nixos/systemd/shutdown: make shutdown ramfs bashless

2025-11-09 16:18:34 +01:00 · 2025-10-11 00:53:17 +02:00 · 2025-10-11 00:53:17 +02:00 · 653fd8c995
parent b9d0fd8be4
commit 653fd8c995
3 changed files with 28 additions and 3 deletions
--- a/nixos/modules/profiles/bashless.nix
+++ b/nixos/modules/profiles/bashless.nix
@ -32,8 +32,6 @@
  boot.kexec.enable = lib.mkDefault false;
  # Relies on bash scripts
  powerManagement.enable = lib.mkDefault false;
-  # Has some bash inside
-  systemd.shutdownRamfs.enable = lib.mkDefault false;
  # Relies on the gzip command which depends on bash
  services.logrotate.enable = lib.mkDefault false;

--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@ -17,6 +17,7 @@ in
    enable = lib.mkEnableOption "pivoting back to an initramfs for shutdown" // {
      default = true;
    };
+
    contents = lib.mkOption {
      description = "Set of files that have to be linked into the shutdown ramfs";
      example = lib.literalExpression ''
@ -34,6 +35,22 @@ in
      type = utils.systemdUtils.types.initrdStorePath;
      default = [ ];
    };
+
+    shell.enable = lib.mkEnableOption "" // {
+      default = config.environment.shell.enable;
+      internal = true;
+      description = ''
+        Whether to enable a shell in the shutdown ramfs.
+
+        In contrast to `environment.shell.enable`, this option actually
+        strictly disables all shells in the shutdown ramfs because they're not
+        copied into it anymore. Paths that use a shell (e.g. via the `script`
+        option), will break if this option is set.
+
+        Only set this option if you're sure that you can recover from potential
+        issues.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable {
@ -43,9 +60,11 @@ in
      "/etc/os-release".source = config.environment.etc.os-release.source;
    };
    systemd.shutdownRamfs.storePaths = [
-      pkgs.runtimeShell
      "${pkgs.coreutils}/bin"
    ]
+    ++ lib.optionals cfg.shell.enable [
+      pkgs.runtimeShell
+    ]
    ++ map (c: builtins.removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents);

    systemd.mounts = [
--- a/nixos/tests/activation/bashless.nix
+++ b/nixos/tests/activation/bashless.nix
@ -19,6 +19,7 @@
      # work.
      environment.binsh = lib.mkForce null;
      boot.initrd.systemd.shell.enable = false;
+      systemd.shutdownRamfs.shell.enable = false;

      # This ensures that we only have the store paths of our closure in the
      # in the guest. This is necessary so we can grep in the store.
@ -31,6 +32,7 @@
      environment.systemPackages = [
        pkgs.coreutils
        pkgs.gnugrep
+        pkgs.findutils
      ];

      # Unset the regex because the tests instrumentation needs bash.
@ -43,6 +45,12 @@
    with subtest("/bin/sh doesn't exist"):
      machine.fail("stat /bin/sh")

+    with subtest("shutdown ramfs is bashless"):
+      machine.systemctl("start generate-shutdown-ramfs.service")
+      shutdown_ramfs_bash_paths = machine.succeed("find /run/initramfs -type d,f -name '*bash*'")
+      print(shutdown_ramfs_bash_paths)
+      t.assertNotIn("bash", shutdown_ramfs_bash_paths)
+
    bash_store_paths = machine.succeed("ls /nix/store | grep bash || true")
    print(bash_store_paths)
  '';