diff options
author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-03-03 00:02:18 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-03 00:02:18 +0000 |
commit | 26d76ed9a52d644f7edb9a1712f2f3ad27196efa (patch) | |
tree | 6832616c740679c40f8f9495ba4431c2cd7840c0 /nixos | |
parent | 8a6c6d58fc729947d4f768876641791d6e42f82e (diff) | |
parent | af9110471a6e75d5eb30b2d625953aa18887dca5 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/paperless.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/photoprism.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 11 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix | 73 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 4 | ||||
-rw-r--r-- | nixos/tests/systemd-boot.nix | 38 |
8 files changed, 99 insertions, 32 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 627427262da63..26304046b8cd5 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -719,6 +719,7 @@ ./services/misc/libreddit.nix ./services/misc/lidarr.nix ./services/misc/lifecycled.nix + ./services/misc/llama-cpp.nix ./services/misc/logkeys.nix ./services/misc/mame.nix ./services/misc/mbpfan.nix diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index ab042e4b6ee2a..9314c4f3848d8 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -342,6 +342,7 @@ in User = cfg.user; Restart = "on-failure"; + LimitNOFILE = 65536; # gunicorn needs setuid, liblapack needs mbind SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ]; # Needs to serve web page diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 08f90dcf59d80..5cda4a00a9de5 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -45,7 +45,7 @@ let }; }; - webroot = pkgs.runCommand + webroot = pkgs.runCommandLocal "${cfg.package.name or "nextcloud"}-with-apps" { } '' diff --git a/nixos/modules/services/web-apps/photoprism.nix b/nixos/modules/services/web-apps/photoprism.nix index ccf995fccf3e5..39eb7c65c6359 100644 --- a/nixos/modules/services/web-apps/photoprism.nix +++ b/nixos/modules/services/web-apps/photoprism.nix @@ -104,6 +104,7 @@ in StateDirectory = "photoprism"; WorkingDirectory = "/var/lib/photoprism"; RuntimeDirectory = "photoprism"; + ReadWritePaths = [ cfg.originalsPath cfg.importPath cfg.storagePath ]; LoadCredential = lib.optionalString (cfg.passwordFile != null) "PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}"; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 258cf622a894a..03bff1dee5b9d 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -43,6 +43,7 @@ class BootSpec: system: str toplevel: str specialisations: Dict[str, "BootSpec"] + sortKey: str initrdSecrets: str | None = None @@ -73,6 +74,7 @@ def system_dir(profile: str | None, generation: int, specialisation: str | None) return d BOOT_ENTRY = """title {title} +sort-key {sort_key} version Generation {generation} {description} linux {kernel} initrd {initrd} @@ -123,7 +125,13 @@ def get_bootspec(profile: str | None, generation: int) -> BootSpec: def bootspec_from_json(bootspec_json: Dict) -> BootSpec: specialisations = bootspec_json['org.nixos.specialisation.v1'] specialisations = {k: bootspec_from_json(v) for k, v in specialisations.items()} - return BootSpec(**bootspec_json['org.nixos.bootspec.v1'], specialisations=specialisations) + systemdBootExtension = bootspec_json.get('org.nixos.systemd-boot', {}) + sortKey = systemdBootExtension.get('sortKey', 'nixos') + return BootSpec( + **bootspec_json['org.nixos.bootspec.v1'], + specialisations=specialisations, + sortKey=sortKey + ) def copy_from_file(file: str, dry_run: bool = False) -> str: @@ -170,6 +178,7 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None with open(tmp_path, 'w') as f: f.write(BOOT_ENTRY.format(title=title, + sort_key=bootspec.sortKey, generation=generation, kernel=kernel, initrd=initrd, diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 645b764760dad..ba07506266e26 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -87,6 +87,16 @@ in { imports = [ (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "enable" ] [ "boot" "loader" "systemd-boot" "enable" ]) + (lib.mkChangedOptionModule + [ "boot" "loader" "systemd-boot" "memtest86" "entryFilename" ] + [ "boot" "loader" "systemd-boot" "memtest86" "sortKey" ] + (config: lib.strings.removeSuffix ".conf" config.boot.loader.systemd-boot.memtest86.entryFilename) + ) + (lib.mkChangedOptionModule + [ "boot" "loader" "systemd-boot" "netbootxyz" "entryFilename" ] + [ "boot" "loader" "systemd-boot" "netbootxyz" "sortKey" ] + (config: lib.strings.removeSuffix ".conf" config.boot.loader.systemd-boot.netbootxyz.entryFilename) + ) ]; options.boot.loader.systemd-boot = { @@ -102,6 +112,35 @@ in { ''; }; + sortKey = mkOption { + default = "nixos"; + type = lib.types.str; + description = '' + The sort key used for the NixOS bootloader entries. + This key determines sorting relative to non-NixOS entries. + See also https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting + + This option can also be used to control the sorting of NixOS specialisations. + + By default, specialisations inherit the sort key of their parent generation + and will have the same value for both the sort-key and the version (i.e. the generation number), + systemd-boot will therefore sort them based on their file name, meaning that + in your boot menu you will have each main generation directly followed by + its specialisations sorted alphabetically by their names. + + If you want a different ordering for a specialisation, you can override + its sort-key which will cause the specialisation to be uncoupled from its + parent generation. It will then be sorted by its new sort-key just like + any other boot entry. + + The sort-key is stored in the generation's bootspec, which means that + generations keep their sort-keys even if the original definition of the + generation was removed from the NixOS configuration. + It also means that updating the sort-key will only affect new generations, + while old ones will keep the sort-key that they were originally built with. + ''; + }; + editor = mkOption { default = true; @@ -184,13 +223,15 @@ in { ''; }; - entryFilename = mkOption { - default = "memtest86.conf"; + sortKey = mkOption { + default = "o_memtest86"; type = types.str; description = lib.mdDoc '' - `systemd-boot` orders the menu entries by the config file names, + `systemd-boot` orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with {file}`o` or onwards. + + See also {option}`boot.loader.systemd-boot.sortKey`. ''; }; }; @@ -207,13 +248,15 @@ in { ''; }; - entryFilename = mkOption { - default = "o_netbootxyz.conf"; + sortKey = mkOption { + default = "o_netbootxyz"; type = types.str; description = lib.mdDoc '' - `systemd-boot` orders the menu entries by the config file names, + `systemd-boot` orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with {file}`o` or onwards. + + See also {option}`boot.loader.systemd-boot.sortKey`. ''; }; }; @@ -225,6 +268,7 @@ in { { "memtest86.conf" = ''' title Memtest86+ efi /efi/memtest86/memtest.efi + sort-key z_memtest '''; } ''; description = lib.mdDoc '' @@ -233,9 +277,10 @@ in { Each attribute name denotes the destination file name, and the corresponding attribute value is the contents of the entry. - `systemd-boot` orders the menu entries by the config file names, - so if you want something to appear after all the NixOS entries, - it should start with {file}`o` or onwards. + To control the ordering of the entry in the boot menu, use the sort-key + field, see + https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting + and {option}`boot.loader.systemd-boot.sortKey`. ''; }; @@ -328,19 +373,25 @@ in { boot.loader.systemd-boot.extraEntries = mkMerge [ (mkIf cfg.memtest86.enable { - "${cfg.memtest86.entryFilename}" = '' + "memtest86.conf" = '' title Memtest86+ efi /efi/memtest86/memtest.efi + sort-key ${cfg.memtest86.sortKey} ''; }) (mkIf cfg.netbootxyz.enable { - "${cfg.netbootxyz.entryFilename}" = '' + "netbootxyz.conf" = '' title netboot.xyz efi /efi/netbootxyz/netboot.xyz.efi + sort-key ${cfg.netbootxyz.sortKey} ''; }) ]; + boot.bootspec.extensions."org.nixos.systemd-boot" = { + inherit (config.boot.loader.systemd-boot) sortKey; + }; + system = { build.installBootLoader = finalSystemdBootBuilder; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 75ba6dacc122c..b5a8b08eee70d 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -877,11 +877,9 @@ in type = types.package; default = (pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; - systemManagementModeRequired = cfg.useSecureBoot; }).fd; defaultText = ''(pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; - systemManagementModeRequired = cfg.useSecureBoot; }).fd''; description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed."; @@ -1185,7 +1183,7 @@ in "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" ]) - (mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [ + (mkIf (pkgs.stdenv.hostPlatform.isx86 && cfg.efi.OVMF.systemManagementModeRequired) [ "-machine" "q35,smm=on" "-global" "driver=cfi.pflash01,property=secure,value=on" ]) diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix index 1b7e83253e59e..54c380602bd40 100644 --- a/nixos/tests/systemd-boot.nix +++ b/nixos/tests/systemd-boot.nix @@ -93,6 +93,7 @@ in machine.wait_for_unit("multi-user.target") machine.succeed("test -e /boot/loader/entries/nixos-generation-1.conf") + machine.succeed("grep 'sort-key nixos' /boot/loader/entries/nixos-generation-1.conf") # Ensure we actually booted using systemd-boot # Magic number is the vendor UUID used by systemd-boot. @@ -115,15 +116,17 @@ in virtualisation.useSecureBoot = true; }; - testScript = '' + testScript = let + efiArch = pkgs.stdenv.hostPlatform.efiArch; + in { nodes, ... }: '' machine.start(allow_reboot=True) machine.wait_for_unit("multi-user.target") machine.succeed("sbctl create-keys") machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine") - machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi') - machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI') - machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi') + machine.succeed('sbctl sign /boot/EFI/systemd/systemd-boot${efiArch}.efi') + machine.succeed('sbctl sign /boot/EFI/BOOT/BOOT${toUpper efiArch}.EFI') + machine.succeed('sbctl sign /boot/EFI/nixos/*${nodes.machine.system.boot.loader.kernelFile}.efi') machine.reboot() @@ -164,7 +167,9 @@ in nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; - specialisation.something.configuration = {}; + specialisation.something.configuration = { + boot.loader.systemd-boot.sortKey = "something"; + }; }; testScript = '' @@ -177,6 +182,9 @@ in machine.succeed( "grep -q 'title NixOS (something)' /boot/loader/entries/nixos-generation-1-specialisation-something.conf" ) + machine.succeed( + "grep 'sort-key something' /boot/loader/entries/nixos-generation-1-specialisation-something.conf" + ) ''; }; @@ -254,25 +262,25 @@ in }; testScript = '' - machine.succeed("test -e /boot/loader/entries/o_netbootxyz.conf") + machine.succeed("test -e /boot/loader/entries/netbootxyz.conf") machine.succeed("test -e /boot/efi/netbootxyz/netboot.xyz.efi") ''; }; - entryFilename = makeTest { - name = "systemd-boot-entry-filename"; + memtestSortKey = makeTest { + name = "systemd-boot-memtest-sortkey"; meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; boot.loader.systemd-boot.memtest86.enable = true; - boot.loader.systemd-boot.memtest86.entryFilename = "apple.conf"; + boot.loader.systemd-boot.memtest86.sortKey = "apple"; }; testScript = '' - machine.fail("test -e /boot/loader/entries/memtest86.conf") - machine.succeed("test -e /boot/loader/entries/apple.conf") + machine.succeed("test -e /boot/loader/entries/memtest86.conf") machine.succeed("test -e /boot/efi/memtest86/memtest.efi") + machine.succeed("grep 'sort-key apple' /boot/loader/entries/memtest86.conf") ''; }; @@ -283,7 +291,6 @@ in nodes.machine = { pkgs, lib, ... }: { imports = [ commonXbootldr ]; boot.loader.systemd-boot.memtest86.enable = true; - boot.loader.systemd-boot.memtest86.entryFilename = "apple.conf"; }; testScript = { nodes, ... }: '' @@ -293,8 +300,7 @@ in machine.wait_for_unit("multi-user.target") machine.succeed("test -e /efi/EFI/systemd/systemd-bootx64.efi") - machine.fail("test -e /boot/loader/entries/memtest86.conf") - machine.succeed("test -e /boot/loader/entries/apple.conf") + machine.succeed("test -e /boot/loader/entries/memtest86.conf") machine.succeed("test -e /boot/EFI/memtest86/memtest.efi") ''; }; @@ -386,9 +392,9 @@ in machine.succeed("${finalSystem}/bin/switch-to-configuration boot") machine.fail("test -e /boot/efi/fruits/tomato.efi") machine.fail("test -e /boot/efi/nixos/.extra-files/efi/fruits/tomato.efi") - machine.succeed("test -e /boot/loader/entries/o_netbootxyz.conf") + machine.succeed("test -e /boot/loader/entries/netbootxyz.conf") machine.succeed("test -e /boot/efi/netbootxyz/netboot.xyz.efi") - machine.succeed("test -e /boot/efi/nixos/.extra-files/loader/entries/o_netbootxyz.conf") + machine.succeed("test -e /boot/efi/nixos/.extra-files/loader/entries/netbootxyz.conf") machine.succeed("test -e /boot/efi/nixos/.extra-files/efi/netbootxyz/netboot.xyz.efi") ''; }; |