From 1916a0cb9e97592ce22f6c3ca5e1febef1ca162b Mon Sep 17 00:00:00 2001 From: Adrian Pistol Date: Wed, 18 Oct 2023 17:48:27 +0200 Subject: syslogng: clean up build --- nixos/modules/services/logging/syslog-ng.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/logging/syslog-ng.nix b/nixos/modules/services/logging/syslog-ng.nix index d22acbeaa70..48d556b9459 100644 --- a/nixos/modules/services/logging/syslog-ng.nix +++ b/nixos/modules/services/logging/syslog-ng.nix @@ -67,7 +67,7 @@ in { configHeader = mkOption { type = types.lines; default = '' - @version: 3.6 + @version: 4.4 @include "scl.conf" ''; description = lib.mdDoc '' -- cgit 1.4.1 From b3c1d8c9aea817c66e8a6384a345390ac36f40eb Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 14 Oct 2023 01:29:05 +0200 Subject: nixos: add system.switch.enable flag This flag allows the user to optionally exclude switch-to-confguration.pl from toplevel. This is interesting for appliance images where you don't want to re-build the system. This flag is called `rebuildable` because the standard interface to do this is `nixos-rebuild` which will not work anymore with this change. --- nixos/modules/module-list.nix | 1 + .../system/activation/activatable-system.nix | 65 +++++++++------------- .../system/activation/switchable-system.nix | 55 ++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/non-switchable-system.nix | 15 +++++ 5 files changed, 98 insertions(+), 39 deletions(-) create mode 100644 nixos/modules/system/activation/switchable-system.nix create mode 100644 nixos/tests/non-switchable-system.nix (limited to 'nixos') diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2c06f493172..496943ad33a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -1392,6 +1392,7 @@ ./system/activation/activatable-system.nix ./system/activation/activation-script.nix ./system/activation/specialisation.nix + ./system/activation/switchable-system.nix ./system/activation/bootspec.nix ./system/activation/top-level.nix ./system/boot/binfmt.nix diff --git a/nixos/modules/system/activation/activatable-system.nix b/nixos/modules/system/activation/activatable-system.nix index 7f6154794bd..3d941596747 100644 --- a/nixos/modules/system/activation/activatable-system.nix +++ b/nixos/modules/system/activation/activatable-system.nix 
@@ -1,52 +1,16 @@ -{ config, lib, pkgs, ... }: +{ options, config, lib, pkgs, ... }: let inherit (lib) mkOption - optionalString types ; - perlWrapped = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]); - systemBuilderArgs = { activationScript = config.system.activationScripts.script; dryActivationScript = config.system.dryActivationScript; }; - systemBuilderCommands = '' - echo "$activationScript" > $out/activate - echo "$dryActivationScript" > $out/dry-activate - substituteInPlace $out/activate --subst-var-by out ''${!toplevelVar} - substituteInPlace $out/dry-activate --subst-var-by out ''${!toplevelVar} - chmod u+x $out/activate $out/dry-activate - unset activationScript dryActivationScript - - mkdir $out/bin - substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ - --subst-var out \ - --subst-var-by toplevel ''${!toplevelVar} \ - --subst-var-by coreutils "${pkgs.coreutils}" \ - --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \ - --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \ - --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \ - --subst-var-by perl "${perlWrapped}" \ - --subst-var-by shell "${pkgs.bash}/bin/sh" \ - --subst-var-by su "${pkgs.shadow.su}/bin/su" \ - --subst-var-by systemd "${config.systemd.package}" \ - --subst-var-by utillinux "${pkgs.util-linux}" \ - ; - - chmod +x $out/bin/switch-to-configuration - ${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' - if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then - echo "switch-to-configuration syntax is not valid:" - echo "$output" - exit 1 - fi - ''} - ''; - in { options = { 
@@ -60,6 +24,18 @@ in do, but for image based systems, this may not be needed or not be desirable. ''; }; + system.activatableSystemBuilderCommands = options.system.systemBuilderCommands // { + description = lib.mdDoc '' + Like `system.systemBuilderCommands`, but only for the commands that are + needed *both* when the system is activatable and when it isn't. + + Disclaimer: This option might go away in the future. It might be + superseded by separating switch-to-configuration into a separate script + which will make this option superfluous. See + https://github.com/NixOS/nixpkgs/pull/263462#discussion_r1373104845 for + a discussion. + ''; + }; system.build.separateActivationScript = mkOption { type = types.package; description = '' @@ -71,7 +47,18 @@ in }; }; config = { - system.systemBuilderCommands = lib.mkIf config.system.activatable systemBuilderCommands; + system.activatableSystemBuilderCommands = '' + echo "$activationScript" > $out/activate + echo "$dryActivationScript" > $out/dry-activate + substituteInPlace $out/activate --subst-var-by out ''${!toplevelVar} + substituteInPlace $out/dry-activate --subst-var-by out ''${!toplevelVar} + chmod u+x $out/activate $out/dry-activate + unset activationScript dryActivationScript + ''; + + system.systemBuilderCommands = lib.mkIf + config.system.activatable + config.system.activatableSystemBuilderCommands; system.systemBuilderArgs = lib.mkIf config.system.activatable (systemBuilderArgs // { toplevelVar = "out"; @@ -86,7 +73,7 @@ in }) '' mkdir $out - ${systemBuilderCommands} + ${config.system.activatableSystemBuilderCommands} ''; }; } diff --git a/nixos/modules/system/activation/switchable-system.nix b/nixos/modules/system/activation/switchable-system.nix new file mode 100644 index 00000000000..00bc18e48d1 --- /dev/null +++ b/nixos/modules/system/activation/switchable-system.nix 
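Review bot: The description of `system.activatableSystemBuilderCommands` says the commands are needed "*both* when the system is activatable and when it isn't", but the following hunks show they go into `system.systemBuilderCommands` only under `config.system.activatable` and otherwise into `system.build.separateActivationScript`, so "both" reads as if they always land in toplevel. I'd phrase it as `Like \`system.systemBuilderCommands\`, but for commands that must run whether they end up in toplevel (when \`system.activatable\` is true) or in \`system.build.separateActivationScript\` (when it is false).` It would also help to state that the option inherits its type from `options.system.systemBuilderCommands`, so definitions from several modules are merged — which is what lets switchable-system.nix append the switch script; the option is copied with `//` rather than declared, so that property is easy to miss.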
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+ perlWrapped = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]);
+
+in
+
+{
+
+ options = {
+ system.switch.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Whether to include the capability to switch configurations.
+
+ Disabling this makes the system unable to be reconfigured via `nixos-rebuild`.
+
+ This is good for image based appliances where updates are handled
+ outside the image. Reducing features makes the image lighter and
+ slightly more secure.
+ '';
+ };
+ };
+
+ config = lib.mkIf config.system.switch.enable {
+ system.activatableSystemBuilderCommands = ''
+ mkdir $out/bin
+ substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \
+ --subst-var out \
+ --subst-var-by toplevel ''${!toplevelVar} \
+ --subst-var-by coreutils "${pkgs.coreutils}" \
+ --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \
+ --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \
+ --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \
+ --subst-var-by perl "${perlWrapped}" \
+ --subst-var-by shell "${pkgs.bash}/bin/sh" \
+ --subst-var-by su "${pkgs.shadow.su}/bin/su" \
+ --subst-var-by systemd "${config.systemd.package}" \
+ --subst-var-by utillinux "${pkgs.util-linux}" \
+ ;
+
+ chmod +x $out/bin/switch-to-configuration
+ ${lib.optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) ''
+ if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then
+ echo "switch-to-configuration syntax is not valid:"
+ echo "$output"
+ exit 1
+ fi
+ ''}
+ '';
+ };
+
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 22371c9fec3..5098b4dfb1e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
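Review bot: The option description's security claim is unspecific: "slightly more secure" should say what is actually removed — the `switch-to-configuration` Perl script and, presumably, the wrapped Perl interpreter it pulls in via `perlWrapped` — and should warn what is *not* removed, since activatable-system.nix still emits `$out/activate` and `$out/dry-activate` regardless of this option, so a root user can still activate a configuration by hand and the boot-time activation path is unchanged. I'd append to the description: `Disabling this only drops \`switch-to-configuration\` (and its Perl dependency) from the system closure; the activation script in toplevel is unaffected.` Also worth noting that `installBootLoader` is substituted only into this script, so a reader should understand that disabling the switch capability also means the generated toplevel carries no bootloader-update entry point — if that inference is wrong, the description should say where bootloader updates are expected to come from instead.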
@@ -571,6 +571,7 @@ in { node-red = handleTest ./node-red.nix {}; nomad = handleTest ./nomad.nix {}; non-default-filesystems = handleTest ./non-default-filesystems.nix {}; + non-switchable-system = runTest ./non-switchable-system.nix; noto-fonts = handleTest ./noto-fonts.nix {}; noto-fonts-cjk-qt-default-weight = handleTest ./noto-fonts-cjk-qt-default-weight.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; diff --git a/nixos/tests/non-switchable-system.nix b/nixos/tests/non-switchable-system.nix new file mode 100644 index 00000000000..54bede75453 --- /dev/null +++ b/nixos/tests/non-switchable-system.nix @@ -0,0 +1,15 @@ +{ lib, ... }: + +{ + name = "non-switchable-system"; + + meta.maintainers = with lib.maintainers; [ nikstur ]; + + nodes.machine = { + system.switch.enable = false; + }; + + testScript = '' + machine.succeed("test ! -e /run/current-system/bin/switch-to-configuration") + ''; +} -- cgit 1.4.1 From 996cf6ac56692656f0f0484b5a50ee7df135c23d Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 26 Oct 2023 18:15:50 +0200 Subject: nixos/docs: add non-switchable-systems section --- .../development/non-switchable-systems.section.md | 21 +++++++++++++++++++++ .../what-happens-during-a-system-switch.chapter.md | 1 + 2 files changed, 22 insertions(+) create mode 100644 nixos/doc/manual/development/non-switchable-systems.section.md (limited to 'nixos') diff --git a/nixos/doc/manual/development/non-switchable-systems.section.md b/nixos/doc/manual/development/non-switchable-systems.section.md new file mode 100644 index 00000000000..87bb46c7890 --- /dev/null +++ b/nixos/doc/manual/development/non-switchable-systems.section.md 
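Review bot: The test only pins the absence of `/run/current-system/bin/switch-to-configuration`; it does not check that the rest of the activatable toplevel survives with `system.switch.enable = false`, even though activatable-system.nix still emits the activation script unconditionally and the two modules now share the merged `system.activatableSystemBuilderCommands` option. Adding `machine.succeed("test -e /run/current-system/activate")` would catch a regression where that merge drops the activation script along with the switch script. The machine booting at all is implicit in `machine.succeed`, but an explicit assertion on `activate` makes the intended contract — activatable but not switchable — visible in the test.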
@@ -0,0 +1,21 @@ +# Non Switchable Systems {#sec-non-switchable-system} + +In certain systems, most notably image based appliances, updates are handled +outside the system. This means that you do not need to rebuild your +configuration on the system itself anymore. + +If you want to build such a system, you can use the `image-based-appliance` +profile: + +```nix +{ modulesPath, ... }: { + imports = [ "${modulesPath}/profiles/image-based-appliance.nix" ] +} +``` + +The most notable deviation of this profile from a standard NixOS configuration +is that after building it, you cannot switch *to* the configuration anymore. +The profile sets `config.system.switch.enable = false;`, which excludes +`switch-to-configuration`, the central script called by `nixos-rebuild`, from +your system. Removing this script makes the image lighter and slightly more +secure. diff --git a/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md index 5d6d67f1aa9..7aa84bbdb95 100644 --- a/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md +++ b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md @@ -51,4 +51,5 @@ explained in the next sections. ```{=include=} sections unit-handling.section.md activation-script.section.md +non-switchable-systems.section.md ``` -- cgit 1.4.1 From 79eba74561a67d9e5f8a936e9a3a5eede7916cf5 Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 26 Oct 2023 17:53:16 +0200 Subject: nixos: release notes for `system.switch.enable` --- nixos/doc/manual/release-notes/rl-2311.section.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 2368480d045..1087c70729e 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md 
@@ -315,6 +315,11 @@ ## Other Notable Changes {#sec-release-23.11-notable-changes} +- A new option `system.switch.enable` was added. By default, this is option is + enabled. Disabling it makes the system unable to be reconfigured via + `nixos-rebuild`. This is good for image based appliances where updates are + handled outside the image. + - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration. - GNOME, Pantheon, Cinnamon module no longer forces Qt applications to use Adwaita style since it was buggy and is no longer maintained upstream (specifically, Cinnamon now defaults to the gtk2 style instead, following the default in Linux Mint). If you still want it, you can add the following options to your configuration but it will probably be eventually removed: -- cgit 1.4.1 From 8dfe8e447efefcaf2990532114f4b0259ba2eba3 Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 26 Oct 2023 00:53:03 +0200 Subject: nixos/profiles/minimal: remove some perl --- nixos/modules/profiles/minimal.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index bd1b2b45218..75f355b4a00 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -18,6 +18,15 @@ with lib; documentation.nixos.enable = mkDefault false; + # Perl is a default package. + environment.defaultPackages = mkDefault [ ]; + + # The lessopen package pulls in Perl. + programs.less.lessopen = mkDefault null; + + # This pulls in nixos-containers which depends on Perl. + boot.enableContainers = mkDefault false; + programs.command-not-found.enable = mkDefault false; services.logrotate.enable = mkDefault false; -- cgit 1.4.1 From e8bed1eec973d79a5af23a9530729e89cb8196e9 Mon Sep 17 00:00:00 2001 
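Review bot: The comment `# Perl is a default package.` explains why `environment.defaultPackages` is cleared, but the change removes every default package, not only Perl, and the comment should say so: `# Drop all default packages (Perl is one of them); appliances add what they need explicitly.` Similarly `# This pulls in nixos-containers which depends on Perl.` justifies `boot.enableContainers = mkDefault false;` purely by the Perl dependency, while the effect is losing the container feature entirely. Since all three settings use `mkDefault`, a one-line note that consumers of the profile can re-enable them would save the next reader from assuming the profile forbids Perl outright.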
From: Julian Stecklina
Date: Tue, 17 Oct 2023 16:14:13 +0200
Subject: nixos/profiles: add image-based-appliance profile
---
 nixos/modules/profiles/image-based-appliance.nix | 26 ++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 nixos/modules/profiles/image-based-appliance.nix
(limited to 'nixos')
diff --git a/nixos/modules/profiles/image-based-appliance.nix b/nixos/modules/profiles/image-based-appliance.nix
new file mode 100644
index 00000000000..7e8b6f696d5
--- /dev/null
+++ b/nixos/modules/profiles/image-based-appliance.nix
@@ -0,0 +1,26 @@
+# This profile sets up a sytem for image based appliance usage. An appliance is
+# installed as an image, cannot be re-built, has no Nix available, and is
+# generally not meant for interactive use. Updates to such an appliance are
+# handled by updating whole partition images via a tool like systemd-sysupdate.
+
+{ lib, modulesPath, ... }:
+
+{
+
+ # Appliances are always "minimal".
+ imports = [
+ "${modulesPath}/profiles/minimal.nix"
+ ];
+
+ # The system cannot be rebuilt.
+ nix.enable = false;
+ system.switch.enable = false;
+
+ # The system is static.
+ users.mutableUsers = false;
+
+ # The system avoids interpreters as much as possible to reduce its attack
+ # surface.
+ boot.initrd.systemd.enable = lib.mkDefault true;
+ networking.useNetworkd = lib.mkDefault true;
+}
--
cgit 1.4.1
From a000d9fff682f4117b7587bf5050c5c60fd51e1b Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Sat, 28 Oct 2023 14:43:19 +0000
Subject: tests/netdata: fix test after upgrade to 1.43.0
---
 nixos/tests/netdata.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos')
diff --git a/nixos/tests/netdata.nix b/nixos/tests/netdata.nix
index c5f7294f79a..e3438f63404 100644
--- a/nixos/tests/netdata.nix
+++ b/nixos/tests/netdata.nix
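Review bot: The comment `# The system avoids interpreters as much as possible to reduce its attack surface.` overstates what the two settings under it do: `boot.initrd.systemd.enable` and `networking.useNetworkd` move initrd and network setup from the shell-script implementations to systemd, but the profile does not remove the shell, and the activation script that activatable-system.nix still emits into toplevel is a shell script regardless of `system.switch.enable = false`. I'd narrow it to `# Prefer the systemd-native initrd and networking over the shell-script implementations to keep interpreters out of the boot path.` The header comment also has a typo, `sytem` → `system`. Since `nix.enable`, `system.switch.enable` and `users.mutableUsers` are set without `mkDefault`, a short comment that these are deliberately not overridable (unlike the two `mkDefault` lines) would make the intent explicit.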
@@ -30,8 +30,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { # check if netdata can read disk ops for root owned processes. # if > 0, successful. verifies both netdata working and # apps.plugin has elevated capabilities. - url = "http://localhost:19999/api/v1/data\?chart=users.pwrites" - filter = '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0' + url = "http://localhost:19999/api/v1/data\?chart=user.root_disk_physical_io" + filter = '[.data[range(10)][2]] | add | . < 0' cmd = f"curl -s {url} | jq -e '{filter}'" netdata.wait_until_succeeds(cmd) -- cgit 1.4.1 From 137a3c1303104df0f564684b4e8f0c51e14e65e9 Mon Sep 17 00:00:00 2001 From: Joseph Stahl <1269177+josephst@users.noreply.github.com> Date: Sat, 28 Oct 2023 22:13:25 -0400 Subject: systemd domainname service - fix missing domainname binary needs nettools in path --- nixos/modules/tasks/network-interfaces.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index a0e8e5d47a6..d976f9951bb 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1410,7 +1410,7 @@ in wantedBy = [ "sysinit.target" ]; before = [ "sysinit.target" ]; unitConfig.DefaultDependencies = false; - serviceConfig.ExecStart = ''domainname "${cfg.domain}"''; + serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"''; }; environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; }; -- cgit 1.4.1
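Review bot: The context comment `# if > 0, successful.` is now wrong: the new filter asserts `. < 0`, so the comment and the assertion contradict each other and a reader has no way to know why a negative sum is the success condition. Update it to match, e.g. `# the physical-I/O chart presumably reports writes as negative values; sum < 0 means root-owned processes were seen writing.` — the commit message implies this is netdata 1.43 behaviour, but nothing in the test documents it. The fixed index `[2]` also replaces the label lookup `indices("root")`, which made the old filter self-describing; a note on which column `2` is would help whoever has to fix this after the next upstream change.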