| 16 Nov 2025 |
Óli | How might I make something like this test work on darwin too?
{ pkgs }:
let
  # Extra settings appended to the generated postgresql.conf
  postgresConf = pkgs.writeText "postgresql.conf" ''
    unix_socket_directories = '/tmp'
  '';
  # SQL run once in single-user mode after initdb
  pgSetup = ''
    CREATE USER postgres WITH PASSWORD 'postgres' CREATEDB SUPERUSER;
    CREATE DATABASE nix_phoenix_template_dev;
  '';
in
pkgs.writeShellApplication {
  name = "postgres-dev";
  runtimeInputs = with pkgs; [
    postgresql
  ];
  runtimeEnv = {
    PGDATA = ".database";
  };
  text = ''
    # Initialise the data directory on first run only
    if [ ! -d "$PGDATA" ]; then
      initdb -D "$PGDATA"
      cat "${postgresConf}" >> "$PGDATA/postgresql.conf"
      postgres --single -E postgres <<< "${pgSetup}"
    fi
    exec postgres
  '';
}
| 15:56:55 |
Óli | I get these types of errors when building
install> 2025-11-16 16:45:42.248 UTC [70440] FATAL: could not open lock file "/tmp/.s.PGSQL.5432.lock": Permission denied
| 16:46:01 |
WeetHet | DNS resolution broke with sandbox enabled on unstable | 19:46:25 |
WeetHet | nix-run> exporting https://tangled.org/@weethet.bsky.social/nix-run (rev 73d7bf6b58848fb8f42e3a69816e0847f041c689) into /nix/store/m4m951648wmipxgwrgsml9gzjwfpfhm7-nix-run-73d7bf6
nix-run> Initialized empty Git repository in /nix/store/m4m951648wmipxgwrgsml9gzjwfpfhm7-nix-run-73d7bf6/.git/
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> Unable to checkout 73d7bf6b58848fb8f42e3a69816e0847f041c689 from https://tangled.org/@weethet.bsky.social/nix-run.
| 19:46:28 |
WeetHet | Works with relaxed because it disables sandbox for FODs entirely | 19:47:01 |
Winter | probably because of c-ares? cc Randy Eckenrode | 19:47:47 |
WeetHet | I don't have IPv6 though | 19:48:07 |
Winter | tbh i don’t know anyone who uses darwin w/ sandbox=true, sandbox=relaxed is more usable for Reasons | 19:48:11 |
Winter | just CCing him because he looked at c-ares stuff yesterday even if it’s probably not the same issue | 19:48:29 |
WeetHet | I'm using sandbox = true for the last year | 19:48:32 |
WeetHet | * I'm using sandbox = true for the last ~year | 19:48:44 |
Winter | you’ve never run into a drv with a sandboxProfile? | 19:48:51 |
samasaur | iirc there are fairly fundamental darwin deps that fail with the sandbox enabled, so i think sandbox = true only works when you get those from cache.nixos.org | 19:49:31 |
WeetHet | I use true by default and pass relaxed if needed | 19:49:47 |
samasaur | ah drat I was really hoping using terminal.app would fix this :( | 19:52:07 |
samasaur | it's Really Weird that home-manager switch is removing terminal.app from the list of programs with app management permissions... | 19:52:31 |
samasaur | ah and what i meant by "first time using copying instead of linking" is that home-manager recently changed to copying applications into ~/Applications/Home Manager Apps instead of symlinking them there (following a nix-darwin PR), and the app management check only runs if you are copying | 19:53:38 |
WeetHet | Realistically we should probably make bootstrap work with sandbox = true at one point | 19:57:03 |
WeetHet | I would really like if hydra was running with sandbox = true | 19:57:14 |
samasaur | oh yeah i def agree | 19:57:23 |
samasaur | unfortunately there are many goals like that and only so much time | 19:57:36 |
WeetHet | 26.05 maybe? | 19:57:44 |
WeetHet | I mean this is kinda fundamental | 19:57:52 |
WeetHet | Maybe we can even add a way to wrap packages to run in their own sandboxes so we can deliver pre-sandboxed executables | 20:01:03 |
WeetHet | Why am I building fish... | 20:04:07 |
WeetHet | You know what, I'll pass on updating nixpkgs rn let's wait a bit for this stuff to be fixed | 20:04:26 |
samasaur | yeah fish is broken rn | 20:24:28 |
samasaur | keeping me from updating as well :( | 20:24:35 |
samasaur | and it's some transitive issues from python not resolving argv0? i believe it was posted in this room | 20:25:10 |
Randy Eckenrode | My PR only addressed the link-local issue. I didn’t look at other issues. The question I’d have is if there’s anything unusual about the DNS config. It’s also possible using private APIs to get the system’s DNS server needs a sandbox exemption. | 20:42:37 |