mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
Commit graph

1229 commits

Author SHA1 Message Date
Maximilian Bosch 47724fc77c
nixos/networkd: add ipv4-fallback and fallback as valid options to LinkLocalAddressing
Both options were introduced in systemd v243[1]. Those options can be
used to ensure that LinkLocalAddressing is only configured for a given
interface if DHCPv4 fails. To quote `systemd.network(5)`:

```
If "fallback" or "ipv4-fallback" is specified, then an IPv4
link-local address is configured only when DHCPv4 fails. If "fallback", an IPv6 link-local
address is always configured, and if "ipv4-fallback", the address is not configured. Note
that, the fallback mechanism works only when DHCPv4 client is enabled, that is, it requires
"DHCP=yes" or "DHCP=ipv4".
```

[1] 8bc17bb3f7
2019-10-28 20:51:17 +01:00
Mathieu A.-Tetreault 054ceb826e plymouth: Add extra config field
Signed-off-by: Mathieu A.-Tetreault <alexandretm@amotus.ca>
2019-10-25 11:22:45 -04:00
Tor Hedin Brønner 5924bab20b nixos/plymouth: do not order plymouth-quit after display-manager
GDM now specifies ordering between `plymouth-quit` and `display-manager`:
9be5321097

This causes an ordering cycle between GDM and plymouth-quit which can result in
systemd breaking GDM:
```
plymouth-quit.service: Job display-manager.service/start deleted to break
                       ordering cycle starting with plymouth-quit.service/start
```

Not sure how often this triggers, as I've run my system with plymouth and
9be5321097 without any issues. But I did catch a VM doing this.

NOTE: I also tried to remove the ordering in GDM to see if plymouth managed to
live longer, but it didn't seem to help. So I opted to stick as close to
upstream (upstream GDM specifies ordering, but plymouth does not).
2019-10-14 13:08:51 +02:00
Florian Klink e24526d38e
Merge pull request #69422 from arianvp/fix-machinectl
nixos/systemd: Make machinectl work with NixOS
2019-10-12 14:12:44 +02:00
Eelco Dolstra 2c97f0669d
Typo 2019-10-10 16:24:33 +02:00
Fabian Möller 996d846726
nixos/systemd: fix broken tmpfiles.d symlinks 2019-10-09 10:53:01 +02:00
Thomas Tuegel 22b4014900
Merge pull request #69357 from mtetreault/plymouth-custom-logo
breeze-plymouth: allow usage of custom logo
2019-10-08 05:32:07 -05:00
Vladimír Čunát f760f0ef48
Revert "Merge #67232: machinectl compliant NixOS installation"
This reverts commit 66967ec752, reversing
changes made to fb6595eafd.
Fixes #70442; discussion: https://github.com/NixOS/nixpkgs/pull/70027
2019-10-07 20:56:59 +02:00
Eelco Dolstra 37c22b9d30
Revive systemd.coredump.enable 2019-10-07 20:28:13 +02:00
Mathieu A.-Tetreault 001b42db7f breeze-plymouth: allow usage of custom logo 2019-10-07 09:43:23 -04:00
lassulus 9d04a64a8f iso-image: add loopback.cfg support to boot iso from grub 2019-10-04 23:24:52 +02:00
Samuel Dionne-Riel 95005c1039
Merge pull request #68265 from tkerber/rpi4
Various: Add support for raspberry pi 4.
2019-09-27 14:35:17 -04:00
Arian van Putten 7058b0ad12 nixos/systemd: Make machinectl work with NixOS
Images generated with nixos-install will be supported by machinectl. The
problem is that systemd-nspawn's private userns feature clashes
with the DynamicUser and RuntimeDirectory features, which causes NixOS
images to not boot. There is an upstream issue for this:
https://github.com/systemd/systemd/issues/13622
2019-09-25 18:27:19 +02:00
Franz Pletz 66967ec752
Merge pull request #67232 from ck3d/container-useHostResolvConf
machinectl compliant NixOS installation
2019-09-25 09:34:17 +00:00
Franz Pletz 0dc4fe0a44
nixos/systemd: pick more upstream tmpfiles confs
In #68792 it was discovered that /dev/fuse doesn't have
world-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.

