nixos: allow more things to be disabled (#429695)

nixos/modules/config/system-path.nix

@@ -8,41 +8,47 @@
 }:
 let
 
-  requiredPackages =
+  corePackageNames = [
-    map (pkg: lib.setPrio ((pkg.meta.priority or lib.meta.defaultPriority) + 3) pkg)
+    "acl"
-      [
+    "attr"
-        pkgs.acl
+    "bashInteractive" # bash with ncurses support
-        pkgs.attr
+    "bzip2"
-        pkgs.bashInteractive # bash with ncurses support
+    "coreutils-full"
-        pkgs.bzip2
+    "cpio"
-        pkgs.coreutils-full
+    "curl"
-        pkgs.cpio
+    "diffutils"
-        pkgs.curl
+    "findutils"
-        pkgs.diffutils
+    "gawk"
-        pkgs.findutils
+    "getent"
-        pkgs.gawk
+    "getconf"
-        pkgs.stdenv.cc.libc
+    "gnugrep"
-        pkgs.getent
+    "gnupatch"
-        pkgs.getconf
+    "gnused"
-        pkgs.gnugrep
+    "gnutar"
-        pkgs.gnupatch
+    "gzip"
-        pkgs.gnused
+    "xz"
-        pkgs.gnutar
+    "less"
-        pkgs.gzip
+    "libcap"
-        pkgs.xz
+    "ncurses"
-        pkgs.less
+    "netcat"
-        pkgs.libcap
+    "mkpasswd"
-        pkgs.ncurses
+    "procps"
-        pkgs.netcat
+    "su"
-        config.programs.ssh.package
+    "time"
-        pkgs.mkpasswd
+    "util-linux"
-        pkgs.procps
+    "which"
-        pkgs.su
+    "zstd"
-        pkgs.time
-        pkgs.util-linux
-        pkgs.which
-        pkgs.zstd
   ];
+  corePackages =
+    (map (
+      n:
+      let
+        pkg = pkgs.${n};
+      in
+      lib.setPrio ((pkg.meta.priority or lib.meta.defaultPriority) + 3) pkg
+    ) corePackageNames)
+    ++ [ pkgs.stdenv.cc.libc ];
+  corePackagesText = "[ ${lib.concatMapStringsSep " " (n: "pkgs.${n}") corePackageNames} ]";
 
   defaultPackageNames = [
     "perl"
@@ -80,6 +86,29 @@ in
         '';
       };
 
+      corePackages = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = corePackages;
+        defaultText = lib.literalMD ''
+          these packages, with their `meta.priority` numerically increased
+          (thus lowering their installation priority):
+
+              ${corePackagesText}
+        '';
+        example = [ ];
+        description = ''
+          Set of core packages for a normal interactive system.
+
+          Only change this if you know what you're doing!
+
+          Like with systemPackages, packages are installed to
+          {file}`/run/current-system/sw`. They are
+          automatically available to all users, and are
+          automatically updated every time you rebuild the system
+          configuration.
+        '';
+      };
+
       defaultPackages = lib.mkOption {
         type = lib.types.listOf lib.types.package;
         default = defaultPackages;
@@ -151,7 +180,7 @@ in
 
   config = {
 
-    environment.systemPackages = requiredPackages ++ config.environment.defaultPackages;
+    environment.systemPackages = config.environment.corePackages ++ config.environment.defaultPackages;
 
     environment.pathsToLink = [
       "/bin"

nixos/modules/programs/bash/bash.nix

@@ -23,15 +23,11 @@ let
 in
 
 {
-  imports = [
-    (lib.mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
-  ];
 
   options = {
 
     programs.bash = {
 
-      /*
       enable = lib.mkOption {
         default = true;
         description = ''
@@ -44,7 +40,6 @@ in
         '';
         type = lib.types.bool;
       };
-      */
 
       shellAliases = lib.mkOption {
         default = { };
@@ -129,8 +124,7 @@ in
 
   };
 
