Commit graph

1366 commits

Author SHA1 Message Date
Jörg Thalheim
4cc7c2e55a
tmpfiles: load user-defined entries first
systemd-tmpfiles will load all files in lexicographic order and ignores rules
for the same path in later files with a warning Since we apply the default rules
provided by systemd, we should load user-defines rules first so users have a
chance to override defaults.
2020-04-16 13:02:24 +01:00
Maximilian Bosch
2d55f9c01a
Merge pull request #84266 from Ma27/nspawn-overrides
nixos/systemd-nspawn: disallow multiple packages with `.nspawn`-units
2020-04-16 00:24:33 +02:00
Rouven Czerwinski
61da203324 boot.initrd.luks: remove x86_64/i586 AES modules
Commit 1d2c3279311e4f03fcf164e1366f2fda9f4bfccf in the upstream kernel
repository removed support for the scalar x86_64 and i586 AES
assembly implementations, since the generic AES implementation generated
by the compiler is faster for both platforms. Remove the modules from
the cryptoModules list. This causes a regression for kernel versions
>=5.4 which include the removal. This should have no negative impact on
AES performance on older kernels since the generic implementation should
be faster there as well since the implementation was hardly touched from
its initial submission.

Fixes #84842
2020-04-12 15:12:38 +02:00
Graham Christensen
35d8514a91
Merge pull request #81848 from grahamc/nested-specialisation
specialisation: replace nesting with named configurations
2020-04-12 08:56:11 -04:00
Graham Christensen
ec2d28e323
specialisation: replace nesting with named configurations
Co-authored-by: worldofpeace <worldofpeace@protonmail.ch>
2020-04-12 08:12:50 -04:00
Emily
91c6809946 nixos/stage-1: check secret paths before copying
Fixes #84976.
2020-04-11 16:42:47 +01:00
Emily
8a37c3dd1a nixos/initrd-ssh: fix typo in docs 2020-04-11 16:19:48 +01:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
B YI
07bc7b971d
nixos/initrd-ssh: fix typo (#84719) 2020-04-08 17:04:29 +02:00
Maximilian Bosch
a9e3ec1d6e
nixos/systemd-nspawn: disallow multiple packages with .nspawn-units
In contrast to `.service`-units, it's not possible to declare an
`overrides.conf`, however this is done by `generateUnits` for `.nspawn`
units as well. This change breaks the build if you have two derivations
configuring one nspawn unit.

This will happen in a case like this:

``` nix
{ pkgs, ... }: {
  systemd.packages = [
    (pkgs.writeTextDir "etc/systemd/nspawn/container0.nspawn" ''
      [Files]
      Bind=/tmp
    '')
  ];
  systemd.nspawn.container0 = {
    /* ... */
  };
}
```
2020-04-04 21:11:21 +02:00
Matthieu Coudron
b9a4e6953d kernel: fix config generation
Addresses https://github.com/NixOS/nixpkgs/issues/71803:
Kernel options are not merged as described, especially the "optional"
aspects. The error silences legitimate warnings.
2020-04-01 22:25:57 +02:00
Maciej Krüger
948de104de
stage-1-init: add boot.persistence option
This option allows replacing the tmpfs mounted on / by
the live CD's init script with a physical device

Since nixOS symlinks everything there's no trouble
at all.

That enables the user to easily use a nixOS live CD
as a portable installation.

Note that due to some limitations in how the store is mounted
currently only the non-store things are persisted.
2020-04-01 03:56:32 +02:00
Rouven Czerwinski
d22373b2b1 nixos/systemd: remove one DefaultBlockIOAccounting
DefaultBlockIOAccounting=yes is set twice in the same file, remove one
copy.
2020-03-29 10:56:34 +02:00
Emily
d930466b77 nixos/initrd-ssh: switch from Dropbear to OpenSSH
Dropbear lags behind OpenSSH significantly in both support for modern
key formats like `ssh-ed25519`, let alone the recently-introduced
U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched
my `authorizedKeys` over to it and promptly locked myself out of my
server's initrd SSH, breaking reboots), as well as security features
like multiprocess isolation. Using the same SSH daemon for stage-1 and
the main system ensures key formats will always remain compatible, as
well as more conveniently allowing the sharing of configuration and
host keys.

The main reason to use Dropbear over OpenSSH would be initrd space
concerns, but NixOS initrds are already large (17 MiB currently on my
server), and the size difference between the two isn't huge (the test's
initrd goes from 9.7 MiB to 12 MiB with this change). If the size is
still a problem, then it would be easy to shrink sshd down to a few
hundred kilobytes by using an initrd-specific build that uses musl and
disables things like Kerberos support.

This passes the test and works on my server, but more rigorous testing
and review from people who use initrd SSH would be appreciated!
2020-03-25 08:26:50 +00:00
volth
4d57e56b71
$toplevel/system: use kernel's architecture
`$toplevel/system` of a system closure with `x86_64` kernel and `i686` userland should contain "x86_64-linux".

If `$toplevel/system` contains "i686-linux", the closure will be run using `qemu-system-i386`, which is able to run `x86_64` kernel on most Intel CPU, but fails on AMD.

So this fix is for a rare case of `x86_64` kernel + `i686` userland + AMD CPU
2020-03-20 16:55:44 +00:00
Florian Klink
355c58e485 nixos/networkd: respect systemd.network.links also with disabled systemd-networkd
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.

