From f6af893043fa84aca24417817a4c35c72607ee7d Mon Sep 17 00:00:00 2001
From: loystonpais
Date: Sun, 17 May 2026 23:43:26 +0530
Subject: [PATCH 1/2] nix: apply Android-safe udev overrides

Restrict udev trigger to safe subsystems to prevent coldplugging Android host hardware, and clear ConditionPathIsReadWrite= from upstream udev units
---
 flake.nix | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/flake.nix b/flake.nix
index bd4e9428..7cd55f31 100644
--- a/flake.nix
+++ b/flake.nix
@@ -286,16 +286,26 @@
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
- # These services are broken or unnecessary in droidspaces container
+ # These services are broken in droidspaces container
 systemd.services.nix-channel-init.enable = false;
 systemd.services.firewall.enable = false;
 systemd.services.wpa_supplicant.enable = false;
 networking.firewall.enable = false;
- # Theoretically systemd should detect container environment and not run udev
- # but we will disable it anyways
- services.udev.enable = false;
+ # Restrict udev to Android-safe subsystems only (prevent coldplugging host hardware)
+ systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = lib.mkForce [
+ ""
+ "-udevadm trigger --subsystem-match=usb --subsystem-match=block --subsystem-match=input --subsystem-match=tty --subsystem-match=net"
+ ];
+ # Clear ConditionPathIsReadWrite= from upstream units
+ systemd.services.systemd-udevd.unitConfig.ConditionPathIsReadWrite = lib.mkForce [];
+ systemd.services.systemd-udev-trigger.unitConfig.ConditionPathIsReadWrite = lib.mkForce [];
+ systemd.services.systemd-udev-settle.unitConfig.ConditionPathIsReadWrite = lib.mkForce [];
+ systemd.sockets.systemd-udevd-kernel.unitConfig.ConditionPathIsReadWrite = lib.mkForce [];
+ systemd.sockets.systemd-udevd-control.unitConfig.ConditionPathIsReadWrite = lib.mkForce [];
+
+ systemd.services.NetworkManager.enable = lib.mkDefault false;
 nix.settings.experimental-features = ["nix-command" "flakes"];
From 8610344c904cc2271dbb6fb579f8ac6fd5bd9374 Mon Sep 17 00:00:00 2001
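Review bot: The `--subsystem-match` list on the new ExecStart only narrows the coldplug pass, while the cleared ConditionPathIsReadWrite= on systemd-udevd and both its sockets now forces the daemon on; if the container shares the host's network namespace, udevd will still receive hotplug uevents for every subsystem the shared Android kernel emits and run whatever rules match, so the comment overstates what the restriction prevents. Suggest `# Restrict the udev coldplug trigger to Android-safe subsystems; udevd itself still handles any hotplug events that reach the container` and a sentence on why bypassing upstream's read-only-/sys guard (the check the removed comment relied on to keep udev out of containers) is considered safe here. The leading `-` on `-udevadm trigger …` makes a failed trigger non-fatal, which looks intended but deserves a word. `systemd.services.NetworkManager.enable = lib.mkDefault false;` is unrelated to udev yet sits under the udev comment with none of its own; a one-line reason would help the next reader.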
From: loystonpais
Date: Sun, 17 May 2026 21:50:36 +0530
Subject: [PATCH 2/2] nix: update nixpkgs, add experimental support for finix

Newer nixpkgs comes with systemd v260 which drops support for kernel 5.4 and below. Bump nixpkgs but also add nixosDroidspacesTarballs.ARCH.minimal-with-systemd-v259 Add experimental support for finix. Finix is a nixos system with finit as pid 1 instead of systemd. Finix might help users run latest nixos on older kernels.
---
 flake.lock | 36 ++++++++++-
 flake.nix | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 207 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index 0773f9d2..00361683 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,6 +17,22 @@
 "type": "github"
 }
 },
+ "finix": {
+ "locked": {
+ "lastModified": 1778975258,
+ "narHash": "sha256-VJ+vqtRre/wK0pC7gufYDAxRWWrwqxqww9HxYRGDwaM=",
+ "owner": "finix-community",
+ "repo": "finix",
+ "rev": "472f60067422037c3fac09ede84ce70447e5c06e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "finix-community",
+ "ref": "main",
+ "repo": "finix",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": "systems"
@@ -36,6 +52,22 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1778458615,
+ "narHash": "sha256-cY07EsdhBJ8tFXPzDYevgqxRev9ZLxFonuq9wmq5kwg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c6e5ca3c836a5f4dd9af9f2c1fc1c38f0fac988a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c6e5ca3c836a5f4dd9af9f2c1fc1c38f0fac988a",
+ "type": "github"
+ }
+ },
+ "nixpkgs-with-systemd-v259": {
 "locked": {
 "lastModified": 1776329215,
 "narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=",
@@ -54,8 +86,10 @@
 "root": {
 "inputs": {
 "artifacts": "artifacts",
+ "finix": "finix",
 "flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-with-systemd-v259": "nixpkgs-with-systemd-v259"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index 7cd55f31..0a7fe293 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,13 +2,18 @@
 description = "Droidspaces - High-performance Container Runtime";
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/b86751bc4085f48661017fa226dee99fab6c651b";
+ nixpkgs.url = "github:NixOS/nixpkgs/c6e5ca3c836a5f4dd9af9f2c1fc1c38f0fac988a";
+
+ nixpkgs-with-systemd-v259.url = "github:NixOS/nixpkgs/b86751bc4085f48661017fa226dee99fab6c651b";
+
 flake-utils.url = "github:numtide/flake-utils";
 artifacts = {
 url = "github:loystonpais/Droidspaces-OSS/artifacts";
 flake = false;
 };
+
+ finix.url = "github:finix-community/finix?ref=main";
 };
 outputs = {
@@ -16,7 +21,8 @@
 nixpkgs,
 flake-utils,
 artifacts,
- }: let
+ ...
+ } @ inputs: let
 lib = nixpkgs.lib;
 systems = ["x86_64-linux" "aarch64-linux"];
@@ -169,6 +175,25 @@
 inherit system;
 modules = [self.nixosModules.working-droidspaces-rootfs-minimal];
 }).config.system.build.tarball;
+
+ minimal-with-systemd-v259 =
+ (inputs.nixpkgs-with-systemd-v259.lib.nixosSystem {
+ inherit system;
+ modules = [self.nixosModules.working-droidspaces-rootfs-minimal];
+ }).config.system.build.tarball;
+ });
+
+ finixDroidspacesTarballs = lib.genAttrs systems (system: {
+ experimental =
+ (inputs.finix.lib.finixSystem {
+ inherit (pkgs) lib;
+ modules = [
+ {
+ nixpkgs.pkgs = inputs.nixpkgs.lib.mkDefault pkgs;
+ }
+ self.nixosModules.finix-droidspaces-rootfs-experimental
+ ];
+ }).config.droidspaces.tarball;
 });
 manualTestVMs = let
@@ -182,10 +207,15 @@
 inherit system;
 modules = [self.nixosModules.test-system-nixos-rootfs];
 });
+
+ finix-rootfs = mkDynamicVM (nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [self.nixosModules.test-system-finix-rootfs];
+ });
 });
 in {
 inherit forArch;
- inherit (forArch.${system}) default nixos-rootfs;
+ inherit (forArch.${system}) default nixos-rootfs finix-rootfs;
 };
 androidApp = {
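Review bot: In the inputs hunk, `finix.url = "github:finix-community/finix?ref=main";` follows a moving branch while both nixpkgs inputs in the same block are pinned to a commit; the lock file fixes it for now, but the next `nix flake update` will silently move the rootfs to whatever `main` holds at that moment, a different supply-chain posture from the rest of the inputs. Either pin it by rev like the others, or add a comment such as `# intentionally tracks main while finix support is experimental; pin before promoting` so the choice is visible. The remaining hunks in this file section (the `@ inputs` rename and the new tarball and VM attributes) raise nothing on their own.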
@@ -233,6 +263,23 @@
 '';
 };
+ test-system-finix-rootfs = {pkgs, ...}: {
+ imports = [self.nixosModules.test-system-base];
+
+ environment.variables.FINIX_ROOTFS = let
+ system = pkgs.stdenv.hostPlatform.system;
+ tarballPath = "${self.legacyPackages.${system}.finixDroidspacesTarballs.${system}.experimental}";
+ file = builtins.elemAt (lib.filesystem.listFilesRecursive "${tarballPath}/tarball") 0;
+ in
+ file;
+
+ environment.interactiveShellInit = ''
+ echo '------'
+ echo 'Finix Droidspaces Minimal Rootfs is available at $FINIX_ROOTFS'
+ echo '------'
+ '';
+ };
+
 test-system-base = {pkgs, ...}: {
 system.stateVersion = "26.05";
 networking.hostName = "test";
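Review bot: `builtins.elemAt (lib.filesystem.listFilesRecursive "${tarballPath}/tarball") 0` takes whatever file happens to come first: an empty directory fails evaluation with an opaque elemAt error, and more than one file makes the pick depend on directory ordering. Asserting the expectation makes both failures explicit, e.g. `files = lib.filesystem.listFilesRecursive "${tarballPath}/tarball";` and `file = assert lib.length files == 1; lib.head files;`. The echo line single-quotes `$FINIX_ROOTFS`, so the shell prints the variable name rather than the path; that reads as deliberate (telling the user which variable to use), but if the resolved path was intended the outer quotes need to be double quotes. The message also says "Minimal Rootfs" while the attribute it points at is `experimental`, which may confuse whoever reads it.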
@@ -311,6 +358,128 @@
 system.stateVersion = "26.05";
 };
+
+ finix-droidspaces-rootfs-experimental = {pkgs, ...}: {
+ imports = with inputs.finix.nixosModules; [
+ openssh
+ nix-daemon
+ sudo
+ bash
+ sysklogd
+
+ # Set container stuff
+ ({
+ pkgs,
+ lib,
+ config,
+ ...
+ }: {
+ options = {
+ droidspaces.tarball = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to droidspaces tarball to be extracted and used as rootfs";
+ };
+ };
+
+ config = {
+ boot.kernel.enable = false;
+ boot.initrd.enable = false;
+ boot.modprobeConfig.enable = false;
+
+ finit.tasks.register-nix-paths = {
+ runlevels = "S";
+ remain = true;
+ pre = pkgs.writeShellScript "register-nix-paths-pre" ''
+ test -f /nix-path-registration || exit 0
+ '';
+ command = pkgs.writeShellScript "register-nix-paths" ''
+ ${lib.getExe' config.services.nix-daemon.package.out "nix-store"} --load-db < /nix-path-registration
+ rm /nix-path-registration
+ ${lib.getExe' config.services.nix-daemon.package.out "nix-env"} -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+ description = "Register Nix Store Paths";
+ };
+
+ droidspaces.tarball = pkgs.callPackage "${inputs.nixpkgs}/nixos/lib/make-system-tarball.nix" {
+ fileName = "rootfs";
+ extraArgs = "--owner=0";
+
+ storeContents = [
+ {
+ object = config.system.build.toplevel;
+ symlink = "none";
+ }
+ ];
+
+ contents = [
+ {
+ source = pkgs.writeShellScript "init" ''
+ systemConfig=${config.system.build.toplevel}
+
+ export HOME=/root PATH=${lib.makeBinPath [pkgs.coreutils pkgs.util-linux]}
+
+ echo "starting container..."
+
+ # Required by the activation script
+ install -m 0755 -d /etc
+ if [ ! -h "/etc/nixos" ]; then
+ install -m 0755 -d /etc/nixos
+ fi
+ install -m 01777 -d /tmp
+
+ echo "running activation script..."
+ $systemConfig/activate
+
+
+ echo "starting finix..."
+ exec ${config.system.build.toplevel}/init "$@"
+ '';
+ target = "/sbin/init";
+ }
+ ];
+
+ extraCommands = "mkdir -p proc sys dev";
+ };
+ };
+ })
+ ];
+
+ services.sysklogd.enable = true;
+
+ services.nix-daemon.enable = true;
+ services.nix-daemon.nrBuildUsers = 32;
+ services.nix-daemon.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+ services.openssh.enable = true;
+
+ programs.sudo.enable = true;
+ programs.bash.enable = true;
+
+ users.users.test = {
+ isNormalUser = true;
+
+ extraGroups = [
+ "input"
+ "video"
+ "wheel"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ nano
+ htop
+ ];
+ };
 };
 };
 }
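Review bot: The `pre` script of `finit.tasks.register-nix-paths` exits 0 on both branches (`test -f /nix-path-registration || exit 0`, then end of script), so it never distinguishes the two cases and cannot gate the task; `command` will then run `nix-store --load-db < /nix-path-registration` on every boot after the first, when `rm` has already removed the file, and presumably fail. If the intent is to skip once the file is gone, move the guard to the first line of `command`, or make `pre` exit non-zero, depending on how finit treats a failing pre script (worth confirming against the finix module). Separately, this module builds the rootfs that ships in the tarball rather than only the test VM, and it enables sshd and creates `test` in `wheel` while `trusted-users` lists `@wheel`, which grants that account root-equivalent access through the nix daemon independent of sudo; whether any credential is set is not visible here, so if that exposure is intended for the shipped image a comment saying so (or moving the user into `test-system-base`, where the nixos variant keeps its test account) would make it explicit. `pkgs.callPackage "${inputs.nixpkgs}/nixos/lib/make-system-tarball.nix"` reaches into nixpkgs internals by path; a one-line note on why the finix system cannot use its own tarball builder would spare the next reader the question.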