Merge master into staging-next

13 files changed, 91 insertions, 207 deletions

diff --git a/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixos/doc/manual/installation/installing-from-other-distro.xml
index 8ed45899fd7f..45d68f8787f1 100644
--- a/nixos/doc/manual/installation/installing-from-other-distro.xml
+++ b/nixos/doc/manual/installation/installing-from-other-distro.xml
@@ -89,7 +89,7 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen>
     NixOS partition. They are installed by default on NixOS, but you don't have
     NixOS yet..
    </para>
-<screen><prompt>$ </prompt>nix-env -iE "_: with import &lt;nixpkgs/nixos&gt; { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen>
+<screen><prompt>$ </prompt>nix-env -f '&lt;nixpkgs/nixos&gt;' --arg configuration {} -iA config.system.build.{nixos-generate-config,nixos-install,nixos-enter,manual.manpages}</screen>
   </listitem>
   <listitem>
    <note>
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index ccb83f39acb2..f2485f7395c8 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -466,6 +466,14 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
      initrd file has not been deleted.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
+     package and NixOS module have been removed from Nixpkgs as the software is
+     unmaintained and can't be built. For more information see issue
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/lib/make-iso9660-image.sh b/nixos/lib/make-iso9660-image.sh
index eb9edcd70269..d64fe9a365e7 100644
--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@@ -129,7 +129,7 @@ fi
 
 if test -n "$compressImage"; then
     echo "Compressing image..."
-    zstd -T$NIX_BUILD_CORES $out/iso/$isoName
+    zstd -T$NIX_BUILD_CORES --rm $out/iso/$isoName
 fi
 
 mkdir -p $out/nix-support
diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix
index 589bf74263b9..98c12e30633c 100644
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@@ -190,7 +190,7 @@ in
         fsck.vfat -vn firmware_part.img
         dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
         if test -n "$compressImage"; then
-            zstd -T$NIX_BUILD_CORES $img
+            zstd -T$NIX_BUILD_CORES --rm $img
         fi
       '';
     }) {};
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 85e5534e906f..3409e7ba22ea 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -239,7 +239,6 @@ in
       shout = 206;
       gateone = 207;
       namecoin = 208;
-      dnschain = 209;
       #lxd = 210; # unused
       kibana = 211;
       xtreemfs = 212;
@@ -549,7 +548,6 @@ in
       #shout = 206; #unused
       gateone = 207;
       namecoin = 208;
-      #dnschain = 209; #unused
       lxd = 210; # unused
       #kibana = 211;
       xtreemfs = 212;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5c5281b730f3..321fec5fb517 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -602,7 +602,6 @@
   ./services/networking/dhcpcd.nix
   ./services/networking/dhcpd.nix
   ./services/networking/dnscache.nix
-  ./services/networking/dnschain.nix
   ./services/networking/dnscrypt-proxy2.nix
   ./services/networking/dnscrypt-wrapper.nix
   ./services/networking/dnsdist.nix
diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix
index 1a2c4aec6651..5d73c0a0d779 100644
--- a/nixos/modules/services/networking/corerad.nix
+++ b/nixos/modules/services/networking/corerad.nix
@@ -4,14 +4,50 @@ with lib;
 
 let
   cfg = config.services.corerad;
+
+  writeTOML = name: x:
+    pkgs.runCommandNoCCLocal name {
+      passAsFile = ["config"];
+      config = builtins.toJSON x;
+      buildInputs = [ pkgs.go-toml ];
+    } "jsontoml < $configPath > $out";
+
 in {
-  meta = {
-    maintainers = with maintainers; [ mdlayher ];
-  };
+  meta.maintainers = with maintainers; [ mdlayher ];
 
   options.services.corerad = {
     enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon";
 
+    settings = mkOption {
+      type = types.uniq types.attrs;
+      example = literalExample ''
+        {
+          interfaces = [
+            # eth0 is an upstream interface monitoring for IPv6 router advertisements.
+            {
+              name = "eth0";
+              monitor = true;
+            }
+            # eth1 is a downstream interface advertising IPv6 prefixes for SLAAC.
+            {
+              name = "eth1";
+              advertise = true;
+              prefix = [{ prefix = "::/64"; }];
+            }
+          ];
+          # Optionally enable Prometheus metrics.
+          debug = {
+            address = "localhost:9430";
+            prometheus = true;
+          };
+        }
+      '';
+      description = ''
+        Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/master/internal/config/default.toml"/>
+        for supported values. Ignored if configFile is set.
+      '';
+    };
+
     configFile = mkOption {
       type = types.path;
       example = literalExample "\"\${pkgs.corerad}/etc/corerad/corerad.toml\"";
@@ -27,6 +63,9 @@ in {
   };
 
