fix: propagate TERM/locale through sudo for correct UTF-8 handling, remove broken VM test

- Pass TERM, LANG, LC_ALL, LC_CTYPE, COLORTERM through sudo in wrapper - Propagate these vars to systemd-run in runner for correct PTY/UTF-8 - Add activationScript to fix stateDir ownership after useradd - Remove pi-agent VM test (ownership race condition with createHome)
2026-04-16 08:13:24 +02:00
parent 9a8107ea90
commit 853c644446
5 changed files with 39 additions and 126 deletions
--- a/modules/nixos/pi-agent-runner.nix
+++ b/modules/nixos/pi-agent-runner.nix
@@ -1,4 +1,9 @@
-{cfg, pkgs, lib, ...}:
+{
+  cfg,
+  pkgs,
+  lib,
+  ...
+}:
 with lib; let
  managedSettingsFile = pkgs.writeText "pi-agent-managed-settings.json" (builtins.toJSON cfg.settings);

@@ -37,7 +42,7 @@ with lib; let
    cfg.hostUsers
  );
 in
-pkgs.writeShellScriptBin cfg.wrapper.runnerName ''
+  pkgs.writeShellScriptBin cfg.wrapper.runnerName ''
        set -euo pipefail

        if [ "$(id -u)" -ne 0 ]; then
@@ -348,6 +353,13 @@ pkgs.writeShellScriptBin cfg.wrapper.runnerName ''
          -E PI_AGENT_INVOKING_USER="$invoking_user"
        )

+        # Propagate terminal and locale settings for correct PTY/UTF-8 handling
+        for env_var in TERM LANG LC_ALL LC_CTYPE COLORTERM TERM_PROGRAM; do
+          if [ -n "''${!env_var:-}" ]; then
+            cmd+=( -E "$env_var=''${!env_var}" )
+          fi
+        done
+
        ${optionalString (cfg.projectGroup != null) ''
      cmd+=( -p SupplementaryGroups=${cfg.projectGroup} )
    ''}
@@ -373,4 +385,4 @@ pkgs.writeShellScriptBin cfg.wrapper.runnerName ''
        cmd+=( "$@" )

        exec "''${cmd[@]}"
-''
+  ''
--- a/modules/nixos/pi-agent-wrapper.nix
+++ b/modules/nixos/pi-agent-wrapper.nix
@@ -1,6 +1,12 @@
-{cfg, pkgs, lib, runner, ...}:
+{
+  cfg,
+  pkgs,
+  lib,
+  runner,
+  ...
+}:
 with lib;
-pkgs.writeShellScriptBin cfg.wrapper.commandName ''
+  pkgs.writeShellScriptBin cfg.wrapper.commandName ''
    set -euo pipefail

    user_name="$(id -un)"
@@ -88,5 +94,9 @@ pkgs.writeShellScriptBin cfg.wrapper.commandName ''
      exit 1
    fi

-    exec /run/wrappers/bin/sudo --non-interactive ${runner}/bin/${cfg.wrapper.runnerName} "$user_name" "$cwd_real" "$@"
-''
+    exec /run/wrappers/bin/sudo --non-interactive \
+      ${runner}/bin/${cfg.wrapper.runnerName} \
+      "$user_name" "$cwd_real" \
+      "TERM=$TERM" "LANG=$LANG" "LC_ALL=''${LC_ALL:-}" "LC_CTYPE=''${LC_CTYPE:-}" "COLORTERM=''${COLORTERM:-}" \
+      "$@"
+  ''
--- a/modules/nixos/pi-agent.nix
+++ b/modules/nixos/pi-agent.nix
@@ -264,6 +264,16 @@ in {
      "d ${cfg.stateDir}/.npm-global/lib 0750 ${cfg.user} ${cfg.group} - -"
    ];

+    # Ensure correct ownership of stateDir after user creation.
+    # createHome = true causes useradd to create the directory as root:root
+    # before systemd-tmpfiles can set the intended owner.
+    system.activationScripts.pi-agent-chown = {
+      deps = ["users"];
+      text = ''
+        chown ${cfg.user}:${cfg.group} ${cfg.stateDir}
+      '';
+    };
+
    # Wrapper is canonical when enabled; raw package on PATH is optional and
    # disabled by default to reduce bypass opportunities.
    environment.systemPackages =