Axklen · March 18, 2023 17:44 · Dec 18, 2022 · Jul 14, 2022 · Jun 30, 2022 · Jun 30, 2022
diff --git a/README.md b/README.md
@@ -29,6 +29,21 @@ If you are running Fedora Silverblue, you will need to follow these extra steps.
 sudo mkdir /var/nix
 ```
 
+### SELinux
+
+You will want to the SELinux contexts for the mounted directory paths as well, it seems to help avoid some weird issues periodically.
+
+```bash
+sudo semanage fcontext -a -t etc_t '/var/nix/store/[^/]+/etc(/.*)?'
+sudo semanage fcontext -a -t lib_t '/var/nix/store/[^/]+/lib(/.*)?'
+sudo semanage fcontext -a -t systemd_unit_file_t '/var/nix/store/[^/]+/lib/systemd/system(/.*)?'
+sudo semanage fcontext -a -t man_t '/var/nix/store/[^/]+/man(/.*)?'
+sudo semanage fcontext -a -t bin_t '/var/nix/store/[^/]+/s?bin(/.*)?'
+sudo semanage fcontext -a -t usr_t '/var/nix/store/[^/]+/share(/.*)?'
+sudo semanage fcontext -a -t var_run_t '/var/nix/var/nix/daemon-socket(/.*)?'
+sudo semanage fcontext -a -t usr_t '/var/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+```
+
 ### `/etc/systemd/system/[email protected]`
 ```unit file (systemd)
 [Unit]
@@ -89,6 +104,8 @@ If you are running Fedora Workstation, you are now ready to rock!  If you are ru
 
 If you are running Fedora Silverblue, you will need to run these additional steps.  Most likely the installation errored out while setting up systemd.  SELinux on Silverblue prevents systemd from loading the units linked by Nix, while the best solution would be to add a policy or package Nix as an RPM, we will just manually copy the units ourselves.
 
+*TODO: Find a way to link the units, that way whenever Nix is updated you don't need to manually edit or copy the units.*
+
 ```bash
 # Remove the linked services
 sudo rm -f /etc/systemd/system/nix-daemon.{service,socket}

diff --git a/README.md b/README.md
@@ -33,8 +33,10 @@ sudo mkdir /var/nix
 ```unit file (systemd)
 [Unit]
 Description=Enable mount points in / for ostree
-DefaultDependencies=no
 ConditionPathExists=!%f
+DefaultDependencies=no
+Requires=local-fs-pre.target
+After=local-fs-pre.target
 
 [Service]
 Type=oneshot
@@ -47,19 +49,18 @@ ExecStopPost=chattr +i /
 ```unit file (systemd)
 [Unit]
 Description=Nix Package Manager
+DefaultDependencies=no
 [email protected]
 [email protected]
-Requires=var.mount
-Before=nix-daemon.socket
+Before=sockets.target
+After=ostree-remount.service
+BindsTo=var.mount
 
 [Mount]
 What=/var/nix
 Where=/nix
 Options=bind
 Type=none
-
-[Install]
-WantedBy=local-fs.target
 ```
 
 Enable and mount the nix mount and reset the SELinux context. 
@@ -99,6 +100,13 @@ sudo systemctl daemon-reload
 sudo systemctl enable --now nix-daemon.socket
 ```
 
+Optionally, you may manually modify the `nix-daemon` units to add a bind to `nix.mount` to ensure the units activate and deactivate properly if the mount fails or if the mount is unmounted while the daemon is running.  Place the following at the bottom of the `[Unit]` section in both the `nix-daemon.socket` and `nix-daemon.service` units.
+
+```
+After=nix.mount
+BindsTo=nix.mount
+```
+
 You have just installed Nix and should be ready to rock!
 
 NOTE: the `nix-daemon.socket` unit will automatically start `nix-daemon.service` whenever it is needed, there is no need to enable or manually start the service.
diff --git a/README.md b/README.md
@@ -50,6 +50,7 @@ Description=Nix Package Manager
 [email protected]
 [email protected]
 Requires=var.mount
+Before=nix-daemon.socket
 
 [Mount]
 What=/var/nix

diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ ExecStopPost=chattr +i /
 Description=Nix Package Manager
 [email protected]
 [email protected]
+Requires=var.mount
 
 [Mount]
 What=/var/nix

diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ ExecStopPost=chattr +i /
 ### `/etc/systemd/system/nix.mount`
 ```unit file (systemd)
 [Unit]
+Description=Nix Package Manager
 [email protected]
 [email protected]
 

