Commit graph

1038 commits

Author SHA1 Message Date
Eelco Dolstra
de9e238469
FIx some malformed XML in option descriptions
E.g. these were using "<para>" at the *end* of a description. The real
WTF is that this is possible at all...
2019-05-13 09:15:17 +02:00
John Ericson
395bcc0b27
Merge pull request #61257 from matthewbauer/add-binfmt-emulated-systems
nixos/binfmt: handle emulatedSystems
2019-05-12 19:11:52 -04:00
Markus Schmidl
147621f7db nixos/luksroot: GPG Smartcard support for luks encrypted volumes 2019-05-12 20:05:10 +02:00
Matthew Bauer
93a522cf0c nixos/binfmt: fixup 2019-05-10 22:53:14 -04:00
Matthew Bauer
60381b7b11 binfmt: add more magics and masks
New ones taken from this script:

https://github.com/qemu/qemu/blob/master/scripts/qemu-binfmt-conf.sh
2019-05-10 21:00:21 -04:00
Matthew Bauer
153598ebb0 nixos/binfmt: handle emulatedSystems
Fixes #61248
2019-05-10 18:05:59 -04:00
Linus Heckemann
864f4f084a
Merge pull request #60237 from mayflower/kexec-no-clobber
nixos/kexec: don't clobber existing kexec-loaded kernel
2019-05-06 21:53:47 +02:00
Linus Heckemann
6b6f25e926 nixos/kexec: log what's happening 2019-04-29 22:43:16 +02:00
Edmund Wu
162546f0a1 nixos/luksroot: create /run/cryptsetup (#60235)
Needed since 2.0.0
Changed to /run/cryptsetup from /run/lock/cryptsetup in 2.0.1
2019-04-28 17:49:32 +00:00
Michael Weiss
698388bc61 Revert "nixos/switch-to-configuration: Never stop system.slice"
This change was only a temporary workaround and isn't required anymore,
since /etc/systemd/system/system.slice should not be present on any
recent NixOS system (which makes this change a no-op).

This reverts commit 7098b0fcdf.
2019-04-28 07:21:34 +02:00
Linus Heckemann
4d667685c2 nixos/kexec: don't clobber existing kexec-loaded kernel 2019-04-26 00:35:10 +02:00
Linus Heckemann
42c107c2aa
Merge pull request #49537 from mayflower/stage1-symlink-fix
nixos stage-1: fix init existence test
2019-04-18 17:59:08 +02:00
Pierre Bourdon
5d2bb3d715 nixos/stage-1: "find-libs" shell script is for the host 2019-04-18 15:02:51 +02:00
Joachim F
d7da5e2af2
Merge pull request #53826 from delroth/randstruct-custom-seed
nixos: allow customizing the kernel RANDSTRUCT seed
2019-04-16 17:49:19 +00:00
Linus Heckemann
b499c52de5 stage-1: provide meaningful names to initrd and module tree 2019-04-13 23:22:56 +02:00
Samuel Dionne-Riel
ef0ca61215
Merge pull request #58027 from DanielFabian/gfxpayload
grub: Add gfxpayload
2019-04-08 10:06:59 -04:00
Daniel Fabian
84ff0956a8 grub: Add support for gfxpayload in grub. Needed for NVIDIA drivers before KMS, afaik 2019-04-08 11:34:39 +01:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Matthew Bauer
73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Florian Franzen
e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Jan Malakhovski
570aed4b46 lib: add showWarnings 2019-03-08 11:19:18 +02:00
Danylo Hlynskyi
79cc48cdbb
Revert "Merge pull request #54980 from danbst/etc-relative" (#56507)
This reverts commit 0b91fa43e4, reversing
changes made to 183919a0c0.
2019-02-28 07:48:40 +02:00
Silvan Mosberger
bcda0e37f6
Merge pull request #56012 from matix2267/logind-lid-switch-external-power
nixos/logind: Add defaultText to config option since it's not static value.
2019-02-22 20:55:46 +01:00
Silvan Mosberger
c0318efe9a
Merge pull request #50504 from symphorien/local-closureInfo
nixos: add preferLocalBuild=true; on derivations for config files and closureInfo
2019-02-22 20:53:17 +01:00
Symphorien Gibol
a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Michael Raskin
0b91fa43e4
Merge pull request #54980 from danbst/etc-relative
nixos: make symlinks in `/etc` relative (except `/etc/static`)
2019-02-21 09:45:42 +00:00
Mateusz Gołębiewski
ddcf485386 nixos/logind: Add defaultText to config option since it's not static value. 2019-02-18 20:37:02 +01:00
Mateusz Gołębiewski
fb9619ca03 nixos/logind: Add option for HandleLidSwitchExternalPower
The default according to `man logind.conf` is to perform the same action as in
HandleLidSwitch.
2019-02-16 23:56:22 +01:00
Sharif Olorin
3755577ba6 nixos/systemd: update max line length in systemd units
The length check was introduced[0] to match systemd's max line
length. This limit has been increased[1][2] to 1MiB, starting with
systemd v235.

