diff options
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/installer/tools/nix-fallback-paths.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/audio/snapserver.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome.nix | 32 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 78 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 4 |
5 files changed, 121 insertions, 25 deletions
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index dfafda77cb5..1707935ad5b 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/0n2wfvi1i3fg97cjc54wslvk0804y0sn-nix-2.7.0"; - i686-linux = "/nix/store/4p27c1k9z99pli6x8cxfph20yfyzn9nh-nix-2.7.0"; - aarch64-linux = "/nix/store/r9yr8ijsb0gi9r7y92y3yzyld59yp0kj-nix-2.7.0"; - x86_64-darwin = "/nix/store/hyfj5imsd0c4amlcjpf8l6w4q2draaj3-nix-2.7.0"; - aarch64-darwin = "/nix/store/9l96qllhbb6xrsjaai76dn74ap7rq92n-nix-2.7.0"; + x86_64-linux = "/nix/store/yx36yzxpw1hn4fz8iyf1rfyd56jg3yf4-nix-2.8.0"; + i686-linux = "/nix/store/c0hg806zvwg800qbszzj8ff4a224kjgf-nix-2.8.0"; + aarch64-linux = "/nix/store/wic2832ll53q392r2wks4xr2nrk7p8p5-nix-2.8.0"; + x86_64-darwin = "/nix/store/5yqdvnkmkrhl36xh0qy31pymdphjimdd-nix-2.8.0"; + aarch64-darwin = "/nix/store/izc9592szrnpv8n86hr88bhpyc9g6b4s-nix-2.8.0"; } diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix index 6d5ce98df89..91d97a0b551 100644 --- a/nixos/modules/services/audio/snapserver.nix +++ b/nixos/modules/services/audio/snapserver.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; @@ -101,6 +101,8 @@ in { openFirewall = mkOption { type = types.bool; + # Make the behavior consistent with other services. Set the default to + # false and remove the accompanying warning after NixOS 22.05 is released. default = true; description = '' Whether to automatically open the specified ports in the firewall. @@ -273,10 +275,16 @@ in { config = mkIf cfg.enable { - # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 - warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' - services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. - '' else "") cfg.streams); + warnings = + # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 + filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' + services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. + '' else "") cfg.streams) + # Remove this warning after NixOS 22.05 is released. + ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) '' + services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11. + Enable it explicitly if you need to control Snapserver remotely. + ''; systemd.services.snapserver = { after = [ "network.target" ]; @@ -304,8 +312,8 @@ in { networking.firewall.allowedTCPPorts = optionals cfg.openFirewall [ cfg.port ] - ++ optional cfg.tcp.enable cfg.tcp.port - ++ optional cfg.http.enable cfg.http.port; + ++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port + ++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port; }; meta = { diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index 258d39d4918..e7e626c66f0 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -22,6 +22,9 @@ let favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] ''; + nixos-background-ligtht = pkgs.nixos-artwork.wallpapers.simple-blue; + nixos-background-dark = pkgs.nixos-artwork.wallpapers.simple-dark-gray; + nixos-gsettings-desktop-schemas = let defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome.gnome-shell ]; in @@ -42,11 +45,11 @@ let chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF [org.gnome.desktop.background] - picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-blue.gnomeFilePath}' - picture-uri-dark='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}' + picture-uri='file://${nixos-background-ligtht.gnomeFilePath}' + picture-uri-dark='file://${nixos-background-dark.gnomeFilePath}' [org.gnome.desktop.screensaver] - picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}' + picture-uri='file://${nixos-background-dark.gnomeFilePath}' ${cfg.favoriteAppsOverride} @@ -56,6 +59,26 @@ let ${pkgs.glib.dev}/bin/glib-compile-schemas $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/ ''; + nixos-background-info = pkgs.writeTextFile rec { + name = "nixos-background-info"; + text = '' + <?xml version="1.0"?> + <!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd"> + <wallpapers> + <wallpaper deleted="false"> + <name>Blobs</name> + <filename>${nixos-background-ligtht.gnomeFilePath}</filename> + <filename-dark>${nixos-background-dark.gnomeFilePath}</filename-dark> + <options>zoom</options> + <shade_type>solid</shade_type> + <pcolor>#3a4ba0</pcolor> + <scolor>#2f302f</scolor> + </wallpaper> + </wallpapers> + ''; + destination = "/share/gnome-background-properties/nixos.xml"; + }; + flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0; flashbackWms = optional cfg.flashback.enableMetacity { wmName = "metacity"; @@ -431,6 +454,7 @@ in # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome; [ adwaita-icon-theme + nixos-background-info gnome-backgrounds gnome-bluetooth gnome-color-manager @@ -439,8 +463,6 @@ in gnome-shell-extensions gnome-themes-extra pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. - pkgs.nixos-artwork.wallpapers.simple-dark-gray - pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom pkgs.gnome-user-docs pkgs.orca