From f2caa68e3dbbcde6e4eda274c89b601aae06b5e9 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 12 Dec 2025 18:19:51 +0100
Subject: [PATCH] fix(nix): ensure non-root access to Nix installation with strict error handling

Ensure /home/nix and .nix-profile are accessible for non-root users, create /usr/local/bin/nix symlink with fail-fast behavior, and replace silent permission fixes with explicit checks, clear error messages, and deterministic exit codes.
https://chatgpt.com/share/693c29d9-9b28-800f-a549-5661c783d968
---
scripts/init-nix.sh | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/scripts/init-nix.sh b/scripts/init-nix.sh
index 7044482..e4920f4 100755
--- a/scripts/init-nix.sh
+++ b/scripts/init-nix.sh
@@ -193,7 +193,39 @@ main() {
 if [[ -x /home/nix/.nix-profile/bin/nix && ! -e /usr/local/bin/nix ]]; then
 echo "[init-nix] Creating /usr/local/bin/nix symlink -> /home/nix/.nix-profile/bin/nix"
- ln -s /home/nix/.nix-profile/bin/nix /usr/local/bin/nix
+ if ! ln -s /home/nix/.nix-profile/bin/nix /usr/local/bin/nix; then
+ echo "[init-nix][ERROR] Failed to create /usr/local/bin/nix symlink."
+ exit 9
+ fi
+ fi
+
+ # Always ensure perms once Nix exists (not only when symlink was created)
+ if [[ -x /home/nix/.nix-profile/bin/nix ]]; then
+ echo "[nix] Ensuring non-root users can access Nix installation..."
+
+ if [[ ! -d /home/nix ]]; then
+ echo "[nix][ERROR] /home/nix does not exist – Nix user home missing."
+ exit 10
+ fi
+
+ if ! chmod o+rx /home/nix; then
+ echo "[nix][ERROR] Failed to set o+rx on /home/nix"
+ echo "[nix][HINT] Non-root users cannot traverse the Nix home directory."
+ exit 11
+ fi
+
+ if [[ ! -d /home/nix/.nix-profile ]]; then
+ echo "[nix][ERROR] /home/nix/.nix-profile does not exist – Nix profile missing."
+ exit 12
+ fi
+
+ if ! chmod -R o+rx /home/nix/.nix-profile; then
+ echo "[nix][ERROR] Failed to set o+rx recursively on /home/nix/.nix-profile"
+ echo "[nix][HINT] Nix binaries and profiles will not be executable for non-root users."
+ exit 13
+ fi
+
+ echo "[nix] Permissions for /home/nix and .nix-profile successfully adjusted."
 fi
 # -------------------------------------------------------------------------
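Review bot: Both `chmod` calls in the added permissions block grant more than the stated goal needs. `chmod -R o+rx /home/nix/.nix-profile` uses lowercase `x`, which sets the execute bit for others on every regular file under the profile, whereas `chmod -R o+rX /home/nix/.nix-profile` limits it to directories and files that are already executable. For `/home/nix` the hint text only mentions traversal, which `chmod o+x /home/nix` provides without also letting every local user list the home directory. If this script runs as root while `/home/nix` belongs to an unprivileged account (not visible in this hunk), it is also worth confirming what `.nix-profile` resolves to before the recursive call, since `chmod` follows a symlink given on the command line and would loosen permissions on the target. The body of `main()` starts and continues outside the hunk.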