This was originally applied in 36ef112a47,
but was reverted due to 1115959a8d causing
evaluation errors on hydra.
2020-03-19 14:15:32 +01:00
Danylo Hlynskyi
fab05f17d1
Merge pull request #80114 from rnhmjoj/initrd
nixos/boot: add option to disable initrd
2020-03-16 20:04:24 +02:00
Vladimír Čunát
0729b8c55e
Revert Merge #82310: nixos/systemd: apply .link
...even when networkd is disabled

This reverts commit ce78f3ac70, reversing
changes made to dc34da0755.

I'm sorry; Hydra has been unable to evaluate, always returning
> error: unexpected EOF reading a line
and I've been unable to reproduce the problem locally.  Bisecting
pointed to this merge, but I still can't see what exactly was wrong.
2020-03-13 22:05:33 +01:00
Michele Guerini Rocco
7b15d6cee4
Merge pull request #81241 from thefloweringash/nesting-system
nixos/activation: propagate system to nested configurations
2020-03-13 09:58:10 +01:00
Florian Klink
36ef112a47 nixos/networkd: respect systemd.network.links also with disabled systemd-networkd
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.
2020-03-11 10:21:37 +01:00
adisbladis
6fcce60fd5
Merge pull request #82139 from adisbladis/switch-to-configuration-manual
switch-to-configuration: Add new option X-OnlyManualStart
2020-03-10 11:17:33 +00:00
adisbladis
db6c94304f
switch-to-configuration: Add new option X-OnlyManualStart
This is to facilitate units that should _only_ be manually started and
not activated when a configuration is switched to.

More specifically this is to be used by the new Nixops deploy-*
targets created in https://github.com/NixOS/nixops/pull/1245 that are
triggered by Nixops before/after switch-to-configuration is called.
2020-03-09 11:28:07 +00:00
zimbatm
cc90ececa7
environment.etc: fix typo 2020-03-09 12:01:41 +01:00
Andrew Childs
ce416779bb nixos/activation: use eval-config's system argument for nesting
This avoids a possible surprise if the user is using `nixpkgs.system`
and `nesting.children`. `nesting.children` is expected to ignore all
parent configuration so we shouldn't propagate the user-facing option
`nixpkgs.system`. To avoid doing so, we introduce a new internal
option for holding the value passed to eval-config.nix, and use that
when recursing for nesting.
2020-03-05 20:28:31 +09:00
Maximilian Bosch
7f9131f260
Merge pull request #81405 from NinjaTrappeur/nin-networkd-policy-rules
nixos/networkd: add RoutingPolicyRules-related options
2020-03-04 12:29:29 +01:00
Maximilian Bosch
70325e63d8
Merge pull request #79532 from NixOS/fix-predictable-ifnames-in-initrd
nixos/stage-1: fix predictable interface names in initrd
2020-03-02 17:14:06 +01:00
Félix Baylac-Jacqué
9897d83f58 nixos/networkd: test routingPolicyRules with a nixos vm test 2020-03-02 15:37:40 +01:00
Félix Baylac-Jacqué
611d765b76 nixos/networkd: Add the RoutingPolicyRule-related options 2020-03-01 14:52:36 -08:00
Andrew Childs
b83164a049 nixos/activation: propagate system to nested configurations
The current behavior lets `system` default to
`builtins.currentSystem`. The system value specified to
`eval-config.nix` has very low precedence, so this should compose
properly.

Fixes #80806
2020-02-27 23:57:44 +09:00
Benjamin Staffin
4c5ea02dc5
grub: Update extraConfig example text (#79406)
This expands the example to something one might actually want to use
to set up a serial console.
2020-02-15 16:45:47 -05:00
rnhmjoj
dea79b56f7
nixos/boot: add option to disable initrd 2020-02-15 12:13:33 +01:00
Marek Mahut
4011c2a2aa
Merge pull request #76481 from fare-patches/vesa
Deprecate the boot.vesa option
2020-02-13 09:47:54 +01:00
worldofpeace
d12524fd51 Merge pull request #78453 from wedens/memtest-efi-grub
nixos/grub: make memtest work with EFI
2020-02-09 16:09:58 -05:00
Franz Pletz
589789997f
nixos/initrd-network: always run postCommands
As outlined in #71447, postCommands should always be run if networking
in initrd is enabled. regardless if the configuration actually
succeeded.
2020-02-08 14:57:49 +01:00
Franz Pletz
d25c1a8fdc
nixos/initrd-network: use ipconfig from klibc
This apparently has features that the version from Arch's
mkinitcpio-nfs-utils does not have. Fixes #75314.
2020-02-08 14:57:49 +01:00
Franz Pletz
ea7d02406b
nixos/initrd-network: flush interfaces before stage 2
Depending on the network management backend being used, if the interface
configuration in stage 1 is not cleared, there might still be some old
addresses or routes from stage 1 present in stage 2 after network
configuration has finished.
2020-02-08 14:04:02 +01:00
Franz Pletz
44e289f93b
nixos/stage-1: fix predictable interfaces names
This makes predictable interfaces names available as soon as possible
with udev by adding the default network link units to initrd which are read
by udev. Also adds some udev rules that are needed but which would normally
loaded from the udev store path which is not included in the initrd.
2020-02-08 14:04:02 +01:00
Silvan Mosberger
5acd168425
Merge pull request #59827 from oxij/nixos/suppress-systemd-units
nixos/systemd: add an option to suppress system units
2020-02-06 18:11:01 +01:00
Frederik Rietdijk
419bc0a4cd Revert "Revert "Merge master into staging-next""
In 87a19e9048 I merged staging-next into master using the GitHub gui as intended.
In ac241fb7a5 I merged master into staging-next for the next staging cycle, however, I accidentally pushed it to master.
Thinking this may cause trouble, I reverted it in 0be87c7979. This was however wrong, as it "removed" master.

