From 28bb97817f2b8d0581dfcc513273e0dc04b6b0a1 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 14:56:39 -0800 Subject: nixos/swap: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/config/swap.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 8989a64082643..21046d6f1697b 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -258,7 +258,8 @@ in # avoid this race condition. after = [ "systemd-modules-load.service" ]; wantedBy = [ "${realDevice'}.swap" ]; - before = [ "${realDevice'}.swap" ]; + before = [ "${realDevice'}.swap" "shutdown.target"]; + conflicts = [ "shutdown.target" ]; path = [ pkgs.util-linux pkgs.e2fsprogs ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup; -- cgit 1.4.1 From 454f3cb58d2ea69cfc2cda071c760e34aaa59813 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 14:57:59 -0800 Subject: nixos/apparmor: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/security/apparmor.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 24b48338ed772..ea1af6c6e2f29 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -164,7 +164,8 @@ in "local-fs.target" "systemd-journald-audit.socket" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wantedBy = [ "multi-user.target" ]; unitConfig = { Description="Load AppArmor policies"; -- cgit 1.4.1 From 407ef67228d2a1206e40a6978e5cb8a41ebb290f Mon Sep 17 00:00:00 2001 
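Review bot: In nixos/modules/security/apparmor.nix the new `conflicts = [ "shutdown.target" ];` means the policy-loading unit is now stopped as soon as shutdown begins, so any stop action it defines will run while other processes may still be alive. The hunk does not show the unit's serviceConfig, so whether a stop command unloads profiles cannot be confirmed from here; if it does, units that are not ordered after `sysinit.target` could keep running unconfined until they exit. The same question applies to the firewall unit in nixos/modules/services/networking/firewall-iptables.nix, which gains the same two lines but is ordered only before `network-pre.target`. I would add a comment above the new lines stating the intended stop ordering, for example `# stopped on shutdown; Before=sysinit.target so confined services stop first`, and check that the firewall's rules are not removed while listeners are still up.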
From: Philip Taron Date: Thu, 30 Nov 2023 15:00:39 -0800 Subject: nixos/auditd: ensure correct ordering w.r.t. shutdown.target This looks like it's got a few other idiosyncrasies, but I'll leave it alone for now. --- nixos/modules/security/auditd.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix index db4b2701ee2e9..12d5831619ad8 100644 --- a/nixos/modules/security/auditd.nix +++ b/nixos/modules/security/auditd.nix @@ -13,6 +13,8 @@ with lib; systemd.services.auditd = { description = "Linux Audit daemon"; wantedBy = [ "basic.target" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target "]; unitConfig = { ConditionVirtualization = "!container"; @@ -23,7 +25,7 @@ with lib; path = [ pkgs.audit ]; serviceConfig = { - ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit"; + ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/audit"; ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange"; }; }; -- cgit 1.4.1 From d7ab46ed87ca8385e80ddff6138145baeacf033f Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:02:51 -0800 Subject: nixos/duosec: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/security/duosec.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 2a855a77e3a39..ef76bfeb6d66a 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -195,7 +195,8 @@ in systemd.services.login-duo = lib.mkIf cfg.ssh.enable { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then 
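Review bot: The added line `conflicts = [ "shutdown.target "];` in the first auditd.nix hunk has a trailing space inside the string, so the unit name handed to the module is `shutdown.target ` rather than `shutdown.target`. systemd most likely still parses the rendered `Conflicts=` value, because the directive is whitespace-separated, but anything that compares unit names on the Nix side (list merging, assertions, tests) will not match it. It should read `conflicts = [ "shutdown.target" ];`. The `before = [ "${realDevice'}.swap" "shutdown.target"];` line in swap.nix has only the cosmetic half of this, a missing space before the closing bracket.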
@@ -216,7 +217,8 @@ in systemd.services.pam-duo = lib.mkIf cfg.ssh.enable { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then -- cgit 1.4.1 From a7a5b2eca1054166a60ac366d90da701e57b9138 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:03:56 -0800 Subject: nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/security/wrappers/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 250f9775be14d..4e123fa9ca5ee 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -278,7 +278,8 @@ in systemd.services.suid-sgid-wrappers = { description = "Create SUID/SGID Wrappers"; wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ]; serviceConfig.Type = "oneshot"; -- cgit 1.4.1 From 5ab8a128deb592b1c509b45e9a8b68442f9b262e Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:07:03 -0800 Subject: nixos/firewall-iptables: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/services/networking/firewall-iptables.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/networking/firewall-iptables.nix b/nixos/modules/services/networking/firewall-iptables.nix index e900868387203..2d11517700086 100644 --- a/nixos/modules/services/networking/firewall-iptables.nix +++ b/nixos/modules/services/networking/firewall-iptables.nix 
@@ -308,8 +308,9 @@ in description = "Firewall"; wantedBy = [ "sysinit.target" ]; wants = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; + before = [ "network-pre.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; path = [ cfg.package ] ++ cfg.extraPackages; -- cgit 1.4.1 From e4136ed6dd7612043a62aea89eeb3c4f3ea549e5 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:09:59 -0800 Subject: nixos/growpart: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/system/boot/grow-partition.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix index 897602f9826ab..8a0fc3a03dac4 100644 --- a/nixos/modules/system/boot/grow-partition.nix +++ b/nixos/modules/system/boot/grow-partition.nix @@ -25,7 +25,7 @@ with lib; systemd.services.growpart = { wantedBy = [ "-.mount" ]; after = [ "-.mount" ]; - before = [ "systemd-growfs-root.service" ]; + before = [ "systemd-growfs-root.service" "shutdown.target" ]; conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig = { -- cgit 1.4.1 From 0db4d5b3356d30519b6e51e76cf4872a7dffa3be Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:12:10 -0800 Subject: nixos/initrd-ssh: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/system/boot/initrd-ssh.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index a8cd2e8f05fcc..61e61f32bc5ee 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix 
@@ -243,8 +243,10 @@ in services.sshd = { description = "SSH Daemon"; - wantedBy = ["initrd.target"]; - after = ["network.target" "initrd-nixos-copy-secrets.service"]; + wantedBy = [ "initrd.target" ]; + after = [ "network.target" "initrd-nixos-copy-secrets.service" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; # Keys from Nix store are world-readable, which sshd doesn't # like. If this were a real nix store and not the initrd, we -- cgit 1.4.1 From 1f73c2a7b635442339505ac67a587b71c3748af7 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:18:23 -0800 Subject: nixos/initrd-secrets: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/system/boot/systemd/initrd-secrets.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/system/boot/systemd/initrd-secrets.nix b/nixos/modules/system/boot/systemd/initrd-secrets.nix index 7b59c0cbe7b84..d375238aa146e 100644 --- a/nixos/modules/system/boot/systemd/initrd-secrets.nix +++ b/nixos/modules/system/boot/systemd/initrd-secrets.nix @@ -11,7 +11,8 @@ description = "Copy secrets into place"; # Run as early as possible wantedBy = [ "sysinit.target" ]; - before = [ "cryptsetup-pre.target" ]; + before = [ "cryptsetup-pre.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; # We write the secrets to /.initrd-secrets and move them because this allows -- cgit 1.4.1 From 9c505de9f4fddb0a13831682450445d9d59f0fd0 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:34:11 -0800 Subject: nixos/filesystems: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/tasks/filesystems.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 91e30aa4c0af9..1378a0090c1df 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix 
@@ -406,7 +406,8 @@ in ConditionVirtualization = "!container"; DefaultDependencies = false; # needed to prevent a cycle }; - before = [ "systemd-pstore.service" ]; + before = [ "systemd-pstore.service" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wantedBy = [ "systemd-pstore.service" ]; }; }; -- cgit 1.4.1 From d4f57da9e85edc9d9fb00ce0b7f0906b78762659 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:34:31 -0800 Subject: nixos/bcachefs: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/tasks/filesystems/bcachefs.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix index f28fd5cde9c19..2393b4c2462a4 100644 --- a/nixos/modules/tasks/filesystems/bcachefs.nix +++ b/nixos/modules/tasks/filesystems/bcachefs.nix @@ -70,9 +70,10 @@ let value = { description = "Unlock bcachefs for ${fs.mountPoint}"; requiredBy = [ mountUnit ]; - before = [ mountUnit ]; - bindsTo = [ deviceUnit ]; after = [ deviceUnit ]; + before = [ mountUnit "shutdown.target" ]; + bindsTo = [ deviceUnit ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig = { Type = "oneshot"; -- cgit 1.4.1 From e95b3d3915161f7bfd03d04b755fd0bf744363a1 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:34:52 -0800 Subject: nixos/zfs: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/tasks/filesystems/zfs.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 72bc79f31b68a..75dca6073ff82 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix 
@@ -127,7 +127,8 @@ let "systemd-ask-password-console.service" ]; requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; - before = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; + before = getPoolMounts prefix pool ++ [ "shutdown.target" "zfs-import.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { DefaultDependencies = "no"; }; -- cgit 1.4.1 From 54064109fb09d69cba69e220b69a7f87d3515818 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:39:01 -0800 Subject: nixos/network-interfaces: ensure correct ordering w.r.t. shutdown.target Also, mark this service as `oneshot`, since it is. --- nixos/modules/tasks/network-interfaces.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 298add13437a0..6feb1b1238a8a 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1408,9 +1408,11 @@ in systemd.services.domainname = lib.mkIf (cfg.domain != null) { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"''; + serviceConfig.Type = "oneshot"; }; environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; }; -- cgit 1.4.1 From 07004b46acc1c6de0bbe6f624aa8a724089bca03 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:42:49 -0800 Subject: nixos/lxd-agent: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/virtualisation/lxd-agent.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/virtualisation/lxd-agent.nix b/nixos/modules/virtualisation/lxd-agent.nix index 5bcc86e3bcbe9..2e8a5e8cfa1d3 100644 --- a/nixos/modules/virtualisation/lxd-agent.nix +++ b/nixos/modules/virtualisation/lxd-agent.nix 
@@ -56,6 +56,8 @@ in { systemd.services.lxd-agent = { enable = true; wantedBy = [ "multi-user.target" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; path = [ pkgs.kmod pkgs.util-linux ]; preStart = preStartScript; -- cgit 1.4.1 From 0a226a0639f07ce59087850a9036df1cf20e8aac Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:44:36 -0800 Subject: nixos/qemu: ensure correct ordering w.r.t. shutdown.target --- nixos/modules/virtualisation/qemu-vm.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 6f275baf60dcf..b167d3b1d0aff 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -1256,6 +1256,8 @@ in unitConfig.RequiresMountsFor = "/sysroot/nix/.ro-store"; }]; services.rw-store = { + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { DefaultDependencies = false; RequiresMountsFor = "/sysroot/nix/.rw-store"; -- cgit 1.4.1 From d8c9b26a16086d5e900a7c7a8577837860fc973f Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:45:52 -0800 Subject: nixos/tests/dhparams: ensure correct ordering w.r.t. shutdown.target --- nixos/tests/dhparams.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index 021042fafdb10..8d7082c114001 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -18,6 +18,8 @@ import ./make-test-python.nix { systemd.services.foo = { description = "Check systemd Ordering"; wantedBy = [ "multi-user.target" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { # This is to make sure that the dhparams generation of foo occurs # before this service so we need this service to start as early as -- cgit 1.4.1 From 88dc5ded81a6ef0ab32920e78801ba1d68879863 Mon Sep 17 00:00:00 2001 
From: Philip Taron Date: Thu, 30 Nov 2023 15:47:09 -0800 Subject: nixos/tests/stunnel: ensure correct ordering w.r.t. shutdown.target Also, mark the service as `oneshot` since it is. --- nixos/tests/stunnel.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/tests/stunnel.nix b/nixos/tests/stunnel.nix index 07fba435d4df6..f8cfa0414761d 100644 --- a/nixos/tests/stunnel.nix +++ b/nixos/tests/stunnel.nix @@ -19,8 +19,10 @@ let makeCert = { config, pkgs, ... }: { systemd.services.create-test-cert = { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; script = '' ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName} ( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem ) -- cgit 1.4.1 From 6f8091159ecec673fcafea1215ba190a86c99ebd Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Thu, 30 Nov 2023 15:48:25 -0800 Subject: nixos/tests/systemd-initrd-networkd: ensure correct ordering w.r.t. shutdown.target --- nixos/tests/systemd-initrd-networkd.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/tests/systemd-initrd-networkd.nix b/nixos/tests/systemd-initrd-networkd.nix index 9c4ddb6e4b363..691f4300d7a23 100644 --- a/nixos/tests/systemd-initrd-networkd.nix +++ b/nixos/tests/systemd-initrd-networkd.nix @@ -33,7 +33,8 @@ let boot.initrd.network.flushBeforeStage2 = flush; systemd.services.check-flush = { requiredBy = ["multi-user.target"]; - before = ["network-pre.target" "multi-user.target"]; + before = [ "network-pre.target" "multi-user.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wants = ["network-pre.target"]; unitConfig.DefaultDependencies = false; serviceConfig.Type = "oneshot"; -- cgit 1.4.1