In this commit some of the new tmpfiles configurations that are
applicable to us are added, which also makes wtmp/lastlog in the pam
module unnecessary.

Rationale for the new tmpfile configs:

  - `journal-nowcow.conf`: Contains chattr +C for journald logs which
  makes sense on copy-on-write filesystems like Btrfs. Other filesystems
  shouldn't do anything funny when that flag is set.

  - `static-nodes-permissions.conf`: Contains some permission overrides
  for some device nodes like audio, loop, tun, fuse and kvm.

  - `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
  snapshots are properly removed.

  - `systemd-tmp.conf`: Removes systemd services related private tmp
  folders and temporary coredump files.

  - `var.conf`: Creates some useful directories in `/var` which we would
  create anyway at some point. Also includes
  `/var/log/{wtmp,btmp,lastlog}`.

Fixes #68792.
2019-09-23 15:23:31 +02:00
Peter Simons a486f0178d
Merge pull request #68950 from peti/t/nixos-doc-fix
nixos: improve the example that shows how to include nvidia_x11 in boot.extraModulePackages
2019-09-22 11:53:52 +02:00
volth 45db499d2d
rmdir: avoid failing when directory did not exist
I bet nobody has `environment.usrbinenv = null`; it would fail on the second activation trying to `rmdir` the nonexistent `/usr/bin`.
2019-09-19 00:32:35 +00:00
volth af665d822a add config.environment.ld-linux
Add option to install symlink to ld-linux(8) system-wide to allow running unmodified ELF binaries.
It might be useful to run games or executables distributed inside jar files as discussed
https://discourse.nixos.org/t/runtime-alternative-to-patchelf-set-interpreter/3539
https://discourse.nixos.org/t/running-binaries-without-fhs-and-patchelf/1828

It is the third concession to FHS after `/bin/sh` and `/usr/bin/env` but it is disabled by default unlike those two
2019-09-18 22:41:52 +00:00
Peter Simons be3dae2e3a nixos: improve the example that shows how to include nvidia_x11 in boot.extraModulePackages
Fixes https://github.com/NixOS/nixpkgs/issues/68931.
2019-09-17 08:37:56 +02:00
Thomas Kerber cc5baf2d86
Various: Add support for raspberry pi 4. 2019-09-17 04:05:16 +01:00
Eelco Dolstra b20a0e49c8
Revert systemd interface version to 2
The new systemd in 19.09 gives an "Access Denied" error when doing
"systemctl daemon-reexec" on an 19.03 system. The fix is to use the
previous systemctl to signal the daemon to re-exec itself. This
ensures that users don't have to reboot when upgrading from NixOS
19.03 to 19.09.
2019-09-16 16:51:19 +02:00
Eelco Dolstra b9ed9c7fed
Typo 2019-09-16 16:50:39 +02:00
Christian Kögler db9b5f5525
nixos: deactivate immutability for /var/empty in container 2019-09-13 17:33:38 +02:00
Vladimír Čunát f21211ebfe
Merge branch 'master' into staging 2019-09-02 23:25:24 +02:00
Silvan Mosberger 478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
Frederik Rietdijk ad1d58c622 Merge staging-next into staging 2019-08-31 10:04:20 +02:00
Peter Hoeg 73701a7a05
Merge pull request #67487 from dasJ/suspend-then-hibernate
nixos/systemd: Add suspend-then-hibernate units
2019-08-28 17:29:17 +08:00
Frederik Rietdijk 5061fe0c2c Merge staging-next into staging 2019-08-28 08:26:42 +02:00
volth 35d68ef143 treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
Janne Heß c8e863e25e nixos/systemd: Add suspend-then-hibernate units
Pretty useful for laptops. I use them with:

```
services.logind.lidSwitch = "suspend-then-hibernate";
environment.etc."systemd/sleep.conf".text = "HibernateDelaySec=8h";
```
2019-08-26 11:04:10 +02:00
Florian Klink 0fb17141fb nixos/systemd: enable cgroup accounting by default
If this is the default for OpenShift already, we probably can enable it
as well.

