Setup multi user nix for Arch Linux


Here we are setting up nix for Arch Linux.

Multi User Setup

From nix’s page:

To allow a Nix store to be shared safely among multiple users, it is important that users are not able to run builders that modify the Nix store or database in arbitrary ways, or that interfere with builds started by other users. If they could do so, they could install a Trojan horse in some package and compromise the accounts of other users.

To prevent this, the Nix store and database are owned by some privileged user (usually root) and builders are executed under special user accounts (usually named nixbld1, nixbld2, etc.). When an unprivileged user runs a Nix command, actions that operate on the Nix store (such as builds) are forwarded to a Nix daemon running under the owner of the Nix store/database that performs the operation.

Steps:

  • Install nix via yay (AUR helper)

    yay -S nix
    

    If you encounter the error:
    error while loading shared libraries: libboost_context.so.1.69.0: cannot open shared object file: No such file or directory
    edit the PKGBUILD for nix and, in depends, replace boost with boost<=1.69. This happens because the nix package has a hard dependency on boost version 1.69; more info here.

  • Add nix builder groups

    sudo groupadd -r nixbld
    for n in $(seq 1 10); do sudo useradd -c "Nix build user $n" \
        -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
        nixbld$n; done
    
  • Source env variables

    . /etc/profile.d/nix.sh
    
  • Running the daemon

    sudo nix-daemon & disown
    export NIX_REMOTE=daemon
    
  • Add and update channel

    nix-channel --add https://nixos.org/channels/nixpkgs-unstable
    sudo nix-channel --update
    nix-env -u
    

We are all done. Run the following to check that nix-daemon is running:

nix-shell -p hello --run hello
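
The isolation described in the quote from the Nix manual depends on the build accounts created in the "Add nix builder groups" step being unprivileged, non-login accounts. The script below is an added example, not part of the original post or of Nix itself: the function name audit_nixbld and the sample passwd/group data are constructed for illustration, and with no arguments the function reads the live /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): audit the nixbld build accounts.
# Takes passwd- and group-format files; defaults to the live system files.
audit_nixbld() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}

    # Supplementary members of nixbld (4th group field); "-G nixbld" in the
    # useradd step above is what puts the build users in this list.
    members=$(awk -F: '$1 == "nixbld" { print $4 }' "$group_file")
    if [ -z "$members" ]; then
        echo "FAIL: group nixbld is missing or has no members"
        return 1
    fi

    # Each member must exist, be unprivileged, and have no login shell or home.
    echo "$members" | tr ',' '\n' | awk -v pw="$passwd_file" '
        BEGIN {
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                uid[f[1]] = f[3]; home[f[1]] = f[6]; shell[f[1]] = f[7]
            }
        }
        NF {
            u = $1; why = ""
            if (!(u in uid)) why = "no passwd entry"
            else if (uid[u] == 0) why = "uid 0"
            else if (shell[u] !~ /\/(nologin|false)$/) why = "login shell " shell[u]
            else if (home[u] != "/var/empty") why = "home " home[u]
            if (why != "") { print "FAIL: " u ": " why; bad = 1 } else print "ok: " u
        }
        END { exit bad + 0 }'
}

# Constructed sample data: nixbld2 was given a login shell by mistake.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
    'nixbld1:x:998:997:Nix build user 1:/var/empty:/usr/bin/nologin' \
    'nixbld2:x:999:997:Nix build user 2:/var/empty:/bin/bash' > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' 'nixbld:x:997:nixbld1,nixbld2' > "$demo_dir/group"
audit_nixbld "$demo_dir/passwd" "$demo_dir/group" || echo "audit failed"
rm -rf "$demo_dir"
```

On a real system, run `audit_nixbld` with no arguments after creating the users; a non-zero exit status means at least one build account does not match what the useradd step was meant to create.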