From 682cb1d640779e7ba63d070030deaf0cb4d82b53 Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 28 Oct 2023 22:55:59 +0200 Subject: [PATCH 01/13] nixos/vmware-host: replace activationScript Replace with a dedicated system servie ordered before the other VMWare services. --- nixos/modules/virtualisation/vmware-host.nix | 63 +++++++++++--------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/nixos/modules/virtualisation/vmware-host.nix b/nixos/modules/virtualisation/vmware-host.nix index 1eaa896fe096..094114623a42 100644 --- a/nixos/modules/virtualisation/vmware-host.nix +++ b/nixos/modules/virtualisation/vmware-host.nix @@ -85,35 +85,44 @@ in }; }; - ###### wrappers activation script - - system.activationScripts.vmwareWrappers = - lib.stringAfter [ "specialfs" "users" ] - '' - mkdir -p "${parentWrapperDir}" - chmod 755 "${parentWrapperDir}" - # We want to place the tmpdirs for the wrappers to the parent dir. - wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) - chmod a+rx "$wrapperDir" - ${lib.concatStringsSep "\n" (vmwareWrappers)} - if [ -L ${wrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink -f ${wrapperDir}) - if [ -e "${wrapperDir}-tmp" ]; then - rm --force --recursive "${wrapperDir}-tmp" - fi - ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" - mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" - rm --force --recursive "$old" - else - # For initial setup - ln --symbolic "$wrapperDir" "${wrapperDir}" - fi - ''; - # Services + systemd.services."vmware-wrappers" = { + description = "Create VMVare Wrappers"; + wantedBy = [ "multi-user.target" ]; + before = [ + "vmware-authdlauncher.service" + "vmware-networks-configuration.service" + "vmware-networks.service" + "vmware-usbarbitrator.service" + ]; + after = [ "systemd-sysusers.service" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + mkdir -p "${parentWrapperDir}" + chmod 755 "${parentWrapperDir}" + # We want to place the tmpdirs for the wrappers to the parent dir. + wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx "$wrapperDir" + ${lib.concatStringsSep "\n" (vmwareWrappers)} + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + if [ -e "${wrapperDir}-tmp" ]; then + rm --force --recursive "${wrapperDir}-tmp" + fi + ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" + mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" + rm --force --recursive "$old" + else + # For initial setup + ln --symbolic "$wrapperDir" "${wrapperDir}" + fi + ''; + }; + systemd.services."vmware-authdlauncher" = { description = "VMware Authentication Daemon"; serviceConfig = { From e96cd172fb625b910f13c0957be4204188afc884 Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 28 Oct 2023 23:04:54 +0200 Subject: [PATCH 02/13] nixos/logcheck: replace activationScript via tmpfiles --- nixos/modules/services/logging/logcheck.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 8a277cea6e46..5d87fc87d416 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -220,10 +220,16 @@ in logcheck = {}; }; - system.activationScripts.logcheck = '' - mkdir -m 700 -p /var/{lib,lock}/logcheck - chown ${cfg.user} /var/{lib,lock}/logcheck - ''; + systemd.tmpfiles.settings.logcheck = { + "/var/lib/logcheck".d = { + mode = "700"; + inherit (cfg) user; + }; + "/var/lock/logcheck".d = { + mode = "700"; + inherit (cfg) user; + }; + }; services.cron.systemCronJobs = let withTime = name: {timeArgs, ...