see https://github.com/openshift/machine-config-operator/pull/581
2019-08-25 22:26:12 +02:00
Florian Klink f3a18d4562 nixos/systemd: add new Default{BlockIO,IP}Accounting settings 2019-08-25 22:25:19 +02:00
Florian Klink f34f38ef1c nixos/systemd: honor default enableCgroupAccounting settings
systemd defaults DefaultMemoryAccounting and DefaultTasksAccounting to
yes, so no need to enable explicitly
2019-08-25 22:25:19 +02:00
Félix Baylac-Jacqué 0528816570 systemd-networkd: add tests
(cherry picked from commit ec073e41a0)
2019-08-21 11:11:28 +02:00
David Guibert 7fd91a898b systemd-networkd: add support for wireguard netdev. 2019-08-21 11:11:24 +02:00
Matthieu Coudron 3b205ad3a7
Merge pull request #58207 from teto/kernelPackages_check
boot.kernelPackages: check for conflicts
It's currently possible to set conflicting `boot.kernelPackages` several times.
NixOS now warns when this is the case instead of just picking one.
2019-08-20 14:15:51 +09:00
Nikolay Amiantov fca97dfebc stage-1 init: fix debug menu
* Read one char at a time, so user doesn't have to enter "i<ENTER>"
  contrary to the menu;
* Exec shell inside setsid.
2019-08-19 19:54:00 +03:00
Florian Klink bafc256915 nixos/systemd: remove separate coredump module 2019-08-18 17:54:26 +02:00
Florian Klink 9be0327a49 nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`).

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
2019-08-18 17:54:26 +02:00
danbst d80cd26ff9 Merge branch 'master' into flip-map-foreach 2019-08-18 18:00:25 +03:00
Frederik Rietdijk c68f58d95c Merge master into staging-next 2019-08-17 09:30:16 +02:00
Samuel Dionne-Riel b750ebf1b3
Merge pull request #60422 from kwohlfahrt/device-tree
nixos/hardware.deviceTree: new module
2019-08-16 13:26:48 -04:00
Edmund Wu aa251bbc3e
systemd-networkd: link: Name -> OriginalName 2019-08-15 21:58:24 -04:00
Frederik Rietdijk 8d56f2472e Merge master into staging-next 2019-08-14 13:45:54 +02:00
Aaron Andersen 6f6468bef3
Merge pull request #65728 from Infinisil/types-eithers
lib/types: Add oneOf, extension of either to a list of types
2019-08-13 11:48:42 -04:00
Matthew Bauer ddf38a8241
Merge pull request #65002 from matthewbauer/binfmt-wasm
Add binfmt interpreter for wasm
2019-08-09 14:04:21 -04:00
Matthieu Coudron 2da1ad60a8 boot.kernelPackages: check for conflicts
It's currently possible to set conflicting `boot.kernelPackages` several times
which can prove confusing.
This is an attempt to warn for this.
2019-08-10 02:27:52 +09:00
Silvan Mosberger 88bb9fa403
nixos/modules: Replace all nested types.either's with types.oneOf's 2019-08-08 23:35:52 +02:00
Kai Wohlfahrt dd0a951279 nixos/hardware.deviceTree: new module
Add support for custom device-tree files, and applying overlays to them.
This is useful for supporting non-discoverable hardware, such as sensors
attached to GPIO pins on a Raspberry Pi.
2019-08-07 13:51:22 +01:00
Danylo Hlynskyi 7585496eff
Merge branch 'master' into flip-map-foreach 2019-08-05 14:09:28 +03:00
danbst 0f8596ab3f mass replace "flip map -> forEach"
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst 91bb646e98 Revert "mass replace "flip map -> foreach""
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
Nikolay Amiantov 717b8b3219 systemd service: remove generator-packages option
Use systemd.packages instead; it's less error-prone and more in line with
what's expected.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov b458121105 stage-1 initrd: replace absolute paths for mdadm
We don't patch basename and readlink now too as they were added for
mdadm in 8ecd3a5e1d.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov a304fc5d75 systemd service: add support for shutdown packages
Shutdown hooks are executed right before the shutdown, which is useful
for some applications. Among other things this is needed for mdadm hook
to run.
2019-08-01 00:55:35 +03:00
Nikolay Amiantov fd405dab3e systemd service: rename generator-packages 2019-08-01 00:55:35 +03:00
Domen Kožar cfd507d581
system-boot: configurationLimit should be null as default 2019-07-23 10:20:09 +02:00
Matthew Bauer 857f7fb4af nixos/binfmt: update release notes and provide examples 2019-07-17 17:09:20 -04:00
Matthew Bauer 1acc701fdb nixos/binfmt: handle wasm binaries
This adds handling for WASM binaries to binfmt’s emulatedSystems. To
enable, add this to your configuration:

  boot.binfmt.emulatedSystems = [ "wasm32-wasi" ];

After rebuilding with nixos-rebuild switch, you can run wasm binaries
directly.
2019-07-17 17:00:46 -04:00
Nikolay Amiantov 294751a4fc
Merge pull request #62955 from abbradar/resolvconf
resolvconf service: init
2019-07-17 11:07:12 +03:00
Peter Hoeg db858b4d30
Merge pull request #64806 from peterhoeg/f/exec
nixos/systemd: 242 supports Type = exec
2019-07-17 14:09:20 +07:00
Nikolay Amiantov 01b90dce78 resolvconf service: init
This is a refactor of how resolvconf is managed on NixOS. We split it
into a separate service which is enabled internally depending on whether
we want /etc/resolv.conf to be managed by it. Various services now take
advantage of those configuration options.

We also now use systemd instead of activation scripts to update
resolv.conf.

NetworkManager now uses the right option for rc-manager DNS
automatically, so the configuration option shouldn't be exposed.
2019-07-15 20:25:39 +03:00
Peter Hoeg eb55dd5e6b nixos/systemd: 242 supports Type = exec 2019-07-15 20:28:26 +08:00
danbst 3b0534310c mass replace "flip map -> foreach"
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Venkateswara Rao Mandela 7f363b034e nixos/install-grub: include child configs in grub menu
Add configs listed under the fine-tune subdirectory to the grub menu.
Use specified configuration name for the entry if available.
2019-07-11 17:38:25 +05:30
Domen Kožar 224a6562a4
Add configurationLimit to systemd-boot to prevent running out of disk space
Refs #23926
2019-06-22 20:11:11 +02:00
Matthew Bauer 2b8ea614b8
Merge pull request #63090 from NixOS/nomodeset
kernel.nix: boot.vesa implies nomodeset
2019-06-20 15:31:17 -04:00
volth f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Frederik Rietdijk 087b87758e Merge master into staging-next 2019-06-15 08:17:58 +02:00
Florian Klink e0818a1530
nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions (#62813)
nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions
2019-06-14 22:43:15 +02:00
Wout Mertens 7938c1613d
kernel.nix: boot.vesa implies nomodeset
Without nomodeset the console is reset to 80x25 after Grub
2019-06-13 17:58:08 +02:00
Frederik Rietdijk 7184efb40a Merge master into staging-next 2019-06-12 09:22:07 +02:00
Franz Pletz 9b2ee2c057
Merge pull request #62838 from mayflower/fix/cryptsetup-kernel-crypto
cryptsetup: enable kernel crypto api support again
2019-06-12 05:05:38 +00:00
Frederik Rietdijk e58f0f6c99 Merge master into staging-next 2019-06-10 10:35:50 +02:00
Roman Volosatovs 8e489018d3
systemd-networkd: Only generate [Match] if present 2019-06-09 19:09:10 +02:00
Frederik Rietdijk d3afcac771 Merge master into staging-next 2019-06-09 12:28:52 +02:00
Franz Pletz 2587df7f02
cryptsetup: enable kernel crypto api support again
This is needed for tcrypt and the benchmark subcommand. If enabled,
it is also used to unlock LUKS2 volumes and therefore the kernel modules
providing this feature need to be available in our initrd.