-  config = # lib.mkIf cfg.enable
+  config = lib.mkIf cfg.enable {
-    {
 
     programs.bash = {
 

nixos/modules/programs/fuse.nix

@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   cfg = config.programs.fuse;
@@ -7,6 +12,10 @@ in
   meta.maintainers = with lib.maintainers; [ ];
 
   options.programs.fuse = {
+    enable = lib.mkEnableOption "fuse" // {
+      default = true;
+    };
+
     mountMax = lib.mkOption {
       # In the C code it's an "int" (i.e. signed and at least 16 bit), but
       # negative numbers obviously make no sense:
@@ -27,10 +36,30 @@ in
     };
   };
 
-  config = {
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      pkgs.fuse
+      pkgs.fuse3
+    ];
+
+    security.wrappers =
+      let
+        mkSetuidRoot = source: {
+          setuid = true;
+          owner = "root";
+          group = "root";
+          inherit source;
+        };
+      in
+      {
+        fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
+        fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
+      };
+
     environment.etc."fuse.conf".text = ''
       ${lib.optionalString (!cfg.userAllowOther) "#"}user_allow_other
       mount_max = ${builtins.toString cfg.mountMax}
     '';
+
   };
 }

nixos/modules/programs/ssh.nix

@@ -335,6 +335,8 @@ in
       }
     );
 
+    environment.corePackages = [ cfg.package ];
+
     # SSH configuration. Slight duplication of the sshd_config
     # generation in the sshd service.
     environment.etc."ssh/ssh_config".text = ''

nixos/modules/security/wrappers/default.nix

@@ -266,8 +266,6 @@ in
       in
       {
         # These are mount related wrappers that require the +s permission.
-        fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
-        fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
         mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
         umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
       };

nixos/modules/system/activation/activation-script.nix

@@ -317,7 +317,7 @@ in
       source ${config.system.build.earlyMountScript}
     '';
 
-    systemd.user = {
+    systemd.user = lib.mkIf config.system.activatable {
       services.nixos-activation = {
         description = "Run user-specific NixOS activation";
         script = config.system.userActivationScripts.script;

nixos/modules/system/boot/kernel.nix

@@ -414,7 +414,9 @@ in
 
           ln -s ${initrdPath} $out/initrd
 
+          ${optionalString (config.boot.initrd.secrets != { }) ''
             ln -s ${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets $out
+          ''}
 
           ln -s ${config.hardware.firmware}/lib/firmware $out/firmware
         '';

nixos/modules/system/boot/kexec.nix

@@ -1,7 +1,22 @@
-{ pkgs, lib, ... }:
-
 {
-  config = lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.kexec-tools) {
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.boot.kexec;
+in
+{
+  options.boot.kexec = {
+    enable = lib.mkEnableOption "kexec" // {
+      default = lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.kexec-tools;
+      defaultText = lib.literalExpression ''lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.kexec-tools'';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.kexec-tools ];
 
     systemd.services.prepare-kexec = {

nixos/modules/tasks/filesystems.nix

@@ -461,13 +461,7 @@ in
     # Add the mount helpers to the system path so that `mount' can find them.
     system.fsPackages = [ pkgs.dosfstools ];
 
-    environment.systemPackages =
+    environment.systemPackages = config.system.fsPackages;
-      with pkgs;
-      [
-        fuse3
-        fuse
-      ]
-      ++ config.system.fsPackages;
 
     environment.etc.fstab.text =
       let

nixos/modules/tasks/network-interfaces.nix

@@ -1767,7 +1767,8 @@ in
       text = cfg.hostName + "\n";
     };
 
-    environment.systemPackages = [
+    environment.corePackages = lib.mkOptionDefault (
+      [
         pkgs.host
         pkgs.hostname-debian
         pkgs.iproute2
@@ -1777,7 +1778,8 @@ in
         pkgs.wirelesstools # FIXME: obsolete?
         pkgs.iw
       ]
-    ++ bridgeStp;
+      ++ bridgeStp
+    );
 
     # Wake-on-LAN configuration is shared by the scripted and networkd backends.
     systemd.network.links = pipe interfaces [