michaelglass/nixify.sh

## nixify.sh
#!/bin/bash
set -euo pipefail

# uncomment to debug
# set -x

echo "1️⃣. Does catalina know to create the nix directory?"
if ! grep nix /etc/synthetic.conf > /dev/null 2>&1; then
  echo "nix missing from /etc/synthetic.conf. Adding it (will request sudo)"
  echo "nix" | sudo tee -a /etc/synthetic.conf > /dev/null
else
  echo "nix detected in /etc/synthetic.conf. Catalina will autogenerate."
fi


echo "2️⃣. Does the /nix directory exist?"
if [ ! -d "/nix" ]; then
  echo "/nix directory not yet created. please reboot"
  exit 0
else
  echo "/nix exists!"
fi

echo "3️⃣. Is the Nix volume created?"
if ! diskutil info Nix > /dev/null 2>&1; then
  echo "nix volume not created."
  PASSPHRASE=$(openssl rand -base64 32)
  echo "Creating encrypted APFS volume with passphrase: $PASSPHRASE"
  echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
  set -x
  sudo diskutil apfs addVolume disk1 'Case-sensitive APFS' Nix -mountpoint /nix -passphrase "$PASSPHRASE"
  set +x
  echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"

  UUID=$(diskutil info -plist /nix | plutil -extract VolumeUUID xml1 - -o - | plutil -p - | sed -e 's/"//g')

  echo "writing nix passphrase to your keychain"
  echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
  set -x
  security add-generic-password -l Nix -a "$UUID" -s "$UUID" -D "Encrypted Volume Password" -w "$PASSPHRASE" \
    -T "/System/Library/CoreServices/APFSUserAgent" -T "/System/Library/CoreServices/CSUserAgent"
  set +x
  echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
else
  echo "nix volume already created"
fi

echo "4️⃣. Is ownership enabled on the volume?"
if ! diskutil info /nix | grep -E "Owners:\s+Enabled" > /dev/null; then
  echo "enabling ownership on nix volume (I'm not totally sure why!)"
  echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
  set -x
  sudo diskutil enableOwnership /nix
  set +x
  echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
else
  echo "ownership on nix volume already enabled "
fi

echo "5️⃣. Will OSX load the volume on boot?"
if ! grep nix /etc/fstab > /dev/null; then
  echo "enabling automount of nix volume"

  # we explicitly want unescaped in this printf, so ignore shellcheck
  # shellcheck disable=SC2016
  printf '$a\nLABEL=Nix /nix apfs rw\n.\nwq\n' |
    EDITOR='ed' sudo vifs >/dev/null
else
  echo "automount of nix volume already enabled"
fi

echo "6️⃣. is nix installed?"
# we use /nix/store existance as a proxy for checking if nix is installed
if [ ! -d /nix/store ]; then
  echo "nix has not yet been initialized ..."
  echo "6️⃣.1️⃣ do we have a previous version of nix?"
  if [ -d /Users/Shared/Relocated\ Items/Security/nix/ ]; then
    echo "detected nix from before catalina upgrade."
    echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"

    echo "making temp dir"
    set -x
    mkdir -p /nix/temp
    set +x

    echo "copying into temp dir (this will probably take a while!)"
    echo "we use a temp dir to make it more clear when the rsync has finished"
    # we use /nix/store as a proxy for, "nix has been setup"
    # we rsync to /nix/temp to know that only _after_ rsync is done,
    # if rsync is cancelled mid-completion, it can be restarted with this script
    set -x
    sudo rsync -aH /Users/Shared/Relocated\ Items/Security/nix/ /nix/temp
    set +x

    echo "moving from temp dir to parent"
    set -x
    mv /nix/temp/* /nix
    rm -rf /nix/temp
    set +x

    echo "ensuring you're the owner of nix"
    set -x
    sudo chown -R "$(whoami)" /nix
    set +x

    echo "removing pre-relocated items"
    set -x
    sudo rm -rf /Users/Shared/Relocated\ Items/Security/nix
    set +x
    echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
  else
    echo "Detected no previous nix. Installing fresh"
    set -x
    curl https://nixos.org/nix/install | sh
    set +x
  fi
else
  echo "Nix has already been installed ..."
fi

echo "🎉done!🎉
please start another terminal and I think you should be good to go.

p.s. Previously, nix started an agent and I couldn't figure it out on my system... If you know more, please dig in.
"
	#!/bin/bash
	set -euo pipefail