diff --git a/README.md b/README.md
@@ -59,21 +59,6 @@ Type=none
 WantedBy=local-fs.target
 ```
 
-### `/etc/systemd/system/nix-boot.service`
-```unit file (systemd)
-[Unit]
-Description=Start nix-daemon.socket after nix.mount
-Requires=nix.mount
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl daemon-reload
-ExecStartPost=/usr/bin/systemctl start nix-daemon.socket
-
-[Install]
-WantedBy=multi-user.target
-```
-
 Enable and mount the nix mount and reset the SELinux context. 
 ```bash
 # Ensure systemd picks up the newly created units
@@ -82,8 +67,6 @@ sudo systemctl daemon-reload
 sudo systemctl enable nix.mount
 # Mount the nix mount now.
 sudo systemctl start nix.mount
-# Enable the nix-boot service so Nix is loaded by systemd on boot properly
-sudo systemctl enable nix-boot.service
 # R = recurse, F = full context (not just target)
 sudo restorecon -RF /nix
 ```
@@ -96,4 +79,23 @@ After you have configured SELinux (and if you are on Silverblue, configured a `/
 sh <(curl -L https://nixos.org/nix/install) --daemon
 ```
 
-You have just installed Nix and should be ready to rock!
+If you are running Fedora Workstation, you are now ready to rock!  If you are running Fedora Silverblue, you will need to do some additional configuration.
+
+### Fedora Silverblue
+
+If you are running Fedora Silverblue, you will need to run these additional steps.  Most likely the installation errored out while setting up systemd.  SELinux on Silverblue prevents systemd from loading the units linked by Nix, while the best solution would be to add a policy or package Nix as an RPM, we will just manually copy the units ourselves.
+
+```bash
+# Remove the linked services
+sudo rm -f /etc/systemd/system/nix-daemon.{service,socket}
+# Manually copy the services
+sudo cp /var/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.{service,socket} /etc/systemd/system/
+# Ensure systemd picks up the newly created units
+sudo systemctl daemon-reload
+# Start (and enable) the nix-daemon socket
+sudo systemctl enable --now nix-daemon.socket
+```
+
+You have just installed Nix and should be ready to rock!
+
+NOTE: the `nix-daemon.socket` unit will automatically start `nix-daemon.service` whenever it is needed, there is no need to enable or manually start the service.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ sudo mkdir /var/nix
 ```
 
 ### `/etc/systemd/system/[email protected]`
-```
+```unit file (systemd)
 [Unit]
 Description=Enable mount points in / for ostree
 DefaultDependencies=no
@@ -44,7 +44,7 @@ ExecStopPost=chattr +i /
 ```
 
