From fc4e22f5d40ff2aa9ed53b4705d3304c92b9003b Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Date: Fri, 14 Mar 2025 22:48:32 -0400
Subject: [PATCH] Use QueueDirectories to wait for /nix/store for keepalived
 services

This allows to get rid of wait4path and sh from the execution path for
the services. Which simplifies permissions configuration for nix-daemon,
among other things. (No longer needed to grant Full Disk Access / App
Management to /bin/sh for nix-daemon to deal with .app bundles.)

Related: https://github.com/NixOS/nix/issues/6765

Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
---
 modules/launchd/default.nix   | 19 +++++++++++++------
 tests/autossh.nix             |  3 +--
 tests/services-lorri.nix      |  6 ++----
 tests/services-nix-daemon.nix |  4 +---
 4 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/modules/launchd/default.nix b/modules/launchd/default.nix
index 64b6af70..3ee777be 100644
--- a/modules/launchd/default.nix
+++ b/modules/launchd/default.nix
@@ -79,19 +79,26 @@ let
         };
       };
 
-      config = {
+      config = let
+        keepAlive = (config.serviceConfig.KeepAlive != false && config.serviceConfig.KeepAlive != null);
+      in {
         command = mkIf (config.script != "") (pkgs.writeScript "${name}-start" ''
           #! ${stdenv.shell}
 
           ${config.script}
         '');
 
+        serviceConfig.QueueDirectories = mkIf keepAlive [ "/nix/store" ];
         serviceConfig.Label = mkDefault "${cfg.labelPrefix}.${name}";
-        serviceConfig.ProgramArguments = mkIf (config.command != "") [
-          "/bin/sh"
-          "-c"
-          "/bin/wait4path /nix/store &amp;&amp; exec ${config.command}"
-        ];
+        serviceConfig.ProgramArguments = mkIf (config.command != "") (
+          if keepAlive then [
+            "${config.command}"
+          ] else [
+            "/bin/sh"
+            "-c"
+            "/bin/wait4path /nix/store &amp;&amp; exec ${config.command}"
+          ]
+        );
         serviceConfig.EnvironmentVariables = mkIf (env != {}) env;
       };
     };
diff --git a/tests/autossh.nix b/tests/autossh.nix
index 5279bf9d..404bddab 100644
--- a/tests/autossh.nix
+++ b/tests/autossh.nix
@@ -12,8 +12,7 @@
   test = ''
     plist=${config.out}/Library/LaunchDaemons/org.nixos.autossh-foo.plist
     test -f $plist
-    grep '<string>/bin/wait4path /nix/store &amp;&amp; exec /nix/store/.*/bin/autossh ' $plist
-    grep '<string>/bin/wait4path /nix/store &amp;&amp; exec.*-i /some/key ' $plist
+    grep '<string>/nix/store/.*/bin/autossh.*-i /some/key' $plist
     tr -d '\n\t ' <$plist |grep '<key>KeepAlive</key><true */>'
   '';
 }
diff --git a/tests/services-lorri.nix b/tests/services-lorri.nix
index 7d301524..94503e0f 100644
--- a/tests/services-lorri.nix
+++ b/tests/services-lorri.nix
@@ -33,10 +33,8 @@ in
     <service.json jq -e ".KeepAlive                     == true"
     <service.json jq -e ".Label                         == \"org.nixos.lorri\""
     <service.json jq -e ".ProcessType                   == \"Background\""
-    <service.json jq -e ".ProgramArguments|length       == 3"
-    <service.json jq -e ".ProgramArguments[0]           == \"/bin/sh\""
-    <service.json jq -e ".ProgramArguments[1]           == \"-c\""
-    <service.json jq -e ".ProgramArguments[2]           == \"/bin/wait4path /nix/store && exec ${pkgs.lorri}/bin/lorri daemon\""
+    <service.json jq -e ".ProgramArguments|length       == 1"
+    <service.json jq -e ".ProgramArguments[0]           == \"${pkgs.lorri}/bin/lorri daemon\""
     <service.json jq -e ".RunAtLoad                     == true"
   '';
 }
diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix
index f8f06e5d..627fe29c 100644
--- a/tests/services-nix-daemon.nix
+++ b/tests/services-nix-daemon.nix
@@ -14,9 +14,7 @@ in
   test = ''
     echo checking nix-daemon service in /Library/LaunchDaemons >&2
     grep "<string>org.nixos.nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "<string>/bin/wait4path" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "&amp;&amp;" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "exec ${nix}/bin/nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "${nix}/bin/nix-daemon</string>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
     grep "<key>KeepAlive</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
     (! grep "<key>Sockets</key>" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist)