My nix-darwin and NixOS config

fix: allow nixos-upgrade to read user-owned flake repo as root

Add a nixosUpgradeGitSafeDir activation script that writes the nix-config
path to /root/.gitconfig as a safe.directory entry. The autoUpgrade service
runs as root but the repo is owned by ewan, which git 2.35.2+ refuses to
open without this (CVE-2022-24765 mitigation).

modules/common.nix
··· 24 24 25 25 programs.zsh.enable = true; 26 26 27 + # Allow the nixos-upgrade service (runs as root) to read the flake repo 28 + # owned by the regular user. Without this, git 2.35.2+ refuses to open 29 + # repos not owned by the calling user (CVE-2022-24765 mitigation). 30 + system.activationScripts.nixosUpgradeGitSafeDir = '' 31 + ${pkgs.git}/bin/git config --global --add safe.directory /home/${cfg.user.username}/.config/nix-config 32 + ''; 33 + 27 34 # Symlink tracked hooks into .git/hooks so they're always up to date. 28 35 system.activationScripts.installGitHooks = '' 29 36 REPO="/home/${cfg.user.username}/.config/nix-config"
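Review bot: the new `nixosUpgradeGitSafeDir` script is not idempotent: `git config --global --add safe.directory ...` appends a new line to /root/.gitconfig on every activation even when an identical entry already exists, so the file grows by one duplicate per rebuild. Either switch to `${pkgs.git}/bin/git config --global --replace-all safe.directory /home/${cfg.user.username}/.config/nix-config`, or guard the call with `git config --global --get-all safe.directory | grep -qxF "$REPO"` before adding. A more declarative option on the NixOS side is to set `safe.directory` through `programs.git.config`, which lands in /etc/gitconfig and is rebuilt from the configuration rather than mutated imperatively. The repo path is also hard-coded here and again as `REPO=` in the `installGitHooks` script just below; a single `let` binding would keep the two from drifting. Finally, the comment should state what is being traded away: marking a user-owned checkout as safe means root will honor that repo's local config and hooks when the upgrade service runs, which is exactly what the CVE-2022-24765 check exists to prevent. That is an acceptable decision here only because the upgrade already builds and activates whatever the user-controlled flake says as root, and it is worth recording that reasoning next to the setting.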