systemd: remove bash

pkgs/by-name/kb/kbd/package.nix

@@ -9,19 +9,23 @@
   check,
   pam,
   bash,
+  bashNonInteractive,
   coreutils,
   gzip,
   bzip2,
   xz,
   zstd,
   gitUpdater,
   withVlock ? true,
+  compress ? false,
 }:
 
 stdenv.mkDerivation rec {
   pname = "kbd";
   version = "2.8.0";
 
+  __structuredAttrs = true;
+
   src = fetchurl {
     url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
     hash = "sha256-AfWAbafR009ZS3sqauGrIyFTRM8QZOjtzTqQ/vl3ahE=";
@@ -48,6 +52,9 @@ stdenv.mkDerivation rec {
   ++ lib.optionals (!lib.systems.equals stdenv.buildPlatform stdenv.hostPlatform) [
     "ac_cv_func_malloc_0_nonnull=yes"
     "ac_cv_func_realloc_0_nonnull=yes"
+  ]
+  ++ lib.optionals (!compress) [
+    "--disable-compress"
   ];
 
   patches = [
@@ -67,18 +74,19 @@ stdenv.mkDerivation rec {
     mv colemak/{en-latin9,colemak}.map
     popd
 
+    sed -i '
+      1i prefix:=$(vlock)
+      1i bindir := $(vlock)/bin' \
+      src/vlock/Makefile.in \
+      src/vlock/Makefile.am
+  ''
+  + lib.optionalString compress ''
     # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
     substituteInPlace src/libkbdfile/kbdfile.c \
       --replace-fail 'gzip '  '${gzip}/bin/gzip ' \
       --replace-fail 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
       --replace-fail 'xz '    '${xz.bin}/bin/xz ' \
       --replace-fail 'zstd '  '${zstd.bin}/bin/zstd '
-
-    sed -i '
-      1i prefix:=$(vlock)
-      1i bindir := $(vlock)/bin' \
-      src/vlock/Makefile.in \
-      src/vlock/Makefile.am
   '';
 
   enableParallelBuilding = true;
@@ -105,6 +113,11 @@ stdenv.mkDerivation rec {
   ];
   strictDeps = true;
 
+  outputChecks.out.disallowedRequisites = lib.optionals (!compress) [
+    bash
+    bashNonInteractive
+  ];
+
   passthru.tests = {
     inherit (nixosTests) keymap kbd-setfont-decompress kbd-update-search-paths-patch;
   };

pkgs/by-name/li/libpcap/package.nix

@@ -4,6 +4,8 @@
   fetchurl,
   flex,
   bison,
+  bash,
+  bashNonInteractive,
   bluez,
   libnl,
   libxcrypt,
@@ -26,13 +28,25 @@ stdenv.mkDerivation rec {
   pname = "libpcap";
   version = "1.10.5";
 
+  __structuredAttrs = true;
+
   src = fetchurl {
     url = "https://www.tcpdump.org/release/${pname}-${version}.tar.gz";
     hash = "sha256-N87ZChmjAqfzLkWCJKAMNlwReQXCzTWsVEtogKgUiPA=";
   };
 
-  buildInputs =
-    lib.optionals stdenv.hostPlatform.isLinux [ libnl ] ++ lib.optionals withRemote [ libxcrypt ];
+  outputs = [
+    "out"
+    "lib"
+  ];
+
+  strictDeps = true;
+
+  buildInputs = [
+    bash
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isLinux [ libnl ]
+  ++ lib.optionals withRemote [ libxcrypt ];
 
   nativeBuildInputs = [
     flex
@@ -62,6 +76,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  outputChecks.lib.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];
+
   passthru.tests = {
     inherit
       ettercap

pkgs/by-name/li/linux-pam/package.nix

@@ -9,6 +9,8 @@
   ninja,
   audit,
   libxcrypt,
+  bash,
+  bashNonInteractive,
   nixosTests,
   meson,
   pkg-config,
@@ -31,8 +33,11 @@ stdenv.mkDerivation (finalAttrs: {
     repo = "linux-pam";
     tag = "v${finalAttrs.version}";
     hash = "sha256-kANcwxifQz2tYPSrSBSFiYNTm51Gr10L/zroCqm8ZHQ=";
+
   };
 
+  __structuredAttrs = true;
+
   # patching unix_chkpwd is required as the nix store entry does not have the necessary bits
   postPatch = ''
     substituteInPlace modules/module-meson.build \
@@ -43,9 +48,12 @@ stdenv.mkDerivation (finalAttrs: {
     "out"
     "doc"
     "man"
+    "scripts"
     # "modules"
   ];
 