This reverts commit 0be87c7979.
2020-02-05 19:41:25 +01:00
Frederik Rietdijk
0be87c7979 Revert "Merge master into staging-next"
I merged master into staging-next but accidentally pushed it to master.
This should get us back to 87a19e9048.

This reverts commit ac241fb7a5, reversing
changes made to 76a439239e.
2020-02-05 19:18:35 +01:00
Silvan Mosberger
3ab846e34a
Merge pull request #35188 from sorki/overlayfs
use overlayfs by default for netboot and iso
2020-02-05 13:46:04 +01:00
Richard Marko
0c20feb231 use overlayfs by default for netboot and iso 2020-02-05 10:35:59 +01:00
wedens
7b5550a3fc nixos/grub: make memtest work with EFI
Memtest86+ doesn't support EFI, so unfree Memtest86 is used when EFI
support is enabled (systemd-boot currently also uses Memtest86 when
memtest is enabled).
2020-02-05 11:12:55 +07:00
Silvan Mosberger
b4cc413928
Merge pull request #77594 from Frostman/fix-grub-extrafiles-mirroredboots
Fix boot.loader.grub.extraFiles when used with mirroredBoots
2020-02-05 00:22:35 +01:00
Sergey Lukjanov
7144b9ac54 Fix boot.loader.grub.extraFiles when used with mirroredBoots
Substitute @bootPath@ in boot.loader.grub.extraPrepareConfig script
same way as it's done for boot.loader.grub.extraEntries option.
2020-02-03 15:37:00 -08:00
misuzu
f93a9074e4 nixos/systemd: add systemd.sleep.extraConfig config option 2020-02-03 18:33:15 +02:00
Eelco Dolstra
26aba55951
Revert "add config.environment.ld-linux"
This reverts commit af665d822a, see
https://github.com/NixOS/nixpkgs/pull/78798#issuecomment-580059834 for
the reasons in a similar PR.
2020-02-02 15:29:49 +01:00
Eelco Dolstra
5495cb91eb
Revert "rmdir: avoid failing when directory did not exist"
This reverts commit 45db499d2d.
2020-02-02 15:29:40 +01:00
Maximilian Bosch
0f10495eb9
Merge pull request #74624 from Ma27/networkd-units-internal
nixos/networkd: mark `units` option as internal
2020-02-02 07:59:57 +01:00
Andreas Rammhold
355b31c98e
Merge pull request #78476 from Ma27/networkd-vrf-options
nixos/networkd: add vrfConfig option for netdevs, add simple test
2020-01-31 13:28:22 +01:00
Matthew Bauer
3a7fe07e3c
Merge pull request #69057 from volth/ld-linux
add config.environment.ld-linux
2020-01-27 20:08:12 -05:00
Jörg Thalheim
43f117537f
Merge pull request #78426 from Mic92/tmpfiles
nixos/systemd: add all systemd tmpfiles files
2020-01-27 09:55:50 +00:00
Maximilian Bosch
bc130855a7
nixos/networkd: add vrfConfig option to netdevs 2020-01-25 17:38:15 +01:00
Jörg Thalheim
3ef5115963
nixos/systemd: add all systemd tmpfiles files
Especially tmp.conf is important to create /tmp and /var/tmp with the correct
permissions.
2020-01-24 17:20:54 +00:00
Marek Mahut
c4d75cbb0c boot.initrd.luks: adding a warning when using FIDO2 with kernel ≤ 5.4 2020-01-22 16:00:40 +01:00
Marek Mahut
dea2fe9f39 boot.initrd.luks: Adding FIDO2 support 2020-01-22 08:38:16 +01:00
Florian Klink
a3d67f417e
Merge pull request #77665 from zaninime/ifxfrm
systemd-networkd: add configuration for XFRM interfaces
2020-01-21 22:14:53 +01:00
Francesco Zanini
9974bb16b0 systemd-networkd: add configuration for XFRM interfaces 2020-01-14 11:33:18 +01:00
worldofpeace
1c2e27e4d5 nixos/systemd-lib: don't fail on systemd.packages duplicates
In some cases like we've noticed in https://github.com/NixOS/nixpkgs/issues/76169,
having duplicate packages in systemd.packages like
```
systemd.packages = [ gnome-shell gnome-shell gnome-session ];
```
breaks.

Here we use an associative array to ensure no
duplicate paths when we symlink all the units listed
in systemd.packages.
2020-01-07 21:42:14 -05:00
Silvan Mosberger
ff16d17b42
nixos/systemd: Explicitly put default path packages after othe… (#77088)
nixos/systemd: Explicitly put default path packages after others
2020-01-06 21:51:04 +01:00
rnhmjoj
1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Silvan Mosberger
9327e1c6ba
nixos/systemd: Explicitly put default path packages after others
This fixes the dhcpcd issue in https://github.com/NixOS/nixpkgs/issues/76969,
which was exposed by https://github.com/NixOS/nixpkgs/pull/75031
introducing changes in the module ordering and therefore option ordering
too.

The dhcpcd issue would also be fixable by explicitly putting
dhcpcd's paths before others, however it makes more sense for systemd's
default paths to be after all others by default, since they should only
be a fallback, which is how binary finding will work if they come after.
2020-01-06 15:58:06 +01:00
Francois-Rene Rideau
eaffc7d0a5 Deprecate the boot.vesa option 2019-12-24 16:05:30 -05:00
Maximilian Bosch
77d8988b7b
nixos/systemd-nspawn: use config.systemd.package
When using a modified systemd-package (e.g. to test a patch), it's
recommended to use the `systemd.package`-option to avoid rebuilding all packages
that somehow depend on systemd.

