From e8f9cf2e2e1d63c62a962190f34a70f5263bd02e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=AErekc=C3=A4H=20nitraM=E2=80=AE?=
 <spamfaenger@gmx.de>
Date: Mon, 24 Mar 2025 21:44:21 +0100
Subject: [PATCH] linux-builder: remove /nix/store external directory when
 disabled

When /nix/store internal directories get renamed, they just don't get
into the next version of your system closure and are thus no problem to
rename. But state in the system is a problem, as there is no process to
remov eit. Thus we need to do it ourselves.
---
 modules/nix/linux-builder.nix | 113 ++++++++++++++++++----------------
 1 file changed, 61 insertions(+), 52 deletions(-)

diff --git a/modules/nix/linux-builder.nix b/modules/nix/linux-builder.nix
index 5b1e1c2e..d91734e0 100644
--- a/modules/nix/linux-builder.nix
+++ b/modules/nix/linux-builder.nix
@@ -159,69 +159,78 @@ in
     '';
   };
 
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = config.nix.enable;
-        message = ''`nix.linux-builder.enable` requires `nix.enable`'';
-      }
-    ];
+  config = mkMerge [
+    # get rid of /nix/store external directory when disabled
+    (mkIf (!cfg.enable) {
+      system.activationScripts.preActivation.text = ''
+        rm -rf ${cfg.workingDirectory}
+      '';
+    })
+    # normal config when enabled
+    (mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = config.nix.enable;
+          message = ''`nix.linux-builder.enable` requires `nix.enable`'';
+        }
+      ];
 
-    system.activationScripts.preActivation.text = ''
-      # upgrade old path
-      if [ -e /var/lib/darwin-builder ] && [ ! -e ${cfg.workingDirectory} ]; then
-        mv /var/lib/darwin-builder ${cfg.workingDirectory}
-      fi
+      system.activationScripts.preActivation.text = ''
+          # upgrade old path
+          if [ -e /var/lib/darwin-builder ] && [ ! -e ${cfg.workingDirectory} ]; then
+          mv /var/lib/darwin-builder ${cfg.workingDirectory}
+          fi
 
-      mkdir -p ${cfg.workingDirectory}
-    '';
-
-    launchd.daemons.linux-builder = {
-      environment = {
-        inherit (config.environment.variables) NIX_SSL_CERT_FILE;
-      };
-
-      # create-builder uses TMPDIR to share files with the builder, notably certs.
-      # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
-      # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
-      # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves.
-      script = ''
-        export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1
-        rm -rf $TMPDIR
-        mkdir -p $TMPDIR
-        trap "rm -rf $TMPDIR" EXIT
-        ${lib.optionalString cfg.ephemeral ''
-          rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2
-        ''}
-        ${cfg.package}/bin/create-builder
+          mkdir -p ${cfg.workingDirectory}
       '';
 
-      serviceConfig = {
-        KeepAlive = true;
-        RunAtLoad = true;
-        WorkingDirectory = cfg.workingDirectory;
-      };
-    };
+      launchd.daemons.linux-builder = {
+        environment = {
+          inherit (config.environment.variables) NIX_SSL_CERT_FILE;
+        };
 
-    environment.etc."ssh/ssh_config.d/100-linux-builder.conf".text = ''
-      Host linux-builder
+        # create-builder uses TMPDIR to share files with the builder, notably certs.
+        # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
+        # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
+        # So we'll use /run/org.nixos.linux-builder instead and clean it up ourselves.
+        script = ''
+            export TMPDIR=/run/org.nixos.linux-builder USE_TMPDIR=1
+            rm -rf $TMPDIR
+            mkdir -p $TMPDIR
+            trap "rm -rf $TMPDIR" EXIT
+            ${lib.optionalString cfg.ephemeral ''
+              rm -f ${cfg.workingDirectory}/${cfg.package.nixosConfig.networking.hostName}.qcow2
+            ''}
+            ${cfg.package}/bin/create-builder
+        '';
+
+        serviceConfig = {
+          KeepAlive = true;
+          RunAtLoad = true;
+          WorkingDirectory = cfg.workingDirectory;
+        };
+      };
+
+      environment.etc."ssh/ssh_config.d/100-linux-builder.conf".text = ''
+        Host linux-builder
         User builder
         Hostname localhost
         HostKeyAlias linux-builder
         Port 31022
         IdentityFile /etc/nix/builder_ed25519
-    '';
+      '';
 
-    nix.distributedBuilds = true;
+      nix.distributedBuilds = true;
 
-    nix.buildMachines = [{
-      hostName = "linux-builder";
-      sshUser = "builder";
-      sshKey = "/etc/nix/builder_ed25519";
-      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=";
-      inherit (cfg) mandatoryFeatures maxJobs protocol speedFactor supportedFeatures systems;
-    }];
+      nix.buildMachines = [{
+        hostName = "linux-builder";
+        sshUser = "builder";
+        sshKey = "/etc/nix/builder_ed25519";
+        publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=";
+        inherit (cfg) mandatoryFeatures maxJobs protocol speedFactor supportedFeatures systems;
+      }];
 
-    nix.settings.builders-use-substitutes = true;
-  };
+      nix.settings.builders-use-substitutes = true;
+    })
+  ];
 }