author | Florian Klink <flokli@flokli.de> | 2019-11-05 15:42:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-05 15:42:44 +0100 |
commit | c3566c7a4fe240de83d5426876069e859350f088 (patch) | |
tree | 6b336cda1cfb31706d0ee7ebbc9fc560098e1924 | |
parent | 4db1caec0a84b4900b10ec21746a3960a25c039e (diff) | |
parent | 52ed193ec7f167579b8acbb27d02283ae9e92eff (diff) | |
Merge pull request #70352 from wucke13/systemd-importd
systemd: add systemd-importd
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/systemd-nspawn.nix | 58 | ||||
-rw-r--r-- | pkgs/os-specific/linux/systemd/default.nix | 33 | ||||
-rw-r--r-- | pkgs/tools/security/gnupg/22.nix | 23 |
5 files changed, 104 insertions, 13 deletions
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 33b350902a1..9e3c6149f92 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -63,6 +63,7 @@ let "systemd-logind.service" "autovt@.service" "systemd-user-sessions.service" + "dbus-org.freedesktop.import1.service" "dbus-org.freedesktop.machine1.service" "user@.service" "user-runtime-dir@.service" @@ -145,6 +146,7 @@ let "user.slice" "machine.slice" "machines.target" + "systemd-importd.service" "systemd-machined.service" "systemd-nspawn@.service" diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1d933153ffa..b5d5589c7a4 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -274,6 +274,7 @@ in systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {}; + systemd-nspawn = handleTest ./systemd-nspawn.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {}; taskserver = handleTest ./taskserver.nix {}; telegraf = handleTest ./telegraf.nix {}; diff --git a/nixos/tests/systemd-nspawn.nix b/nixos/tests/systemd-nspawn.nix new file mode 100644 index 00000000000..c2039bb5980 --- /dev/null +++ b/nixos/tests/systemd-nspawn.nix 
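Review bot: `"dbus-org.freedesktop.import1.service"` here and `"systemd-importd.service"` in the second hunk of this file (`@@ -145`) are added to the unit lists unconditionally, so every NixOS host now ships a D-Bus-activatable, root-running image importer whether or not it uses nspawn; that mirrors how machined is already listed, but the commit title does not say so. A short comment beside the new entry would help the next reader, e.g. `# systemd-importd: started on demand by machinectl pull-*; image signatures are checked against /etc/systemd/import-pubring.gpg`. If the maintainers prefer opt-in, gating both entries on a new boolean option is the alternative; whether the file already has such a switch is outside these hunks.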
@@ -0,0 +1,58 @@
+import ./make-test.nix ({pkgs, lib, ...}:
+let
+ gpgKeyring = (pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+ mkdir -p $out
+ export GNUPGHOME=$out
+ cat > foo <<EOF
+ %echo Generating a basic OpenPGP key
+ %no-protection
+ Key-Type: DSA
+ Key-Length: 1024
+ Subkey-Type: ELG-E
+ Subkey-Length: 1024
+ Name-Real: Joe Tester
+ Name-Email: joe@foo.bar
+ Expire-Date: 0
+ # Do a commit here, so that we can later print "done"
+ %commit
+ %echo done
+ EOF
+ gpg --batch --generate-key foo
+ rm $out/S.gpg-agent $out/S.gpg-agent.*
+ gpg --export joe@foo.bar -a > $out/pubkey.gpg
+ '');
+
+ nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } ''
+ mkdir -p $out
+ cd $out
+ dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5
+ sha256sum testimage.raw > SHA256SUMS
+ export GNUPGHOME="$(mktemp -d)"
+ cp -R ${gpgKeyring}/* $GNUPGHOME
+ gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
+ '');
+in {
+ name = "opensmtpd";
+
+ nodes = {
+ server = { pkgs, ... }: {
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.nginx = {
+ enable = true;
+ virtualHosts."server".root = nspawnImages;
+ };
+ };
+ client = { pkgs, ... }: {
+ environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";
+ };
+ };
+
+ testScript = ''
+ startAll;
+
+ $server->waitForUnit("nginx.service");
+ $client->waitForUnit("network-online.target");
+ $client->succeed("machinectl pull-raw --verify=signature http://server/testimage.raw");
+ $client->succeed("cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw");
+ '';
+})
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index a9fc0c6f4b5..d14985d07ed 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
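Review bot: `name = "opensmtpd";` is a copy-paste leftover; all-tests.nix registers this file as `systemd-nspawn`, so it should read `name = "systemd-nspawn";` to keep the derivation name and log output findable. The script only exercises the accepting path, so a regression that made `--verify=signature` a no-op would still pass; a second served image with a missing or foreign-key `SHA256SUMS.gpg` checked with `$client->fail("machinectl pull-raw --verify=signature http://server/<other-image>.raw")` (placeholder name) would turn this into an actual verification test. The DSA-1024/ELG-E-1024 key is acceptable for a throwaway fixture, but a comment such as `# deliberately small test key: fast to generate, never used outside this VM` would stop it being copied as a template; `--sign` next to `--detach-sign` is also redundant, `--detach-sign` alone produces the same file.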
@@ -1,5 +1,5 @@ -{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap, kmod -, xz, pam, acl, libuuid, m4, utillinux, libffi +{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap +, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, utillinux, libffi , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor , audit, lz4, bzip2, libmicrohttpd, pcre2 , linuxHeaders ? stdenv.cc.libc.linuxHeaders @@ -15,7 +15,21 @@ , withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms, kexectools }: -stdenv.mkDerivation { +let gnupg-minimal = gnupg.override { + enableMinimal = true; + guiSupport = false; + pcsclite = null; + sqlite = null; + pinentry = null; + adns = null; + gnutls = null; + libusb = null; + openldap = null; + readline = null; + zlib = null; + bzip2 = null; +}; +in stdenv.mkDerivation { version = "243"; pname = "systemd"; @@ -41,7 +55,7 @@ stdenv.mkDerivation { (buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ])) ]; buildInputs = - [ linuxHeaders libcap kmod xz pam acl + [ linuxHeaders libcap curl.dev kmod xz pam acl /* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2 libmicrohttpd pcre2 ] ++ stdenv.lib.optional withKexectools kexectools ++ @@ -67,6 +81,7 @@ stdenv.mkDerivation { "-Ddebug-shell=${bashInteractive}/bin/bash" # while we do not run tests we should also not build them. Removes about 600 targets "-Dtests=false" + "-Dimportd=true" "-Dlz4=true" "-Dhostnamed=true" "-Dnetworkd=true" @@ -77,7 +92,7 @@ stdenv.mkDerivation { "-Dlocaled=true" "-Dresolve=true" "-Dsplit-usr=false" - "-Dlibcurl=false" + "-Dlibcurl=true" "-Dlibidn=false" "-Dlibidn2=true" "-Dquotacheck=false" 
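Review bot: `"-Dimportd=true"` (and `"-Dlibcurl=true"` in the `@@ -77` hunk) is hard-wired while the derivation already exposes `withKexectools` as a switch, so importd and its new `curl.dev`/`gnupg`/`gnutar` dependencies cannot be turned off by an override. A `withImportd ? true` argument next to `withKexectools`, `"-Dimportd=${lib.boolToString withImportd}"` in the meson flags, and `lib.optional withImportd curl.dev` in `buildInputs` would keep the existing pattern. The `gnupg-minimal` override in the `@@ -15` hunk otherwise looks right; a one-line comment above it, `# only the gpg binary is needed, for importd signature checks; everything optional is nulled to keep the closure small`, would explain the long null list to the next reader.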
@@ -144,6 +159,14 @@ stdenv.mkDerivation { patchShebangs $dir done + # absolute paths to gpg & tar + substituteInPlace src/import/pull-common.c \ + --replace '"gpg"' '"${gnupg-minimal}/bin/gpg"' + for file in src/import/{{export,import,pull}-tar,import-common}.c; do + substituteInPlace $file \ + --replace '"tar"' '"${gnutar}/bin/tar"' + done + substituteInPlace src/journal/catalog.c \ --replace /usr/lib/systemd/catalog/ $out/lib/systemd/catalog/ ''; diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index f62f10c8cf9..e54a1e1c5db 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -1,17 +1,17 @@ { fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba -, libgpgerror, libiconv, npth, gettext, texinfo, pcsclite, sqlite -, buildPackages +, libgpgerror, libiconv, npth, gettext, texinfo, buildPackages # Each of the dependencies below are optional. # Gnupg can be built without them at the cost of reduced functionality. -, pinentry ? null, guiSupport ? false -, adns ? null, gnutls ? null, libusb ? null, openldap ? null -, readline ? null, zlib ? null, bzip2 ? null +, guiSupport ? true, enableMinimal ? false +, adns ? null , bzip2 ? null , gnutls ? null , libusb ? null , openldap ? null +, pcsclite ? null , pinentry ? null , readline ? null , sqlite ? null , zlib ? +null }: with stdenv.lib; -assert guiSupport -> pinentry != null; +assert guiSupport -> pinentry != null && enableMinimal == false; stdenv.mkDerivation rec { pname = "gnupg"; @@ -37,7 +37,7 @@ stdenv.mkDerivation rec { postPatch = '' sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \ configure doc/dirmngr.texi doc/gnupg.info-1 - '' + stdenv.lib.optionalString stdenv.isLinux '' + '' + stdenv.lib.optionalString ( stdenv.isLinux && pcsclite != null) '' sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; #" fix Emacs syntax highlighting :-( 
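Review bot: Neither `substituteInPlace` call in the new `postPatch` lines checks that the literal `"gpg"` or `"tar"` was actually present, and as far as I know substituteInPlace of this nixpkgs vintage is silent when a pattern does not match; an upstream rename of either literal would leave the build green while the runtime appears to fall back to resolving `gpg`/`tar` from the service's PATH. Follow each substitution with a guard so the build fails loudly instead, e.g. `grep -q '${gnupg-minimal}/bin/gpg' src/import/pull-common.c` after the first call and `grep -q '${gnutar}/bin/tar' $file` inside the loop. The enclosing `postPatch` string starts before this hunk.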
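Review bot: In the gnupg/22.nix `@@ -1,17` hunk the `guiSupport` default flips from `false` to `true` inside the rewritten argument list, a behaviour change for any caller relying on the old default that the commit title does not mention; together with `assert guiSupport -> pinentry != null` it presumably makes `pinentry` required unless callPackage injects it. If the flip is intended, say so in a comment above the assert; if not, `, guiSupport ? false, enableMinimal ? false` restores the previous contract. The one-parameter-per-line layout of the optional inputs was also lost (`zlib ?` and `null` ended up on separate lines), so listing each optional input on its own line as the removed text did would keep the header readable.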
@@ -50,7 +50,14 @@ stdenv.mkDerivation rec { "--with-npth-prefix=${npth}" ] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"; - postInstall = '' + postInstall = if enableMinimal + then '' + rm -r $out/{libexec,sbin,share} + for f in `find $out/bin -type f -not -name gpg` + do + rm $f + done + '' else '' mkdir -p $out/lib/systemd/user for f in doc/examples/systemd-user/*.{service,socket} ; do substitute $f $out/lib/systemd/user/$(basename $f) \ |