Diffstat (limited to 'nixos/modules/system/boot')
22 files changed, 186 insertions, 71 deletions
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index 9eeae0c3ef447..cbdf581d73a7f 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -20,8 +20,14 @@ let optionalString fixBinary "F"; in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}"; - activationSnippet = name: { interpreter, ... }: - "ln -sf ${interpreter} /run/binfmt/${name}"; + activationSnippet = name: { interpreter, ... }: '' + rm -f /run/binfmt/${name} + cat > /run/binfmt/${name} << 'EOF' + #!${pkgs.bash}/bin/sh + exec -- ${interpreter} "$@" + EOF + chmod +x /run/binfmt/${name} + ''; getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs; @@ -260,7 +266,7 @@ in { extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")} ''; nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) - ([ "/run/binfmt" ] ++ (map (system: dirOf (dirOf (getEmulator system))) cfg.emulatedSystems)); + ([ "/run/binfmt" "${pkgs.bash}" ] ++ (map (system: dirOf (dirOf (getEmulator system))) cfg.emulatedSystems)); environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf" (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations)); diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix index 71a86c74772e7..87c981b24cec9 100644 --- a/nixos/modules/system/boot/grow-partition.nix +++ b/nixos/modules/system/boot/grow-partition.nix 
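Review bot: The wrapper at /run/binfmt/${name} is rewritten in place (`rm -f`, `cat >`, `chmod +x`), so during activation there is a window in which the path is absent, or exists as a non-executable, partially written file; an exec of a foreign binary that races the activation either fails or runs a truncated script. Write the wrapper to a temporary file in the same directory and `mv -f` it over the target so the kernel only ever sees a complete, executable interpreter; `rename()` also replaces an old-generation symlink, which is what the `rm -f` was guarding against (without it `cat >` would have followed the link into the read-only store), so that intent should survive as a comment. The quoted `'EOF'` heredoc is right: nothing in the body is expanded at activation time, only `${pkgs.bash}` and `${interpreter}` at evaluation time.
```nix
activationSnippet = name: { interpreter, ... }: ''
  # Replace atomically: an exec racing this activation must never see a
  # partial or non-executable wrapper. mv -f also replaces the symlink that
  # older generations installed here.
  tmp="$(mktemp /run/binfmt/.${name}.XXXXXX)"
  cat > "$tmp" << 'EOF'
  #!${pkgs.bash}/bin/sh
  exec -- ${interpreter} "$@"
  EOF
  chmod +x "$tmp"
  mv -f "$tmp" /run/binfmt/${name}
'';
```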
@@ -20,10 +20,10 @@ with lib; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.gawk}/bin/gawk copy_bin_and_libs ${pkgs.gnused}/bin/sed - copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk - copy_bin_and_libs ${pkgs.utillinux}/sbin/lsblk + copy_bin_and_libs ${pkgs.util-linux}/sbin/sfdisk + copy_bin_and_libs ${pkgs.util-linux}/sbin/lsblk - substitute "${pkgs.cloud-utils}/bin/.growpart-wrapped" "$out/bin/growpart" \ + substitute "${pkgs.cloud-utils.guest}/bin/.growpart-wrapped" "$out/bin/growpart" \ --replace "${pkgs.bash}/bin/sh" "/bin/sh" \ --replace "awk" "gawk" \ --replace "sed" "gnused" diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index ec794d6eb014d..2a7417ed37153 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -32,8 +32,8 @@ let fi if [ -n "$dns" ]; then rm -f /etc/resolv.conf - for i in $dns; do - echo "nameserver $dns" >> /etc/resolv.conf + for server in $dns; do + echo "nameserver $server" >> /etc/resolv.conf done fi fi diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index f7ef261037090..00ac83a189724 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -159,9 +159,14 @@ in boot.initrd.extraUtilsCommandsTest = '' # sshd requires a host key to check config, so we pass in the test's + tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)" + cp "${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}" "$tmpkey" + # keys from Nix store are world-readable, which sshd doesn't like + chmod 600 "$tmpkey" echo -n ${escapeShellArg sshdConfig} | $out/bin/sshd -t -f /dev/stdin \ - -h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key} + -h "$tmpkey" + rm "$tmpkey" ''; boot.initrd.network.postCommands = '' diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 43871f439f7f3..ed7226331d70e 100644 
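Review bot: Each `$server` split out of `$dns` is appended to /etc/resolv.conf verbatim, and `$dns` presumably comes from the DHCP lease, i.e. from the network, so a malformed or hostile option-6 value lands unvalidated in the resolver configuration used for early boot (initrd SSH unlock, network root). Consider rejecting entries that do not look like an address before appending, e.g. `case "$server" in *[!0-9a-fA-F:.]*) continue ;; esac`, and add a comment saying where `$dns` is populated, since that is outside this hunk. The enclosing `if` chain begins before the hunk.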
--- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -227,7 +227,7 @@ in "xhci_pci" "usbhid" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" - "hid_logitech_hidpp" "hid_logitech_dj" + "hid_logitech_hidpp" "hid_logitech_dj" "hid_microsoft" ] ++ optionals (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ # Misc. x86 keyboard stuff. diff --git a/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix b/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix index 2d27611946e2c..1437ab3877009 100644 --- a/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix +++ b/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix @@ -12,9 +12,6 @@ let inherit (config.boot.loader.generationsDir) copyKernels; }; - # Temporary check, for nixos to cope both with nixpkgs stdenv-updates and trunk - inherit (pkgs.stdenv.hostPlatform) platform; - in { @@ -59,7 +56,7 @@ in system.build.installBootLoader = generationsDirBuilder; system.boot.loader.id = "generationsDir"; - system.boot.loader.kernelFile = platform.kernelTarget; + system.boot.loader.kernelFile = pkgs.stdenv.hostPlatform.linux-kernel.target; }; } diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 20e39628eabbc..289c2b199862e 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -66,7 +66,7 @@ let extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios; path = with pkgs; makeBinPath ( - [ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ] + [ coreutils gnused gnugrep findutils diffutils btrfs-progs util-linux mdadm ] ++ optional (cfg.efiSupport && (cfg.version == 2)) efibootmgr ++ optionals cfg.useOSProber [ busybox os-prober ]); font = if cfg.font == null then "" 
@@ -327,6 +327,26 @@ in ''; }; + extraInstallCommands = mkOption { + default = ""; + example = literalExample '' + # the example below generates detached signatures that GRUB can verify + # https://www.gnu.org/software/grub/manual/grub/grub.html#Using-digital-signatures + ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -name '*.sig' -delete + old_gpg_home=$GNUPGHOME + export GNUPGHOME="$(mktemp -d)" + ''${pkgs.gnupg}/bin/gpg --import ''${priv_key} > /dev/null 2>&1 + ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -exec ''${pkgs.gnupg}/bin/gpg --detach-sign "{}" \; > /dev/null 2>&1 + rm -rf $GNUPGHOME + export GNUPGHOME=$old_gpg_home + ''; + type = types.lines; + description = '' + Additional shell commands inserted in the bootloader installer + script after generating menu entries. + ''; + }; + extraPerEntryConfig = mkOption { default = ""; example = "root (hd0)"; @@ -705,7 +725,7 @@ in let install-grub-pl = pkgs.substituteAll { src = ./install-grub.pl; - inherit (pkgs) utillinux; + utillinux = pkgs.util-linux; btrfsprogs = pkgs.btrfs-progs; }; in pkgs.writeScript "install-grub.sh" ('' @@ -715,7 +735,7 @@ in ${optionalString cfg.enableCryptodisk "export GRUB_ENABLE_CRYPTODISK=y"} '' + flip concatMapStrings cfg.mirroredBoots (args: '' ${pkgs.perl}/bin/perl ${install-grub-pl} ${grubConfig args} $@ - '')); + '') + cfg.extraInstallCommands); system.build.grub = grub; @@ -741,7 +761,7 @@ in + "'boot.loader.grub.mirroredBoots' to make the system bootable."; } { - assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (_: c: c) bootDeviceCounters); + assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (n: c: if n == "nodev" then 0 else c) bootDeviceCounters); message = "You cannot have duplicated devices in mirroredBoots"; } { diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index 337afe9ef628d..1023361f0b1f6 100644 
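Review bot: The signing example silences gpg completely (`> /dev/null 2>&1` on both the `--import` and the `find -exec ... --detach-sign`), so a failed key import or a failed signature leaves unsigned files behind with no indication; with GRUB's `check_signatures=enforce` the next boot then fails, and without enforcement the gap goes unnoticed. Drop the redirects (or at least keep stderr) so the installer aborts on error — whether the generated install script runs with `-e` depends on its header, which is outside this hunk — and quote `rm -rf "$GNUPGHOME"`, guarding against an empty value if `mktemp -d` fails. Because users will copy this into a root-run installer, the example should also say that `${priv_key}` is a placeholder for a private key readable only by root, and that the `-not -path "/boot/efi/*"` exclusion leaves the EFI binaries themselves unsigned, which needs a separate mechanism.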
--- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -5,8 +5,6 @@ with lib; let cfg = config.boot.loader.raspberryPi; - inherit (pkgs.stdenv.hostPlatform) platform; - builderUboot = import ./uboot-builder.nix { inherit pkgs configTxt; inherit (cfg) version; }; builderGeneric = import ./raspberrypi-builder.nix { inherit pkgs configTxt; }; @@ -20,7 +18,7 @@ let timeoutStr = if blCfg.timeout == null then "-1" else toString blCfg.timeout; isAarch64 = pkgs.stdenv.hostPlatform.isAarch64; - optional = pkgs.stdenv.lib.optionalString; + optional = pkgs.lib.optionalString; configTxt = pkgs.writeText "config.txt" ('' @@ -60,8 +58,7 @@ in version = mkOption { default = 2; type = types.enum [ 0 1 2 3 4 ]; - description = '' - ''; + description = ""; }; uboot = { @@ -103,6 +100,6 @@ in system.build.installBootLoader = builder; system.boot.loader.id = "raspberrypi"; - system.boot.loader.kernelFile = platform.kernelTarget; + system.boot.loader.kernelFile = pkgs.stdenv.hostPlatform.linux-kernel.target; }; } diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 65c7b825f8559..97e824fe629ce 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py 
@@ -200,9 +200,7 @@ def main(): else: # Update bootloader to latest if needed systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[1] - # Ideally this should use check_output as well, but as a temporary - # work-around for #97433 we ignore any errors. - sdboot_status = subprocess.run(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True, stdout=subprocess.PIPE).stdout + sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) # See status_binaries() in systemd bootctl.c for code which generates this m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot (\d+)\)$", diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 88190e8200b16..8dd2ea20519a1 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -404,7 +404,7 @@ let echo "Please move your mouse to create needed randomness." ''} echo "Waiting for your FIDO2 device..." - fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase + fido2luks open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase if [ $? -ne 0 ]; then echo "No FIDO2 key found, falling back to normal open procedure" open_normally diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 47689b2a4700a..3b01bc00bafa2 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix 
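Review bot: With `check_output`, a non-zero exit from `bootctl status` now raises `CalledProcessError` and aborts the bootloader update, which is the right default, but stderr is not captured, so the traceback carries only the exit status and the user has to find bootctl's own message on the terminal; pass `stderr=subprocess.STDOUT` or catch the exception and re-raise with context so `nixos-rebuild` failures are diagnosable. The regex on the last line is a non-raw string containing `\W`, `\.`, `\(` and `\d`, which are invalid escape sequences that Python 3 warns about; write it as `r"^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot (\d+)\)$"`. Whether a `None` match is handled by the code that consumes `m` is not visible here, as `main()` continues past the hunk.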
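Review bot: `--salt string:$passphrase` is unquoted, so a passphrase containing whitespace or glob characters is word-split before it reaches fido2luks and the unlock silently falls through to `open_normally`; quote it as `--salt "string:$passphrase"`. Independently of quoting, the passphrase is handed over as a command-line argument and is therefore readable from `/proc/<pid>/cmdline` for the lifetime of the fido2luks call — little else runs in stage 1, but if fido2luks accepts the salt from a file or stdin that form would be preferable; I cannot confirm from this hunk what `--salt` accepts. The surrounding unlock function begins before and ends after the hunk.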
@@ -648,11 +648,13 @@ let "RapidCommit" "ForceDHCPv6PDOtherInformation" "PrefixDelegationHint" + "RouteMetric" ]) (assertValueOneOf "UseDNS" boolValues) (assertValueOneOf "UseNTP" boolValues) (assertValueOneOf "RapidCommit" boolValues) (assertValueOneOf "ForceDHCPv6PDOtherInformation" boolValues) + (assertInt "RouteMetric") ]; sectionDHCPServer = checkUnitConfig "DHCPServer" [ diff --git a/nixos/modules/system/boot/pbkdf2-sha512.c b/nixos/modules/system/boot/pbkdf2-sha512.c index b40c383ac0233..67e989957ba6c 100644 --- a/nixos/modules/system/boot/pbkdf2-sha512.c +++ b/nixos/modules/system/boot/pbkdf2-sha512.c @@ -35,4 +35,4 @@ int main(int argc, char** argv) fwrite(key, 1, key_length, stdout); return 0; -} \ No newline at end of file +} diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix index 55e5b07ed615d..662576888fc20 100644 --- a/nixos/modules/system/boot/plymouth.nix +++ b/nixos/modules/system/boot/plymouth.nix @@ -9,7 +9,7 @@ let cfg = config.boot.plymouth; - nixosBreezePlymouth = pkgs.breeze-plymouth.override { + nixosBreezePlymouth = pkgs.plasma5Packages.breeze-plymouth.override { logoFile = cfg.logo; logoName = "nixos"; osName = "NixOS"; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index b024f9cf5ee93..7fe8f4dfb7e3a 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, pkgs, lib, ... }: with lib; let @@ -136,7 +136,7 @@ in } ]; - users.users.resolved.group = "systemd-resolve"; + users.users.systemd-resolve.group = "systemd-resolve"; # add resolve to nss hosts database if enabled and nscd enabled # system.nssModules is configured in nixos/modules/system/boot/systemd.nix 
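Review bot: The fix moves `group = "systemd-resolve"` to the `systemd-resolve` user, so the previously declared `resolved` account (presumably never the one the daemon ran as, going by the service name) is no longer declared; on systems with `users.mutableUsers = true` NixOS does not delete accounts that vanish from the configuration, so that stale user will linger. A comment here or a release note pointing that out would help, and it is worth confirming that `systemd-resolve` itself is declared with a uid or `isSystemUser` elsewhere, since this hunk only sets its group.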
@@ -150,6 +150,9 @@ in wantedBy = [ "multi-user.target" ]; aliases = [ "dbus-org.freedesktop.resolve1.service" ]; restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ]; + # Upstream bug: https://github.com/systemd/systemd/issues/18078 + # systemd-resolved without libidn2 is broken + environment.LD_LIBRARY_PATH = "${lib.getLib pkgs.libidn2}/lib"; }; environment.etc = { diff --git a/nixos/modules/system/boot/shutdown.nix b/nixos/modules/system/boot/shutdown.nix index 11041066e07c1..8cda7b3aabe8c 100644 --- a/nixos/modules/system/boot/shutdown.nix +++ b/nixos/modules/system/boot/shutdown.nix @@ -18,7 +18,7 @@ with lib; serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}"; + ExecStart = "${pkgs.util-linux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}"; }; }; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index f7c2940049e56..5b39f34200cdc 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -2,6 +2,13 @@ targetRoot=/mnt-root console=tty1 +verbose="@verbose@" + +info() { + if [[ -n "$verbose" ]]; then + echo "$@" + fi +} extraUtils="@extraUtils@" export LD_LIBRARY_PATH=@extraUtils@/lib @@ -55,7 +62,7 @@ EOF echo "Rebooting..." reboot -f else - echo "Continuing..." + info "Continuing..." fi } @@ -63,9 +70,9 @@ trap 'fail' 0 # Print a greeting. -echo -echo "[1;32m<<< NixOS Stage 1 >>>[0m" -echo +info +info "[1;32m<<< NixOS Stage 1 >>>[0m" +info # Make several required directories. mkdir -p /etc/udev 
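Review bot: Setting `LD_LIBRARY_PATH` on a daemon that parses untrusted DNS traffic deserves a comment beyond the issue link: the value is a fixed, read-only store path, so it cannot be hijacked, but it overrides the RPATH the package was built with and will silently mask the day systemd is linked against libidn2 properly. Suggest `# TODO: drop once systemd links libidn2 directly; store path, so no LD_LIBRARY_PATH hijack concern`, and check that the upstream unit's filesystem hardening does not hide that directory — it is under /nix/store so it should be visible, but the unit is not shown here.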
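Review bot: `Continuing...` inside `fail()` is feedback to an interactive choice (the other branch prints `Rebooting...` and reboots), so routing it through `info` leaves the user with no acknowledgement after choosing to continue when `boot.initrd.verbose = false`; keep it as `echo "Continuing..."`, or route both branches through the same helper. The new `info` helper also uses `[[ -n "$verbose" ]]` while the rest of this script uses `test`/`[ ]`; `if [ -n "$verbose" ]; then` keeps the style uniform, and a comment that `@verbose@` is substituted from a Nix boolean (so it is either non-empty or empty) would explain the `-n` test. `fail()` starts before this hunk.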
@@ -120,7 +127,7 @@ eval "exec $logOutFd>&1 $logErrFd>&2" if test -w /dev/kmsg; then tee -i < /tmp/stage-1-init.log.fifo /proc/self/fd/"$logOutFd" | while read -r line; do if test -n "$line"; then - echo "<7>stage-1-init: $line" > /dev/kmsg + echo "<7>stage-1-init: [$(date)] $line" > /dev/kmsg fi done & else @@ -210,15 +217,18 @@ ln -s @modulesClosure@/lib/modules /lib/modules ln -s @modulesClosure@/lib/firmware /lib/firmware echo @extraUtils@/bin/modprobe > /proc/sys/kernel/modprobe for i in @kernelModules@; do - echo "loading module $(basename $i)..." + info "loading module $(basename $i)..." modprobe $i done # Create device nodes in /dev. @preDeviceCommands@ -echo "running udev..." +info "running udev..." ln -sfn /proc/self/fd /dev/fd +ln -sfn /proc/self/fd/0 /dev/stdin +ln -sfn /proc/self/fd/1 /dev/stdout +ln -sfn /proc/self/fd/2 /dev/stderr mkdir -p /etc/systemd ln -sfn @linkUnits@ /etc/systemd/network mkdir -p /etc/udev @@ -232,8 +242,7 @@ udevadm settle # XXX: Use case usb->lvm will still fail, usb->luks->lvm is covered @preLVMCommands@ - -echo "starting device mapper and LVM..." +info "starting device mapper and LVM..." lvm vgchange -ay if test -n "$debug1devices"; then fail; fi @@ -356,6 +365,7 @@ mountFS() { case $options in *x-nixos.autoresize*) if [ "$fsType" = ext2 -o "$fsType" = ext3 -o "$fsType" = ext4 ]; then + modprobe "$fsType" echo "resizing $device..." e2fsck -fp "$device" resize2fs "$device" @@ -375,7 +385,7 @@ mountFS() { done fi - echo "mounting $device on $mountPoint..." + info "mounting $device on $mountPoint..." mkdir -p "/mnt-root$mountPoint" diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 6823e12847c2f..44287f3cf09b3 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix 
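Review bot: `$(date)` now forks a process for every line forwarded to /dev/kmsg, and the kernel already timestamps each kmsg record (dmesg and the journal show it), so the added prefix is largely redundant; if a wall-clock stamp is wanted to correlate with later logs, say so in a comment, and note that early in stage 1 the clock may not be adjusted yet and the initrd has no timezone data, so the value is raw system time. `date` also has to be present in `@extraUtils@` for this to work; it presumably is (coreutils is copied into the initrd elsewhere), but a missing binary would yield an empty bracket rather than a visible failure. The `tee`/`while read` pipeline continues outside the hunk.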
@@ -22,7 +22,7 @@ let rootModules = config.boot.initrd.availableKernelModules ++ config.boot.initrd.kernelModules; kernel = modulesTree; firmware = firmware; - allowMissing = true; + allowMissing = false; }; @@ -107,8 +107,8 @@ let copy_bin_and_libs $BIN done - # Copy some utillinux stuff. - copy_bin_and_libs ${pkgs.utillinux}/sbin/blkid + # Copy some util-linux stuff. + copy_bin_and_libs ${pkgs.util-linux}/sbin/blkid # Copy dmsetup and lvm. copy_bin_and_libs ${getBin pkgs.lvm2}/bin/dmsetup @@ -235,7 +235,7 @@ let --replace scsi_id ${extraUtils}/bin/scsi_id \ --replace cdrom_id ${extraUtils}/bin/cdrom_id \ --replace ${pkgs.coreutils}/bin/basename ${extraUtils}/bin/basename \ - --replace ${pkgs.utillinux}/bin/blkid ${extraUtils}/bin/blkid \ + --replace ${pkgs.util-linux}/bin/blkid ${extraUtils}/bin/blkid \ --replace ${getBin pkgs.lvm2}/bin ${extraUtils}/bin \ --replace ${pkgs.mdadm}/sbin ${extraUtils}/sbin \ --replace ${pkgs.bash}/bin/sh ${extraUtils}/bin/sh \ @@ -280,7 +280,7 @@ let inherit (config.system.build) earlyMountScript; - inherit (config.boot.initrd) checkJournalingFS + inherit (config.boot.initrd) checkJournalingFS verbose preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules; resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}") @@ -308,7 +308,7 @@ let # the initial RAM disk. initialRamdisk = pkgs.makeInitrd { name = "initrd-${kernel-name}"; - inherit (config.boot.initrd) compressor prepend; + inherit (config.boot.initrd) compressor compressorArgs prepend; contents = [ { object = bootStage1; @@ -334,7 +334,9 @@ let # Script to add secret files to the initrd at bootloader update time initialRamdiskSecretAppender = - pkgs.writeScriptBin "append-initrd-secrets" + let + compressorExe = initialRamdisk.compressorExecutableFunction pkgs; + in pkgs.writeScriptBin "append-initrd-secrets" '' #!${pkgs.bash}/bin/bash -e function usage { 
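Review bot: Flipping `allowMissing` to `false` is the right hardening — a module listed in `boot.initrd.availableKernelModules` that the kernel does not ship now fails the build instead of silently leaving the initrd without it — but it is a behaviour change for users of custom kernels, so a short comment explaining the intent would help the next person who hits the error, e.g. `# fail the build instead of silently shipping an initrd without a requested module`. A release-note entry, which this hunk cannot show, is also worth adding.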
@@ -376,7 +378,7 @@ let } (cd "$tmp" && find . -print0 | sort -z | cpio -o -H newc -R +0:+0 --reproducible --null) | \ - ${config.boot.initrd.compressor} >> "$1" + ${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1" ''; in @@ -511,13 +513,33 @@ in }; boot.initrd.compressor = mkOption { - internal = true; - default = "gzip -9n"; - type = types.str; - description = "The compressor to use on the initrd image."; + default = ( + if lib.versionAtLeast config.boot.kernelPackages.kernel.version "5.9" + then "zstd" + else "gzip" + ); + defaultText = "zstd if the kernel supports it (5.9+), gzip if not."; + type = types.unspecified; # We don't have a function type... + description = '' + The compressor to use on the initrd image. May be any of: + + <itemizedlist> + <listitem><para>The name of one of the predefined compressors, see <filename>pkgs/build-support/kernel/initrd-compressor-meta.nix</filename> for the definitions.</para></listitem> + <listitem><para>A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. <literal>pkgs: "''${pkgs.pigz}/bin/pigz"</literal></para></listitem> + <listitem><para>(not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. <literal>"''${pkgs.pigz}/bin/pigz"</literal></para></listitem> + </itemizedlist> + + The given program should read data from stdin and write it to stdout compressed. + ''; example = "xz"; }; + boot.initrd.compressorArgs = mkOption { + default = null; + type = types.nullOr (types.listOf types.str); + description = "Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults."; + }; + boot.initrd.secrets = mkOption { default = {}; type = types.attrsOf (types.nullOr types.path); 
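Review bot: The new default chooses `zstd` purely from the kernel version string (`versionAtLeast ... "5.9"`), but a 5.9+ kernel only unpacks a zstd initrd when built with `CONFIG_RD_ZSTD`; a custom kernel without it yields an unbootable system and no evaluation-time error. If the kernel derivation exposes its configuration (nixpkgs kernels usually do, via something like `kernel.config.isEnabled "RD_ZSTD"` — confirm the exact accessor), gate on that instead of the version and say so in `defaultText`. Since `types.unspecified` accepts anything, the description should also state when a function value is called with `pkgs` (at build time, which is the form cross-compilation needs), and `compressorArgs = null` should be documented as resolved to the compressor's defaults before it reaches the `escapeShellArgs` call in the appender hunk above.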
@@ -543,6 +565,23 @@ in description = "Names of supported filesystem types in the initial ramdisk."; }; + boot.initrd.verbose = mkOption { + default = true; + type = types.bool; + description = + '' + Verbosity of the initrd. Please note that disabling verbosity removes + only the mandatory messages generated by the NixOS scripts. For a + completely silent boot, you might also want to set the two following + configuration options: + + <itemizedlist> + <listitem><para><literal>boot.consoleLogLevel = 0;</literal></para></listitem> + <listitem><para><literal>boot.kernelParams = [ "quiet" "udev.log_priority=3" ];</literal></para></listitem> + </itemizedlist> + ''; + }; + boot.loader.supportsInitrdSecrets = mkOption { internal = true; default = false; diff --git a/nixos/modules/system/boot/stage-2.nix b/nixos/modules/system/boot/stage-2.nix index dd6d83ee00947..94bc34fea0db3 100644 --- a/nixos/modules/system/boot/stage-2.nix +++ b/nixos/modules/system/boot/stage-2.nix @@ -17,7 +17,7 @@ let inherit (config.system.build) earlyMountScript; path = lib.makeBinPath ([ pkgs.coreutils - pkgs.utillinux + pkgs.util-linux ] ++ lib.optional useHostResolvConf pkgs.openresolv); fsPackagesPath = lib.makeBinPath config.system.fsPackages; postBootCommands = pkgs.writeText "local-cmds" diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index 5addc6f9ca44d..4154389b2ce5f 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix 
@@ -210,12 +210,21 @@ in rec { ''; }; + startLimitBurst = mkOption { + type = types.int; + description = '' + Configure unit start rate limiting. Units which are started + more than startLimitBurst times within an interval time + interval are not permitted to start any more. + ''; + }; + startLimitIntervalSec = mkOption { type = types.int; description = '' Configure unit start rate limiting. Units which are started - more than burst times within an interval time interval are - not permitted to start any more. + more than startLimitBurst times within an interval time + interval are not permitted to start any more. ''; }; @@ -245,8 +254,7 @@ in rec { serviceConfig = mkOption { default = {}; example = - { StartLimitInterval = 10; - RestartSec = 5; + { RestartSec = 5; }; type = types.addCheck (types.attrsOf unitOption) checkService; description = '' diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 74d6957678f56..6b672c7b2eb48 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -243,6 +243,8 @@ let OnFailure = toString config.onFailure; } // optionalAttrs (options.startLimitIntervalSec.isDefined) { StartLimitIntervalSec = toString config.startLimitIntervalSec; + } // optionalAttrs (options.startLimitBurst.isDefined) { + StartLimitBurst = toString config.startLimitBurst; }; }; }; @@ -261,7 +263,7 @@ let } (mkIf (config.preStart != "") { serviceConfig.ExecStartPre = - makeJobScript "${name}-pre-start" config.preStart; + [ (makeJobScript "${name}-pre-start" config.preStart) ]; }) (mkIf (config.script != "") { serviceConfig.ExecStart = @@ -269,7 +271,7 @@ let }) (mkIf (config.postStart != "") { serviceConfig.ExecStartPost = - makeJobScript "${name}-post-start" config.postStart; + [ (makeJobScript "${name}-post-start" config.postStart) ]; }) (mkIf (config.reload != "") { serviceConfig.ExecReload = 
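Review bot: Turning `ExecStartPre`/`ExecStartPost` into single-element lists lets other modules contribute additional entries through option merging, but the relative order of the generated pre-start script and those entries then depends on module merge order unless contributors use `mkBefore`/`mkAfter`, and systemd runs `ExecStartPre=` lines sequentially, stopping at the first failure. A comment on the list form would save the next reader a lookup, e.g. `# list form so other modules can add ExecStartPre entries; order them with mkBefore/mkAfter`. The enclosing list of `mkIf` clauses starts before the hunk.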
@@ -548,6 +550,14 @@ in ''; }; + systemd.enableUnifiedCgroupHierarchy = mkOption { + default = true; + type = types.bool; + description = '' + Whether to enable the unified cgroup hierarchy (cgroupsv2). + ''; + }; + systemd.coredump.enable = mkOption { default = true; type = types.bool; @@ -884,14 +894,25 @@ in config = { - warnings = concatLists (mapAttrsToList (name: service: - let - type = service.serviceConfig.Type or ""; - restart = service.serviceConfig.Restart or "no"; - in optional - (type == "oneshot" && (restart == "always" || restart == "on-success")) - "Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'") - cfg.services); + warnings = concatLists ( + mapAttrsToList + (name: service: + let + type = service.serviceConfig.Type or ""; + restart = service.serviceConfig.Restart or "no"; + hasDeprecated = builtins.hasAttr "StartLimitInterval" service.serviceConfig; + in + concatLists [ + (optional (type == "oneshot" && (restart == "always" || restart == "on-success")) + "Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'" + ) + (optional hasDeprecated + "Service '${name}.service' uses the attribute 'StartLimitInterval' in the Service section, which is deprecated. See https://github.com/NixOS/nixpkgs/issues/45786." + ) + ] + ) + cfg.services + ); system.build.units = cfg.units; @@ -1165,6 +1186,7 @@ in boot.kernel.sysctl = mkIf (!cfg.coredump.enable) { "kernel.core_pattern" = "core"; }; + boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0"; }; # FIXME: Remove these eventually. diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix index 35fb5578b0705..692315dbe99c4 100644 --- a/nixos/modules/system/boot/timesyncd.nix +++ b/nixos/modules/system/boot/timesyncd.nix 
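Review bot: `systemd.enableUnifiedCgroupHierarchy` is implemented as a kernel command-line parameter (`systemd.unified_cgroup_hierarchy=0` in the last hunk), so toggling it only takes effect after a reboot and `nixos-rebuild switch` leaves the running system on the old hierarchy; the description should say so, e.g. `Changing this takes effect only after a reboot.`. It would also help to state that the v1 fallback is a compatibility escape hatch — services that rely on cgroup v2 features (delegation, per-cgroup resource control) behave differently under it — rather than a tuning knob; which services on a given system depend on that is not visible here.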
@@ -16,6 +16,7 @@ with lib; }; servers = mkOption { default = config.networking.timeServers; + type = types.listOf types.str; description = '' The set of NTP servers from which to synchronise. ''; diff --git a/nixos/modules/system/boot/tmp.nix b/nixos/modules/system/boot/tmp.nix index 26eb172210e73..5bb299adb15f0 100644 --- a/nixos/modules/system/boot/tmp.nix +++ b/nixos/modules/system/boot/tmp.nix @@ -30,7 +30,14 @@ with lib; config = { - systemd.additionalUpstreamSystemUnits = optional config.boot.tmpOnTmpfs "tmp.mount"; + systemd.mounts = mkIf config.boot.tmpOnTmpfs [ + { + what = "tmpfs"; + where = "/tmp"; + type = "tmpfs"; + mountConfig.Options = [ "mode=1777" "strictatime" "rw" "nosuid" "nodev" "size=50%" ]; + } + ]; systemd.tmpfiles.rules = optional config.boot.cleanTmpDir "D! /tmp 1777 root root"; |