pkgs.glib # for gsettings diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index dde07571b3e..57fc02a2e32 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -1,10 +1,11 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let luks = config.boot.initrd.luks; kernelPackages = config.boot.kernelPackages; + defaultPrio = (mkOptionDefault {}).priority; commonFunctions = '' die() { @@ -474,6 +475,16 @@ let preLVM = filterAttrs (n: v: v.preLVM) luks.devices; postLVM = filterAttrs (n: v: !v.preLVM) luks.devices; + stage1Crypttab = pkgs.writeText "initrd-crypttab" (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let + opts = v.crypttabExtraOpts + ++ optional v.allowDiscards "discard" + ++ optionals v.bypassWorkqueues [ "no-read-workqueue" "no-write-workqueue" ] + ++ optional (v.header != null) "header=${v.header}" + ++ optional (v.keyFileOffset != null) "keyfile-offset=${v.keyFileOffset}" + ++ optional (v.keyFileSize != null) "keyfile-size=${v.keyFileSize}" + ; + in "${n} ${v.device} ${if v.keyFile == null then "-" else v.keyFile} ${lib.concatStringsSep "," opts}") luks.devices)); + in { imports = [ @@ -802,6 +813,18 @@ in Commands that should be run right after we have mounted our LUKS device. ''; }; + + crypttabExtraOpts = mkOption { + type = with types; listOf singleLineStr; + default = []; + example = [ "_netdev" ]; + visible = false; + description = '' + Only used with systemd stage 1. + + Extra options to append to the last column of the generated crypttab file. + ''; + }; }; })); }; @@ -853,6 +876,31 @@ in -> versionAtLeast kernelPackages.kernel.version "5.9"; message = "boot.initrd.luks.devices.<name>.bypassWorkqueues is not supported for kernels older than 5.9"; } + + { assertion = config.boot.initrd.systemd.enable -> all (dev: !dev.fallbackToPassword) (attrValues luks.devices); + message = "boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1."; + } + { assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preLVM) (attrValues luks.devices); + message = "boot.initrd.luks.devices.<name>.preLVM is not used by systemd stage 1."; + } + { assertion = config.boot.initrd.systemd.enable -> options.boot.initrd.luks.reusePassphrases.highestPrio == defaultPrio; + message = "boot.initrd.luks.reusePassphrases has no effect with systemd stage 1."; + } + { assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preOpenCommands == "" && dev.postOpenCommands == "") (attrValues luks.devices); + message = "boot.initrd.luks.devices.<name>.preOpenCommands and postOpenCommands is not supported by systemd stage 1. Please bind a service to cryptsetup.target or cryptsetup-pre.target instead."; + } + # TODO + { assertion = config.boot.initrd.systemd.enable -> !luks.gpgSupport; + message = "systemd stage 1 does not support GPG smartcards yet."; + } + # TODO + { assertion = config.boot.initrd.systemd.enable -> !luks.fido2Support; + message = "systemd stage 1 does not support FIDO2 yet."; + } + # TODO + { assertion = config.boot.initrd.systemd.enable -> !luks.yubikeySupport; + message = "systemd stage 1 does not support Yubikeys yet."; + } ]; # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested @@ -867,7 +915,7 @@ in ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []); # copy the cryptsetup binary and it's dependencies - boot.initrd.extraUtilsCommands = '' + boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass @@ -915,7 +963,7 @@ in ''} ''; - boot.initrd.extraUtilsCommandsTest = '' + boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' $out/bin/cryptsetup --version ${optionalString luks.yubikeySupport '' $out/bin/ykchalresp -V @@ -932,9 +980,27 @@ in ''} ''; - boot.initrd.preFailCommands = postCommands; - boot.initrd.preLVMCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands; - boot.initrd.postDeviceCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands; + boot.initrd.systemd = { + contents."/etc/crypttab".source = stage1Crypttab; + + extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup"; + + additionalUpstreamUnits = [ + "cryptsetup-pre.target" + "cryptsetup.target" + "remote-cryptsetup.target" + ]; + storePaths = [ + "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup" + ]; + + }; + # We do this because we need the udev rules from the package + boot.initrd.services.lvm.enable = true; + + boot.initrd.preFailCommands = mkIf (!config.boot.initrd.systemd.enable) postCommands; + boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands); + boot.initrd.postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands); environment.systemPackages = [ pkgs.cryptsetup ]; }; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 5e42eda3875..d10ebac5682 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -420,7 +420,7 @@ let ${lib.optionalString (config.boot.initrd.secrets == {}) "exit 0"} - export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin + export PATH=${pkgs.coreutils}/bin:${pkgs.libarchive}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin function cleanup { if [ -n "$tmp" -a -d "$tmp" ]; then @@ -440,7 +440,7 @@ let ) config.boot.initrd.secrets) } - (cd "$tmp" && find . -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null) | \ + (cd "$tmp" && find . -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \ ${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1" ''; |