From bf405334693b079b8ae6ef8653203e44382e0e68 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 9 Dec 2025 16:33:22 +0100
Subject: [PATCH] fix(init-nix): ensure /nix is always owned by nix:nixbld in container root mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In GitHub's Fedora-based CI containers the directory /nix may already exist (e.g. from the base image or a previous build layer) and is often owned by root:root. In this situation the Nix single-user installer aborts with: "directory /nix exists, but is not writable by you" This caused the container build to fail during `init-nix.sh`, leaving no working `nix` binary on PATH. As a result, the runtime wrapper (pkmgr-wrapper.sh) reported: "[pkgmgr-wrapper] ERROR: 'nix' binary not found on PATH." Local runs did not show the issue because a previous installation had already created /nix with correct ownership. This commit makes container-mode Nix initialization fully idempotent:
• If /nix does not exist → create it with owner nix:nixbld (existing logic).
• If /nix exists but has wrong owner/group → forcibly chown -R nix:nixbld.
• A warning is emitted if /nix remains non-writable after correction.
This guarantees that the Nix installer always has writable access to /nix and prevents the installer from aborting in CI. As a result, `pkgmgr --help` works again inside Fedora CI containers.
https://chatgpt.com/share/69384149-9dc8-800f-8148-55817ece8e21
---
 scripts/init-nix.sh | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/scripts/init-nix.sh b/scripts/init-nix.sh
index c13f374..8169e4f 100755
--- a/scripts/init-nix.sh
+++ b/scripts/init-nix.sh
@@ -97,11 +97,32 @@ if [[ "${IN_CONTAINER}" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
         useradd -m -r -g nixbld -s /usr/bin/bash nix
     fi
 
-    # Create /nix directory and hand it to nix user (prevents installer sudo prompt)
+    # Ensure /nix exists and is writable by the "nix" user.
+    #
+    # In some base images (or previous runs), /nix may already exist and be
+    # owned by root. In that case the Nix single-user installer will abort with:
+    #
+    #   "directory /nix exists, but is not writable by you"
+    #
+    # To keep container runs idempotent and robust, we always enforce
+    # ownership nix:nixbld here.
     if [[ ! -d /nix ]]; then
         echo "[init-nix] Creating /nix with owner nix:nixbld..."
         mkdir -m 0755 /nix
         chown nix:nixbld /nix
+    else
+        current_owner="$(stat -c '%U' /nix 2>/dev/null || echo '?')"
+        current_group="$(stat -c '%G' /nix 2>/dev/null || echo '?')"
+        if [[ "${current_owner}" != "nix" || "${current_group}" != "nixbld" ]]; then
+            echo "[init-nix] /nix already exists with owner ${current_owner}:${current_group} – fixing to nix:nixbld..."
+            chown -R nix:nixbld /nix
+        else
+            echo "[init-nix] /nix already exists with correct owner nix:nixbld."
+        fi
+
+        if [[ ! -w /nix ]]; then
+            echo "[init-nix] WARNING: /nix is still not writable after chown; Nix installer may fail."
+        fi
     fi
 
     # Run Nix single-user installer as "nix"
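Review bot: The writability check added at the end of the else-branch, `if [[ ! -w /nix ]]`, runs as root (this branch is only entered when EUID is 0, per the hunk header), so it passes even when the `nix` user — which runs the installer a few lines later — cannot write; it would only fire on a read-only mount, and even then the preceding chown would likely already have failed. Test as the installer's user instead: `if ! runuser -u nix -- test -w /nix; then`, reword the message to `"[init-nix] WARNING: /nix is not writable by user nix; Nix installer may fail."` and send it to stderr with `>&2`. A caveat also belongs in the new comment block: `chown -R nix:nixbld /nix` re-owns the entire tree, which is a surprising side effect when /nix is a bind-mounted cache volume or a symlink (chown dereferences a symlink given as its argument unless `-h`), so guarding with `[[ -L /nix ]]` or using `-h` avoids silently re-owning a host directory. The enclosing `if [[ "${IN_CONTAINER}" ...` block starts before and ends after this hunk.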