Diffstat (limited to 'nixos/modules/tasks')
-rw-r--r-- | nixos/modules/tasks/filesystems.nix | 3 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/bcachefs.nix | 5 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 32 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 6 | ||||
-rw-r--r-- | nixos/modules/tasks/snapraid.nix | 234 | ||||
-rw-r--r-- | nixos/modules/tasks/trackpoint.nix | 13 |
6 files changed, 39 insertions, 254 deletions
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 91e30aa4c0af9..1378a0090c1df 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -406,7 +406,8 @@ in
 ConditionVirtualization = "!container";
 DefaultDependencies = false; # needed to prevent a cycle
 };
- before = [ "systemd-pstore.service" ];
+ before = [ "systemd-pstore.service" "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
 wantedBy = [ "systemd-pstore.service" ];
 };
 };
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
index a9134b79b4a64..e771b706becea 100644
--- a/nixos/modules/tasks/filesystems/bcachefs.nix
+++ b/nixos/modules/tasks/filesystems/bcachefs.nix
@@ -78,9 +78,10 @@ let
 value = {
 description = "Unlock bcachefs for ${fs.mountPoint}";
 requiredBy = [ mountUnit ];
- before = [ mountUnit ];
- bindsTo = [ deviceUnit ];
 after = [ deviceUnit ];
+ before = [ mountUnit "shutdown.target" ];
+ bindsTo = [ deviceUnit ];
+ conflicts = [ "shutdown.target" ];
 unitConfig.DefaultDependencies = false;
 serviceConfig = {
 Type = "oneshot";
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 784040f0ce9e3..b38f228fc1606 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -130,7 +130,8 @@ let
 "systemd-ask-password-console.service"
 ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target";
 requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
- before = getPoolMounts prefix pool ++ [ "zfs-import.target" ];
+ before = getPoolMounts prefix pool ++ [ "shutdown.target" "zfs-import.target" ];
+ conflicts = [ "shutdown.target" ];
 unitConfig = {
 DefaultDependencies = "no";
 };
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 298add13437a0..2b2d24a64cb20 100644
--- a/nixos/modules/tasks/network-interfaces.nix
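Review bot: The `before`/`conflicts` pair on `shutdown.target` is added with no comment saying why, and the same bare pair recurs in the bcachefs and zfs `@@ -130` hunks of this commit as well as in the domainname and trackpoint units further down; a reader who does not know that `DefaultDependencies = false` (visible in the context line above) removes systemd's implicit `Conflicts=`/`Before=shutdown.target` will read it as noise. Suggest adding, once per unit, `# DefaultDependencies = false drops the implicit Conflicts=/Before=shutdown.target; re-add them so the unit is stopped on shutdown rather than lingering into it` above the `before` line. The unit definition starts above this hunk, so its name is not visible here.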
@@ -508,9 +509,15 @@ in }; services.zfs.zed = { - enableMail = mkEnableOption (lib.mdDoc "ZED's ability to send emails") // { - default = cfgZfs.package.enableMail; - defaultText = literalExpression "config.${optZfs.package}.enableMail"; + enableMail = mkOption { + type = types.bool; + default = config.services.mail.sendmailSetuidWrapper != null; + defaultText = literalExpression '' + config.services.mail.sendmailSetuidWrapper != null + ''; + description = mdDoc '' + Whether to enable ZED's ability to send emails. + ''; }; settings = mkOption { @@ -551,14 +558,6 @@ in message = "The kernel module and the userspace tooling versions are not matching, this is an unsupported usecase."; } { - assertion = cfgZED.enableMail -> cfgZfs.package.enableMail; - message = '' - To allow ZED to send emails, ZFS needs to be configured to enable - this. To do so, one must override the `zfs` package and set - `enableMail` to true. - ''; - } - { assertion = config.networking.hostId != null; message = "ZFS requires networking.hostId to be set"; } @@ -668,10 +667,17 @@ in # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem. boot.loader.grub = mkIf (inInitrd || inSystem) { zfsSupport = true; + zfsPackage = cfgZfs.package; }; services.zfs.zed.settings = { - ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault "${pkgs.mailutils}/bin/mail"); + ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault ( + config.security.wrapperDir + "/" + + config.services.mail.sendmailSetuidWrapper.program + )); + # subject in header for sendmail + ZED_EMAIL_OPTS = mkIf cfgZED.enableMail (mkDefault "@ADDRESS@"); + PATH = lib.makeBinPath [ cfgZfs.package pkgs.coreutils diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 298add13437a0..2b2d24a64cb20 100644 --- a/nixos/modules/tasks/network-interfaces.nix 
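Review bot: The new `enableMail` default silently turns ZED mail on for every host that has a sendmail setuid wrapper, whereas it previously had to be opted into by overriding the zfs package (the assertion message removed in the next hunk says as much); the option description should state this so users who merely configured an MTA are not surprised by ZED mail. Suggest extending the description with `Defaults to true when a sendmail setuid wrapper is configured (services.mail.sendmailSetuidWrapper), i.e. when a system MTA is set up; set to false to keep ZED from sending mail.` and mentioning the changed default in the release notes. The `services.zfs.zed` option set continues past this hunk.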
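Review bot: Removing this assertion leaves the new precondition unchecked: `enableMail` can still be set to true explicitly, and the `ZED_EMAIL_PROG` line in the `@@ -668` hunk then reads `config.services.mail.sendmailSetuidWrapper.program` on a wrapper that may be `null` (the new `!= null` default test implies it can be), which fails with an obscure attribute-access evaluation error instead of a clear message. Suggest replacing the removed entry with `{ assertion = cfgZED.enableMail -> config.services.mail.sendmailSetuidWrapper != null; message = "services.zfs.zed.enableMail requires a sendmail setuid wrapper (services.mail.sendmailSetuidWrapper), e.g. from a configured MTA"; }`. The assertions list begins and ends outside this hunk.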
+++ b/nixos/modules/tasks/network-interfaces.nix @@ -1396,6 +1396,8 @@ in "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); + # allow all users to do ICMP echo requests (ping) + "net.ipv4.ping_group_range" = mkDefault "0 2147483647"; # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl; } // listToAttrs (forEach interfaces @@ -1408,9 +1410,11 @@ in systemd.services.domainname = lib.mkIf (cfg.domain != null) { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"''; + serviceConfig.Type = "oneshot"; }; environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; }; diff --git a/nixos/modules/tasks/snapraid.nix b/nixos/modules/tasks/snapraid.nix deleted file mode 100644 index 9570c6b76123b..0000000000000 --- a/nixos/modules/tasks/snapraid.nix +++ /dev/null 
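Review bot: The comment on `net.ipv4.ping_group_range` states the intent but not the trade-off or the kernel default, which matters because this is a system-wide relaxation: it lets every group open unprivileged ICMP echo sockets, whereas the kernel ships `1 0` (no group). Suggest `# Let every group (GID 0..2^31-1) open unprivileged ICMP echo sockets so ping works without CAP_NET_RAW; the kernel default "1 0" allows nobody. mkDefault so it can be narrowed or set back to "1 0".` in place of the current one-liner; as far as I recall this is also the value upstream systemd ships in its sysctl.d defaults, which would be worth citing. The sysctl attribute set this sits in begins above the hunk.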
@@ -1,234 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let cfg = config.snapraid; -in -{ - options.snapraid = with types; { - enable = mkEnableOption (lib.mdDoc "SnapRAID"); - dataDisks = mkOption { - default = { }; - example = { - d1 = "/mnt/disk1/"; - d2 = "/mnt/disk2/"; - d3 = "/mnt/disk3/"; - }; - description = lib.mdDoc "SnapRAID data disks."; - type = attrsOf str; - }; - parityFiles = mkOption { - default = [ ]; - example = [ - "/mnt/diskp/snapraid.parity" - "/mnt/diskq/snapraid.2-parity" - "/mnt/diskr/snapraid.3-parity" - "/mnt/disks/snapraid.4-parity" - "/mnt/diskt/snapraid.5-parity" - "/mnt/disku/snapraid.6-parity" - ]; - description = lib.mdDoc "SnapRAID parity files."; - type = listOf str; - }; - contentFiles = mkOption { - default = [ ]; - example = [ - "/var/snapraid.content" - "/mnt/disk1/snapraid.content" - "/mnt/disk2/snapraid.content" - ]; - description = lib.mdDoc "SnapRAID content list files."; - type = listOf str; - }; - exclude = mkOption { - default = [ ]; - example = [ "*.unrecoverable" "/tmp/" "/lost+found/" ]; - description = lib.mdDoc "SnapRAID exclude directives."; - type = listOf str; - }; - touchBeforeSync = mkOption { - default = true; - example = false; - description = lib.mdDoc - "Whether {command}`snapraid touch` should be run before {command}`snapraid sync`."; - type = bool; - }; - sync.interval = mkOption { - default = "01:00"; - example = "daily"; - description = lib.mdDoc "How often to run {command}`snapraid sync`."; - type = str; - }; - scrub = { - interval = mkOption { - default = "Mon *-*-* 02:00:00"; - example = "weekly"; - description = lib.mdDoc "How often to run {command}`snapraid scrub`."; - type = str; - }; - plan = mkOption { - default = 8; - example = 5; - description = lib.mdDoc - "Percent of the array that should be checked by {command}`snapraid scrub`."; - type = int; - }; - olderThan = mkOption { - default = 10; - example = 20; - description = lib.mdDoc - "Number of days since data was last scrubbed before 
it can be scrubbed again."; - type = int; - }; - }; - extraConfig = mkOption { - default = ""; - example = '' - nohidden - blocksize 256 - hashsize 16 - autosave 500 - pool /pool - ''; - description = lib.mdDoc "Extra config options for SnapRAID."; - type = lines; - }; - }; - - config = - let - nParity = builtins.length cfg.parityFiles; - mkPrepend = pre: s: pre + s; - in - mkIf cfg.enable { - assertions = [ - { - assertion = nParity <= 6; - message = "You can have no more than six SnapRAID parity files."; - } - { - assertion = builtins.length cfg.contentFiles >= nParity + 1; - message = - "There must be at least one SnapRAID content file for each SnapRAID parity file plus one."; - } - ]; - - environment = { - systemPackages = with pkgs; [ snapraid ]; - - etc."snapraid.conf" = { - text = with cfg; - let - prependData = mkPrepend "data "; - prependContent = mkPrepend "content "; - prependExclude = mkPrepend "exclude "; - in - concatStringsSep "\n" - (map prependData - ((mapAttrsToList (name: value: name + " " + value)) dataDisks) - ++ zipListsWith (a: b: a + b) - ([ "parity " ] ++ map (i: toString i + "-parity ") (range 2 6)) - parityFiles ++ map prependContent contentFiles - ++ map prependExclude exclude) + "\n" + extraConfig; - }; - }; - - systemd.services = with cfg; { - snapraid-scrub = { - description = "Scrub the SnapRAID array"; - startAt = scrub.interval; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.snapraid}/bin/snapraid scrub -p ${ - toString scrub.plan - } -o ${toString scrub.olderThan}"; - Nice = 19; - IOSchedulingPriority = 7; - CPUSchedulingPolicy = "batch"; - - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RestrictAddressFamilies = "none"; - RestrictNamespaces = true; - 
RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service"; - SystemCallErrorNumber = "EPERM"; - CapabilityBoundingSet = "CAP_DAC_OVERRIDE"; - - ProtectSystem = "strict"; - ProtectHome = "read-only"; - ReadWritePaths = - # scrub requires access to directories containing content files - # to remove them if they are stale - let - contentDirs = map dirOf contentFiles; - in - unique ( - attrValues dataDisks ++ contentDirs - ); - }; - unitConfig.After = "snapraid-sync.service"; - }; - snapraid-sync = { - description = "Synchronize the state of the SnapRAID array"; - startAt = sync.interval; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.snapraid}/bin/snapraid sync"; - Nice = 19; - IOSchedulingPriority = 7; - CPUSchedulingPolicy = "batch"; - - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RestrictAddressFamilies = "none"; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service"; - SystemCallErrorNumber = "EPERM"; - CapabilityBoundingSet = "CAP_DAC_OVERRIDE" + - lib.optionalString cfg.touchBeforeSync " CAP_FOWNER"; - - ProtectSystem = "strict"; - ProtectHome = "read-only"; - ReadWritePaths = - # sync requires access to directories containing content files - # to remove them if they are stale - let - contentDirs = map dirOf contentFiles; - # Multiple "split" parity files can be specified in a single - # "parityFile", separated by a comma. 
- # https://www.snapraid.it/manual#7.1 - splitParityFiles = map (s: splitString "," s) parityFiles; - in - unique ( - attrValues dataDisks ++ splitParityFiles ++ contentDirs - ); - } // optionalAttrs touchBeforeSync { - ExecStartPre = "${pkgs.snapraid}/bin/snapraid touch"; - }; - }; - }; - }; -} diff --git a/nixos/modules/tasks/trackpoint.nix b/nixos/modules/tasks/trackpoint.nix index d197a0feb337c..317613b847927 100644 --- a/nixos/modules/tasks/trackpoint.nix +++ b/nixos/modules/tasks/trackpoint.nix @@ -80,10 +80,17 @@ with lib; ACTION=="add|change", SUBSYSTEM=="input", ATTR{name}=="${cfg.device}", ATTR{device/speed}="${toString cfg.speed}", ATTR{device/sensitivity}="${toString cfg.sensitivity}" ''; - system.activationScripts.trackpoint = - '' - ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}" + systemd.services.trackpoint = { + wantedBy = [ "sysinit.target" ] ; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + serviceConfig.ExecStart = '' + ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device} ''; + }; }) (mkIf (cfg.emulateWheel) { |
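Review bot: The new `ExecStart` drops the closing double quote that the removed activation script had: `--attr-match=name="${cfg.device}` is followed directly by `'';`, so the argument carries an unbalanced `"`, which systemd's command-line parser will most likely reject, and a device name containing spaces would no longer be matched as one argument. It should read `${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}"`. Minor: `wantedBy = [ "sysinit.target" ] ;` has a stray space before the semicolon. The surrounding `mkIf` block begins above the hunk.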