Prevent host PATH from leaking into nix build env

flake.nix

@@ -51,30 +51,43 @@
     };
     mkosi = system: let
       pkgsForSystem = import nixpkgs {inherit system;};
+      mkosiTools = with pkgsForSystem; [
+        apt
+        dpkg
+        gnupg
+        debootstrap
+        dosfstools
+        e2fsprogs
+        mtools
+        gptfdisk
+        util-linux
+        zstd
+        which
+        qemu-utils
+        parted
+        jq
+        reprepro
+        systemd
+        bash
+        coreutils
+        findutils
+        gnused
+        gnugrep
+        gnutar
+        gzip
+        xz
+        curl
+        git
+        patch
+        ncurses
+      ];
+      mkosiToolsEnv = pkgsForSystem.buildEnv {
+        name = "mkosi-tools";
+        paths = mkosiTools;
+      };
       mkosi-unwrapped =
         (pkgsForSystem.mkosi.override {
-          extraDeps = with pkgsForSystem;
-            [
-              apt
-              dpkg
-              gnupg
-              debootstrap
-              squashfsTools
-              dosfstools
-              e2fsprogs
-              mtools
-              mustache-go
-              cryptsetup
-              gptfdisk
-              util-linux
-              zstd
-              which
-              qemu-utils
-              parted
-              unzip
-              jq
-            ]
-            ++ [reprepro];
+          extraDeps = mkosiTools;
         }).overrideAttrs (old: {
           src = pkgsForSystem.fetchFromGitHub {
             owner = "systemd";
@@ -92,6 +105,9 @@
               ${fd} -i '*/run.py' --hunks=x1-2 ${builtins.elemAt old.patches 0}
               ${fd} --hunks=x1                 ${builtins.elemAt old.patches 1}
             } | patch -p1
+
+            # Don't add /usr/bin and /usr/sbin to the PATH, only use /nix
+            sed -i -E '\#^\s+"/usr/(bin|sbin)",$#d' mkosi/run.py
           '';
         });
     in
@@ -102,7 +118,7 @@
           --map-auto --map-root-user \
           --setuid=0 --setgid=0 \
           -- \
-          env PATH="$PATH" \
+          env PATH="${mkosiToolsEnv}/bin" \
           ${mkosi-unwrapped}/bin/mkosi "$@"
       '';
   in {

mkosi.profiles/gcp/mkosi.postoutput

@@ -21,13 +21,7 @@ cp mkosi.profiles/gcp/repart.d/00-uki.conf "${REPART_TMPDIR}/00-uki.conf"
 echo "SizeMinBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf"
 echo "SizeMaxBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf"
 
-#
-# - default systemd-repart (in /usr/bin) is "systemd 252 (252.39-1~deb12u2)"
-# - the one from nix (/nix/store/*-systemd-*/bin) is newer ("systemd 258 (258.3)" a.t.m.)
-# - to use "--copy-source" CLI option we need a newer one
-# - this hack ensures systemd-repart resolves to the nix one
-#
-PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart \
+systemd-repart \
   --empty=create \
   --size=${DISK_GIB}G \
   --definitions="${REPART_TMPDIR}" \