With this change, the modified package is also used by `systemd-nspawn@`
units.
2019-12-21 17:19:26 +01:00
Janne Heß
35f7d38a3b nixos/systemd: Use a proper type for unit paths 2019-12-11 15:43:17 +01:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
Maximilian Bosch
4324419f9e
Merge pull request #72888 from fooker/pr-3
nixos/networkd: Add more valid values for RequiredForOnline
2019-12-06 18:04:34 +01:00
Florian Klink
2c1281eb7a nixos/networkd: add missing "Advertise" option
This is in systemd since v240.
2019-12-06 08:43:34 +01:00
Domen Kožar
0f799bd8a4
Revert "nixos/switch-to-configuration: restart changed socket units"
This reverts commit 89806e9536.

See #74626
2019-11-30 13:46:57 +01:00
Maximilian Bosch
60f2c59471
nixos/networkd: mark units option as internal
The options at `systemd.network` (`links`, `netdevs` and `networks`) are
directly mapped to the three different unit types of `systemd-networkd(8)`.

However there's also the option `systemd.network.units` which is
basically used as a container for generated unit-configs that are linked
to `/etc/systemd/networkd`[1].

This should not be exposed to the user as it's unclear whether or not it
should be used directly which can be pretty confusing which is why I decided to
declare this option as internal (including all sub-options as `internal`
doesn't seem to be propagated to submodules).

[1] 9db75ed88f/nixos/modules/system/boot/networkd.nix (L933-L937)
2019-11-29 12:50:51 +01:00
Domen Kožar
634096c503
Merge pull request #73871 from mayflower/socket-activation-fix
nixos/switch-to-configuration: restart changed socket units
2019-11-26 13:28:48 +01:00
Franz Pletz
89806e9536 nixos/switch-to-configuration: restart changed socket units
Previously, socket units wouldn't be restarted if they were
changed. To restart the socket, the service the socket is attached
to needs to be stopped first before the socket can be restarted.
2019-11-25 14:43:49 +01:00
WilliButz
fc91467b0d
nixos/timesyncd: add user systemd-timesync to group systemd-timesync 2019-11-25 10:46:28 +01:00
WilliButz
2ffb2c0bd1
nixos/resolved: add user systemd-resolve to group systemd-resolve 2019-11-25 10:46:28 +01:00
WilliButz
b79e3e615a
nixos/networkd: add systemd-network user to group systemd-network 2019-11-25 10:46:28 +01:00
John Ericson
d0d5136cce Merge remote-tracking branch 'upstream/master' into wrapper-pname-support 2019-11-24 17:25:07 +00:00
John Ericson
9b090ccbca treewide: Get rid of most parseDrvName without breaking compat
That is because this commit should be merged to both master and
release-19.09.
2019-11-24 17:22:28 +00:00
Maximilian Bosch
b451612bd9
nixos/networkd: add missing dhcpv6 and static options to IPv6PrefixDelegation 2019-11-23 12:51:38 +01:00
Frederik Rietdijk
65edeb8633 Merge master into staging-next 2019-11-20 10:01:49 +01:00
(cdep)illabout
6c019a867c
nixos/timesyncd: add extraConfig option
This adds an `extraConfig` option to timesyncd for setting additional
options in `/etc/systemd/timesyncd.conf`.

This is similar to things like `services.journald.extraConfig` and
`services.logind.extraConfig`.
2019-11-20 14:57:02 +09:00
Dustin Frisch
943508a7fa nixos/networkd: add Name as valid option to Link
This has been there since v209 [1]

```
The interface name to use. This option has lower precedence than NamePolicy=, so for this setting to take effect, NamePolicy= must either be unset, empty, disabled, or all policies configured there must fail. Also see the example below with "Name=dmz0".

Note that specifying a name that the kernel might use for another interface (for example "eth0") is dangerous because the name assignment done by udev will race with the assignment done by the kernel, and only one interface may use the name. Depending on the order of operations, either udev or the kernel will win, making the naming unpredictable. It is best to use some different prefix, for example "internal0"/"external0" or "lan0"/"lan1"/"lan3".
```

[1] 43b3a5ef61
2019-11-19 22:13:17 +01:00
Frederik Rietdijk
73b88e17dd Merge staging-next into staging 2019-11-11 12:09:26 +01:00
Thomas Tuegel
8e639f142f
Merge pull request #71986 from mtetreault/mte/plymouth-improvements
plymouth: Add extra config field
2019-11-09 08:17:14 -06:00
Silvan Mosberger
9fe4e06812 nixos/systemd: Allow unit options to have multiple equal defs (#73024)
E.g. this allows

  systemd.services.<name?>.serviceConfig.DynamicUser =
    mkMerge [ true true ];
2019-11-08 15:45:44 +00:00
Dustin Frisch
0aeaf4dfe0
nixos/networkd: Add more valid values for RequiredForOnline
`RequiredForOnline` allows for a boolean value or operational state.
This adds the values for all valid the operational states.
2019-11-06 13:12:34 +01:00
Florian Klink
c3566c7a4f
Merge pull request #70352 from wucke13/systemd-importd
systemd: add systemd-importd
2019-11-05 15:42:44 +01:00
wucke13
29ac226225 systemd: adding support for systemd-importd
Adding `systemd-importd` to the build, so that `machinectl`s `import-.*`
may actually do anything. Currently they fail with

```
Failed to transfer image: The name org.freedesktop.import1 was not provided by any .service files
```
as `systemd-importd` is not built. Also registers the regarding dbus
api and service in the systemd module.
2019-11-02 21:33:18 +01:00
Maximilian Bosch
47724fc77c
nixos/networkd: add ipv4-fallback and fallback as valid options to LinkLocalAddressing
Both options were introduced in systemd v243[1]. Those options can be
used to ensure that LinkLocalAddressing is only configured for a given
interface if DHCPv4 fails. To quote `systemd.network(5)`:

```
If "fallback" or "ipv4-fallback" is specified, then an IPv4
link-local address is configured only when DHCPv4 fails. If "fallback", an IPv6 link-local
address is always configured, and if "ipv4-fallback", the address is not configured. Note
that, the fallback mechanism works only when DHCPv4 client is enabled, that is, it requires
"DHCP=yes" or "DHCP=ipv4".
```

