Diffstat (limited to 'nixos/modules')
17 files changed, 480 insertions, 133 deletions
diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index e8bbeac4f72..222da3e02e8 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -116,8 +116,14 @@ in extraOutputsToInstall = mkOption { type = types.listOf types.str; default = [ ]; - example = [ "doc" "info" "devdoc" ]; - description = lib.mdDoc "List of additional package outputs to be symlinked into {file}`/run/current-system/sw`."; + example = [ "dev" "info" ]; + description = lib.mdDoc '' + Entries listed here will be appended to the `meta.outputsToInstall` attribute for each package in `environment.systemPackages`, and the files from the corresponding derivation outputs symlinked into {file}`/run/current-system/sw`. + + For example, this can be used to install the `dev` and `info` outputs for all packages in the system environment, if they are available. + + To use specific outputs instead of configuring them globally, select the corresponding attribute on the package derivation, e.g. `libxml2.dev` or `coreutils.info`. + ''; }; extraSetup = mkOption { diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 5158974c27b..785084209b0 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -700,6 +700,7 @@ in { environment.profiles = [ "$HOME/.nix-profile" + "\${XDG_STATE_HOME:-$HOME/.local/state}/nix/profile" "/etc/profiles/per-user/$USER" ]; diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix index 28ee07f005b..08e1de49638 100644 --- a/nixos/modules/hardware/cpu/amd-sev.nix +++ b/nixos/modules/hardware/cpu/amd-sev.nix 
@@ -1,37 +1,43 @@ -{ config, lib, ... }: +{ config, options, lib, ... }: with lib; let - cfg = config.hardware.cpu.amd.sev; - defaultGroup = "sev"; -in - with lib; { - options.hardware.cpu.amd.sev = { - enable = mkEnableOption (lib.mdDoc "access to the AMD SEV device"); - user = mkOption { - description = lib.mdDoc "Owner to assign to the SEV device."; - type = types.str; - default = "root"; - }; - group = mkOption { - description = lib.mdDoc "Group to assign to the SEV device."; - type = types.str; - default = defaultGroup; - }; - mode = mkOption { - description = lib.mdDoc "Mode to set for the SEV device."; - type = types.str; - default = "0660"; - }; + cfgSev = config.hardware.cpu.amd.sev; + cfgSevGuest = config.hardware.cpu.amd.sevGuest; + + optionsFor = device: group: { + enable = mkEnableOption (lib.mdDoc "access to the AMD ${device} device"); + user = mkOption { + description = lib.mdDoc "Owner to assign to the ${device} device."; + type = types.str; + default = "root"; + }; + group = mkOption { + description = lib.mdDoc "Group to assign to the ${device} device."; + type = types.str; + default = group; }; + mode = mkOption { + description = lib.mdDoc "Mode to set for the ${device} device."; + type = types.str; + default = "0660"; + }; + }; +in +with lib; { + options.hardware.cpu.amd.sev = optionsFor "SEV" "sev"; + + options.hardware.cpu.amd.sevGuest = optionsFor "SEV guest" "sev-guest"; - config = mkIf cfg.enable { + config = mkMerge [ + # /dev/sev + (mkIf cfgSev.enable { assertions = [ { - assertion = hasAttr cfg.user config.users.users; + assertion = hasAttr cfgSev.user config.users.users; message = "Given user does not exist"; } { - assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups); + assertion = (cfgSev.group == options.hardware.cpu.amd.sev.group.default) || (hasAttr cfgSev.group config.users.groups); message = "Given group does not exist"; } ]; 
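Review bot: The two assertion messages in the new `mkIf cfgSev.enable` block, `Given user does not exist` and `Given group does not exist`, are repeated verbatim for the `sev-guest` block in the next hunk, so with both devices enabled a failing evaluation does not say which of the four options is wrong; `message = "hardware.cpu.amd.sev.user: user '${cfgSev.user}' does not exist";` (and the group and sevGuest counterparts) makes the failure actionable. `mode` is declared as `types.str` with no constraint and is later interpolated into a udev `MODE=` field, so a malformed value is accepted at evaluation time and only surfaces at runtime; `type = types.strMatching "[0-7]{3,4}";` would reject it at build time. The added `with lib; {` after `in` repeats the `with lib;` that already precedes the `let` on the context line above, so one of the two can go. The module body continues past the end of this hunk.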
@@ -40,12 +46,35 @@ in options kvm_amd sev=1 ''; - users.groups = optionalAttrs (cfg.group == defaultGroup) { - "${cfg.group}" = {}; + users.groups = optionalAttrs (cfgSev.group == options.hardware.cpu.amd.sev.group.default) { + "${cfgSev.group}" = { }; }; - services.udev.extraRules = with cfg; '' + services.udev.extraRules = with cfgSev; '' KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}" ''; - }; - } + }) + + # /dev/sev-guest + (mkIf cfgSevGuest.enable { + assertions = [ + { + assertion = hasAttr cfgSevGuest.user config.users.users; + message = "Given user does not exist"; + } + { + assertion = (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default) || (hasAttr cfgSevGuest.group config.users.groups); + message = "Given group does not exist"; + } + ]; + + users.groups = optionalAttrs (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default) { + "${cfgSevGuest.group}" = { }; + }; + + services.udev.extraRules = with cfgSevGuest; '' + KERNEL=="sev-guest", OWNER="${user}", GROUP="${group}", MODE="${mode}" + ''; + }) + ]; +} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 7744bbd76e6..206d5eaf75d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -499,6 +499,7 @@ ./services/games/quake3-server.nix ./services/games/teeworlds.nix ./services/games/terraria.nix + ./services/games/xonotic.nix ./services/hardware/acpid.nix ./services/hardware/actkbd.nix ./services/hardware/argonone.nix diff --git a/nixos/modules/services/games/xonotic.nix b/nixos/modules/services/games/xonotic.nix new file mode 100644 index 00000000000..c84347ddc98 --- /dev/null +++ b/nixos/modules/services/games/xonotic.nix 
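Review bot: The `/dev/sev-guest` block is a copy of the `/dev/sev` block with `cfgSev` and the `KERNEL==` name swapped, while the options side of the module was already factored through `optionsFor`; the two config blocks will drift apart the next time one of them is touched. A `configFor cfg opt kernelName` helper in the same `let` keeps the assertions, group creation and udev rule in one place, with the sev-only `boot.extraModprobeConfig` left as its own `mkIf` element of the `mkMerge`. The helper below takes the option set so the `group.default` comparison stays generic.

```nix
  # Shared config for one SEV device node; `opt` is the matching option set so
  # the group default can be compared without restating it.
  configFor = cfg: opt: kernelName: mkIf cfg.enable {
    assertions = [
      {
        assertion = hasAttr cfg.user config.users.users;
        message = "Given user does not exist";
      }
      {
        assertion = (cfg.group == opt.group.default) || (hasAttr cfg.group config.users.groups);
        message = "Given group does not exist";
      }
    ];

    users.groups = optionalAttrs (cfg.group == opt.group.default) {
      "${cfg.group}" = { };
    };

    services.udev.extraRules = with cfg; ''
      KERNEL=="${kernelName}", OWNER="${user}", GROUP="${group}", MODE="${mode}"
    '';
  };
  # … unchanged: optionsFor …

  config = mkMerge [
    (configFor cfgSev options.hardware.cpu.amd.sev "sev")
    (mkIf cfgSev.enable { /* … unchanged: sev-only boot.extraModprobeConfig … */ })
    (configFor cfgSevGuest options.hardware.cpu.amd.sevGuest "sev-guest")
  ];
```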
@@ -0,0 +1,198 @@ +{ config +, pkgs +, lib +, ... +}: + +let + cfg = config.services.xonotic; + + serverCfg = pkgs.writeText "xonotic-server.cfg" ( + toString cfg.prependConfig + + "\n" + + builtins.concatStringsSep "\n" ( + lib.mapAttrsToList (key: option: + let + escape = s: lib.escape [ "\"" ] s; + quote = s: "\"${s}\""; + + toValue = x: quote (escape (toString x)); + + value = (if lib.isList option then + builtins.concatStringsSep + " " + (builtins.map (x: toValue x) option) + else + toValue option + ); + in + "${key} ${value}" + ) cfg.settings + ) + + "\n" + + toString cfg.appendConfig + ); +in + +{ + options.services.xonotic = { + enable = lib.mkEnableOption (lib.mdDoc "Xonotic dedicated server"); + + package = lib.mkPackageOption pkgs "xonotic-dedicated" {}; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Open the firewall for TCP and UDP on the specified port. + ''; + }; + + dataDir = lib.mkOption { + type = lib.types.path; + readOnly = true; + default = "/var/lib/xonotic"; + description = lib.mdDoc '' + Data directory. + ''; + }; + + settings = lib.mkOption { + description = lib.mdDoc '' + Generates the `server.cfg` file. Refer to [upstream's example][0] for + details. + + [0]: https://gitlab.com/xonotic/xonotic/-/blob/master/server/server.cfg + ''; + default = {}; + type = lib.types.submodule { + freeformType = with lib.types; let + scalars = oneOf [ singleLineStr int float ]; + in + attrsOf (oneOf [ scalars (nonEmptyListOf scalars) ]); + + options.sv_public = lib.mkOption { + type = lib.types.int; + default = 0; + example = [ (-1) 1 ]; + description = lib.mdDoc '' + Controls whether the server will be publicly listed. + ''; + }; + + options.hostname = lib.mkOption { + type = lib.types.singleLineStr; + default = "Xonotic $g_xonoticversion Server"; + description = lib.mdDoc '' + The name that will appear in the server list. `$g_xonoticversion` + gets replaced with the current version. 
+ ''; + }; + + options.sv_motd = lib.mkOption { + type = lib.types.singleLineStr; + default = ""; + description = lib.mdDoc '' + Text displayed when players join the server. + ''; + }; + + options.sv_termsofservice_url = lib.mkOption { + type = lib.types.singleLineStr; + default = ""; + description = lib.mdDoc '' + URL for the Terms of Service for playing on your server. + ''; + }; + + options.maxplayers = lib.mkOption { + type = lib.types.int; + default = 16; + description = lib.mdDoc '' + Number of player slots on the server, including spectators. + ''; + }; + + options.net_address = lib.mkOption { + type = lib.types.singleLineStr; + default = "0.0.0.0"; + description = lib.mdDoc '' + The address Xonotic will listen on. + ''; + }; + + options.port = lib.mkOption { + type = lib.types.port; + default = 26000; + description = lib.mdDoc '' + The port Xonotic will listen on. + ''; + }; + }; + }; + + # Still useful even though we're using RFC 42 settings because *some* keys + # can be repeated. + appendConfig = lib.mkOption { + type = with lib.types; nullOr lines; + default = null; + description = lib.mdDoc '' + Literal text to insert at the end of `server.cfg`. + ''; + }; + + # Certain changes need to happen at the beginning of the file. + prependConfig = lib.mkOption { + type = with lib.types; nullOr lines; + default = null; + description = lib.mdDoc '' + Literal text to insert at the start of `server.cfg`. 
+ ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.xonotic = { + description = "Xonotic server"; + wantedBy = [ "multi-user.target" ]; + + environment = { + # Required or else it tries to write the lock file into the nix store + HOME = cfg.dataDir; + }; + + serviceConfig = { + DynamicUser = true; + User = "xonotic"; + StateDirectory = "xonotic"; + ExecStart = "${cfg.package}/bin/xonotic-dedicated"; + + # Symlink the configuration from the nix store to where Xonotic actually + # looks for it + ExecStartPre = [ + "${pkgs.coreutils}/bin/mkdir -p ${cfg.dataDir}/.xonotic/data" + '' + ${pkgs.coreutils}/bin/ln -sf ${serverCfg} \ + ${cfg.dataDir}/.xonotic/data/server.cfg + '' + ]; + + # Cargo-culted from search results about writing Xonotic systemd units + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; + + Restart = "on-failure"; + RestartSec = 10; + StartLimitBurst = 5; + }; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ + cfg.settings.port + ]; + networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ + cfg.settings.port + ]; + }; + + meta.maintainers = with lib.maintainers; [ CobaltCause ]; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 66aff30b5ed..1d06893bf1d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -68,6 +68,7 @@ let "redis" "rspamd" "rtl_433" + "sabnzbd" "scaphandre" "script" "shelly" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix b/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix new file mode 100644 index 00000000000..41127749401 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix 
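Review bot: `options.sv_public` is typed `lib.types.int` but its `example` is the list `[ (-1) 1 ]`, so the generated option documentation shows a value the type rejects; `example = 1;` with the meaning of -1/0/1 spelled out in the description matches the declared type. The `escape` helper is `lib.escape [ "\"" ]`, which escapes only the double quote, so a setting value that ends in a backslash yields `\"` and an unterminated quoted token in `server.cfg` — escaping `\` as well (`lib.escape [ "\\" "\"" ]`) closes that. `ExecReload` is marked as cargo-culted; if `xonotic-dedicated` does not treat SIGHUP as a reload, `systemctl reload xonotic` will terminate the server, so that behaviour is worth confirming against upstream before keeping the line, and a comment recording the result would replace the current one.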
@@ -0,0 +1,47 @@ +{ config, lib, pkgs, options }: + +let + inherit (lib) mkOption types; + cfg = config.services.prometheus.exporters.sabnzbd; +in +{ + port = 9387; + + extraOpts = { + servers = mkOption { + description = "List of sabnzbd servers to connect to."; + type = types.listOf (types.submodule { + options = { + baseUrl = mkOption { + type = types.str; + description = "Base URL of the sabnzbd server."; + example = "http://localhost:8080/sabnzbd"; + }; + apiKeyFile = mkOption { + type = types.str; + description = "File containing the API key."; + example = "/run/secrets/sabnzbd_apikey"; + }; + }; + }); + }; + }; + + serviceOpts = + let + servers = lib.zipAttrs cfg.servers; + apiKeys = lib.concatStringsSep "," (builtins.map (file: "$(cat ${file})") servers.apiKeyFile); + in + { + environment = { + METRICS_PORT = toString cfg.port; + METRICS_ADDR = cfg.listenAddress; + SABNZBD_BASEURLS = lib.concatStringsSep "," servers.baseUrl; + }; + + script = '' + export SABNZBD_APIKEYS="${apiKeys}" + exec ${lib.getExe pkgs.prometheus-sabnzbd-exporter} + ''; + }; +} diff --git a/nixos/modules/services/networking/mtr-exporter.nix b/nixos/modules/services/networking/mtr-exporter.nix index 43ebbbe96d0..af694c3e736 100644 --- a/nixos/modules/services/networking/mtr-exporter.nix +++ b/nixos/modules/services/networking/mtr-exporter.nix 
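Review bot: `servers` has no `default`, and `lib.zipAttrs cfg.servers` on an empty list yields `{}`, so `servers.baseUrl` and `servers.apiKeyFile` in `serviceOpts` fail with an attribute-missing error rather than a readable message when the list is empty; `type = types.nonEmptyListOf (types.submodule { … })` states the requirement where the user sees it. `"$(cat ${file})"` in `apiKeys` splices the path into the shell script unquoted, so a file name with whitespace or shell metacharacters breaks the command; `"$(cat ${lib.escapeShellArg file})"` keeps it one word. The description of `apiKeyFile` should also say that the file is read at every service start by the exporter's own service user (presumably the one the exporters framework creates) and that its contents end up in the exporter process environment, since that is what decides the file's required ownership and mode.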
@@ -2,63 +2,114 @@ let inherit (lib) - maintainers types mkEnableOption mkOption mkIf - literalExpression escapeShellArg escapeShellArgs; + maintainers types literalExpression + escapeShellArg escapeShellArgs + mkEnableOption mkOption mkRemovedOptionModule mkIf mdDoc + optionalString concatMapStrings concatStringsSep; + cfg = config.services.mtr-exporter; + + jobsConfig = pkgs.writeText "mtr-exporter.conf" (concatMapStrings (job: '' + ${job.name} -- ${job.schedule} -- ${concatStringsSep " " job.flags} ${job.address} + '') cfg.jobs); in { + imports = [ + (mkRemovedOptionModule [ "services" "mtr-exporter" "target" ] "Use services.mtr-exporter.jobs instead.") + (mkRemovedOptionModule [ "services" "mtr-exporter" "mtrFlags" ] "Use services.mtr-exporter.jobs.<job>.flags instead.") + ]; + options = { services = { mtr-exporter = { - enable = mkEnableOption (lib.mdDoc "a Prometheus exporter for MTR"); + enable = mkEnableOption (mdDoc "a Prometheus exporter for MTR"); - target = mkOption { + address = mkOption { type = types.str; - example = "example.org"; - description = lib.mdDoc "Target to check using MTR."; - }; - - interval = mkOption { - type = types.int; - default = 60; - description = lib.mdDoc "Interval between MTR checks in seconds."; + default = "127.0.0.1"; + description = lib.mdDoc "Listen address for MTR exporter."; }; port = mkOption { type = types.port; default = 8080; - description = lib.mdDoc "Listen port for MTR exporter."; + description = mdDoc "Listen port for MTR exporter."; }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = lib.mdDoc "Listen address for MTR exporter."; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = ["-flag.deprecatedMetrics"]; + description = mdDoc '' + Extra command line options to pass to MTR exporter. 
+ ''; }; - mtrFlags = mkOption { - type = with types; listOf str; - default = []; - example = ["-G1"]; - description = lib.mdDoc "Additional flags to pass to MTR."; + package = mkOption { + type = types.package; + default = pkgs.mtr-exporter; + defaultText = literalExpression "pkgs.mtr-exporter"; + description = mdDoc "The MTR exporter package to use."; + }; + + mtrPackage = mkOption { + type = types.package; + default = pkgs.mtr; + defaultText = literalExpression "pkgs.mtr"; + description = mdDoc "The MTR package to use."; + }; + + jobs = mkOption { + description = mdDoc "List of MTR jobs. Will be added to /etc/mtr-exporter.conf"; + type = types.nonEmptyListOf (types.submodule { + options = { + name = mkOption { + type = types.str; + description = mdDoc "Name of ICMP pinging job."; + }; + + address = mkOption { + type = types.str; + example = "host.example.org:1234"; + description = mdDoc "Target address for MTR client."; + }; + + schedule = mkOption { + type = types.str; + default = "@every 60s"; + example = "@hourly"; + description = mdDoc "Schedule of MTR checks. 
Also accepts Cron format."; + }; + + flags = mkOption { + type = with types; listOf str; + default = []; + example = ["-G1"]; + description = mdDoc "Additional flags to pass to MTR."; + }; + }; + }); }; }; }; }; config = mkIf cfg.enable { + environment.etc."mtr-exporter.conf" = { + source = jobsConfig; + }; + systemd.services.mtr-exporter = { - script = '' - exec ${pkgs.mtr-exporter}/bin/mtr-exporter \ - -mtr ${pkgs.mtr}/bin/mtr \ - -schedule '@every ${toString cfg.interval}s' \ - -bind ${escapeShellArg cfg.address}:${toString cfg.port} \ - -- \ - ${escapeShellArgs (cfg.mtrFlags ++ [ cfg.target ])} - ''; wantedBy = [ "multi-user.target" ]; requires = [ "network.target" ]; after = [ "network.target" ]; serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/mtr-exporter \ + -mtr '${cfg.mtrPackage}/bin/mtr' \ + -bind ${escapeShellArg "${cfg.address}:${toString cfg.port}"} \ + -jobs '${jobsConfig}' \ + ${escapeShellArgs cfg.extraFlags} + ''; Restart = "on-failure"; # Hardening CapabilityBoundingSet = [ "" ]; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 702423ef09c..bf2f5230c73 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -27,13 +27,11 @@ let mkValueString = mkValueStringSshd; } " ";}); - configFile = settingsFormat.generate "config" cfg.settings; - sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' + configFile = settingsFormat.generate "sshd.conf-settings" cfg.settings; + sshconf = pkgs.runCommand "sshd.conf-final" { } '' cat ${configFile} - >$out <<EOL ${cfg.extraConfig} EOL - - sshd -G -f $out ''; cfg = config.services.openssh; 
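Review bot: The removed `interval` option gets no `mkRemovedOptionModule`, unlike `target` and `mtrFlags`, so an existing configuration that sets `services.mtr-exporter.interval` fails with a generic "option does not exist" error instead of being pointed at the replacement; add `(mkRemovedOptionModule [ "services" "mtr-exporter" "interval" ] "Use services.mtr-exporter.jobs.<job>.schedule instead.")` to the new `imports` list. `jobsConfig` writes `name`, `schedule` and the space-joined `flags` into the file with ` -- ` as the field separator while all of them are plain `types.str`, so a name containing ` -- ` or a newline, or a flag containing a space, silently changes the parsed job; whether the exporter's parser tolerates that is not visible here, so `name` should at least document the restriction or use `types.strMatching`. The same file is installed as `environment.etc."mtr-exporter.conf"` although `ExecStart` passes the store path via `-jobs '${jobsConfig}'`; if the /etc copy exists only for operators to inspect, a comment saying so avoids the impression that editing it has any effect.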
@@ -576,6 +574,21 @@ in '')} ''; + system.checks = [ + (pkgs.runCommand "check-sshd-config" + { + nativeBuildInputs = [ validationPackage ]; + } '' + ${concatMapStringsSep "\n" + (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null") + cfg.ports} + ${concatMapStringsSep "\n" + (la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null") + cfg.listenAddresses} + touch $out + '') + ]; + assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";} (let diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index 34210580f53..68e0e06d046 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -17,6 +17,8 @@ let type = with types; nullOr str; description = lib.mdDoc '' wg-quick .conf file, describing the interface. + Using this option can be a useful means of configuring WireGuard if + one has an existing .conf file. This overrides any other configuration interface configuration options. See wg-quick manpage for more details. ''; diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 9b158bb9d18..483bfe046df 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -7,10 +7,8 @@ let # valid policy options policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]); - defaultRuleFile = "/var/lib/usbguard/rules.conf"; - # decide what file to use for rules - ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile; + ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile; daemonConf = '' # generated by nixos/modules/services/security/usbguard.nix 
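Review bot: The new `check-sshd-config` derivation invokes sshd once per entry of `cfg.ports` and `cfg.listenAddresses`, so a configuration that clears both lists is never parsed by sshd and the check degrades to `touch $out`; an unconditional `sshd -G -T -f ${sshconf} > /dev/null` before the two `concatMapStringsSep` loops keeps a baseline syntax check whatever the listener configuration. This check replaces the `sshd -G -f $out` that the previous hunk removed from `sshconf`, where a parse error failed the build of the config file itself; a short comment above `system.checks` explaining why validation moved (I infer from the `-C lport=`/`laddr=` flags that it is to exercise `Match LocalPort`/`LocalAddress` blocks, but the diff does not say) would help the next reader, as would a note that `system.checks` failures still block the system build as far as I can tell.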
@@ -51,6 +49,19 @@ in ''; }; + ruleFile = mkOption { + type = types.nullOr types.path; + default = /var/lib/usbguard/rules.conf; + example = /run/secrets/usbguard-rules; + description = lib.mdDoc '' + This tells the USBGuard daemon which file to load as policy rule set. + + The file can be changed manually or via the IPC interface assuming it has the right file permissions. + + For more details see {manpage}`usbguard-rules.conf(5)`. + ''; + + }; rules = mkOption { type = types.nullOr types.lines; default = null; @@ -63,8 +74,7 @@ in be changed by the IPC interface. If you do not set this option, the USBGuard daemon will load - it's policy rule set from `${defaultRuleFile}`. - This file can be changed manually or via the IPC interface. + it's policy rule set from the option configured in `services.usbguard.ruleFile`. Running `usbguard generate-policy` as root will generate a config for your currently plugged in devices. @@ -248,7 +258,6 @@ in ''; }; imports = [ - (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.") (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.") (mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.") (mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ]) diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index d4c987da114..5d2e775d452 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix 
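Review bot: `ruleFile` is `types.nullOr types.path` and both its `default` and `example` are Nix path literals (`/var/lib/usbguard/rules.conf`, `/run/secrets/usbguard-rules`) rather than strings; when a path literal is interpolated into a string — as the replaced string `defaultRuleFile` presumably was in `daemonConf` — Nix copies the file into the world-readable store at evaluation time, which defeats the purpose of the secrets example and, as far as I recall, fails the evaluation when the file does not exist on the evaluating host. Use string values, `default = "/var/lib/usbguard/rules.conf";` and `example = "/run/secrets/usbguard-rules";`, and consider `types.nullOr types.str` so a path literal is not accepted at all. The option also admits `null`, but the earlier hunk's `ruleFile = if cfg.rules != null then … else cfg.ruleFile` passes that `null` straight into `daemonConf`, which would be a coercion error at evaluation; either drop `nullOr` or add an assertion that one of `rules` and `ruleFile` is set.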
@@ -34,7 +34,7 @@ let # copy additional plugin(s), theme(s) and language(s) ${concatStringsSep "\n" (mapAttrsToList (name: theme: "cp -r ${theme} $out/share/wordpress/wp-content/themes/${name}") cfg.themes)} ${concatStringsSep "\n" (mapAttrsToList (name: plugin: "cp -r ${plugin} $out/share/wordpress/wp-content/plugins/${name}") cfg.plugins)} - ${concatMapStringsSep "\n" (language: "cp -r ${language} $out/share/wordpress/wp-content/languages/") cfg.languages} + ${concatMapStringsSep "\n" (language: "cp -r ${language}/* $out/share/wordpress/wp-content/languages/") cfg.languages} ''; }; diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix index 8b5734b5a2c..80fb24fe2c5 100644 --- a/nixos/modules/services/web-servers/garage.nix +++ b/nixos/modules/services/web-servers/garage.nix @@ -23,6 +23,12 @@ in example = { RUST_BACKTRACE="yes"; }; }; + environmentFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "File containing environment variables to be passed to the Garage server."; + default = null; + }; + logLevel = mkOption { type = types.enum (["info" "debug" "trace"]); default = "info"; @@ -80,7 +86,7 @@ in after = [ "network.target" "network-online.target" ]; wants = [ "network.target" "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - restartTriggers = [ configFile ]; + restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile); serviceConfig = { ExecStart = "${cfg.package}/bin/garage server"; @@ -88,6 +94,7 @@ in DynamicUser = lib.mkDefault true; ProtectHome = true; NoNewPrivileges = true; + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; }; environment = { RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}"; 
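Review bot: `cp -r ${language}/* $out/share/wordpress/wp-content/languages/` relies on a shell glob, so a language package whose output directory is empty makes the build fail on the unexpanded `*`, and dotfiles in the package are skipped; `cp -r ${language}/. $out/share/wordpress/wp-content/languages/` copies the directory contents without either caveat. The enclosing builder script starts and ends outside the hunk.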
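Review bot: `restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile)` only reacts to the path string, since restart triggers are recorded in the unit text, so editing the contents of a file outside the store does not restart garage unless its path changes; the option description should say so, or the entry should be dropped as misleading. The description should also state that `EnvironmentFile=` is read by systemd itself, so the file need not be readable by the `DynamicUser` account, and that `types.path` accepts a Nix path literal which would be copied into the world-readable store — a string such as `"/run/secrets/garage.env"` keeps secrets out of the store. Suggested wording: `description = lib.mdDoc "Path (as a string, outside the Nix store) of a file with KEY=value lines passed to the Garage server via systemd's EnvironmentFile=; read by systemd at start, so it may be root-only. Content changes do not trigger a restart.";`.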
diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh index 84a0a93ded1..1a0da005029 100644 --- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh +++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh @@ -70,33 +70,13 @@ copyToKernelsDir() { addEntry() { local path=$(readlink -f "$1") local tag="$2" # Generation number or 'default' - local current="$3" # whether this is the current/latest generation if ! test -e $path/kernel -a -e $path/initrd; then return fi - if test -e "$path/append-initrd-secrets"; then - local initrd="$target/nixos/$(basename "$path")-initramfs-with-secrets" - cp $(readlink -f "$path/initrd") "$initrd" - chmod 600 "${initrd}" - chown 0:0 "${initrd}" - filesCopied[$initrd]=1 - - "$path/append-initrd-secrets" "$initrd" || if test "${current}" = "1"; then - echo "failed to create initrd secrets for the current generation." >&2 - echo "are your \`boot.initrd.secrets\` still in place?" >&2 - exit 1 - else - echo "warning: failed to create initrd secrets for \"$path\", an older generation" >&2 - echo "note: this is normal after having removed or renamed a file in \`boot.initrd.secrets\`" >&2 - fi - else - copyToKernelsDir "$path/initrd"; initrd=$result - fi - copyToKernelsDir "$path/kernel"; kernel=$result - + copyToKernelsDir "$path/initrd"; initrd=$result dtbDir=$(readlink -m "$path/dtbs") if [ -e "$dtbDir" ]; then copyToKernelsDir "$dtbDir"; dtbs=$result 
@@ -150,20 +130,18 @@ MENU TITLE ------------------------------------------------------------ TIMEOUT $timeout EOF -addEntry $default default 1 >> $tmpFile +addEntry $default default >> $tmpFile if [ "$numGenerations" -gt 0 ]; then # Add up to $numGenerations generations of the system profile to the menu, # in reverse (most recent to least recent) order. - current=1 for generation in $( (cd /nix/var/nix/profiles && ls -d system-*-link) \ | sed 's/system-\([0-9]\+\)-link/\1/' \ | sort -n -r \ | head -n $numGenerations); do link=/nix/var/nix/profiles/system-$generation-link - addEntry $link $generation $current - current=0 + addEntry $link $generation done >> $tmpFile fi diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index c64ef092667..9c9bee93de8 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -142,7 +142,6 @@ in assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version >= 3; message = "Only Raspberry Pi >= 3 supports aarch64."; }; - boot.loader.supportsInitrdSecrets = cfg.uboot.enable; system.build.installBootLoader = builder; system.boot.loader.id = "raspberrypi"; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 1cf58dbe9f1..a3551f68dbe 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix 
@@ -610,13 +610,6 @@ in path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out). - - The loader `generic-extlinux-compatible` supports this. Because - it is not well know how different implementations react to - concatenated cpio archives, this is disabled by default. It can be - enabled by setting {option}`boot.loader.supportsInitrdSecrets` - to true. If this works for you, please report your findings at - https://github.com/NixOS/nixpkgs/issues/247145 . ''; example = literalExpression '' diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index dfa883a2c33..679567cbb73 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -173,6 +173,33 @@ let }]; })); + bridgeNetworks = mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { + netdevs."40-${name}" = { + netdevConfig = { + Name = name; + Kind = "bridge"; + }; + }; + networks = listToAttrs (forEach bridge.interfaces (bi: + nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { + DHCP = mkOverride 0 (dhcpStr false); + networkConfig.Bridge = name; + } ]))); + })); + + vlanNetworks = mkMerge (flip mapAttrsToList cfg.vlans (name: vlan: { + netdevs."40-${name}" = { + netdevConfig = { + Name = name; + Kind = "vlan"; + }; + vlanConfig.Id = vlan.id; + }; + networks."40-${vlan.interface}" = (mkMerge [ (genericNetwork (mkOverride 999)) { + vlan = [ name ]; + } ]); + })); + in { 
@@ -182,7 +209,15 @@ in # Note this is if initrd.network.enable, not if # initrd.systemd.network.enable. By setting the latter and not the # former, the user retains full control over the configuration. - boot.initrd.systemd.network = mkMerge [(genericDhcpNetworks true) interfaceNetworks]; + boot.initrd.systemd.network = mkMerge [ + (genericDhcpNetworks true) + interfaceNetworks + bridgeNetworks + vlanNetworks + ]; + boot.initrd.availableKernelModules = + optional (cfg.bridges != {}) "bridge" ++ + optional (cfg.vlans != {}) "8021q"; }) (mkIf cfg.useNetworkd { @@ -212,19 +247,7 @@ in } (genericDhcpNetworks false) interfaceNetworks - (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { - netdevs."40-${name}" = { - netdevConfig = { - Name = name; - Kind = "bridge"; - }; - }; - networks = listToAttrs (forEach bridge.interfaces (bi: - nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) { - DHCP = mkOverride 0 (dhcpStr false); - networkConfig.Bridge = name; - } ]))); - }))) + bridgeNetworks (mkMerge (flip mapAttrsToList cfg.bonds (name: bond: { netdevs."40-${name}" = { netdevConfig = { @@ -377,18 +400,7 @@ in } ]); }; }))) - (mkMerge (flip mapAttrsToList cfg.vlans (name: vlan: { - netdevs."40-${name}" = { - netdevConfig = { - Name = name; - Kind = "vlan"; - }; - vlanConfig.Id = vlan.id; - }; - networks."40-${vlan.interface}" = (mkMerge [ (genericNetwork (mkOverride 999)) { - vlan = [ name ]; - } ]); - }))) + vlanNetworks ]; # We need to prefill the slaved devices with networking options |
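Review bot: The initrd branch now merges `bridgeNetworks` and `vlanNetworks` but not the `cfg.bonds` netdevs that the `useNetworkd` branch below still defines inline, and nothing in the hunk says whether that is a deliberate limit or a first step; a comment above the new `boot.initrd.systemd.network = mkMerge [ … ]`, e.g. `# Only bridges and VLANs are set up in the initrd; other netdev kinds (bonds, …) are stage-2 only.`, would stop the next contributor from assuming the two lists are meant to match. The `boot.initrd.availableKernelModules` additions are conditional on `cfg.bridges != {}` / `cfg.vlans != {}` while the network definitions are merged unconditionally, which is consistent only because the `mkMerge` of an empty `mapAttrsToList` contributes nothing — worth a one-line comment as well. The hoisted definitions in the first hunk sit inside a `let` whose beginning is outside that hunk.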