Hacker News
by microtonal 2246 days ago
The separate volume is still required. As far as I understand, if you use an encrypted volume, it does not mount early enough in the login process and you have to resort to more hacks to make it work.

Ideally the Nix store would be in some non-root location. But that requires a completely new binary cache among other things (since /nix store paths are hardcoded in binaries, scripts, etc).

Also making /nix a symlink doesn't really work in some cases, since realpath reports the actual path and that may break builds/applications.

It used to work so nicely out of the box :(, but I can also understand why Apple wants to enforce read-only system volumes, since it blocks nastier rootkits, etc.

1 comments

I don't have any OSX boxes, but wouldn't bind-mounting the real /some/where/nix to /nix solve the realpath problem? No need to write to / either (as you would have to do with the symlink approach).
If it is possible, then I think it should work. I believe this might be the way they are planning to go, because someone mentioned a separate partition.

Honestly, I think they should just relocate it to a different location that can be persisted and rebuild the packages. I don't think people care about the location as long as they don't have to recompile every single thing. This could also be useful to catch all bugs where /nix was assumed.