[0] https://github.com/nixos/nixpkgs/issues/3403
[1] e6dde451a5
    (relevant systemd commit)
[2] https://github.com/systemd/systemd/issues/3302
    (more context on systemd change)
2019-02-10 00:39:29 +00:00
Jeff Slight
c95407b327 boot/raspberrypi: replace deprecated configuration option 2019-02-08 11:36:09 -08:00
danbst
f47bfce584 make back /etc/static absolute symlink 2019-01-31 09:29:44 +02:00
Florian Jacob
fc8e1745c0 nixos/etc: Make symlinks relative instead of absolute
so that the links can be followed if the NixOS installation is not mounted as filesystem root.
In particular, this makes /etc/os-release adhere to the standard:
https://www.freedesktop.org/software/systemd/man/os-release.html
Fixes #28833.
2019-01-31 09:17:35 +02:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Silvan Mosberger
51d2eed83b
Merge pull request #42838 from teto/kernel_autoconf
[RFC] add ability to merge structured configs
2019-01-28 10:38:00 +01:00
Craig Younkins
6f6287fbf9 nixos/systemd: add StartLimitIntervalSec to unit config 2019-01-28 00:29:43 +00:00
Matthieu Coudron
3bb7b3f02e linux: ability to merge structured configs
This should make the composability of kernel configurations more straigthforward.

- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch

The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
2019-01-28 09:06:33 +09:00
Pierre Bourdon
8769d2d58c
nixos kernel.nix: add an option to customize the kernel RANDSTRUCT seed 2019-01-24 01:42:17 +01:00
Jörg Thalheim
a6b97bd1bb
Merge pull request #42183 from kisik21/master
nixos/stage-1, nixos/f2fs: added F2FS resizing
2019-01-17 07:42:32 +00:00
Vladimír Čunát
287144e342
Merge branch 'master' into staging-next 2019-01-10 13:07:21 +01:00
Claudio Bley
cb0b629894 nixos/luksroot: Fix typo Verifiying -> Verifying 2019-01-08 15:45:02 -05:00
Jörg Thalheim
ba9f589180
Merge pull request #53446 from Mic92/systemd-udev-settle
nixos/systemd-udev-settle: don't restart on upgrades
2019-01-08 13:05:25 +01:00
Matthew Bauer
751c03e8fd
Merge pull request #47665 from erikarvstedt/initrd-improvements
Minor initrd improvements
2019-01-06 21:48:26 -06:00
Jörg Thalheim
0a2c8cc1db
nixos/systemd-udev-settle: don't restart on upgrades
The idea is that we only need this target during boot,
however there is no point on restarting it on every upgrade.

This hopefully fixes #21954
2019-01-05 13:57:29 +01:00
Matthew Bauer
921a47bc92 treewide: remove cross assertions
sd-image-raspberrypi, sd-image-aarch64, and
sd-image-armv7l-multiplatform can all be cross compiled now.
2019-01-02 23:02:50 -06:00
Matthew Bauer
35af6e3605 treewide: use buildPackages for config builders 2019-01-02 23:02:50 -06:00
Matthew Bauer
92840ab944
Merge pull request #51600 from eburimu/fix/cross-extlinux-conf-builder
extlinux-conf: fix cross compilation
2018-12-19 11:01:31 -06:00
volth
fed7914539
Merge branch 'staging' into make-perl-pathd 2018-12-18 17:13:27 +00:00
volth
bb9557eb7c lib.makePerlPath -> perlPackages.makePerlPath 2018-12-15 03:50:31 +00:00
Benjamin Staffin
1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00