nixos/systemd/shutdown: make shutdown ramfs bashless

nixos/modules/profiles/bashless.nix

@@ -32,8 +32,6 @@
   boot.kexec.enable = lib.mkDefault false;
   # Relies on bash scripts
   powerManagement.enable = lib.mkDefault false;
-  # Has some bash inside
-  systemd.shutdownRamfs.enable = lib.mkDefault false;
   # Relies on the gzip command which depends on bash
   services.logrotate.enable = lib.mkDefault false;
 

nixos/modules/system/boot/systemd/shutdown.nix

@@ -17,6 +17,7 @@ in
     enable = lib.mkEnableOption "pivoting back to an initramfs for shutdown" // {
       default = true;
     };
+
     contents = lib.mkOption {
       description = "Set of files that have to be linked into the shutdown ramfs";
       example = lib.literalExpression ''
@@ -34,6 +35,22 @@ in
       type = utils.systemdUtils.types.initrdStorePath;
       default = [ ];
     };
+
+    shell.enable = lib.mkEnableOption "" // {
+      default = config.environment.shell.enable;
+      internal = true;
+      description = ''
+        Whether to enable a shell in the shutdown ramfs.
+
+        In contrast to `environment.shell.enable`, this option actually
+        strictly disables all shells in the shutdown ramfs because they're not
+        copied into it anymore. Paths that use a shell (e.g. via the `script`
+        option), will break if this option is set.
+
+        Only set this option if you're sure that you can recover from potential
+        issues.
+      '';
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -43,9 +60,11 @@ in
       "/etc/os-release".source = config.environment.etc.os-release.source;
     };
     systemd.shutdownRamfs.storePaths = [
-      pkgs.runtimeShell
       "${pkgs.coreutils}/bin"
     ]
+    ++ lib.optionals cfg.shell.enable [
+      pkgs.runtimeShell
+    ]
     ++ map (c: builtins.removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents);
 
     systemd.mounts = [

nixos/tests/activation/bashless.nix

@@ -19,6 +19,7 @@
       # work.
       environment.binsh = lib.mkForce null;
       boot.initrd.systemd.shell.enable = false;
+      systemd.shutdownRamfs.shell.enable = false;
 
       # This ensures that we only have the store paths of our closure in the
       # in the guest. This is necessary so we can grep in the store.
@@ -31,6 +32,7 @@
       environment.systemPackages = [
         pkgs.coreutils
         pkgs.gnugrep
+        pkgs.findutils
       ];
 
       # Unset the regex because the tests instrumentation needs bash.
@@ -43,6 +45,12 @@
     with subtest("/bin/sh doesn't exist"):
       machine.fail("stat /bin/sh")
 
+    with subtest("shutdown ramfs is bashless"):
+      machine.systemctl("start generate-shutdown-ramfs.service")
+      shutdown_ramfs_bash_paths = machine.succeed("find /run/initramfs -type d,f -name '*bash*'")
+      print(shutdown_ramfs_bash_paths)
+      t.assertNotIn("bash", shutdown_ramfs_bash_paths)
+
     bash_store_paths = machine.succeed("ls /nix/store | grep bash || true")
     print(bash_store_paths)
   '';