	# uncomment to debug
	# set -x

	echo "1️⃣. Does catalina know to create the nix directory?"
	if ! grep nix /etc/synthetic.conf > /dev/null 2>&1; then
	echo "nix missing from /etc/synthetic.conf. Adding it (will request sudo)"
	echo "nix" \| sudo tee -a /etc/synthetic.conf > /dev/null
	else
	echo "nix detected in /etc/synthetic.conf. Catalina will autogenerate."
	fi


	echo "2️⃣. Does the /nix directory exist?"
	if [ ! -d "/nix" ]; then
	echo "/nix directory not yet created. please reboot"
	exit 0
	else
	echo "/nix exists!"
	fi

	echo "3️⃣. Is the Nix volume created?"
	if ! diskutil info Nix > /dev/null 2>&1; then
	echo "nix volume not created."
	PASSPHRASE=$(openssl rand -base64 32)
	echo "Creating encrypted APFS volume with passphrase: $PASSPHRASE"
	echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
	set -x
	sudo diskutil apfs addVolume disk1 'Case-sensitive APFS' Nix -mountpoint /nix -passphrase "$PASSPHRASE"
	set +x
	echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"

	UUID=$(diskutil info -plist /nix \| plutil -extract VolumeUUID xml1 - -o - \| plutil -p - \| sed -e 's/"//g')

	echo "writing nix passphrase to your keychain"
	echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
	set -x
	security add-generic-password -l Nix -a "$UUID" -s "$UUID" -D "Encrypted Volume Password" -w "$PASSPHRASE" \
	-T "/System/Library/CoreServices/APFSUserAgent" -T "/System/Library/CoreServices/CSUserAgent"
	set +x
	echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
	else
	echo "nix volume already created"
	fi

	echo "4️⃣. Is ownership enabled on the volume?"
	if ! diskutil info /nix \| grep -E "Owners:\s+Enabled" > /dev/null; then
	echo "enabling ownership on nix volume (I'm not totally sure why!)"
	echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"
	set -x
	sudo diskutil enableOwnership /nix
	set +x
	echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
	else
	echo "ownership on nix volume already enabled "
	fi

	echo "5️⃣. Will OSX load the volume on boot?"
	if ! grep nix /etc/fstab > /dev/null; then
	echo "enabling automount of nix volume"

	# we explicitly want unescaped in this printf, so ignore shellcheck
	# shellcheck disable=SC2016
	printf '$a\nLABEL=Nix /nix apfs rw\n.\nwq\n' \|
	EDITOR='ed' sudo vifs >/dev/null
	else
	echo "automount of nix volume already enabled"
	fi

	echo "6️⃣. is nix installed?"
	# we use /nix/store existance as a proxy for checking if nix is installed
	if [ ! -d /nix/store ]; then
	echo "nix has not yet been initialized ..."
	echo "6️⃣.1️⃣ do we have a previous version of nix?"
	if [ -d /Users/Shared/Relocated\ Items/Security/nix/ ]; then
	echo "detected nix from before catalina upgrade."
	echo "⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇ ⬇"

	echo "making temp dir"
	set -x
	mkdir -p /nix/temp
	set +x

	echo "copying into temp dir (this will probably take a while!)"
	echo "we use a temp dir to make it more clear when the rsync has finished"
	# we use /nix/store as a proxy for, "nix has been setup"
	# we rsync to /nix/temp to know that only _after_ rsync is done,
	# if rsync is cancelled mid-completion, it can be restarted with this script
	set -x
	sudo rsync -aH /Users/Shared/Relocated\ Items/Security/nix/ /nix/temp
	set +x

	echo "moving from temp dir to parent"
	set -x
	mv /nix/temp/* /nix
	rm -rf /nix/temp
	set +x

	echo "ensuring you're the owner of nix"
	set -x
	sudo chown -R "$(whoami)" /nix
	set +x

	echo "removing pre-relocated items"
	set -x
	sudo rm -rf /Users/Shared/Relocated\ Items/Security/nix
	set +x
	echo "⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆ ⬆"
	else
	echo "Detected no previous nix. Installing fresh"
	set -x
	curl https://nixos.org/nix/install \| sh
	set +x
	fi
	else
	echo "Nix has already been installed ..."
	fi

	echo "🎉done!🎉
	please start another terminal and I think you should be good to go.

	p.s. Previously, nix started an agent and I couldn't figure it out on my system... If you know more, please dig in.
	"