}: timeArgs != null; From 994df434ba29b9774efe56d23270a8dc150c68ce Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 16 Nov 2023 23:14:22 +0100 Subject: [PATCH 03/13] nixos/ldap: replace activationScript Replace with a dedicated systemd service. --- nixos/modules/config/ldap.nix | 101 ++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 46 deletions(-) diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index d2f01fb87d32..e374e4a7a27e 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -226,18 +226,6 @@ in "ldap.conf" = ldapConfig; }; - system.activationScripts = mkIf (!cfg.daemon.enable) { - ldap = stringAfter [ "etc" "groups" "users" ] '' - if test -f "${cfg.bind.passwordFile}" ; then - umask 0077 - conf="$(mktemp)" - printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | - cat ${ldapConfig.source} - >"$conf" - mv -fT "$conf" /etc/ldap.conf - fi - ''; - }; - system.nssModules = mkIf cfg.nsswitch (singleton ( if cfg.daemon.enable then nss_pam_ldapd else nss_ldap )); @@ -258,42 +246,63 @@ in }; }; - systemd.services = mkIf cfg.daemon.enable { - nslcd = { - wantedBy = [ "multi-user.target" ]; - - preStart = '' - umask 0077 - conf="$(mktemp)" - { - cat ${nslcdConfig} - test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || - printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" - test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || - printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" - } >"$conf" - mv -fT "$conf" /run/nslcd/nslcd.conf - ''; - - restartTriggers = [ - nslcdConfig - cfg.bind.passwordFile - cfg.daemon.rootpwmodpwFile - ]; - - serviceConfig = { - ExecStart = "${nslcdWrapped}/bin/nslcd"; - Type = "forking"; - Restart = "always"; - User = "nslcd"; - Group = "nslcd"; - RuntimeDirectory = [ "nslcd" ]; - PIDFile = "/run/nslcd/nslcd.pid"; - AmbientCapabilities = "CAP_SYS_RESOURCE"; + systemd.services = mkMerge [ + (mkIf (!cfg.daemon.enable) { + ldap-password = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + if test -f "${cfg.bind.passwordFile}" ; then + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf + fi + ''; }; - }; + }) - }; + (mkIf cfg.daemon.enable { + nslcd = { + wantedBy = [ "multi-user.target" ]; + + preStart = '' + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" + } >"$conf" + mv -fT "$conf" /run/nslcd/nslcd.conf + ''; + + restartTriggers = [ + nslcdConfig + cfg.bind.passwordFile + cfg.daemon.rootpwmodpwFile + ]; + + serviceConfig = { + ExecStart = "${nslcdWrapped}/bin/nslcd"; + Type = "forking"; + Restart = "always"; + User = "nslcd"; + Group = "nslcd"; + RuntimeDirectory = [ "nslcd" ]; + PIDFile = "/run/nslcd/nslcd.pid"; + AmbientCapabilities = "CAP_SYS_RESOURCE"; + }; + }; + }) + ]; }; From 80fa4731f9ce5c0e5e70b0ed7c73730f043a9f1d Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 28 Oct 2023 23:46:09 +0200 Subject: [PATCH 04/13] nixos/amdgpu-pro: replacce activationScript via tmpfiles --- nixos/modules/hardware/video/amdgpu-pro.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/modules/hardware/video/amdgpu-pro.nix b/nixos/modules/hardware/video/amdgpu-pro.nix index 605aa6ef8b88..2a86280eec8c 100644 --- a/nixos/modules/hardware/video/amdgpu-pro.nix +++ b/nixos/modules/hardware/video/amdgpu-pro.nix @@ -39,9 +39,10 @@ in hardware.firmware = [ package.fw ]; - system.activationScripts.setup-amdgpu-pro = '' - ln -sfn ${package}/opt/amdgpu{,-pro} /run - ''; + systemd.tmpfiles.settings.amdgpu-pro = { + "/run/amdgpu"."L+".argument = "${package}/opt/amdgpu"; + "/run/amdgpu-pro"."L+".argument = "${package}/opt/amdgpu-pro"; + }; system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "DEVICE_PRIVATE") From 36f2ab21eae7b7924f7bbeb62f7453a9d94defbc Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 28 Oct 2023 23:50:24 +0200 Subject: [PATCH 05/13] nixos/tests/incron: replace activcationScript via tmpfiles --- nixos/tests/incron.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/tests/incron.nix b/nixos/tests/incron.nix index c978ff27dfad..d016360ba0ef 100644 --- a/nixos/tests/incron.nix +++ b/nixos/tests/incron.nix @@ -13,9 +13,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ''; # ensure the directory to be monitored exists before incron is started - system.activationScripts.incronTest = '' - mkdir /test - ''; + systemd.tmpfiles.settings.incron-test = { + "/test".d = { }; + }; }; testScript = '' From 9b29bc0010a9cee3236511f70f36b8ae95887f5c Mon Sep 17 00:00:00 2001 From: nikstur Date: Sun, 29 Oct 2023 00:05:14 +0200 Subject: [PATCH 06/13] nixos/trackpoint: replace activationScript Replace with a separate systemd service ordered before sysinit.target --- nixos/modules/tasks/trackpoint.