From 5e6d488a3e203874a0c3980f3b13ba711afe3ae5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Wed, 21 Jun 2023 21:34:13 +0200
Subject: [PATCH] nix: fix cache usage by modifying global config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise Nix produces warnings like this: ``` warning: ignoring untrusted substituter 'https://nix-cache.status.im/', you are not a trusted user. ``` Since adding users to `trusted-users` essentially gives them `root`: >Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. > — https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users A more kosher approach might be to just add the cache config itself globally.
Signed-off-by: Jakub Sokołowski
---
 nix/scripts/lib.sh | 36 ++++++++++++++++++++++++++++++++++++
 nix/scripts/setup.sh | 16 ++++++++++++++++
 nix/scripts/upgrade.sh | 11 ++---------
 3 files changed, 54 insertions(+), 9 deletions(-)
diff --git a/nix/scripts/lib.sh b/nix/scripts/lib.sh
index 84623c4fd9..e4c0e64e10 100755
--- a/nix/scripts/lib.sh
+++ b/nix/scripts/lib.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+set -eo pipefail
+GIT_ROOT=$(cd "${BASH_SOURCE%/*}" && git rev-parse --show-toplevel)
 # Checking group ownership to identify installation type.
 file_group() {
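Review bot: `set -eo pipefail` at the top of nix/scripts/lib.sh takes effect in whichever shell sources the file, and upgrade.sh in this same patch sources it, so the library now changes its callers' error handling rather than only its own. upgrade.sh already sets the same options and `GIT_ROOT` before its `source` lines, so the two added lines are redundant there; whether other callers depend on them is not visible here. If they stay, a header comment such as `# Sourced library: the shell options and GIT_ROOT set here apply to the calling script.` would make that side effect explicit.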
@@ -52,3 +54,37 @@ nix_root() {
 nix_current_version() {
 nix-env --version | awk '{print $3}'
 }
+
+nix_get_local_setting() {
+ local NIX_LOCAL_CONFIG="${GIT_ROOT}/nix/nix.conf"
+ local KEY="${1}"
+ awk -F' = ' "/^${KEY} *=/{print \$2}" nix/nix.conf
+}
+
+nix_set_global_setting() {
+ local NIX_GLOBAL_CONFIG="/etc/nix/nix.conf"
+ local KEY="${1}"
+ local VAL="${2}"
+ if grep "${KEY}" "${NIX_GLOBAL_CONFIG}" 2>/dev/null; then
+ sed -i "s/${KEY} = \(.*\)$/${KEY} = ${VAL}/" "${NIX_GLOBAL_CONFIG}"
+ else
+ echo "${KEY} = ${VAL}" | sudo tee -a "${NIX_GLOBAL_CONFIG}" >/dev/null
+ fi
+}
+
+nix_daemon_restart() {
+ # Restarting Nix Daemon makes sense only on a multi-user install.
+ [[ $(nix_install_type) != "multi" ]] && return
+ if [[ "$(uname -s)" == "Darwin" ]]; then
+ echo "Restarting Nix daemon Launchd service..." >&2
+ sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+ sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+ elif [[ "$(uname -s)" == "Linux" ]] && [[ "$(nix_install_type)" == "multi" ]]; then
+ echo "Restarting Nix daemon Systemd service..." >&2
+ sudo systemctl daemon-reload
+ sudo systemctl restart nix-daemon
+ else
+ echo "Unknown platform! Unable to restart daemon!" >&2
+ exit 1
+ fi
+}
diff --git a/nix/scripts/setup.sh b/nix/scripts/setup.sh
index 51f89b5f2a..00843d6b06 100755
--- a/nix/scripts/setup.sh
+++ b/nix/scripts/setup.sh
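Review bot: In `nix_set_global_setting` (nix/scripts/lib.sh) the `sed` replacement interpolates `${VAL}` into an `s/.../.../` expression, yet the values written are presumably substituter URLs and public keys, so a value like the `https://nix-cache.status.im/` URL quoted in the commit message contains the `/` delimiter and breaks the expression. The `grep` and `sed` patterns are also unanchored, so `substituters` matches a `trusted-substituters` line (or a commented-out one) and the wrong trust setting can be rewritten, and the `sed -i` branch runs without `sudo` while the append branch goes through `sudo tee`. Separately, `nix_get_local_setting` declares `NIX_LOCAL_CONFIG` but reads the relative `nix/nix.conf`, so it only works from the repository root; passing `"${NIX_LOCAL_CONFIG}"` to `awk` looks like what was intended. A possible shape for the setter is below; in-place editing with `-i` differs between GNU and BSD sed, which matters if the macOS path uses the system sed.

```shell
nix_set_global_setting() {
  # … unchanged: NIX_GLOBAL_CONFIG, KEY and VAL locals …
  # Refuse to write an empty value (e.g. the local lookup found nothing).
  if [[ -z "${VAL}" ]]; then
    echo "No value found for Nix setting: ${KEY}" >&2
    return 1
  fi
  # Escape what sed treats specially in a replacement ('\', '&' and the '|' delimiter).
  local VAL_ESCAPED
  VAL_ESCAPED=$(printf '%s' "${VAL}" | sed 's/[\\&|]/\\&/g')
  # Anchor on the exact key so 'substituters' cannot match 'trusted-substituters'.
  if grep -qE "^${KEY} *=" "${NIX_GLOBAL_CONFIG}" 2>/dev/null; then
    sudo sed -i "s|^${KEY} *=.*\$|${KEY} = ${VAL_ESCAPED}|" "${NIX_GLOBAL_CONFIG}"
  else
    # … unchanged: append "${KEY} = ${VAL}" through sudo tee …
  fi
}
```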
@@ -38,6 +38,22 @@ nix_install() {
 echo "Please see: https://nixos.org/nix/manual/#chap-installation" >&2
 exit 1
 fi
+
+ # Additional fixes
+ nix_add_extra_cache
+ nix_daemon_restart
+}
+
+# Adding directly to global config to avoid warnings like this:
+# "ignoring untrusted substituter 'https://nix-cache.status.im/', you are not a trusted user."
+nix_add_extra_cache() {
+ # Single-user installations do not have this issue.
+ [[ ! -f /etc/nix/nix.conf ]] && return
+ echo -e 'Adding our cache to Nix daemon config...' >&2
+ local NIX_SETTINGS=('substituters' 'trusted-substituters' 'trusted-public-keys')
+ for NIX_SETTING in "${NIX_SETTINGS[@]}"; do
+ nix_set_global_setting "${NIX_SETTING}" "$(nix_get_local_setting "${NIX_SETTING}")"
+ done
 }
 if [[ ! -x "$(command -v sha256sum)" ]]; then
diff --git a/nix/scripts/upgrade.sh b/nix/scripts/upgrade.sh
index 361132f961..4597e81f59 100755
--- a/nix/scripts/upgrade.sh
+++ b/nix/scripts/upgrade.sh
@@ -5,6 +5,7 @@ set -eo pipefail
 GIT_ROOT=$(cd "${BASH_SOURCE%/*}" && git rev-parse --show-toplevel)
 source "${GIT_ROOT}/scripts/colors.sh"
+source "${GIT_ROOT}/nix/scripts/lib.sh"
 source "${GIT_ROOT}/nix/scripts/source.sh"
 source "${GIT_ROOT}/nix/scripts/version.sh"
@@ -12,15 +13,7 @@ nix_upgrade() {
 echo -e "Upgrading Nix interpreter to: ${GRN}${NIX_VERSION}${RST}" >&2
 nix-channel --update
 nix-env --install --attr "nixpkgs.${NIX_PACKAGE}" "nixpkgs.cacert"
- if [[ "$(uname -s)" == "Darwin" ]]; then
- echo "Restarting Nix daemon Launchd service" >&2
- launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
- launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist
- elif [[ "$(uname -s)" == "Linux" ]] && [[ "$(nix_install_type)" == "multi" ]]; then
- echo "Restarting Nix daemon Systemd service" >&2
- systemctl daemon-reload
- systemctl restart nix-daemon
- fi
+ nix_daemon_restart
 }
 # Allow for sourcing the script
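Review bot: `nix_add_extra_cache` in nix/scripts/setup.sh overwrites the machine-wide `substituters`, `trusted-substituters` and `trusted-public-keys` with whatever the repository's nix.conf holds, so any cache or signing key an administrator had already set in /etc/nix/nix.conf is dropped and every user of the daemon starts trusting this repo's values. If the aim is only to add the project cache, Nix's `extra-substituters` and `extra-trusted-public-keys` settings append instead of replacing; at minimum a comment above the loop should say that existing values are overwritten. The `$(nix_get_local_setting ...)` result is passed on unchecked, and `set -e` does not act on a failure inside a command substitution used as an argument, so a failed lookup would be written as an empty value; `NIX_SETTING` should also be declared `local`. `nix_install` begins above this hunk.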