Introduce micro-activate (RIIR activate script + tiny bit of tmpfiles)

Instead of interpreting all that shell and running actual tmpfiles, use a tiny stage before systemd that mounts a tmpfs at /run (preventing systemd from doing the same), populates it with NixOS symlinks and preserved resolv.conf, and mounts the immutable /etc overlay before passing control over to systemd.
2025-12-04 06:59:50 -03:00 · 2025-12-04 06:59:50 -03:00 · 0bd986f97f
commit 0bd986f97f
parent 3d2f6c4732
5 changed files with 151 additions and 40 deletions
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@ -81,7 +81,6 @@ in {
      "systemd-udevd-kernel.socket"
      "systemd-udevd-control.socket"
      "systemd-udevd.service"
-      "systemd-tmpfiles-setup.service"
      "user.slice"
    ];
    upstreamWants = ["multi-user.target.wants"];
@ -99,24 +98,6 @@ in {
  systemd.services.systemd-pstore.enable = lib.mkForce false;
  systemd.services.lastlog2-import.enable = lib.mkForce false;
  systemd.services.suid-sgid-wrappers.enable = lib.mkForce false;
-  systemd.services.microvm-nixos-activation = {
-    enable = true;
-    description = "NixOS Activation";
-    wantedBy = ["local-fs.target"];
-    before = ["systemd-tmpfiles-setup.service"];
-    requires = ["systemd-tmpfiles-setup.service"];
-    unitConfig.DefaultDependencies = false;
-    serviceConfig = {
-      Type = "oneshot";
-      PassEnvironment = ["MICROVM_CLOSURE" "MICROVM_UID" "MICROVM_GID"];
-    } // useTTY;
-    script = ''
-      PATH=$MICROVM_CLOSURE/sw/bin
-      cp /etc/resolv.conf /run/
-      $MICROVM_CLOSURE/activate || true
-      chown 1337:1337 /run
-    '';
-  };

  # Configure user accounts
  # The immutable overlay wants userborn or sysusers.. we just want baked-in files w/o running a service.
@ -139,7 +120,6 @@ in {
  };
  users.groups.appvm.gid = 1337;
  users.allowNoPasswordLogin = true;
-  systemd.tmpfiles.rules = ["d ${runtimeDir} 0755 1337 1337 -"];

  # Configure services

@ -148,7 +128,6 @@ in {
    description = "microVM Application runner";
    onFailure = ["exit.target"];
    onSuccess = ["exit.target"];
-    after = ["microvm-nixos-activation.service"];
    wantedBy = ["microvm.target"];
    serviceConfig = {
      Type = "exec";