author | Frederik Rietdijk <fridh@fridh.nl> | 2020-02-05 19:18:11 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-02-05 19:18:35 +0100 |
commit | 0be87c79797a5fa384fbc356c74ed54f9f7829ea (patch) | |
tree | 69e2f87d4a1ec8f8962d35e330188afcf8f88dcb /nixos/modules | |
parent | ac241fb7a570d6cf81d229ad22a8889602639160 (diff) | |
Revert "Merge master into staging-next"
I merged master into staging-next but accidentally pushed it to master. This should get us back to 87a19e9048773d5a363679617406ad148d36c3b8. This reverts commit ac241fb7a570d6cf81d229ad22a8889602639160, reversing changes made to 76a439239eb310d9ad76d998b34d5d3bc0e37acb.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/installer/cd-dvd/iso-image.nix | 14 | ||||
-rw-r--r-- | nixos/modules/installer/netboot/netboot.nix | 14 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/kresd.nix | 146 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1-init.sh | 13 |
5 files changed, 100 insertions, 91 deletions
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
index 4558b4dc955..11319e5f4f8 100644
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -569,18 +569,14 @@ in
};
fileSystems."/nix/store" =
- { fsType = "overlay";
- device = "overlay";
- options = [
- "lowerdir=/nix/.ro-store"
- "upperdir=/nix/.rw-store/store"
- "workdir=/nix/.rw-store/work"
- ];
+ { fsType = "unionfs-fuse";
+ device = "unionfs";
+ options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
};
- boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "uas" "overlay" ];
+ boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "uas" ];
- boot.initrd.kernelModules = [ "loop" "overlay" ];
+ boot.initrd.kernelModules = [ "loop" ];
# Closures to be copied to the Nix store on the CD, namely the init
# script and the top-level system configuration directory.
diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix
index 95eba86bcb6..5146858cccf 100644
--- a/nixos/modules/installer/netboot/netboot.nix
+++ b/nixos/modules/installer/netboot/netboot.nix
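Review bot: The restored `fileSystems."/nix/store"` definition in this hunk is byte-identical to the one restored in netboot.nix in the same commit, so the long `options` list (`allow_other`, `chroot=/mnt-root`, `max_files=32768`, `dirs=...`) now lives in two installer modules and can silently drift; a single shared definition that both modules import would keep them aligned. If it stays duplicated, a short comment above `options` would help the next reader, e.g. `# allow_other: the store must be readable by every user, not only the FUSE owner; chroot=/mnt-root: stage 1 mounts the target tree under /mnt-root, so the dirs= paths are relative to it` (the /mnt-root convention is visible in the stage-1-init.sh hunk of this commit). The enclosing module attrset starts and ends outside this hunk.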
@@ -50,18 +50,14 @@ with lib;
};
fileSystems."/nix/store" =
- { fsType = "overlay";
- device = "overlay";
- options = [
- "lowerdir=/nix/.ro-store"
- "upperdir=/nix/.rw-store/store"
- "workdir=/nix/.rw-store/work"
- ];
+ { fsType = "unionfs-fuse";
+ device = "unionfs";
+ options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
};
- boot.initrd.availableKernelModules = [ "squashfs" "overlay" ];
+ boot.initrd.availableKernelModules = [ "squashfs" ];
- boot.initrd.kernelModules = [ "loop" "overlay" ];
+ boot.initrd.kernelModules = [ "loop" ];
# Closures to be copied to the Nix store, namely the init
# script and the top-level system configuration directory.
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 979cdc5d4ad..bedd87a368e 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -299,7 +299,7 @@ in
couchpotato = 267;
gogs = 268;
pdns-recursor = 269;
- #kresd = 270; # switched to "knot-resolver" with dynamic ID
+ kresd = 270;
rpc = 271;
geoip = 272;
fcron = 273;
@@ -600,7 +600,7 @@ in
headphones = 266;
couchpotato = 267;
gogs = 268;
- #kresd = 270; # switched to "knot-resolver" with dynamic ID
+ kresd = 270;
#rpc = 271; # unused
#geoip = 272; # unused
fcron = 273;
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index a2f91a4200b..bb941e93e15 100644
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -3,34 +3,12 @@ with lib;
let
- cfg = config.services.kresd;
-
- # Convert systemd-style address specification to kresd config line(s).
- # On Nix level we don't attempt to precisely validate the address specifications.
- mkListen = kind: addr: let
- al_v4 = builtins.match "([0-9.]\+):([0-9]\+)" addr;
- al_v6 = builtins.match "\\[(.\+)]:([0-9]\+)" addr;
- al_portOnly = builtins.match "()([0-9]\+)" addr;
- al = findFirst (a: a != null)
- (throw "services.kresd.*: incorrect address specification '${addr}'")
- [ al_v4 al_v6 al_portOnly ];
- port = last al;
- addrSpec = if al_portOnly == null then "'${head al}'" else "{'::', '127.0.0.1'}";
- in # freebind is set for compatibility with earlier kresd services;
- # it could be configurable, for example.
- ''
- net.listen(${addrSpec}, ${port}, { kind = '${kind}', freebind = true })
- '';
- configFile = pkgs.writeText "kresd.conf" (
- optionalString (cfg.listenDoH != []) ''
- modules.load('http')
- ''
- + concatMapStrings (mkListen "dns") cfg.listenPlain
- + concatMapStrings (mkListen "tls") cfg.listenTLS
- + concatMapStrings (mkListen "doh") cfg.listenDoH
- + cfg.extraConfig
- );
+ cfg = config.services.kresd;
+ configFile = pkgs.writeText "kresd.conf" ''
+ ${optionalString (cfg.listenDoH != []) "modules.load('http')"}
+ ${cfg.extraConfig};
+ '';
package = pkgs.knot-resolver.override {
extraFeatures = cfg.listenDoH != [];
@@ -47,7 +25,6 @@ in {
value ) )
- (mkRemovedOptionModule [ "services" "kresd" "cacheDir" ] "Please use (bind-)mounting instead.")
];
###### interface
@@ -58,8 +35,8 @@ in {
description = ''
Whether to enable knot-resolver domain name server.
DNSSEC validation is turned on by default.
- You can run <literal>sudo nc -U /run/knot-resolver/control/1</literal>
- and give commands interactively to kresd@1.service.
+ You can run <literal>sudo nc -U /run/kresd/control</literal>
+ and give commands interactively to kresd.
'';
};
extraConfig = mkOption {
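Review bot: The restored `configFile = pkgs.writeText "kresd.conf" ''...''` splices `cfg.extraConfig` verbatim into a file that lives in the Nix store and is also linked at `/etc/kresd.conf` (see the `environment.etc."kresd.conf"` line later in this file), and both locations are world-readable, so any secret a user inlines into `extraConfig` (a TLS private key passed directly to `net.tls()`, for example) is exposed to every local account. A one-line comment on the binding would make the contract explicit: `# NOTE: this file ends up world-readable in /nix/store and /etc; never inline secrets into extraConfig, reference key files by path instead.` The trailing `;` after `${cfg.extraConfig}` is also emitted when `extraConfig` is empty, leaving a bare `;` line; whether kresd's Lua parser accepts that is not shown here and is worth a quick check. The `let` block this hunk edits continues outside the hunk.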
@@ -69,10 +46,16 @@ in {
Extra lines to be added verbatim to the generated configuration file.
'';
};
+ cacheDir = mkOption {
+ type = types.path;
+ default = "/var/cache/kresd";
+ description = ''
+ Directory for caches. They are intended to survive reboots.
+ '';
+ };
listenPlain = mkOption {
type = with types; listOf str;
default = [ "[::1]:53" "127.0.0.1:53" ];
- example = [ "53" ];
description = ''
What addresses and ports the server should listen on.
For detailed syntax see ListenStream in man systemd.socket.
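Review bot: The `cacheDir` option description only says that caches survive reboots, but the same path feeds the `d '${cfg.cacheDir}' 0770 kresd kresd - -` tmpfiles rule and `WorkingDirectory` in the implementation part of this file, and a tmpfiles `d` line with explicit mode/owner adjusts an existing directory too, so pointing `cacheDir` at a directory shared with something else will chown it to kresd:kresd and chmod it to 0770. The description should state that side effect, e.g. `Directory for caches. It is created by systemd-tmpfiles and its owner and mode are forced to kresd:kresd 0770, so do not point it at a directory shared with other services.` The `options` attrset this hunk edits starts and ends outside the hunk.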
@@ -92,54 +75,91 @@ in {
default = [];
example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
description = ''
- Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484).
+ Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 7858).
For detailed syntax see ListenStream in man systemd.socket.
'';
};
- instances = mkOption {
- type = types.ints.unsigned;
- default = 1;
- description = ''
- The number of instances to start. They will be called kresd@{1,2,...}.service.
- Knot Resolver uses no threads, so this is the way to scale.
- You can dynamically start/stop them at will, so this is just system default.
- '';
- };
# TODO: perhaps options for more common stuff like cache size or forwarding
};
###### implementation
config = mkIf cfg.enable {
- environment.etc."knot-resolver/kresd.conf".source = configFile; # not required
+ environment.etc."kresd.conf".source = configFile; # not required
- users.users.knot-resolver =
- { isSystemUser = true;
- group = "knot-resolver";
+ users.users.kresd =
+ { uid = config.ids.uids.kresd;
+ group = "kresd";
description = "Knot-resolver daemon user";
};
- users.groups.knot-resolver.gid = null;
+ users.groups.kresd.gid = config.ids.gids.kresd;
+
+ systemd.sockets.kresd = rec {
+ wantedBy = [ "sockets.target" ];
+ before = wantedBy;
+ listenStreams = cfg.listenPlain;
+ socketConfig = {
+ ListenDatagram = listenStreams;
+ FreeBind = true;
+ FileDescriptorName = "dns";
+ };
+ };
- systemd.packages = [ package ]; # the units are patched inside the package a bit
+ systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {
+ wantedBy = [ "sockets.target" ];
+ before = wantedBy;
+ partOf = [ "kresd.socket" ];
+ listenStreams = cfg.listenTLS;
+ socketConfig = {
+ FileDescriptorName = "tls";
+ FreeBind = true;
+ Service = "kresd.service";
+ };
+ };
- systemd.targets.kresd = { # configure units started by default
- wantedBy = [ "multi-user.target" ];
- wants = [ "kres-cache-gc.service" ]
- ++ map
(i: "kresd@${toString i}.service") (range 1 cfg.instances);
+ systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec {
+ wantedBy = [ "sockets.target" ];
+ before = wantedBy;
+ partOf = [ "kresd.socket" ];
+ listenStreams = cfg.listenDoH;
+ socketConfig = {
+ FileDescriptorName = "doh";
+ FreeBind = true;
+ Service = "kresd.service";
+ };
};
- systemd.services."kresd@".serviceConfig = {
- ExecStart = "${package}/bin/kresd --noninteractive "
- + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}";
- # Ensure correct ownership in case UID or GID changes.
- CacheDirectory = "knot-resolver";
- CacheDirectoryMode = "0750";
+
+ systemd.sockets.kresd-control = rec {
+ wantedBy = [ "sockets.target" ];
+ before = wantedBy;
+ partOf = [ "kresd.socket" ];
+ listenStreams = [ "/run/kresd/control" ];
+ socketConfig = {
+ FileDescriptorName = "control";
+ Service = "kresd.service";
+ SocketMode = "0660"; # only root user/group may connect and control kresd
+ };
};
- environment.etc."tmpfiles.d/knot-resolver.conf".source =
- "${package}/lib/tmpfiles.d/knot-resolver.conf";
+ systemd.tmpfiles.rules = [ "d '${cfg.cacheDir}' 0770 kresd kresd - -" ];
- # Try cleaning up the previously default location of cache file.
- # Note that /var/cache/* should always be safe to remove.
- # TODO: remove later, probably between 20.09 and 21.03
- systemd.tmpfiles.rules = [ "R /var/cache/kresd" ];
+ systemd.services.kresd = {
+ description = "Knot-resolver daemon";
+
+ serviceConfig = {
+ User = "kresd";
+ Type = "notify";
+ WorkingDirectory = cfg.cacheDir;
+ Restart = "on-failure";
+ Sockets = [ "kresd.socket" "kresd-control.socket" ]
+ ++ optional (cfg.listenTLS != []) "kresd-tls.socket";
+ };
+
+ # Trust anchor goes from dns-root-data by default.
+ script = ''
+ exec '${package}/bin/kresd' --config '${configFile}' --forks=1
+ '';
+
+ requires = [ "kresd.socket" ];
+ };
};
}
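Review bot: `Sockets=` on the restored `kresd.service` lists the dns and control sockets and the TLS socket conditionally, but never `kresd-doh.socket`, although the DoH socket is declared in this hunk with the same `Service = "kresd.service"` as the TLS one; the descriptor is presumably still handed over through that trigger relationship, but the asymmetry reads like an oversight and should either be closed with `++ optional (cfg.listenDoH != []) "kresd-doh.socket"` or explained in a comment. The restored `listenDoH` description at the top of this hunk cites RFC 7858, which is DNS over TLS; DNS over HTTPS is RFC 8484, so the line should read `Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484).`. The service is also restored with `User = "kresd"` and no other confinement even though every listener, including port 53, is inherited from socket activation, so kresd needs no capabilities of its own and would likely tolerate `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `ReadWritePaths = [ cfg.cacheDir ];`, which is worth verifying before relying on the unprivileged user alone. Finally, the `SocketMode = "0660"` comment is only true because systemd creates `/run/kresd/control` as root:root; stating that in the comment saves the next reader a trip to the systemd docs.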
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 8736613c3d2..f520bf54ad1 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -334,10 +334,8 @@ mountFS() {
# Filter out x- options, which busybox doesn't do yet.
local optionsFiltered="$(IFS=,; for i in $options; do if [ "${i:0:2}" != "x-" ]; then echo -n $i,; fi; done)"
- # Prefix (lower|upper|work)dir with /mnt-root (overlayfs)
- local optionsPrefixed="$( echo "$optionsFiltered" | sed -E 's#\<(lowerdir|upperdir|workdir)=#\1=/mnt-root#g' )"
- echo "$device /mnt-root$mountPoint $fsType $optionsPrefixed" >> /etc/fstab
+ echo "$device /mnt-root$mountPoint $fsType $optionsFiltered" >> /etc/fstab
checkFS "$device" "$fsType"
@@ -356,11 +354,10 @@ mountFS() {
;;
esac
- # Create backing directories for overlayfs
- if [ "$fsType" = overlay ]; then
- for i in upper work; do
- dir="$( echo "$optionsPrefixed" | grep -o "${i}dir=[^,]*" )"
- mkdir -m 0700 -p "${dir##*=}"
+ # Create backing directories for unionfs-fuse.
+ if [ "$fsType" = unionfs-fuse ]; then
+ for i in $(IFS=:; echo ${options##*,dirs=}); do
+ mkdir -m 0700 -p /mnt-root"${i%=*}"
done
fi |
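Review bot: `for i in $(IFS=:; echo ${options##*,dirs=})` in the restored unionfs-fuse branch only works when `dirs=` is the last option and is preceded by a comma: `${options##*,dirs=}` strips up to the last `,dirs=`, so a `dirs=` placed first in the list never matches and the loop then runs `mkdir -p` under /mnt-root on fragments of the whole option string, and anything listed after `dirs=` is likewise treated as a directory. The unquoted expansion also goes through pathname expansion. Extracting the value explicitly before splitting is more robust: `dirs="${options#*dirs=}"; dirs="${dirs%%,*}"` followed by `for i in $(IFS=:; echo $dirs); do` (the inner IFS split is still needed there). This limitation is inherited from the pre-overlayfs code rather than introduced by the revert; `mountFS` starts before this hunk and the rest of its body is not shown.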