packages/nixos: make interpreter-less

This removes Perl and Python dependencies from our NixOS images. These are used throughout scripts for user generation and setup of volatile directories at boot (like `/etc`). However, this functionality can also be implemented without those interpreters, allowing us to remove them from the system closure. This saves around 168MB in image size.
edgelesssys · Dec 12, 2024 · c3db10a · c3db10a
1 parent f86016e
commit c3db10a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 6 deletions.
diff --git a/packages/nixos/kata.nix b/packages/nixos/kata.nix
@@ -87,12 +87,8 @@ in
     };
 
     networking.resolvconf.enable = false;
-    systemd.tmpfiles.settings."10-etc-resolvconf"."/etc/resolv.conf".f = {
-      group = "root";
-      mode = "0755";
-      user = "root";
-    };
 
+    environment.etc."resolv.conf".text = "dummy file, to be bind-mounted by the Kata agent when writing network configuration";
     environment.etc."kata-opa/default-policy.rego".source = "${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
   };
 }
diff --git a/packages/nixos/system.nix b/packages/nixos/system.nix
@@ -63,7 +63,6 @@
         })
         [
           "/var"
-          "/etc"
           "/bin"
           "/usr/bin"
           "/tmp"
@@ -78,6 +77,38 @@
   # Images are immutable, so no need to include Nix.
   nix.enable = false;
 
+  # Interpreter-less activation bits, tailored to our needs:
+  # Source: https://github.com/NixOS/nixpkgs/blob/a4741ea333f97cca0680d1eb485907f0e4a0eb3a/nixos/modules/profiles/perlless.nix
+  # We do not include the upstream module as-is, as we don't need sophisticated user generation, for example.
+
+  # Remove perl from activation
+  system.etc.overlay = {
+    enable = true;
+    mutable = false;
+  };
+
+  # simple replacement for update-users-groups.pl
+  systemd.sysusers.enable = true;
+
+  # Random perl remnants
+  system.disableInstallerTools = true;
+  programs.less.lessopen = null;
+  programs.command-not-found.enable = false;
+  boot.enableContainers = false;
+  environment.defaultPackages = [ ];
+  documentation.enable = false;
+
+  # Check that the system does not contain a Nix store path that contains the
+  # string "perl" or "python".
+  system.forbiddenDependenciesRegexes =
+    [
+      "perl"
+    ]
+    ++ lib.optionals (!config.contrast.debug.enable) [
+      # Some of the debug packages need Python.
+      "python"
+    ];
+
   nixpkgs.hostPlatform.system = "x86_64-linux";
   system.switch.enable = false;
   system.stateVersion = "24.05";