Silly, should just have one activation script

nixos/modules/security/permissions-wrappers/default.nix

@@ -61,37 +61,7 @@ let
     '';
 
     mkActivationScript = programsToWrap:
-      lib.stringAfter [ "users" ]
-        ''
-          # Look in the system path and in the default profile for
-          # programs to be wrapped.
-          PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
-
-          mkdir -p /run/permissions-wrapper-dirs
-          permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
-          chmod a+rx $permissionsWrapperDir
-
-          ${programsToWrap}
-
-          if [ -L ${permissionsWrapperDir} ]; then
-            # Atomically replace the symlink
-            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-            old=$(readlink ${permissionsWrapperDir})
-            ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
-            mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
-            rm --force --recursive $old
-          elif [ -d ${permissionsWrapperDir} ]; then
-            # Compatibility with old state, just remove the folder and symlink
-            rm -f ${permissionsWrapperDir}/*
-            # if it happens to be a tmpfs
-            ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
-            rm -d ${permissionsWrapperDir}
-            ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
-          else
-            # For initial setup
-            ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
-          fi
-        '';
+;
 in
 {
 
@@ -184,11 +154,38 @@ in
     '';
 
     ###### setcap activation script
-    system.activationScripts.setcap =
-      mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap));
+    system.activationScripts.permissions-wrappers =
+      lib.stringAfter [ "users" ]
+        ''
+          # Look in the system path and in the default profile for
+          # programs to be wrapped.
+          PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
-    ###### setuid activation script
-    system.activationScripts.setuid =
-      mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid));
+          mkdir -p /run/permissions-wrapper-dirs
+          permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
+          chmod a+rx $permissionsWrapperDir
+
+          ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
+          ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
+
+          if [ -L ${permissionsWrapperDir} ]; then
+            # Atomically replace the symlink
+            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+            old=$(readlink ${permissionsWrapperDir})
+            ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
+            mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
+            rm --force --recursive $old
+          elif [ -d ${permissionsWrapperDir} ]; then
+            # Compatibility with old state, just remove the folder and symlink
+            rm -f ${permissionsWrapperDir}/*
+            # if it happens to be a tmpfs
+            ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
+            rm -d ${permissionsWrapperDir}
+            ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
+          else
+            # For initial setup
+            ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
+          fi
+        '';
   };
 }