nixos/wrappers: use normal mount for /run/wrappers

We want to get rid of specialFileSystems / earlyMountScript eventually and there is no need to run this before systemd anymore now that the wrappers themselves are set up in a systemd unit since NixOS#263203 Also this is needed to make soft-reboot work. We want to make sure that we remount /run/wrappers with the nosuid bit removed on soft-reboot but because @earlyMountScript@ happens in initrd, this wouldn't happen
arianvp · Jul 20, 2024 · 8afba66 · 8afba66
1 parent e7279da
commit 8afba66
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
@@ -255,11 +255,6 @@ in
         umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
       };
 
-    boot.specialFileSystems.${parentWrapperDir} = {
-      fsType = "tmpfs";
-      options = [ "nodev" "mode=755" "size=${config.security.wrapperDirSize}" ];
-    };
-
     # Make sure our wrapperDir exports to the PATH env variable when
     # initializing the shell
     environment.extraInit = ''
@@ -275,6 +270,17 @@ in
       mrpx ${wrap.source},
     '') wrappers;
 
+    systemd.mounts = [{
+      where = parentWrapperDir;
+      what = "tmpfs";
+      type = "tmpfs";
+      options = lib.concatStringsSep "," ([
+        "nodev"
+        "mode=755"
+        "size=${config.security.wrapperDirSize}"
+      ]);
+    }];
+
     systemd.services.suid-sgid-wrappers = {
       description = "Create SUID/SGID Wrappers";
       wantedBy = [ "sysinit.target" ];