diff options
author | William A. Kennington III <william@wkennington.com> | 2015-09-29 15:54:33 -0700 |
---|---|---|
committer | William A. Kennington III <william@wkennington.com> | 2015-09-29 15:54:33 -0700 |
commit | 271972de0a7f0027f33d2bf3098070f1a73bbc55 (patch) | |
tree | c37c532df1e46c3ad5e5a51f713cb35fdd374373 /nixos | |
parent | 48a791d27062c71ced0921920d95fdd991b35107 (diff) | |
parent | ea4850ca6438d62012d2f3caec1c52c1653192b0 (diff) | |
download | nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar.gz nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar.bz2 nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar.lz nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar.xz nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.tar.zst nixpkgs-271972de0a7f0027f33d2bf3098070f1a73bbc55.zip |
Merge branch 'master.upstream' into staging.upstream
Diffstat (limited to 'nixos')
50 files changed, 901 insertions, 608 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 15bd185ccec..87964e27bb9 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -31,10 +31,8 @@ let else fn; - # Convert the list of options into an XML file. The builtin - # unsafeDiscardStringContext is used to prevent the realisation of - # the store paths which are used in options definitions. - optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML optionsList')); + # Convert the list of options into an XML file. + optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList'); optionsDocBook = runCommand "options-db.xml" {} '' optionsXML=${optionsXML} @@ -139,6 +137,8 @@ in rec { ''; # */ meta.description = "The NixOS manual in HTML format"; + + allowedReferences = ["out"]; }; manualPDF = stdenv.mkDerivation { @@ -187,6 +187,8 @@ in rec { ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \ ./man-pages.xml ''; + + allowedReferences = ["out"]; }; } diff --git a/nixos/doc/manual/release-notes/rl-1509.xml b/nixos/doc/manual/release-notes/rl-1509.xml index 098613f9685..a2f38d99b25 100644 --- a/nixos/doc/manual/release-notes/rl-1509.xml +++ b/nixos/doc/manual/release-notes/rl-1509.xml @@ -104,27 +104,40 @@ which contains the latest Elm platform.</para></listitem> <para>Local printers are no longer shared or advertised by default. This behavior can be changed by enabling - <literal>services.printing.defaultShared</literal> or - <literal>services.printing.browsing</literal> respectively.</para> + <option>services.printing.defaultShared</option> or + <option>services.printing.browsing</option> respectively.</para> </listitem> <listitem> <para> The VirtualBox host and guest options have been named more consistently. They can now found in - <literal>virtualisation.virtualbox.host.*</literal> instead of - <literal>services.virtualboxHost.*</literal> and - <literal>virtualisation.virtualbox.guest.*</literal> instead of - <literal>services.virtualboxGuest.*</literal>. + <option>virtualisation.virtualbox.host.*</option> instead of + <option>services.virtualboxHost.*</option> and + <option>virtualisation.virtualbox.guest.*</option> instead of + <option>services.virtualboxGuest.*</option>. + </para> + + <para> + Also, there now is support for the <literal>vboxsf</literal> file + system using the <option>fileSystems</option> configuration + attribute. An example of how this can be used in a configuration: + +<programlisting> +fileSystems."/shiny" = { + device = "myshinysharedfolder"; + fsType = "vboxsf"; +}; +</programlisting> + </para> </listitem> <listitem> <para> - Haskell packages can no longer be found by name, i.e. the commands - <literal>nix-env -qa cabal-install</literal> and <literal>nix-env -i - ghc</literal> will fail, even though we <emphasis>do</emphasis> ship - both <literal>cabal-install</literal> and <literal>ghc</literal>. + Haskell packages can no longer be found by name, except for + <literal>ghc</literal>, <literal>cabal-install</literal>, and + <literal>stack</literal>, even though we do package the whole Hackage. The reason for this inconvenience is the sheer size of the Haskell package set: name-based lookups such as these would become much slower than they are today if we'd add the entire Hackage database @@ -203,7 +216,7 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.cabal-install The <literal>locate</literal> service no longer indexes the Nix store by default, preventing packages with potentially numerous versions from cluttering the output. Indexing the store can be activated by setting - <literal>services.locate.includeStore = true</literal>. + <option>services.locate.includeStore = true</option>. </para> </listitem> @@ -239,10 +252,22 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.cabal-install discovered in the Diffie-Hellman key exchange</link> can now replace OpenSSH's default version with one they generated themselves using the new - <literal>services.openssh.moduliFile</literal> option. + <option>services.openssh.moduliFile</option> option. </para> </listitem> + <listitem> <para> + A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>, + split into 6500 nix packages. For basic user documentation see + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive-new/default.nix#L1" + >the source</link>. + Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757" + >an issue</link> when installing a too large package set. + + The plan is to deprecate and maybe delete the original TeX packages + until the next release. + </para> </listitem> + </itemizedlist> </para> diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix new file mode 100644 index 00000000000..79c5199cbec --- /dev/null +++ b/nixos/lib/make-disk-image.nix @@ -0,0 +1,115 @@ +{ pkgs +, lib + +, # The NixOS configuration to be installed onto the disk image. + config + +, # The size of the disk, in megabytes. + diskSize + +, # Whether the disk should be partitioned (with a single partition + # containing the root filesystem) or contain the root filesystem + # directly. + partitioned ? true + +, # The root file system type. + fsType ? "ext4" + +, # The initial NixOS configuration file to be copied to + # /etc/nixos/configuration.nix. + configFile ? null + +, # Shell code executed after the VM has finished. + postVM ? "" + +}: + +with lib; + +pkgs.vmTools.runInLinuxVM ( + pkgs.runCommand "nixos-disk-image" + { preVM = + '' + mkdir $out + diskImage=$out/nixos.img + ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${toString diskSize}M" + mv closure xchg/ + ''; + buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ]; + exportReferencesGraph = + [ "closure" config.system.build.toplevel ]; + inherit postVM; + } + '' + ${if partitioned then '' + # Create a single / partition. + parted /dev/vda mklabel msdos + parted /dev/vda -- mkpart primary ext2 1M -1s + . /sys/class/block/vda1/uevent + mknod /dev/vda1 b $MAJOR $MINOR + rootDisk=/dev/vda1 + '' else '' + rootDisk=/dev/vda + ''} + + # Create an empty filesystem and mount it. + mkfs.${fsType} -L nixos $rootDisk + ${optionalString (fsType == "ext4") '' + tune2fs -c 0 -i 0 $rootDisk + ''} + mkdir /mnt + mount $rootDisk /mnt + + # The initrd expects these directories to exist. + mkdir /mnt/dev /mnt/proc /mnt/sys + + mount -o bind /proc /mnt/proc + mount -o bind /dev /mnt/dev + mount -o bind /sys /mnt/sys + + # Copy all paths in the closure to the filesystem. + storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) + + mkdir -p /mnt/nix/store + echo "copying everything (will take a while)..." + set -f + cp -prd $storePaths /mnt/nix/store/ + + # Register the paths in the Nix database. + printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ + chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" + + # Add missing size/hash fields to the database. FIXME: + # exportReferencesGraph should provide these directly. + chroot /mnt ${config.nix.package}/bin/nix-store --verify --check-contents + + # Create the system profile to allow nixos-rebuild to work. + chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \ + -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} + + # `nixos-rebuild' requires an /etc/NIXOS. + mkdir -p /mnt/etc + touch /mnt/etc/NIXOS + + # `switch-to-configuration' requires a /bin/sh + mkdir -p /mnt/bin + ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh + + # Install a configuration.nix. + mkdir -p /mnt/etc/nixos + ${optionalString (configFile != null) '' + cp ${configFile} /mnt/etc/nixos/configuration.nix + ''} + + # Generate the GRUB menu. + ln -s vda /dev/xvda + ln -s vda /dev/sda + chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot + + umount /mnt/proc /mnt/dev /mnt/sys + umount /mnt + + # Do an fsck to make sure resize2fs works. + fsck.${fsType} -f -y $rootDisk + '' +) diff --git a/nixos/maintainers/scripts/ec2/amazon-base-config.nix b/nixos/maintainers/scripts/ec2/amazon-base-config.nix deleted file mode 100644 index 28317317eab..00000000000 --- a/nixos/maintainers/scripts/ec2/amazon-base-config.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ modulesPath, ...