From 4de40fc8a8b25ca07769806d169662780845f6d0 Mon Sep 17 00:00:00 2001 From: Nikita Uvarov Date: Thu, 2 Sep 2021 00:05:44 +0200 Subject: [PATCH] nixos/filesystems: fix special file-systems for systemd-nspawn This is a subset of aba55d1b960b4b1817bc2a32deeba447ae51f0a3 (#67336)[1] that I (Ma27) am using for quite a while in my systemd-nspawn setup (without `nixos-container`) to have unprivileged containers. Recently, Linus reminded me that this isn't part of upstream NixOS and their setup fails like this when activating config in an nspawn instance (no shared store): stderr) activating the configuration... stdout) setting up /etc... stderr) mount: /dev: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /dev/pts: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /dev/shm: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /run: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stdout) Activation script snippet 'specialfs' failed (32) So I decided to submit this portion again. [1] Hence I retained the original authorship. Co-authored-by: Maximilian Bosch
---
nixos/modules/tasks/filesystems.nix | 46 ++++++++++++++--------------- 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 84b66404f6f9..ce6fbefaea52 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -545,6 +545,29 @@ in
 # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
 boot.specialFileSystems = {
+ # To hold secrets that shouldn't be written to disk
+ "/run/keys" = {
+ fsType = "ramfs";
+ options = [
+ "nosuid"
+ "nodev"
+ "mode=750"
+ ];
+ };
+ }
+ // optionalAttrs (!config.boot.isContainer) {
+ # systemd-nspawn populates /sys by itself, and remounting it causes all
+ # kinds of weird issues (most noticeably, waiting for host disk device
+ # nodes).
+ "/sys" = {
+ fsType = "sysfs";
+ options = [
+ "nosuid"
+ "noexec"
+ "nodev"
+ ];
+ };
+
 "/proc" = {
 fsType = "proc";
 options = [
@@ -592,29 +615,6 @@ in
 "gid=${toString config.ids.gids.tty}"
 ];
 };
-
- # To hold secrets that shouldn't be written to disk
- "/run/keys" = {
- fsType = "ramfs";
- options = [
- "nosuid"
- "nodev"
- "mode=750"
- ];
- };
- }
- // optionalAttrs (!config.boot.isContainer) {
- # systemd-nspawn populates /sys by itself, and remounting it causes all
- # kinds of weird issues (most noticeably, waiting for host disk device
- # nodes).
- "/sys" = {
- fsType = "sysfs";
- options = [
- "nosuid"
- "noexec"
- "nodev"
- ];
- };
 };
 };
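Review bot: The `optionalAttrs (!config.boot.isContainer)` gate that this hunk moves ahead of `"/proc"` now also governs every entry up to the closing `};` in the second hunk — `/proc`, and presumably the `/dev`, `/dev/pts`, `/dev/shm` and `/run` entries in the unshown lines between the hunks — yet the comment kept above `"/sys"` still explains only why `/sys` is skipped, so a reader cannot tell from the new code that skipping the others is intentional. I would rewrite it as `# In containers (boot.isContainer) the runtime already provides /sys, /proc, /dev, /dev/pts, /dev/shm and /run; NixOS remounting them fails or misbehaves, so only /run/keys is managed here.` That comment should also state that the nosuid/noexec/nodev options NixOS would otherwise apply to those mounts are from now on the container runtime's responsibility, since the gate keys on `boot.isContainer` in general rather than on systemd-nspawn specifically and any other consumer of that option inherits the same behaviour. Which entries besides `/proc` are covered is inferred from the second hunk's `gid=…tty` context and the commit message, because those lines lie outside both hunks.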