[1] 8bc17bb3f7
2019-10-28 20:51:17 +01:00
Mathieu A.-Tetreault
054ceb826e plymouth: Add extra config field
Signed-off-by: Mathieu A.-Tetreault <alexandretm@amotus.ca>
2019-10-25 11:22:45 -04:00
Tor Hedin Brønner
5924bab20b nixos/plymouth: do not order plymouth-quit after display-manager
GDM now specifies ordering between `plymouth-quit` and `display-manager`:
9be5321097

This causes an ordering cycle between GDM and plymouth-quit which can result in
systemd breaking GDM:
```
plymouth-quit.service: Job display-manager.service/start deleted to break
                       ordering cycle starting with plymouth-quit.service/start
```

Not sure how often this triggers, as I've run my system with plymouth and
9be5321097 without any issues. But I did catch a VM doing this.

NOTE: I also tried to remove the ordering in GDM to see if plymouth managed to
live longer, but it didn't seem to help. So I opted to stick as close to
upstream (upstream GDM specifies ordering, but plymouth does not).
2019-10-14 13:08:51 +02:00
Florian Klink
e24526d38e
Merge pull request #69422 from arianvp/fix-machinectl
nixos/systemd: Make machinectl work with NixOS
2019-10-12 14:12:44 +02:00
Eelco Dolstra
2c97f0669d
Typo 2019-10-10 16:24:33 +02:00
Fabian Möller
996d846726
nixos/systemd: fix broken tmpfiles.d symlinks 2019-10-09 10:53:01 +02:00
Thomas Tuegel
22b4014900
Merge pull request #69357 from mtetreault/plymouth-custom-logo
breeze-plymouth: allow usage of custom logo
2019-10-08 05:32:07 -05:00
Vladimír Čunát
f760f0ef48
Revert "Merge #67232: machinectl compliant NixOS installation"
This reverts commit 66967ec752, reversing
changes made to fb6595eafd.
Fixes #70442; discussion: https://github.com/NixOS/nixpkgs/pull/70027
2019-10-07 20:56:59 +02:00
Eelco Dolstra
37c22b9d30
Revive systemd.coredump.enable 2019-10-07 20:28:13 +02:00
Mathieu A.-Tetreault
001b42db7f breeze-plymouth: allow usage of custom logo 2019-10-07 09:43:23 -04:00
lassulus
9d04a64a8f iso-image: add loopback.cfg support to boot iso from grub 2019-10-04 23:24:52 +02:00
Samuel Dionne-Riel
95005c1039
Merge pull request #68265 from tkerber/rpi4
Various: Add support for raspberry pi 4.
2019-09-27 14:35:17 -04:00
Arian van Putten
7058b0ad12 nixos/systemd: Make machinectl work with NixOS
Images generated with nixos-install will be supported by machinectl
problem is that systemd-nspawn's private usersns feature clashes
with DynamicUser and RuntimeDirectory features, which causes NixOS
images to not boot. There is an upstream issue for this
https://github.com/systemd/systemd/issues/13622
2019-09-25 18:27:19 +02:00
Franz Pletz
66967ec752
Merge pull request #67232 from ck3d/container-useHostResolvConf
machinectl compliant NixOS installation
2019-09-25 09:34:17 +00:00
Franz Pletz
0dc4fe0a44
nixos/systemd: pick more upstream tmpfiles confs
In #68792 it was discovered that /dev/fuse doesn't have
wordl-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.

In this commit some of the new tmpfiles configuration that are
applicable to us are added which also makes wtmp/lastlog in the pam
module not necessary anymore.

Rationale for the new tmpfile configs:

  - `journal-nowcow.conf`: Contains chattr +C for journald logs which
  makes sense on copy-on-write filesystems like Btrfs. Other filesystems
  shouldn't do anything funny when that flag is set.

  - `static-nodes-permissions.conf`: Contains some permission overrides
  for some device nodes like audio, loop, tun, fuse and kvm.

  - `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
  snapshots are properly removed.

  - `systemd-tmp.conf`: Removes systemd services related private tmp
  folders and temporary coredump files.

  - `var.conf`: Creates some useful directories in `/var` which we would
  create anyway at some point. Also includes
  `/var/log/{wtmp,btmp,lastlog}`.

