nixos-rebuild-ng: validate NixOS configuration path

When `path://` or `git+file://` protocol is used in Flake mode (that is
the most common case since we normalize the paths, see PR #375493) and
the current working directory in a symlink pointing base store path to
the Nix store (e.g., /run/opengl-driver/lib), there is a nasty bug where
Nix resolves the path as the Nix store path of the current derivation
instead of the target derivation.

Since we blindly activate this path, this can corrupt the installation
and break some other activation scripts, like `systemd-boot-builder.py`.
While it is possible to recover this situation using `nix-env -p
/nix/var/nix/profiles/system --delete-generations old`, this is far from
ideal.

This commit solves it by validating that the resolved NixOS
configuration path includes at least `$out/nixos-version`. I am not sure
if this is going to break some cases so there is a escape hatch in the
form of the environment variable
`NIXOS_REBUILD_I_UNDERSTAND_THE_CONSEQUENCES_PLEASE_BREAK_MY_SYSTEM`,
but in general it looks safe.

0 files changed, 0 insertions, 0 deletions