 ### `/etc/systemd/system/nix.mount`
-```
+```unit file (systemd)
 [Unit]
 [email protected]
 [email protected]
@@ -59,6 +59,21 @@ Type=none
 WantedBy=local-fs.target
 ```
 
+### `/etc/systemd/system/nix-boot.service`
+```unit file (systemd)
+[Unit]
+Description=Start nix-daemon.socket after nix.mount
+Requires=nix.mount
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl daemon-reload
+ExecStartPost=/usr/bin/systemctl start nix-daemon.socket
+
+[Install]
+WantedBy=multi-user.target
+```
+
 Enable and mount the nix mount and reset the SELinux context. 
 ```bash
 # Ensure systemd picks up the newly created units
@@ -67,6 +82,8 @@ sudo systemctl daemon-reload
 sudo systemctl enable nix.mount
 # Mount the nix mount now.
 sudo systemctl start nix.mount
+# Enable the nix-boot service so Nix is loaded by systemd on boot properly
+sudo systemctl enable nix-boot.service
 # R = recurse, F = full context (not just target)
 sudo restorecon -RF /nix
 ```
@@ -79,17 +96,4 @@ After you have configured SELinux (and if you are on Silverblue, configured a `/
 sh <(curl -L https://nixos.org/nix/install) --daemon
 ```
 
-If you are on Fedora Workstation, you have just installed Nix and should be ready to rock!
-
----
-
-If you are on Fedora Silverblue, you will need to run a few more commands:
-```bash
-sudo rm /etc/systemd/system/nix-daemon.service
-sudo rm /etc/systemd/system/nix-daemon.socket
-sudo systemctl link /var/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.service
-sudo systemctl link /var/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.socket
-sudo systemctl add-requires nix-daemon.socket nix.mount
-```
-
-This links the nix services from `/var/nix` rather than `/nix` which fixes an issue where the units would not start automatically on boot due to systemd not being able to find the services files until `nix.mount` gets mounted.  It also adds a requirement that `nix.mount` be mounted before `nix-daemon.socket` is able to start.
+You have just installed Nix and should be ready to rock!
diff --git a/README.md b/README.md
@@ -92,4 +92,4 @@ sudo systemctl link /var/nix/var/nix/profiles/default/lib/systemd/system/nix-dae
 sudo systemctl add-requires nix-daemon.socket nix.mount
 ```
 
-This links the nix services from `/var/nix` rather than `/nix` which fixes an issue where the units would not start automatically on boot due to systemd not finding the services files due to them missing until `nix.mount` gets mounted.  It also adds a requirement that `nix.mount` be mounted before `nix-daemon.socket` can start.
+This links the nix services from `/var/nix` rather than `/nix` which fixes an issue where the units would not start automatically on boot due to systemd not being able to find the services files until `nix.mount` gets mounted.  It also adds a requirement that `nix.mount` be mounted before `nix-daemon.socket` is able to start.
diff --git a/README.md b/README.md
@@ -18,6 +18,8 @@ sudo semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
 sudo semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
 ```
 
+If you are on Fedora Workstation, skip past the [Fedora Silverblue](#fedora-silverblue) section down to [Install Nix](#install-nix)
+
 ## Fedora Silverblue
 
 If you are running Fedora Silverblue, you will need to follow these extra steps.
@@ -71,15 +73,17 @@ sudo restorecon -RF /nix
 
 ## Install Nix
 
+After you have configured SELinux (and if you are on Silverblue, configured a `/nix` mount), it's time to install [Nix](https://github.com/NixOS/nix).
+
 ```bash
-# Install NixOS normally
 sh <(curl -L https://nixos.org/nix/install) --daemon
 ```
 
 If you are on Fedora Workstation, you have just installed Nix and should be ready to rock!
 
