
 in
- pkgs.runCommand
+ (pkgs.runCommand
 "home-manager-generation"
 {
 preferLocalBuild = true;
@@ -742,9 +752,11 @@ in
 ln -s ${cfg.path} $out/home-path
 ${cfg.extraBuilderCommands}
- '';
+ '').overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
- home.path = pkgs.buildEnv {
+ home.path = (pkgs.buildEnv {
 name = "home-manager-path";
 paths = cfg.packages;
@@ -755,6 +767,8 @@ in
 meta = {
 description = "Environment of packages installed through home-manager";
 };
- };
+ }).overrideAttrs (old: {
+ __noChroot = cfg.buildEnvWithNoChroot;
+ });
 };
 }
diff --git a/modules/targets/darwin/fonts.nix b/modules/targets/darwin/fonts.nix
index 988c5edc..e1f905de 100644
--- a/modules/targets/darwin/fonts.nix
+++ b/modules/targets/darwin/fonts.nix
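Review bot: The option description for `home.buildEnvWithNoChroot` does not say under which nix.conf setting `__noChroot` actually does anything: as far as I recall Nix's sandbox handling, the attribute is only honoured with `sandbox = relaxed`, is a no-op with `sandbox = false`, and with the default `sandbox = true` Nix refuses to build a derivation that sets it, so enabling this option on a strictly sandboxed host turns a working build into a failing one. I would extend the `mkEnableOption` string in this hunk with `Requires sandbox = relaxed in nix.conf; with sandbox = true Nix rejects derivations that set __noChroot, and with sandbox = false the attribute has no effect. When it takes effect the affected builders run with full access to the host filesystem and network.` so the trade-off is visible where the option is enabled, not only in the commit message. While there, "as well the activation" reads as a typo for "as well as the activation".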
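Review bot: `__noChroot = cfg.buildEnvWithNoChroot;` stamps the attribute into the activation-script derivation unconditionally, so with the option left off every user still gets `__noChroot = false` in the derivation environment, which I believe changes the derivation hash and rebuilds it once for everyone even though nothing about the build changed. Guarding the attribute keeps the default path identical to before: `'').overrideAttrs (old: optionalAttrs cfg.buildEnvWithNoChroot { __noChroot = true; });` (`optionalAttrs` comes from `lib`, which this file already uses unqualified for `mkEnableOption` and `optionalString`). The `old` argument of the callback is unused here and in the other four call sites. The `let` binding that builds `activationScript` begins outside this hunk.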
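Review bot: The `home-manager-generation` derivation that now gets `__noChroot` also executes `${cfg.extraBuilderCommands}`, i.e. arbitrary user-supplied shell, so when the option is on and the sandbox is relaxed that shell runs with host filesystem and network access; neither the option description ("select buildEnv derivations ... the activation script derivations") nor the commit message mention this derivation. It is the user's own configuration, so the exposure is limited, but the description should name it so the boundary is explicit, e.g. `Also applies to the home-manager-generation derivation, so home.extraBuilderCommands then runs outside the sandbox.` The `pkgs.runCommand` call that this hunk closes starts in the previous hunk.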
@@ -4,11 +4,11 @@ with lib;
 let
 homeDir = config.home.homeDirectory;
- fontsEnv = pkgs.buildEnv {
+ fontsEnv = (pkgs.buildEnv {
 name = "home-manager-fonts";
 paths = config.home.packages;
 pathsToLink = "/share/fonts";
- };
+ }).overrideAttrs (old: { __noChroot = config.home.buildEnvWithNoChroot; });
 fonts = "${fontsEnv}/share/fonts";
 installDir = "${homeDir}/Library/Fonts/HomeManager";
 in {
diff --git a/modules/targets/darwin/linkapps.nix b/modules/targets/darwin/linkapps.nix
index 0d434234..871d33d6 100644
--- a/modules/targets/darwin/linkapps.nix
+++ b/modules/targets/darwin/linkapps.nix
@@ -4,11 +4,12 @@
 config = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin {
 # Install MacOS applications to the user environment.
 home.file."Applications/Home Manager Apps".source = let
- apps = pkgs.buildEnv {
+ apps = (pkgs.buildEnv {
 name = "home-manager-applications";
 paths = config.home.packages;
 pathsToLink = "/Applications";
- };
+ }).overrideAttrs
+ (old: { __noChroot = config.home.buildEnvWithNoChroot; });
 in "${apps}/Applications";
 };
 }
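Review bot: The `overrideAttrs (old: { __noChroot = config.home.buildEnvWithNoChroot; })` fragment applied to `fontsEnv` here is the same text copied to five derivations across three files, so any later refinement of the policy (for instance only setting the attribute when the option is on, or restricting it to Darwin) has to be repeated at each site. A helper defined once in home-environment.nix and exposed the way other module helpers are (through `config.lib`, if I recall the module conventions correctly), e.g. `withNoChroot = drv: drv.overrideAttrs (_: { __noChroot = config.home.buildEnvWithNoChroot; });`, would let this read `fontsEnv = config.lib.hm.withNoChroot (pkgs.buildEnv { ... });` and keep the decision in one place. The `old` argument is unused in every copy and could be `_`.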