{activation-scripts,activate-system}: purify environment again

modules/services/activate-system/default.nix

@@ -1,5 +1,35 @@
 { config, lib, pkgs, ... }:
 
+let
+  activationPath =
+    lib.makeBinPath (
+      [
+        pkgs.gnugrep
+        pkgs.coreutils
+      ] ++ lib.optionals config.nix.enable [ config.nix.package ]
+    )
+    + lib.optionalString (!config.nix.enable) ''
+      $(
+        # If `nix.enable` is off, there might be an unmanaged Nix
+        # installation (say in `/nix/var/nix/profiles/default`) that
+        # activation scripts (such as Home Manager) want to find on the
+        # `$PATH`. Search for it directly to avoid polluting the
+        # activation script environment with everything on the
+        # `environment.systemPath`.
+        if nixEnvPath=$(
+          PATH="${config.environment.systemPath}" command -v nix-env
+        ); then
+          printf ':'
+          ${lib.getExe' pkgs.coreutils "dirname"} -- "$(
+            ${lib.getExe' pkgs.coreutils "readlink"} \
+              --canonicalize-missing \
+              -- "$nixEnvPath"
+          )"
+        fi
+      )''
+    + ":/usr/bin:/bin:/usr/sbin:/sbin";
+in
+
 {
   imports = [
     (lib.mkRemovedOptionModule [ "services" "activate-system" "enable" ] "The `activate-system` service is now always enabled as it is necessary for a working `nix-darwin` setup.")
@@ -10,7 +40,17 @@
       script = ''
         set -e
         set -o pipefail
-        export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+
+        PATH="${activationPath}"
+
+        export PATH
+        export USER=root
+        export LOGNAME=root
+        export HOME=~root
+        export MAIL=/var/mail/root
+        export SHELL=$BASH
+        export LANG=C
+        export LC_CTYPE=UTF-8
 
         systemConfig=$(cat ${config.system.profile}/systemConfig)
 

modules/system/activation-scripts.nix

@@ -14,10 +14,12 @@ let
   };
 
   activationPath =
-    lib.makeBinPath [
-      pkgs.gnugrep
-      pkgs.coreutils
-    ]
+    lib.makeBinPath (
+      [
+        pkgs.gnugrep
+        pkgs.coreutils
+      ] ++ lib.optionals config.nix.enable [ config.nix.package ]
+    )
     + lib.optionalString (!config.nix.enable) ''
       $(
         # If `nix.enable` is off, there might be an unmanaged Nix
@@ -37,8 +39,7 @@ let
           )"
         fi
       )''
-    + ":@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin";
-
+    + ":/usr/bin:/bin:/usr/sbin:/sbin";
 in
 
 {
@@ -80,18 +81,36 @@ in
         ];
 
     system.activationScripts.script.text = ''
-      #! ${stdenv.shell}
+      #!/usr/bin/env -i ${stdenv.shell}
+      # shellcheck shell=bash
+      # shellcheck disable=SC2096
+
       set -e
       set -o pipefail
 
       PATH="${activationPath}"
+
       export PATH
+      export USER=root
+      export LOGNAME=root
+      export HOME=~root
+      export MAIL=/var/mail/root
+      export SHELL=$BASH
+      export LANG=C
+      export LC_CTYPE=UTF-8
 
       systemConfig=@out@
 
       # Ensure a consistent umask.
       umask 0022
 
+      cd /
+
+      if [[ $(id -u) -ne 0 ]]; then
+        printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n'
+        exit 2
+      fi
+
       ${cfg.activationScripts.preActivation.text}
 
       ${cfg.activationScripts.etcChecks.text}

tests/nix-enable.nix

@@ -12,5 +12,9 @@
 
     printf >&2 'checking for late‐bound Nix lookup in /activate\n'
     grep nixEnvPath= ${config.out}/activate
+
+    printf >&2 'checking for late‐bound Nix lookup in activation service\n'
+    script=$(cat ${config.out}/Library/LaunchDaemons/org.nixos.activate-system.plist | awk -F'[< ]' '$6 ~ "^/nix/store/.*" {print $6}')
+    grep nixEnvPath= "$script"
   '';
 }