From 0d198e7a52c71db7b607bbcab91b3b28f7786587 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Fri, 18 Mar 2022 16:22:38 +0100
Subject: [PATCH] nixos/nix-daemon: workaround NixOS/nix#6285

The Nix-provided `nix-daemon.socket` file has a

> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket

line, to skip that unit if /nix/var/nix/daemon-socket/socket is read-only
(which is the case in some nixos-containers with that folder bind-ro-mounted
from the host). In these cases, the unit was skipped.

Systemd 250 (rightfully) started to also skip in these cases:

> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).

However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket didn't
/exist at all/, and we were relying on this bug in the case for fresh NixOS
systems, to have /nix/var/nix/daemon-socket/socket created initially.

Move the creation of that folder to systemd-tmpfiles, by shipping an
appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf`
(NixOS/nix#6285).

In the meantime, set a systemd tmpfiles rule manually in NixOS.

This has been tested to still work with read-only bind-mounted
/nix/var/nix/daemon-socket/socket in containers, it'll keep them read-only ;-)
---
 nixos/modules/services/misc/nix-daemon.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 2b21df91b82f7..0c3435ce70b60 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -708,6 +708,14 @@ in systemd.packages = [ nixPackage ]; + # Will only work once https://github.com/NixOS/nix/pull/6285 is merged + # systemd.tmpfiles.packages = [ nixPackage ]; + + # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285 + systemd.tmpfiles.rules = [ + "d /nix/var/nix/daemon-socket 0755 root root - -" + ]; + systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; systemd.services.nix-daemon =
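Review bot: the two comments on the new `systemd.tmpfiles.rules` entry only point at the upstream PR; nothing in the module says why the directory has to exist before `nix-daemon.socket` starts, so someone reading `"d /nix/var/nix/daemon-socket 0755 root root - -"` later has to dig the systemd 250 `ConditionPathIsReadWrite` behaviour out of git history. Suggest folding the reason into the comment, e.g. `# systemd >= 250 skips nix-daemon.socket when /nix/var/nix/daemon-socket is missing (ConditionPathIsReadWrite); create it here until NixOS/nix#6285 ships its own tmpfiles.d entry`, and dropping the commented-out `# systemd.tmpfiles.packages = [ nixPackage ];` line, since the second comment already records what replaces this rule once the PR lands and dead code tends to outlive its TODO. The `0755 root root` choice itself is the right one and worth a word in that comment too: the daemon's socket is bound inside this directory as root, and a group- or world-writable directory would let a local user pre-create a file or symlink at the socket path before the daemon does. One caveat to keep in mind for the read-only bind-mount case described in the commit message: a `d` line does not only create the directory, systemd-tmpfiles also adjusts the mode and owner of an existing one when they differ, so the rule is only a no-op on a read-only mount as long as the host already provides the directory as `0755 root root`; a mismatch would surface as an EROFS warning from `systemd-tmpfiles-setup` rather than a silent skip.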