}: -{ - imports = [ "${modulesPath}/virtualisation/amazon-init.nix" ]; - services.journald.rateLimitBurst = 0; -} diff --git a/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix b/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix deleted file mode 100644 index d0c7f3a6a6c..00000000000 --- a/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, pkgs, ...}: -{ - imports = [ ./amazon-base-config.nix ]; - ec2.hvm = true; -} diff --git a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix b/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix deleted file mode 100644 index c0ec38bf489..00000000000 --- a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, pkgs, lib, ...}: -let - cloudUtils = pkgs.fetchurl { - url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz"; - sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd"; - }; - growpart = pkgs.stdenv.mkDerivation { - name = "growpart"; - src = cloudUtils; - buildPhase = '' - cp bin/growpart $out - sed -i 's|awk|gawk|' $out - sed -i 's|sed|gnused|' $out - ''; - dontInstall = true; - dontPatchShebangs = true; - }; -in -{ - imports = [ ./amazon-base-config.nix ]; - ec2.hvm = true; - boot.loader.grub.device = lib.mkOverride 0 "/dev/xvdg"; - boot.kernelParams = [ "console=ttyS0" ]; - - boot.initrd.extraUtilsCommands = '' - copy_bin_and_libs ${pkgs.gawk}/bin/gawk - copy_bin_and_libs ${pkgs.gnused}/bin/sed - copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk - cp -v ${growpart} $out/bin/growpart - ''; - boot.initrd.postDeviceCommands = '' - [ -e /dev/xvda ] && [ -e /dev/xvda1 ] && TMPDIR=/run sh $(type -P growpart) /dev/xvda 1 - ''; -} diff --git a/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixos/maintainers/scripts/ec2/amazon-image.nix new file mode 100644 index 00000000000..ef8646c66d1 --- /dev/null +++ b/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + imports = + [ ../../../modules/installer/cd-dvd/channel.nix + ../../../modules/virtualisation/amazon-image.nix + ]; + + system.build.amazonImage = import ../../../lib/make-disk-image.nix { + inherit pkgs lib config; + partitioned = config.ec2.hvm; + diskSize = if config.ec2.hvm then 2048 else 8192; + configFile = pkgs.writeText "configuration.nix" + '' + { + imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ]; + ${optionalString config.ec2.hvm '' + ec2.hvm = true; + ''} + } + ''; + }; + +} diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh new file mode 100755 index 00000000000..8604091dbcd --- /dev/null +++ b/nixos/maintainers/scripts/ec2/create-amis.sh @@ -0,0 +1,217 @@ +#! /bin/sh -e + +set -o pipefail +#set -x + +stateDir=${TMPDIR:-/tmp}/ec2-image +echo "keeping state in $stateDir" +mkdir -p $stateDir + +version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g) +echo "NixOS version is $version" + +rm -f ec2-amis.nix + + +for type in hvm pv; do + link=$stateDir/$type + imageFile=$link/nixos.img + system=x86_64-linux + arch=x86_64 + + # Build the image. + if ! [ -L $link ]; then + if [ $type = pv ]; then hvmFlag=false; else hvmFlag=true; fi + + echo "building image type '$type'..." + nix-build -o $link \ + '<nixpkgs/nixos>' \ + -A config.system.build.amazonImage \ + --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }" + fi + + for store in ebs s3; do + + bucket=nixos-amis + bucketDir="$version-$type-$store" + + prevAmi= + prevRegion= + + for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do + + name=nixos-$version-$arch-$type-$store + description="NixOS $system $version ($type-$store)" + + amiFile=$stateDir/$region.$type.$store.ami-id + + if ! [ -e $amiFile ]; then + + echo "doing $name in $region..." + + if [ -n "$prevAmi" ]; then + ami=$(ec2-copy-image \ + --region "$region" \ + --source-region "$prevRegion" --source-ami-id "$prevAmi" \ + --name "$name" --description "$description" | cut -f 2) + else + + if [ $store = s3 ]; then + + # Bundle the image. + imageDir=$stateDir/$type-bundled + + if ! [ -d $imageDir ]; then + rm -rf $imageDir.tmp + mkdir -p $imageDir.tmp + ec2-bundle-image \ + -d $imageDir.tmp \ + -i $imageFile --arch $arch \ + --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY" + mv $imageDir.tmp $imageDir + fi + + # Upload the bundle to S3. + if ! [ -e $imageDir/uploaded ]; then + echo "uploading bundle to S3..." + ec2-upload-bundle \ + -m $imageDir/nixos.img.manifest.xml \ + -b "$bucket/$bucketDir" \ + -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \ + --location EU + touch $imageDir/uploaded + fi + + extraFlags="$bucket/$bucketDir/nixos.img.manifest.xml" + + else + + # Convert the image to vhd format so we don't have + # to upload a huge raw image. + vhdFile=$stateDir/$type.vhd + if ! [ -e $vhdFile ]; then + qemu-img convert -O vpc $imageFile $vhdFile.tmp + mv $vhdFile.tmp $vhdFile + fi + + taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true) + volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true) + snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true) + + # Import the VHD file. + if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then + echo "importing $vhdFile..." + taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \ + -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \ + --region "$region" -z "${region}a" \ + --bucket "$bucket" --prefix "$bucketDir/" \ + | tee /dev/stderr \ + | sed 's/.*\(import-vol-[0-9a-z]\+\).*/\1/ ; t ; d') + echo -n "$taskId" > $stateDir/$region.$type.task-id + fi + + if [ -z "$snapId" -a -z "$volId" ]; then + ec2-resume-import $vhdFile -t "$taskId" --region "$region" \ + -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" + fi + + # Wait for the volume creation to finish. + if [ -z "$snapId" -a -z "$volId" ]; then + echo "waiting for import to finish..." + while true; do + volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d') + if [ -n "$volId" ]; then break; fi + sleep 10 + done + + echo -n "$volId" > $stateDir/$region.$type.vol-id + fi + + # Delete the import task. + if [ -n "$volId" -a -n "$taskId" ]; then + echo "removing import task..." + ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true + rm -f $stateDir/$region.$type.task-id + fi + + # Create a snapshot. + if [ -z "$snapId" ]; then + echo "creating snapshot..." + snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2) + echo -n "$snapId" > $stateDir/$region.$type.snap-id + ec2-create-tags "$snapId" -t "Name=$description" --region "$region" + fi + + # Wait for the snapshot to finish. + echo "waiting for snapshot to finish..." + while true; do + status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4) + if [ "$status" = completed ]; then break; fi + sleep 10 + done + + # Delete the volume. + if [ -n "$volId" ]; then + echo "deleting volume..." + ec2-delete-volume "$volId" --region "$region" || true + rm -f $stateDir/$region.$type.vol-id + fi + + extraFlags="-b /dev/sda1=$snapId:20:true:gp2" + + if [ $type = pv ]; then + extraFlags+=" --root-device-name=/dev/sda1" + fi + + extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3" + fi + + # Register the AMI. + if [ $type = pv ]; then + kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2) + [ -n "$kernel" ] + echo "using PV-GRUB kernel $kernel" + extraFlags+=" --virtualization-type paravirtual --kernel $kernel" + else + extraFlags+=" --virtualization-type hvm" + fi + + ami=$(ec2-register \ + -n "$name" \ + -d "$description" \ + --region "$region" \ + --architecture "$arch" \ + $extraFlags | cut -f 2) + fi + + echo -n "$ami" > $amiFile + echo "created AMI $ami of type '$type' in $region..." + + else + ami=$(cat $amiFile) + fi + + if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then + echo "waiting for AMI..." + while true; do + status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5) + if [ "$status" = available ]; then break; fi + sleep 10 + done + + ec2-modify-image-attribute \ + --region "$region" "$ami" -l -a all + fi + + echo "region = $region, type = $type, store = $store, ami = $ami" + if [ -z "$prevAmi" ]; then + prevAmi="$ami" + prevRegion="$region" + fi + + echo " \"15.09\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix + done + + done + +done diff --git a/nixos/maintainers/scripts/ec2/create-ebs-amis.py b/nixos/maintainers/scripts/ec2/create-ebs-amis.py deleted file mode 100755 index 44af56c4091..00000000000 --- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py +++ /dev/null @@ -1,216 +0,0 @@ -#! /usr/bin/env python - -import os -import sys -import time -import argparse -import nixops.util -from nixops import deployment -from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType -import boto.ec2 -from nixops.statefile import StateFile, get_default_state_file - -parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI') -parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in') -parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use') -parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use') -parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image') -parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob") -args = parser.parse_args() - -instance_type = "m3.medium" if args.hvm else "m1.small" - -if args.hvm: - virtualization_type = "hvm" - root_block = "/dev/sda1" - image_type = 'hvm' -else: - virtualization_type = "paravirtual" - root_block = "/dev/sda" - image_type = 'ebs' - -ebs_size = 20 - -# Start a NixOS machine in the given region. -f = open("ebs-creator-config.nix", "w") -f.write('''{{ - resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos"; - resources.ec2KeyPairs.keypair.region = "{0}"; - - machine = - {{ pkgs, ... }}: - {{ - deployment.ec2.accessKeyId = "lb-nixos"; - deployment.ec2.region = "{0}"; - deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1}; - }}; -}} -'''.format(args.region, ebs_size)) -f.close() - -db = StateFile(get_default_state_file()) -try: - depl = db.open_deployment("ebs-creator") -except Exception: - depl = db.create_deployment() - depl.name = "ebs-creator" -depl.logger.set_autoresponse("y") -depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")] -if not args.keep: depl.destroy_resources() -depl.deploy(allow_reboot=True) - -m = depl.machines['machine'] - -# Do the installation. -device="/dev/xvdg" -if args.hvm: - m.run_command('parted -s /dev/xvdg -- mklabel msdos') - m.run_command('parted -s /dev/xvdg -- mkpart primary ext2 1M -1s') - device="/dev/xvdg1" - -m.run_command("if mountpoint -q /mnt; then umount /mnt; fi") -m.run_command("mkfs.ext4 -L nixos {0}".format(device)) -m.run_command("mkdir -p /mnt") -m.run_command("mount {0} /mnt".format(device)) -m.run_command("touch /mnt/.ebs") -m.run_command("mkdir -p /mnt/etc/nixos") - -m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel)) -m.run_command("nix-channel --update") - -version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip() -print >> sys.stderr, "NixOS version is {0}".format(version) -if args.hvm: - m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/amazon-base-config.nix") - m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix") - m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix") - m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install") -else: - m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix") - m.run_command("nixos-install") - -m.run_command("umount /mnt") - -if args.hvm: - ami_name = "nixos-{0}-x86_64-hvm".format(version) - description = "NixOS {0} (x86_64; EBS root; hvm)".format(version) -else: - ami_name = "nixos-{0}-x86_64-ebs".format(version) - description = "NixOS {0} (x86_64; EBS root)".format(version) - - -# Wait for the snapshot to finish. -def check(): - status = snapshot.update() - print >> sys.stderr, "snapshot status is {0}".format(status) - return status == '100%' - -m.connect() -volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': m.resource_id, 'attachment.device': "/dev/sdg"})[0] - -# Create a snapshot. -snapshot = volume.create_snapshot(description=description) -print >> sys.stderr, "created snapshot {0}".format(snapshot.id) - -nixops.util.check_wait(check, max_tries=120) - -m._conn.create_tags([snapshot.id], {'Name': ami_name}) - -if not args.keep: depl.destroy_resources() - -# Register the image. -aki = m._conn.get_all_images(filters={'manifest-location': 'ec2*pv-grub-hd0_1.03-x86_64*'})[0] -print >> sys.stderr, "using kernel image {0} - {1}".format(aki.id, aki.location) - -block_map = BlockDeviceMapping() -block_map[root_block] = BlockDeviceType(snapshot_id=snapshot.id, delete_on_termination=True, size=ebs_size, volume_type="gp2") -block_map['/dev/sdb'] = BlockDeviceType(ephemeral_name="ephemeral0") -block_map['/dev/sdc'] = BlockDeviceType(ephemeral_name="ephemeral1") -block_map['/dev/sdd'] = BlockDeviceType(ephemeral_name="ephemeral2") -block_map['/dev/sde'] = BlockDeviceType(ephemeral_name="ephemeral3") - -common_args = dict( - name=ami_name, - description=description, - architecture="x86_64", - root_device_name=root_block, - block_device_map=block_map, - virtualization_type=virtualization_type, - delete_root_volume_on_termination=True - ) -if not args.hvm: - common_args['kernel_id']=aki.id - -ami_id = m._conn.register_image(**common_args) - -print >> sys.stderr, "registered AMI {0}".format(ami_id) - -print >> sys.stderr, "sleeping a bit..." -time.sleep(30) - -print >> sys.stderr, "setting image name..." -m._conn.create_tags([ami_id], {'Name': ami_name}) - -print >> sys.stderr, "making image public..." -image = m._conn.get_all_images(image_ids=[ami_id])[0] -image.set_launch_permissions(user_ids=[], group_names=["all"]) - -# Do a test deployment to make sure that the AMI works. -f = open("ebs-test.nix", "w") -f.write( - ''' - {{ - network.description = "NixOS EBS test"; - - resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos"; - resources.ec2KeyPairs.keypair.region = "{0}"; - - machine = {{ config, pkgs, resources, ... }}: {{ - deployment.targetEnv = "ec2"; - deployment.ec2.accessKeyId = "lb-nixos"; - deployment.ec2.region = "{0}"; - deployment.ec2.instanceType = "{2}"; - deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name; - deployment.ec2.securityGroups = [ "public-ssh" ]; - deployment.ec2.ami = "{1}"; - }}; - }} - '''.format(args.region, ami_id, instance_type)) -f.close() - -test_depl = db.create_deployment() -test_depl.auto_response = "y" -test_depl.name = "ebs-creator-test" -test_depl.nix_exprs = [os.path.abspath("./ebs-test.nix")] -test_depl.deploy(create_only=True) -test_depl.machines['machine'].run_command("nixos-version") - -# Log the AMI ID. -f = open("ec2-amis.nix".format(args.region, image_type), "w") -f.write("{\n") - -for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']: - copy_image = None - if args.region != dest: - try: - print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest) - conn = boto.ec2.connect_to_region(dest) - copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None) - except : - print >> sys.stderr, "FAILED!" - - # Log the AMI ID. - if copy_image != None: - f.write(' "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id)) - else: - f.write(' "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id)) - - -f.write("}\n") -f.close() - -if not args.keep: - test_depl.logger.set_autoresponse("y") - test_depl.destroy_resources() - test_depl.delete() - diff --git a/nixos/maintainers/scripts/ec2/create-s3-amis.sh b/nixos/maintainers/scripts/ec2/create-s3-amis.sh deleted file mode 100755 index ed861a3944a..00000000000 --- a/nixos/maintainers/scripts/ec2/create-s3-amis.sh +++ /dev/null @@ -1,53 +0,0 @@ -#! /bin/sh -e - -export NIXOS_CONFIG=$(dirname $(readlink -f $0))/amazon-base-config.nix - -version=$(nix-instantiate --eval-only '<nixpkgs/nixos>' -A config.system.nixosVersion | sed s/'"'//g) -echo "NixOS version is $version" - -buildAndUploadFor() { - system="$1" - arch="$2" - - echo "building $system image..." - nix-build '<nixpkgs/nixos>' \ - -A config.system.build.amazonImage --argstr system "$system" -o ec2-ami - - ec2-bundle-image -i ./ec2-ami/nixos.img --user "$AWS_ACCOUNT" --arch "$arch" \ - -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY" - - for region in eu-west-1; do - echo "uploading $system image for $region..." - - name=nixos-$version-$arch-s3 - bucket="$(echo $name-$region | tr '[A-Z]_' '[a-z]-')" - - if [ "$region" = eu-west-1 ]; then s3location=EU; - elif [ "$region" = us-east-1 ]; then s3location=US; - else s3location="$region" - fi - - ec2-upload-bundle -b "$bucket" -m /tmp/nixos.img.manifest.xml \ - -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \ - --url http://s3.amazonaws.com - - kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2) - echo "using PV-GRUB kernel $kernel" - - ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \ - --region "$region" --kernel "$kernel" | cut -f 2) - - echo "AMI ID is $ami" - - echo " \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix - - ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" - - for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do - new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId) - echo " \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix - done - done -} - -buildAndUploadFor x86_64-linux x86_64 diff --git a/nixos/maintainers/scripts/ec2/ebs-creator.nix b/nixos/maintainers/scripts/ec2/ebs-creator.nix deleted file mode 100644 index 7bb13695fa7..00000000000 --- a/nixos/maintainers/scripts/ec2/ebs-creator.