burrow/Scripts/ci/ensure-nix.sh

#!/usr/bin/env bash
set -euo pipefail

source_nix_profile() {
  local candidate
  for candidate in \
    "/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh" \
    "${HOME}/.nix-profile/etc/profile.d/nix.sh"
  do
    if [[ -f "${candidate}" ]]; then
      # shellcheck disable=SC1090
      . "${candidate}"
      return 0
    fi
  done
  return 1
}

linux_cp_supports_preserve() {
  cp --help 2>&1 | grep -q -- '--preserve'
}

ensure_root_owned_home() {
  if [[ "$(id -u)" -ne 0 ]]; then
    return 0
  fi

  if [[ ! -d "${HOME}" ]] || [[ ! -O "${HOME}" ]]; then
    export HOME="/root"
  fi

  mkdir -p "${HOME}"
}

ensure_linux_nixbld_accounts() {
  if [[ "$(id -u)" -ne 0 ]]; then
    return 0
  fi

  if command -v getent >/dev/null 2>&1 && getent group nixbld >/dev/null 2>&1; then
    return 0
  fi

  if command -v addgroup >/dev/null 2>&1 && ! command -v groupadd >/dev/null 2>&1; then
    addgroup -S nixbld >/dev/null 2>&1 || true
    for i in $(seq 1 10); do
      adduser -S -D -H -h /var/empty -s /sbin/nologin -G nixbld "nixbld${i}" >/dev/null 2>&1 || true
    done
    return 0
  fi

  if command -v groupadd >/dev/null 2>&1; then
    groupadd -r nixbld >/dev/null 2>&1 || true
    for i in $(seq 1 10); do
      useradd \
        --system \
        --no-create-home \
        --home-dir /var/empty \
        --shell /usr/sbin/nologin \
        --gid nixbld \
        "nixbld${i}" >/dev/null 2>&1 || true
    done
    return 0
  fi

  echo "linux nix bootstrap requires nixbld group creation support" >&2
  exit 1
}

ensure_linux_nix_bootstrap_prereqs() {
  if linux_cp_supports_preserve; then
    ensure_root_owned_home
    ensure_linux_nixbld_accounts
    return 0
  fi

  if command -v apk >/dev/null 2>&1; then
    apk add --no-cache coreutils xz >/dev/null
  elif command -v apt-get >/dev/null 2>&1; then
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -y >/dev/null
    apt-get install -y coreutils xz-utils >/dev/null
  elif command -v dnf >/dev/null 2>&1; then
    dnf install -y coreutils xz >/dev/null
  elif command -v yum >/dev/null 2>&1; then
    yum install -y coreutils xz >/dev/null
  else
    echo "linux nix bootstrap requires GNU cp but no supported package manager was found" >&2
    exit 1
  fi

  linux_cp_supports_preserve || {
    echo "linux nix bootstrap still lacks GNU cp after installing prerequisites" >&2
    exit 1
  }

  ensure_root_owned_home
  ensure_linux_nixbld_accounts
}

if ! command -v nix >/dev/null 2>&1; then
  if ! command -v curl >/dev/null 2>&1; then
    echo "curl is required to install nix" >&2
    exit 1
  fi

  case "$(uname -s)" in
    Linux)
      ensure_linux_nix_bootstrap_prereqs
      curl -fsSL https://nixos.org/nix/install | sh -s -- --no-daemon
      ;;
    Darwin)
      installer="$(mktemp -t burrow-nix.XXXXXX)"
      trap 'rm -f "${installer}"' EXIT
      curl -fsSL -o "${installer}" https://install.determinate.systems/nix
      chmod +x "${installer}"
      if command -v sudo >/dev/null 2>&1; then
        if sudo -n true 2>/dev/null; then
          sudo -n sh "${installer}" install --no-confirm
        else
          sudo sh "${installer}" install --no-confirm
        fi
      else
        sh "${installer}" install --no-confirm
      fi
      ;;
    *)
      echo "unsupported platform for nix bootstrap: $(uname -s)" >&2
      exit 1
      ;;
  esac
fi

source_nix_profile || true
export PATH="${HOME}/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:${PATH}"

config_root="${XDG_CONFIG_HOME:-$HOME/.config}"
config_file="${config_root}/nix/nix.conf"
if [[ -e "${config_file}" && ! -w "${config_file}" ]]; then
  config_root="$(mktemp -d -t burrow-nix-config.XXXXXX)"
  export XDG_CONFIG_HOME="${config_root}"
  config_file="${XDG_CONFIG_HOME}/nix/nix.conf"
fi

mkdir -p "$(dirname -- "${config_file}")"
cat > "${config_file}" <<'EOF'
experimental-features = nix-command flakes
sandbox = true
fallback = true
substituters = https://cache.nixos.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
EOF

command -v nix >/dev/null 2>&1 || {
  echo "nix is still unavailable after bootstrap" >&2
  exit 1
}