   config = mkIf cfg.enable {
+    # Prefer the config file over settings if both are set.
+    services.corerad.configFile = mkDefault (writeTOML "corerad.toml" cfg.settings);
+
     systemd.services.corerad = {
       description = "CoreRAD IPv6 NDP RA daemon";
       after = [ "network.target" ];
diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix
deleted file mode 100644
index 003609ea7054..000000000000
--- a/nixos/modules/services/networking/dnschain.nix
+++ /dev/null
@@ -1,184 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfgs = config.services;
-  cfg  = cfgs.dnschain;
-
-  dataDir  = "/var/lib/dnschain";
-  username = "dnschain";
-
-  configFile = pkgs.writeText "dnschain.conf" ''
-    [log]
-    level = info
-
-    [dns]
-    host = ${cfg.dns.address}
-    port = ${toString cfg.dns.port}
-    oldDNSMethod = NO_OLD_DNS
-    externalIP = ${cfg.dns.externalAddress}
-
-    [http]
-    host = ${cfg.api.hostname}
-    port = ${toString cfg.api.port}
-    tlsPort = ${toString cfg.api.tlsPort}
-
-    ${cfg.extraConfig}
-  '';
-
-in
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.dnschain = {
-
-      enable = mkEnableOption ''
-        DNSChain, a blockchain based DNS + HTTP server.
-        To resolve .bit domains set <literal>services.namecoind.enable = true;</literal>
-        and an RPC username/password.
-      '';
-
-      dns.address = mkOption {
-        type = types.str;
-        default = "127.0.0.1";
-        description = ''
-          The IP address the DNSChain resolver will bind to.
-          Leave this unchanged if you do not wish to directly expose the resolver.
-        '';
-      };
-
-      dns.externalAddress = mkOption {
-        type = types.str;
-        default = cfg.dns.address;
-        description = ''
-           The IP address used by clients to reach the resolver and the value of
-           the <literal>namecoin.dns</literal> record. Set this in case the bind address
-           is not the actual IP address (e.g. the machine is behind a NAT).
-        '';
-      };
-
-      dns.port = mkOption {
-        type = types.int;
-        default = 5333;
-        description = ''
-          The port the DNSChain resolver will bind to.
-        '';
-      };
-
-      api.hostname = mkOption {
-        type = types.str;
-        default = "0.0.0.0";
-        description = ''
-          The hostname (or IP address) the DNSChain API server will bind to.
-        '';
-      };
-
-      api.port = mkOption {
-        type = types.int;
-        default = 8080;
-        description = ''
-          The port the DNSChain API server (HTTP) will bind to.
-        '';
-      };
-
-      api.tlsPort = mkOption {
-        type = types.int;
-        default = 4433;
-        description = ''
-          The port the DNSChain API server (HTTPS) will bind to.
-        '';
-      };
-
-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-        example = ''
-          [log]
-          level = debug
-        '';
-        description = ''
-          Additional options that will be appended to the configuration file.
-        '';
-      };
-
-    };
-
-    services.dnsmasq.resolveDNSChainQueries = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
-      '';
-    };
-
-    services.pdns-recursor.resolveDNSChainQueries = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries
-      [ "/.bit/127.0.0.1#${toString cfg.dns.port}"
-        "/.dns/127.0.0.1#${toString cfg.dns.port}"
-      ];
-
-    services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries {
-      forwardZonesRecurse =
-        { bit = "127.0.0.1:${toString cfg.dns.port}";
-          dns = "127.0.0.1:${toString cfg.dns.port}";
-        };
-      luaConfig =''
-        addNTA("bit", "namecoin doesn't support DNSSEC")
-        addNTA("dns", "namecoin doesn't support DNSSEC")
-      '';
-    };
-
-    users.users.${username} = {
-      description = "DNSChain daemon user";
-      home = dataDir;
-      createHome = true;
-      uid = config.ids.uids.dnschain;
-      extraGroups = optional cfgs.namecoind.enable "namecoin";
-    };
-
-    systemd.services.dnschain = {
-      description = "DNSChain daemon";
-      after    = optional cfgs.namecoind.enable "namecoind.target";
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        User = "dnschain";
-        Restart = "on-failure";
-        ExecStart = "${pkgs.nodePackages.dnschain}/bin/dnschain";
-      };
-
-      preStart = ''
-        # Link configuration file into dnschain home directory
-        configPath=${dataDir}/.dnschain/dnschain.conf
-        mkdir -p ${dataDir}/.dnschain
-        if [ "$(realpath $configPath)" != "${configFile}" ]; then
-          rm -f $configPath
-          ln -s ${configFile} $configPath
-        fi
-      '';
-    };
-
-  };
-
-  meta.maintainers = with lib.maintainers; [ rnhmjoj ];
-
-}
diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix
index ead7f0859434..6ca99e1321bd 100644
--- a/nixos/modules/services/networking/namecoind.nix
+++ b/nixos/modules/services/networking/namecoind.nix
@@ -149,11 +149,6 @@ in
 