Fixes #42163, #54019.
2019-06-07 22:15:35 +02:00
Peter Hoeg 255550e003 nixos/systemd: enable systemd-tmpfiles-setup and -clean for user sessions 2019-06-07 14:52:46 +08:00
Matthew Bauer f8c12edfdf
Merge pull request #62333 from kampka/buildPackages-for-config-builders
Build packages for config builders
2019-06-05 14:47:16 -04:00
Vladimír Čunát c0ccf42c69
Merge branch 'staging-next' into staging 2019-06-05 11:12:34 +02:00
Matthew Bauer 22039a182e
Merge pull request #62606 from Shados/fix-62602
nixos/grub: Add defaultText for font option
2019-06-04 14:34:13 -04:00
Andreas Rammhold 024a383d64
nixos/systemd: migrate systemd-timesync state when required
Somewhen between systemd v239 and v242 upstream decided to no longer run
a few system services with `DynamicUser=1` but failed to provide a
migration path for all the state those services left behind.

For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.

We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.

See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
2019-06-03 15:05:19 +02:00
Andreas Rammhold 1b7b1dbe2f
nixos/networkd: rename GatewayOnlink to GatewayOnLink
This follows upstreams renaming of the option [1].

[1] 9cb8c55934
2019-06-03 15:05:17 +02:00
Alexei Robyn fd9dec7177 nixos/grub: Add defaultText for font option
Fixes #62602.
2019-06-03 22:19:44 +10:00
Nikolay Amiantov fa2e4bfb61 nixos/systemd-boot: don't remove directories from EFI dir
This will only result in an error. These directories might be created by, for example, fwupdmgr.
2019-06-03 11:55:48 +03:00
Christian Kampka 0d570e020e Revert "treewide: use buildPackages for config builders"
This reverts commit 35af6e3605.
2019-05-31 23:27:49 +02:00
Christian Kampka fd15f37b37 Revert "extlinux-conf: fix cross compilation"
This reverts commit f17dd04f12.
2019-05-31 23:27:49 +02:00
Matthew Bauer 022d8ab861
Merge pull request #61036 from cdepillabout/nixos-memtest-loader
nixos/systemd-boot: add support for memtest86 EFI app
2019-05-20 21:42:40 -05:00
(cdep)illabout d88d675051
Change non-open-source to unfree in description. 2019-05-21 11:34:11 +09:00
Eelco Dolstra de9e238469
Fix some malformed XML in option descriptions
E.g. these were using "<para>" at the *end* of a description. The real
WTF is that this is possible at all...
2019-05-13 09:15:17 +02:00
John Ericson 395bcc0b27
Merge pull request #61257 from matthewbauer/add-binfmt-emulated-systems
nixos/binfmt: handle emulatedSystems
2019-05-12 19:11:52 -04:00
Markus Schmidl 147621f7db nixos/luksroot: GPG Smartcard support for luks encrypted volumes 2019-05-12 20:05:10 +02:00
Matthew Bauer 93a522cf0c nixos/binfmt: fixup 2019-05-10 22:53:14 -04:00
Matthew Bauer 60381b7b11 binfmt: add more magics and masks
New ones taken from this script:

https://github.com/qemu/qemu/blob/master/scripts/qemu-binfmt-conf.sh
2019-05-10 21:00:21 -04:00
Matthew Bauer 153598ebb0 nixos/binfmt: handle emulatedSystems
Fixes #61248
2019-05-10 18:05:59 -04:00
Linus Heckemann 864f4f084a
Merge pull request #60237 from mayflower/kexec-no-clobber
nixos/kexec: don't clobber existing kexec-loaded kernel
2019-05-06 21:53:47 +02:00
(cdep)illabout b12ea62ec9 nixos/systemd-boot: add support for memtest86 EFI app
This commit adds support for installing the memtest86 EFI app and adding
a boot entry for it with systemd-boot.
2019-05-06 17:08:55 +09:00
Linus Heckemann 6b6f25e926 nixos/kexec: log what's happening 2019-04-29 22:43:16 +02:00
Edmund Wu 162546f0a1 nixos/luksroot: create /run/cryptsetup (#60235)
Needed since 2.0.0
Changed to /run/cryptsetup from /run/lock/cryptsetup in 2.0.1
2019-04-28 17:49:32 +00:00
Michael Weiss 698388bc61 Revert "nixos/switch-to-configuration: Never stop system.slice"
This change was only a temporary workaround and isn't required anymore,
since /etc/systemd/system/system.slice should not be present on any
recent NixOS system (which makes this change a no-op).

