modules/programs: enforce that user services don't accidentally override PATH

2024-02-12 08:44:55 +00:00
parent b19492ba23
commit e81df0ac86
4 changed files with 6 additions and 6 deletions


@@ -25,7 +25,6 @@ in
services.ntfy-sub = { services.ntfy-sub = {
description = "listen for push-notifications"; description = "listen for push-notifications";
wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ]; wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
path = [ cfg.package ];
script = '' script = ''
topic=$(cat ~/.config/ntfy-sh/topic) topic=$(cat ~/.config/ntfy-sh/topic)
ntfy sub "https://ntfy.uninsane.org:2587/$topic" ntfy sub "https://ntfy.uninsane.org:2587/$topic"


@@ -67,7 +67,6 @@ in
Restart = "always"; Restart = "always";
RestartSec = "20s"; RestartSec = "20s";
}; };
path = [ cfg.package ];
script = '' script = ''
wobsock="$XDG_RUNTIME_DIR/${cfg.config.sock}" wobsock="$XDG_RUNTIME_DIR/${cfg.config.sock}"
rm -f "$wobsock" || true rm -f "$wobsock" || true


@@ -615,11 +615,10 @@ in
source "$XDG_CONFIG_HOME/sxmo/profile" source "$XDG_CONFIG_HOME/sxmo/profile"
source ${package}/etc/profile.d/sxmo_init.sh source ${package}/etc/profile.d/sxmo_init.sh
source "$XDG_CONFIG_HOME/sxmo/profile" source "$XDG_CONFIG_HOME/sxmo/profile"
export PATH="$XDG_CONFIG_HOME/sxmo/hooks:$PATH" export PATH="$XDG_CONFIG_HOME/sxmo/hooks:$PATH:${lib.makeBinPath sxmoPath}"
''; '';
sxmoService = name: { sxmoService = name: {
description = "sxmo ${name}"; description = "sxmo ${name}";
path = sxmoPath;
script = '' script = ''
${sxmoEnvSetup} ${sxmoEnvSetup}
exec sxmo_${name}.sh exec sxmo_${name}.sh
@@ -644,7 +643,6 @@ in
# sxmo_wob = sxmoService "wob"; # sxmo_wob = sxmoService "wob";
sxmo-x11-status = sxmoService "status_xsetroot"; sxmo-x11-status = sxmoService "status_xsetroot";
bonsaid.path = sxmoPath;
bonsaid.script = lib.mkBefore sxmoEnvSetup; bonsaid.script = lib.mkBefore sxmoEnvSetup;
}; };
} }
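Review bot: On the changed `export PATH=` line in `sxmoEnvSetup`, the pinned `${lib.makeBinPath sxmoPath}` entries now come last, so a same-named executable in the user-writable hooks directory or anywhere in the inherited session `$PATH` is resolved before the store-path one. The removed `path = sxmoPath;` presumably made those entries the unit's PATH before. If that precedence is intended, a comment would record it, e.g. `# sxmoPath is only a fallback: hooks and the session PATH deliberately take precedence`. The line also produces an empty PATH component, which is searched as the current directory, if the service ever starts with `$PATH` unset or empty; `export PATH="$XDG_CONFIG_HOME/sxmo/hooks:''${PATH:+$PATH:}${lib.makeBinPath sxmoPath}"` avoids that (note the `''${` escape needed inside the Nix string). The `sxmoEnvSetup` string opens above this hunk, so its earlier lines are not covered here.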


@@ -133,12 +133,16 @@ let
# see: <repo:nix-community/home-manager:modules/systemd.nix> # see: <repo:nix-community/home-manager:modules/systemd.nix>
cleanName = utils.systemdUtils.lib.mkPathSafeName serviceName; cleanName = utils.systemdUtils.lib.mkPathSafeName serviceName;
generatedUnit = utils.systemdUtils.lib.serviceToUnit serviceName (value // { generatedUnit = utils.systemdUtils.lib.serviceToUnit serviceName (value // {
environment = { environment = lib.throwIf (value.path != []) "user service ${serviceName} specifies unsupported 'path' attribute (${builtins.toString value.path})" {
# clear PATH to allow inheriting it from environment. # clear PATH to allow inheriting it from environment.
# otherwise, nixos would force it to `systemd.globalEnvironment.PATH`, which is mostly tools like sed/find/etc. # otherwise, nixos would force it to `systemd.globalEnvironment.PATH`, which is mostly tools like sed/find/etc.
# clearing PATH here allows user services to inherit whatever PATH the graphical session sets # clearing PATH here allows user services to inherit whatever PATH the graphical session sets
# (see `dbus-update-activation-environment` call in ~/.config/sway/config), # (see `dbus-update-activation-environment` call in ~/.config/sway/config),
# which is critical to making it so user services can see user *programs*/packages. # which is critical to making it so user services can see user *programs*/packages.
#
# note that systemd provides no way to *append* to the PATH, only to override it (or not).
# nor do they intend to ever support that:
# - <https://github.com/systemd/systemd/issues/1082>
PATH = null; PATH = null;
} // (value.environment or {}); } // (value.environment or {});
}); });
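Review bot: The new `lib.throwIf` on the `environment =` line reads `value.path` unconditionally, while the same expression treats `value.environment` as optional via `or {}`. If a service attrset can reach this point without a `path` attribute, evaluation would fail with a missing-attribute error rather than the intended message; `(value.path or []) != []` keeps the two accesses consistent. The guard also covers only `path`: because `// (value.environment or {})` is merged after `PATH = null`, a service that sets `environment.PATH` still overrides the inherited PATH without tripping the check. If that route is meant to stay open as the explicit override, the comment block should say so; otherwise the condition could be extended with `|| (value.environment or {}) ? PATH`. The enclosing `let` binding begins outside this hunk, so whether `value` always carries module defaults cannot be confirmed from here.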