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - network.description = "NixOS EBS creator"; - - machine = - { config, pkgs, resources, ... }: - { deployment.targetEnv = "ec2"; - deployment.ec2.instanceType = "c3.large"; - deployment.ec2.securityGroups = [ "public-ssh" ]; - deployment.ec2.ebsBoot = false; - deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name; - environment.systemPackages = [ pkgs.parted ]; - }; -} diff --git a/nixos/modules/config/fonts/fonts.nix b/nixos/modules/config/fonts/fonts.nix index a3fa4bd9778..ea0a6703857 100644 --- a/nixos/modules/config/fonts/fonts.nix +++ b/nixos/modules/config/fonts/fonts.nix @@ -31,6 +31,7 @@ with lib; pkgs.xorg.fontbh100dpi pkgs.xorg.fontmiscmisc pkgs.xorg.fontcursormisc + pkgs.unifont ]; }; diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index f99cea7d17b..b49f8a156d1 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -39,6 +39,16 @@ in ''; }; + networking.extraResolvconfConf = lib.mkOption { + type = types.lines; + default = ""; + example = "libc=NO"; + description = '' + Extra configuration to append to <filename>resolvconf.conf</filename>. + ''; + }; + + networking.proxy = { default = lib.mkOption { @@ -150,6 +160,7 @@ in '' + optionalString dnsmasqResolve '' dnsmasq_conf=/etc/dnsmasq-conf.conf dnsmasq_resolv=/etc/dnsmasq-resolv.conf + '' + cfg.extraResolvconfConf + '' ''; } // (optionalAttrs config.services.resolved.enable ( diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 533280890a7..d0243f9775c 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -57,8 +57,8 @@ in type = types.attrsOf (types.listOf types.str); example = { PATH = [ "/bin" "/sbin" ]; MANPATH = [ "/man" "/share/man" ]; }; description = '' - Attribute set of environment variable. Each attribute maps to a list - of relative paths. Each relative path is appended to the each profile + Attribute set of environment variable. Each attribute maps to a list + of relative paths. Each relative path is appended to the each profile of <option>environment.profiles</option> to form the content of the corresponding environment variable. ''; @@ -123,6 +123,7 @@ in "''${pkgs.dash}/bin/dash" ''; type = types.path; + visible = false; description = '' The shell executable that is linked system-wide to <literal>/bin/sh</literal>. Please note that NixOS assumes all diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index eccb19da5cb..ea7e3e16b8d 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -33,7 +33,7 @@ in echo "unpacking the NixOS/Nixpkgs sources..." mkdir -p /nix/var/nix/profiles/per-user/root ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ - -i ${channelSources} --quiet --option use-substitutes false + -i ${channelSources} --quiet --option build-use-substitutes false mkdir -m 0700 -p /root/.nix-defexpr ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels mkdir -m 0755 -p /var/lib/nixos diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index cf7ef455eb8..87a7bac208b 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -36,7 +36,6 @@ in askPassword = mkOption { type = types.str; - default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; description = ''Program used by SSH to ask for passwords.''; }; @@ -223,5 +222,7 @@ in export SSH_ASKPASS=${askPassword} ''; + programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; + }; } diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index ca3188b1819..8f85b602fe2 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -99,7 +99,6 @@ in }; outputTheme = mkOption { - default = "${pkgs.venus}/themes/classic_fancy"; type = types.path; description = '' Directory containing a config.ini file which is merged with this one. @@ -170,5 +169,7 @@ in startAt = cfg.dates; }; + services.venus.outputTheme = mkDefault "${pkgs.venus}/themes/classic_fancy"; + }; } diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix index 261f9761766..56ff388f8a9 100644 --- a/nixos/modules/services/amqp/activemq/default.nix +++ b/nixos/modules/services/amqp/activemq/default.nix @@ -32,7 +32,6 @@ in { ''; }; configurationDir = mkOption { - default = "${activemq}/conf"; description = '' The base directory for ActiveMQ's configuration. By default, this directory is searched for a file named activemq.xml, @@ -126,6 +125,8 @@ in { ''; }; + services.activemq.configurationDir = mkDefault "${activemq}/conf"; + }; } diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index 3bf765c6f99..0428602688d 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -36,7 +36,6 @@ in hardware.sane.configDir = mkOption { type = types.string; - default = "${saneConfig}/etc/sane.d"; description = "The value of SANE_CONFIG_DIR."; }; @@ -47,6 +46,8 @@ in config = mkIf config.hardware.sane.enable { + hardware.sane.configDir = mkDefault "${saneConfig}/etc/sane.d"; + environment.systemPackages = backends; environment.sessionVariables = { SANE_CONFIG_DIR = config.hardware.sane.configDir; diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index aec45d9286d..3a798c6f372 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -84,10 +84,10 @@ in type = types.lines; default = ''stdin { type => "example" }''; description = "Logstash input configuration."; - example = '' + example = literalExample '' # Read from journal pipe { - command => "${pkgs.systemd}/bin/journalctl -f -o json" + command => "''${pkgs.systemd}/bin/journalctl -f -o json" type => "syslog" codec => json {} } ''; diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index c570a01fb3b..c10d8197686 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -80,7 +80,6 @@ in services.nixosManual.browser = mkOption { type = types.path; - default = "${pkgs.w3m}/bin/w3m"; description = '' Browser used to show the manual. ''; @@ -93,7 +92,7 @@ in system.build.manual = manual; - environment.systemPackages = [ manual.manpages help ]; + environment.systemPackages = [ manual.manpages manual.manual help ]; boot.extraTTYs = mkIf cfg.showManual ["tty${cfg.ttyNumber}"]; @@ -116,6 +115,8 @@ in services.mingetty.helpLine = mkIf cfg.showManual "\nPress <Alt-F${toString cfg.ttyNumber}> for the NixOS manual."; + services.nixosManual.browser = mkDefault "${pkgs.w3m}/bin/w3m"; + }; } diff --git a/nixos/modules/services/misc/subsonic.nix b/nixos/modules/services/misc/subsonic.nix index 3e1a2e8fbb5..4d164ad8d65 100644 --- a/nixos/modules/services/misc/subsonic.nix +++ b/nixos/modules/services/misc/subsonic.nix @@ -97,7 +97,6 @@ in transcoders = mkOption { type = types.listOf types.path; - default = [ "${pkgs.ffmpeg}/bin/ffmpeg" ]; description = '' List of paths to transcoder executables that should be accessible from Subsonic. Symlinks will be created to each executable inside @@ -153,5 +152,8 @@ in }; users.extraGroups.subsonic.gid = config.ids.gids.subsonic; + + services.subsonic.transcoders = mkDefault [ "${pkgs.ffmpeg}/bin/ffmpeg" ]; + }; } diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 0393d01054d..fa653565a67 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -200,7 +200,6 @@ in { staticRootPath = mkOption { description = "Root path for static assets."; - default = "${cfg.package.out}/share/go/src/github.com/grafana/grafana/public"; type = types.str; }; @@ -311,7 +310,7 @@ in { config = mkIf cfg.enable { warnings = [ - "Grafana passwords will be stored as plaintext in nix store!" + "Grafana passwords will be stored as plaintext in the Nix store!" ]; systemd.services.grafana = { @@ -331,5 +330,8 @@ in { home = cfg.dataDir; createHome = true; }; + + services.grafana.staticRootPath = mkDefault "${cfg.package.out}/share/go/src/github.com/grafana/grafana/public"; + }; } diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index 57547da1006..34e7470dfc6 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -24,6 +24,8 @@ let pid-file "/var/run/named/named.pid"; }; + ${cfg.extraConfig} + ${ concatMapStrings ({ name, file, master ? true, slaves ? [], masters ? [] }: '' @@ -110,6 +112,13 @@ in }]; }; + extraConfig = mkOption { + default = ""; + description = " + Extra lines to be added verbatim to the generated named configuration file. + "; + }; + configFile = mkOption { default = confFile; description = " diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index 8552395fdb1..b31d479ab4f 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -18,6 +18,7 @@ let map (i: i.name) (filter (i: if i.useDHCP != null then !i.useDHCP else i.ip4 != [ ] || i.ipAddress != null) interfaces) ++ mapAttrsToList (i: _: i) config.networking.sits ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bridges)) + ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.vswitches)) ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bonds)) ++ config.networking.dhcpcd.denyInterfaces; diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index c724ee979c2..218bce2dbb3 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -52,10 +52,7 @@ in default = "opendns"; type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. See - <literal>${resolverListFile}</literal> for alternative resolvers - (e.g., if you are concerned about logging and/or server - location). + The name of the upstream DNSCrypt resolver to use. ''; }; customResolver = mkOption { diff --git a/nixos/modules/services/networking/seeks.nix b/nixos/modules/services/networking/seeks.nix index 155ecbb98ef..f5bc60be345 100644 --- a/nixos/modules/services/networking/seeks.nix +++ b/nixos/modules/services/networking/seeks.nix @@ -33,7 +33,7 @@ in type = types.str; description = " The Seeks server configuration. If it is not specified, - a default configuration is used (${seeks}/etc/seeks). + a default configuration is used. "; }; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index d5accfef1cb..4eb32b1cf30 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -54,12 +54,15 @@ in description = "Syncthing service"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - environment.STNORESTART = "placeholder"; # do not self-restart + environment.STNORESTART = "yes"; # do not self-restart + environment.STNOUPGRADE = "yes"; serviceConfig = { User = "${cfg.user}"; PermissionsStartOnly = true; - Restart = "always"; + Restart = "on-failure"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -home=${cfg.dataDir}"; + SuccessExitStatus = "2 3 4"; + RestartForceExitStatus="3 4"; }; }; diff --git a/nixos/modules/services/web-servers/phpfpm.nix b/nixos/modules/services/web-servers/phpfpm.nix index 41dbfff41cf..82398948bfa 100644 --- a/nixos/modules/services/web-servers/phpfpm.nix +++ b/nixos/modules/services/web-servers/phpfpm.nix @@ -44,8 +44,7 @@ in { phpIni = mkOption { type = types.path; - default = "${cfg.phpPackage}/etc/php-recommended.ini"; - description = "php.ini file to use."; + description = "PHP configuration file to use."; }; poolConfigs = mkOption { @@ -86,5 +85,7 @@ in { }; }; + services.phpfpm.phpIni = mkDefault "${cfg.phpPackage}/etc/php-recommended.ini"; + }; } diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index fc0803f2aca..ca0832e5b0c 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -114,6 +114,10 @@ let rm -rf $HOME/.compose-cache mkdir $HOME/.compose-cache + # Work around KDE errors when a user first logs in and + # .local/share doesn't exist yet. + mkdir -p $HOME/.local/share + ${cfg.displayManager.sessionCommands} # Allow the user to execute commands at the beginning of the X session. diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index bc8f478c7d8..11e21c9d917 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -104,7 +104,6 @@ in }; background = mkOption { - default = "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png"; description = '' The background image or color to use. ''; @@ -172,5 +171,8 @@ in }; users.extraGroups.lightdm.gid = config.ids.gids.lightdm; + + services.xserver.displayManager.lightdm.background = mkDefault "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png"; + }; } diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 480bbfa2b07..51828c5c090 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -135,7 +135,7 @@ ln -s @modulesClosure@/lib/modules /lib/modules echo @extraUtils@/bin/modprobe > /proc/sys/kernel/modprobe for i in @kernelModules@; do echo "loading module $(basename $i)..." - modprobe $i || true + modprobe $i done @@ -146,7 +146,7 @@ ln -sfn @udevRules@ /etc/udev/rules.d mkdir -p /dev/.mdadm systemd-udevd --daemon udevadm trigger --action=add -udevadm settle || true +udevadm settle # Load boot-time keymap before any LVM/LUKS initialization @@ -290,10 +290,23 @@ mountFS() { if [ -z "$fsType" ]; then fsType=auto; fi fi - echo "$device /mnt-root$mountPoint $fsType $options" >> /etc/fstab + # Filter out x- options, which busybox doesn't do yet. + local optionsFiltered="$(IFS=,; for i in $options; do if [ "${i:0:2}" != "x-" ]; then echo -n $i,; fi; done)" + + echo "$device /mnt-root$mountPoint $fsType $optionsFiltered" >> /etc/fstab checkFS "$device" "$fsType" + # Optionally resize the filesystem. + case $options in + *x-nixos.autoresize*) + if [ "$fsType" = ext2 -o "$fsType" = ext3 -o "$fsType" = ext4 ]; then + echo "resizing $device..." + resize2fs "$device" + fi + ;; + esac + # Create backing directories for unionfs-fuse. if [ "$fsType" = unionfs-fuse ]; then for i in $(IFS=:; echo ${options##*,dirs=}); do @@ -303,7 +316,7 @@ mountFS() { echo "mounting $device on $mountPoint..." - mkdir -p "/mnt-root$mountPoint" || true + mkdir -p "/mnt-root$mountPoint" # For CIFS mounts, retry a few times before giving up. local n=0 @@ -375,7 +388,7 @@ while read -u 3 mountPoint; do # Wait once more for the udev queue to empty, just in case it's # doing something with $device right now. - udevadm settle || true + udevadm settle mountFS "$device" "$mountPoint" "$options" "$fsType" done @@ -388,9 +401,9 @@ exec 3>&- # Emit a udev rule for /dev/root to prevent systemd from complaining. if [ -e /mnt-root/iso ]; then - eval $(udevadm info --export --export-prefix=ROOT_ --device-id-of-file=/mnt-root/iso || true) + eval $(udevadm info --export --export-prefix=ROOT_ --device-id-of-file=/mnt-root/iso) else - eval $(udevadm info --export --export-prefix=ROOT_ --device-id-of-file=$targetRoot || true) + eval $(udevadm info --export --export-prefix=ROOT_ --device-id-of-file=$targetRoot) fi if [ "$ROOT_MAJOR" -a "$ROOT_MINOR" -a "$ROOT_MAJOR" != 0 ]; then mkdir -p /run/udev/rules.d @@ -399,7 +412,7 @@ fi # Stop udevd. -udevadm control --exit || true +udevadm control --exit # Kill any remaining processes, just to be sure we're not taking any # with us into stage 2. But keep storage daemons like unionfs-fuse. diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index f782eca3f64..ace2d10ec9c 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -70,6 +70,12 @@ let copy_bin_and_libs ${pkgs.kmod}/bin/kmod ln -sf kmod $out/bin/modprobe + # Copy resize2fs if needed. + ${optionalString (any (fs: fs.autoResize) (attrValues config.fileSystems)) '' + # We need mke2fs in the initrd. + copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/resize2fs + ''} + ${config.boot.initrd.extraUtilsCommands} # Copy ld manually since it isn't detected correctly @@ -393,7 +399,6 @@ in } ]; - system.build.bootStage1 = bootStage1; system.build.initialRamdisk = initialRamdisk; system.build.extraUtils = extraUtils; diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index 8b5dd22fd38..331531cee15 100644 --- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -6,6 +6,7 @@ let fileSystems = attrValues config.fileSystems ++ config.swapDevices; encDevs = filter (dev: dev.encrypted.enable) fileSystems; keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs; + keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs; isIn = needle: haystack: filter (p: p == needle) haystack != []; anyEncrypted = fold (j: v: v || j.encrypted.enable) false encDevs; @@ -29,15 +30,15 @@ let label = mkOption { default = null; example = "rootfs"; - type = types.nullOr types.str; - description = "Label of the backing encrypted device."; + type = types.uniq (types.nullOr types.str); + description = "Label of the unlocked encrypted device. Set <literal>fileSystems.<name?>.device</literal> to <literal>/dev/mapper/<label></literal> to mount the unlocked device."; }; keyFile = mkOption { default = null; example = "/root/.swapkey"; type = types.nullOr types.str; - description = "File system location of keyfile."; + description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>."; }; }; }; @@ -58,11 +59,11 @@ in boot.initrd = { luks = { devices = - map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs; + map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs; cryptoModules = [ "aes" "sha256" "sha1" "xts" ]; }; postMountCommands = - concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs; + concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs; }; }; } diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 4409bd4cc8c..9dd250f140c 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -7,7 +7,7 @@ let fileSystems = attrValues config.fileSystems; - prioOption = prio: optionalString (prio !=null) " pri=${toString prio}"; + prioOption = prio: optionalString (prio != null) " pri=${toString prio}"; fileSystemOpts = { name, config, ... }: { @@ -41,9 +41,9 @@ let }; options = mkOption { - default = "defaults,relatime"; + default = "defaults"; example = "data=journal"; - type = types.commas; + type = types.commas; # FIXME: should be a list description = "Options used to mount the file system."; }; @@ -58,6 +58,17 @@ let ''; }; + autoResize = mkOption { + default = false; + type = types.bool; + description = '' + If set, the filesystem is grown to its maximum size before + being mounted. (This is typically the size of the containing + partition.) This is currently only supported for ext2/3/4 + filesystems that are mounted during early boot. + ''; + }; + noCheck = mkOption { default = false; type = types.bool; @@ -69,8 +80,7 @@ let config = { mountPoint = mkDefault name; device = mkIf (config.fsType == "tmpfs") (mkDefault config.fsType); - # The vboxsf filesystem doesn't support the relatime option: - options = mkIf (config.fsType == "vboxsf") (mkDefault "defaults"); + options = mkIf config.autoResize "x-nixos.autoresize"; }; }; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index d4b10e9ed09..675bd3d232a 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -21,9 +21,9 @@ let kernel = config.boot.kernelPackages; - splKernelPkg = if cfgZfs.useGit then kernel.spl_git else kernel.spl; - zfsKernelPkg = if cfgZfs.useGit then kernel.zfs_git else kernel.zfs; - zfsUserPkg = if cfgZfs.useGit then pkgs.zfs_git else pkgs.zfs; + splKernelPkg = kernel.spl; + zfsKernelPkg = kernel.zfs; + zfsUserPkg = pkgs.zfs; autosnapPkg = pkgs.zfstools.override { zfs = zfsUserPkg; @@ -53,16 +53,6 @@ in options = { boot.zfs = { - useGit = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - Use the git version of the SPL and ZFS packages. - Note that these are unreleased versions, with less testing, and therefore - may be more unstable. - ''; - }; extraPools = mkOption { type = types.listOf types.str; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 328d94cbb05..d8b1592c36b 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -220,6 +220,45 @@ in ''; }); + createVswitchDevice = n: v: nameValuePair "${n}-netdev" + (let + managedInterfaces = filter (x: hasAttr x cfg.interfaces) v.interfaces; + managedInterfaceServices = concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) managedInterfaces; + virtualInterfaces = filter (x: (hasAttr x cfg.interfaces) && cfg.interfaces.