Silly, should just have one activation script
This commit is contained in:
parent
48a0c5a3a7
commit
61fe8de40c
@ -61,37 +61,7 @@ let
|
||||
'';
|
||||
|
||||
mkActivationScript = programsToWrap:
|
||||
lib.stringAfter [ "users" ]
|
||||
''
|
||||
# Look in the system path and in the default profile for
|
||||
# programs to be wrapped.
|
||||
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
|
||||
|
||||
mkdir -p /run/permissions-wrapper-dirs
|
||||
permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
|
||||
chmod a+rx $permissionsWrapperDir
|
||||
|
||||
${programsToWrap}
|
||||
|
||||
if [ -L ${permissionsWrapperDir} ]; then
|
||||
# Atomically replace the symlink
|
||||
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
|
||||
old=$(readlink ${permissionsWrapperDir})
|
||||
ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
|
||||
mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
|
||||
rm --force --recursive $old
|
||||
elif [ -d ${permissionsWrapperDir} ]; then
|
||||
# Compatibility with old state, just remove the folder and symlink
|
||||
rm -f ${permissionsWrapperDir}/*
|
||||
# if it happens to be a tmpfs
|
||||
${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
|
||||
rm -d ${permissionsWrapperDir}
|
||||
ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
else
|
||||
# For initial setup
|
||||
ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
fi
|
||||
'';
|
||||
;
|
||||
in
|
||||
{
|
||||
|
||||
@ -184,11 +154,38 @@ in
|
||||
'';
|
||||
|
||||
###### setcap activation script
|
||||
system.activationScripts.setcap =
|
||||
mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap));
|
||||
system.activationScripts.permissions-wrappers =
|
||||
lib.stringAfter [ "users" ]
|
||||
''
|
||||
# Look in the system path and in the default profile for
|
||||
# programs to be wrapped.
|
||||
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
|
||||
|
||||
###### setuid activation script
|
||||
system.activationScripts.setuid =
|
||||
mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid));
|
||||
mkdir -p /run/permissions-wrapper-dirs
|
||||
permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
|
||||
chmod a+rx $permissionsWrapperDir
|
||||
|
||||
${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
|
||||
${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
|
||||
|
||||
if [ -L ${permissionsWrapperDir} ]; then
|
||||
# Atomically replace the symlink
|
||||
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
|
||||
old=$(readlink ${permissionsWrapperDir})
|
||||
ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
|
||||
mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
|
||||
rm --force --recursive $old
|
||||
elif [ -d ${permissionsWrapperDir} ]; then
|
||||
# Compatibility with old state, just remove the folder and symlink
|
||||
rm -f ${permissionsWrapperDir}/*
|
||||
# if it happens to be a tmpfs
|
||||
${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
|
||||
rm -d ${permissionsWrapperDir}
|
||||
ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
else
|
||||
# For initial setup
|
||||
ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user