   config = mkIf cfg.enable {
 
-    services.dnschain.extraConfig = ''
-      [namecoin]
-      config = ${configFile}
-    '';
-
     users.users.namecoin = {
       uid  = config.ids.uids.namecoin;
       description = "Namecoin daemon user";
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 9b34b12e73a5..b0545363b330 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -1178,14 +1178,22 @@ in
       users.users.systemd-network.group = "systemd-network";
 
       systemd.additionalUpstreamSystemUnits = [
-        "systemd-networkd.service" "systemd-networkd-wait-online.service"
+        "systemd-networkd-wait-online.service"
+        "systemd-networkd.service"
+        "systemd-networkd.socket"
       ];
 
       systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.netdev" (netdevToUnit n v)) cfg.netdevs
         // mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.networks;
 
+      # systemd-networkd is socket-activated by kernel netlink route change
+      # messages. It is important to have systemd buffer those on behalf of
+      # networkd.
+      systemd.sockets.systemd-networkd.wantedBy = [ "sockets.target" ];
+
       systemd.services.systemd-networkd = {
         wantedBy = [ "multi-user.target" ];
+        aliases = [ "dbus-org.freedesktop.network1.service" ];
         restartTriggers = map (x: x.source) (attrValues unitFiles);
         # prevent race condition with interface renaming (#39069)
         requires = [ "systemd-udev-settle.service" ];
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index b7aaef575ac1..b024f9cf5ee9 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -148,6 +148,7 @@ in
 
     systemd.services.systemd-resolved = {
       wantedBy = [ "multi-user.target" ];
+      aliases = [ "dbus-org.freedesktop.resolve1.service" ];
       restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
     };
 
diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix
index 9e2f36ca01f8..35fb5578b070 100644
--- a/nixos/modules/system/boot/timesyncd.nix
+++ b/nixos/modules/system/boot/timesyncd.nix
@@ -41,6 +41,7 @@ with lib;
 
     systemd.services.systemd-timesyncd = {
       wantedBy = [ "sysinit.target" ];
+      aliases = [ "dbus-org.freedesktop.timesync1.service" ];
       restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];
     };
 
diff --git a/nixos/tests/corerad.nix b/nixos/tests/corerad.nix
index 741fa448f680..72ab255b1916 100644
--- a/nixos/tests/corerad.nix
+++ b/nixos/tests/corerad.nix
@@ -3,7 +3,7 @@ import ./make-test-python.nix (
     nodes = {
       router = {config, pkgs, ...}: { 
         config = {
-          # This machines simulates a router with IPv6 forwarding and a static IPv6 address.
+          # This machine simulates a router with IPv6 forwarding and a static IPv6 address.
           boot.kernel.sysctl = {
             "net.ipv6.conf.all.forwarding" = true;
           };
@@ -14,13 +14,25 @@ import ./make-test-python.nix (
             enable = true;
             # Serve router advertisements to the client machine with prefix information matching
             # any IPv6 /64 prefixes configured on this interface.
-            configFile = pkgs.writeText "corerad.toml" ''
-              [[interfaces]]
-              name = "eth1"
-              advertise = true
-                [[interfaces.prefix]]
-                prefix = "::/64"
-            '';
+            #
+            # This configuration is identical to the example in the CoreRAD NixOS module.
+            settings = {
+              interfaces = [
+                {
+                  name = "eth0";
+                  monitor = true;
+                }
+                {
+                  name = "eth1";
+                  advertise = true;
+                  prefix = [{ prefix = "::/64"; }];
+                }
+              ];
+              debug = {
+                address = "localhost:9430";
+                prometheus = true;
+              };
+            };
           };
         };
       };
@@ -66,5 +78,12 @@ import ./make-test-python.nix (
           assert (
               "/64 scope global temporary" in addrs
           ), "SLAAC temporary address was not configured on client after router advertisement"
+
+      with subtest("Verify HTTP debug server is configured"):
+          out = router.succeed("curl localhost:9430/metrics")
+
+          assert (
+              "corerad_build_info" in out
+          ), "Build info metric was not found in Prometheus output"
     '';
   })