fix(migrate-daniel-to-kanidm): robust deps + smarter session guard #501

Closed

lytedev wants to merge 0 commits from fix-migrate-daniel-unit into main

pull from: fix-migrate-daniel-unit

merge into: lytedev:main

lytedev:main

lytedev:voxtype-per-host-model

lytedev:push-kanidm-opt-in

lytedev:push-voxtype-flake-fix

lytedev:push-uvqqknxvqlvy

lytedev:push-qrqsxkmlrevert

lytedev:align-daniel-uid

lytedev:fix-kanidm-uid-attr-map

lytedev:fix-hibernate

lytedev:nix-on-droid

lytedev:agent-runners

lytedev:self-hosted-dns

lytedev:fix-runner-tmpfs-revert

lytedev:github-mirror

lytedev:beefcake-email

lytedev:beefcake-immich

lytedev:firefox-nightly-devedition

lytedev:fix-bun-baseline

lytedev:fix-user-env-manifest-perms

lytedev:cleanup-home-manager

lytedev:stale-symlink-cleanup

lytedev:flab-stuff

lytedev:printer-sftp

lytedev:dragon-vr-monado

lytedev:clever-vr-game-clamshell-mode-detection

lytedev:wireguard-mesh

Conversation 0 Commits - Files changed -

lytedev commented 2026-04-20 11:08:20 -05:00

Owner

Copy link

Summary

The migration oneshot introduced in #498 silently bailed on every boot on foxtrot (and anywhere else that got rebooted cleanly — it only worked on thinker because we ran it by hand). Two bugs, one trivial one structural:

1. Missing PATH. Systemd services run with an empty PATH by default. The script half-used ${pkgs.x}/bin/y absolute paths and half-used bare commands (getent, grep, dirname). set -e + bare getent = silent command not found → the "daniel not resolvable via NSS" branch fires and the unit returns success-with-nothing-done. Same for grep on the session guard.
2. Session guard matched by name, not uid. loginctl list-sessions | awk '{print $3}' | grep -qx daniel fires on any session named daniel, which includes both the pre-migration user@1000.service lingering from the old generation AND the new kanidm session once a user logs in. So after a normal reboot, the unit effectively never migrates — the guard always matches something.

Changes

• Replace the per-command let block with path = [ coreutils findutils gawk glibc.bin gnugrep rsync shadow systemd ] so every binary resolves naturally (and getent/grep/dirname actually exist).
• Rewrite the session guard: query getent passwd daniel for the post-migration uid, then skip only if there's an active session at a different uid (i.e. the uid=1000 lingering). A kanidm session at the new uid doesn't block migration.
• Downgrade the "not resolvable" log to "will retry next boot" so it's clearer this is expected behavior pre-kanidm-unixd-startup.

Test plan

• Deploy to a freshly-rebooted host that still has nested /home/daniel/.home (foxtrot).
• First boot: migration flattens .home, chowns /home/daniel, writes /var/lib/lyte/migrate-daniel-to-kanidm.done.
• Second boot: marker present, unit exits 0 immediately.
• If a uid=1000 session somehow lingers (linger enabled, deploy-via-SSH, etc.), unit logs a skip message with the remediation.

## Summary The migration oneshot introduced in #498 silently bailed on every boot on foxtrot (and anywhere else that got rebooted cleanly — it only worked on thinker because we ran it by hand). Two bugs, one trivial one structural: 1. **Missing PATH.** Systemd services run with an empty PATH by default. The script half-used `${pkgs.x}/bin/y` absolute paths and half-used bare commands (`getent`, `grep`, `dirname`). `set -e` + bare `getent` = silent `command not found` → the "daniel not resolvable via NSS" branch fires and the unit returns success-with-nothing-done. Same for `grep` on the session guard. 2. **Session guard matched by name, not uid.** `loginctl list-sessions | awk '{print $3}' | grep -qx daniel` fires on *any* session named `daniel`, which includes both the pre-migration `user@1000.service` lingering from the old generation AND the new kanidm session once a user logs in. So after a normal reboot, the unit effectively never migrates — the guard always matches something. ## Changes - Replace the per-command `let` block with `path = [ coreutils findutils gawk glibc.bin gnugrep rsync shadow systemd ]` so every binary resolves naturally (and `getent`/`grep`/`dirname` actually exist). - Rewrite the session guard: query `getent passwd daniel` for the post-migration uid, then skip only if there's an active session at a *different* uid (i.e. the uid=1000 lingering). A kanidm session at the new uid doesn't block migration. - Downgrade the "not resolvable" log to "will retry next boot" so it's clearer this is expected behavior pre-kanidm-unixd-startup. ## Test plan - [ ] Deploy to a freshly-rebooted host that still has nested `/home/daniel/.home` (foxtrot). - [ ] First boot: migration flattens `.home`, chowns `/home/daniel`, writes `/var/lib/lyte/migrate-daniel-to-kanidm.done`. - [ ] Second boot: marker present, unit exits 0 immediately. - [ ] If a uid=1000 session somehow lingers (linger enabled, deploy-via-SSH, etc.), unit logs a skip message with the remediation.

lytedev added 1 commit 2026-04-20 11:08:20 -05:00

fix(migrate-daniel-to-kanidm): robust deps + smarter session guard ... 253263e774

Previous incarnation of the migration oneshot silently bailed on every
boot because:
- `getent`, `grep`, and `dirname` weren't in the service's PATH
  (systemd services start with a minimal PATH and the script only
  absolute-path'd about half its commands).
- The active-session guard matched on the *name* `daniel`, which
  fires even for the newly-resolved kanidm session (uid 2001) — and
  especially fires if the pre-migration user@1000.service is lingering.

Switch to `path = [...]` with every needed package so bare
`getent`/`grep` work, and switch the guard to checking session
UIDs: we skip only if there is an active session at the pre-migration
uid (1000) where chowning live files would stomp on that user.

lytedev force-pushed fix-migrate-daniel-unit from 253263e774 to ca5af6b042 2026-04-20 11:14:27 -05:00 Compare

lytedev scheduled this pull request to auto merge when all checks succeed 2026-04-20 11:17:12 -05:00

lytedev canceled auto merging this pull request when all checks succeed 2026-04-20 11:17:17 -05:00

lytedev force-pushed fix-migrate-daniel-unit from ca5af6b042 to 5fb7f812dd 2026-04-20 13:45:01 -05:00 Compare

lytedev closed this pull request 2026-04-21 11:07:15 -05:00

All checks were successful

Hide all checks

/ check-format (push) Successful in 8s

Required

Details

/ build (push) Successful in 7m10s

Required

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is wrong

  

enhancement

New feature

  

question

Awaiting information

  

scary

Potentially problematic change

  

upstream

Awaiting upstream changes

No labels

bug

enhancement

question

scary

upstream

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lytedev/nix!501

No description provided.