${x}.virtual) v.interfaces; + virtualInterfaceServices = concatMap (i: [ "${i}-netdev.service" ]) virtualInterfaces; + deps = map subsystemDevice v.interfaces; + ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules; + in + { description = "Open vSwitch Interface ${n}"; + wantedBy = [ "network.target" "vswitchd.service" (subsystemDevice n) ]; + requires = optionals v.bindInterfaces (deps ++ managedInterfaceServices ++ virtualInterfaceServices); + requiredBy = optionals v.bindInterfaces (managedInterfaceServices ++ virtualInterfaceServices); + bindsTo = deps ++ [ "vswitchd.service" ]; + partOf = [ "vswitchd.service" ]; + after = [ "network-pre.target" "vswitchd.service" ] ++ deps ++ managedInterfaceServices ++ virtualInterfaceServices; + before = [ "network-interfaces.target" (subsystemDevice n) ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + path = [ pkgs.iproute config.virtualisation.vswitch.package ]; + script = '' + echo "Removing old Open vSwitch ${n}..." + ovs-vsctl --if-exists del-br ${n} + + echo "Adding Open vSwitch ${n}..." + ovs-vsctl -- add-br ${n} ${concatMapStrings (i: " -- add-port ${n} ${i}") v.interfaces} \ + ${concatMapStrings (x: " -- set-controller ${n} " + x) v.controllers} \ + ${concatMapStrings (x: " -- " + x) (splitString "\n" v.extraOvsctlCmds)} + + echo "Adding OpenFlow rules for Open vSwitch ${n}..." + ovs-ofctl add-flows ${n} ${ofRules} + ''; + postStop = '' + ip link set ${n} down || true + ovs-ofctl del-flows ${n} || true + ovs-vsctl --if-exists del-br ${n} + ''; + }); + createBondDevice = n: v: nameValuePair "${n}-netdev" (let deps = map subsystemDevice v.interfaces; @@ -335,6 +374,7 @@ in map configureAddrs interfaces ++ map createTunDevice (filter (i: i.virtual) interfaces)) // mapAttrs' createBridgeDevice cfg.bridges + // mapAttrs' createVswitchDevice cfg.vswitches // mapAttrs' createBondDevice cfg.bonds // mapAttrs' createMacvlanDevice cfg.macvlans // mapAttrs' createSitDevice cfg.sits diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 8223c5a4941..301ee43fd0e 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -35,6 +35,9 @@ in assertions = [ { assertion = cfg.defaultGatewayWindowSize == null; message = "networking.defaultGatewayWindowSize is not supported by networkd."; + } { + assertion = cfg.vswitches == {}; + message = "networking.vswichtes are not supported by networkd."; } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: { assertion = !rstp; message = "networking.bridges.${n}.rstp is not supported by networkd."; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 9931c977e8f..7af3160e2d4 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -12,7 +12,8 @@ let hasBonds = cfg.bonds != { }; slaves = concatMap (i: i.interfaces) (attrValues cfg.bonds) - ++ concatMap (i: i.interfaces) (attrValues cfg.bridges); + ++ concatMap (i: i.interfaces) (attrValues cfg.bridges) + ++ concatMap (i: i.interfaces) (attrValues cfg.vswitches); slaveIfs = map (i: cfg.interfaces.${i}) (filter (i: cfg.interfaces ? ${i}) slaves); @@ -371,6 +372,81 @@ in options = [ interfaceOpts ]; }; + networking.vswitches = mkOption { + default = { }; + example = + { vs0.interfaces = [ "eth0" "eth1" ]; + vs1.interfaces = [ "eth2" "wlan0" ]; + }; + description = + '' + This option allows you to define Open vSwitches that connect + physical networks together. The value of this option is an + attribute set. Each attribute specifies a vswitch, with the + attribute name specifying the name of the vswitch's network + interface. + ''; + + type = types.attrsOf types.optionSet; + + options = { + + interfaces = mkOption { + example = [ "eth0" "eth1" ]; + type = types.listOf types.str; + description = + "The physical network interfaces connected by the vSwitch."; + }; + + bindInterfaces = mkOption { + type = types.bool; + default = false; + description = '' + If true, then the interfaces of the vSwitch are brought 'up' and especially + also 'down' together with the vSwitch. That requires that every interfaces + is configured as a systemd network services. + ''; + }; + + controllers = mkOption { + type = types.listOf types.str; + default = []; + example = [ "ptcp:6653:[::1]" ]; + description = '' + Specify the controller targets. For the allowed options see <literal>man 8 ovs-vsctl</literal>. + ''; + }; + + openFlowRules = mkOption { + type = types.lines; + default = ""; + example = '' + actions=normal + ''; + description = '' + OpenFlow rules to insert into the Open vSwitch. All <literal>openFlowRules</literal> are + loaded with <literal>ovs-ofctl</literal> within one atomic operation. + ''; + }; + + extraOvsctlCmds = mkOption { + type = types.lines; + default = ""; + example = '' + set-fail-mode <switch_name> secure + set Bridge <switch_name> stp_enable=true + ''; + description = '' + Commands to manipulate the Open vSwitch database. Every line executed with <literal>ovs-vsctl</literal>. + All commands are bundled together with the operations for adding the interfaces + into one atomic operation. + ''; + }; + + }; + + }; + networking.bridges = mkOption { default = { }; example = @@ -766,6 +842,8 @@ in services.mstpd = mkIf needsMstpd { enable = true; }; + virtualisation.vswitch = mkIf (cfg.vswitches != { }) { enable = true; }; + }; } diff --git a/nixos/modules/virtualisation/amazon-config.nix b/nixos/modules/virtualisation/amazon-config.nix deleted file mode 100644 index 809cdb4d108..00000000000 --- a/nixos/modules/virtualisation/amazon-config.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ]; -} diff --git a/nixos/modules/virtualisation/amazon-grow-partition.nix b/nixos/modules/virtualisation/amazon-grow-partition.nix new file mode 100644 index 00000000000..44a9fa93e7e --- /dev/null +++ b/nixos/modules/virtualisation/amazon-grow-partition.nix @@ -0,0 +1,50 @@ +# This module automatically grows the root partition on Amazon EC2 HVM +# instances. This allows an instance to be created with a bigger root +# filesystem than provided by the AMI. + +{ config, lib, pkgs, ... }: + +with lib; + +let + + growpart = pkgs.stdenv.mkDerivation { + name = "growpart"; + src = pkgs.fetchurl { + url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz"; + sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd"; + }; + patches = [ ./growpart-util-linux-2.26.patch ]; + buildPhase = '' + cp bin/growpart $out + sed -i 's|awk|gawk|' $out + sed -i 's|sed|gnused|' $out + ''; + dontInstall = true; + dontPatchShebangs = true; + }; + +in + +{ + + config = mkIf config.ec2.hvm { + + boot.initrd.extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.gawk}/bin/gawk + copy_bin_and_libs ${pkgs.gnused}/bin/sed + copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk + cp -v ${growpart} $out/bin/growpart + ln -s sed $out/bin/gnused + ''; + + boot.initrd.postDeviceCommands = '' + if [ -e /dev/xvda ] && [ -e /dev/xvda1 ]; then + TMPDIR=/run sh $(type -P growpart) /dev/xvda 1 + udevadm settle + fi + ''; + + }; + +} diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 600a29f31bc..bf2364a0459 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -1,105 +1,40 @@ +# Configuration for Amazon EC2 instances. (Note that this file is a +# misnomer - it should be "amazon-config.nix" or so, not +# "amazon-image.nix", since it's used not only to build images but +# also to reconfigure instances. However, we can't rename it because +# existing "configuration.nix" files on EC2 instances refer to it.) + { config, lib, pkgs, ... }: with lib; -let - cfg = config.ec2; -in + +let cfg = config.ec2; in + { - imports = [ ../profiles/headless.nix ./ec2-data.nix ]; + imports = [ ../profiles/headless.nix ./ec2-data.nix ./amazon-grow-partition.nix ]; config = { - system.build.amazonImage = - pkgs.vmTools.runInLinuxVM ( - pkgs.runCommand "amazon-image" - { preVM = - '' - mkdir $out - diskImage=$out/nixos.img - ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "8G" - mv closure xchg/ - ''; - buildInputs = [ pkgs.utillinux pkgs.perl ]; - exportReferencesGraph = - [ "closure" config.system.build.toplevel ]; - } - '' - ${if cfg.hvm then '' - # Create a single / partition. - ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos - ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s - . /sys/class/block/vda1/uevent - mknod /dev/vda1 b $MAJOR $MINOR - - # Create an empty filesystem and mount it. - ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 - ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 - mkdir /mnt - mount /dev/vda1 /mnt - '' else '' - # Create an empty filesystem and mount it. - ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda - ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda - mkdir /mnt - mount /dev/vda /mnt - ''} - - # The initrd expects these directories to exist. - mkdir /mnt/dev /mnt/proc /mnt/sys - - mount -o bind /proc /mnt/proc - mount -o bind /dev /mnt/dev - mount -o bind /sys /mnt/sys - - # Copy all paths in the closure to the filesystem. - storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) - - mkdir -p /mnt/nix/store - echo "copying everything (will take a while)..." - cp -prd $storePaths /mnt/nix/store/ - - # Register the paths in the Nix database. - printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" - - # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} - - # `nixos-rebuild' requires an /etc/NIXOS. - mkdir -p /mnt/etc - touch /mnt/etc/NIXOS - - # `switch-to-configuration' requires a /bin/sh - mkdir -p /mnt/bin - ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh - - # Install a configuration.nix. - mkdir -p /mnt/etc/nixos - cp ${./amazon-config.nix} /mnt/etc/nixos/configuration.nix - - # Generate the GRUB menu. - ln -s vda /dev/xvda - chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot - - umount /mnt/proc /mnt/dev /mnt/sys - umount /mnt - '' - ); - - fileSystems."