Diffstat (limited to 'nixos/modules/system/boot')
-rw-r--r--nixos/modules/system/boot/coredump.nix66
-rw-r--r--nixos/modules/system/boot/kernel.nix1
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix2
-rw-r--r--nixos/modules/system/boot/networkd.nix88
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh4
-rw-r--r--nixos/modules/system/boot/systemd.nix25
6 files changed, 117 insertions, 69 deletions
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
deleted file mode 100644
index 30f367da76663..0000000000000
--- a/nixos/modules/system/boot/coredump.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    systemd.coredump = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enables storing core dumps in systemd.
-          Note that this alone is not enough to enable core dumps. The maximum
-          file size for core dumps must be specified in limits.conf as well. See
-          <option>security.pam.loginLimits</option> and the limits.conf(5)
-          man page (these specify the core dump limits for user login sessions)
-          and <option>systemd.extraConfig</option> (where e.g.
-          <literal>DefaultLimitCORE=1000000</literal> can be specified to set
-          the core dump limit for systemd system-level services).
-        '';
-      };
-
-      extraConfig = mkOption {
-        default = "";
-        type = types.lines;
-        example = "Storage=journal";
-        description = ''
-          Extra config options for systemd-coredump. See coredump.conf(5) man page
-          for available options.
-        '';
-      };
-    };
-
-  };
-
-  config = mkMerge [
-    (mkIf config.systemd.coredump.enable {
-
-      systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
-      environment.etc."systemd/coredump.conf".text =
-        ''
-          [Coredump]
-          ${config.systemd.coredump.extraConfig}
-        '';
-
-      # Have the kernel pass core dumps to systemd's coredump helper binary.
-      # From systemd's 50-coredump.conf file. See:
-      # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
-    })
-
-    (mkIf (!config.systemd.coredump.enable) {
-      boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
-      systemd.extraConfig =
-        ''
-          DefaultLimitCORE=0:infinity
-        '';
-    })
-  ];
-
-}
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index ee43fe1002388..baa8c602a99e7 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -36,6 +36,7 @@ in
 
     boot.kernelPackages = mkOption {
       default = pkgs.linuxPackages;
+      type = types.unspecified // { merge = mergeEqualOption; };
       apply = kernelPackages: kernelPackages.extend (self: super: {
         kernel = super.kernel.override {
           inherit randstructSeed;
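Review bot: The new `type` on line 95 has no comment explaining the merge rule it imposes: `mergeEqualOption` rejects a second definition that is not `==` to the first, and since a kernelPackages set holds functions (`extend` and `override` are visible right below), two separately built but equivalent sets presumably compare unequal, so the effective rule is "at most one distinct definition", which a reader cannot tell from the line. A one-line comment above it would make that explicit, e.g. `# kernelPackages is not mergeable: a second, different definition is an evaluation error rather than a silent pick.` The enclosing `boot.kernelPackages` option body continues outside the hunk.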
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 4e4d14985b0d4..eca9dad642224 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -684,7 +684,7 @@ in
           assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
           message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
         }
-      ] ++ flip map args.devices (device: {
+      ] ++ forEach args.devices (device: {
         assertion = device == "nodev" || hasPrefix "/" device;
         message = "GRUB devices must be absolute paths, not ${device} in ${args.path}";
       }));
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index d6b446e9ac227..f2060e21509c9 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -55,6 +55,27 @@ let
     (assertMacAddress "MACAddress")
   ];
 
+  # NOTE The PrivateKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable let's
+  # refrain ourselves from providing a footgun.
+  checkWireGuard = checkUnitConfig "WireGuard" [
+    (assertOnlyFields [
+      "PrivateKeyFile" "ListenPort" "FwMark"
+    ])
+    (assertRange "FwMark" 1 4294967295)
+  ];
+
+  # NOTE The PresharedKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable,let's
+  # refrain ourselves from providing a footgun.
+  checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
+    (assertOnlyFields [
+      "PublicKey" "PresharedKeyFile" "AllowedIPs"
+      "Endpoint" "PersistentKeepalive"
+    ])
+    (assertRange "PersistentKeepalive" 1 65535)
+  ];
+
   checkVlan = checkUnitConfig "VLAN" [
     (assertOnlyFields ["Id" "GVRP" "MVRP" "LooseBinding" "ReorderHeader"])
     (assertRange "Id" 0 4094)
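Review bot: `checkWireGuard` keeps `PrivateKey` out of the allowlist so the secret cannot land in the store, but `PrivateKeyFile` (line 125) and `PresharedKeyFile` (line 135) accept any string, so a path produced by `pkgs.writeText` or similar still puts the key into the world-readable store with no warning. A check in the same style as the ones here that rejects a value with the store prefix (`hasPrefix builtins.storeDir`) would close that gap; the exact helper to express it depends on what `checkUnitConfig`'s assertion helpers offer, which is outside this hunk. The comment on line 131 is also missing a space after the comma ("world-readable,let's") while its twin on line 121 has it.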
@@ -320,6 +341,46 @@ let
       '';
     };
 
+    wireguardConfig = mkOption {
+      default = {};
+      example = {
+        PrivateKeyFile = "/etc/wireguard/secret.key";
+        ListenPort = 51820;
+        FwMark = 42;
+      };
+      type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
+      description = ''
+        Each attribute in this set specifies an option in the
+        <literal>[WireGuard]</literal> section of the unit. See
+        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
+        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PrivateKeyFile</literal> instead of
+        <literal>PrivateKey</literal>: the nix store is
+        world-readable.
+      '';
+    };
+
+    wireguardPeers = mkOption {
+      default = [];
+      example = [ { wireguardPeerConfig={
+        Endpoint = "192.168.1.1:51820";
+        PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+        PresharedKeyFile = "/etc/wireguard/psk.key";
+        AllowedIPs = [ "10.0.0.1/32" ];
+        PersistentKeepalive = 15;
+      };}];
+      type = with types; listOf (submodule wireguardPeerOptions);
+      description = ''
+        Each item in this array specifies an option in the
+        <literal>[WireGuardPeer]</literal> section of the unit. See
+        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
+        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PresharedKeyFile</literal> instead of
+        <literal>PresharedKey</literal>: the nix store is
+        world-readable.
+      '';
+    };
+
     vlanConfig = mkOption {
       default = {};
       example = { Id = "4"; };
@@ -450,6 +511,23 @@ let
     };
   };
 
+  wireguardPeerOptions = {
+    options = {
+      wireguardPeerConfig = mkOption {
+        default = {};
+        example = { };
+        type = types.addCheck (types.attrsOf unitOption) checkWireGuardPeer;
+        description = ''
+          Each attribute in this set specifies an option in the
+          <literal>[WireGuardPeer]</literal> section of the unit.  See
+          <citerefentry><refentrytitle>systemd.network</refentrytitle>
+          <manvolnum>5</manvolnum></citerefentry> for details.
+        '';
+      };
+    };
+  };
+
+
   networkOptions = commonNetworkOptions // {
 
     networkConfig = mkOption {
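Review bot: The description on line 204 points at `systemd.network`, but `[WireGuardPeer]` is a netdev section, and the two sibling descriptions in this same commit (lines 159 and 180) reference `systemd.netdev`; line 204 should read `<citerefentry><refentrytitle>systemd.netdev</refentrytitle>`. The `example = { };` on line 199 adds nothing; either drop it or mirror the peer example given for `wireguardPeers`. The `wireguardPeerOptions` definition is complete within the hunk, while `networkOptions` below it is not.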
@@ -732,6 +810,16 @@ let
             ${attrsToSection def.bondConfig}
 
           ''}
+          ${optionalString (def.wireguardConfig != { }) ''
+            [WireGuard]
+            ${attrsToSection def.wireguardConfig}
+
+          ''}
+          ${flip concatMapStrings def.wireguardPeers (x: ''
+            [WireGuardPeer]
+            ${attrsToSection x.wireguardPeerConfig}
+
+          '')}
           ${def.extraConfig}
         '';
     };
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 67cbe720ddc3f..b817a45deba35 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -44,13 +44,13 @@ EOF
   *) to ignore the error and continue
 EOF
 
-    read reply
+    read -n 1 reply
 
     if [ -n "$allowShell" -a "$reply" = f ]; then
         exec setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console"
     elif [ -n "$allowShell" -a "$reply" = i ]; then
         echo "Starting interactive shell..."
-        setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
+        setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
     elif [ "$reply" = r ]; then
         echo "Rebooting..."
         reboot -f
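Review bot: `read -n 1 reply` on line 241 relies on a non-POSIX option; `@shell@` is substituted at build time and this script runs in the initrd, so if it resolves to a shell whose `read` builtin lacks `-n`, the command fails, `reply` stays empty and the prompt silently falls through to the "ignore the error and continue" branch. Either guard it, `read -n 1 reply 2>/dev/null || read reply`, or record the assumption with a comment such as `# -n 1: accept a single keypress without Enter; requires a read builtin that supports -n`. The surrounding prompt loop starts and ends outside the hunk.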
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 1914827d0e5d6..23a2dd45d492a 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -76,6 +76,10 @@ let
       "systemd-journald-dev-log.socket"
       "syslog.socket"
 
+      # Coredumps.
+      "systemd-coredump.socket"
+      "systemd-coredump@.service"
+
       # SysV init compatibility.
       "systemd-initctl.socket"
       "systemd-initctl.service"
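Review bot: Lines 261-262 make systemd-coredump part of every system unconditionally, and together with `DefaultLimitCORE=infinity` in the later hunk of this file (line 288) every system service now dumps core by default, where the deleted coredump.nix defaulted to `DefaultLimitCORE=0:infinity` behind an opt-in `enable`. Core files of services can hold key material and other secrets from process memory, so the opt-out deserves a comment: since line 288 precedes `${config.systemd.extraConfig}`, a later `DefaultLimitCORE=0` in `systemd.extraConfig`, or `Storage=none` via `systemd.coredump.extraConfig`, presumably overrides it (systemd keeping the last value of a repeated key — confirm). Suggested comment for line 288: `# Core dumps are on by default and handled by systemd-coredump; set DefaultLimitCORE=0 in systemd.extraConfig (emitted after this line) to turn them off.` The unit list this hunk edits starts and ends outside the hunk.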
@@ -540,6 +544,16 @@ in
       '';
     };
 
+    systemd.coredump.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=journal";
+      description = ''
+        Extra config options for systemd-coredump. See coredump.conf(5) man page
+        for available options.
+      '';
+    };
+
     systemd.extraConfig = mkOption {
       default = "";
       type = types.lines;
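Review bot: Only `systemd.coredump.extraConfig` survives from the deleted coredump.nix; `systemd.coredump.enable`, which that file declared, is defined nowhere in this diff, so unless a `mkRemovedOptionModule` or `mkRenamedOptionModule` entry is added outside this view, any configuration setting `systemd.coredump.enable = true;` will now fail evaluation with an undefined-option error. A removal entry whose message points at `systemd.coredump.extraConfig` (with `Storage=none` as the way to stop storing dumps) would make the upgrade path explicit. The option body is complete within the hunk.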
@@ -795,6 +809,7 @@ in
           DefaultMemoryAccounting=yes
           DefaultTasksAccounting=yes
         ''}
+        DefaultLimitCORE=infinity
         ${config.systemd.extraConfig}
       '';
 
@@ -818,6 +833,12 @@ in
         ${config.services.journald.extraConfig}
       '';
 
+      "systemd/coredump.conf".text =
+        ''
+          [Coredump]
+          ${config.systemd.coredump.extraConfig}
+        '';
+
       "systemd/logind.conf".text = ''
         [Login]
         KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
         [Sleep]
       '';
 
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
       "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
       "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
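Review bot: Lines 310-311 install two upstream snippets under one comment, but they do different things: 50-coredump.conf sets `kernel.core_pattern` to hand dumps to systemd-coredump (replacing the `boot.kernel.sysctl."kernel.core_pattern"` entry the deleted coredump.nix used), while 50-default.conf carries systemd's general defaults, which as far as I recall include networking and hardening sysctls unrelated to coredumps, a wider behavioral change than the rest of the commit and worth its own comment. It is also not stated how these relate to values set through `boot.kernel.sysctl`; if NixOS writes those into a higher-numbered sysctl.d file they win by lexical order, but that is inferred and should be confirmed and written down, e.g. `# sysctl.d is applied in lexical order; boot.kernel.sysctl values (emitted under a later name) override these upstream defaults`. The attrset these lines extend continues outside the hunk.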