nixos-rebuild-ng: run nix build commands in temporary directory

[thiagokokada]

This is to avoid a nasty bug in nix, that together with another issue in systemd-boot-builder.py causes a broken generation to be created that causes further new activations to also be broken.

Fix issue #144811.

Alternative for #417191.

Before:

/run/opengl-driver/lib
❯ sudo nixos-rebuild switch
[sudo] password for thiagoko:
warning: could not re-exec in a newer version of nixos-rebuild, using current version
warning:nixos_rebuild:could not re-exec in a newer version of nixos-rebuild, using current version
building the system configuration...
Failed to find executable /nix/store/ijz8g3gibqyr2zqfkrhshb5f50a46dv5-mesa-25.1.3/bin/switch-to-configuration: No such file or directory
Command '['systemd-run', '-E', 'LOCALE_ARCHIVE', '-E', 'NIXOS_INSTALL_BOOTLOADER', '--collect', '--no-ask-password', '--pipe', '--quiet', '--service-type=exec', '--unit=nixos-rebuild-switch-to-configuration', PosixPath('/nix/store/ijz8g3gibqyr2zqfkrhshb5f50a46dv5-mesa-25.1.3/bin/switch-to-configuration'), 'switch']' returned non-zero exit status 1.

After:

/run/opengl-driver/lib
❯ sudo ~/Projects/nixpkgs/result/bin/nixos-rebuild-ng switch
[sudo] password for thiagoko:
building the system configuration...
activating the configuration...
showing changes compared to /run/current-system...
<<< /run/current-system
>>> /nix/store/fbgjjkgwpg6cgzyv8sq7rxvnnvgha91h-nixos-system-sankyuu-nixos-25.11.20250613.ee930f9
No version or selection state changes.
Closure size: 3679 -> 3679 (0 paths added, 0 paths removed, delta +0, disk usage +0B).
setting up /etc...
reloading user units for thiagoko...
restarting sysinit-reactivation.target
the following new units were started: libvirtd.service, NetworkManager-dispatcher.service
Done. The new configuration is /nix/store/fbgjjkgwpg6cgzyv8sq7rxvnnvgha91h-nixos-system-sankyuu-nixos-25.11.20250613.ee930f9

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
• NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

---

Add a 👍 reaction to pull requests you find important.

[thiagokokada]

CC @Mic92 @tejing1 @colemickens, this is an alternative for #417191.

[tejing1]

Does this really handle things right if someone runs nixos-rebuild --flake path:./foo? Or any other similar construction? That's what I was talking about when I said it was error prone.

[thiagokokada]

Does this really handle things right if someone runs nixos-rebuild --flake path:./foo? Or any other similar construction? That's what I was talking about when I said it was error prone.

Fair, it doesn't. Thanks for giving an example, it is much easier to understand what you mean.