nixpkgs/pkgs/by-name/di/distrobuilder/nixos-generator.patch

diff --git c/distrobuilder/lxc.generator w/distrobuilder/lxc.generator
index 5f854d3..927f2df 100644
--- c/distrobuilder/lxc.generator
+++ w/distrobuilder/lxc.generator
@@ -16,16 +16,6 @@ is_lxc_privileged_container() {
 	grep -qw 4294967295$ /proc/self/uid_map
 }
 
-# is_in_path succeeds if the given file exists in on of the paths
-is_in_path() {
-	# Don't use $PATH as that may not include all relevant paths
-	for path in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
-		[ -e "${path}/${1}" ] && return 0
-	done
-
-	return 1
-}
-
 ## Fix functions
 # fix_ro_paths avoids udevd issues with /sys and /proc being writable
 fix_ro_paths() {
@@ -47,41 +37,6 @@ fix_ro_run() {
 		EOF
 }
 
-# fix_nm_link_state forces the network interface to a DOWN state ahead of NetworkManager starting up
-fix_nm_link_state() {
-	[ -e "/sys/class/net/${1}" ] || return 0
-
-	ip=
-	if [ -f "/sbin/ip" ]; then
-		ip="/sbin/ip"
-	elif [ -f "/bin/ip" ]; then
-		ip="/bin/ip"
-	else
-		return 0
-	fi
-
-	cat <<-EOF > /run/systemd/system/network-device-down.service
-		# This file was created by distrobuilder
-		[Unit]
-		Description=Turn off network device
-		Before=NetworkManager.service
-		Before=systemd-networkd.service
-
-		[Service]
-		# do not turn off if there is a default route to 169.254.0.1, i.e. the device is a routed nic
-		ExecCondition=/bin/sh -c '! /usr/bin/grep -qs 00000000.0100FEA9 /proc/net/route'
-		ExecStart=-${ip} link set ${1} down
-		Type=oneshot
-		RemainAfterExit=true
-
-		[Install]
-		WantedBy=default.target
-		EOF
-
-	mkdir -p /run/systemd/system/default.target.wants
-	ln -sf /run/systemd/system/network-device-down.service /run/systemd/system/default.target.wants/network-device-down.service
-}
-
 # fix_systemd_override_unit generates a unit specific override
 fix_systemd_override_unit() {
 	dropin_dir="/run/systemd/${1}.d"
@@ -122,16 +77,7 @@ fix_systemd_mask() {
 # fix_systemd_udev_trigger overrides the systemd-udev-trigger.service to match the latest version
 # of the file which uses "ExecStart=-" instead of "ExecStart=".
 fix_systemd_udev_trigger() {
-	udev=
-	if [ -f /usr/bin/udevadm ]; then
-		udev=/usr/bin/udevadm
-	elif [ -f /sbin/udevadm ]; then
-		udev=/sbin/udevadm
-	elif [ -f /bin/udevadm ]; then
-		udev=/bin/udevadm
-	else
-		return 0
-	fi
+	udev=/run/current-system/sw/bin/udevadm
 
 	mkdir -p /run/systemd/system/systemd-udev-trigger.service.d
 	cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf
@@ -143,52 +89,40 @@ fix_systemd_udev_trigger() {
 		EOF
 }
 
-# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=".
-fix_systemd_sysctl() {
-	sysctl=/usr/lib/systemd/systemd-sysctl
-	[ ! -e "${sysctl}" ] && sysctl=/lib/systemd/systemd-sysctl
-
-	mkdir -p /run/systemd/system/systemd-sysctl.service.d
-	cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf
-		# This file was created by distrobuilder
-		[Service]
-		ExecStart=
-		ExecStart=-${sysctl}
-		EOF
-}
-
 ## Main logic
 # Exit immediately if not an Incus/LXC container
 is_lxc_container || exit 0
 
 # Determine systemd version
-SYSTEMD=""
-for path in /usr/lib/systemd/systemd /lib/systemd/systemd; do
-	[ -x "${path}" ] || continue
+SYSTEMD="$(/run/current-system/sw/lib/systemd/systemd --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
 
-	SYSTEMD="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
-	break
-done
 
-# Apply systemd overrides
-if [ "${SYSTEMD}" -ge 244 ]; then
-	fix_systemd_override_unit system/service
-else
-	# Setup per-unit overrides
-	find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
-		fix_systemd_override_unit "${service_file}"
-	done
-fi
 
-# Workarounds for unprivileged containers.
-if ! is_lxc_privileged_container; then
-	fix_ro_paths systemd-networkd.service
-	fix_ro_paths systemd-resolved.service
+
+# Overriding some systemd features is only needed if security.nesting=false
+# in which case, /dev/.lxc will be missing
+# Adding this conditional back for NixOS as we do not have the reported
+# problems, and the overrides could reduce potential service hardening
+if [ ! -d /dev/.lxc ]; then
+  # Apply systemd overrides
+  if [ "${SYSTEMD}" -ge 244 ]; then
+    fix_systemd_override_unit system/service
+  else
+    # Setup per-unit overrides
+    find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
+      fix_systemd_override_unit "${service_file}"
+    done
+  fi
+
+  # Workarounds for unprivileged containers.
+  if ! is_lxc_privileged_container; then
+    fix_ro_paths systemd-networkd.service
+    fix_ro_paths systemd-resolved.service
+  fi
 fi
 
 # Ignore failures on some units.
 fix_systemd_udev_trigger
-fix_systemd_sysctl
 
 # Fix issues with /run not being writable.
 fix_ro_run systemd-nsresourced.service
@@ -221,11 +155,6 @@ if [ -d /etc/udev ]; then
 		EOF
 fi
 
-# Workarounds for NetworkManager in containers
-if is_in_path NetworkManager; then
-	fix_nm_link_state eth0
-fi
-
 # Allow masking units created by the lxc system-generator.
 for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do
 	if ! [ -d "${d}" ]; then