diff --git a/packages/nixos/kata.nix b/packages/nixos/kata.nix
index fa85326bf..753db3963 100644
--- a/packages/nixos/kata.nix
+++ b/packages/nixos/kata.nix
@@ -87,12 +87,8 @@ in
 };
 networking.resolvconf.enable = false;
- systemd.tmpfiles.settings."10-etc-resolvconf"."/etc/resolv.conf".f = {
- group = "root";
- mode = "0755";
- user = "root";
- };
+ environment.etc."resolv.conf".text = "dummy file, to be bind-mounted by the Kata agent when writing network configuration";
 environment.etc."kata-opa/default-policy.rego".source = "${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
 };
 }
diff --git a/packages/nixos/system.nix b/packages/nixos/system.nix
index a6efc880b..5e2015e74 100644
--- a/packages/nixos/system.nix
+++ b/packages/nixos/system.nix
@@ -63,7 +63,6 @@
 })
 [
 "/var"
- "/etc"
 "/bin"
 "/usr/bin"
 "/tmp"
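Review bot: The new `/etc/resolv.conf` placeholder in kata.nix is a bare sentence, which a resolver will parse as an unknown directive should the Kata agent's bind mount ever not happen; writing it as a resolv.conf comment keeps the placeholder inert in that case, `environment.etc."resolv.conf".text = "# dummy file, to be bind-mounted by the Kata agent when writing network configuration\n";`. Note also that `environment.etc` entries default to `mode = "symlink"`, so the path becomes a link into the store rather than the regular file the removed tmpfiles entry created; if the agent's bind mount needs a regular file target, add `mode = "0644";` next to `text`. A one-line comment saying that this only works because `system.etc.overlay` is enabled in system.nix would help, since the hunks of this commit depend on each other.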
@@ -78,6 +77,38 @@
 # Images are immutable, so no need to include Nix.
 nix.enable = false;
+ # Interpreter-less activation bits, tailored to our needs:
+ # Source: https://github.com/NixOS/nixpkgs/blob/a4741ea333f97cca0680d1eb485907f0e4a0eb3a/nixos/modules/profiles/perlless.nix
+ # We do not include the upstream module as-is, as we don't need sophisticated user generation, for example.
+
+ # Remove perl from activation
+ system.etc.overlay = {
+ enable = true;
+ mutable = false;
+ };
+
+ # simple replacement for update-users-groups.pl
+ systemd.sysusers.enable = true;
+
+ # Random perl remnants
+ system.disableInstallerTools = true;
+ programs.less.lessopen = null;
+ programs.command-not-found.enable = false;
+ boot.enableContainers = false;
+ environment.defaultPackages = [ ];
+ documentation.enable = false;
+
+ # Check that the system does not contain a Nix store path that contains the
+ # string "perl" or "python".
+ system.forbiddenDependenciesRegexes =
+ [
+ "perl"
+ ]
+ ++ lib.optionals (!config.contrast.debug.enable) [
+ # Some of the debug packages need Python.
+ "python"
+ ];
+
 nixpkgs.hostPlatform.system = "x86_64-linux";
 system.switch.enable = false;
 system.stateVersion = "24.05";
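Review bot: The comment above `system.forbiddenDependenciesRegexes` states that no store path contains "perl" or "python", but the `lib.optionals` right below it admits Python whenever `config.contrast.debug.enable` is set, so the comment overstates the guarantee for debug images; suggest `# Check that the closure contains no store path matching "perl" (and, outside debug builds, "python"): interpreters in the guest image widen its attack surface.` These regexes are matched against whole store paths, so an unrelated package whose name happens to contain one of the strings would also fail the build; that is probably acceptable, but a line saying the check is intentionally coarse would save the next maintainer a surprise. The `system.etc.overlay` block is what makes the `/etc` removal in the previous hunk and the kata.nix resolv.conf change hold together, and as far as I know the overlay requires `boot.initrd.systemd.enable = true`, which is not visible in this hunk; if it is not set elsewhere in this file, evaluation will reject the configuration.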