author | Robin Gloster <mail@glob.in> | 2016-04-18 13:00:40 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-04-18 13:49:22 +0000 |
commit | d020caa5b2eca90ea051403fbb4c52b99ee071b9 (patch) | |
tree | ba44ef1e784bca89e0df6b249956fd035b1d86e3 /nixos/modules/system | |
parent | 3e68106afd95df012ddb548575f0133681687a90 (diff) | |
parent | 0729f606973870c03d21bb2f21b70d91216943ca (diff) | |
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/activation/activation-script.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/coredump.nix | 5 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-2.nix | 13 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd-unit-options.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 24 |
8 files changed, 43 insertions, 18 deletions
diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 854fa2f40b69..9d61d64f7553 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -12,7 +12,8 @@ let ''; }); - path = + path = map # outputs TODO? + (pkg: (pkg.bin or (pkg.out or pkg))) [ pkgs.coreutils pkgs.gnugrep pkgs.findutils pkgs.glibc # needed for getent pkgs.shadow diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix index 3d80da9e4571..793c7515c761 100644 --- a/nixos/modules/system/boot/coredump.nix +++ b/nixos/modules/system/boot/coredump.nix @@ -50,6 +50,11 @@ with lib; (mkIf (!config.systemd.coredump.enable) { boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core"; + + systemd.extraConfig = + '' + DefaultLimitCORE=0:infinity + ''; }) ]; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 6b201fcce638..0728db986440 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -55,10 +55,10 @@ let version extraConfig extraPerEntryConfig extraEntries extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios; - path = (makeSearchPath "bin" ([ + path = (makeBinPath ([ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs pkgs.utillinux ] ++ (if cfg.efiSupport && (cfg.version == 2) then [pkgs.efibootmgr ] else []) - )) + ":" + (makeSearchPath "sbin" [ + )) + ":" + (makeSearchPathOutputs "sbin" ["bin"] [ pkgs.mdadm pkgs.utillinux ]); }); diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 59bff5472e84..77a82547031a 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix 
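Review bot: In the coredump.nix hunk, `DefaultLimitCORE=0:infinity` in the `!config.systemd.coredump.enable` branch sets only the soft limit to 0 and leaves the hard limit unlimited, so a service or user process can raise its own limit with setrlimit and core files will still be written under the `core` pattern configured on the line above. If this branch is meant to stop core files from being produced at all (a dump carries whatever key material the crashed process held in memory), the hard limit needs to be 0 as well, `DefaultLimitCORE=0:0`; if it is only meant as a default, a comment should say so, e.g. `# soft limit 0, hard limit unlimited: processes may still raise it via setrlimit`. The list this `mkIf` block belongs to starts outside the hunk.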
@@ -436,9 +436,9 @@ in ${optionalString luks.yubikeySupport '' copy_bin_and_libs ${pkgs.ykpers}/bin/ykchalresp copy_bin_and_libs ${pkgs.ykpers}/bin/ykinfo - copy_bin_and_libs ${pkgs.openssl}/bin/openssl + copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl - cc -O3 -I${pkgs.openssl}/include -L${pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto + cc -O3 -I${pkgs.openssl}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto strip -s pbkdf2-sha512 copy_bin_and_libs pbkdf2-sha512 diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 7b13a305f035..5e6554324ca4 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -31,7 +31,6 @@ let extraUtils = pkgs.runCommand "extra-utils" { buildInputs = [pkgs.nukeReferences]; allowedReferences = [ "out" ]; # prevent accidents like glibc being included in the initrd - doublePatchelf = pkgs.stdenv.isArm; } '' set +o pipefail @@ -80,7 +79,7 @@ let ${config.boot.initrd.extraUtilsCommands} # Copy ld manually since it isn't detected correctly - cp -pv ${pkgs.glibc}/lib/ld*.so.? $out/lib + cp -pv ${pkgs.glibc.out}/lib/ld*.so.? $out/lib # Copy all of the needed libraries for the binaries for BIN in $(find $out/{bin,sbin} -type f); do @@ -111,9 +110,6 @@ let if ! test -L $i; then echo "patching $i..." patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true - if [ -n "$doublePatchelf" ]; then - patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true - fi fi done diff --git a/nixos/modules/system/boot/stage-2.nix b/nixos/modules/system/boot/stage-2.nix index c0ef4e02d1ff..b67f42a017e6 100644 --- a/nixos/modules/system/boot/stage-2.nix +++ b/nixos/modules/system/boot/stage-2.nix 
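Review bot: In the luksroot.nix hunk the `cc` line now takes the library directory from `pkgs.openssl.out` but still takes the headers from `${pkgs.openssl}/include`; with openssl split into `bin`/`out` outputs, as the preceding line implies, the default output is not necessarily the one that carries `include/`, so the pbkdf2-sha512 build may fail or compile against headers from a different output than the library it links. If this openssl exposes a `dev` output, `-I${pkgs.openssl.dev}/include` would make the include and link paths consistent with the explicit `.bin`/`.out` used on the neighbouring lines; confirm which output holds the headers for this build. The `optionalString luks.yubikeySupport` block continues outside the hunk.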
@@ -7,11 +7,14 @@ let kernel = config.boot.kernelPackages.kernel; activateConfiguration = config.system.activationScripts.script; - readonlyMountpoint = pkgs.runCommand "readonly-mountpoint" {} '' - mkdir -p $out/bin - cc -O3 ${./readonly-mountpoint.c} -o $out/bin/readonly-mountpoint - strip -s $out/bin/readonly-mountpoint - ''; + readonlyMountpoint = pkgs.stdenv.mkDerivation { + name = "readonly-mountpoint"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + cc -O3 ${./readonly-mountpoint.c} -o $out/bin/readonly-mountpoint + ''; + }; bootStage2 = pkgs.substituteAll { src = ./stage-2-init.sh; diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index d4cab93b26b8..c8c9cda913c0 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix @@ -193,7 +193,7 @@ in rec { path = mkOption { default = []; - apply = ps: "${makeSearchPath "bin" ps}:${makeSearchPath "sbin" ps}"; + apply = ps: "${makeBinPath ps}:${makeSearchPathOutputs "sbin" ["bin"] ps}"; description = '' Packages added to the service's <envar>PATH</envar> environment variable. Both the <filename>bin</filename> diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index a3c83521c354..3f497566ff11 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -472,6 +472,13 @@ in ''; }; + systemd.generator-packages = mkOption { + default = []; + type = types.listOf types.package; + example = literalExample "[ pkgs.systemd-cryptsetup-generator ]"; + description = "Packages providing systemd generators."; + }; + systemd.defaultUnit = mkOption { default = "multi-user.target"; type = types.str; 
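Review bot: The stage-2.nix hunk silently drops the explicit `strip -s $out/bin/readonly-mountpoint` when moving from `runCommand` to `mkDerivation`, and nothing in the new block tells the reader that stripping still happens; a comment such as `# built via mkDerivation so stdenv's fixupPhase strips the binary (no explicit strip needed)` next to `installPhase` would keep the next maintainer from re-adding it. `unpackPhase = "true";` could carry a short `# no sources to unpack; the C file is referenced directly` comment for the same reason.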
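Review bot: The new option in the systemd.nix hunk is named `systemd.generator-packages`, while the options around it (`systemd.defaultUnit`, `systemd.coredump.enable`) use camelCase, so the hyphenated name is an outlier that also forces the awkward `cfg.generator-packages` access in the later hunk of the same file; `systemd.generatorPackages` would match the module's convention. The description could also say how the option relates to `systemd.generators`, e.g. `"Packages providing systemd generators; their lib/systemd/system-generators contents are linked alongside the entries of systemd.generators."`.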
@@ -628,7 +635,18 @@ in environment.systemPackages = [ systemd ]; - environment.etc = { + environment.etc = let + # generate contents for /etc/systemd/system-generators from + # systemd.generators and systemd.generator-packages + generators = pkgs.runCommand "system-generators" { packages = cfg.generator-packages; } '' + mkdir -p $out + for package in $packages + do + ln -s $package/lib/systemd/system-generators/* $out/ + done; + ${concatStrings (mapAttrsToList (generator: target: "ln -s ${target} $out/${generator};\n") cfg.generators)} + ''; + in ({ "systemd/system".source = generateUnits "system" cfg.units upstreamSystemUnits upstreamSystemWants; "systemd/user".source = generateUnits "user" cfg.user.units upstreamUserUnits []; @@ -667,7 +685,9 @@ in ${concatStringsSep "\n" cfg.tmpfiles.rules} ''; - } // mapAttrs' (n: v: nameValuePair "systemd/system-generators/${n}" {"source"=v;}) cfg.generators; + + "systemd/system-generators" = { source = generators; }; + }); system.activationScripts.systemd = stringAfter [ "groups" ] '' |
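Review bot: In the `system-generators` runCommand, `ln -s $package/lib/systemd/system-generators/* $out/` is an unquoted glob without nullglob, so a package listed in `systemd.generator-packages` that ships no generators directory hands the literal `*` to `ln` and the build fails; and since `ln -s` is used without `-f`, two packages (or a package and a `systemd.generators` entry) providing the same generator name abort the build with an opaque "File exists". Failing on a name clash is a reasonable outcome for a directory systemd executes as root, but the empty case should be handled and the clash case documented: `shopt -s nullglob` before the loop, `test -d $package/lib/systemd/system-generators || continue` as the loop's first statement, and a comment such as `# duplicate generator names are a hard build error on purpose`. The `${target}` values from `cfg.generators` are also interpolated unquoted into the script; store paths contain no whitespace, but the option's type is not visible here, so confirm it constrains targets to paths. The `environment.etc = let ... in ({` expression opened in the first hunk of this file is closed by the `});` in this one.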