update lock file

CHANGELOG.md

@@ -4,6 +4,16 @@
 
 Changes yet to be released are documented here.
 
+## v0.3.0
+
+- Stop setting `nix.settings.netrc-file` from the Home Manager module
+- Document `netrc_path` in `config.toml` as the path operators should wire into their daemon configuration
+- Add a module evaluation check to prevent the Home Manager module from reintroducing `nix.settings.netrc-file`
+
+These changes are made to support both cppnix and detsysnix. The latter has [special requirements][additionalnetrcsources] around the `netrc` files.
+
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources
+
 ## v0.2.1
 
 - Fix netrc parsing for one-line entries such as `machine ... login ... password ...`

README.md

@@ -58,6 +58,14 @@ netrc_path = "$XDG_CONFIG_HOME/nix/netrc"
 
 Path values support environment variable expansion (`$VAR` and `${VAR}`).
 
+`netrc_path` is the path this tool writes tokens to.
+
+Configure Nix to read that same path.
+
+This supports both cppnix and detsysnix. The latter has [special
+requirements][additionalnetrcsources] around `netrc` files, so set
+`additionalNetrcSources` to include the configured `netrc_path`.
+
 ## Usage
 
 ```bash
@@ -78,6 +86,15 @@ Config path resolution order:
 The NixOS server module exports `NIX_CACHE_LOGIN_CONFIG` and installs
 `/etc/nix-cache-login/config.toml` from `services.nix-cache-login-server.configFile`.
 
+## Module Integration
+
+The Home Manager and NixOS modules in this repo install the package and refresh
+services.
+
+Nix and detsysnix daemon configuration stays outside these modules.
+
+Set your daemon to read the `netrc_path` configured in `config.toml`.
+
 ## Maintenance
 
 This tool is actively maintained by [Guardian Project](https://guardianproject.info).
@@ -92,6 +109,7 @@ For security-related issues, please contact us through our [security policy][sec
 
 [issues]: https://guardianproject.dev/ops/nix-cache-login/issues
 [sec]: https://guardianproject.info/contact/
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources
 
 ## License
 

flake.lock

@@ -2,12 +2,12 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771848320,
-        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
-        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
-        "revCount": 953160,
+        "lastModified": 1775423009,
+        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "revCount": 975402,
         "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.953160%2Brev-2fc6539b481e1d2569f25f8799236694180c0993/019c8e05-d2f6-7c7e-9ead-612154b18bfb/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.975402%2Brev-68d8aa3d661f0e6bd5862291b5bb263b2a6595c9/019d657b-b3b7-7288-b3c0-42d420df206b/source.tar.gz"
       },
       "original": {
         "type": "tarball",

flake.nix

@@ -36,6 +36,7 @@
             '';
             doCheck = true;
           });
+          module-checks = import ./module-checks.nix { inherit self pkgs; };
           devShell = self.devShells.${pkgs.stdenv.hostPlatform.system}.default;
         }
         // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {

home-module.nix

@@ -26,7 +26,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    nix.settings.netrc-file = "${config.xdg.configHome}/nix/netrc";
     home.packages = [ cfg.package ];
     systemd.user.services.nix-cache-login = {
       Unit.Description = "Nix cache login - refresh access token";

module-checks.nix

@@ -0,0 +1,65 @@
+{ self, pkgs }:
+let
+  lib = pkgs.lib;
+  fakePackage = pkgs.runCommand "nix-cache-login-fake-package" { } ''
+    mkdir -p "$out/bin"
+    touch "$out/bin/nix-cache-login"
+    chmod +x "$out/bin/nix-cache-login"
+  '';
+
+  hmStubModule =
+    { lib, ... }:
+    {
+      options = {
+        home.packages = lib.mkOption {
+          type = lib.types.listOf lib.types.package;
+          default = [ ];
+        };
+        home.homeDirectory = lib.mkOption {
+          type = lib.types.str;
+          default = "/home/tester";
+        };
+        xdg.configHome = lib.mkOption {
+          type = lib.types.str;
+          default = "/home/tester/.config";
+        };
+        nix.settings = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        systemd.user.services = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        systemd.user.timers = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+        launchd.agents = lib.mkOption {
+          type = lib.types.attrsOf lib.types.anything;
+          default = { };
+        };
+      };
+    };
+
+  evalHome =
+    extraConfig:
+    lib.evalModules {
+      modules = [
+        hmStubModule
+        ./home-module.nix
+        {
+          services.nix-cache-login.enable = true;
+          services.nix-cache-login.package = fakePackage;
+        }
+        extraConfig
+      ];
+    };
+
+  homeDefault = evalHome { };
+in
+pkgs.runCommand "nix-cache-login-module-checks" { } ''
+  test ${lib.escapeShellArg (builtins.toJSON (builtins.hasAttr "netrc-file" homeDefault.config.nix.settings))} = ${lib.escapeShellArg "false"}
+  test ${lib.escapeShellArg homeDefault.config.systemd.user.services.nix-cache-login.Service.ExecStart} = ${lib.escapeShellArg "${fakePackage}/bin/nix-cache-login refresh"}
+  touch "$out"
+''

package.nix

@@ -6,7 +6,7 @@
 
 buildGoModule {
   pname = "nix-cache-login";
-  version = "0.2.1";
+  version = "0.3.0";
   src = ./.;
   # src = fetchgit {
   #   url = "https://guardianproject.dev/ops/nix-cache-login.git";