From 928028d3ec959ccc0af5ccd445c7507cae121015 Mon Sep 17 00:00:00 2001
From: Senthil Raja R
Date: Tue, 16 Jun 2026 11:07:36 +0530
Subject: [PATCH 1/2] macs: replace deprecated activate-user with darwin-rebuild activate in MDM bootstrap The activate-user script is deprecated in nix-darwin and will be removed in 25.11. The deprecation warning advises using darwin-rebuild activate instead, which handles both user and system activation. This change: - Adds mdm-bootstrap.sh, a proper bootstrap script for MDM-provisioned Mac builders that uses darwin-rebuild activate instead of the legacy activate-user + activate sequence - Updates the macs/README.md with MDM bootstrap documentation Fixes #1043
---
 macs/README.md | 16 ++++++++++++++++
 macs/mdm-bootstrap.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100755 macs/mdm-bootstrap.sh
diff --git a/macs/README.md b/macs/README.md
index 14ec4a62..6c4970d3 100644
--- a/macs/README.md
+++ b/macs/README.md
@@ -65,6 +65,22 @@ These machine are aarch64-darwin hosts.
 - mac04.ofborg.org
 - mac05.ofborg.org

+## MDM Bootstrap
+
+Machines provisioned via MDM (e.g. Mosyle) use the `mdm-bootstrap.sh` script
+for initial activation. This replaces the legacy `activate-user` + `activate`
+sequence with the recommended `darwin-rebuild activate` approach.
+
+The MDM bootstrap flow is:
+
+```
+systemConfig="$(readlink -f ./result)"
+nix-env -p /nix/var/nix/profiles/system --set "$systemConfig"
+./mdm-bootstrap.sh
+```
+
+See [mdm-bootstrap.sh](./mdm-bootstrap.sh) for details.
+
 ## Install

 - Login to user hetzner with the given password
diff --git a/macs/mdm-bootstrap.sh b/macs/mdm-bootstrap.sh
new file mode 100755
index 00000000..d0850ac8
--- /dev/null
+++ b/macs/mdm-bootstrap.sh
@@ -0,0 +1,43 @@
+#! /usr/bin/env bash
+
+# MDM Bootstrap script for nix-darwin Mac builders
+#
+# This script is intended to be run by an MDM solution (e.g. Mosyle)
+# during initial machine bootstrap, after building the nix-darwin
+# configuration into a ./result symlink.
+#
+# It replaces the deprecated activate-user step with the recommended
+# darwin-rebuild activate approach.
+
+set -euo pipefail
+
+if [[ $EUID -ne 0 ]]; then
+ echo "$0: please run this script as root"
+ exit 1
+fi
+
+if [[ ! -e ./result ]]; then
+ echo "$0: no ./result symlink found. Build your nix-darwin configuration first."
+ exit 1
+fi
+
+systemConfig="$(readlink -f ./result)"
+
+if [[ ! -d "$systemConfig" ]]; then
+ echo "$0: $systemConfig does not exist or is not a directory"
+ exit 1
+fi
+
+nix-env -p /nix/var/nix/profiles/system --set "$systemConfig"
+
+if [[ -x "$systemConfig/sw/bin/darwin-rebuild" ]]; then
+ echo "Activating system via darwin-rebuild activate..."
+ "$systemConfig/sw/bin/darwin-rebuild" activate
+else
+ echo "darwin-rebuild not found; falling back to legacy activation."
+ if [[ -x "$systemConfig/activate-user" ]]; then
+ echo "WARNING: activate-user is deprecated and will be removed in nix-darwin 25.11."
+ "$systemConfig/activate-user"
+ fi
+ "$systemConfig/activate"
+fi
From a1dd6c152e69d56210a9bde5ab01907c7c2a71b1 Mon Sep 17 00:00:00 2001
From: Senthil Raja R
Date: Wed, 17 Jun 2026 11:18:21 +0530
Subject: [PATCH 2/2] treefmt: fix formatting in macs/README.md and mdm-bootstrap.sh
---
 macs/README.md | 4 ++--
 macs/mdm-bootstrap.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/macs/README.md b/macs/README.md
index 6c4970d3..4a16c103 100644
--- a/macs/README.md
+++ b/macs/README.md
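Review bot: The new macs/mdm-bootstrap.sh runs `$systemConfig/sw/bin/darwin-rebuild` (or `activate-user` and `activate` in the fallback) as root after resolving `./result` from whatever the current directory happens to be, and the only check on the resolved target is `-d`. If the MDM agent starts the script in a directory that a non-root user can write to, the `result` symlink there decides what root executes; `nix-env --set` may reject a non-store path first, but that is incidental rather than a stated guard. I would add an explicit check right after the `readlink -f` line, e.g. `[[ $systemConfig == /nix/store/* ]] || { echo "$0: $systemConfig is not a Nix store path" >&2; exit 1; }`. The existing error messages go to stdout; sending them to stderr with `>&2` would keep failures distinguishable in the MDM run log.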
@@ -67,8 +67,8 @@ These machine are aarch64-darwin hosts.

 ## MDM Bootstrap

-Machines provisioned via MDM (e.g. Mosyle) use the `mdm-bootstrap.sh` script
-for initial activation. This replaces the legacy `activate-user` + `activate`
+Machines provisioned via MDM (e.g. Mosyle) use the `mdm-bootstrap.sh` script for
+initial activation. This replaces the legacy `activate-user` + `activate`
 sequence with the recommended `darwin-rebuild activate` approach.

 The MDM bootstrap flow is:
diff --git a/macs/mdm-bootstrap.sh b/macs/mdm-bootstrap.sh
index d0850ac8..5b7a28c9 100755
--- a/macs/mdm-bootstrap.sh
+++ b/macs/mdm-bootstrap.sh
@@ -23,7 +23,7 @@ fi

 systemConfig="$(readlink -f ./result)"

-if [[ ! -d "$systemConfig" ]]; then
+if [[ ! -d $systemConfig ]]; then
 echo "$0: $systemConfig does not exist or is not a directory"
 exit 1
 fi