This reverts commit 7098b0fcdf.
2019-04-28 07:21:34 +02:00
Linus Heckemann 4d667685c2 nixos/kexec: don't clobber existing kexec-loaded kernel 2019-04-26 00:35:10 +02:00
Linus Heckemann 42c107c2aa
Merge pull request #49537 from mayflower/stage1-symlink-fix
nixos stage-1: fix init existence test
2019-04-18 17:59:08 +02:00
Pierre Bourdon 5d2bb3d715 nixos/stage-1: "find-libs" shell script is for the host 2019-04-18 15:02:51 +02:00
Jan Malakhovski 0017a06717 nixos/systemd: add an option to suppress system units 2019-04-18 10:42:11 +00:00
Joachim F d7da5e2af2
Merge pull request #53826 from delroth/randstruct-custom-seed
nixos: allow customizing the kernel RANDSTRUCT seed
2019-04-16 17:49:19 +00:00
Linus Heckemann b499c52de5 stage-1: provide meaningful names to initrd and module tree 2019-04-13 23:22:56 +02:00
Samuel Dionne-Riel ef0ca61215
Merge pull request #58027 from DanielFabian/gfxpayload
grub: Add gfxpayload
2019-04-08 10:06:59 -04:00
Daniel Fabian 84ff0956a8 grub: Add support for gfxpayload in grub. Needed for NVIDIA drivers before KMS, afaik 2019-04-08 11:34:39 +01:00
aszlig dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Matthew Bauer 73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Florian Franzen e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
aszlig ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Jan Malakhovski 570aed4b46 lib: add showWarnings 2019-03-08 11:19:18 +02:00
Danylo Hlynskyi 79cc48cdbb
Revert "Merge pull request #54980 from danbst/etc-relative" (#56507)
This reverts commit 0b91fa43e4, reversing
changes made to 183919a0c0.
2019-02-28 07:48:40 +02:00
Silvan Mosberger bcda0e37f6
Merge pull request #56012 from matix2267/logind-lid-switch-external-power
nixos/logind: Add defaultText to config option since it's not static value.
2019-02-22 20:55:46 +01:00
Silvan Mosberger c0318efe9a
Merge pull request #50504 from symphorien/local-closureInfo
nixos: add preferLocalBuild=true; on derivations for config files and closureInfo
2019-02-22 20:53:17 +01:00
Symphorien Gibol a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Michael Raskin 0b91fa43e4
Merge pull request #54980 from danbst/etc-relative
nixos: make symlinks in `/etc` relative (except `/etc/static`)
2019-02-21 09:45:42 +00:00
Mateusz Gołębiewski ddcf485386 nixos/logind: Add defaultText to config option since it's not static value. 2019-02-18 20:37:02 +01:00
Mateusz Gołębiewski fb9619ca03 nixos/logind: Add option for HandleLidSwitchExternalPower
The default according to `man logind.conf` is to perform the same action as in
HandleLidSwitch.
2019-02-16 23:56:22 +01:00
Sharif Olorin 3755577ba6 nixos/systemd: update max line length in systemd units
The length check was introduced[0] to match systemd's max line
length. This limit has been increased[1][2] to 1MiB, starting with
systemd v235.

[0] https://github.com/nixos/nixpkgs/issues/3403
[1] e6dde451a5
    (relevant systemd commit)
[2] https://github.com/systemd/systemd/issues/3302
    (more context on systemd change)
2019-02-10 00:39:29 +00:00
Jeff Slight c95407b327 boot/raspberrypi: replace deprecated configuration option 2019-02-08 11:36:09 -08:00
danbst f47bfce584 make back /etc/static absolute symlink 2019-01-31 09:29:44 +02:00
Florian Jacob fc8e1745c0 nixos/etc: Make symlinks relative instead of absolute
so that the links can be followed if the NixOS installation is not mounted as filesystem root.
In particular, this makes /etc/os-release adhere to the standard:
https://www.freedesktop.org/software/systemd/man/os-release.html
Fixes #28833.
2019-01-31 09:17:35 +02:00
danbst 27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Silvan Mosberger 51d2eed83b
Merge pull request #42838 from teto/kernel_autoconf
[RFC] add ability to merge structured configs
2019-01-28 10:38:00 +01:00
Craig Younkins 6f6287fbf9 nixos/systemd: add StartLimitIntervalSec to unit config 2019-01-28 00:29:43 +00:00
Matthieu Coudron 3bb7b3f02e linux: ability to merge structured configs
This should make the composability of kernel configurations more straightforward.

- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch

The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
2019-01-28 09:06:33 +09:00
Pierre Bourdon 8769d2d58c
nixos kernel.nix: add an option to customize the kernel RANDSTRUCT seed 2019-01-24 01:42:17 +01:00
Jörg Thalheim a6b97bd1bb
Merge pull request #42183 from kisik21/master
nixos/stage-1, nixos/f2fs: added F2FS resizing
2019-01-17 07:42:32 +00:00
Vladimír Čunát 287144e342
Merge branch 'master' into staging-next 2019-01-10 13:07:21 +01:00
Claudio Bley cb0b629894 nixos/luksroot: Fix typo Verifiying -> Verifying 2019-01-08 15:45:02 -05:00
Jörg Thalheim ba9f589180
Merge pull request #53446 from Mic92/systemd-udev-settle
nixos/systemd-udev-settle: don't restart on upgrades
2019-01-08 13:05:25 +01:00
Matthew Bauer 751c03e8fd
Merge pull request #47665 from erikarvstedt/initrd-improvements
Minor initrd improvements
2019-01-06 21:48:26 -06:00
Jörg Thalheim 0a2c8cc1db
nixos/systemd-udev-settle: don't restart on upgrades
The idea is that we only need this target during boot,
however there is no point in restarting it on every upgrade.

This hopefully fixes #21954
2019-01-05 13:57:29 +01:00
Matthew Bauer 921a47bc92 treewide: remove cross assertions
sd-image-raspberrypi, sd-image-aarch64, and
sd-image-armv7l-multiplatform can all be cross compiled now.
2019-01-02 23:02:50 -06:00
Matthew Bauer 35af6e3605 treewide: use buildPackages for config builders 2019-01-02 23:02:50 -06:00
Matthew Bauer 92840ab944
Merge pull request #51600 from eburimu/fix/cross-extlinux-conf-builder
extlinux-conf: fix cross compilation
2018-12-19 11:01:31 -06:00
volth fed7914539
Merge branch 'staging' into make-perl-pathd 2018-12-18 17:13:27 +00:00
volth bb9557eb7c lib.makePerlPath -> perlPackages.makePerlPath 2018-12-15 03:50:31 +00:00
Benjamin Staffin 1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
Renaud 53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
eburimu f17dd04f12 extlinux-conf: fix cross compilation 2018-12-06 03:42:02 +03:00
Jörg Thalheim 50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
Janne Heß 9cd4ce98bf nixos/luksroot: Check whether the device already exists
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
2018-12-01 23:42:51 +01:00
Arian van Putten 7ce4cd4470 nixos/nspawn: Fix small typo (#51077)
This has slipped through review in my previous PR it seems
2018-11-26 22:05:13 +01:00
hyperfekt 482228919c nixos/bcachefs: remove superfluous fsck from initrd
bcachefs checks the filesystem at mount time, therefore no separate fsck binary is needed in initrd.
2018-11-03 18:07:32 +01:00
Will Dietz 1fe7abcf2e
Merge pull request #49513 from dtzWill/fix/activation-nscd-path
activation-script: add libc to path to provide nscd when needed
2018-11-02 03:57:25 -05:00
Jörg Thalheim 553e0d81ee
Merge pull request #48771 from arianvp/container-tweaks
nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd
2018-10-31 16:08:16 +00:00
Linus Heckemann 817369d4c1 nixos stage-1: fix init existence test
The previous version contained a false positive case, where boot would
continue when the stage 2 init did not exist at all, and a false
negative case, where boot would stop if the stage 2 init was a symlink
which cannot be resolved in the initramfs root.

Fixes #49519.

Thanks @michas2 for finding and reporting the issue!
2018-10-31 15:59:18 +01:00