/".device = "/dev/disk/by-label/nixos"; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + }; boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.kernelModules = [ "xen-netfront" ]; + boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" ]; # Prevent the nouveau kernel module from being loaded, as it # interferes with the nvidia/nvidia-uvm modules needed for CUDA. - boot.blacklistedKernelModules = [ "nouveau" ]; + # Also blacklist xen_fbfront to prevent a 30 second delay during + # boot. + boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. boot.loader.grub.version = if cfg.hvm then 2 else 1; boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev"; boot.loader.grub.timeout = 0; - boot.loader.grub.extraPerEntryConfig = "root (hd0${lib.optionalString cfg.hvm ",0"})"; + boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; boot.initrd.postDeviceCommands = '' diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 0b0fdda4988..383750520ab 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -35,10 +35,8 @@ with lib; mkdir -m 0700 -p /root/.ssh $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub if [ $? -eq 0 -a -e /root/key.pub ]; then - if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then - cat /root/key.pub >> /root/.ssh/authorized_keys - echo "new key added to authorized_keys" - fi + cat /root/key.pub >> /root/.ssh/authorized_keys + echo "new key added to authorized_keys" chmod 600 /root/.ssh/authorized_keys rm -f /root/key.pub fi @@ -80,8 +78,9 @@ with lib; # can obtain it securely by parsing the output of # ec2-get-console-output. echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console - ${config.programs.ssh.package}/bin/ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub > /dev/console - ${config.programs.ssh.package}/bin/ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub > /dev/console + for i in /etc/ssh/ssh_host_*_key.pub; do + ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console + done echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console ''; serviceConfig.Type = "oneshot"; diff --git a/nixos/modules/virtualisation/growpart-util-linux-2.26.patch b/nixos/modules/virtualisation/growpart-util-linux-2.26.patch new file mode 100644 index 00000000000..c782c2d7e4b --- /dev/null +++ b/nixos/modules/virtualisation/growpart-util-linux-2.26.patch @@ -0,0 +1,88 @@ +From 1895d10a7539d055a4e0206af1e7a9e5ea32a4f7 Mon Sep 17 00:00:00 2001 +From: Juerg Haefliger <juerg.haefliger@hp.com> +Date: Wed, 25 Mar 2015 13:59:20 +0100 +Subject: [PATCH] Support new sfdisk version 2.26 + +The sfdisk usage with version 2.26 changed. Specifically, the option +--show-pt-geometry and functionality for CHS have been removed. +Also, restoring a backup MBR now needs to be done using dd. +--- + bin/growpart | 28 ++++++++++------------------ + 1 file changed, 10 insertions(+), 18 deletions(-) + +diff --git a/bin/growpart b/bin/growpart +index 595c40b..d4c995b 100755 +--- a/bin/growpart ++++ b/bin/growpart +@@ -28,7 +28,6 @@ PART="" + PT_UPDATE=false + DRY_RUN=0 + +-MBR_CHS="" + MBR_BACKUP="" + GPT_BACKUP="" + _capture="" +@@ -133,7 +132,8 @@ bad_Usage() { + } + + mbr_restore() { +- sfdisk --no-reread "${DISK}" ${MBR_CHS} -I "${MBR_BACKUP}" ++ dd if="${MBR_BACKUP}-${DISK#/dev/}-0x00000000.bak" of="${DISK}" bs=1 \ ++ conv=notrunc + } + + sfdisk_worked_but_blkrrpart_failed() { +@@ -148,34 +148,26 @@ sfdisk_worked_but_blkrrpart_failed() { + + mbr_resize() { + RESTORE_HUMAN="${TEMP_D}/recovery" +- MBR_BACKUP="${TEMP_D}/orig.save" ++ MBR_BACKUP="${TEMP_D}/backup" + + local change_out=${TEMP_D}/change.out + local dump_out=${TEMP_D}/dump.out + local new_out=${TEMP_D}/new.out + local dump_mod=${TEMP_D}/dump.mod +- local tmp="${TEMP_D}/tmp.out" +- local err="${TEMP_D}/err.out" + +- local _devc cyl _w1 heads _w2 sectors _w3 tot dpart ++ local tot dpart + local pt_start pt_size pt_end max_end new_size change_info + +- # --show-pt-geometry outputs something like +- # /dev/sda: 164352 cylinders, 4 heads, 32 sectors/track +- rqe sfd_geom sfdisk "${DISK}" --show-pt-geometry >"${tmp}" && +- read _devc cyl _w1 heads _w2 sectors _w3 <"${tmp}" && +- MBR_CHS="-C ${cyl} -H ${heads} -S ${sectors}" || +- fail "failed to get CHS from ${DISK}" ++ tot=$(sfdisk --list "${DISK}" | awk '{ print $(NF-1) ; exit }') || ++ fail "failed to get total number of sectors from ${DISK}" + +- tot=$((${cyl}*${heads}*${sectors})) ++ debug 1 "total number of sectors of ${DISK} is ${tot}" + +- debug 1 "geometry is ${MBR_CHS}. total size=${tot}" +- rqe sfd_dump sfdisk ${MBR_CHS} --unit=S --dump "${DISK}" \ ++ rqe sfd_dump sfdisk --dump "${DISK}" \ + >"${dump_out}" || + fail "failed to dump sfdisk info for ${DISK}" +- + { +- echo "## sfdisk ${MBR_CHS} --unit=S --dump ${DISK}" ++ echo "## sfdisk --dump ${DISK}" + cat "${dump_out}" + } >"${RESTORE_HUMAN}" + [ $? -eq 0 ] || fail "failed to save sfdisk -d output" +@@ -237,7 +229,7 @@ mbr_resize() { + exit 0 + fi + +- LANG=C sfdisk --no-reread "${DISK}" ${MBR_CHS} --force \ ++ LANG=C sfdisk --no-reread "${DISK}" --force \ + -O "${MBR_BACKUP}" <"${new_out}" >"${change_out}" 2>&1 + ret=$? + [ $ret -eq 0 ] || RESTORE_FUNC="mbr_restore" +-- +2.1.4 + diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index b5155246fda..a0231315236 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -19,6 +19,15 @@ in { ''; }; + resetOnStart = mkOption { + type = types.bool; + default = false; + description = '' + Whether to reset the Open vSwitch configuration database to a default + configuration on every start of the systemd <literal>ovsdb.service</literal>. + ''; + }; + package = mkOption { type = types.package; default = pkgs.openvswitch; @@ -75,6 +84,7 @@ in { mkdir -p ${runDir} mkdir -p /var/db/openvswitch chmod +w /var/db/openvswitch + ${optionalString cfg.resetOnStart "rm -f /var/db/openvswitch/conf.db"} if [[ ! -e /var/db/openvswitch/conf.db ]]; then ${cfg.package}/bin/ovsdb-tool create \ "/var/db/openvswitch/conf.db" \ @@ -98,6 +108,7 @@ in { Restart = "always"; RestartSec = 3; PIDFile = "/var/run/openvswitch/ovsdb.pid"; + # Use service type 'forking' to correctly determine when ovsdb-server is ready. Type = "forking"; }; postStart = '' @@ -118,6 +129,7 @@ in { --detach ''; PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid"; + # Use service type 'forking' to correctly determine when vswitchd is ready. Type = "forking"; }; }; @@ -147,6 +159,7 @@ in { unix:/var/run/openvswitch/db.sock ''; PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid"; + # Use service type 'forking' to correctly determine when ovs-monitor-ipsec is ready. Type = "forking"; }; diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index 2d3b4834fc5..425726333c4 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -11,93 +11,37 @@ in { options = { virtualbox = { baseImageSize = mkOption { - type = types.str; - default = "10G"; + type = types.int; + default = 10 * 1024; description = '' - The size of the VirtualBox base image. The size string should be on - a format the qemu-img command accepts. + The size of the VirtualBox base image in MiB. ''; }; }; }; config = { - system.build.virtualBoxImage = - pkgs.vmTools.runInLinuxVM ( - pkgs.runCommand "virtualbox-image" - { memSize = 768; - preVM = - '' - mkdir $out - diskImage=$out/image - ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${cfg.baseImageSize}" - mv closure xchg/ - ''; - postVM = - '' - echo "creating VirtualBox disk image..." - ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi - rm $diskImage - ''; - buildInputs = [ pkgs.utillinux pkgs.perl ]; - exportReferencesGraph = - [ "closure" config.system.build.toplevel ]; + + system.build.virtualBoxImage = import ../../lib/make-disk-image.nix { + inherit pkgs lib config; + partitioned = true; + diskSize = cfg.baseImageSize; + + configFile = pkgs.writeText "configuration.nix" + '' + { + imports = [ <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix> ]; } - '' - # Create a single / partition. - ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos - ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s - . /sys/class/block/vda1/uevent - mknod /dev/vda1 b $MAJOR $MINOR - - # Create an empty filesystem and mount it. - ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 - ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 - mkdir /mnt - mount /dev/vda1 /mnt - - # The initrd expects these directories to exist. - mkdir /mnt/dev /mnt/proc /mnt/sys - mount --bind /proc /mnt/proc - mount --bind /dev /mnt/dev - mount --bind /sys /mnt/sys - - # Copy all paths in the closure to the filesystem. - storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) - - echo "filling Nix store..." - mkdir -p /mnt/nix/store - set -f - cp -prd $storePaths /mnt/nix/store/ - - mkdir -p /mnt/etc/nix - echo 'build-users-group = ' > /mnt/etc/nix/nix.conf - - # Register the paths in the Nix database. - printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db - - # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package}/bin/nix-env \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} - - # `nixos-rebuild' requires an /etc/NIXOS. - mkdir -p /mnt/etc/nixos - touch /mnt/etc/NIXOS - - # `switch-to-configuration' requires a /bin/sh - mkdir -p /mnt/bin - ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh - - # Generate the GRUB menu. - ln -s vda /dev/sda - chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot - - umount /mnt/proc /mnt/dev /mnt/sys - umount /mnt - '' - ); - + ''; + + postVM = + '' + echo "creating VirtualBox disk image..." + ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi + rm $diskImage + ''; + }; + system.build.virtualBoxOVA = pkgs.runCommand "virtualbox-ova" { buildInputs = [ pkgs.linuxPackages.virtualbox ]; vmName = "NixOS ${config.system.nixosVersion} (${pkgs.stdenv.system})"; @@ -118,17 +62,17 @@ in { VBoxManage storagectl "$vmName" --name SATA --add sata --portcount 4 --bootable on --hostiocache on VBoxManage storageattach "$vmName" --storagectl SATA --port 0 --device 0 --type hdd \ --medium ${config.system.build.virtualBoxImage}/disk.vdi - + echo "exporting VirtualBox VM..." mkdir -p $out VBoxManage export "$vmName" --output "$out/$fileName" ''; - + fileSystems."/".device = "/dev/disk/by-label/nixos"; - - boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; - + virtualisation.virtualbox.guest.enable = true; + }; } diff --git a/nixos/release.nix b/nixos/release.nix index 4492ee4046e..1a1ed4bca41 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -220,7 +220,7 @@ in rec { tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; }); tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; }); tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops; - tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config; + #tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config; tests.firefox = callTest tests/firefox.nix {}; tests.firewall = callTest tests/firewall.nix {}; tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; }); diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix index 1296ff4e8e3..b12d498e3a0 100644 --- a/nixos/tests/ec2.nix +++ b/nixos/tests/ec2.nix @@ -9,9 +9,18 @@ let (import ../lib/eval-config.nix { inherit system; modules = [ - ../maintainers/scripts/ec2/amazon-hvm-config.nix + ../maintainers/scripts/ec2/amazon-image.nix ../../nixos/modules/testing/test-instrumentation.nix - { boot.initrd.kernelModules = [ "virtio" "virtio_blk" "virtio_pci" "virtio_ring" ]; } + { boot.initrd.kernelModules = [ "virtio" "virtio_blk" "virtio_pci" "virtio_ring" ]; + ec2.hvm = true; + + # Hack to make the partition resizing work in QEMU. + boot.initrd.postDeviceCommands = mkBefore + '' + ln -s vda /dev/xvda + ln -s vda1 /dev/xvda1 + ''; + } ]; }).config.system.build.amazonImage; @@ -34,41 +43,49 @@ let nodes = {}; testScript = '' - use File::Temp qw/ tempfile /; - my ($fh, $filename) = tempfile(); - - `qemu-img create -f qcow2 -o backing_file=${image}/nixos.img $filename`; - - my $startCommand = "qemu-kvm -m 768 -net nic -net 'user,net=169.254.0.0/16,guestfwd=tcp:169.254.169.254:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${metaData}'"; - $startCommand .= " -drive file=" . Cwd::abs_path($filename) . ",if=virtio,werror=report"; + my $imageDir = ($ENV{'TMPDIR'} // "/tmp") . "/vm-state-machine"; + mkdir $imageDir, 0700; + my $diskImage = "$imageDir/machine.qcow2"; + system("qemu-img create -f qcow2 -o backing_file=${image}/nixos.img $diskImage") == 0 or die; + system("qemu-img resize $diskImage 10G") == 0 or die; + + # Note: we use net=169.0.0.0/8 rather than + # net=169.254.0.0/16 to prevent dhcpcd from getting horribly + # confused. (It would get a DHCP lease in the 169.254.* + # range, which it would then configure and prompty delete + # again when it deletes link-local addresses.) Ideally we'd + # turn off the DHCP server, but qemu does not have an option + # to do that. + my $startCommand = "qemu-kvm -m 768 -net nic -net 'user,net=169.0.0.0/8,guestfwd=tcp:169.254.169.254:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${metaData}'"; + $startCommand .= " -drive file=$diskImage,if=virtio,werror=report"; $startCommand .= " \$QEMU_OPTS"; my $machine = createMachine({ startCommand => $startCommand }); + ${script} ''; }; - snakeOilPrivateKey = [ - "-----BEGIN EC PRIVATE KEY-----" - "MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49" - "AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN" - "r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==" - "-----END EC PRIVATE KEY-----" - ]; - - snakeOilPublicKey = pkgs.lib.concatStrings [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" - "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" - "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil" - ]; + snakeOilPrivateKey = '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACDEPmwZv5dDPrMUaq0dDP+6eBTTe+QNrz14KBEIdhHd1QAAAJDufJ4S7nye + EgAAAAtzc2gtZWQyNTUxOQAAACDEPmwZv5dDPrMUaq0dDP+6eBTTe+QNrz14KBEIdhHd1Q + AAAECgwbDlYATM5/jypuptb0GF/+zWZcJfoVIFBG3LQeRyGsQ+bBm/l0M+sxRqrR0M/7p4 + FNN75A2vPXgoEQh2Ed3VAAAADEVDMiB0ZXN0IGtleQE= + -----END OPENSSH PRIVATE KEY----- + ''; + + snakeOilPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQ+bBm/l0M+sxRqrR0M/7p4FNN75A2vPXgoEQh2Ed3V EC2 test key"; + in { boot-ec2-nixops = makeEc2Test { name = "nixops-userdata"; sshPublicKey = snakeOilPublicKey; # That's right folks! My user's key is also the host key! userData = '' - SSH_HOST_DSA_KEY_PUB:${snakeOilPublicKey} - SSH_HOST_DSA_KEY:${pkgs.lib.concatStringsSep "|" snakeOilPrivateKey} + SSH_HOST_ED25519_KEY_PUB:${snakeOilPublicKey} + SSH_HOST_ED25519_KEY:${replaceStrings ["\n"] ["|"] snakeOilPrivateKey} ''; script = '' $machine->start; @@ -80,8 +97,9 @@ in { # Let's install our client private key $machine->succeed("mkdir -p ~/.ssh"); - ${concatMapStrings (s: "$machine->succeed('echo ${s} >> ~/.ssh/id_ecdsa');") snakeOilPrivateKey} - $machine->succeed("chmod 600 ~/.ssh/id_ecdsa"); + + $machine->succeed("echo '${snakeOilPrivateKey}' > ~/.ssh/id_ed25519"); + $machine->succeed("chmod 600 ~/.ssh/id_ed25519"); # We haven't configured the host key yet, so this should still fail $machine->fail("ssh -o BatchMode=yes localhost exit"); @@ -90,7 +108,16 @@ in { $machine->succeed("echo localhost,127.0.0.1 ${snakeOilPublicKey} > ~/.ssh/known_hosts"); $machine->succeed("ssh -o BatchMode=yes localhost exit"); + # Test whether the root disk was resized. + my $blocks = $machine->succeed("stat -c %b -f /"); + my $bsize = $machine->succeed("stat -c %S -f /"); + my $size = $blocks * $bsize; + die "wrong free space $size" if $size < 9.7 * 1024 * 1024 * 1024 || $size > 10 * 1024 * 1024 * 1024; + + # Just to make sure resizing is idempotent. $machine->shutdown; + $machine->start; + $machine->waitForFile("/root/user-data"); ''; }; diff --git a/nixos/tests/make-test.nix b/nixos/tests/make-test.nix index 285ca5b71d6..f3e26aa7e74 100644 --- a/nixos/tests/make-test.nix +++ b/nixos/tests/make-test.nix @@ -2,4 +2,4 @@ f: { system ? builtins.currentSystem, ... } @ args: with import ../lib/testing.nix { inherit system; }; -makeTest (if builtins.isFunction f then f (args // { inherit pkgs; }) else f) +makeTest (if builtins.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f) diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 728d46d446e..01fcd15fd8b 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -141,6 +141,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let vmFlags = mkFlags ([ "--uart1 0x3F8 4" "--uartmode1 client /run/virtualbox-log-${name}.sock" + "--memory 768" ] ++ (attrs.vmFlags or [])); controllerFlags = mkFlags [ @@ -324,7 +325,7 @@ in { mkVMConf = name: val: val.machine // { key = "${name}-config"; }; vmConfigs = mapAttrsToList mkVMConf vboxVMs; in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs; - virtualisation.memorySize = 1024; + virtualisation.memorySize = 2048; virtualisation.virtualbox.host.enable = true; users.extraUsers.alice.extraGroups = let inherit (config.virtualisation.virtualbox.host) enableHardening; @@ -412,6 +413,7 @@ in { shutdownVM_detectvirt; my $result = $machine->succeed("cat '$detectvirt_sharepath/result'"); chomp $result; + destroyVM_detectvirt; die "systemd-detect-virt returned \"$result\" instead of \"oracle\"" if $result ne "oracle"; }; @@ -422,11 +424,10 @@ in { vbm("startvm test1"); waitForStartup_test1; + waitForVMBoot_test1; vbm("startvm test2"); waitForStartup_test2; - - waitForVMBoot_test1; waitForVMBoot_test2; $machine->screenshot("net_booted"); |