stop setting netrc-file

2026-04-08 08:43:08 +02:00 · 2026-04-08 08:43:08 +02:00 · d6d6721c16
commit d6d6721c16
parent aa4732af7b
6 changed files with 95 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,16 @@

 Changes yet to be released are documented here.

+## v0.3.0
+
+- Stop setting `nix.settings.netrc-file` from the Home Manager module
+- Document `netrc_path` in `config.toml` as the path operators should wire into their daemon configuration
+- Add a module evaluation check to prevent the Home Manager module from reintroducing `nix.settings.netrc-file`
+
+These changes are made to support both cppnix and detsysnix. The latter has [special requirements][additionalnetrcsources] around the `netrc` files.
+
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources
+
 ## v0.2.1

 - Fix netrc parsing for one-line entries such as `machine ... login ... password ...`
--- a/README.md
+++ b/README.md
@ -58,6 +58,14 @@ netrc_path = "$XDG_CONFIG_HOME/nix/netrc"

 Path values support environment variable expansion (`$VAR` and `${VAR}`).

+`netrc_path` is the path this tool writes tokens to.
+
+Configure Nix to read that same path.
+
+This supports both cppnix and detsysnix. The latter has [special
+requirements][additionalnetrcsources] around `netrc` files, so set
+`additionalNetrcSources` to include the configured `netrc_path`.
+
 ## Usage

 ```bash
@ -78,6 +86,15 @@ Config path resolution order:
 The NixOS server module exports `NIX_CACHE_LOGIN_CONFIG` and installs
 `/etc/nix-cache-login/config.toml` from `services.nix-cache-login-server.configFile`.

+## Module Integration
+
+The Home Manager and NixOS modules in this repo install the package and refresh
+services.
+
+Nix and detsysnix daemon configuration stays outside these modules.
+
+Set your daemon to read the `netrc_path` configured in `config.toml`.
+
 ## Maintenance

 This tool is actively maintained by [Guardian Project](https://guardianproject.info).
@ -92,6 +109,7 @@ For security-related issues, please contact us through our [security policy][sec

 [issues]: https://guardianproject.dev/ops/nix-cache-login/issues
 [sec]: https://guardianproject.info/contact/
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources

 ## License

--- a/flake.nix
+++ b/flake.nix
@ -36,6 +36,7 @@
            '';
            doCheck = true;
          });
+          module-checks = import ./module-checks.nix { inherit self pkgs; };
          devShell = self.devShells.${pkgs.stdenv.hostPlatform.system}.default;
        }
        // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
--- a/home-module.nix
+++ b/home-module.nix
@ -26,7 +26,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    nix.settings.netrc-file = "${config.xdg.configHome}/nix/netrc";
    home.packages = [ cfg.package ];
    systemd.user.services.nix-cache-login = {
      Unit.Description = "Nix cache login - refresh access token";
--- a/module-checks.nix
+++ b/module-checks.nix
@ -0,0 +1,65 @@
+{ self, pkgs }:
+let
+  lib = pkgs.lib;
+  fakePackage = pkgs.runCommand "nix-cache-login-fake-package" { } ''
+    mkdir -p "$out/bin"
+    touch "$out/bin/nix-cache-login"
+    chmod +x "$out/bin/nix-cache-login"
+  '';
+
+  hmStubModule =
+    { lib, ... }:
+    {
+      options = {
+        home.packages = lib.mkOption {
+          type = lib.types.listOf lib.types.package;
+          default = [ ];
+        };
+        home.homeDirectory = lib.mkOption {
+          type = lib.types.str;
+          default = "/home/tester";
+        };
+        xdg.configHome = lib.mkOption {
+          type = lib.types.str;
+          default = "/home/tester/.config";
+        };
+        nix.settings = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        systemd.user.services = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        systemd.user.timers = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        launchd.agents = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+      };
+    };
+
+  evalHome =
+    extraConfig:
+    lib.evalModules {
+      modules = [
+        hmStubModule
+        ./home-module.nix
+        {
+          services.nix-cache-login.enable = true;
+          services.nix-cache-login.package = fakePackage;
+        }
+        extraConfig
+      ];
+    };
+
+  homeDefault = evalHome { };
+in
+pkgs.runCommand "nix-cache-login-module-checks" { } ''
+  test ${lib.escapeShellArg (builtins.toJSON (builtins.hasAttr "netrc-file" homeDefault.config.nix.settings))} = ${lib.escapeShellArg "false"}
+  test ${lib.escapeShellArg homeDefault.config.systemd.user.services.nix-cache-login.Service.ExecStart} = ${lib.escapeShellArg "${fakePackage}/bin/nix-cache-login refresh"}
+  touch "$out"
+''
--- a/package.nix
+++ b/package.nix
@ -6,7 +6,7 @@

 buildGoModule {
  pname = "nix-cache-login";
-  version = "0.2.1";
+  version = "0.3.0";
  src = ./.;
  # src = fetchgit {
  #   url = "https://guardianproject.dev/ops/nix-cache-login.git";