From b61927e5f35fd085419c75fb3ec0ec707a4727ed Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Mon, 29 Dec 2025 17:38:05 +0100
Subject: [PATCH 1/2] nixos/podman: fix starting unprivileged containers with sdnotify=conmon

Closes #410857

Back when I researched the correct combinations of settings, containers would hang indefinitely with `--sdnotify=conmon` when using lingering and Delegate=yes. Apparently, this changed now this is needed to get these containers to start.
---
 nixos/modules/virtualisation/oci-containers.nix | 12 ++++--------
 nixos/tests/oci-containers.nix | 2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index 5b3576c97acd..6b7500d6c08e 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -542,7 +542,7 @@ let
 Environment = "PODMAN_SYSTEMD_UNIT=%n";
 Type = "notify";
 NotifyAccess = "all";
- Delegate = mkIf (container.podman.sdnotify == "healthy") true;
+ Delegate = true;
 User = effectiveUser;
 RuntimeDirectory = escapedName;
 };
@@ -630,13 +630,9 @@ in
 inherit (config.users.users.${podman.user}) linger;
 in
 warnings
- ++ lib.optional (podman.user != "root" && linger && podman.sdnotify == "conmon") ''
- Podman container ${name} is configured as rootless (user ${podman.user})
- with `--sdnotify=conmon`, but lingering for this user is turned on.
- ''
- ++ lib.optional (podman.user != "root" && !linger && podman.sdnotify == "healthy") ''
- Podman container ${name} is configured as rootless (user ${podman.user})
- with `--sdnotify=healthy`, but lingering for this user is turned off.
+ ++ lib.optional (podman.user != "root" && !linger) ''
+ Podman container ${name} is configured as rootless (user ${podman.user}),
+ but lingering for this user is turned off.
 ''
 ) [ ] cfg.containers
 );
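Review bot: `Delegate = true` in the first hunk is now set for every container unit, including root-run containers and rootless ones without lingering, while the commit message only motivates it for the rootless `--sdnotify=conmon` case. Combined with `User = effectiveUser` on the next line, a delegated cgroup subtree is, as far as I know, owned by that unprivileged user, which is the expected contract for a container manager but deserves a why-comment so the line is not reverted to the conditional form later; suggested: `# Delegate cgroup management to the service for all containers: rootless podman with --sdnotify=conmon needs it as well (#410857).` The serviceConfig attrset this line belongs to starts outside the hunk.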
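Review bot: The new warning in the second hunk fires for every rootless container whose user has lingering disabled, but it no longer tells the reader what to change; since the enclosing `let` already reads `config.users.users.${podman.user}.linger`, the message can name the option directly, e.g. `but lingering for this user is turned off; set users.users.${podman.user}.linger = true.` Dropping the old `--sdnotify=conmon` with lingering on warning matches the commit message's statement that lingering is now required in both modes, but that reversal of the previously recommended combination is recorded only in the commit message; a comment above the `lib.optional`, e.g. `# Rootless containers need a lingering user session regardless of sdnotify mode (#410857).`, would keep the reasoning with the code. The expression that accumulates `warnings` (closed by `) [ ] cfg.containers`) starts outside the hunk.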
diff --git a/nixos/tests/oci-containers.nix b/nixos/tests/oci-containers.nix
index 9d41e4baffdf..71c35e8d4176 100644
--- a/nixos/tests/oci-containers.nix
+++ b/nixos/tests/oci-containers.nix
@@ -84,7 +84,7 @@ let
 isSystemUser = true;
 group = "redis";
 home = "/var/lib/redis";
- linger = type == "healthy";
+ linger = true;
 createHome = true;
 uid = 2342;
 subUidRanges = [

From 53448422726f8efb3087d335094eab0e260f6c79 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Tue, 30 Dec 2025 10:43:36 +0100
Subject: [PATCH 2/2] podman: add rootless tests to passthru.tests

---
 pkgs/by-name/po/podman/package.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/by-name/po/podman/package.nix b/pkgs/by-name/po/podman/package.nix
index 5090d9dd84ac..fed9635c312f 100644
--- a/pkgs/by-name/po/podman/package.nix
+++ b/pkgs/by-name/po/podman/package.nix
@@ -158,6 +158,8 @@ buildGoModule (finalAttrs: {
 podman-tls-ghostunnel
 ;
 oci-containers-podman = nixosTests.oci-containers.podman;
+ oci-containers-podman-rootless-conmon = nixosTests.oci-containers.podman-rootless-conmon;
+ oci-containers-podman-rootless-healthy = nixosTests.oci-containers.podman-rootless-healthy;
 };
 # do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed
 binPath = lib.makeBinPath (