-If you are on Fedora Silverblue, you will need to run the following:
+---
 
+If you are on Fedora Silverblue, you will need to run a few more commands:
 ```bash
 sudo rm /etc/systemd/system/nix-daemon.service
 sudo rm /etc/systemd/system/nix-daemon.socket

diff --git a/README.md b/README.md
@@ -1,6 +1,33 @@
-# NixOS on Fedora Silverblue
+# NixOS on Fedora
 
-/etc/systemd/system/[email protected]
+Please note that these instructions are not offically supported or condoned by Nix and are not guaranteed to always work, but from my testing everything seems to work perfectly fine.
+
+These steps may not be required if https://github.com/NixOS/nix/issues/2374 is resolved.
+
+## SELinux
+
+These commands are required for both Fedora Workstation and Fedora Silverblue
+```bash
+sudo semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?'
+sudo semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?'
+sudo semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
+sudo semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?'
+sudo semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?'
+sudo semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
+sudo semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
+sudo semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+```
+
+## Fedora Silverblue
+
+If you are running Fedora Silverblue, you will need to follow these extra steps.
+
+### Create the nix directory in a persistent location
+```bash
+sudo mkdir /var/nix
+```
+
+### `/etc/systemd/system/[email protected]`
 ```
 [Unit]
 Description=Enable mount points in / for ostree
@@ -14,7 +41,7 @@ ExecStart=mkdir -p '%f'
 ExecStopPost=chattr +i /
 ```
 
-/etc/systemd/system/nix.mount
+### `/etc/systemd/system/nix.mount`
 ```
 [Unit]
 [email protected]
@@ -30,28 +57,35 @@ Type=none
 WantedBy=local-fs.target
 ```
 
-SELinux
-```bash
-sudo semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?'
-sudo semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?'
-sudo semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
-sudo semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?'
-sudo semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?'
-sudo semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
-sudo semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
-sudo semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
-```
-
+Enable and mount the nix mount and reset the SELinux context. 
 ```bash
+# Ensure systemd picks up the newly created units
 sudo systemctl daemon-reload
-sudo systemctl enable --now nix.mount
+# Enable the nix mount on boot.
+sudo systemctl enable nix.mount
+# Mount the nix mount now.
+sudo systemctl start nix.mount
 # R = recurse, F = full context (not just target)
 sudo restorecon -RF /nix
 ```
 
+## Install Nix
+
 ```bash
-# Make sure systemd isn't caching any SELinux policies
-sudo systemctl daemon-reload
 # Install NixOS normally
 sh <(curl -L https://nixos.org/nix/install) --daemon
 ```
+
+If you are on Fedora Workstation, you have just installed Nix and should be ready to rock!
+
+If you are on Fedora Silverblue, you will need to run the following:
+
+```bash
+sudo rm /etc/systemd/system/nix-daemon.service
+sudo rm /etc/systemd/system/nix-daemon.socket
+sudo systemctl link /var/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.service
+sudo systemctl link /var/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.socket
+sudo systemctl add-requires nix-daemon.socket nix.mount
+```
+
+This links the nix services from `/var/nix` rather than `/nix` which fixes an issue where the units would not start automatically on boot due to systemd not finding the services files due to them missing until `nix.mount` gets mounted.  It also adds a requirement that `nix.mount` be mounted before `nix-daemon.socket` can start.
diff --git a/README.md b/README.md
@@ -0,0 +1,57 @@
+# NixOS on Fedora Silverblue
+
+/etc/systemd/system/[email protected]
+```
+[Unit]
+Description=Enable mount points in / for ostree
+DefaultDependencies=no
+ConditionPathExists=!%f
+
+[Service]
+Type=oneshot
+ExecStartPre=chattr -i /
+ExecStart=mkdir -p '%f'
+ExecStopPost=chattr +i /
+```
+
+/etc/systemd/system/nix.mount
+```
+[Unit]
+[email protected]
+[email protected]
+
+[Mount]
+What=/var/nix
+Where=/nix
+Options=bind
+Type=none
+
+[Install]
+WantedBy=local-fs.target
+```
+
+SELinux
+```bash
+sudo semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?'
+sudo semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?'
+sudo semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
+sudo semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?'
+sudo semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?'
+sudo semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
+sudo semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
+sudo semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+```
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable --now nix.mount
+# R = recurse, F = full context (not just target)
+sudo restorecon -RF /nix
+```
+
+```bash
+# Make sure systemd isn't caching any SELinux policies
+sudo systemctl daemon-reload
+# Install NixOS normally
+sh <(curl -L https://nixos.org/nix/install) --daemon
+```