home: Add buildEnvWithNoChroot to help avoid darwin sandbox failures

Allows setting `__noChroot = true` on select derivations that assemble
large numbers of paths. This may be used to avoid sandbox failures on
darwin, see NixOS/nix#4119 and the `sandbox`
option in `man nix.conf`.

I wish there was a way to do something akin to overlays for config, alas
there is not afaik, so the only way is to add an option. Since this is
opt-in, anyone enabling it thus understands the “risks” of disabling the
sandbox, however the risk for these derivations should be fairly low,
and this allows enabling the sandbox more generally on Darwin, which is
beneficial.

I have only added to the derivations that started giving me problems,
others may suffer from others but these are definitely likely to have
huge dependency lists therefore exposing the problem.

Despite this being intended only for use on Darwin, it is left somewhat
generic and thus up to the user to do set it to e.g.
`stdenv.hostPlatform.isDarwin`.

modules/home-environment.nix

@@ -475,6 +475,14 @@ in
       '';
     };
 
+    home.buildEnvWithNoChroot = mkEnableOption ''
+      Sets <code>__noChroot = true</code> on select <code>buildEnv</code>
+      derivations that assemble large numbers of paths, as well the activation
+      script derivations. This may be used to avoid sandbox failures on Darwin,
+      see https://github.com/NixOS/nix/issues/4119 and the <code>sandbox</code>
+      option in <command>man nix.conf</command>.
+    '';
+
     home.preferXdgDirectories = mkEnableOption "" // {
       description = ''
         Whether to make programs use XDG directories whenever supported.
@@ -710,7 +718,7 @@ in
         )
         + optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH";
 
-        activationScript = pkgs.writeShellScript "activation-script" ''
+        activationScript = (pkgs.writeShellScript "activation-script" ''
           set -eu
           set -o pipefail
 
@@ -740,9 +748,11 @@ in
               run rm $VERBOSE_ARG "$legacyGenGcPath"
             fi
           ''}
-        '';
+        '').overrideAttrs (old: {
+          __noChroot = cfg.buildEnvWithNoChroot;
+        });
       in
-        pkgs.runCommand
+        (pkgs.runCommand
           "home-manager-generation"
           {
             preferLocalBuild = true;
@@ -764,9 +774,11 @@ in
             ln -s ${cfg.path} $out/home-path
 
             ${cfg.extraBuilderCommands}
-          '';
+          '').overrideAttrs (old: {
+            __noChroot = cfg.buildEnvWithNoChroot;
+          });
 
-    home.path = pkgs.buildEnv {
+    home.path = (pkgs.buildEnv {
       name = "home-manager-path";
 
       paths = cfg.packages;
@@ -777,6 +789,8 @@ in
       meta = {
         description = "Environment of packages installed through home-manager";
       };
-    };
+    }).overrideAttrs (old: {
+      __noChroot = cfg.buildEnvWithNoChroot;
+    });
   };
 }

modules/targets/darwin/fonts.nix

@@ -4,11 +4,11 @@ with lib;
 
 let
   homeDir = config.home.homeDirectory;
-  fontsEnv = pkgs.buildEnv {
+  fontsEnv = (pkgs.buildEnv {
     name = "home-manager-fonts";
     paths = config.home.packages;
     pathsToLink = "/share/fonts";
-  };
+  }).overrideAttrs (old: { __noChroot = config.home.buildEnvWithNoChroot; });
   fonts = "${fontsEnv}/share/fonts";
   installDir = "${homeDir}/Library/Fonts/HomeManager";
 in {

modules/targets/darwin/linkapps.nix

@@ -4,11 +4,12 @@
   config = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin {
     # Install MacOS applications to the user environment.
     home.file."Applications/Home Manager Apps".source = let
-      apps = pkgs.buildEnv {
+      apps = (pkgs.buildEnv {
         name = "home-manager-applications";
         paths = config.home.packages;
         pathsToLink = "/Applications";
-      };
+      }).overrideAttrs
+        (old: { __noChroot = config.home.buildEnvWithNoChroot; });
     in "${apps}/Applications";
   };
 }