Fixes #68792.
2019-09-23 15:23:31 +02:00
Peter Simons
a486f0178d
Merge pull request #68950 from peti/t/nixos-doc-fix
nixos: improve the example that shows how to include nvidia_x11 in boot.extraModulePackages
2019-09-22 11:53:52 +02:00
volth
45db499d2d
rmdir: avoid failing when directory did not exist
I bet nobody has `environment.usrbinenv = null`, it would fail on the second activation trying to `rmdir` inexisting `/usr/bin`
2019-09-19 00:32:35 +00:00
volth
af665d822a add config.environment.ld-linux
Add option to install symlink to ld-linux(8) system-wide to allow running unmodified ELF binaries.
It might be useful to run games or executables distributed inside jar files as discussed
https://discourse.nixos.org/t/runtime-alternative-to-patchelf-set-interpreter/3539
https://discourse.nixos.org/t/running-binaries-without-fhs-and-patchelf/1828

It is the third concession to FHS after `/bin/sh` and `/usr/bin/env` but it is disabled by default unlike those two
2019-09-18 22:41:52 +00:00
Peter Simons
be3dae2e3a nixos: improve the example that shows how to include nvidia_x11 in boot.extraModulePackages
Fixes https://github.com/NixOS/nixpkgs/issues/68931.
2019-09-17 08:37:56 +02:00
Thomas Kerber
cc5baf2d86
Various: Add support for raspberry pi 4. 2019-09-17 04:05:16 +01:00
Eelco Dolstra
b20a0e49c8
Revert systemd interface version to 2
The new systemd in 19.09 gives an "Access Denied" error when doing
"systemctl daemon-reexec" on an 19.03 system. The fix is to use the
previous systemctl to signal the daemon to re-exec itself. This
ensures that users don't have to reboot when upgrading from NixOS
19.03 to 19.09.
2019-09-16 16:51:19 +02:00
Eelco Dolstra
b9ed9c7fed
Typo 2019-09-16 16:50:39 +02:00
Christian Kögler
db9b5f5525
nixos: deactivate immutablity for /var/empty in container 2019-09-13 17:33:38 +02:00
Vladimír Čunát
f21211ebfe
Merge branch 'master' into staging 2019-09-02 23:25:24 +02:00
Silvan Mosberger
478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
Frederik Rietdijk
ad1d58c622 Merge staging-next into staging 2019-08-31 10:04:20 +02:00
Peter Hoeg
73701a7a05
Merge pull request #67487 from dasJ/suspend-then-hibernate
nixos/systemd: Add suspend-then-hibernate units
2019-08-28 17:29:17 +08:00
Frederik Rietdijk
5061fe0c2c Merge staging-next into staging 2019-08-28 08:26:42 +02:00
volth
35d68ef143 treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
Janne Heß
c8e863e25e nixos/systemd: Add suspend-then-hibernate units
Pretty useful for laptops. I use them with:

```
services.logind.lidSwitch = "suspend-then-hibernate";
environment.etc."systemd/sleep.conf".text = "HibernateDelaySec=8h";
```
2019-08-26 11:04:10 +02:00
Florian Klink
0fb17141fb nixos/systemd: enable cgroup accounting by default
If this is the default for OpenShift already, we probably can enable it
as well.

see https://github.com/openshift/machine-config-operator/pull/581
2019-08-25 22:26:12 +02:00
Florian Klink
f3a18d4562 nixos/systemd: add new Default{BlockIO,IP}Accounting settings 2019-08-25 22:25:19 +02:00
Florian Klink
f34f38ef1c nixos/systemd: honor default enableCgroupAccounting settings
systemd defaults DefaultMemoryAccounting and DefaultTasksAccounting to
yes, so no need to enable explicitly
2019-08-25 22:25:19 +02:00
Félix Baylac-Jacqué
0528816570 systemd-networkd: add tests
(cherry picked from commit ec073e41a0)
2019-08-21 11:11:28 +02:00
David Guibert
7fd91a898b systemd-networkd: add support for wireguard netdev. 2019-08-21 11:11:24 +02:00
Matthieu Coudron
3b205ad3a7
Merge pull request #58207 from teto/kernelPackages_check
boot.kernelPackages: check for conflicts
It's currently possible to set conflicting `boot.kernelPackages` several times.
Nixos now warns when this is the case instead of just picking one.
2019-08-20 14:15:51 +09:00
Nikolay Amiantov
fca97dfebc stage-1 init: fix debug menu
* Read one char at a time, so user doesn't have to enter "i<ENTER>"
  contrary to the menu;
* Exec shell inside setsid.
2019-08-19 19:54:00 +03:00
Florian Klink
bafc256915 nixos/systemd: remove separate coredump module 2019-08-18 17:54:26 +02:00
Florian Klink
9be0327a49 nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
2019-08-18 17:54:26 +02:00
danbst
d80cd26ff9 Merge branch 'master' into flip-map-foreach 2019-08-18 18:00:25 +03:00
Frederik Rietdijk
c68f58d95c Merge master into staging-next 2019-08-17 09:30:16 +02:00
Samuel Dionne-Riel
b750ebf1b3
Merge pull request #60422 from kwohlfahrt/device-tree
nixos/hardware.deviceTree: new module
2019-08-16 13:26:48 -04:00
Edmund Wu
aa251bbc3e
systemd-networkd: link: Name -> OriginalName 2019-08-15 21:58:24 -04:00
Frederik Rietdijk
8d56f2472e Merge master into staging-next 2019-08-14 13:45:54 +02:00
Aaron Andersen
6f6468bef3
Merge pull request #65728 from Infinisil/types-eithers
lib/types: Add oneOf, extension of either to a list of types
2019-08-13 11:48:42 -04:00
Matthew Bauer
ddf38a8241
Merge pull request #65002 from matthewbauer/binfmt-wasm
Add binfmt interpreter for wasm
2019-08-09 14:04:21 -04:00
Matthieu Coudron
2da1ad60a8 boot.kernelPackages: check for conflicts
It's currently possible to set conflicting `boot.kernelPackages` several times
which can prove confusing.
This is an attempt to warn for this.
2019-08-10 02:27:52 +09:00
Silvan Mosberger
88bb9fa403
nixos/modules: Replace all nested types.either's with types.oneOf's 2019-08-08 23:35:52 +02:00
Kai Wohlfahrt
dd0a951279 nixos/hardware.deviceTree: new module
Add support for custom device-tree files, and applying overlays to them.
This is useful for supporting non-discoverable hardware, such as sensors
attached to GPIO pins on a Raspberry Pi.
2019-08-07 13:51:22 +01:00
Danylo Hlynskyi
7585496eff
Merge branch 'master' into flip-map-foreach 2019-08-05 14:09:28 +03:00
danbst
0f8596ab3f mass replace "flip map -> forEach"
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst
91bb646e98 Revert "mass replace "flip map -> foreach""
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
Nikolay Amiantov
717b8b3219 systemd service: remove generator-packages option
Use systemd.packages instead, it's less error prone and more in line with
what's expected.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov
b458121105 stage-1 initrd: replace absolute paths for mdadm
We don't patch basename and readlink now too as they were added for
mdadm in 8ecd3a5e1d.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov
a304fc5d75 systemd service: add support for shutdown packages
Shutdown hooks are executed right before the shutdown, which is useful
for some applications. Among other things this is needed for mdadm hook
to run.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov
fd405dab3e systemd service: rename generator-packages 2019-08-01 00:55:35 +03:00
Domen Kožar
cfd507d581
system-boot: configurationLimit should be null as default 2019-07-23 10:20:09 +02:00
Matthew Bauer
857f7fb4af nixos/binfmt: update release notes and provide examples 2019-07-17 17:09:20 -04:00
Matthew Bauer
1acc701fdb nixos/binfmt: handle wasm binaries
This adds handling for WASM binaries to binfmt’s emulatedSystems. To
enable, add this to your configuration:

