nixos/ifstate: fixed initrd usage with cryptsetup (#441561)

    "wireguard" = [ "wireguard" ];

    "xfrm" = [ "xfrm_interface" ];

  };

  # https://github.com/systemd/systemd/blob/main/units/systemd-networkd.service.in

  commonServiceConfig = {

    after = [

      "systemd-udevd.service"

      "network-pre.target"

      "systemd-sysusers.service"

      "systemd-sysctl.service"

    ];

    before = [

      "network.target"

      "multi-user.target"

      "shutdown.target"

      "initrd-switch-root.target"

    ];

    conflicts = [

      "shutdown.target"

      "initrd-switch-root.target"

    ];

    wants = [

      "network.target"

    ];

    unitConfig = {

      # Avoid default dependencies like "basic.target", which prevents ifstate from starting before luks is unlocked.

      DefaultDependencies = "no";

    };

  };

in

{

  meta.maintainers = with lib.maintainers; [ marcel ];

        etc."ifstate/ifstate.yaml".source = settingsFormat.generate "ifstate.yaml" cfg.settings cfg.package;

      };

      systemd.services.ifstate = {

      systemd.services.ifstate = commonServiceConfig // {

        description = "IfState";

        wantedBy = [

          "multi-user.target"

        ];

        after = [

          "systemd-udevd.service"

          "network-pre.target"

          "systemd-sysusers.service"

          "systemd-sysctl.service"

        ];

        before = [

          "network.target"

          "multi-user.target"

          "shutdown.target"

          "initrd-switch-root.target"

        ];

        conflicts = [

          "shutdown.target"

          "initrd-switch-root.target"

        ];

        wants = [

          "network.target"

        ];

        # mount is always available on nixos, avoid adding additional store paths to the closure

        path = [ "/run/wrappers" ];

            )

          ];

          services.ifstate-initrd = {

          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix#L3444

          additionalUpstreamUnits = [

            "network-online.target"

            "network-pre.target"

            "network.target"

            "nss-lookup.target"

            "nss-user-lookup.target"

            "remote-fs-pre.target"

            "remote-fs.target"

          ];

          services.ifstate-initrd = commonServiceConfig // {

            description = "IfState initrd";

            wantedBy = [

              "initrd.target"

            ];

            after = [

              "systemd-udevd.service"

              "network-pre.target"

              "systemd-sysusers.service"

              "systemd-sysctl.service"

            ];

            before = [

              "network.target"

              "multi-user.target"

              "shutdown.target"

              "initrd-switch-root.target"

            ];

            conflicts = [

              "shutdown.target"

              "initrd-switch-root.target"

            ];

            wants = [

              "network.target"

            ];

            # mount is always available on nixos, avoid adding additional store paths to the closure

            # https://github.com/NixOS/nixpkgs/blob/2b8e2457ebe576ebf41ddfa8452b5b07a8d493ad/nixos/modules/system/boot/systemd/initrd.nix#L550-L551

              # Otherwise systemd starts ifstate again, after the encryption password was entered by the user

              # and we are able to implement the cleanup using ExecStop rather than a separate unit.

              RemainAfterExit = true;

              # When using network namespaces pyroute2 expects this directory to exists.

              # @liske is currently investigating whether this should be considered a bug in pyroute2.

              ExecStartPre = "${lib.getExe' pkgs.coreutils "mkdir"} /var/run";

              ExecStart = "${lib.getExe initrdCfg.package} --config ${

                config.environment.etc."ifstate/ifstate.initrd.yaml".source

              } apply";