switch-to-configuration: Better handling of socket-activated units

[antifuchs]

Previously, if any unit had a socket associated with it, stc-ng counted it as "socket-activated", meaning that the unit would get stopped and the socket get restarted. That can wreak havoc on units like systemd-udevd and systemd-networkd.

Instead, let units set the new flag notSocketActivated, which sets a boolean on the unit indicating to stc-ng that the unit wants to be treated like any other non-socket-activated unit instead. That will stop/start or restart these units on upgrades, without unnecessarily tearing down any machinery that the system needs to run.

This addresses what @ElvishJerricco and I thought was a systemd bug (systemd/systemd#35371) but is really a bug in how socket-activated services are handled in stc (and -ng).

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[antifuchs]

I believe this doesn't 100% entirely resolve the issue: While on one machine, explicitly starting udevd & networkd again did allow the switch to go through without issue, on another, the original problem occurred: tailscale0 turned pending (from unmanaged).

Maybe the logic around stopping/starting these critical services is wrong entirely?

[jmbaur]

Can you please implement the perl side of this as well? We will need to have both prior to merge.

[antifuchs]

Can you please implement the perl side of this as well? We will need to have both prior to merge.

Added, thanks for the note!

[ElvishJerricco]

Looks good, but probably needs to update nixos/doc/manual/development/unit-handling.section.md.

[antifuchs]

Looks good, but probably needs to update nixos/doc/manual/development/unit-handling.section.md.

Updated, thanks for the pointer!

[ElvishJerricco]

Just a few little nitpicks but otherwise seems fine to me.