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/nixos/modules/tasks/trackpoint.nix b/nixos/modules/tasks/trackpoint.nix index d197a0feb337..317613b84792 100644 --- a/nixos/modules/tasks/trackpoint.nix +++ b/nixos/modules/tasks/trackpoint.nix @@ -80,10 +80,17 @@ with lib; ACTION=="add|change", SUBSYSTEM=="input", ATTR{name}=="${cfg.device}", ATTR{device/speed}="${toString cfg.speed}", ATTR{device/sensitivity}="${toString cfg.sensitivity}" ''; - system.activationScripts.trackpoint = - '' - ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}" + systemd.services.trackpoint = { + wantedBy = [ "sysinit.target" ] ; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + serviceConfig.ExecStart = '' + ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device} ''; + }; }) (mkIf (cfg.emulateWheel) { From af87c19427b9704eb77b5db080c3c117b00de589 Mon Sep 17 00:00:00 2001 From: nikstur Date: Sun, 29 Oct 2023 00:50:27 +0200 Subject: [PATCH 07/13] nixos/yggdrasil: replace activationScript Replace with separate service because it cannot be moved into the preStart of the yggdrasil service. --- .../modules/services/networking/yggdrasil.nix | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index 514753687d69..9173e7eb3457 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -137,16 +137,24 @@ in message = "networking.enableIPv6 must be true for yggdrasil to work"; }]; - system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' - if [ ! -e ${keysPath} ] - then - mkdir --mode=700 -p ${builtins.dirOf keysPath} - ${binYggdrasil} -genconf -json \ - | ${pkgs.jq}/bin/jq \ - 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ - > ${keysPath} - fi - ''; + # This needs to be a separate service. The yggdrasil service fails if + # this is put into its preStart. + systemd.services.yggdrasil-persistent-keys = lib.mkIf cfg.persistentKeys { + wantedBy = [ "multi-user.target" ]; + before = [ "yggdrasil.service" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + if [ ! -e ${keysPath} ] + then + mkdir --mode=700 -p ${builtins.dirOf keysPath} + ${binYggdrasil} -genconf -json \ + | ${pkgs.jq}/bin/jq \ + 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ + > ${keysPath} + fi + ''; + }; systemd.services.yggdrasil = { description = "Yggdrasil Network Service"; From 1c22b64fc97f9a5d05d6286d06b7606fba31eaaf Mon Sep 17 00:00:00 2001 From: nikstur Date: Sun, 29 Oct 2023 01:05:47 +0200 Subject: [PATCH 08/13] nixos/tests/nextcloud: replace activationScript Replace with a seprate systemd service --- nixos/tests/nextcloud/basic.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index ab1d8353dba0..428fe0aa10db 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -13,10 +13,12 @@ in { # The only thing the client needs to do is download a file. client = { ... }: { services.davfs2.enable = true; - system.activationScripts.davfs2-secrets = '' - echo "http://nextcloud/remote.php/dav/files/${adminuser} ${adminuser} ${adminpass}" > /tmp/davfs2-secrets - chmod 600 /tmp/davfs2-secrets - ''; + systemd.tmpfiles.settings.nextcloud = { + "/tmp/davfs2-secrets"."f+" = { + mode = "0600"; + argument = "http://nextcloud/remote.php/dav/files/${adminuser} ${adminuser} ${adminpass}"; + }; + }; virtualisation.fileSystems = { "/mnt/dav" = { device = "http://nextcloud/remote.php/dav/files/${adminuser}"; From 8d3cf213db5a2323fea961b434a4157d7fed8911 Mon Sep 17 00:00:00 2001 From: nikstur Date: Mon, 13 Nov 2023 10:41:19 +0100 Subject: [PATCH 09/13] nixos/borgbackup: replace activationScript via tmpfiles --- nixos/modules/services/backup/borgbackup.nix | 23 ++++++++------------ 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 393fe83f493f..6f4455d3be60 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -143,20 +143,15 @@ let }; # Paths listed in ReadWritePaths must exist before service is started - mkActivationScript = name: cfg: + mkTmpfiles = name: cfg: let - install = "install -o ${cfg.user} -g ${cfg.group}"; - in - nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' - # Ensure that the home directory already exists - # We can't assert createHome == true because that's not the case for root - cd "${config.users.users.