nixos/udev: Add an option to fail on FHS paths

So far we were merely printing a warning if there are still references
to (/usr)/s?bin, but we actually want to make sure that we fix those
paths, especially on updates of packages that come with udev rules.

This adds a new option allowImpurePaths, which when set to false will
cause the "udev-rules" derivation to fail.

I've set this to true by default, to not break existing systems too much
and the intention is to set it to false for a few NixOS VM tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

nixos/modules/services/hardware/udev.nix

@@ -116,6 +116,7 @@ let
           )"
           echo "$localFile ($remoteFile) contains references to $refs."
         done
+        ${optionalString (!cfg.allowImpurePaths) "exit 1"}
       fi
 
       ${optionalString config.networking.usePredictableInterfaceNames ''
@@ -231,6 +232,20 @@ in
         '';
       };
 
+      allowImpurePaths = mkOption {
+        default = true;
+        example = false;
+        type = types.bool;
+        description = ''
+          If this is disabled, the build will fail whenever one of the
+          <command>udev</command> rules contains a reference to
+          <filename>/usr/bin</filename>, <filename>/usr/sbin</filename>,
+          <filename>/bin</filename> or <filename>/sbin</filename>.
+
+          By default only a warning is printed during build.
+        '';
+      };
+
     };
 
     hardware.firmware = mkOption {