Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/binfmt.nix | 14 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 10 | ||||
-rw-r--r-- | nixos/modules/system/boot/kernel.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/external/external.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/external/external.xml | 43 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 13 | ||||
-rw-r--r-- | nixos/modules/system/boot/plymouth.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/coredump.nix | 16 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd.nix | 7 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/repart.nix | 123 |
11 files changed, 168 insertions, 67 deletions
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index 7f817e5d350da..98db67e7c00e0 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -316,11 +316,13 @@ in { mkdir -p -m 0755 /run/binfmt ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)} ''; - systemd.additionalUpstreamSystemUnits = lib.mkIf (config.boot.binfmt.registrations != {}) [ - "proc-sys-fs-binfmt_misc.automount" - "proc-sys-fs-binfmt_misc.mount" - "systemd-binfmt.service" - ]; - systemd.services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ]; + systemd = lib.mkIf (config.boot.binfmt.registrations != {}) { + additionalUpstreamSystemUnits = [ + "proc-sys-fs-binfmt_misc.automount" + "proc-sys-fs-binfmt_misc.mount" + "systemd-binfmt.service" + ]; + services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ]; + }; }; } diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 701d242abc154..125f75d667069 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -128,13 +128,13 @@ in HostKey ${initrdKeyPath path} '')} - KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms} - Ciphers ${concatStringsSep "," sshdCfg.ciphers} - MACs ${concatStringsSep "," sshdCfg.macs} + KexAlgorithms ${concatStringsSep "," sshdCfg.settings.KexAlgorithms} + Ciphers ${concatStringsSep "," sshdCfg.settings.Ciphers} + MACs ${concatStringsSep "," sshdCfg.settings.Macs} - LogLevel ${sshdCfg.logLevel} + LogLevel ${sshdCfg.settings.LogLevel} - ${if sshdCfg.useDns then '' + ${if sshdCfg.settings.UseDns then '' UseDNS yes '' else '' UseDNS no diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 8f203b2c8b328..0298e28f32897 100644 --- a/nixos/modules/system/boot/kernel.nix 
+++ b/nixos/modules/system/boot/kernel.nix @@ -20,7 +20,7 @@ in ###### interface options = { - boot.kernel.enable = mkEnableOption (lib.mdDoc "the Linux kernel. This is useful for systemd-like containers which do not require a kernel.") // { + boot.kernel.enable = mkEnableOption (lib.mdDoc "the Linux kernel. This is useful for systemd-like containers which do not require a kernel") // { default = true; }; diff --git a/nixos/modules/system/boot/loader/external/external.nix b/nixos/modules/system/boot/loader/external/external.nix index 7c5455bb47aa2..926cbd2b4b3f3 100644 --- a/nixos/modules/system/boot/loader/external/external.nix +++ b/nixos/modules/system/boot/loader/external/external.nix @@ -8,7 +8,7 @@ in { meta = { maintainers = with maintainers; [ cole-h grahamc raitobezarius ]; - doc = ./external.xml; + doc = ./external.md; }; options.boot.loader.external = { diff --git a/nixos/modules/system/boot/loader/external/external.xml b/nixos/modules/system/boot/loader/external/external.xml deleted file mode 100644 index 9a392c27441d9..0000000000000 --- a/nixos/modules/system/boot/loader/external/external.xml +++ /dev/null 
@@ -1,43 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-bootloader-external"> - <title>External Bootloader Backends</title> - <para> - NixOS has support for several bootloader backends by default: - systemd-boot, grub, uboot, etc. The built-in bootloader backend - support is generic and supports most use cases. Some users may - prefer to create advanced workflows around managing the bootloader - and bootable entries. - </para> - <para> - You can replace the built-in bootloader support with your own - tooling using the <quote>external</quote> bootloader option. - </para> - <para> - Imagine you have created a new package called FooBoot. FooBoot - provides a program at - <literal>${pkgs.fooboot}/bin/fooboot-install</literal> which takes - the system closure’s path as its only argument and configures the - system’s bootloader. - </para> - <para> - You can enable FooBoot like this: - </para> - <programlisting language="nix"> -{ pkgs, ... }: { - boot.loader.external = { - enable = true; - installHook = "${pkgs.fooboot}/bin/fooboot-install"; - }; -} -</programlisting> - <section xml:id="sec-bootloader-external-developing"> - <title>Developing Custom Bootloader Backends</title> - <para> - Bootloaders should use - <link xlink:href="https://github.com/NixOS/rfcs/pull/125">RFC-0125</link>’s - Bootspec format and synthesis tools to identify the key properties - for bootable system generations. - </para> - </section> -</chapter> diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 03d03cb348e82..cdb5d8bf3c26f 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix 
@@ -929,7 +929,14 @@ in ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []); # copy the cryptsetup binary and it's dependencies - boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) '' + boot.initrd.extraUtilsCommands = let + pbkdf2-sha512 = pkgs.runCommandCC "pbkdf2-sha512" { buildInputs = [ pkgs.openssl ]; } '' + mkdir -p "$out/bin" + cc -O3 -lcrypto ${./pbkdf2-sha512.c} -o "$out/bin/pbkdf2-sha512" + strip -s "$out/bin/pbkdf2-sha512" + ''; + in + mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass @@ -939,9 +946,7 @@ in copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl - cc -O3 -I${pkgs.openssl.dev}/include -L${lib.getLib pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto - strip -s pbkdf2-sha512 - copy_bin_and_libs pbkdf2-sha512 + copy_bin_and_libs ${pbkdf2-sha512}/bin/pbkdf2-sha512 mkdir -p $out/etc/ssl cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix index 9b6472fea4293..a1ab709385756 100644 --- a/nixos/modules/system/boot/plymouth.nix +++ b/nixos/modules/system/boot/plymouth.nix @@ -146,6 +146,9 @@ in systemd.services.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ]; systemd.paths.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ]; + # Prevent Plymouth taking over the screen during system updates. + systemd.services.plymouth-start.restartIfChanged = false; + boot.initrd.systemd = { extraBin.plymouth = "${plymouth}/bin/plymouth"; # for the recovery shell storePaths = [ diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 4fcaeebffc3b2..d26ea7597c450 100644 --- a/nixos/modules/system/boot/stage-1.nix 
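Review bot: In the new `pbkdf2-sha512` derivation the link flag `-lcrypto` now precedes the translation unit (`cc -O3 -lcrypto ${./pbkdf2-sha512.c} -o ...`), whereas the removed line passed it last; with a linker operating in `--as-needed` mode a library named before the object that references it can be dropped, so the old order is the safer one: `cc -O3 ${./pbkdf2-sha512.c} -o "$out/bin/pbkdf2-sha512" -lcrypto`. The explicit `-I${pkgs.openssl.dev}/include` / `-L${lib.getLib pkgs.openssl}/lib` flags of the removed line appear to be replaced by `buildInputs = [ pkgs.openssl ]` acting through the compiler wrapper; a one-line comment saying so would stop the next reader from re-adding them. The second hunk of this file now copies the helper with `copy_bin_and_libs ${pbkdf2-sha512}/bin/pbkdf2-sha512`, so its `libcrypto` dependency is pulled from `pkgs.openssl` rather than from the extra-utils builder; worth stating next to that line. The `extraUtilsCommands` string continues outside both hunks.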
+++ b/nixos/modules/system/boot/stage-1.nix @@ -90,7 +90,7 @@ let # copy what we need. Instead of using statically linked binaries, # we just copy what we need from Glibc and use patchelf to make it # work. - extraUtils = pkgs.runCommandCC "extra-utils" + extraUtils = pkgs.runCommand "extra-utils" { nativeBuildInputs = [pkgs.buildPackages.nukeReferences]; allowedReferences = [ "out" ]; # prevent accidents like glibc being included in the initrd } diff --git a/nixos/modules/system/boot/systemd/coredump.nix b/nixos/modules/system/boot/systemd/coredump.nix index c2ca973d38074..03ef00e5683c1 100644 --- a/nixos/modules/system/boot/systemd/coredump.nix +++ b/nixos/modules/system/boot/systemd/coredump.nix @@ -44,7 +44,21 @@ in { ''; # install provided sysctl snippets - "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; + "sysctl.d/50-coredump.conf".source = + # Fix systemd-coredump error caused by truncation of `kernel.core_pattern` + # when the `systemd` derivation name is too long. This works by substituting + # the path to `systemd` with a symlink that has a constant-length path. + # + # See: https://github.com/NixOS/nixpkgs/issues/213408 + pkgs.substitute { + src = "${systemd}/example/sysctl.d/50-coredump.conf"; + replacements = [ + "--replace" + "${systemd}" + "${pkgs.symlinkJoin { name = "systemd"; paths = [ systemd ]; }}" + ]; + }; + "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; }; diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 620d76aef20d8..cf76704577fd0 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix 
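Review bot: Switching `extraUtils` from `pkgs.runCommandCC` to `pkgs.runCommand` removes the C compiler from the builder that runs every `boot.initrd.extraUtilsCommands` snippet, not only the luksroot.nix snippet that this commit moves into its own derivation; any other snippet that still invokes `cc` will now fail at build time. That consequence is not visible at the definition, so a comment would help: `# No compiler in this builder: helpers compiled for the initrd must be separate derivations (see luksroot.nix, pbkdf2-sha512).` The unchanged `allowedReferences = [ "out" ]` guard remains the backstop against a toolchain path leaking into the initrd, which is the right place for it. The `extraUtils` derivation body continues outside the hunk.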
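Review bot: The fix depends on the substituted path staying within the kernel's limit for `kernel.core_pattern` (CORENAME_MAX_SIZE, 128 bytes): the `symlinkJoin` named `systemd` gives a store path of fixed length, but the rest of the pattern is copied verbatim from the upstream `50-coredump.conf`, so a longer handler path or extra format specifiers in a future systemd release could truncate the pattern again and break crash collection. The budget should be recorded next to the `symlinkJoin`: `# fixed-length prefix /nix/store/<32-char hash>-systemd; the whole core_pattern must stay under the kernel's 128-byte limit`. If the systemd-coredump NixOS test can assert that `sysctl kernel.core_pattern` contains the full handler path, that would pin the invariant rather than rely on the comment. The enclosing `environment.etc` attribute set continues outside the hunk.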
@@ -118,7 +118,7 @@ let name = "initrd-bin-env"; paths = map getBin cfg.initrdBin; pathsToLink = ["/bin" "/sbin"]; - postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin); + postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -sf '${v}' $out/bin/'${n}'") cfg.extraBin); }; initialRamdisk = pkgs.makeInitrdNG { @@ -427,9 +427,6 @@ in { # fido2 support "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so" "${pkgs.libfido2}/lib/libfido2.so.1" - - # the unwrapped systemd-cryptsetup executable - "${cfg.package}/lib/systemd/.systemd-cryptsetup-wrapped" ] ++ jobScripts; targets.initrd.aliases = ["default.target"]; @@ -495,7 +492,7 @@ in { # If we are not booting a NixOS closure (e.g. init=/bin/sh), # we don't know what root to prepare so we don't do anything - if ! [ -x "/sysroot$closure/prepare-root" ]; then + if ! [ -x "/sysroot$(readlink "/sysroot$closure/prepare-root" || echo "$closure/prepare-root")" ]; then echo "NEW_INIT=''${initParam[1]}" > /etc/switch-root.conf echo "$closure does not look like a NixOS installation - not activating" exit 0 diff --git a/nixos/modules/system/boot/systemd/repart.nix b/nixos/modules/system/boot/systemd/repart.nix new file mode 100644 index 0000000000000..8f3a700237700 --- /dev/null +++ b/nixos/modules/system/boot/systemd/repart.nix 
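Review bot: Changing `ln -s` to `ln -sf` in `postBuild` makes `cfg.extraBin` entries silently replace a same-named program that `cfg.initrdBin` already placed in the joined `/bin`, where previously `ln -s` would have failed on the existing entry. That precedence is now part of the option's contract and should be stated where `extraBin` is declared (outside this hunk), e.g. `Entries here take precedence over same-named programs provided by initrdBin.`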
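Review bot: The new guard `$(readlink "/sysroot$closure/prepare-root" || echo "$closure/prepare-root")` prefixes the link target with `/sysroot`, which is only correct when `prepare-root` is a symlink to an absolute path: a relative target would be re-rooted at `/sysroot` instead of the link's own directory, and a chain of symlinks is followed only one level, so the check can wrongly decide the closure "does not look like a NixOS installation" and skip activation. If an absolute symlink into `/nix/store` is the guaranteed layout of a system closure, say so at the call site: `# prepare-root is an absolute symlink into /nix/store; readlink gives the target, which we re-root under /sysroot`; otherwise resolve the link relative to the sysroot before testing. The surrounding shell script continues outside the hunk.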
@@ -0,0 +1,123 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.systemd.repart; + initrdCfg = config.boot.initrd.systemd.repart; + + writeDefinition = name: partitionConfig: pkgs.writeText + "${name}.conf" + (lib.generators.toINI { } { Partition = partitionConfig; }); + + listOfDefinitions = lib.mapAttrsToList + writeDefinition + (lib.filterAttrs (k: _: !(lib.hasPrefix "_" k)) cfg.partitions); + + # Create a directory in the store that contains a copy of all definition + # files. This is then passed to systemd-repart in the initrd so it can access + # the definition files after the sysroot has been mounted but before + # activation. This needs a hard copy of the files and not just symlinks + # because otherwise the files do not show up in the sysroot. + definitionsDirectory = pkgs.runCommand "systemd-repart-definitions" { } '' + mkdir -p $out + ${(lib.concatStringsSep "\n" + (map (pkg: "cp ${pkg} $out/${pkg.name}") listOfDefinitions) + )} + ''; +in +{ + options = { + boot.initrd.systemd.repart.enable = lib.mkEnableOption (lib.mdDoc "systemd-repart") // { + description = lib.mdDoc '' + Grow and add partitions to a partition table at boot time in the initrd. + systemd-repart only works with GPT partition tables. + + To run systemd-repart after the initrd, see + `options.systemd.repart.enable`. + ''; + }; + + systemd.repart = { + enable = lib.mkEnableOption (lib.mdDoc "systemd-repart") // { + description = lib.mdDoc '' + Grow and add partitions to a partition table. + systemd-repart only works with GPT partition tables. + + To run systemd-repart while in the initrd, see + `options.boot.initrd.systemd.repart.enable`. 
+ ''; + }; + + partitions = lib.mkOption { + type = with lib.types; attrsOf (attrsOf (oneOf [ str int bool ])); + default = { }; + example = { + "10-root" = { + Type = "root"; + }; + "20-home" = { + Type = "home"; + SizeMinBytes = "512M"; + SizeMaxBytes = "2G"; + }; + }; + description = lib.mdDoc '' + Specify partitions as a set of the names of the definition files as the + key and the partition configuration as its value. The partition + configuration can use all upstream options. See <link + xlink:href="https://www.freedesktop.org/software/systemd/man/repart.d.html"/> + for all available options. + ''; + }; + }; + }; + + config = lib.mkIf (cfg.enable || initrdCfg.enable) { + # Always link the definitions into /etc so that they are also included in + # the /nix/store of the sysroot during early userspace (i.e. while in the + # initrd). + environment.etc."repart.d".source = definitionsDirectory; + + boot.initrd.systemd = lib.mkIf initrdCfg.enable { + additionalUpstreamUnits = [ + "systemd-repart.service" + ]; + + storePaths = [ + "${config.boot.initrd.systemd.package}/bin/systemd-repart" + ]; + + # Override defaults in upstream unit. + services.systemd-repart = { + # Unset the conditions as they cannot be met before activation because + # the definition files are not stored in the expected locations. + unitConfig.ConditionDirectoryNotEmpty = [ + " " # required to unset the previous value. + ]; + serviceConfig = { + # systemd-repart runs before the activation script. Thus we cannot + # rely on them being linked in /etc already. Instead we have to + # explicitly pass their location in the sysroot to the binary. + ExecStart = [ + " " # required to unset the previous value. 
+ ''${config.boot.initrd.systemd.package}/bin/systemd-repart \ + --definitions=/sysroot${definitionsDirectory} \ + --dry-run=no + '' + ]; + }; + # Because the initrd does not have the `initrd-usr-fs.target` the + # upestream unit runs too early in the boot process, before the sysroot + # is available. However, systemd-repart needs access to the sysroot to + # find the definition files. + after = [ "sysroot.mount" ]; + }; + }; + + systemd = lib.mkIf cfg.enable { + additionalUpstreamSystemUnits = [ + "systemd-repart.service" + ]; + }; + }; + +} |
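Review bot: The `partitions` option description is wrapped in `lib.mdDoc` but still contains DocBook markup (`<link xlink:href="https://www.freedesktop.org/software/systemd/man/repart.d.html"/>`), which will not render as a link in the Markdown pipeline; use the Markdown form `[repart.d(5)](https://www.freedesktop.org/software/systemd/man/repart.d.html)`. The initrd `ExecStart` passes `--definitions=/sysroot${definitionsDirectory}` and `--dry-run=no` but no explicit `--root=/sysroot`, so which block device is repartitioned on every boot rests on systemd-repart's own initrd detection; stating that assumption in the comment above `ExecStart`, or passing the root explicitly, would make this non-dry-run write to the disk easier to review. The `cp ${pkg} $out/${pkg.name}` line in `definitionsDirectory` leaves both paths unquoted; `cp "${pkg}" "$out/${pkg.name}"` costs nothing. Also `upestream` in the comment above `after = [ "sysroot.mount" ];` should read `upstream`.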