From 6e6f33ad838a4935fb51684a56f6f27bcc56c4e6 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sat, 4 Jun 2022 14:43:44 +0100 Subject: openldap: remove deprecated options --- nixos/modules/services/databases/openldap.nix | 43 --------------------------- nixos/tests/openldap.nix | 19 ------------ 2 files changed, 62 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index d80d1b07b97c3..bba6007beb22b 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -3,7 +3,6 @@ with lib; let cfg = config.services.openldap; - legacyOptions = [ "rootpwFile" "suffix" "dataDir" "rootdn" "rootpw" ]; openldap = cfg.package; configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d"; 
@@ -76,44 +75,6 @@ let lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children) ); in { - imports = let - deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process."; - mkDatabaseOption = old: new: - lib.mkChangedOptionModule [ "services" "openldap" old ] [ "services" "openldap" "settings" "children" ] - (config: let - database = lib.getAttrFromPath [ "services" "openldap" "database" ] config; - value = lib.getAttrFromPath [ "services" "openldap" old ] config; - in lib.setAttrByPath ([ "olcDatabase={1}${database}" "attrs" ] ++ new) value); - in [ - (lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote) - (lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote) - - (lib.mkChangedOptionModule [ "services" "openldap" "logLevel" ] [ "services" "openldap" "settings" "attrs" "olcLogLevel" ] - (config: lib.splitString " " (lib.getAttrFromPath [ "services" "openldap" "logLevel" ] config))) - (lib.mkChangedOptionModule [ "services" "openldap" "defaultSchemas" ] [ "services" "openldap" "settings" "children" "cn=schema" "includes"] - (config: lib.optionals (lib.getAttrFromPath [ "services" "openldap" "defaultSchemas" ] config) ( - map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ]))) - - (lib.mkChangedOptionModule [ "services" "openldap" "database" ] [ "services" "openldap" "settings" "children" ] - (config: let - database = lib.getAttrFromPath [ "services" "openldap" "database" ] config; - in { - "olcDatabase={1}${database}".attrs = { - # objectClass is case-insensitive, so don't need to capitalize ${database} - objectClass = [ "olcdatabaseconfig" "olc${database}config" ]; - olcDatabase = "{1}${database}"; - olcDbDirectory = lib.mkDefault "/var/db/openldap"; - }; - "cn=schema".includes = lib.mkDefault ( - 
map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ] - ); - })) - (mkDatabaseOption "rootpwFile" [ "olcRootPW" "path" ]) - (mkDatabaseOption "suffix" [ "olcSuffix" ]) - (mkDatabaseOption "dataDir" [ "olcDbDirectory" ]) - (mkDatabaseOption "rootdn" [ "olcRootDN" ]) - (mkDatabaseOption "rootpw" [ "olcRootPW" ]) - ]; options = { services.openldap = { enable = mkOption { @@ -248,10 +209,6 @@ in { meta.maintainers = with lib.maintainers; [ mic92 kwohlfahrt ]; config = mkIf cfg.enable { - assertions = map (opt: { - assertion = ((getAttr opt cfg) != "_mkMergedOptionModule") -> (cfg.database != "_mkMergedOptionModule"); - message = "Legacy OpenLDAP option `services.openldap.${opt}` requires `services.openldap.database` (use value \"mdb\" if unsure)"; - }) legacyOptions; environment.systemPackages = [ openldap ]; # Literal attributes must always be set diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 3c388119d5d24..1ef74fe30a2a3 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -60,25 +60,6 @@ in { }; }) { inherit pkgs system; }; - # Old-style configuration - oldOptions = import ./make-test-python.nix ({ pkgs, ... }: { - inherit testScript; - name = "openldap"; - - nodes.machine = { pkgs, ... }: { - services.openldap = { - enable = true; - logLevel = "stats acl"; - defaultSchemas = true; - database = "mdb"; - suffix = "dc=example"; - rootdn = "cn=root,dc=example"; - rootpw = "notapassword"; - declarativeContents."dc=example" = dbContents; - }; - }; - }) { inherit system pkgs; }; - # Manually managed configDir, for example if dynamic config is essential manualConfigDir = import ./make-test-python.nix ({ pkgs, ... }: { name = "openldap"; -- cgit 1.4.1 From d1f55ce0a462a036f3d54631c24a8f344ad32902 Mon Sep 17 00:00:00 2001 
From: Kai Wohlfahrt Date: Sat, 4 Jun 2022 16:39:35 +0100 Subject: openldap: change default ldapi directory By default, this is /run/ldapi, which is not compatible with systemd's runtime directories. Change it to /run/slapd/ldapi (in library and server). This makes `ldapi:///` work as a default socket again. --- nixos/tests/openldap.nix | 1 + pkgs/development/libraries/openldap/default.nix | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 1ef74fe30a2a3..13afe166b9bf1 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -29,6 +29,7 @@ in { environment.etc."openldap/root_password".text = "notapassword"; services.openldap = { enable = true; + urlList = [ "ldapi:///" "ldap://" ]; settings = { children = { "cn=schema".includes = [ diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix index 551a0827eee23..4198221e79832 100644 --- a/pkgs/development/libraries/openldap/default.nix +++ b/pkgs/development/libraries/openldap/default.nix @@ -93,18 +93,18 @@ stdenv.mkDerivation rec { "ac_cv_func_memcmp_working=yes" ] ++ lib.optional stdenv.isFreeBSD "--with-pic"; - makeFlags = [ + NIX_CFLAGS_COMPILE = [ "-DLDAPI_SOCK=\"/run/slapd/ldapi\"" ]; + + makeFlags= [ "CC=${stdenv.cc.targetPrefix}cc" "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase. + "STRIP_OPTS=" "prefix=${placeholder "out"}" "sysconfdir=${placeholder "out"}/etc" "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system" # contrib modules require these "moduledir=${placeholder "out"}/lib/modules" "mandir=${placeholder "out"}/share/man" - ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [ - # Can be unconditional, doing it like this to prevent a mass rebuild. - "STRIP_OPTS=" ]; extraContribModules = [ -- cgit 1.4.1 
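Review bot: The new `urlList = [ "ldapi:///" "ldap://" ];` enables the socket this commit is about, but the test's `ldapsearch` calls (defined outside this hunk) never pass `-H ldapi:///`, so the changed default socket path is not exercised by the test; one search over `-H ldapi:///` would cover it. The enclosing `nodes.machine` definition continues outside the hunk.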
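Review bot: `makeFlags= [` drops the space before `=` that the other attributes of this `mkDerivation` use; write `makeFlags = [`. The socket path is now fixed at compile time by `-DLDAPI_SOCK=\"/run/slapd/ldapi\"` and must stay in sync with whatever runtime directory the NixOS module creates, so a comment next to the flag naming that consumer would make the coupling visible, e.g. `# Must match the RuntimeDirectory used by nixos/modules/services/databases/openldap.nix`. Making `STRIP_OPTS=` unconditional is fine, as the removed comment already said it could be.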
From d72f89a8fc8af8239575ca417e01deeef89f1a1e Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sat, 4 Jun 2022 19:22:05 +0100 Subject: openldap: Allow notify outside of main thread This fixes a bug I observed in deployment on a RPi, but not able to reproduce in tests. --- nixos/modules/services/databases/openldap.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index bba6007beb22b..97fd2393128be 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -269,6 +269,9 @@ in { "-h" (lib.concatStringsSep " " cfg.urlList) ]); Type = "notify"; + # Fixes an error where openldap attempts to notify from a thread + # outside the main process: + # Got notification message from PID 6378, but reception only permitted for main PID 6377 NotifyAccess = "all"; PIDFile = cfg.settings.attrs.olcPidFile; }; -- cgit 1.4.1 From 38ead944cee78c8ee5543067b3ec839bbb36eed6 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sat, 4 Jun 2022 20:17:11 +0100 Subject: openldap: run in foreground Now that we use notify daemon type, this works safely and simplifies configuration. --- nixos/modules/services/databases/openldap.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 97fd2393128be..1d712987a56ba 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -169,8 +169,7 @@ in { default = null; description = '' Use this config directory instead of generating one from the - settings option. Overrides all NixOS settings. If - you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`. + settings option. Overrides all NixOS settings. ''; example = "/var/db/slapd.d"; }; 
@@ -216,7 +215,6 @@ in { attrs = { objectClass = "olcGlobal"; cn = "config"; - olcPidFile = "/run/slapd/slapd.pid"; }; children."cn=schema".attrs = { cn = "schema"; @@ -265,7 +263,7 @@ in { ''; serviceConfig = { ExecStart = lib.escapeShellArgs ([ - "${openldap}/libexec/slapd" "-u" cfg.user "-g" cfg.group "-F" configDir + "${openldap}/libexec/slapd" "-d" "0" "-u" cfg.user "-g" cfg.group "-F" configDir "-h" (lib.concatStringsSep " " cfg.urlList) ]); Type = "notify"; @@ -273,7 +271,6 @@ in { # outside the main process: # Got notification message from PID 6378, but reception only permitted for main PID 6377 NotifyAccess = "all"; - PIDFile = cfg.settings.attrs.olcPidFile; }; }; -- cgit 1.4.1 From fd7d901133f9fbfc893cdb33f7d630846bb21f9c Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 5 Jun 2022 00:52:54 +0100 Subject: openldap: run under systemd-defined user/group This improves security, by starting the service as an unprivileged user, rather than starting as root and relying on the service to drop privileges. This requires a significant cleanup of pre-init scripts, to make use of StateDirectory and RuntimeDirectory for permissions. --- nixos/modules/services/databases/openldap.nix | 127 ++++++++++++++++++-------- nixos/tests/openldap.nix | 2 +- 2 files changed, 89 insertions(+), 40 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 1d712987a56ba..45242b2b48fa6 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix 
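Review bot: With `-d 0` slapd now stays in the foreground, so the PID mismatch that motivated `NotifyAccess = "all"` in the previous commit (the notifying PID was one above the main PID, which looks like a daemonising fork rather than a thread) is probably gone, yet the `@@ -273,7 +271,6 @@` hunk keeps the setting and its comment untouched. `NotifyAccess = "all"` accepts readiness and status messages from any process in the unit's cgroup, so it is worth retesting with the default `NotifyAccess` and dropping the comment if the error no longer occurs; if it is still needed, the comment should say why the foreground process is not the main PID. The enclosing `serviceConfig` attrset starts and ends outside this hunk.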
@@ -10,7 +10,15 @@ let # Can't do types.either with multiple non-overlapping submodules, so define our own singleLdapValueType = lib.mkOptionType rec { name = "LDAP"; - description = "LDAP value"; + # TODO: It would be nice to define a { secret = ...; } option, using + # systemd's LoadCredentials for secrets. That would remove the last + # barrier to using DynamicUser for openldap. This is blocked on + # systemd/systemd#19604 + description = '' + LDAP value - either a string, or an attrset containing + path or base64 for included + values or base-64 encoded values respectively. + ''; check = x: lib.isString x || (lib.isAttrs x && (x ? path || x ? base64)); merge = lib.mergeEqualOption; }; @@ -80,9 +88,7 @@ in { enable = mkOption { type = types.bool; default = false; - description = " - Whether to enable the ldap server. - "; + description = "Whether to enable the ldap server."; }; package = mkOption { @@ -147,7 +153,7 @@ in { attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/db/ldap"; + olcDbDirectory = "/var/lib/openldap/ldap"; olcDbIndex = [ "objectClass eq" "cn pres,eq" @@ -171,7 +177,18 @@ in { Use this config directory instead of generating one from the settings option. Overrides all NixOS settings. ''; - example = "/var/db/slapd.d"; + example = "/var/lib/openldap/slapd.d"; + }; + + mutableConfig = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow writable on-line configuration. If + true, the NixOS settings will only be used to + initialize the OpenLDAP configuration if it does not exist, and are + subsequently ignored. + ''; }; declarativeContents = mkOption { 
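Review bot: The new description of the `LDAP` value type does not say where plain-string values end up: the settings are rendered with `pkgs.writeText "config.ldif"` elsewhere in this commit, which puts them in the world-readable Nix store, so a string `olcRootPW` is exposed to every local user, while the `path` form is only read at service start. Suggested sentence for the description: `String and base64 values are copied into the world-readable Nix store; use the path form for secrets such as olcRootPW.` The `TODO` about `LoadCredentials` explains the long-term plan but lives in a comment that users of the option never see, so the hint belongs in the description text.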
@@ -185,6 +202,11 @@ in { reboot of the server. Performance-wise the database and indexes are rebuilt on each server startup, so this will slow down server startup, especially with large databases. + + Note that the root of the DB must be defined in + services.openldap.settings and the + olcDbDirectory must begin with + "/var/lib/openldap". ''; example = lib.literalExpression '' { 
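Review bot: The added note places the `/var/lib/openldap` requirement under `declarativeContents`, but the assertion introduced later in this commit checks `olcDbDirectory` for every database in `services.openldap.settings`, declarative contents or not, and the example `olcDbDirectory` moves from `/var/db/ldap` to `/var/lib/openldap/ldap`. Existing deployments with data in the old `/var/db/openldap` location will fail the assertion on upgrade, so the constraint should be documented on the `settings` option and in the release notes together with a one-line migration hint (move the directory under `/var/lib/openldap/`). Suggested wording for the note here: `Every olcDbDirectory in services.openldap.settings must be a subdirectory of /var/lib/openldap; this applies to all databases, not only those with declarative contents.`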
@@ -207,7 +229,49 @@ in { meta.maintainers = with lib.maintainers; [ mic92 kwohlfahrt ]; - config = mkIf cfg.enable { + config = let + dbSettings = mapAttrs' (name: { attrs, ... }: nameValuePair attrs.olcSuffix attrs) + (filterAttrs (name: value: hasPrefix "olcDatabase=" name) cfg.settings.children); + settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings)); + writeConfig = pkgs.writeShellScript "openldap-config" '' + set -euo pipefail + + ${lib.optionalString (!cfg.mutableConfig) "rm -rf ${configDir}/*"} + if [ ! -e "${configDir}/cn=config.ldif" ]; then + ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile} + fi + chmod -R ${if cfg.mutableConfig then "u+rw" else "u+r-w"} ${configDir} + ''; + + contentsFiles = mapAttrs (dn: ldif: pkgs.writeText "${dn}.ldif" ldif) cfg.declarativeContents; + writeContents = pkgs.writeShellScript "openldap-load" '' + rm -rf /var/lib/openldap/$2/* + ${openldap}/bin/slapadd -F ${configDir} -b $1 -l $3 + ''; + in mkIf cfg.enable { + assertions = [{ + assertion = (cfg.declarativeContents != {}) -> cfg.configDir == null; + message = '' + Declarative DB contents (${attrNames cfg.declarativeContents}) are not + supported with user-managed configuration. + ''; + }] ++ (map (dn: { + assertion = (getAttr dn dbSettings) ? "olcDbDirectory"; + # olcDbDirectory is necessary to prepopulate database using `slapadd`. + message = '' + Declarative DB ${dn} does not exist in `services.openldap.settings`, or does not have + `olcDbDirectory` configured. + ''; + }) (attrNames cfg.declarativeContents)) ++ (mapAttrsToList (dn: { olcDbDirectory ? null, ... }: { + # For forward compatibility with `DynamicUser`, and to avoid accidentally clobbering + # directories with `declarativeContents`. 
+ assertion = (olcDbDirectory != null) -> + ((hasPrefix "/var/lib/openldap/" olcDbDirectory) && (olcDbDirectory != "/var/lib/openldap/")); + message = '' + Database ${dn} has `olcDbDirectory` (${olcDbDirectory}) that is not a subdirectory of + `/var/lib/openldap/`. + ''; + }) dbSettings); environment.systemPackages = [ openldap ]; # Literal attributes must always be set 
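Review bot: The second assertion's `(getAttr dn dbSettings) ? "olcDbDirectory"` throws an `attribute … missing` evaluation error when the declarative DN has no matching database, so the "does not exist in `services.openldap.settings`" half of its message can never be shown; write `assertion = (dbSettings ? ${dn}) && (dbSettings.${dn} ? olcDbDirectory);`. The first assertion's message interpolates a list, `${attrNames cfg.declarativeContents}`, which Nix cannot coerce to a string, so a failing assertion would error instead of printing it; use `${concatStringsSep ", " (attrNames cfg.declarativeContents)}`. In the `writeContents` script the positional parameters are expanded unquoted (`$2/*`, `-b $1 -l $3`), so a DN or directory containing whitespace or glob characters is split or expanded by the shell even though the caller wraps them in `escapeShellArgs`; quote them as `"$1"`, `"$2"` and `"$3"`. The same unquoted expansions remain in the rewrite of this script in the later `openldap: test and fix mutable config` commit. The `config = let … in mkIf cfg.enable {` block continues outside the hunk.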
@@ -231,46 +295,31 @@ in { ]; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; - preStart = let - settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings)); - - dbSettings = lib.filterAttrs (name: value: lib.hasPrefix "olcDatabase=" name) cfg.settings.children; - dataDirs = lib.mapAttrs' (name: value: lib.nameValuePair value.attrs.olcSuffix value.attrs.olcDbDirectory) - (lib.filterAttrs (_: value: value.attrs ? olcDbDirectory) dbSettings); - dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents; - mkLoadScript = dn: let - dataDir = lib.escapeShellArg (getAttr dn dataDirs); - in '' - rm -rf ${dataDir}/* - ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${getAttr dn dataFiles} - chown -R "${cfg.user}:${cfg.group}" ${dataDir} - ''; - in '' - mkdir -p /run/slapd - chown -R "${cfg.user}:${cfg.group}" /run/slapd - - mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} - chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} - - ${lib.optionalString (cfg.configDir == null) ('' - rm -Rf ${configDir}/* - ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile} - '')} - chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} - - ${lib.concatStrings (map mkLoadScript (lib.attrNames cfg.declarativeContents))} - ${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir} - ''; serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStartPre = [ + "!${pkgs.coreutils}/bin/mkdir -p ${configDir}" + "+${pkgs.coreutils}/bin/chown $USER ${configDir}" + ] ++ (lib.optional (cfg.configDir == null) writeConfig) + ++ (mapAttrsToList (dn: content: lib.escapeShellArgs [ + writeContents dn (getAttr dn dbSettings).olcDbDirectory content + ]) contentsFiles) + ++ [ "${openldap}/bin/slaptest -u -F ${configDir}" ]; 
ExecStart = lib.escapeShellArgs ([ - "${openldap}/libexec/slapd" "-d" "0" "-u" cfg.user "-g" cfg.group "-F" configDir - "-h" (lib.concatStringsSep " " cfg.urlList) + "${openldap}/libexec/slapd" "-d" "0" "-F" configDir "-h" (lib.concatStringsSep " " cfg.urlList) ]); Type = "notify"; # Fixes an error where openldap attempts to notify from a thread # outside the main process: # Got notification message from PID 6378, but reception only permitted for main PID 6377 NotifyAccess = "all"; + RuntimeDirectory = "slapd"; # TODO: openldap, for consistency + StateDirectory = ["openldap"] + ++ (map ({olcDbDirectory, ... }: removePrefix "/var/lib/" olcDbDirectory) (attrValues dbSettings)); + StateDirectoryMode = "700"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; }; diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 13afe166b9bf1..43d5e0d4a1a2e 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -43,7 +43,7 @@ in { attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/db/openldap"; + olcDbDirectory = "/var/lib/openldap/db"; olcSuffix = "dc=example"; olcRootDN = { # cn=root,dc=example -- cgit 1.4.1 From ad5acb9b0ec738c9bede7ec12947236992e78d2d Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 5 Jun 2022 13:47:24 +0100 Subject: openldap: use specialisations for tests This speeds up tests a bit. Also, ensure that mutable config works for manual config dir. --- nixos/tests/openldap.nix | 179 ++++++++++++++++++++++++----------------------- 1 file changed, 91 insertions(+), 88 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 43d5e0d4a1a2e..20117b87d4b8d 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix 
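Review bot: `"+${pkgs.coreutils}/bin/chown $USER ${configDir}"` relies on systemd expanding `$USER` to the service user inside a `+`-prefixed command, which runs without the unit's `User=` applied; whether `$USER` is still populated from `User=` in that mode is not something I can confirm from here, so passing the value directly (`"+${pkgs.coreutils}/bin/chown ${cfg.user} ${configDir}"`) removes the dependency. The two privileged pre-start commands also mix `!` (keeps the unit's sandboxing and only lifts `User=`/`Group=`) with `+` (lifts all restrictions); `!` suffices for both and is the narrower choice. `${configDir}` is interpolated unquoted into both command lines, whereas the removed `preStart` wrapped it in `lib.escapeShellArg`, so a user-supplied `configDir` containing spaces breaks here; keep `lib.escapeShellArg configDir` as before. `User=`, `CapabilityBoundingSet=` and `StateDirectoryMode = "700"` are a clear improvement over the old root start; `NoNewPrivileges = true` and `ProtectSystem = "strict"` with a `ReadWritePaths` entry for the config directory under `/etc` are worth evaluating as follow-ups now that the writable state lives under `StateDirectory`/`RuntimeDirectory`. The `systemd.services.openldap` definition starts outside the hunk.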
@@ -1,9 +1,4 @@ -{ pkgs ? (import ../.. { inherit system; config = { }; }) -, system ? builtins.currentSystem -, ... -}: - -let +import ./make-test-python.nix ({ pkgs, ... }: let dbContents = '' dn: dc=example objectClass: domain 
@@ -13,100 +8,108 @@ let objectClass: organizationalUnit ou: users ''; - testScript = '' - machine.wait_for_unit("openldap.service") - machine.succeed( - 'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"', - ) + + ldifConfig = '' + dn: cn=config + cn: config + objectClass: olcGlobal + olcLogLevel: stats + + dn: cn=schema,cn=config + cn: schema + objectClass: olcSchemaConfig + + include: file://${pkgs.openldap}/etc/schema/core.ldif + include: file://${pkgs.openldap}/etc/schema/cosine.ldif + include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif + + dn: olcDatabase={0}config,cn=config + olcDatabase: {0}config + objectClass: olcDatabaseConfig + olcRootDN: cn=root,cn=config + olcRootPW: configpassword + + dn: olcDatabase={1}mdb,cn=config + objectClass: olcDatabaseConfig + objectClass: olcMdbConfig + olcDatabase: {1}mdb + olcDbDirectory: /var/db/openldap + olcDbIndex: objectClass eq + olcSuffix: dc=example + olcRootDN: cn=root,dc=example + olcRootPW: notapassword ''; in { - # New-style configuration - current = import ./make-test-python.nix ({ pkgs, ... }: { - inherit testScript; - name = "openldap"; + name = "openldap"; - nodes.machine = { pkgs, ... 
}: { - environment.etc."openldap/root_password".text = "notapassword"; - services.openldap = { - enable = true; - urlList = [ "ldapi:///" "ldap://" ]; - settings = { - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - "${pkgs.openldap}/etc/schema/nis.ldif" - ]; - "olcDatabase={1}mdb" = { - # This tests string, base64 and path values, as well as lists of string values - attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/db"; - olcSuffix = "dc=example"; - olcRootDN = { - # cn=root,dc=example - base64 = "Y249cm9vdCxkYz1leGFtcGxl"; - }; - olcRootPW = { - path = "/etc/openldap/root_password"; - }; + nodes.machine = { pkgs, ... }: { + environment.etc."openldap/root_password".text = "notapassword"; + services.openldap = { + enable = true; + urlList = [ "ldapi:///" "ldap://" ]; + settings = { + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ]; + "olcDatabase={1}mdb" = { + # This tests string, base64 and path values, as well as lists of string values + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/db"; + olcSuffix = "dc=example"; + olcRootDN = { + # cn=root,dc=example + base64 = "Y249cm9vdCxkYz1leGFtcGxl"; + }; + olcRootPW = { + path = "/etc/openldap/root_password"; }; }; }; }; - declarativeContents."dc=example" = dbContents; }; + declarativeContents."dc=example" = dbContents; }; - }) { inherit pkgs system; }; - # Manually managed configDir, for example if dynamic config is essential - manualConfigDir = import ./make-test-python.nix ({ pkgs, ... }: { - name = "openldap"; - - nodes.machine = { pkgs, ... 
}: { - services.openldap = { - enable = true; - configDir = "/var/db/slapd.d"; + specialisation = { + manualConfigDir = { + inheritParentConfig = false; + configuration = { ... }: { + services.openldap = { + enable = true; + configDir = "/var/db/slapd.d"; + }; + }; }; }; + }; + testScript = { nodes, ... }: let + specializations = "${nodes.machine.config.system.build.toplevel}/specialisation"; + changeRootPw = '' + dn: olcDatabase={1}mdb,cn=config + changetype: modify + replace: olcRootPW + olcRootPW: foobar + ''; + in '' + machine.wait_for_unit("openldap.service") + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') - testScript = let - contents = pkgs.writeText "data.ldif" dbContents; - config = pkgs.writeText "config.ldif" '' - dn: cn=config - cn: config - objectClass: olcGlobal - olcLogLevel: stats - olcPidFile: /run/slapd/slapd.pid - - dn: cn=schema,cn=config - cn: schema - objectClass: olcSchemaConfig - - include: file://${pkgs.openldap}/etc/schema/core.ldif - include: file://${pkgs.openldap}/etc/schema/cosine.ldif - include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif - - dn: olcDatabase={1}mdb,cn=config - objectClass: olcDatabaseConfig - objectClass: olcMdbConfig - olcDatabase: {1}mdb - olcDbDirectory: /var/db/openldap - olcDbIndex: objectClass eq - olcSuffix: dc=example - olcRootDN: cn=root,dc=example - olcRootPW: notapassword - ''; - in '' + with subtest("manual config dir"): machine.succeed( - "mkdir -p /var/db/slapd.d /var/db/openldap", - "slapadd -F /var/db/slapd.d -n0 -l ${config}", - "slapadd -F /var/db/slapd.d -n1 -l ${contents}", - "chown -R openldap:openldap /var/db/slapd.d /var/db/openldap", - "systemctl restart openldap", + 'mkdir -p /var/db/slapd.d /var/db/openldap', + 'slapadd -F /var/db/slapd.d -n0 -l ${pkgs.writeText "config.ldif" ldifConfig}', + 'slapadd -F /var/db/slapd.d -n1 -l ${pkgs.writeText "contents.ldif" dbContents}', + 'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap', + 
'${specializations}/manualConfigDir/bin/switch-to-configuration test', ) - '' + testScript; - }) { inherit system pkgs; }; -} + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') + machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}') + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"') + ''; +}) -- cgit 1.4.1 From 8a7193fc0a9fa7fa098299a321fd2bd3f4fa2d7c Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 5 Jun 2022 18:07:51 +0100 Subject: openldap: test and fix mutable config --- nixos/modules/services/databases/openldap.nix | 6 ++++-- nixos/tests/openldap.nix | 20 +++++++++++++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 45242b2b48fa6..167eba16b99d8 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -231,7 +231,7 @@ in { config = let dbSettings = mapAttrs' (name: { attrs, ... }: nameValuePair attrs.olcSuffix attrs) - (filterAttrs (name: value: hasPrefix "olcDatabase=" name) cfg.settings.children); + (filterAttrs (name: { attrs, ... }: (hasPrefix "olcDatabase=" name) && attrs ? olcSuffix) cfg.settings.children); settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings)); writeConfig = pkgs.writeShellScript "openldap-config" '' set -euo pipefail @@ -245,7 +245,9 @@ in { contentsFiles = mapAttrs (dn: ldif: pkgs.writeText "${dn}.ldif" ldif) cfg.declarativeContents; writeContents = pkgs.writeShellScript "openldap-load" '' - rm -rf /var/lib/openldap/$2/* + set -euo pipefail + + rm -rf $2/* ${openldap}/bin/slapadd -F ${configDir} -b $1 -l $3 ''; in mkIf cfg.enable { diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 20117b87d4b8d..b31df594a36d0 100644 
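Review bot: The local binding `specializations` is spelled differently from the `specialisation` option and the `${nodes.machine.config.system.build.toplevel}/specialisation` directory it points at, which makes the test script harder to grep; renaming it to `specialisations` keeps one spelling throughout. Everything else in the rewritten `testScript` reads consistently with the `specialisation` block above it.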
--- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -55,6 +55,14 @@ in { "${pkgs.openldap}/etc/schema/inetorgperson.ldif" "${pkgs.openldap}/etc/schema/nis.ldif" ]; + "olcDatabase={0}config" = { + attrs = { + objectClass = [ "olcDatabaseConfig" ]; + olcDatabase = "{0}config"; + olcRootDN = "cn=root,cn=config"; + olcRootPW = "configpassword"; + }; + }; "olcDatabase={1}mdb" = { # This tests string, base64 and path values, as well as lists of string values attrs = { @@ -77,6 +85,9 @@ in { }; specialisation = { + mutableConfig.configuration = { ... }: { + services.openldap.mutableConfig = true; + }; manualConfigDir = { inheritParentConfig = false; configuration = { ... }: { @@ -99,10 +110,17 @@ in { in '' machine.wait_for_unit("openldap.service") machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') + machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}') + + with subtest("mutable config"): + machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test') + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') + machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}') + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"') with subtest("manual config dir"): machine.succeed( - 'mkdir -p /var/db/slapd.d /var/db/openldap', + 'mkdir /var/db/slapd.d /var/db/openldap', 'slapadd -F /var/db/slapd.d -n0 -l ${pkgs.writeText "config.ldif" ldifConfig}', 'slapadd -F /var/db/slapd.d -n1 -l ${pkgs.writeText "contents.ldif" dbContents}', 'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap', -- cgit 1.4.1 From 334d622ec72c79a23bc5102f424ca535685e3dfb Mon Sep 17 00:00:00 2001 
From: Kai Wohlfahrt Date: Sun, 5 Jun 2022 20:03:46 +0100 Subject: openldap: test starting with empty DB This addresses the original concern behind #92544 --- nixos/modules/services/databases/openldap.nix | 5 ++++- nixos/tests/openldap.nix | 18 ++++++++++++++---- 2 files changed, 18 insertions(+), 5 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 167eba16b99d8..608e88938b431 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -236,7 +236,10 @@ in { writeConfig = pkgs.writeShellScript "openldap-config" '' set -euo pipefail - ${lib.optionalString (!cfg.mutableConfig) "rm -rf ${configDir}/*"} + ${lib.optionalString (!cfg.mutableConfig) '' + chmod -R u+w ${configDir} + rm -rf ${configDir}/* + ''} if [ ! -e "${configDir}/cn=config.ldif" ]; then ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile} fi diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index b31df594a36d0..04e2650e38080 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -81,12 +81,17 @@ in { }; }; }; - declarativeContents."dc=example" = dbContents; }; specialisation = { + declarativeContents.configuration = { ... }: { + services.openldap.declarativeContents."dc=example" = dbContents; + }; mutableConfig.configuration = { ... }: { - services.openldap.mutableConfig = true; + services.openldap = { + declarativeContents."dc=example" = dbContents; + mutableConfig = true; + }; }; manualConfigDir = { inheritParentConfig = false; 
@@ -108,9 +113,14 @@ in { olcRootPW: foobar ''; in '' + # Test startup with empty DB machine.wait_for_unit("openldap.service") - machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') - machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}') + + with subtest("declarative contents"): + machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test') + machine.wait_for_unit("openldap.service") + machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"') + machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}') with subtest("mutable config"): machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test') -- cgit 1.4.1 From 60d1c1d9ad3717150fc38bd2b1b974b511cd17b4 Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 5 Jun 2022 20:18:21 +0100 Subject: openldap: change runtime directory Use `openldap` for consistency between `/var/lib` and `/run`. --- nixos/modules/services/databases/openldap.nix | 2 +- pkgs/development/libraries/openldap/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 608e88938b431..5006a3065e940 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -319,7 +319,7 @@ in { # outside the main process: # Got notification message from PID 6378, but reception only permitted for main PID 6377 NotifyAccess = "all"; - RuntimeDirectory = "slapd"; # TODO: openldap, for consistency + RuntimeDirectory = "openldap"; StateDirectory = ["openldap"] ++ (map ({olcDbDirectory, ... }: removePrefix "/var/lib/" olcDbDirectory) (attrValues dbSettings)); StateDirectoryMode = "700"; 
diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix index 4198221e79832..80c226a1058fc 100644 --- a/pkgs/development/libraries/openldap/default.nix +++ b/pkgs/development/libraries/openldap/default.nix @@ -93,7 +93,7 @@ stdenv.mkDerivation rec { "ac_cv_func_memcmp_working=yes" ] ++ lib.optional stdenv.isFreeBSD "--with-pic"; - NIX_CFLAGS_COMPILE = [ "-DLDAPI_SOCK=\"/run/slapd/ldapi\"" ]; + NIX_CFLAGS_COMPILE = [ "-DLDAPI_SOCK=\"/run/openldap/ldapi\"" ]; makeFlags= [ "CC=${stdenv.cc.targetPrefix}cc" -- cgit 1.4.1 From b30534eb02796423cec9fbda8f7aea535c932e3e Mon Sep 17 00:00:00 2001 From: Dan Callaghan Date: Tue, 19 Jul 2022 22:31:11 +1000 Subject: openldap: load client config from /etc, not the nix store We want Openldap clients to load /etc/ldap.conf at runtime, not ${pkgs.openldap}/etc/ldap.conf which is always a sample config. Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded in the library as the path of its config file. Pass sysconfdir=${out}/etc at install time, so that the sample configs and schema files are correctly included in the build output. This hack works because the Makefiles are not smart enough to notice that the sysconfdir variable has changed across invocations -- because nobody ever writes their Makefiles to be that smart. :-) Fixes #181937. --- nixos/tests/openldap.nix | 23 ++++++++++++++++++----- pkgs/development/libraries/openldap/default.nix | 3 ++- 2 files changed, 20 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 04e2650e38080..075bb5d1f6405 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix 
@@ -39,11 +39,23 @@ import ./make-test-python.nix ({ pkgs, ... }: let
 olcRootDN: cn=root,dc=example
 olcRootPW: notapassword
 '';
+
+ ldapClientConfig = {
+ enable = true;
+ loginPam = false;
+ nsswitch = false;
+ server = "ldap://";
+ base = "dc=example";
+ };
+
 in {
 name = "openldap";
 nodes.machine = { pkgs, ... }: {
 environment.etc."openldap/root_password".text = "notapassword";
+
+ users.ldap = ldapClientConfig;
+
 services.openldap = {
 enable = true;
 urlList = [ "ldapi:///" "ldap://" ];
@@ -96,6 +108,7 @@ in {
 manualConfigDir = {
 inheritParentConfig = false;
 configuration = { ... }: {
+ users.ldap = ldapClientConfig;
 services.openldap = {
 enable = true;
 configDir = "/var/db/slapd.d";
@@ -119,14 +132,14 @@ in {
 with subtest("declarative contents"):
 machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
 machine.wait_for_unit("openldap.service")
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
 with subtest("mutable config"):
 machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 with subtest("manual config dir"):
 machine.succeed(
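Review bot: The new `ldapClientConfig` block switches `loginPam` and `nsswitch` off without saying why, and since the purpose of the change is only to give libldap a `/etc/ldap.conf`, a reader may later flip them on and (presumably) make the test VM authenticate and resolve users against the very server it is testing. A comment above `ldapClientConfig = {` such as `# Only the libldap client config (uri/base) is wanted here; keep PAM and NSS lookups out of the test VM.` would pin the intent. Dropping `-b "dc=example"` from every ldapsearch is what makes the test prove that the base is read from /etc, but that only holds if a missing base fails loudly, which I have not verified from this diff; grepping one search's output for `dn: dc=example` would make the assertion independent of that behaviour. The `let` block this hunk edits continues outside the hunk.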
@@ -136,8 +149,8 @@ in {
 'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
 '${specializations}/manualConfigDir/bin/switch-to-configuration test',
 )
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 '';
 })
diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix
index 8d4820f33ffc8..f357b8d4b7208 100644
--- a/pkgs/development/libraries/openldap/default.nix
+++ b/pkgs/development/libraries/openldap/default.nix
@@ -67,7 +67,7 @@ stdenv.mkDerivation rec {
 "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase.
 "STRIP_OPTS="
 "prefix=${placeholder "out"}"
- "sysconfdir=${placeholder "out"}/etc"
+ "sysconfdir=/etc"
 "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
 # contrib modules require these
 "moduledir=${placeholder "out"}/lib/modules"
@@ -101,6 +101,7 @@ stdenv.mkDerivation rec {
 installFlags = [
 "prefix=${placeholder "out"}"
+ "sysconfdir=${placeholder "out"}/etc"
 "moduledir=${placeholder "out"}/lib/modules"
 "INSTALL=install"
 ];
--
cgit 1.4.1
From c9183d37385787ae2afd5a7550d119c7bb9b1fe6 Mon Sep 17 00:00:00 2001
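Review bot: The two different `sysconfdir` values (`/etc` in configureFlags, `${placeholder "out"}/etc` in installFlags) read as a mistake to anyone who has not seen this commit message, and the message itself admits the trick only works because the Makefiles do not notice the variable changing between invocations; that rationale must live in the file or the next cleanup will revert it. Put above `"sysconfdir=/etc"` something like `# Deliberately /etc: this is the runtime config path libldap compiles in (ldap.conf). installFlags sets it back to $out/etc so the sample configs and schema files still land in the store.` The message's reference to `/etc/krb5.conf` is presumably a slip for the ldap.conf path and is worth correcting at the same time. Because a future OpenLDAP release could legitimately start honouring the configure-time value at install, a cheap guard such as `test -d $out/etc/schema` in `postInstall` would turn a silent regression of this hack into a build failure.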
From: K900 Date: Thu, 30 Jun 2022 12:54:47 +0300 Subject: nixos/systemd: make sure all the device nodes are created in stage1 The ConditionFileNotEmpty override patch wasn't correct for stage1, which does have the modules in /lib. So, remove the patch and set the right path with overrides in the final system. Also, make sure systemd-tmpfiles-setup-dev is pulled in to create all the necessary symlinks. --- nixos/modules/system/boot/systemd.nix | 6 ++++ nixos/modules/system/boot/systemd/initrd.nix | 3 ++ ...e-units-for-uninitialised-encrypted-devic.patch | 7 ++-- ...002-Don-t-try-to-unmount-nix-or-nix-store.patch | 7 ++-- .../linux/systemd/0003-Fix-NixOS-containers.patch | 9 ++--- .../0004-Look-for-fsck-in-the-right-place.patch | 7 ++-- ...-Add-some-NixOS-specific-unit-directories.patch | 9 ++--- ...rid-of-a-useless-message-in-user-sessions.patch | 7 ++-- ...ocaled-timedated-disable-methods-that-cha.patch | 9 ++--- .../linux/systemd/0008-Fix-hwdb-paths.patch | 7 ++-- ...Change-usr-share-zoneinfo-to-etc-zoneinfo.patch | 11 +++--- ...10-localectl-use-etc-X11-xkb-for-list-x11.patch | 7 ++-- ...-create-statedir-and-don-t-touch-prefixdi.patch | 11 +++--- .../0012-add-rootprefix-to-lookup-dir-paths.patch | 7 ++-- ...tdown-execute-scripts-in-etc-systemd-syst.patch | 7 ++-- ...ep-execute-scripts-in-etc-systemd-system-.patch | 8 ++--- ...-nodes.service-Update-ConditionFileNotEmp.patch | 27 -------------- ...h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch | 30 ++++++++++++++++ ...h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch | 33 ----------------- ...0016-pkg-config-derive-prefix-from-prefix.patch | 30 ++++++++++++++++ ...stemd-environment-when-calling-generators.patch | 39 ++++++++++++++++++++ ...0017-pkg-config-derive-prefix-from-prefix.patch | 33 ----------------- ...stemd-environment-when-calling-generators.patch | 42 ---------------------- pkgs/os-specific/linux/systemd/default.nix | 10 +++--- 24 files changed, 148 insertions(+), 218 deletions(-) delete mode 100644 
pkgs/os-specific/linux/systemd/0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
create mode 100644 pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
delete mode 100644 pkgs/os-specific/linux/systemd/0016-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
create mode 100644 pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch
create mode 100644 pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch
delete mode 100644 pkgs/os-specific/linux/systemd/0017-pkg-config-derive-prefix-from-prefix.patch
delete mode 100644 pkgs/os-specific/linux/systemd/0018-inherit-systemd-environment-when-calling-generators.patch
(limited to 'nixos')
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 645fbc2b713a9..53cebfd65c6bc 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -592,6 +592,12 @@ in
 systemd.services.systemd-importd.environment = proxy_env;
 systemd.services.systemd-pstore.wantedBy = [ "sysinit.target" ]; # see #81138
+ # NixOS has kernel modules in a different location, so override that here.
+ systemd.services.kmod-static-nodes.unitConfig.ConditionFileNotEmpty = [
+ "" # required to unset the previous value!
+ "/run/booted-system/kernel-modules/lib/modules/%v/modules.devname"
+ ];
+
 # Don't bother with certain units in containers.
 systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
 systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container";
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index cdec7f532917d..a5461fd2ac466 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
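Review bot: The override points at `/run/booted-system` rather than `/run/current-system` and the comment does not say why; my reading is that `%v` expands to the running kernel's release, so the matching `modules.devname` is the booted generation's, which can differ from `current-system` after a `nixos-rebuild switch` without a reboot, but that reasoning is inferred, not shown here. Extend the comment to `# NixOS has kernel modules in a different location, so override that here. booted-system, not current-system: %v is the running kernel, whose modules belong to the booted generation.` It is also worth recording that this override only covers the stage-2 unit; the commit message says the initrd keeps the stock `/lib/modules/%v` condition, and once the patch is deleted nothing in this file makes that asymmetry visible. The enclosing attribute set starts and ends outside the hunk.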
@@ -420,6 +420,9 @@ in { services."systemd-makefs@" = lib.mkIf needMakefs { unitConfig.IgnoreOnIsolate = true; }; services."systemd-growfs@" = lib.mkIf needGrowfs { unitConfig.IgnoreOnIsolate = true; }; + # make sure all the /dev nodes are set up + services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"]; + services.initrd-nixos-activation = { after = [ "initrd-fs.target" ]; requiredBy = [ "initrd.target" ]; diff --git a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch index 4b11aa1b136bd..2699c38440cee 100644 --- a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch +++ b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch @@ -1,7 +1,7 @@ -From c8b50208dce4c467c1f85c3db3e05bdcfd43c378 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 8 Jan 2013 15:46:30 +0100 -Subject: [PATCH 01/18] Start device units for uninitialised encrypted devices +Subject: [PATCH] Start device units for uninitialised encrypted devices This is necessary because the NixOS service that initialises the filesystem depends on the appearance of the device unit. Also, this @@ -27,6 +27,3 @@ index 25b8a590a6..d18999ea87 100644 # add symlink to GPT root disk SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root" SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks" --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch index e05a7af17dcbb..f46480d32febb 100644 --- a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch 
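Review bot: Wanting `systemd-tmpfiles-setup-dev` from `sysinit.target` only yields the device-node symlinks the commit message describes if `kmod-static-nodes.service` also runs in the initrd, and this hunk does not show that unit being included or wanted; the `Before=... systemd-tmpfiles-setup-dev.service` ordering visible in the deleted patch only matters when both units are present. If the initrd unit list already pulls it in elsewhere in this module, say so in the comment, e.g. `# make sure all the /dev nodes are set up; depends on kmod-static-nodes.service also running in the initrd`, otherwise add `services.kmod-static-nodes.wantedBy = ["sysinit.target"];` next to it. I have not verified from this diff alone what kmod-static-nodes produces in stage 1. The enclosing `services` set starts and ends outside the hunk.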
+++ b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch @@ -1,7 +1,7 @@ -From c884aee4c66c97f592ae0f8ebd97f48a39d8c53c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 12 Apr 2013 13:16:57 +0200 -Subject: [PATCH 02/18] Don't try to unmount /nix or /nix/store +Subject: [PATCH] Don't try to unmount /nix or /nix/store They'll still be remounted read-only. @@ -37,6 +37,3 @@ index 820aa8e286..653e43053d 100644 #if ! HAVE_SPLIT_USR || path_equal(path, "/usr") #endif --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch index 6db68f5e01189..a669350dbed8b 100644 --- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch +++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch @@ -1,7 +1,7 @@ -From eb3ff76f95bfe248f517e029ea1b152f4983370a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 16 Apr 2014 10:59:28 +0200 -Subject: [PATCH 03/18] Fix NixOS containers +Subject: [PATCH] Fix NixOS containers In NixOS containers, the init script is bind-mounted into the container, so checking early whether it exists will fail. @@ -10,7 +10,7 @@ container, so checking early whether it exists will fail. 1 file changed, 2 insertions(+) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index c5fd978395..0fa415f5b5 100644 +index 4ce80bba70..bb149192bd 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -5651,6 +5651,7 @@ static int run(int argc, char *argv[]) { @@ -29,6 +29,3 @@ index c5fd978395..0fa415f5b5 100644 } } else { --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch index ce3263a2bdbe5..dfaf53e4a3149 100644 
--- a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch +++ b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch @@ -1,7 +1,7 @@ -From 789ca236fdc81dc3f514ddad3354eeb5fa8cc7d8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 1 May 2014 14:10:10 +0200 -Subject: [PATCH 04/18] Look for fsck in the right place +Subject: [PATCH] Look for fsck in the right place --- src/fsck/fsck.c | 2 +- @@ -20,6 +20,3 @@ index 745d01ff50..dd4eef45c3 100644 cmdline[i++] = arg_repair; cmdline[i++] = "-T"; --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch index 89804466ad058..8a06e2cf69cb9 100644 --- a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch +++ b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch @@ -1,7 +1,7 @@ -From 6871d9637bc653a976e04cd595697d7244a293e2 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 19 Dec 2014 14:46:17 +0100 -Subject: [PATCH 05/18] Add some NixOS-specific unit directories +Subject: [PATCH] Add some NixOS-specific unit directories Look in `/nix/var/nix/profiles/default/lib/systemd/{system,user}` for units provided by packages installed into the default profile via @@ -92,7 +92,7 @@ index 1f4331a8bf..4b9a8ae26e 100644 if (!add) diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in -index fc0f8c34fa..162432e77f 100644 +index 693433b34b..5932a21b5b 100644 --- a/src/core/systemd.pc.in +++ b/src/core/systemd.pc.in @@ -38,10 +38,10 @@ systemdsystemconfdir=${systemd_system_conf_dir} 
@@ -121,6 +121,3 @@ index fc0f8c34fa..162432e77f 100644 systemdusergeneratorpath=${systemd_user_generator_path} systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch index 2cb85655e678f..c06f12550261a 100644 --- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch +++ b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch @@ -1,7 +1,7 @@ -From 67daf22c74a780e283a493a0f9fdbbea2ce0aaba Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 11 May 2015 15:39:38 +0200 -Subject: [PATCH 06/18] Get rid of a useless message in user sessions +Subject: [PATCH] Get rid of a useless message in user sessions Namely lots of variants of @@ -26,6 +26,3 @@ index 296b759959..71ef7f27b4 100644 /* If stopping a unit fails continuously we might enter a stop loop here, hence stop acting on the * service being unnecessary after a while. */ --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch index e9d9ef6b5fe9b..174cca335b8e8 100644 --- a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch +++ b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch @@ -1,8 +1,8 @@ -From 21b9acb1d4202a022475a24db727055f9dd2532a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Gabriel Ebner Date: Sun, 6 Dec 2015 14:26:36 +0100 -Subject: [PATCH 07/18] hostnamed, localed, timedated: disable methods that - change system settings. +Subject: [PATCH] hostnamed, localed, timedated: disable methods that change + system settings. --- src/hostname/hostnamed.c | 6 ++++++ @@ -103,6 +103,3 @@ index 9ca5d37b75..e41d8d73df 100644 r = context_update_ntp_status(c, bus, m); if (r < 0) return r; --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch index 67e63298f2321..69bd1cc97b27b 100644 --- a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch +++ b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch @@ -1,7 +1,7 @@ -From 3894fcd76e5791e094c685c0095006b6867893c1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 7 Jul 2016 02:47:13 +0300 -Subject: [PATCH 08/18] Fix hwdb paths +Subject: [PATCH] Fix hwdb paths Patch by vcunat. --- @@ -23,6 +23,3 @@ index 62d27f7b89..87318e041b 100644 - UDEVLIBEXECDIR "/hwdb.bin\0" + "/etc/udev/hwdb.bin\0" + --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch index 94d57bc7c054f..106eba2bed83f 100644 --- a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch +++ b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch @@ -1,7 +1,7 @@ -From 322fe2a15ac92d38f6952a2f7fd66e56eaa0f1f4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 11 Oct 2016 13:12:08 +0300 -Subject: [PATCH 09/18] Change /usr/share/zoneinfo to /etc/zoneinfo +Subject: [PATCH] Change /usr/share/zoneinfo to /etc/zoneinfo NixOS uses this path. --- 
@@ -35,7 +35,7 @@ index e486474c44..5f373d0723 100644 Etc/UTC. The resulting link should lead to the corresponding binary diff --git a/src/basic/time-util.c b/src/basic/time-util.c -index c309369406..e0d84a7cfa 100644 +index 0ad8de4b9a..b794c6c7d0 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -1281,7 +1281,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) { @@ -88,7 +88,7 @@ index 39160182ef..8dcc3307c8 100644 (void) mkdir_parents(etc_localtime, 0755); if (symlink(e, etc_localtime) < 0) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 0fa415f5b5..b4404fff49 100644 +index bb149192bd..08751ed944 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1901,8 +1901,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid @@ -136,6 +136,3 @@ index e41d8d73df..ff1a384b3b 100644 if (!p) return -ENOMEM; --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch index 23d12fb2f8201..a3315a1e657a6 100644 --- a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch +++ b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch @@ -1,7 +1,7 @@ -From 35dd77fafe73cc4a648f101163945cbcae8ed6b9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Imuli Date: Wed, 19 Oct 2016 08:46:47 -0400 -Subject: [PATCH 10/18] localectl: use /etc/X11/xkb for list-x11-* +Subject: [PATCH] localectl: use /etc/X11/xkb for list-x11-* NixOS has an option to link the xkb data files to /etc/X11, but not to /usr/share/X11. @@ -22,6 +22,3 @@ index 661d54c27d..e98b578531 100644 if (!f) return log_error_errno(errno, "Failed to open keyboard mapping list. %m"); --- -2.36.1 - 
diff --git a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch index 824ddb33bfb4b..75d113d003398 100644 --- a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch +++ b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch @@ -1,17 +1,17 @@ -From 1928e1d8eda7d3e296170bb5bd813463cc3e679c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 11 Feb 2018 04:37:44 +0100 -Subject: [PATCH 11/18] build: don't create statedir and don't touch prefixdir +Subject: [PATCH] build: don't create statedir and don't touch prefixdir --- meson.build | 3 --- 1 file changed, 3 deletions(-) diff --git a/meson.build b/meson.build -index 36cbfa4893..a10d6a3eb7 100644 +index 9c170acc0a..818b7a3eb5 100644 --- a/meson.build +++ b/meson.build -@@ -3926,9 +3926,6 @@ install_data('LICENSE.GPL2', +@@ -3928,9 +3928,6 @@ install_data('LICENSE.GPL2', install_subdir('LICENSES', install_dir : docdir) @@ -21,6 +21,3 @@ index 36cbfa4893..a10d6a3eb7 100644 ############################################################ # Ensure that changes to the docs/ directory do not break the --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch index 86ebfa5d4b014..c1659ae8a78a8 100644 --- a/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch +++ b/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch @@ -1,7 +1,7 @@ -From 201b588b4b30fb53aefaed43e5d434373a076cb0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Andreas Rammhold Date: Thu, 9 May 2019 11:15:22 +0200 -Subject: [PATCH 12/18] add rootprefix to lookup dir paths +Subject: [PATCH] add rootprefix to lookup dir paths systemd does not longer use the UDEVLIBEXEC directory as root for discovery default udev rules. By adding `$out/lib` to the lookup paths @@ -33,6 +33,3 @@ index 0a1ae023a3..cc00ff6c68 100644 #define CONF_PATHS(n) \ CONF_PATHS_USR(n) \ --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch index 21cbde9a92d4e..4add87267ddb6 100644 --- a/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch +++ b/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch @@ -1,7 +1,7 @@ -From 67434c58caddf7dd3cef66dd3e3f704d39e4bcb0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 25 Jul 2019 20:45:55 +0300 -Subject: [PATCH 13/18] systemd-shutdown: execute scripts in +Subject: [PATCH] systemd-shutdown: execute scripts in /etc/systemd/system-shutdown This is needed for NixOS to use such scripts as systemd directory is immutable. @@ -22,6 +22,3 @@ index 2c3cbec02c..1b876203c6 100644 /* The log target defaults to console, but the original systemd process will pass its log target in through a * command line argument, which will override this default. Also, ensure we'll never log to the journal or --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch index 2d6f6aefbbb13..22e2bc8e5300f 100644 --- a/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch 
+++ b/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch @@ -1,8 +1,7 @@ -From db1280d020e6d46a994240e755ce369d895322c5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 25 Jul 2019 20:46:58 +0300 -Subject: [PATCH 14/18] systemd-sleep: execute scripts in - /etc/systemd/system-sleep +Subject: [PATCH] systemd-sleep: execute scripts in /etc/systemd/system-sleep This is needed for NixOS to use such scripts as systemd directory is immutable. --- @@ -21,6 +20,3 @@ index 65e391d02a..28af2f8bf5 100644 NULL }; --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch b/pkgs/os-specific/linux/systemd/0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch deleted file mode 100644 index 9adeed284fbbf..0000000000000 --- a/pkgs/os-specific/linux/systemd/0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From ac9f97341e6fe3fb4b5fe22e72f43312ef5b1ca4 Mon Sep 17 00:00:00 2001 -From: Florian Klink -Date: Sat, 7 Mar 2020 22:40:27 +0100 -Subject: [PATCH 15/18] kmod-static-nodes.service: Update ConditionFileNotEmpty - -On NixOS, kernel modules of the currently booted systems are located at -/run/booted-system/kernel-modules/lib/modules/%v/, not /lib/modules/%v/. ---- - units/kmod-static-nodes.service.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/units/kmod-static-nodes.service.in b/units/kmod-static-nodes.service.in -index 777e82d16b..b6abc2bba0 100644 ---- a/units/kmod-static-nodes.service.in -+++ b/units/kmod-static-nodes.service.in -@@ -12,7 +12,7 @@ Description=Create List of Static Device Nodes - DefaultDependencies=no - Before=sysinit.target systemd-tmpfiles-setup-dev.service - ConditionCapability=CAP_SYS_MODULE --ConditionFileNotEmpty=/lib/modules/%v/modules.devname -+ConditionFileNotEmpty=/run/booted-system/kernel-modules/lib/modules/%v/modules.devname - - [Service] - Type=oneshot --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch new file mode 100644 index 0000000000000..653f3beea965d --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch 
@@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Florian Klink +Date: Sun, 8 Mar 2020 01:05:54 +0100 +Subject: [PATCH] path-util.h: add placeholder for DEFAULT_PATH_NORMAL + +This will be the $PATH used to lookup ExecStart= etc. options, which +systemd itself uses extensively. +--- + src/basic/path-util.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/basic/path-util.h b/src/basic/path-util.h +index 553aa4fb58..46294f4bb1 100644 +--- a/src/basic/path-util.h ++++ b/src/basic/path-util.h +@@ -24,11 +24,11 @@ + # define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x) + #endif + +-#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/") +-#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/") ++#define DEFAULT_PATH_NORMAL "@defaultPathNormal@" ++#define DEFAULT_PATH_NORMAL_NULSTR "@defaultPathNormal@\0" + #define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/") + #define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/") +-#define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/") ++#define DEFAULT_PATH_COMPAT DEFAULT_PATH_NORMAL + + #if HAVE_SPLIT_USR + # define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR diff --git a/pkgs/os-specific/linux/systemd/0016-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0016-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch deleted file mode 100644 index dc727586ce9d8..0000000000000 --- a/pkgs/os-specific/linux/systemd/0016-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 6f40d7a9d0029b5a805245b938ac62e7b150ea75 Mon Sep 17 00:00:00 2001 -From: Florian Klink -Date: Sun, 8 Mar 2020 01:05:54 +0100 -Subject: [PATCH 16/18] path-util.h: add placeholder for DEFAULT_PATH_NORMAL - -This will be the $PATH used to lookup ExecStart= etc. options, which -systemd itself uses extensively. ---- - src/basic/path-util.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/basic/path-util.h b/src/basic/path-util.h -index 553aa4fb58..46294f4bb1 100644 ---- a/src/basic/path-util.h -+++ b/src/basic/path-util.h -@@ -24,11 +24,11 @@ - # define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x) - #endif - --#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/") --#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/") -+#define DEFAULT_PATH_NORMAL "@defaultPathNormal@" -+#define DEFAULT_PATH_NORMAL_NULSTR "@defaultPathNormal@\0" - #define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/") - #define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/") --#define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/") -+#define DEFAULT_PATH_COMPAT DEFAULT_PATH_NORMAL - - #if HAVE_SPLIT_USR - # define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch new file mode 100644 index 0000000000000..3fbfd7f10ab49 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch 
@@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= +Date: Sun, 6 Dec 2020 08:34:19 +0100 +Subject: [PATCH] pkg-config: derive prefix from --prefix + +Point prefix to the one configured, instead of `/usr` `systemd` has limited +support for making the pkgconfig prefix overridable, and interpolates those +values later down. + +So we only need to patch this one value to get the correct paths. +See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details. + +Co-Authored-By: Florian Klink +--- + src/core/systemd.pc.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in +index 5932a21b5b..20bf8e316d 100644 +--- a/src/core/systemd.pc.in ++++ b/src/core/systemd.pc.in +@@ -11,7 +11,7 @@ + # considered deprecated (though there is no plan to remove them). New names + # shall have underscores. + +-prefix=/usr ++prefix={{PREFIX}} + root_prefix={{ROOTPREFIX_NOSLASH}} + rootprefix=${root_prefix} + sysconf_dir={{SYSCONF_DIR}} diff --git a/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch new file mode 100644 index 0000000000000..f4925437aa58a --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch 
@@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuriy Taraday +Date: Fri, 17 Jun 2022 12:45:10 +0000 +Subject: [PATCH] inherit systemd environment when calling generators. + +Systemd generators need access to the environment configured in +stage-2-init.sh since it schedules fsck and mkfs executions based on +being able to find an appropriate binary for the target filesystem. + +With this commit I am altering the systemd behaviour since upstream +tries to gather environments with that they call +"environment-generators" and then seems to pass that on to all the other +executables that are being called from managers. +--- + src/core/manager.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 71ef7f27b4..33ded94a7c 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3704,9 +3704,17 @@ static int build_generator_environment(Manager *m, char ***ret) { + * adjust generated units to that. Let's pass down some bits of information that are easy for us to + * determine (but a bit harder for generator scripts to determine), as environment variables. */ + ++ // On NixOS we must propagate PATH to generators so they are ++ // able to find binaries such as `fsck.${fstype}` and ++ // `mkfs.${fstype}`. That is why we ignore transient_environment that ++ // overrides the PATH variable. This propagates systemd's ++ // environment (e.g. PATH) that was setup ++ // before calling systemd from stage-2-init.sh. ++#if 0 + nl = strv_copy(m->transient_environment); + if (!nl) + return -ENOMEM; ++#endif + + r = strv_env_assign(&nl, "SYSTEMD_SCOPE", MANAGER_IS_SYSTEM(m) ? "system" : "user"); + if (r < 0) diff --git a/pkgs/os-specific/linux/systemd/0017-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0017-pkg-config-derive-prefix-from-prefix.patch deleted file mode 100644 index 7ca62eb750624..0000000000000 
--- a/pkgs/os-specific/linux/systemd/0017-pkg-config-derive-prefix-from-prefix.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8d9355264f11034a28ad78e4e70809908acfdb3e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= -Date: Sun, 6 Dec 2020 08:34:19 +0100 -Subject: [PATCH 17/18] pkg-config: derive prefix from --prefix - -Point prefix to the one configured, instead of `/usr` `systemd` has limited -support for making the pkgconfig prefix overridable, and interpolates those -values later down. - -So we only need to patch this one value to get the correct paths. -See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details. - -Co-Authored-By: Florian Klink ---- - src/core/systemd.pc.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in -index 162432e77f..2fc20daf03 100644 ---- a/src/core/systemd.pc.in -+++ b/src/core/systemd.pc.in -@@ -11,7 +11,7 @@ - # considered deprecated (though there is no plan to remove them). New names - # shall have underscores. - --prefix=/usr -+prefix={{PREFIX}} - root_prefix={{ROOTPREFIX_NOSLASH}} - rootprefix=${root_prefix} - sysconf_dir={{SYSCONF_DIR}} --- -2.36.1 - diff --git a/pkgs/os-specific/linux/systemd/0018-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0018-inherit-systemd-environment-when-calling-generators.patch deleted file mode 100644 index 06902cbad1bd9..0000000000000 --- a/pkgs/os-specific/linux/systemd/0018-inherit-systemd-environment-when-calling-generators.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 291ead07daab980fa39fd18512c8266c23161540 Mon Sep 17 00:00:00 2001
-From: Yuriy Taraday
-Date: Fri, 17 Jun 2022 12:45:10 +0000
-Subject: [PATCH 18/18] inherit systemd environment when calling generators.
-
-Systemd generators need access to the environment configured in
-stage-2-init.sh since it schedules fsck and mkfs executions based on
-being able to find an appropriate binary for the target filesystem.
-
-With this commit I am altering the systemd behaviour since upstream
-tries to gather environments with that they call
-"environment-generators" and then seems to pass that on to all the other
-executables that are being called from managers.
----
- src/core/manager.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/core/manager.c b/src/core/manager.c
-index 71ef7f27b4..33ded94a7c 100644
---- a/src/core/manager.c
-+++ b/src/core/manager.c
-@@ -3704,9 +3704,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
- * adjust generated units to that. Let's pass down some bits of information that are easy for us to
- * determine (but a bit harder for generator scripts to determine), as environment variables. */
- 
-+ // On NixOS we must propagate PATH to generators so they are
-+ // able to find binaries such as `fsck.${fstype}` and
-+ // `mkfs.${fstype}`. That is why we ignore transient_environment that
-+ // overrides the PATH variable. This propagates systemd's
-+ // environment (e.g. PATH) that was setup
-+ // before calling systemd from stage-2-init.sh.
-+#if 0
- nl = strv_copy(m->transient_environment);
- if (!nl)
- return -ENOMEM;
-+#endif
- 
- r = strv_env_assign(&nl, "SYSTEMD_SCOPE", MANAGER_IS_SYSTEM(m) ? "system" : "user");
- if (r < 0)
---
-2.36.1
-
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 48baed6615eaa..34a6e759a3153 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -149,7 +149,8 @@ stdenv.mkDerivation {
 # On major changes, or when otherwise required, you *must* reformat the patches,
 # `git am path/to/00*.patch` them into a systemd worktree, rebase to the more recent
- # systemd version, and export the patches again via `git -c format.signoff=false format-patch v${version}`.
+ # systemd version, and export the patches again via
+ # `git -c format.signoff=false format-patch v${version} --no-numbered --zero-commit --no-signature`.
 # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
 patches = [
 ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -166,10 +167,9 @@ stdenv.mkDerivation {
 ./0012-add-rootprefix-to-lookup-dir-paths.patch
 ./0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
 ./0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
- ./0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
- ./0016-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
- ./0017-pkg-config-derive-prefix-from-prefix.patch
- ./0018-inherit-systemd-environment-when-calling-generators.patch
+ ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+ ./0016-pkg-config-derive-prefix-from-prefix.patch
+ ./0017-inherit-systemd-environment-when-calling-generators.patch
 ] ++ lib.optional stdenv.hostPlatform.isMusl (
 let
 oe-core = fetchzip {
-- cgit 1.4.1
From 1e8102cd580e4c968af839aae007943f1c3de70d Mon Sep 17 00:00:00 2001
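Review bot: `./0015-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch` is dropped from `patches` in the second hunk rather than renumbered like the three entries below it, and nothing in this file records why (upstreamed, obsoleted by the systemd version in use, or deliberately reverted). The deletion of that patch file and the commit message for this change are outside my view, so I cannot tell whether the drop is intentional. If it is, a one-line comment at the point where the series jumps, for example `# kmod-static-nodes patch dropped: <reason>`, or a sentence in the commit message would keep the next rebase of the series from re-adding it. The regeneration comment in the first hunk would also be a good place to say that the patch files are expected to stay contiguously numbered, since `find . -name "*.patch" | sort` is what readers are told to rely on.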
From: Sergei Trofimovich
Date: Tue, 2 Aug 2022 22:31:40 +0100
Subject: nixos/openldap: fix option description markdown

Otherwise manual build fails as:
$ nix build -f nixos/release.nix manual.x86_64-linux
...
> NotImplementedError: ('md node not supported yet', 'services.openldap.declarativeContents', 'inline_html', ('',))
For full logs, run 'nix log /nix/store/pfa7bg3pflp0c31ma0rc2ahwqabs88dd-base-json-md-converted.drv'.
---
 nixos/modules/services/databases/openldap.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 9bb0640439475..94fc155000e24 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -204,9 +204,9 @@ in {
 especially with large databases.
 
 Note that the root of the DB must be defined in
- services.openldap.settings and the
- olcDbDirectory must begin with
- "/var/lib/openldap".
+ `services.openldap.settings` and the
+ `olcDbDirectory` must begin with
+ `"/var/lib/openldap"`.
 '';
 example = lib.literalExpression ''
 {
-- cgit 1.4.1