From dda86832440d741aafbee6d200888ddd889bd231 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka
Date: Sat, 15 Mar 2025 12:23:53 -0400
Subject: [PATCH] nix-daemon: use PathState to wait for nix store

This allows to avoid wait4path and sh from execution path; simplifying permissions setup for the daemon (which needs Full Disk Access to manage all files under /nix/store.)

Signed-off-by: Ihar Hrachyshka
---
 modules/services/nix-daemon.nix | 20 +++++++++++++-------
 tests/services-nix-daemon.nix   |  5 ++---
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/modules/services/nix-daemon.nix b/modules/services/nix-daemon.nix
index 404ca0571..40fac2b00 100644
--- a/modules/services/nix-daemon.nix
+++ b/modules/services/nix-daemon.nix
@@ -40,18 +40,25 @@ in
     };
   };
 
-  config = mkIf config.nix.enable {
+  config = let
+    nixDaemonCmd = lib.getExe' config.nix.package "nix-daemon";
+    keepAliveArgs = if cfg.enableSocketListener then {
+      command = nixDaemonCmd;
+    } else {
+      serviceConfig.ProgramArguments = [ nixDaemonCmd ];
+      serviceConfig.KeepAlive.PathState = {
+        "/nix/store" = true;
+      };
+    };
+  in mkIf config.nix.enable {
 
-    launchd.daemons.nix-daemon = {
-      command = lib.getExe' config.nix.package "nix-daemon";
+    launchd.daemons.nix-daemon = lib.recursiveUpdate {
       serviceConfig.ProcessType = config.nix.daemonProcessType;
       serviceConfig.LowPriorityIO = config.nix.daemonIOLowPriority;
       serviceConfig.Label = "org.nixos.nix-daemon"; # must match daemon installed by Nix regardless of the launchd label Prefix
       serviceConfig.SoftResourceLimits.NumberOfFiles = mkDefault 1048576;
       serviceConfig.StandardErrorPath = cfg.logFile;
 
-      serviceConfig.KeepAlive = mkIf (!cfg.enableSocketListener) true;
-
       serviceConfig.Sockets = mkIf cfg.enableSocketListener {
         Listeners.SockType = "stream";
         Listeners.SockPathName = "/nix/var/nix/daemon-socket/socket";
@@ -68,7 +75,6 @@ in
           OBJC_DISABLE_INITIALIZE_FORK_SAFETY = mkDefault "YES";
         }
       ];
-    };
-
+    } keepAliveArgs;
   };
 }
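Review bot: In the `enableSocketListener` branch of `keepAliveArgs` the daemon is still started through `command = nixDaemonCmd`, so whatever wrapper the launchd module applies to `command` (the removed test lines suggest a `/bin/wait4path … && exec …` shell) is only dropped for the non-socket configuration, and the Full Disk Access simplification from the commit message does not apply when the socket listener is on. If the wrapper is not needed once launchd socket-activates the job, `serviceConfig.ProgramArguments = [ nixDaemonCmd ];` could be set in both branches, with `KeepAlive.PathState` kept only for the non-socket branch. The `"/nix/store" = true` entry also deserves a why-comment, e.g. `# Let launchd hold the job until the Nix store is present instead of wrapping nix-daemon in wait4path/sh, so the Full Disk Access grant applies to nix-daemon itself.`, and it is worth confirming that PathState fires when /nix is a volume mounted after launchd starts, since that late mount is what wait4path guarded against. The `config` attribute continues into the second hunk, which only closes it.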
diff --git a/tests/services-nix-daemon.nix b/tests/services-nix-daemon.nix
index f8f06e5d9..2da5a381f 100644
--- a/tests/services-nix-daemon.nix
+++ b/tests/services-nix-daemon.nix
@@ -14,10 +14,9 @@ in
   test = ''
     echo checking nix-daemon service in /Library/LaunchDaemons >&2
     grep "org.nixos.nix-daemon" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "/bin/wait4path" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "&&" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
-    grep "exec ${nix}/bin/nix-daemon" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "${nix}/bin/nix-daemon" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
     grep "KeepAlive" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
+    grep "PathState" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist
     (! grep "Sockets" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist)
 
     echo checking NIX_SSL_CERT_FILE in nix-daemon service >&2
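Review bot: The rewritten test only adds positive greps for `${nix}/bin/nix-daemon` and `PathState`, so a regression that reintroduces the sh/wait4path wrapper in the generated plist would still pass; the removed `/bin/wait4path` and `&&` greps could be kept as negative checks, `(! grep "/bin/wait4path" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist)` and `(! grep "/bin/sh" ${config.out}/Library/LaunchDaemons/org.nixos.nix-daemon.plist)`, since removing them from the daemon's execution path is the stated purpose of the change. A `grep "ProgramArguments"` next to the `PathState` grep would also pin which branch of the new `keepAliveArgs` is exercised; the `(! grep "Sockets" …)` line shows this test covers the non-socket-listener configuration only, so the `enableSocketListener = true` path has no coverage here. The `test = ''` string continues past the end of the hunk.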