Use QueueDirectories to wait for /nix/store for keepalived services

This allows to get rid of wait4path and sh from the execution path for the services. Which simplifies permissions configuration for nix-daemon, among other things. (No longer needed to grant Full Disk Access / App Management to /bin/sh for nix-daemon to deal with .app bundles.) Related: https://github.com/NixOS/nix/issues/6765 Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
2025-03-31 04:04:45 +00:00 · 2025-03-14 22:48:32 -04:00 · 2025-03-14 22:48:32 -04:00 · fc4e22f5d4
commit fc4e22f5d4
parent adf5c88ba1
4 changed files with 17 additions and 15 deletions
--- a/modules/launchd/default.nix
+++ b/modules/launchd/default.nix
@ -79,19 +79,26 @@ let
        };
      };

-      config = {
+      config = let
+        keepAlive = (config.serviceConfig.KeepAlive != false && config.serviceConfig.KeepAlive != null);
+      in {
        command = mkIf (config.script != "") (pkgs.writeScript "${name}-start" ''
          #! ${stdenv.shell}

          ${config.script}
        '');

+        serviceConfig.QueueDirectories = mkIf keepAlive [ "/nix/store" ];
        serviceConfig.Label = mkDefault "${cfg.labelPrefix}.${name}";
-        serviceConfig.ProgramArguments = mkIf (config.command != "") [
-          "/bin/sh"
-          "-c"
-          "/bin/wait4path /nix/store &amp;&amp; exec ${config.command}"
-        ];
+        serviceConfig.ProgramArguments = mkIf (config.command != "") (
+          if keepAlive then [
+            "${config.command}"
+          ] else [
+            "/bin/sh"
+            "-c"
+            "/bin/wait4path /nix/store &amp;&amp; exec ${config.command}"
+          ]
+        );
        serviceConfig.EnvironmentVariables = mkIf (env != {}) env;
      };
    };
--- a/tests/autossh.nix
+++ b/tests/autossh.nix
@ -12,8 +12,7 @@
  test = ''
    plist=${config.out}/Library/LaunchDaemons/org.nixos.autossh-foo.plist
    test -f $plist
-    grep '<string>/bin/wait4path /nix/store &amp;&amp; exec /nix/store/.*/bin/autossh ' $plist
-    grep '<string>/bin/wait4path /nix/store &amp;&amp; exec.*-i /some/key ' $plist
+    grep '<string>/nix/store/.*/bin/autossh.*-i /some/key' $plist
    tr -d '\n\t ' <$plist |grep '<key>KeepAlive</key><true */>'
  '';
 }
--- a/tests/services-lorri.nix
+++ b/tests/services-lorri.nix
@ -33,10 +33,8 @@ in
    <service.json jq -e ".KeepAlive                     == true"
    <service.json jq -e ".Label                         == \"org.nixos.lorri\""
    <service.json jq -e ".ProcessType                   == \"Background\""
-    <service.json jq -e ".ProgramArguments|length       == 3"
-    <service.json jq -e ".ProgramArguments[0]           == \"/bin/sh\""
-    <service.json jq -e ".ProgramArguments[1]           == \"-c\""
-    <service.json jq -e ".ProgramArguments[2]           == \"/bin/wait4path /nix/store && exec ${pkgs.lorri}/bin/lorri daemon\""
+    <service.json jq -e ".ProgramArguments|length       == 1"
+    <service.json jq -e ".ProgramArguments[0]           == \"${pkgs.lorri}/bin/lorri daemon\""
    <service.json jq -e ".RunAtLoad                     == true"
  '';
 }
--- a/tests/services-nix-daemon.nix
+++ b/tests/services-nix-daemon.nix
@ -14,9 +14,7 @@ in
  test = ''
    echo checking nix-daemon service in /Library/LaunchDaemons >&2
    grep "<string>org.nixos.nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "<string>/bin/wait4path" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "&amp;&amp;" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "exec ${nix}/bin/nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "${nix}/bin/nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
    grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
    (! grep "<key>Sockets</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist)