author | Vladimír Čunát <vcunat@gmail.com> | 2016-05-26 16:50:22 +0200 |
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-05-26 16:50:22 +0200 |
commit | 81039713fad72bcfb6d29e358866344c254096c2 (patch) | |
tree | 5150eb44e296607c43c5c7ece21249d0e39ff098 /nixos/modules/system | |
parent | 21df05d1ad9ad8b3e8138138f65525d2e6324341 (diff) | |
parent | 8fbdb40ef0ce39e6605db3dfd223402636de8907 (diff) | |
Merge branch 'master' into staging
... to get the systemd update (rebuilding ~7k jobs).
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 11 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/gummiboot/gummiboot.nix | 16 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 42 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 7 |
4 files changed, 24 insertions, 52 deletions
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 7fc467b60f7b..2e06a684f0cc 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -48,12 +48,13 @@ let bootPath = args.path; storePath = config.boot.loader.grub.storePath; bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId; + timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout; inherit efiSysMountPoint; inherit (args) devices; inherit (efi) canTouchEfiVariables; inherit (cfg) version extraConfig extraPerEntryConfig extraEntries - extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout + extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios; path = (makeBinPath ([ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs @@ -313,14 +314,6 @@ in ''; }; - timeout = mkOption { - default = if (config.boot.loader.timeout != null) then config.boot.loader.timeout else -1; - type = types.int; - description = '' - Timeout (in seconds) until GRUB boots the default menu item. - ''; - }; - default = mkOption { default = 0; type = types.int; diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix index 69ad2c6d44f4..aec697da4a1a 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix @@ -16,7 +16,7 @@ let nix = config.nix.package.out; - timeout = if cfg.timeout != null then cfg.timeout else ""; + timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else ""; inherit (efi) efiSysMountPoint canTouchEfiVariables; }; 
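Review bot: `boot.loader.grub.timeout` is removed in the following hunk (@@ -313) without a compatibility alias, so any configuration that still sets it will stop evaluating with an unknown-option error once this lands; the new local `timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;` reads only the generic option. Unless the rename is handled in nixos/modules/rename.nix, which lies outside this diffstat, consider adding `(mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ])` to the module's imports so existing configs keep working. The same applies to `boot.loader.gummiboot.timeout`, dropped in the gummiboot hunk at @@ -29.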
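Review bot: The null case of `boot.loader.timeout` changes meaning for gummiboot: the option removed in @@ -29 mapped a null loader timeout to 10000 (its description: "null if none"), whereas the new `timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";` hands the builder an empty string. This page does not show how the builder treats "", so please confirm that it still produces the show-menu-indefinitely behaviour that null is meant to express, rather than gummiboot's own default; otherwise a user who set `boot.loader.timeout = null` silently gets different boot behaviour. A one-line comment above the new line stating what "" means to the builder would make the intent checkable.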
@@ -29,20 +29,6 @@ in { description = "Whether to enable the gummiboot UEFI boot manager"; }; - - timeout = mkOption { - default = if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout; - - example = 4; - - type = types.nullOr types.int; - - description = '' - Timeout (in seconds) for how long to show the menu (null if none). - Note that even with no timeout the menu can be forced if the space - key is pressed during bootup - ''; - }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index ad53f25d61b8..8dad09c89207 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' # Wait for luksRoot to appear, e.g. if on a usb drive. # XXX: copied and adapted from stage-1-init.sh - should be # available as a function. @@ -192,9 +192,8 @@ let ''} ''; - isPreLVM = f: f.preLVM; - preLVM = filter isPreLVM luks.devices; - postLVM = filter (f: !(isPreLVM f)) luks.devices; + preLVM = filterAttrs (n: v: v.preLVM) luks.devices; + postLVM = filterAttrs (n: v: !v.preLVM) luks.devices; in { 
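Review bot: `assert name' == name;` in the new `openCommand` fails with Nix's bare "assertion failed" message, which gives no hint that a device's `name` attribute must equal its key in `boot.initrd.luks.devices`. Since `name` defaults to the key but stays settable (it is only hidden with `visible = false` in @@ -228), a mismatch is a plausible user error; `if name' != name then throw "boot.initrd.luks.devices.${name'}.name must equal ${name'}" else ''` would point directly at the offending option. openCommand's body continues past this hunk.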
@@ -228,31 +227,31 @@ in }; boot.initrd.luks.devices = mkOption { - default = [ ]; - example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]''; + default = { }; + example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; description = '' - The list of devices that should be decrypted using LUKS before trying to mount the - root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. - - The devices are decrypted to the device mapper names defined. - - Make sure that initrd has the crypto modules needed for decryption. + The encrypted disk that should be opened before the root + filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM + setups are sypported. The unencrypted devices can be accessed as + <filename>/dev/mapper/<replaceable>name</replaceable></filename>. ''; - type = types.listOf types.optionSet; + type = types.loaOf types.optionSet; - options = { + options = { name, ... }: { options = { name = mkOption { + visible = false; + default = name; example = "luksroot"; type = types.str; - description = "Named to be used for the generated device in /dev/mapper."; + description = "Name of the unencrypted device in <filename>/dev/mapper</filename>."; }; device = mkOption { - example = "/dev/sda2"; + example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; type = types.str; - description = "Path of the underlying block device."; + description = "Path of the underlying encrypted block device."; }; header = mkOption { @@ -289,6 +288,7 @@ in ''; }; + # FIXME: get rid of this option. preLVM = mkOption { default = true; type = types.bool; @@ -394,7 +394,7 @@ in }; }; - }; + }; }; }; boot.initrd.luks.yubikeySupport = mkOption { 
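Review bot: The new option description has a typo, `setups are sypported.` should read `setups are supported.`, and its opening sentence is singular although the option now holds a set of devices — `The encrypted disks that should be opened before the root` reads better. Because the `name` option is hidden (`visible = false`) with the attribute key as its default, the description should also say explicitly that the attribute name becomes the device name under `/dev/mapper`; at present the `<replaceable>name</replaceable>` placeholder is the only hint. The `example` switching to a `/dev/disk/by-uuid/...` path is a good choice and could be worth a sentence too, since stable identifiers matter for an early-boot unlock path.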
@@ -408,7 +408,7 @@ in }; }; - config = mkIf (luks.devices != []) { + config = mkIf (luks.devices != {}) { # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks @@ -463,8 +463,8 @@ in ''} ''; - boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM; - boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM; + boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM); + boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM); environment.systemPackages = [ pkgs.cryptsetup ]; }; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e7f892945315..076bbca850d9 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -753,13 +753,6 @@ in "TMPFS_XATTR" "SECCOMP" ]; - environment.shellAliases = - { start = "systemctl start"; - stop = "systemctl stop"; - restart = "systemctl restart"; - status = "systemctl status"; - }; - users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal; users.extraUsers.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway; users.extraGroups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway; |
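Review bot: Switching from `concatMapStrings openCommand preLVM` over a list to `mapAttrsToList openCommand preLVM` changes the order in which devices are opened from the order the user wrote them to Nix's attribute-name order, and the same holds for `postLVM` on the next line. If any setup depends on one device being opened before another (for instance a `keyFile` located on an earlier mapped device — whether such setups are supported is not visible on this page), that ordering is now implicit; a comment on these lines, `# devices within each stage are opened in attribute-name order`, plus a sentence in the option description would make the contract explicit. The `preLVM` split, kept with a FIXME in @@ -289, still provides only a coarse two-stage ordering.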