+  strictDeps = true;
+
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [
     flex
@@ -65,6 +73,7 @@ stdenv.mkDerivation (finalAttrs: {
   buildInputs = [
     db4
     libxcrypt
+    bash
   ]
   ++ lib.optionals stdenv.buildPlatform.isLinux [
     audit
@@ -89,8 +98,18 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonBool "examples" false)
   ];
 
+  postInstall = ''
+    moveToOutput sbin/pam_namespace_helper $scripts
+    moveToOutput etc/security/namespace.init $scripts
+  '';
+
   doCheck = false; # fails
 
+  outputChecks.out.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];
+
   passthru = {
     tests = {
       inherit (nixosTests)

pkgs/development/libraries/kerberos/krb5.nix

@@ -6,6 +6,7 @@
   byacc, # can also use bison, but byacc has fewer dependencies
   keyutils,
   openssl,
+  bashNonInteractive,
   perl,
   pkg-config,
 
@@ -34,6 +35,8 @@ stdenv.mkDerivation rec {
   pname = "krb5";
   version = "1.21.3";
 
+  __structuredAttrs = true;
+
   src = fetchurl {
     url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor version}/krb5-${version}.tar.gz";
     hash = "sha256-t6TNXq1n+wi5gLIavRUP9yF+heoyDJ7QxtrdMEhArTU=";
@@ -73,6 +76,8 @@ stdenv.mkDerivation rec {
     "ac_cv_printf_positional=yes"
   ];
 
+  strictDeps = true;
+
   nativeBuildInputs = [
     byacc
     perl
@@ -83,6 +88,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     openssl
+    bashNonInteractive # cannot use bashInteractive because of a dependency cycle
   ]
   ++ lib.optionals (
     stdenv.hostPlatform.isLinux
@@ -116,7 +122,7 @@ stdenv.mkDerivation rec {
   # options don't give us enough granularity to specify that, so we have to override the generated
   # Makefiles manually.
   postConfigure = ''
-    find $libFolders -type f -name Makefile -print0 | while IFS= read -rd "" f; do
+    find "''${libFolders[@]}" -type f -name Makefile -print0 | while IFS= read -rd "" f; do
       substituteInPlace "$f" --replace-fail "$out" "$lib"
     done
   '';
@@ -125,9 +131,11 @@ stdenv.mkDerivation rec {
     mkdir -p "$lib"/{bin,sbin,lib/pkgconfig,share/{et,man/man1}}
   '';
 
-  # not via outputBin, due to reference from libkrb5.so
   postInstall = ''
+    # not via outputBin, due to reference from libkrb5.so
     moveToOutput bin/krb5-config "$dev"
+    moveToOutput sbin/krb5-send-pr "$out"
+    moveToOutput bin/compile_et "$out"
   '';
 
   # Disable _multioutDocs in stdenv by overriding it to be a no-op.
@@ -141,6 +149,11 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
   doCheck = false; # fails with "No suitable file for testing purposes"
 
+  outputChecks.lib.disallowedRequisites = [
+    # bash cannot be here because of a dependency cycle
+    bashNonInteractive
+  ];
+
   meta = with lib; {
     description = "MIT Kerberos 5";
     homepage = "http://web.mit.edu/kerberos/";

pkgs/os-specific/linux/iptables/default.nix

@@ -12,6 +12,8 @@
   libnfnetlink,
   libnftnl,
   libpcap,
+  bash,
+  bashNonInteractive,
   nftablesCompat ? true,
   gitUpdater,
 }:
@@ -20,17 +22,22 @@ stdenv.mkDerivation rec {
   version = "1.8.11";
   pname = "iptables";
 
+  __structuredAttrs = true;
+
   src = fetchurl {
     url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.xz";
     sha256 = "2HMD1V74ySvK1N0/l4sm0nIBNkKwKUJXdfW60QCf57I=";
   };
 
   outputs = [
     "out"
+    "lib"
     "dev"
     "man"
   ];
 
+  strictDeps = true;
+
   nativeBuildInputs = [
     autoreconfHook
     pkg-config
@@ -45,6 +52,7 @@ stdenv.mkDerivation rec {
     libnfnetlink
     libnftnl
     libpcap
+    bash
   ];
 
   configureFlags = [
@@ -68,6 +76,11 @@ stdenv.mkDerivation rec {
     ln -sv xtables-nft-multi $out/bin/ip6tables-save
   '';
 
+  outputChecks.lib.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];
+
   passthru = {
     updateScript = gitUpdater {
       url = "https://git.netfilter.org/iptables";