  boot.binfmt.emulatedSystems = [ "wasm32-wasi" ];

After rebuilding with nixos-rebuild switch, you can run wasm binaries
directly.
2019-07-17 17:00:46 -04:00
Nikolay Amiantov
294751a4fc
Merge pull request #62955 from abbradar/resolvconf
resolvconf service: init
2019-07-17 11:07:12 +03:00
Peter Hoeg
db858b4d30
Merge pull request #64806 from peterhoeg/f/exec
nixos/systemd: 242 supports Type = exec
2019-07-17 14:09:20 +07:00
Nikolay Amiantov
01b90dce78 resolvconf service: init
This is a refactor of how resolvconf is managed on NixOS. We split it
into a separate service which is enabled internally depending on whether
we want /etc/resolv.conf to be managed by it. Various services now take
advantage of those configuration options.

We also now use systemd instead of activation scripts to update
resolv.conf.

NetworkManager now uses the right option for rc-manager DNS
automatically, so the configuration option shouldn't be exposed.
2019-07-15 20:25:39 +03:00
Peter Hoeg
eb55dd5e6b nixos/systemd: 242 supports Type = exec 2019-07-15 20:28:26 +08:00
danbst
3b0534310c mass replace "flip map -> foreach"
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Venkateswara Rao Mandela
7f363b034e nixos/install-grub: include child configs in grub menu
Add configs listed under the fine-tune subdirectory to the grub menu.
Use specified configuration name for the entry if available.
2019-07-11 17:38:25 +05:30
Domen Kožar
224a6562a4
Add configurationLimit to systemd-boot to prevent running out of disk space
Refs #23926
2019-06-22 20:11:11 +02:00
Matthew Bauer
2b8ea614b8
Merge pull request #63090 from NixOS/nomodeset
kernel.nix: boot.vesa implies nomodeset
2019-06-20 15:31:17 -04:00
volth
f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Frederik Rietdijk
087b87758e Merge master into staging-next 2019-06-15 08:17:58 +02:00
Florian Klink
e0818a1530
nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions (#62813)
nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions
2019-06-14 22:43:15 +02:00
Wout Mertens
7938c1613d
kernel.nix: boot.vesa implies nomodeset
Without nomodeset the console is reset to 80x25 after Grub
2019-06-13 17:58:08 +02:00
Frederik Rietdijk
7184efb40a Merge master into staging-next 2019-06-12 09:22:07 +02:00
Franz Pletz
9b2ee2c057
Merge pull request #62838 from mayflower/fix/cryptsetup-kernel-crypto
cryptsetup: enable kernel crypto api support again
2019-06-12 05:05:38 +00:00
Frederik Rietdijk
e58f0f6c99 Merge master into staging-next 2019-06-10 10:35:50 +02:00
Roman Volosatovs
8e489018d3
systemd-networkd: Only generate [Match] if present 2019-06-09 19:09:10 +02:00
Frederik Rietdijk
d3afcac771 Merge master into staging-next 2019-06-09 12:28:52 +02:00
Franz Pletz
2587df7f02
cryptsetup: enable kernel crypto api support again
This is needed for tcrypt and the benchmark subcommand. If enabled,
it is also used to unlock LUKS2 volumes and therefore the kernel modules
providing this feature need to be available in our initrd.

Fixes #42163. #54019.
2019-06-07 22:15:35 +02:00
Peter Hoeg
255550e003 nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions 2019-06-07 14:52:46 +08:00
Matthew Bauer
f8c12edfdf
Merge pull request #62333 from kampka/buildPackages-for-config-builders
Build packages for config builders
2019-06-05 14:47:16 -04:00
Vladimír Čunát
c0ccf42c69
Merge branch 'staging-next' into staging 2019-06-05 11:12:34 +02:00
Matthew Bauer
22039a182e
Merge pull request #62606 from Shados/fix-62602
nixos/grub: Add defaultText for font option
2019-06-04 14:34:13 -04:00
Andreas Rammhold
024a383d64
nixos/systemd: migrate systemd-timesync state when required
Somewhen between systemd v239 and v242 upstream decided to no longer run
a few system services with `DyanmicUser=1` but failed to provide a
migration path for all the state those services left behind.

