authorJörg Thalheim <Mic92@users.noreply.github.com>2024-01-07 11:40:30 +0100
committerGitHub <noreply@github.com>2024-01-07 11:40:30 +0100
commitdb59d03371a1ca74896c812e1653d5bccc0bc0f4 (patch)
tree59507d6d1cfbbebb6467774befc5656f5a41bc52 /nixos/modules/tasks
parent9598daf31aec96e4a987e2e03d68cf55ce575d0a (diff)
parent12c489d36b19907c6def5f73e420cd019857e2eb (diff)
Merge branch 'master' into pr/bcachefs
Diffstat (limited to 'nixos/modules/tasks')
-rw-r--r--nixos/modules/tasks/filesystems.nix3
-rw-r--r--nixos/modules/tasks/filesystems/bcachefs.nix5
-rw-r--r--nixos/modules/tasks/filesystems/zfs.nix32
-rw-r--r--nixos/modules/tasks/network-interfaces.nix6
-rw-r--r--nixos/modules/tasks/snapraid.nix234
-rw-r--r--nixos/modules/tasks/trackpoint.nix13
6 files changed, 39 insertions, 254 deletions
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 91e30aa4c0af9..1378a0090c1df 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -406,7 +406,8 @@ in
             ConditionVirtualization = "!container";
             DefaultDependencies = false; # needed to prevent a cycle
           };
-          before = [ "systemd-pstore.service" ];
+          before = [ "systemd-pstore.service" "shutdown.target" ];
+          conflicts = [ "shutdown.target" ];
           wantedBy = [ "systemd-pstore.service" ];
         };
       };
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
index a9134b79b4a64..e771b706becea 100644
--- a/nixos/modules/tasks/filesystems/bcachefs.nix
+++ b/nixos/modules/tasks/filesystems/bcachefs.nix
@@ -78,9 +78,10 @@ let
     value = {
       description = "Unlock bcachefs for ${fs.mountPoint}";
       requiredBy = [ mountUnit ];
-      before = [ mountUnit ];
-      bindsTo = [ deviceUnit ];
       after = [ deviceUnit ];
+      before = [ mountUnit "shutdown.target" ];
+      bindsTo = [ deviceUnit ];
+      conflicts = [ "shutdown.target" ];
       unitConfig.DefaultDependencies = false;
       serviceConfig = {
         Type = "oneshot";
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 784040f0ce9e3..b38f228fc1606 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -130,7 +130,8 @@ let
         "systemd-ask-password-console.service"
       ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target";
       requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
-      before = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
+      before = getPoolMounts prefix pool ++ [ "shutdown.target" "zfs-import.target" ];
+      conflicts = [ "shutdown.target" ];
       unitConfig = {
         DefaultDependencies = "no";
       };
@@ -508,9 +509,15 @@ in
     };
 
     services.zfs.zed = {
-      enableMail = mkEnableOption (lib.mdDoc "ZED's ability to send emails") // {
-        default = cfgZfs.package.enableMail;
-        defaultText = literalExpression "config.${optZfs.package}.enableMail";
+      enableMail = mkOption {
+        type = types.bool;
+        default = config.services.mail.sendmailSetuidWrapper != null;
+        defaultText = literalExpression ''
+          config.services.mail.sendmailSetuidWrapper != null
+        '';
+        description = mdDoc ''
+          Whether to enable ZED's ability to send emails.
+        '';
       };
 
       settings = mkOption {
@@ -551,14 +558,6 @@ in
           message = "The kernel module and the userspace tooling versions are not matching, this is an unsupported usecase.";
         }
         {
-          assertion = cfgZED.enableMail -> cfgZfs.package.enableMail;
-          message = ''
-            To allow ZED to send emails, ZFS needs to be configured to enable
-            this. To do so, one must override the `zfs` package and set
-            `enableMail` to true.
-          '';
-        }
-        {
           assertion = config.networking.hostId != null;
           message = "ZFS requires networking.hostId to be set";
         }
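Review bot: The assertion removed here was the only guard for `enableMail` on a host that cannot send mail, and nothing replaces it even though the new `ZED_EMAIL_PROG` in the `@@ -668,10 +667,17 @@` hunk dereferences `config.services.mail.sendmailSetuidWrapper.program`. When a user sets `services.zfs.zed.enableMail = true` explicitly on a system where that wrapper is null, evaluation now appears to fail on that attribute access with a generic "value is null" error instead of the descriptive message this block used to give. Suggest a replacement entry in this list: `{ assertion = cfgZED.enableMail -> config.services.mail.sendmailSetuidWrapper != null; message = "services.zfs.zed.enableMail requires an MTA that provides services.mail.sendmailSetuidWrapper"; }`. The assertions list continues outside the hunk on both sides.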
@@ -668,10 +667,17 @@ in
       # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem.
       boot.loader.grub = mkIf (inInitrd || inSystem) {
         zfsSupport = true;
+        zfsPackage = cfgZfs.package;
       };
 
       services.zfs.zed.settings = {
-        ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault "${pkgs.mailutils}/bin/mail");
+        ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault (
+          config.security.wrapperDir + "/" +
+          config.services.mail.sendmailSetuidWrapper.program
+        ));
+        # subject in header for sendmail
+        ZED_EMAIL_OPTS = mkIf cfgZED.enableMail (mkDefault "@ADDRESS@");
+
         PATH = lib.makeBinPath [
           cfgZfs.package
           pkgs.coreutils
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 298add13437a0..2b2d24a64cb20 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1396,6 +1396,8 @@ in
       "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
       "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6);
       "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
+      # allow all users to do ICMP echo requests (ping)
+      "net.ipv4.ping_group_range" = mkDefault "0 2147483647";
       # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr"
       "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl;
     } // listToAttrs (forEach interfaces
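Review bot: The new `net.ipv4.ping_group_range` default grants every group id from 0 through 2147483647 the ability to open unprivileged ICMP echo sockets, which is a system-wide policy change rather than a plain networking tweak, and the one-line comment neither says so nor tells a reader how to revert it. Because the value is wrapped in `mkDefault` it can be overridden per host, but that is not discoverable from the comment. Suggest extending it: `# allow all users to do ICMP echo requests (ping) via unprivileged ICMP sockets; set "1 0" to restore the kernel's empty (disabled) range`. The enclosing sysctl attribute set starts outside the hunk.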
@@ -1408,9 +1410,11 @@ in
 
     systemd.services.domainname = lib.mkIf (cfg.domain != null) {
       wantedBy = [ "sysinit.target" ];
-      before = [ "sysinit.target" ];
+      before = [ "sysinit.target" "shutdown.target" ];
+      conflicts = [ "shutdown.target" ];
       unitConfig.DefaultDependencies = false;
       serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"'';
+      serviceConfig.Type = "oneshot";
     };
 
     environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; };
diff --git a/nixos/modules/tasks/snapraid.nix b/nixos/modules/tasks/snapraid.nix
deleted file mode 100644
index 9570c6b76123b..0000000000000
--- a/nixos/modules/tasks/snapraid.nix
+++ /dev/null
@@ -1,234 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let cfg = config.snapraid;
-in
-{
-  options.snapraid = with types; {
-    enable = mkEnableOption (lib.mdDoc "SnapRAID");
-    dataDisks = mkOption {
-      default = { };
-      example = {
-        d1 = "/mnt/disk1/";
-        d2 = "/mnt/disk2/";
-        d3 = "/mnt/disk3/";
-      };
-      description = lib.mdDoc "SnapRAID data disks.";
-      type = attrsOf str;
-    };
-    parityFiles = mkOption {
-      default = [ ];
-      example = [
-        "/mnt/diskp/snapraid.parity"
-        "/mnt/diskq/snapraid.2-parity"
-        "/mnt/diskr/snapraid.3-parity"
-        "/mnt/disks/snapraid.4-parity"
-        "/mnt/diskt/snapraid.5-parity"
-        "/mnt/disku/snapraid.6-parity"
-      ];
-      description = lib.mdDoc "SnapRAID parity files.";
-      type = listOf str;
-    };
-    contentFiles = mkOption {
-      default = [ ];
-      example = [
-        "/var/snapraid.content"
-        "/mnt/disk1/snapraid.content"
-        "/mnt/disk2/snapraid.content"
-      ];
-      description = lib.mdDoc "SnapRAID content list files.";
-      type = listOf str;
-    };
-    exclude = mkOption {
-      default = [ ];
-      example = [ "*.unrecoverable" "/tmp/" "/lost+found/" ];
-      description = lib.mdDoc "SnapRAID exclude directives.";
-      type = listOf str;
-    };
-    touchBeforeSync = mkOption {
-      default = true;
-      example = false;
-      description = lib.mdDoc
-        "Whether {command}`snapraid touch` should be run before {command}`snapraid sync`.";
-      type = bool;
-    };
-    sync.interval = mkOption {
-      default = "01:00";
-      example = "daily";
-      description = lib.mdDoc "How often to run {command}`snapraid sync`.";
-      type = str;
-    };
-    scrub = {
-      interval = mkOption {
-        default = "Mon *-*-* 02:00:00";
-        example = "weekly";
-        description = lib.mdDoc "How often to run {command}`snapraid scrub`.";
-        type = str;
-      };
-      plan = mkOption {
-        default = 8;
-        example = 5;
-        description = lib.mdDoc
-          "Percent of the array that should be checked by {command}`snapraid scrub`.";
-        type = int;
-      };
-      olderThan = mkOption {
-        default = 10;
-        example = 20;
-        description = lib.mdDoc
-          "Number of days since data was last scrubbed before it can be scrubbed again.";
-        type = int;
-      };
-    };
-    extraConfig = mkOption {
-      default = "";
-      example = ''
-        nohidden
-        blocksize 256
-        hashsize 16
-        autosave 500
-        pool /pool
-      '';
-      description = lib.mdDoc "Extra config options for SnapRAID.";
-      type = lines;
-    };
-  };
-
-  config =
-    let
-      nParity = builtins.length cfg.parityFiles;
-      mkPrepend = pre: s: pre + s;
-    in
-    mkIf cfg.enable {
-      assertions = [
-        {
-          assertion = nParity <= 6;
-          message = "You can have no more than six SnapRAID parity files.";
-        }
-        {
-          assertion = builtins.length cfg.contentFiles >= nParity + 1;
-          message =
-            "There must be at least one SnapRAID content file for each SnapRAID parity file plus one.";
-        }
-      ];
-
-      environment = {
-        systemPackages = with pkgs; [ snapraid ];
-
-        etc."snapraid.conf" = {
-          text = with cfg;
-            let
-              prependData = mkPrepend "data ";
-              prependContent = mkPrepend "content ";
-              prependExclude = mkPrepend "exclude ";
-            in
-            concatStringsSep "\n"
-              (map prependData
-                ((mapAttrsToList (name: value: name + " " + value)) dataDisks)
-              ++ zipListsWith (a: b: a + b)
-                ([ "parity " ] ++ map (i: toString i + "-parity ") (range 2 6))
-                parityFiles ++ map prependContent contentFiles
-              ++ map prependExclude exclude) + "\n" + extraConfig;
-        };
-      };
-
-      systemd.services = with cfg; {
-        snapraid-scrub = {
-          description = "Scrub the SnapRAID array";
-          startAt = scrub.interval;
-          serviceConfig = {
-            Type = "oneshot";
-            ExecStart = "${pkgs.snapraid}/bin/snapraid scrub -p ${
-              toString scrub.plan
-            } -o ${toString scrub.olderThan}";
-            Nice = 19;
-            IOSchedulingPriority = 7;
-            CPUSchedulingPolicy = "batch";
-
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
-            NoNewPrivileges = true;
-            PrivateDevices = true;
-            PrivateTmp = true;
-            ProtectClock = true;
-            ProtectControlGroups = true;
-            ProtectHostname = true;
-            ProtectKernelLogs = true;
-            ProtectKernelModules = true;
-            ProtectKernelTunables = true;
-            RestrictAddressFamilies = "none";
-            RestrictNamespaces = true;
-            RestrictRealtime = true;
-            RestrictSUIDSGID = true;
-            SystemCallArchitectures = "native";
-            SystemCallFilter = "@system-service";
-            SystemCallErrorNumber = "EPERM";
-            CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
-
-            ProtectSystem = "strict";
-            ProtectHome = "read-only";
-            ReadWritePaths =
-              # scrub requires access to directories containing content files
-              # to remove them if they are stale
-              let
-                contentDirs = map dirOf contentFiles;
-              in
-              unique (
-                attrValues dataDisks ++ contentDirs
-              );
-          };
-          unitConfig.After = "snapraid-sync.service";
-        };
-        snapraid-sync = {
-          description = "Synchronize the state of the SnapRAID array";
-          startAt = sync.interval;
-          serviceConfig = {
-            Type = "oneshot";
-            ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
-            Nice = 19;
-            IOSchedulingPriority = 7;
-            CPUSchedulingPolicy = "batch";
-
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
-            NoNewPrivileges = true;
-            PrivateTmp = true;
-            ProtectClock = true;
-            ProtectControlGroups = true;
-            ProtectHostname = true;
-            ProtectKernelLogs = true;
-            ProtectKernelModules = true;
-            ProtectKernelTunables = true;
-            RestrictAddressFamilies = "none";
-            RestrictNamespaces = true;
-            RestrictRealtime = true;
-            RestrictSUIDSGID = true;
-            SystemCallArchitectures = "native";
-            SystemCallFilter = "@system-service";
-            SystemCallErrorNumber = "EPERM";
-            CapabilityBoundingSet = "CAP_DAC_OVERRIDE" +
-              lib.optionalString cfg.touchBeforeSync " CAP_FOWNER";
-
-            ProtectSystem = "strict";
-            ProtectHome = "read-only";
-            ReadWritePaths =
-              # sync requires access to directories containing content files
-              # to remove them if they are stale
-              let
-                contentDirs = map dirOf contentFiles;
-                # Multiple "split" parity files can be specified in a single
-                # "parityFile", separated by a comma.
-                # https://www.snapraid.it/manual#7.1
-                splitParityFiles = map (s: splitString "," s) parityFiles;
-              in
-              unique (
-                attrValues dataDisks ++ splitParityFiles ++ contentDirs
-              );
-          } // optionalAttrs touchBeforeSync {
-            ExecStartPre = "${pkgs.snapraid}/bin/snapraid touch";
-          };
-        };
-      };
-    };
-}
diff --git a/nixos/modules/tasks/trackpoint.nix b/nixos/modules/tasks/trackpoint.nix
index d197a0feb337c..317613b847927 100644
--- a/nixos/modules/tasks/trackpoint.nix
+++ b/nixos/modules/tasks/trackpoint.nix
@@ -80,10 +80,17 @@ with lib;
         ACTION=="add|change", SUBSYSTEM=="input", ATTR{name}=="${cfg.device}", ATTR{device/speed}="${toString cfg.speed}", ATTR{device/sensitivity}="${toString cfg.sensitivity}"
       '';
 
-      system.activationScripts.trackpoint =
-        ''
-          ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}"
+      systemd.services.trackpoint = {
+        wantedBy = [ "sysinit.target" ] ;
+        before = [ "sysinit.target" "shutdown.target" ];
+        conflicts = [ "shutdown.target" ];
+        unitConfig.DefaultDependencies = false;
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
+        serviceConfig.ExecStart = ''
+          ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}
         '';
+      };
     })
 
     (mkIf (cfg.emulateWheel) {
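Review bot: The new `ExecStart` line `${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}` drops the closing double quote that the removed activation script had, so the generated `ExecStart=` carries an unbalanced quote, and the multi-line `''` string also appends a trailing newline to the value; systemd will most likely reject the line as unbalanced quoting or mis-parse the device name. The `domainname` service changed in this same commit uses a single-line string, so match it: `serviceConfig.ExecStart = ''${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}"'';`. A minor style point: `wantedBy = [ "sysinit.target" ] ;` has a stray space before the semicolon. The enclosing `mkIf` block starts outside the hunk.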