From c2142de399ce7f0218e0122a3b3bf81b1c69755c Mon Sep 17 00:00:00 2001 From: Linnnus Date: Sun, 19 Jan 2025 19:55:25 +0100 Subject: Enable sandbox on Darwin (with some caveats) --- shared/darwin/common-nix-settings/default.nix | 3 +-- shared/darwin/common-nix-settings/sandbox.nix | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 shared/darwin/common-nix-settings/sandbox.nix diff --git a/shared/darwin/common-nix-settings/default.nix b/shared/darwin/common-nix-settings/default.nix index 16d0fd6..efba07e 100644 --- a/shared/darwin/common-nix-settings/default.nix +++ b/shared/darwin/common-nix-settings/default.nix @@ -6,7 +6,6 @@ { imports = [ ../../nixos-and-darwin/common-nix-settings + ./sandbox.nix ]; - - nix.settings.sandbox = "relaxed"; } diff --git a/shared/darwin/common-nix-settings/sandbox.nix b/shared/darwin/common-nix-settings/sandbox.nix new file mode 100644 index 0000000..71c9d57 --- /dev/null +++ b/shared/darwin/common-nix-settings/sandbox.nix @@ -0,0 +1,20 @@ +# This module enables building using the sandbox on Darwin. +{ + nix.settings.sandbox = "relaxed"; + + # Fixes "pattern serialization length ┅ exceeds maximum (65535)" error when + # building derivations that use a lot of paths. + # + # In the thread linked below, someone also suggested just building the + # top-level system derivation with more lax sandboxing (via the hidden option + # `system.systemBuilderArgs`), but that doesn't fix the large derivations + # that HM builds. When nix-community/home-manager#3729 is merged, this + # approach might become appropriate. + # + # The more selective approach described above would be preferable, since the + # current solution partially negates the value of the store. + # + # See: https://github.com/NixOS/nix/issues/4119#issuecomment-2561973914 + # FIXME: Use the approach above when #3729 is merged. + nix.settings.extra-sandbox-paths = [builtins.storeDir]; +} -- cgit v1.2.3