${cfg.user}.home}" - # Create each directory separately to prevent root owned parent dirs - ${install} -d .config .config/borg - ${install} -d .cache .cache/borg - '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) '' - ${install} -d ${escapeShellArg cfg.repo} - '')); + settings = { inherit (cfg) user group; }; + in lib.nameValuePair "borgbackup-job-${name}" ({ + "${config.users.users."${cfg.user}".home}/.config/borg".d = settings; + "${config.users.users."${cfg.user}".home}/.cache/borg".d = settings; + } // optionalAttrs (isLocalPath cfg.repo && !cfg.removableDevice) { + "${cfg.repo}".d = settings; + }); mkPassAssertion = name: cfg: { assertion = with cfg.encryption; @@ -760,7 +755,7 @@ in { ++ mapAttrsToList mkSourceAssertions jobs ++ mapAttrsToList mkRemovableDeviceAssertions jobs; - system.activationScripts = mapAttrs' mkActivationScript jobs; + systemd.tmpfiles.settings = mapAttrs' mkTmpfiles jobs; systemd.services = # A job named "foo" is mapped to systemd.services.borgbackup-job-foo From 65ff518a0d56ea2907114288a891464c2ab916ac Mon Sep 17 00:00:00 2001 From: nikstur Date: Mon, 13 Nov 2023 10:47:25 +0100 Subject: [PATCH 10/13] nixos/ipa: replace activationScript Replaced with a dedicated systemd service. --- nixos/modules/security/ipa.nix | 40 ++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix index 69a670cd5e4a..49226ec38199 100644 --- a/nixos/modules/security/ipa.nix +++ b/nixos/modules/security/ipa.nix @@ -181,25 +181,33 @@ in { ''; }; - system.activationScripts.ipa = stringAfter ["etc"] '' - # libcurl requires a hard copy of the certificate - if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then - rm -f /etc/ipa/ca.crt - cp ${cfg.certificate} /etc/ipa/ca.crt - fi + systemd.services."ipa-activation" = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + # libcurl requires a hard copy of the certificate + if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then + rm -f /etc/ipa/ca.crt + cp ${cfg.certificate} /etc/ipa/ca.crt + fi - if [ ! -f /etc/krb5.keytab ]; then - cat < Date: Thu, 2 Nov 2023 00:15:38 +0100 Subject: [PATCH 11/13] nixos/wrappers: order service after sysusers service --- nixos/modules/security/wrappers/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 4e123fa9ca5e..a298686b34e9 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -280,6 +280,7 @@ in wantedBy = [ "sysinit.target" ]; before = [ "sysinit.target" "shutdown.target" ]; conflicts = [ "shutdown.target" ]; + after = [ "systemd-sysusers.service" ]; unitConfig.DefaultDependencies = false; unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ]; serviceConfig.Type = "oneshot"; From 3be357b2e78799704df2c3fb3b5f1c3872efc43b Mon Sep 17 00:00:00 2001 From: nikstur Date: Mon, 13 Nov 2023 09:22:18 +0100 Subject: [PATCH 12/13] nixos/binfmt: remove unused stringAfter --- nixos/modules/system/boot/binfmt.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index d16152ab9dec..08e3dce70844 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkOption mkDefault types optionalString stringAfter; + inherit (lib) mkOption mkDefault types optionalString; cfg = config.boot.binfmt; From 0ebd39b5418cc8b5d8635c41e893ee4dfc19c7de Mon Sep 17 00:00:00 2001 From: nikstur Date: Mon, 13 Nov 2023 09:29:33 +0100 Subject: [PATCH 13/13] nixos/nix-channel: remove unused stringAfter --- nixos/modules/config/nix-channel.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/config/nix-channel.nix b/nixos/modules/config/nix-channel.nix index a7ca7a5c74a4..dd97cb730ae4 100644 --- a/nixos/modules/config/nix-channel.nix +++ b/nixos/modules/config/nix-channel.nix @@ -12,7 +12,6 @@ let mkDefault mkIf mkOption - stringAfter types ;