author | Frederik Rietdijk <fridh@fridh.nl> | 2020-09-06 18:14:23 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-09-06 18:14:23 +0200 |
commit | d362c0e54ec3bdf93054368ab559522752010758 (patch) | |
tree | fac9023f38838234fa5930d800039fe9a1311e34 /nixos | |
parent | 08eb704bc3b2cce416140e77973dbe53b6fcb17c (diff) | |
parent | 2dd41576fb97201451f535f658f13d0341ca18b6 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/man-nixos-install.xml | 16 | ||||
-rw-r--r-- | nixos/doc/manual/man-nixos-rebuild.xml | 2 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 6 | ||||
-rw-r--r-- | nixos/lib/testing-python.nix | 9 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-install.sh | 73 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-rebuild.sh | 10 | ||||
-rw-r--r-- | nixos/modules/installer/tools/tools.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/games/terraria.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/mail/opendkim.nix | 30 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 17 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.xml | 6 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/cachefilesd.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/networking/syncthing.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/phpfpm/default.nix | 1 | ||||
-rw-r--r-- | nixos/modules/testing/test-instrumentation.nix | 9 |
15 files changed, 177 insertions, 53 deletions
diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index 84849282e9abd..b205e23096875 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml @@ -46,6 +46,10 @@ </arg> <arg> + <option>--flake</option> <replaceable>flake-uri</replaceable> + </arg> + + <arg> <arg choice='plain'> <option>--channel</option> </arg> @@ -200,6 +204,18 @@ </listitem> </varlistentry> <varlistentry> + <term> + <option>--flake</option> <replaceable>flake-uri</replaceable>#<replaceable>name</replaceable> + </term> + <listitem> + <para> + Build the NixOS system from the specified flake. + The flake must contain an output named + <literal>nixosConfigurations.<replaceable>name</replaceable></literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> <term> <option>--channel</option> </term> diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index f70f08a0f8a77..7dab5c69dfb5f 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -521,7 +521,7 @@ <varlistentry> <term> - <option>--flake</option> <replaceable>flake-uri</replaceable>[<replaceable>name</replaceable>] + <option>--flake</option> <replaceable>flake-uri</replaceable><optional>#<replaceable>name</replaceable></optional> </term> <listitem> <para> diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 0a76bffd5c98d..7d11d422e3025 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -1059,6 +1059,12 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; removed, as it depends on libraries from deepin. </para> </listitem> + <listitem> + <para> + The <literal>opendkim</literal> module now uses systemd sandboxing features + to limit the exposure of the system towards the opendkim service. + </para> + </listitem> </itemizedlist> </section> </section> 
diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index c6939c7d6989c..76a2022082c54 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -63,18 +63,12 @@ rec { mkdir -p $out LOGFILE=/dev/null tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver - - for i in */xchg/coverage-data; do - mkdir -p $out/coverage-data - mv $i $out/coverage-data/$(dirname $(dirname $i)) - done ''; }; makeTest = { testScript - , makeCoverageReport ? false , enableOCR ? false , name ? "unnamed" # Skip linting (mainly intended for faster dev cycles) @@ -153,7 +147,6 @@ rec { }; test = passMeta (runTests driver); - report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; }); nodeNames = builtins.attrNames nodes; invalidNodeNames = lib.filter @@ -169,7 +162,7 @@ rec { Please stick to alphanumeric chars and underscores as separation. '' else - (if makeCoverageReport then report else test) // { + test // { inherit nodes driver test; }; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index e0252befdfdcb..a180d1bc4c191 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -10,6 +10,7 @@ umask 0022 # Parse the command line for the -I flag extraBuildFlags=() +flakeFlags=() mountPoint=/mnt channelPath= @@ -34,6 +35,23 @@ while [ "$#" -gt 0 ]; do --system|--closure) system="$1"; shift 1 ;; + --flake) + flake="$1" + flakeFlags=(--experimental-features 'nix-command flakes') + shift 1 + ;; + --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file) + lockFlags+=("$i") + ;; + --update-input) + j="$1"; shift 1 + lockFlags+=("$i" "$j") + ;; + --override-input) + j="$1"; shift 1 + k="$1"; shift 1 + lockFlags+=("$i" "$j" "$k") + ;; --channel) channelPath="$1"; shift 1 ;; 
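Review bot: The new `--recreate-lock-file|…`, `--update-input` and `--override-input` cases append to `lockFlags`, but nothing in this file initialises that array: the first hunk adds `flakeFlags=()` beside `extraBuildFlags=()` and leaves `lockFlags` unset, whereas nixos-rebuild.sh (same page) declares `lockFlags=()` in the equivalent spot. Bash tolerates `+=` on an unset array, but if this script runs under `set -u` on a bash older than 4.4 (not visible here), the later `"${lockFlags[@]}"` expansions abort the install even when no lock flag was given. Adding `lockFlags=()` next to `flakeFlags=()` removes that dependency on shell version. The option-parsing loop these cases belong to starts and ends outside the hunk.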
@@ -92,14 +110,32 @@ if [[ ${NIXOS_CONFIG:0:1} != / ]]; then exit 1 fi -if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then +if [[ -n $flake ]]; then + if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then + flake="${BASH_REMATCH[1]}" + flakeAttr="${BASH_REMATCH[2]}" + fi + if [[ -z "$flakeAttr" ]]; then + echo "Please specify the name of the NixOS configuration to be installed, as a URI fragment in the flake-uri." + echo "For example, to use the output nixosConfigurations.foo from the flake.nix, append \"#foo\" to the flake-uri." + exit 1 + fi + flakeAttr="nixosConfigurations.\"$flakeAttr\"" +fi + +# Resolve the flake. +if [[ -n $flake ]]; then + flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) +fi + +if [[ ! -e $NIXOS_CONFIG && -z $system && -z $flake ]]; then echo "configuration file $NIXOS_CONFIG doesn't exist" exit 1 fi # A place to drop temporary stuff. -tmpdir="$(mktemp -d -p $mountPoint)" -trap "rm -rf $tmpdir" EXIT +tmpdir="$(mktemp -d -p "$mountPoint")" +trap 'rm -rf $tmpdir' EXIT # store temporary files on target filesystem by default export TMPDIR=${TMPDIR:-$tmpdir} 
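Review bot: In the "Resolve the flake" block, `flake=$(nix … flake info --json … | jq -r .url)` is a pipeline whose exit status is jq's, and no `pipefail` is visible in this hunk, so a failed `nix flake info` leaves `$flake` empty or `null`; the script has already passed the `-z $flake` check above and will later run `nix build` against a meaningless flake reference with a confusing error instead of the resolver's message. Either `set -o pipefail` before the pipeline or guard the result, e.g. `if [[ -z $flake || $flake == null ]]; then echo "failed to resolve flake"; exit 1; fi`. Failing loudly at the point where an externally supplied flake URI is first fetched is the safer default for an installer. The `NIXOS_CONFIG` validation this hunk continues starts outside the hunk.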
@@ -108,12 +144,19 @@ sub="auto?trusted=1" # Build the system configuration in the target filesystem. if [[ -z $system ]]; then - echo "building the configuration in $NIXOS_CONFIG..." outLink="$tmpdir/system" - nix-build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ - --extra-substituters "$sub" \ - '<nixpkgs/nixos>' -A system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} - system=$(readlink -f $outLink) + if [[ -z $flake ]]; then + echo "building the configuration in $NIXOS_CONFIG..." + nix-build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + '<nixpkgs/nixos>' -A system -I "nixos-config=$NIXOS_CONFIG" "${verbosity[@]}" + else + echo "building the flake in $flake..." + nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" \ + --extra-substituters "$sub" "${verbosity[@]}" \ + "${extraBuildFlags[@]}" "${lockFlags[@]}" --out-link "$outLink" + fi + system=$(readlink -f "$outLink") fi # Set the system profile to point to the configuration. TODO: combine @@ -121,7 +164,7 @@ fi # a progress bar. nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/system --set "$system" ${verbosity[@]} + -p "$mountPoint"/nix/var/nix/profiles/system --set "$system" "${verbosity[@]}" # Copy the NixOS/Nixpkgs sources to the target as the initial contents # of the NixOS channel. 
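Review bot: The new flake branch passes `--extra-substituters "$sub"` but not `--store "$mountPoint"`, while the `nix-build` branch directly above it passes both, so `nix build` realises `config.system.build.toplevel` in the host's store rather than the target's. The following `nix-env --store "$mountPoint" … --set "$system"` may still succeed by pulling the closure through the `auto?trusted=1` substituter, but that means the system closure is materialised twice (on the install medium and on the target) and the two code paths behave differently; unless that is intended, add `--store "$mountPoint"` to the `nix build` call so both branches build into the target store. The enclosing `if [[ -z $system ]]` block is entirely inside the hunk.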
@@ -131,12 +174,12 @@ if [[ -z $noChannelCopy ]]; then fi if [[ -n $channelPath ]]; then echo "copying channel..." - mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root + mkdir -p "$mountPoint"/nix/var/nix/profiles/per-user/root nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \ - ${verbosity[@]} - install -m 0700 -d $mountPoint/root/.nix-defexpr - ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels + -p "$mountPoint"/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \ + "${verbosity[@]}" + install -m 0700 -d "$mountPoint"/root/.nix-defexpr + ln -sfn /nix/var/nix/profiles/per-user/root/channels "$mountPoint"/root/.nix-defexpr/channels fi fi @@ -150,7 +193,7 @@ touch "$mountPoint/etc/NIXOS" if [[ -z $noBootLoader ]]; then echo "installing the boot loader..." # Grub needs an mtab. - ln -sfn /proc/mounts $mountPoint/etc/mtab + ln -sfn /proc/mounts "$mountPoint"/etc/mtab NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot fi diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index ed9c2509b6b64..ad40fd2811dc4 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -17,6 +17,7 @@ showSyntax() { origArgs=("$@") extraBuildFlags=() lockFlags=() +flakeFlags=() action= buildNix=1 fast= @@ -99,6 +100,7 @@ while [ "$#" -gt 0 ]; do ;; --flake) flake="$1" + flakeFlags=(--experimental-features 'nix-command flakes') shift 1 ;; --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file) 
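Review bot: In nixos-rebuild.sh, `flakeFlags` is only populated inside the `--flake)` case, so any other path that ends up setting `$flake` (for instance an automatic flake detection elsewhere in the script, which I cannot see from this hunk) would reach `nix flake info`/`nix build` without `--experimental-features 'nix-command flakes'` and fail on a Nix whose configuration does not enable them. Deriving the flags from the variable rather than from the option, e.g. `[[ -n $flake ]] && flakeFlags=(--experimental-features 'nix-command flakes')` placed just before the "Resolve the flake" block, keeps the two in step. The option-parsing loop starts and ends outside the hunk.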
@@ -281,7 +283,7 @@ fi # Resolve the flake. if [[ -n $flake ]]; then - flake=$(nix flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) + flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) fi # Find configuration.nix and open editor instead of building. @@ -293,7 +295,7 @@ if [ "$action" = edit ]; then fi exec ${EDITOR:-nano} "$NIXOS_CONFIG" else - exec nix edit "${lockFlags[@]}" -- "$flake#$flakeAttr" + exec nix "${flakeFlags[@]}" edit "${lockFlags[@]}" -- "$flake#$flakeAttr" fi exit 1 fi @@ -419,7 +421,7 @@ if [ -z "$rollback" ]; then pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")" else outLink=$tmpDir/result - nix build "$flake#$flakeAttr.config.system.build.toplevel" \ + nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" \ "${extraBuildFlags[@]}" "${lockFlags[@]}" --out-link $outLink pathToConfig="$(readlink -f $outLink)" fi @@ -429,7 +431,7 @@ if [ -z "$rollback" ]; then if [[ -z $flake ]]; then pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")" else - nix build "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}" + nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}" pathToConfig="$(readlink -f ./result)" fi elif [ "$action" = build-vm ]; then diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 1582f04930948..26fc8fb402e65 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -22,7 +22,7 @@ let src = ./nixos-install.sh; inherit (pkgs) runtimeShell; nix = config.nix.package.out; - path = makeBinPath [ nixos-enter ]; + path = makeBinPath [ pkgs.nixUnstable nixos-enter ]; }; nixos-rebuild = 
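Review bot: nixos-install.sh now pipes `nix flake info --json` into `jq`, but this hunk only adds `pkgs.nixUnstable` and `nixos-enter` to the wrapper's `path`; unless `jq` is already guaranteed on the installer's PATH (not visible here), `nixos-install --flake` dies with `jq: command not found` after the flake has been fetched. `path = makeBinPath [ pkgs.nixUnstable pkgs.jq nixos-enter ];` makes the script self-contained. Note also that putting `nixUnstable` first on PATH means every plain `nix-build`/`nix-env` call in the installer now uses the unstable Nix instead of `config.nix.package` (which is substituted separately as `nix`); that is presumably intended for flake support but deserves a comment on this line.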
diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix index 413660321ec3c..34c8ff137d6a2 100644 --- a/nixos/modules/services/games/terraria.nix +++ b/nixos/modules/services/games/terraria.nix @@ -25,7 +25,7 @@ let exit 0 fi - ${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock send-keys Enter exit Enter + ${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock send-keys Enter exit Enter ${getBin pkgs.coreutils}/bin/tail --pid="$1" -f /dev/null ''; in @@ -36,7 +36,7 @@ in type = types.bool; default = false; description = '' - If enabled, starts a Terraria server. The server can be connected to via <literal>tmux -S /var/lib/terraria/terraria.sock attach</literal> + If enabled, starts a Terraria server. The server can be connected to via <literal>tmux -S ${cfg.dataDir}/terraria.sock attach</literal> for administration by users who are a part of the <literal>terraria</literal> group (use <literal>C-b d</literal> shortcut to detach again). ''; }; @@ -111,13 +111,19 @@ in default = false; description = "Disables automatic Universal Plug and Play."; }; + dataDir = mkOption { + type = types.str; + default = "/var/lib/terraria"; + example = "/srv/terraria"; + description = "Path to variable state data directory for terraria."; + }; }; }; config = mkIf cfg.enable { users.users.terraria = { description = "Terraria server service user"; - home = "/var/lib/terraria"; + home = cfg.dataDir; createHome = true; uid = config.ids.uids.terraria; }; 
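Review bot: The new `dataDir` option is declared as `types.str` although it is spliced unquoted into the tmux socket path used by `ExecStart`, `postStart` and the stop script, and becomes the service user's home with `createHome = true`; `types.str` accepts an empty or relative value, which would make `-S ${cfg.dataDir}/terraria.sock` resolve against an unspecified working directory. `type = types.path;` rejects those cases at evaluation time, and the description should state that the directory is created as the `terraria` user's home. The enclosing `options` and `config` attrsets start and end outside the hunk.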
@@ -136,13 +142,13 @@ in User = "terraria"; Type = "forking"; GuessMainPID = true; - ExecStart = "${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}"; + ExecStart = "${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}"; ExecStop = "${stopScript} $MAINPID"; }; postStart = '' - ${pkgs.coreutils}/bin/chmod 660 /var/lib/terraria/terraria.sock - ${pkgs.coreutils}/bin/chgrp terraria /var/lib/terraria/terraria.sock + ${pkgs.coreutils}/bin/chmod 660 ${cfg.dataDir}/terraria.sock + ${pkgs.coreutils}/bin/chgrp terraria ${cfg.dataDir}/terraria.sock ''; }; }; diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index eb6a426684d42..9bf6f338d93ed 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -129,6 +129,36 @@ in { User = cfg.user; Group = cfg.group; RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim"; + StateDirectory = "opendkim"; + StateDirectoryMode = "0700"; + ReadWritePaths = [ cfg.keyPath ]; + + AmbientCapabilities = []; + CapabilityBoundingSet = []; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @resources" ]; + UMask = "0077"; }; }; 
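Review bot: `${cfg.dataDir}` is interpolated unquoted in `ExecStart` and in both `postStart` lines, so a data directory containing whitespace is split into separate arguments by systemd and by the shell; quote the three uses, e.g. `-S "${cfg.dataDir}/terraria.sock"` in `ExecStart` and `chmod 660 "${cfg.dataDir}/terraria.sock"` / `chgrp terraria "${cfg.dataDir}/terraria.sock"` in `postStart`. Separately, `postStart` adjusts the socket only after tmux has created it, so there is a brief window where the socket has tmux's default mode and group; a comment acknowledging that, or setting `UMask` on the unit if tmux honours it (not verifiable here), would help. The `serviceConfig` attrset starts outside the hunk.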
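Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];` mixes one family per element with two families in a single string; systemd accepts a space-separated list per directive so it works, but it reads like a typo and will mislead the next edit, so write `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];`. Two points worth a comment: `ReadWritePaths = [ cfg.keyPath ]` (presumably for key generation, which is outside this hunk) keeps the DKIM signing keys writable by the service for its whole lifetime under an otherwise `ProtectSystem = "strict"` policy, so a compromised opendkim can overwrite its own keys — if keys are pre-provisioned, a `ReadOnlyPaths` alternative is stricter; and the combination of `SystemCallFilter = [ "@system-service" "~@privileged @resources" ]` with `MemoryDenyWriteExecute = true` should be exercised by the module test now that the release note advertises the sandboxing. The `serviceConfig` attrset starts outside the hunk.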
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 425f35f37cb6d..9896b8023e441 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -783,6 +783,23 @@ in { }; }; + systemd.services.gitlab-mailroom = mkIf (gitlabConfig.production.incoming_email.enabled or false) { + description = "GitLab incoming mail daemon"; + after = [ "network.target" "redis.service" "gitlab.service" ]; # gitlab.service creates configs + wantedBy = [ "multi-user.target" ]; + environment = gitlabEnv; + serviceConfig = { + Type = "simple"; + TimeoutSec = "infinity"; + Restart = "on-failure"; + + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec mail_room -c ${cfg.packages.gitlab}/share/gitlab/config.dist/mail_room.yml"; + WorkingDirectory = gitlabEnv.HOME; + }; + }; + systemd.services.gitlab = { after = [ "gitlab-workhorse.service" "gitaly.service" "network.target" "gitlab-postgresql.service" "redis.service" ]; requires = [ "gitlab-sidekiq.service" ]; diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml index b6171a9a194c1..19a3df0a5f663 100644 --- a/nixos/modules/services/misc/gitlab.xml +++ b/nixos/modules/services/misc/gitlab.xml @@ -98,6 +98,12 @@ services.gitlab = { </para> <para> + When <literal>icoming_mail.enabled</literal> is set to <literal>true</literal> + in <link linkend="opt-services.gitlab.extraConfig">extraConfig</link> an additional + service called <literal>gitlab-mailroom</literal> is enabled for fetching incoming mail. + </para> + + <para> Refer to <xref linkend="ch-options" /> for all available configuration options for the <link linkend="opt-services.gitlab.enable">services.gitlab</link> module. diff --git a/nixos/modules/services/network-filesystems/cachefilesd.nix b/nixos/modules/services/network-filesystems/cachefilesd.nix index 619813408405f..229c9665419f5 100644 
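Review bot: `gitlab-mailroom` is ordered `after = [ … "gitlab.service" ]` with a comment that gitlab.service creates the configs, but nothing ties it to that unit: without `requires`/`bindsTo` (gitlab.service itself uses `requires = [ "gitlab-sidekiq.service" ]` a few lines below), the mailroom can be started alone, read a missing or stale config, and spin in its `Restart = "on-failure"` loop. Adding `requires = [ "gitlab.service" ];` (or `partOf = [ "gitlab.service" ];` so it restarts together with GitLab) fixes that. The unit also carries none of the systemd hardening options although it presumably handles the IMAP credentials for incoming mail, so a confinement block comparable to whatever the other gitlab units use is worth considering. Note too that the manual text on this page refers to the enabling key as `icoming_mail.enabled`, whereas the condition here reads `incoming_email.enabled`; one of the two is wrong.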
--- a/nixos/modules/services/network-filesystems/cachefilesd.nix +++ b/nixos/modules/services/network-filesystems/cachefilesd.nix @@ -43,17 +43,21 @@ in config = mkIf cfg.enable { + boot.kernelModules = [ "cachefiles" ]; + systemd.services.cachefilesd = { description = "Local network file caching management daemon"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.kmod pkgs.cachefilesd ]; - script = '' - modprobe -qab cachefiles - mkdir -p ${cfg.cacheDir} - chmod 700 ${cfg.cacheDir} - exec cachefilesd -n -f ${cfgFile} - ''; + serviceConfig = { + Type = "exec"; + ExecStart = "${pkgs.cachefilesd}/bin/cachefilesd -n -f ${cfgFile}"; + Restart = "on-failure"; + PrivateTmp = true; + }; }; + systemd.tmpfiles.rules = [ + "d ${cfg.cacheDir} 0700 root root - -" + ]; }; } diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index e717d78feed57..28348c7893a0d 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -18,6 +18,7 @@ let fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; ignorePerms = folder.ignorePerms; + ignoreDelete = folder.ignoreDelete; versioning = folder.versioning; }) (filterAttrs ( _: folder: @@ -284,8 +285,6 @@ in { }); }; - - rescanInterval = mkOption { type = types.int; default = 3600; @@ -327,6 +326,16 @@ in { ''; }; + ignoreDelete = mkOption { + type = types.bool; + default = false; + description = '' + Whether to delete files in destination. See <link + xlink:href="https://docs.syncthing.net/advanced/folder-ignoredelete.html"> + upstream's docs</link>. + ''; + }; + }; })); }; diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index d090885a8ca52..759eebf768db2 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix 
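Review bot: Moving the `mkdir -p`/`chmod 700` into a tmpfiles `d` line is fine, but the daemon still runs as root with `PrivateTmp` as its only confinement, and the service no longer creates the cache directory at start: if `cfg.cacheDir` sits on a separately mounted filesystem, tmpfiles may create it on the underlying filesystem before the mount is in place (hedged — depends on how the cache is deployed). `unitConfig.RequiresMountsFor = cfg.cacheDir;` keeps the ordering right, and since the module is now loaded via `boot.kernelModules`, options such as `ProtectHome = true; ProtectKernelModules = true; ProtectControlGroups = true;` look compatible but must be verified against the daemon's use of `/dev/cachefiles`. The `config = mkIf cfg.enable` attrset starts outside the hunk.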
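Review bot: The description of the new `ignoreDelete` option, "Whether to delete files in destination", states the opposite of what the option name and the linked upstream page (`folder-ignoredelete`) describe: when it is true, deletions announced by other devices are ignored and the local files are kept. Suggest `Whether to ignore deletions announced by other devices, so that files deleted remotely are kept in this folder. See <link …>upstream's docs</link>.`. Since the first hunk emits `ignoreDelete = folder.ignoreDelete;` for every folder unconditionally, the description should also say that `false` (apply deletions) is what every folder gets by default. The enclosing `folders` option type starts outside the hunk.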
@@ -277,6 +277,7 @@ in { ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; RuntimeDirectory = "phpfpm"; RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running + Restart = "always"; }; } ) cfg.pools; diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 30ffb12cbadee..c0ec76e8a3a35 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -74,15 +74,8 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; # OOM killer randomly get rid of processes, since this leads # to failures that are hard to diagnose. echo 2 > /proc/sys/vm/panic_on_oom - - # Coverage data is written into /tmp/coverage-data. - mkdir -p /tmp/xchg/coverage-data ''; - # If the kernel has been built with coverage instrumentation, make - # it available under /proc/gcov. - boot.kernelModules = [ "gcov-proc" ]; - # Panic if an error occurs in stage 1 (rather than waiting for # user intervention). boot.kernelParams = @@ -111,8 +104,6 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; networking.defaultGateway = mkOverride 150 ""; networking.nameservers = mkOverride 150 [ ]; - systemd.globalEnvironment.GCOV_PREFIX = "/tmp/xchg/coverage-data"; - system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "SERIAL_8250_CONSOLE") (isYes "SERIAL_8250") |