modules/programs: enforce that user services don't accidentally override PATH

2024-02-12 08:44:55 +00:00
parent b19492ba23
commit e81df0ac86
4 changed files with 6 additions and 6 deletions


@@ -25,7 +25,6 @@ in
services.ntfy-sub = {
description = "listen for push-notifications";
wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
path = [ cfg.package ];
script = ''
topic=$(cat ~/.config/ntfy-sh/topic)
ntfy sub "https://ntfy.uninsane.org:2587/$topic"


@@ -67,7 +67,6 @@ in
Restart = "always";
RestartSec = "20s";
};
path = [ cfg.package ];
script = ''
wobsock="$XDG_RUNTIME_DIR/${cfg.config.sock}"
rm -f "$wobsock" || true


@@ -615,11 +615,10 @@ in
source "$XDG_CONFIG_HOME/sxmo/profile"
source ${package}/etc/profile.d/sxmo_init.sh
source "$XDG_CONFIG_HOME/sxmo/profile"
export PATH="$XDG_CONFIG_HOME/sxmo/hooks:$PATH"
export PATH="$XDG_CONFIG_HOME/sxmo/hooks:$PATH:${lib.makeBinPath sxmoPath}"
'';
sxmoService = name: {
description = "sxmo ${name}";
path = sxmoPath;
script = ''
${sxmoEnvSetup}
exec sxmo_${name}.sh
@@ -644,7 +643,6 @@ in
# sxmo_wob = sxmoService "wob";
sxmo-x11-status = sxmoService "status_xsetroot";
bonsaid.path = sxmoPath;
bonsaid.script = lib.mkBefore sxmoEnvSetup;
};
}
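Review bot: In the rewritten `export PATH=` line, `${lib.makeBinPath sxmoPath}` is placed after `$PATH`, so a same-named executable earlier in the inherited session PATH now takes precedence over the pinned store binaries. The user-writable `$XDG_CONFIG_HOME/sxmo/hooks` directory was already first and still is. The `path = sxmoPath;` lines that appear to be dropped here presumably gave those packages priority before. If the packaged tools should win, put them ahead of the inherited value, `export PATH="$XDG_CONFIG_HOME/sxmo/hooks:${lib.makeBinPath sxmoPath}:$PATH"`; if the current order is deliberate, a comment on that line saying so would help. The `sxmoEnvSetup` string begins above the hunk, so its earlier lines are not visible here.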


@@ -133,12 +133,16 @@ let
# see: <repo:nix-community/home-manager:modules/systemd.nix>
cleanName = utils.systemdUtils.lib.mkPathSafeName serviceName;
generatedUnit = utils.systemdUtils.lib.serviceToUnit serviceName (value // {
environment = {
environment = lib.throwIf (value.path != []) "user service ${serviceName} specifies unsupported 'path' attribute (${builtins.toString value.path})" {
# clear PATH to allow inheriting it from environment.
# otherwise, nixos would force it to `systemd.globalEnvironment.PATH`, which is mostly tools like sed/find/etc.
# clearing PATH here allows user services to inherit whatever PATH the graphical session sets
# (see `dbus-update-activation-environment` call in ~/.config/sway/config),
# which is critical to making it so user services can see user *programs*/packages.
#
# note that systemd provides no way to *append* to the PATH, only to override it (or not).
# nor do they intend to ever support that:
# - <https://github.com/systemd/systemd/issues/1082>
PATH = null;
} // (value.environment or {});
});
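Review bot: The new `lib.throwIf` guards only `value.path`; a service that sets `environment.PATH` still replaces the `PATH = null` default, because `// (value.environment or {})` is merged on top of it. If that override is also unwanted, extend the condition, e.g. `lib.throwIf (value.path != [] || (value.environment or {}) ? PATH) ...`; if it is the intended escape hatch, say so in the comment block. Separately, `value.path` is read without a fallback while `value.environment` uses `or {}`. If `value` can lack `path` (not visible here), evaluation would fail with a missing-attribute error instead of this message, and `(value.path or [])` would keep the two consistent. The enclosing `let` binding starts and ends outside the hunk.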