From 57c96ff6efac77ea0a9d40abf540f4e099f5a8c1 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Giraudeau <jb@giraudeau.info>
Date: Tue, 18 Feb 2025 09:41:55 +0100
Subject: [PATCH] nixos-container: avoid subshell when testing $PRIVATE_USERS

 So that the script is not rejected by https://www.shellcheck.net/wiki/SC2235
 under `systemd.enableStrictShellChecks = true;`
---
 nixos/modules/virtualisation/nixos-containers.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index 823e7e0fe909..04fc77bbf5da 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -118,7 +118,7 @@ let
       NIX_BIND_OPT=""
       if [ -n "$PRIVATE_USERS" ]; then
         extraFlags+=("--private-users=$PRIVATE_USERS")
-        if [ "$PRIVATE_USERS" = "pick" ] || ( [ "$PRIVATE_USERS" != "identity" ] && [ "$PRIVATE_USERS" -gt 0 ] ); then
+        if [ "$PRIVATE_USERS" = "pick" ] || { [ "$PRIVATE_USERS" != "identity" ] && [ "$PRIVATE_USERS" -gt 0 ]; }; then
           # when user namespacing is enabled, we use `idmap` mount option
           # so that bind mounts under /nix get proper owner (and not nobody/nogroup).
           NIX_BIND_OPT=":idmap"