User account disabled at startup

Problem description

When I define a user’s password in a separate password file with the users.users.<name>.passwordFile attribute and reboot, the user account is disabled. I.e., the entry in /etc/shadow becomes

a12l:!:1::::::

This problem doesn’t occur if I set the password with the initialPassword, password, or hashedPassword attributes directly inside the NixOS configuration file.

When I rebuild my NixOS configuration the /etc/shadow file holds the correct password hash from the password file, and I can lock and unlock the system with that password. But when I reboot, my user account entry in /etc/shadow gets the entry given above. I check the shadow file before I reboot to ensure that it contains the correct hash, and after rebuilding the configuration as the root user after startup to enable the user account again.
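An added diagnostic, not part of the original post: it parses an /etc/shadow-format file and lists accounts whose password field is locked (`!` or `*`, as in the `a12l:!:1::::::` entry above), and checks whether a passwordFile value is an absolute, readable path from the current working directory. The sample shadow lines are constructed; the `password.txt` path is the value used in the post's flake.nix.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Inspects an /etc/shadow-format file for accounts that cannot log in with a
# password, and checks whether a passwordFile path would be readable by the
# activation script. At boot the activation script is started by stage 2 init
# with the root directory as its working directory, so a relative path resolves
# differently than it does when `nixos-rebuild` runs from the flake directory.

# Print the names of accounts whose password field is locked:
# exactly "!" (no password set), "*" (password login disabled), or a hash
# prefixed with "!" (locked with `passwd -l`).
# Usage: locked_accounts <shadow-file>
locked_accounts() {
  awk -F: '$2 == "!" || $2 == "*" || $2 ~ /^!/ { print $1 }' "$1"
}

# Return 0 when the path is absolute and readable, 1 otherwise.
# Usage: check_password_file <path>
check_password_file() {
  case "$1" in
    /*) [ -r "$1" ] ;;
    *)  return 1 ;;
  esac
}

# Constructed sample shadow file: a root hash (placeholder, not a real hash),
# the disabled entry from the post, and a system account with "*".
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructedsalt$constructedhash:19000::::::
a12l:!:1::::::
nobody:*:1::::::
EOF

echo "locked accounts in sample shadow file:"
locked_accounts "$sample"
rm -f "$sample"

# The post's passwordFile value is relative, so this branch reports a problem.
if check_password_file "password.txt"; then
  echo "passwordFile is absolute and readable"
else
  echo "passwordFile 'password.txt' is relative or not readable from $(pwd)"
fi
```

Run it as the user that invokes the activation script (root) and pass /etc/shadow to locked_accounts to see which accounts the current activation left disabled; the passwordFile check should be run from / to mirror what the boot-time activation sees.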

Solutions tried

The problem isn’t solved if I manually run the /run/current-system/activate script as the root user after boot. I’m not comfortable reading Bash scripts, but I can’t find any occurrence of the string /etc/shadow, nor simply shadow that isn’t a reference to some package inside the Nix store, inside the activation script.

I’ve done some searching on the web, but I haven’t found any GitHub issue or forum discussion (here, Reddit, Hacker News, etc.) that discusses this issue. It seems that I’m blessed with a rare problem! :frowning_face:

I first thought that the problem had to do with me encrypting the password file using Ragenix, but when I tested with plain unencrypted password files the problem still occurs.

System information

Erase state between startups

I restore root at every startup by rolling back to a blank ZFS snapshot, similar to how @grahamc describes in his Erase your darlings post. I save files between reboots using @talyz’s impermanence. Currently /etc/shadow is not saved between startups.

Files

flake.nix (NixOS configuration)

I’ve removed some modules and some application-specific settings, for example Wireshark, for the sake of clarity.

{
  description = "NixOS configuration";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";

    impermanence.url = "github:nix-community/impermanence/master";
    impermanence.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    { self, nixpkgs, impermanence }:
    let
      system = "x86_64-linux";

      pkgs = import nixpkgs {
        inherit system;
        #config.allowUnfree = true;
        overlays = [ ];
      };

      lib = nixpkgs.lib;
    in {
      devShell.${system} = pkgs.mkShell {
        buildInputs = [ pkgs.nixfmt ];
      };

      nixosConfigurations = {
        mobile-p-ep1 = nixpkgs.lib.nixosSystem {
          inherit system;

          modules = [
            ({ config, pkgs, ... }: {
              nix = {
                package = pkgs.nix_2_4;

                extraOptions = ''
                  experimental-features = nix-command flakes
                '';
              };

              # Use the systemd-boot EFI boot loader.
              boot.loader.systemd-boot.enable = true;
              boot.loader.efi.canTouchEfiVariables = true;

              boot.kernelParams = [ "elevator=none" ];

              # Safely erasing the root dataset on each boot
              boot.initrd.postDeviceCommands = lib.mkAfter ''
                zfs rollback -r zroot/HOST/root@blank
              '';

              networking.hostName = "mobile-p-ep1";

              networking.hostId = "173c3cd5";

              networking.networkmanager.enable = true;

              # Enable wireless networking using IWD
              networking.wireless.iwd.enable = true;
              networking.networkmanager.wifi.backend = "iwd";

              # The global useDHCP flag is deprecated, therefore explicitly set to false here.
              # Per-interface useDHCP will be mandatory in the future, so this generated config
              # replicates the default behaviour.
              networking.useDHCP = false;
              networking.interfaces.enp0s25.useDHCP = true;
              networking.interfaces.wlp3s0.useDHCP = true;

              services.openssh.enable = true;

              time.timeZone = "Europe/Stockholm";

              # Enable the X11 windowing system.
              services.xserver.enable = true;

              # Enable the Plasma 5 Desktop Environment.
              services.xserver.displayManager.sddm.enable = true;
              services.xserver.desktopManager.plasma5.enable = true;

              # Configure keymap in X11
              services.xserver.layout = "us,se";
              services.xserver.xkbOptions = "grp:win_space_toggle,ctrl:nocaps";

              # Touchpad support (enabled default in most desktopManager)
              services.xserver.libinput.enable = true;

              # Sound
              sound.enable = true;
              hardware.pulseaudio.enable = true;

              users.mutableUsers = false;

              # Temporary password
              users.users.root.hashedPassword =
                "$6$v.11lrgD$fm6oiWuPe891QsBtXlL7d.CuMYGGRg2N24FeH8Mjy9.l3qFtgrPGWexWnaU9AITY5AcCFsrj9qT.erOCaDC5U0";

              users.users.a12l = {
                description = "Albin Otterhäll";
                extraGroups = [ "networkmanager" "wheel" ];
                home = "/home/a12l";

                # Also a temporary password
                #hashedPassword = "$6$GeuHc/O2dpTGsGNz$ONwvYqxoQsAUd2KipPh.rYma6UFNLIOm/mcy..dkkEOpQd1JqRa/.s0DxqtNIDu6mP4twl3TTc.mq8kraNoUo.";

                # `password.txt` only contains the hash that is assigned to `hashedPassword`.
                # Note: this is a relative path. update-users-groups.pl opens it relative to the
                # working directory of the activation script, which is the flake directory during
                # `nixos-rebuild` but the root directory when stage 2 init runs activation at boot.
                passwordFile = "password.txt";

                #passwordFile = config.age.secrets.a12l_password.path;
                isNormalUser = true;
              };

              system.stateVersion = "21.11"; # Did you read the comment?
            })

            impermanence.nixosModules.impermanence
            {
              environment.persistence."/persistent" = {
                directories = [
                  "/var/log"
                  "/var/lib/systemd/coredump"
                  "/etc/NetworkManager/system-connections"
                ];

                files = [
                  "/etc/machine-id"
                  "/etc/mullvad-vpn/settings.json"
                  "/etc/nix/id_rsa"
                  "/etc/ssh/ssh_host_ed25519_key"
                  "/etc/ssh/ssh_host_ed25519_key.pub"
                  "/etc/ssh/ssh_host_rsa_key"
                  "/etc/ssh/ssh_host_rsa_key.pub"
                ];
              };
            }
          ];
        };
      };
    };
}

/run/current-system/activate

#!/nix/store/l0wlqpbsvh1pgvhcdhw7qkka3d31si7k-bash-5.1-p8/bin/bash

systemConfig='/nix/store/4jfqbapm7w55hrb4cghhwgx7lsjhnrzf-nixos-system-mobile-p-ep1-21.11.20211210.5730959'

export PATH=/empty
for i in /nix/store/fvprxgcxf4px865gdjd81fbwnxcjrg41-coreutils-9.0 /nix/store/lhambyc1v2c7qzzr5sq7p449xs1j6pg8-gnugrep-3.7 /nix/store/rnx655nq2qs53yb5arv2gapa91r1wsbn-findutils-4.8.0 /nix/store/fmdggb1g7zganhnng3lf42g7p6fyxdig-getent-glibc-2.33-56 /nix/store/c5bd4lrnsck51cll6s14wkp93ni4zj1j-glibc-2.33-56-bin /nix/store/khv33kn327fpdx2311bcjj98kigd2rac-shadow-4.8.1 /nix/store/8hrr221p6qd1zdnnx311bjdfdsbkbmin-net-tools-2.10 /nix/store/j9qg60v12mm5c0s8xnjsb0gl98ap8zlh-util-linux-2.37.2-bin; do
    PATH=$PATH:$i/bin:$i/sbin
done

_status=0
trap "_status=1 _localstatus=\$?" ERR

# Ensure a consistent umask.
umask 0022

#### Activation script snippet specialfs:
_localstatus=0
specialMount() {
  local device="$1"
  local mountPoint="$2"
  local options="$3"
  local fsType="$4"

  if mountpoint -q "$mountPoint"; then
    local options="remount,$options"
  else
    mkdir -m 0755 -p "$mountPoint"
  fi
  mount -t "$fsType" -o "$options" "$device" "$mountPoint"
}
source /nix/store/g4pp1y486prf9hijwrl8afm0w1vkjf47-mounts.sh


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "specialfs" "$_localstatus"
fi

#### Activation script snippet binfmt:
_localstatus=0
mkdir -p -m 0755 /run/binfmt



if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "binfmt" "$_localstatus"
fi

#### Activation script snippet stdio:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "stdio" "$_localstatus"
fi

#### Activation script snippet binsh:
_localstatus=0
# Create the required /bin/sh symlink; otherwise lots of things
# (notably the system() function) won't work.
mkdir -m 0755 -p /bin
ln -sfn "/nix/store/90y23lrznwmkdnczk1dzdsq4m35zj8ww-bash-interactive-5.1-p8/bin/sh" /bin/.sh.tmp
mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "binsh" "$_localstatus"
fi

#### Activation script snippet createDirsIn--persistent:
_localstatus=0
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/var/log"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/var/lib/systemd/coredump"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/etc/NetworkManager/system-connections"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/etc"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/etc/mullvad-vpn"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/etc/nix"
/nix/store/ivp9v06rzbk4rs666mf56v2ziz7p6nhr-impermanence-create-directories "/persistent" "/etc/ssh"


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "createDirsIn--persistent" "$_localstatus"
fi

#### Activation script snippet domain:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "domain" "$_localstatus"
fi

#### Activation script snippet users:
_localstatus=0
install -m 0700 -d /root
install -m 0755 -d /home

/nix/store/c574kdpzmzazki2d311sg58iqafqbkr3-perl-5.34.0-env/bin/perl \
-w /nix/store/8smw5zaclai395bpr5gp5inzdgbkn43h-update-users-groups.pl /nix/store/z17iz01ad76646swmb60bz1mpslc8f5m-users-groups.json


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "users" "$_localstatus"
fi

#### Activation script snippet groups:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "groups" "$_localstatus"
fi

#### Activation script snippet etc:
_localstatus=0
# Set up the statically computed bits of /etc.
echo "setting up /etc..."
/nix/store/qlss9csm5p9d75497jqhafh6d6jqnlrv-perl-5.34.0-env/bin/perl /nix/store/cz6na7w751iv7z78fb9ms8hhvnsd0l8z-setup-etc.pl /nix/store/4yrb6yq9filixw40mr2bab87pv338jxg-etc/etc


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "etc" "$_localstatus"
fi

#### Activation script snippet hostname:
_localstatus=0
hostname "mobile-p-ep1"


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "hostname" "$_localstatus"
fi

#### Activation script snippet modprobe:
_localstatus=0
# Allow the kernel to find our wrapped modprobe (which searches
# in the right location in the Nix store for kernel modules).
# We need this when the kernel (or some module) auto-loads a
# module.
echo /nix/store/skc5bc5ih1s19hbsjmbvn9jwzr81h4ga-kmod-29/bin/modprobe > /proc/sys/kernel/modprobe


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "modprobe" "$_localstatus"
fi

#### Activation script snippet nix:
_localstatus=0
install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user

# Subscribe the root user to the NixOS channel by default.
if [ ! -e "/root/.nix-channels" ]; then
    echo "https://nixos.org/channels/nixos-21.11 nixos" > "/root/.nix-channels"
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "nix" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-machine-id-:
_localstatus=0
if [[ -L '/etc/machine-id' && $(readlink -f '/etc/machine-id') == '/persistent/etc/machine-id' ]]; then
    echo "'/etc/machine-id' already links to '/persistent/etc/machine-id', ignoring"
elif mount | grep -F '/etc/machine-id'' ' >/dev/null && ! mount | grep -F '/etc/machine-id'/ >/dev/null; then
    echo "mount already exists at '/etc/machine-id', ignoring"
elif [[ -e '/etc/machine-id' ]]; then
    echo "A file already exists at '/etc/machine-id'!" >&2
    exit 1
elif [[ -e '/persistent/etc/machine-id' ]]; then
    touch '/etc/machine-id'
    mount -o bind '/persistent/etc/machine-id' '/etc/machine-id'
else
    ln -s '/persistent/etc/machine-id' '/etc/machine-id'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-machine-id-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-mullvad-vpn-settingsjson-:
_localstatus=0
if [[ -L '/etc/mullvad-vpn/settings.json' && $(readlink -f '/etc/mullvad-vpn/settings.json') == '/persistent/etc/mullvad-vpn/settings.json' ]]; then
    echo "'/etc/mullvad-vpn/settings.json' already links to '/persistent/etc/mullvad-vpn/settings.json', ignoring"
elif mount | grep -F '/etc/mullvad-vpn/settings.json'' ' >/dev/null && ! mount | grep -F '/etc/mullvad-vpn/settings.json'/ >/dev/null; then
    echo "mount already exists at '/etc/mullvad-vpn/settings.json', ignoring"
elif [[ -e '/etc/mullvad-vpn/settings.json' ]]; then
    echo "A file already exists at '/etc/mullvad-vpn/settings.json'!" >&2
    exit 1
elif [[ -e '/persistent/etc/mullvad-vpn/settings.json' ]]; then
    touch '/etc/mullvad-vpn/settings.json'
    mount -o bind '/persistent/etc/mullvad-vpn/settings.json' '/etc/mullvad-vpn/settings.json'
else
    ln -s '/persistent/etc/mullvad-vpn/settings.json' '/etc/mullvad-vpn/settings.json'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-mullvad-vpn-settingsjson-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-nix-id_rsa-:
_localstatus=0
if [[ -L '/etc/nix/id_rsa' && $(readlink -f '/etc/nix/id_rsa') == '/persistent/etc/nix/id_rsa' ]]; then
    echo "'/etc/nix/id_rsa' already links to '/persistent/etc/nix/id_rsa', ignoring"
elif mount | grep -F '/etc/nix/id_rsa'' ' >/dev/null && ! mount | grep -F '/etc/nix/id_rsa'/ >/dev/null; then
    echo "mount already exists at '/etc/nix/id_rsa', ignoring"
elif [[ -e '/etc/nix/id_rsa' ]]; then
    echo "A file already exists at '/etc/nix/id_rsa'!" >&2
    exit 1
elif [[ -e '/persistent/etc/nix/id_rsa' ]]; then
    touch '/etc/nix/id_rsa'
    mount -o bind '/persistent/etc/nix/id_rsa' '/etc/nix/id_rsa'
else
    ln -s '/persistent/etc/nix/id_rsa' '/etc/nix/id_rsa'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-nix-id_rsa-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-ssh-ssh_host_ed25519_key-:
_localstatus=0
if [[ -L '/etc/ssh/ssh_host_ed25519_key' && $(readlink -f '/etc/ssh/ssh_host_ed25519_key') == '/persistent/etc/ssh/ssh_host_ed25519_key' ]]; then
    echo "'/etc/ssh/ssh_host_ed25519_key' already links to '/persistent/etc/ssh/ssh_host_ed25519_key', ignoring"
elif mount | grep -F '/etc/ssh/ssh_host_ed25519_key'' ' >/dev/null && ! mount | grep -F '/etc/ssh/ssh_host_ed25519_key'/ >/dev/null; then
    echo "mount already exists at '/etc/ssh/ssh_host_ed25519_key', ignoring"
elif [[ -e '/etc/ssh/ssh_host_ed25519_key' ]]; then
    echo "A file already exists at '/etc/ssh/ssh_host_ed25519_key'!" >&2
    exit 1
elif [[ -e '/persistent/etc/ssh/ssh_host_ed25519_key' ]]; then
    touch '/etc/ssh/ssh_host_ed25519_key'
    mount -o bind '/persistent/etc/ssh/ssh_host_ed25519_key' '/etc/ssh/ssh_host_ed25519_key'
else
    ln -s '/persistent/etc/ssh/ssh_host_ed25519_key' '/etc/ssh/ssh_host_ed25519_key'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-ssh-ssh_host_ed25519_key-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-ssh-ssh_host_ed25519_keypub-:
_localstatus=0
if [[ -L '/etc/ssh/ssh_host_ed25519_key.pub' && $(readlink -f '/etc/ssh/ssh_host_ed25519_key.pub') == '/persistent/etc/ssh/ssh_host_ed25519_key.pub' ]]; then
    echo "'/etc/ssh/ssh_host_ed25519_key.pub' already links to '/persistent/etc/ssh/ssh_host_ed25519_key.pub', ignoring"
elif mount | grep -F '/etc/ssh/ssh_host_ed25519_key.pub'' ' >/dev/null && ! mount | grep -F '/etc/ssh/ssh_host_ed25519_key.pub'/ >/dev/null; then
    echo "mount already exists at '/etc/ssh/ssh_host_ed25519_key.pub', ignoring"
elif [[ -e '/etc/ssh/ssh_host_ed25519_key.pub' ]]; then
    echo "A file already exists at '/etc/ssh/ssh_host_ed25519_key.pub'!" >&2
    exit 1
elif [[ -e '/persistent/etc/ssh/ssh_host_ed25519_key.pub' ]]; then
    touch '/etc/ssh/ssh_host_ed25519_key.pub'
    mount -o bind '/persistent/etc/ssh/ssh_host_ed25519_key.pub' '/etc/ssh/ssh_host_ed25519_key.pub'
else
    ln -s '/persistent/etc/ssh/ssh_host_ed25519_key.pub' '/etc/ssh/ssh_host_ed25519_key.pub'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-ssh-ssh_host_ed25519_keypub-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-ssh-ssh_host_rsa_key-:
_localstatus=0
if [[ -L '/etc/ssh/ssh_host_rsa_key' && $(readlink -f '/etc/ssh/ssh_host_rsa_key') == '/persistent/etc/ssh/ssh_host_rsa_key' ]]; then
    echo "'/etc/ssh/ssh_host_rsa_key' already links to '/persistent/etc/ssh/ssh_host_rsa_key', ignoring"
elif mount | grep -F '/etc/ssh/ssh_host_rsa_key'' ' >/dev/null && ! mount | grep -F '/etc/ssh/ssh_host_rsa_key'/ >/dev/null; then
    echo "mount already exists at '/etc/ssh/ssh_host_rsa_key', ignoring"
elif [[ -e '/etc/ssh/ssh_host_rsa_key' ]]; then
    echo "A file already exists at '/etc/ssh/ssh_host_rsa_key'!" >&2
    exit 1
elif [[ -e '/persistent/etc/ssh/ssh_host_rsa_key' ]]; then
    touch '/etc/ssh/ssh_host_rsa_key'
    mount -o bind '/persistent/etc/ssh/ssh_host_rsa_key' '/etc/ssh/ssh_host_rsa_key'
else
    ln -s '/persistent/etc/ssh/ssh_host_rsa_key' '/etc/ssh/ssh_host_rsa_key'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-ssh-ssh_host_rsa_key-" "$_localstatus"
fi

#### Activation script snippet persist--persistent-etc-ssh-ssh_host_rsa_keypub-:
_localstatus=0
if [[ -L '/etc/ssh/ssh_host_rsa_key.pub' && $(readlink -f '/etc/ssh/ssh_host_rsa_key.pub') == '/persistent/etc/ssh/ssh_host_rsa_key.pub' ]]; then
    echo "'/etc/ssh/ssh_host_rsa_key.pub' already links to '/persistent/etc/ssh/ssh_host_rsa_key.pub', ignoring"
elif mount | grep -F '/etc/ssh/ssh_host_rsa_key.pub'' ' >/dev/null && ! mount | grep -F '/etc/ssh/ssh_host_rsa_key.pub'/ >/dev/null; then
    echo "mount already exists at '/etc/ssh/ssh_host_rsa_key.pub', ignoring"
elif [[ -e '/etc/ssh/ssh_host_rsa_key.pub' ]]; then
    echo "A file already exists at '/etc/ssh/ssh_host_rsa_key.pub'!" >&2
    exit 1
elif [[ -e '/persistent/etc/ssh/ssh_host_rsa_key.pub' ]]; then
    touch '/etc/ssh/ssh_host_rsa_key.pub'
    mount -o bind '/persistent/etc/ssh/ssh_host_rsa_key.pub' '/etc/ssh/ssh_host_rsa_key.pub'
else
    ln -s '/persistent/etc/ssh/ssh_host_rsa_key.pub' '/etc/ssh/ssh_host_rsa_key.pub'
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "persist--persistent-etc-ssh-ssh_host_rsa_keypub-" "$_localstatus"
fi

#### Activation script snippet trackpoint:
_localstatus=0
/nix/store/q0881awy50g4srnnwasci37y2jk5sf99-systemd-249.5/bin/udevadm trigger --attr-match=name="TPPS/2 IBM TrackPoint"


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "trackpoint" "$_localstatus"
fi

#### Activation script snippet udevd:
_localstatus=0
# The deprecated hotplug uevent helper is not used anymore
if [ -e /proc/sys/kernel/hotplug ]; then
  echo "" > /proc/sys/kernel/hotplug
fi

# Allow the kernel to find our firmware.
if [ -e /sys/module/firmware_class/parameters/path ]; then
  echo -n "/nix/store/pylfqgsbfkz0aawsfdhk1wkka8x5094a-firmware/lib/firmware" > /sys/module/firmware_class/parameters/path
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "udevd" "$_localstatus"
fi

#### Activation script snippet usrbinenv:
_localstatus=0
mkdir -m 0755 -p /usr/bin
ln -sfn /nix/store/fvprxgcxf4px865gdjd81fbwnxcjrg41-coreutils-9.0/bin/env /usr/bin/.env.tmp
mv /usr/bin/.env.tmp /usr/bin/env # atomically replace /usr/bin/env


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "usrbinenv" "$_localstatus"
fi

#### Activation script snippet var:
_localstatus=0
# Various log/runtime directories.

mkdir -m 1777 -p /var/tmp

# Empty, immutable home directory of many system accounts.
mkdir -p /var/empty
# Make sure it's really empty
/nix/store/6jx018s11y5y8q61187yxmg0p4jpb461-e2fsprogs-1.46.4-bin/bin/chattr -f -i /var/empty || true
find /var/empty -mindepth 1 -delete
chmod 0555 /var/empty
chown root:root /var/empty
/nix/store/6jx018s11y5y8q61187yxmg0p4jpb461-e2fsprogs-1.46.4-bin/bin/chattr -f +i /var/empty || true


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "var" "$_localstatus"
fi

#### Activation script snippet wrappers:
_localstatus=0
chmod 755 "/run/wrappers"

# We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="/run/wrappers" wrappers.XXXXXXXXXX)
chmod a+rx "$wrapperDir"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/dbus-daemon-launch-helper"
echo -n "/nix/store/am952qxrg0g276kk2cfyyj0pdrzdagwl-dbus-1.12.20/libexec/dbus-daemon-launch-helper" > "$wrapperDir/dbus-daemon-launch-helper.real"

# Prevent races
chmod 0000 "$wrapperDir/dbus-daemon-launch-helper"
chown root.messagebus "$wrapperDir/dbus-daemon-launch-helper"

chmod "u+s,g-s,u+rx,g+rx,o-rx" "$wrapperDir/dbus-daemon-launch-helper"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/doas"
echo -n "/nix/store/6l2b0pa5v9r7cajy9aw0q7d8k93gni6f-doas-6.8.1/bin/doas" > "$wrapperDir/doas.real"

# Prevent races
chmod 0000 "$wrapperDir/doas"
chown root.root "$wrapperDir/doas"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/doas"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/dumpcap"
echo -n "/nix/store/nk25h93agl6d8s7lr99dji985lx16ky6-wireshark-cli-3.4.10/bin/dumpcap" > "$wrapperDir/dumpcap.real"

# Prevent races
chmod 0000 "$wrapperDir/dumpcap"
chown root.wireshark "$wrapperDir/dumpcap"

# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
/nix/store/6kffpwxq4630g42xwx8s5qdzn993r4yi-libcap-2.49/bin/setcap "cap_setpcap,cap_net_raw+p" "$wrapperDir/dumpcap"

# Set the executable bit
chmod u+rx,g+x "$wrapperDir/dumpcap"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/fusermount"
echo -n "/nix/store/mpzj2rc43m3v6xcqynmnxx26haqkcxw7-fuse-2.9.9/bin/fusermount" > "$wrapperDir/fusermount.real"

# Prevent races
chmod 0000 "$wrapperDir/fusermount"
chown root.root "$wrapperDir/fusermount"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/fusermount"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/fusermount3"
echo -n "/nix/store/4n9j735xmz5zc3xvc3vljngh0y7cl4g3-fuse-3.10.5/bin/fusermount3" > "$wrapperDir/fusermount3.real"

# Prevent races
chmod 0000 "$wrapperDir/fusermount3"
chown root.root "$wrapperDir/fusermount3"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/fusermount3"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/kcheckpass"
echo -n "/nix/store/xjqwvmlnxlki1wnl6pw3rs5gzmwayzc0-kscreenlocker-5.23.3/libexec/kcheckpass" > "$wrapperDir/kcheckpass.real"

# Prevent races
chmod 0000 "$wrapperDir/kcheckpass"
chown root.root "$wrapperDir/kcheckpass"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/kcheckpass"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/kwin_wayland"
echo -n "/nix/store/1ly8w05sg55mhqym829cbzcl0fk7s1hr-kwin-5.23.3/bin/kwin_wayland" > "$wrapperDir/kwin_wayland.real"

# Prevent races
chmod 0000 "$wrapperDir/kwin_wayland"
chown root.root "$wrapperDir/kwin_wayland"

# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
/nix/store/6kffpwxq4630g42xwx8s5qdzn993r4yi-libcap-2.49/bin/setcap "cap_setpcap,cap_sys_nice+ep" "$wrapperDir/kwin_wayland"

# Set the executable bit
chmod u+rx,g+x,o+x "$wrapperDir/kwin_wayland"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/mount"
echo -n "/nix/store/j9qg60v12mm5c0s8xnjsb0gl98ap8zlh-util-linux-2.37.2-bin/bin/mount" > "$wrapperDir/mount.real"

# Prevent races
chmod 0000 "$wrapperDir/mount"
chown root.root "$wrapperDir/mount"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/mount"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/newgidmap"
echo -n "/nix/store/khv33kn327fpdx2311bcjj98kigd2rac-shadow-4.8.1/bin/newgidmap" > "$wrapperDir/newgidmap.real"

# Prevent races
chmod 0000 "$wrapperDir/newgidmap"
chown root.root "$wrapperDir/newgidmap"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/newgidmap"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/newgrp"
echo -n "/nix/store/khv33kn327fpdx2311bcjj98kigd2rac-shadow-4.8.1/bin/newgrp" > "$wrapperDir/newgrp.real"

# Prevent races
chmod 0000 "$wrapperDir/newgrp"
chown root.root "$wrapperDir/newgrp"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/newgrp"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/newuidmap"
echo -n "/nix/store/khv33kn327fpdx2311bcjj98kigd2rac-shadow-4.8.1/bin/newuidmap" > "$wrapperDir/newuidmap.real"

# Prevent races
chmod 0000 "$wrapperDir/newuidmap"
chown root.root "$wrapperDir/newuidmap"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/newuidmap"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/ping"
echo -n "/nix/store/is3vrx29xxp60jrbf0dp31nw4glw9swr-iputils-20210722/bin/ping" > "$wrapperDir/ping.real"

# Prevent races
chmod 0000 "$wrapperDir/ping"
chown root.root "$wrapperDir/ping"

# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
/nix/store/6kffpwxq4630g42xwx8s5qdzn993r4yi-libcap-2.49/bin/setcap "cap_setpcap,cap_net_raw+p" "$wrapperDir/ping"

# Set the executable bit
chmod u+rx,g+x,o+x "$wrapperDir/ping"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/pkexec"
echo -n "/nix/store/7lm9xwmslsz3g5g5j48gpgv9apbv1i5a-polkit-0.120-bin/bin/pkexec" > "$wrapperDir/pkexec.real"

# Prevent races
chmod 0000 "$wrapperDir/pkexec"
chown root.root "$wrapperDir/pkexec"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/pkexec"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/polkit-agent-helper-1"
echo -n "/nix/store/f36nscads0plr02yw3dzlbxwyj3206ip-polkit-0.120/lib/polkit-1/polkit-agent-helper-1" > "$wrapperDir/polkit-agent-helper-1.real"

# Prevent races
chmod 0000 "$wrapperDir/polkit-agent-helper-1"
chown root.root "$wrapperDir/polkit-agent-helper-1"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/polkit-agent-helper-1"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/sg"
echo -n "/nix/store/khv33kn327fpdx2311bcjj98kigd2rac-shadow-4.8.1/bin/sg" > "$wrapperDir/sg.real"

# Prevent races
chmod 0000 "$wrapperDir/sg"
chown root.root "$wrapperDir/sg"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/sg"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/start_kdeinit"
echo -n "/nix/store/jnf27rs6g4dqrsia7vzym057d5j2xr84-kinit-5.87.0/libexec/kf5/start_kdeinit" > "$wrapperDir/start_kdeinit.real"

# Prevent races
chmod 0000 "$wrapperDir/start_kdeinit"
chown root.root "$wrapperDir/start_kdeinit"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/start_kdeinit"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/su"
echo -n "/nix/store/59z53l3k43ix5ywxv3wm37sj5h5ay7gj-shadow-4.8.1-su/bin/su" > "$wrapperDir/su.real"

# Prevent races
chmod 0000 "$wrapperDir/su"
chown root.root "$wrapperDir/su"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/su"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/umount"
echo -n "/nix/store/j9qg60v12mm5c0s8xnjsb0gl98ap8zlh-util-linux-2.37.2-bin/bin/umount" > "$wrapperDir/umount.real"

# Prevent races
chmod 0000 "$wrapperDir/umount"
chown root.root "$wrapperDir/umount"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/umount"

cp /nix/store/9il36wasldws1w6rc54ipffdwxvbibyp-security-wrapper/bin/security-wrapper "$wrapperDir/unix_chkpwd"
echo -n "/nix/store/3g6fhn6pplnfjz8m4mzg500sj2y86fzp-linux-pam-1.5.1/sbin/unix_chkpwd.orig" > "$wrapperDir/unix_chkpwd.real"

# Prevent races
chmod 0000 "$wrapperDir/unix_chkpwd"
chown root.root "$wrapperDir/unix_chkpwd"

chmod "u+s,g-s,u+rx,g+x,o+x" "$wrapperDir/unix_chkpwd"


if [ -L /run/wrappers/bin ]; then
  # Atomically replace the symlink
  # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
  old=$(readlink -f /run/wrappers/bin)
  if [ -e "/run/wrappers/bin-tmp" ]; then
    rm --force --recursive "/run/wrappers/bin-tmp"
  fi
  ln --symbolic --force --no-dereference "$wrapperDir" "/run/wrappers/bin-tmp"
  mv --no-target-directory "/run/wrappers/bin-tmp" "/run/wrappers/bin"
  rm --force --recursive "$old"
else
  # For initial setup
  ln --symbolic "$wrapperDir" "/run/wrappers/bin"
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "wrappers" "$_localstatus"
fi


# Make this configuration the current configuration.
# The readlink is there to ensure that when $systemConfig = /system
# (which is a symlink to the store), /run/current-system is still
# used as a garbage collection root.
ln -sfn "$(readlink -f "$systemConfig")" /run/current-system

# Prevent the current configuration from being garbage-collected.
ln -sfn /run/current-system /nix/var/nix/gcroots/current-system

exit $_status