fix: first-boot service waits for internet and retries on failure

mrosseel · claude · mrosseel · commit da41e119e8be · 2026-03-10T23:33:14.000+01:00
Root cause: network-online.target was unreliable because
NetworkManager-wait-online was disabled, so pifinder-first-boot
ran before internet was available.

- Add curl-based connectivity check with 5-minute retry loop
- Add Restart=on-failure with 15s delay
- Re-enable NetworkManager-wait-online (with 30s timeout)
- Add sudo permissions for systemctl/journalctl (remote recovery)

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/nixos/migration.nix b/nixos/migration.nix
@@ -15,7 +15,7 @@ in {
   # Minimal system packages for migration troubleshooting
   # ---------------------------------------------------------------------------
   environment.systemPackages = with pkgs; [
-    nano
+    vim
     htop
     e2fsprogs
     dosfstools
@@ -117,11 +117,27 @@ in {
       Type = "oneshot";
       RemainAfterExit = true;
       TimeoutStartSec = "30min";
+      Restart = "on-failure";
+      RestartSec = "15s";
     };
-    path = with pkgs; [ nix coreutils systemd ];
+    path = with pkgs; [ nix coreutils systemd curl ];
     script = ''
       set -euo pipefail
 
+      # Wait for actual internet connectivity (network-online.target is unreliable)
+      echo "Waiting for internet connectivity..."
+      for i in $(seq 1 60); do
+        if curl -sf --max-time 5 https://cache.nixos.org/nix-cache-info >/dev/null 2>&1; then
+          echo "Internet available after ''${i} attempts"
+          break
+        fi
+        if [ "$i" -eq 60 ]; then
+          echo "ERROR: No internet after 5 minutes"
+          exit 1
+        fi
+        sleep 5
+      done
+
       STORE_PATH=$(cat /var/lib/pifinder/first-boot-target)
       if [ -z "$STORE_PATH" ] || [[ "$STORE_PATH" != /nix/store/* ]]; then
         echo "ERROR: Invalid store path: $STORE_PATH"
@@ -158,6 +174,12 @@ in {
         if (action.id.indexOf("org.freedesktop.NetworkManager") == 0) {
           return polkit.Result.YES;
         }
+        if (action.id == "org.freedesktop.login1.reboot" ||
+            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+            action.id == "org.freedesktop.login1.power-off" ||
+            action.id == "org.freedesktop.login1.power-off-multiple-sessions") {
+          return polkit.Result.YES;
+        }
       }
     });
   '';
@@ -169,8 +191,14 @@ in {
     users = [ "pifinder" ];
     commands = [
       { command = "/run/current-system/sw/bin/shutdown *"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/hostnamectl *"; options = [ "NOPASSWD" ]; }
       { command = "/run/current-system/sw/bin/hostname *"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/avahi-set-host-name *"; options = [ "NOPASSWD" ]; }
       { command = "/run/current-system/sw/bin/dmesg"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/systemctl restart pifinder-first-boot.service"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/systemctl restart pifinder*"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/systemctl status *"; options = [ "NOPASSWD" ]; }
+      { command = "/run/current-system/sw/bin/journalctl *"; options = [ "NOPASSWD" ]; }
     ];
   }];
 
@@ -245,7 +273,10 @@ in {
     };
   };
 
-  systemd.services.NetworkManager-wait-online.enable = false;
+  # NetworkManager-wait-online adds ~10s to boot but is needed for
+  # pifinder-first-boot to have internet. The first-boot script also has
+  # its own connectivity retry loop as a fallback.
+  systemd.services.NetworkManager-wait-online.serviceConfig.TimeoutStartSec = "30s";
 
   system.stateVersion = "24.11";
   }; # config