For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.

We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.

See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
2019-06-03 15:05:19 +02:00
Andreas Rammhold
1b7b1dbe2f
nixos/networkd: rename GatewayOnlink to GatewayOnLink
This follows upstreams renaming of the option [1].

[1] 9cb8c55934
2019-06-03 15:05:17 +02:00
Alexei Robyn
fd9dec7177 nixos/grub: Add defaultText for font option
Fixes #62602.
2019-06-03 22:19:44 +10:00
Nikolay Amiantov
fa2e4bfb61 nixos/systemd-boot: don't remove directories from EFI dir
This will only result in an error. These directories might be created by, for example, fwupdmgr.
2019-06-03 11:55:48 +03:00
Christian Kampka
0d570e020e Revert "treewide: use buildPackages for config builders"
This reverts commit 35af6e3605.
2019-05-31 23:27:49 +02:00
Christian Kampka
fd15f37b37 Revert "extlinux-conf: fix cross compilation"
This reverts commit f17dd04f12.
2019-05-31 23:27:49 +02:00
Matthew Bauer
022d8ab861
Merge pull request #61036 from cdepillabout/nixos-memtest-loader
nixos/systemd-boot: add support for memtest86 EFI app
2019-05-20 21:42:40 -05:00
(cdep)illabout
d88d675051
Change non-open-source to unfree in description. 2019-05-21 11:34:11 +09:00
Eelco Dolstra
de9e238469
FIx some malformed XML in option descriptions
E.g. these were using "<para>" at the *end* of a description. The real
WTF is that this is possible at all...
2019-05-13 09:15:17 +02:00
John Ericson
395bcc0b27
Merge pull request #61257 from matthewbauer/add-binfmt-emulated-systems
nixos/binfmt: handle emulatedSystems
2019-05-12 19:11:52 -04:00
Markus Schmidl
147621f7db nixos/luksroot: GPG Smartcard support for luks encrypted volumes 2019-05-12 20:05:10 +02:00
Matthew Bauer
93a522cf0c nixos/binfmt: fixup 2019-05-10 22:53:14 -04:00
Matthew Bauer
60381b7b11 binfmt: add more magics and masks
New ones taken from this script:

https://github.com/qemu/qemu/blob/master/scripts/qemu-binfmt-conf.sh
2019-05-10 21:00:21 -04:00
Matthew Bauer
153598ebb0 nixos/binfmt: handle emulatedSystems
Fixes #61248
2019-05-10 18:05:59 -04:00
Linus Heckemann
864f4f084a
Merge pull request #60237 from mayflower/kexec-no-clobber
nixos/kexec: don't clobber existing kexec-loaded kernel
2019-05-06 21:53:47 +02:00
(cdep)illabout
b12ea62ec9 nixos/systemd-boot: add support for memtest86 EFI app
This commit adds support for installing the memtest86 EFI app and adding
a boot entry for it with systemd-boot.
2019-05-06 17:08:55 +09:00
Linus Heckemann
6b6f25e926 nixos/kexec: log what's happening 2019-04-29 22:43:16 +02:00
Edmund Wu
162546f0a1 nixos/luksroot: create /run/cryptsetup (#60235)
Needed since 2.0.0
Changed to /run/cryptsetup from /run/lock/cryptsetup in 2.0.1
2019-04-28 17:49:32 +00:00
Michael Weiss
698388bc61 Revert "nixos/switch-to-configuration: Never stop system.slice"
This change was only a temporary workaround and isn't required anymore,
since /etc/systemd/system/system.slice should not be present on any
recent NixOS system (which makes this change a no-op).

This reverts commit 7098b0fcdf.
2019-04-28 07:21:34 +02:00
Linus Heckemann
4d667685c2 nixos/kexec: don't clobber existing kexec-loaded kernel 2019-04-26 00:35:10 +02:00
Linus Heckemann
42c107c2aa
Merge pull request #49537 from mayflower/stage1-symlink-fix
nixos stage-1: fix init existence test
2019-04-18 17:59:08 +02:00
Pierre Bourdon
5d2bb3d715 nixos/stage-1: "find-libs" shell script is for the host 2019-04-18 15:02:51 +02:00
Jan Malakhovski
0017a06717 nixos/systemd: add an option to suppress system units 2019-04-18 10:42:11 +00:00
Joachim F
d7da5e2af2
Merge pull request #53826 from delroth/randstruct-custom-seed
nixos: allow customizing the kernel RANDSTRUCT seed
2019-04-16 17:49:19 +00:00
Linus Heckemann
b499c52de5 stage-1: provide meaningful names to initrd and module tree 2019-04-13 23:22:56 +02:00
Samuel Dionne-Riel
ef0ca61215
Merge pull request #58027 from DanielFabian/gfxpayload
grub: Add gfxpayload
2019-04-08 10:06:59 -04:00
Daniel Fabian
84ff0956a8 grub: Add support for gfxpayload in grub. Needed for NVIDIA drivers before KMS, afaik 2019-04-08 11:34:39 +01:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Matthew Bauer
73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Florian Franzen
e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Jan Malakhovski
570aed4b46 lib: add showWarnings 2019-03-08 11:19:18 +02:00