From 850160d1200b1293e6c58658e2836c60948fa837 Mon Sep 17 00:00:00 2001
From: Michael Hoang <enzime@users.noreply.github.com>
Date: Tue, 30 Sep 2025 16:47:54 +0200
Subject: [PATCH] nixos_test_lib: fix Nix in Nix not working with
 `driverInteractive`

---
 .../service-dummy-test-from-flake/default.nix | 44 ++++++++++---------
 checks/update/flake-module.nix                |  3 +-
 pkgs/testing/nixos_test_lib/nix_setup.py      | 31 +++++++------
 3 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/checks/service-dummy-test-from-flake/default.nix b/checks/service-dummy-test-from-flake/default.nix
index 29e8d253c..11c679f4a 100644
--- a/checks/service-dummy-test-from-flake/default.nix
+++ b/checks/service-dummy-test-from-flake/default.nix
@@ -29,32 +29,34 @@ nixosLib.runTest (
       { nodes, ... }:
       ''
         import subprocess
-        from nixos_test_lib.nix_setup import setup_nix_in_nix # type: ignore[import-untyped]
+        import tempfile
+        from nixos_test_lib.nix_setup import setup_nix_in_nix
 
-        setup_nix_in_nix(None)  # No closure info for this test
+        with tempfile.TemporaryDirectory() as temp_dir:
+          setup_nix_in_nix(temp_dir, None)  # No closure info for this test
 
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
+          start_all()
+          admin1.wait_for_unit("multi-user.target")
+          peer1.wait_for_unit("multi-user.target")
 
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
+          # peer1 should have the 'hello' file
+          peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
 
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
+          ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
+          # Check that the file is owned by 'nobody'
+          assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
+          # Check that the file is in the 'users' group
+          assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
+          # Check that the file is in the '0644' mode
+          assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
 
-        # Run clan command
-        result = subprocess.run(
-            ["${
-              clan-core.packages.${hostPkgs.system}.clan-cli
-            }/bin/clan", "machines", "list", "--flake", "${config.clan.test.flakeForSandbox}"],
-            check=True
-        )
+          # Run clan command
+          result = subprocess.run(
+              ["${
+                clan-core.packages.${hostPkgs.system}.clan-cli
+              }/bin/clan", "machines", "list", "--flake", "${config.clan.test.flakeForSandbox}"],
+              check=True
+          )
       '';
   }
 )
diff --git a/checks/update/flake-module.nix b/checks/update/flake-module.nix
index 6ff1ad2ef..33fb859f6 100644
--- a/checks/update/flake-module.nix
+++ b/checks/update/flake-module.nix
@@ -225,12 +225,13 @@
                         [
                             "${pkgs.nix}/bin/nix",
                             "copy",
+                            "--from",
+                            f"{temp_dir}/store",
                             "--to",
                             "ssh://root@192.168.1.1",
                             "--no-check-sigs",
                             f"${self.packages.${pkgs.hostPlatform.system}.clan-cli}",
                             "--extra-experimental-features", "nix-command flakes",
-                            "--from", f"{os.environ["TMPDIR"]}/store"
                         ],
                         check=True,
                         env={
diff --git a/pkgs/testing/nixos_test_lib/nix_setup.py b/pkgs/testing/nixos_test_lib/nix_setup.py
index 2280ed650..d43353d1f 100644
--- a/pkgs/testing/nixos_test_lib/nix_setup.py
+++ b/pkgs/testing/nixos_test_lib/nix_setup.py
@@ -10,15 +10,14 @@ NIX_STORE_BIN = "@nix-store@"
 XARGS_BIN = "@xargs@"
 
 
-def setup_nix_in_nix(closure_info: str | None) -> None:
+def setup_nix_in_nix(temp_dir: str, closure_info: str | None) -> None:
     """Set up Nix store inside test environment
 
     Args:
+        temp_dir: Temporary directory
         closure_info: Path to closure info directory containing store-paths file,
             or None if no closure info
     """
-    tmpdir = Path(os.environ.get("TMPDIR", "/tmp"))  # noqa: S108
-
     # Remove NIX_REMOTE if present (we don't have any nix daemon running)
     if "NIX_REMOTE" in os.environ:
         del os.environ["NIX_REMOTE"]
@@ -27,19 +26,19 @@ def setup_nix_in_nix(closure_info: str | None) -> None:
     os.environ["NIX_CONFIG"] = "substituters = \ntrusted-public-keys = "
 
     # Set up environment variables for test environment
-    os.environ["HOME"] = str(tmpdir)
-    os.environ["NIX_STATE_DIR"] = f"{tmpdir}/nix"
-    os.environ["NIX_CONF_DIR"] = f"{tmpdir}/etc"
+    os.environ["HOME"] = str(temp_dir)
+    os.environ["NIX_STATE_DIR"] = f"{temp_dir}/nix"
+    os.environ["NIX_CONF_DIR"] = f"{temp_dir}/etc"
     os.environ["IN_NIX_SANDBOX"] = "1"
-    os.environ["CLAN_TEST_STORE"] = f"{tmpdir}/store"
-    os.environ["LOCK_NIX"] = f"{tmpdir}/nix_lock"
+    os.environ["CLAN_TEST_STORE"] = f"{temp_dir}/store"
+    os.environ["LOCK_NIX"] = f"{temp_dir}/nix_lock"
 
     # Create necessary directories
-    Path(f"{tmpdir}/nix").mkdir(parents=True, exist_ok=True)
-    Path(f"{tmpdir}/etc").mkdir(parents=True, exist_ok=True)
-    Path(f"{tmpdir}/store").mkdir(parents=True, exist_ok=True)
-    Path(f"{tmpdir}/store/nix/store").mkdir(parents=True, exist_ok=True)
-    Path(f"{tmpdir}/store/nix/var/nix/gcroots").mkdir(parents=True, exist_ok=True)
+    Path(f"{temp_dir}/nix").mkdir(parents=True, exist_ok=True)
+    Path(f"{temp_dir}/etc").mkdir(parents=True, exist_ok=True)
+    Path(f"{temp_dir}/store").mkdir(parents=True, exist_ok=True)
+    Path(f"{temp_dir}/store/nix/store").mkdir(parents=True, exist_ok=True)
+    Path(f"{temp_dir}/store/nix/var/nix/gcroots").mkdir(parents=True, exist_ok=True)
 
     # Set up Nix store if closure info is provided
     if closure_info and Path(closure_info).exists():
@@ -60,7 +59,7 @@ def setup_nix_in_nix(closure_info: str | None) -> None:
                         "--recursive",
                         "--reflink=auto",  # Use copy-on-write if available
                         "--target-directory",
-                        f"{tmpdir}/store/nix/store",
+                        f"{temp_dir}/store/nix/store",
                     ],
                     stdin=f,
                     check=True,
@@ -71,7 +70,7 @@ def setup_nix_in_nix(closure_info: str | None) -> None:
             if registration_file.exists():
                 with registration_file.open() as f:
                     subprocess.run(  # noqa: S603
-                        [NIX_STORE_BIN, "--load-db", "--store", f"{tmpdir}/store"],
+                        [NIX_STORE_BIN, "--load-db", "--store", f"{temp_dir}/store"],
                         input=f.read(),
                         text=True,
                         check=True,
@@ -92,7 +91,7 @@ def prepare_test_flake(
         Path to the test flake directory
     """
     # Set up Nix store
-    setup_nix_in_nix(closure_info)
+    setup_nix_in_nix(temp_dir, closure_info)
 
     # Copy test flake
     flake_dir = Path(temp_dir) / "test-flake"