authorVladimír Čunát <vcunat@gmail.com>2016-05-26 16:50:22 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-05-26 16:50:22 +0200
commit81039713fad72bcfb6d29e358866344c254096c2 (patch)
tree5150eb44e296607c43c5c7ece21249d0e39ff098 /nixos
parent21df05d1ad9ad8b3e8138138f65525d2e6324341 (diff)
parent8fbdb40ef0ce39e6605db3dfd223402636de8907 (diff)
Merge branch 'master' into staging
... to get the systemd update (rebuilding ~7k jobs).
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/configuration/luks-file-systems.xml12
-rw-r--r--nixos/doc/manual/man-nixos-generate-config.xml4
-rw-r--r--nixos/doc/manual/release-notes/rl-1609.xml5
-rw-r--r--nixos/lib/test-driver/Logger.pm4
-rw-r--r--nixos/lib/test-driver/Machine.pm12
-rw-r--r--nixos/modules/config/ldap.nix2
-rw-r--r--nixos/modules/config/shells-environment.nix4
-rw-r--r--nixos/modules/installer/cd-dvd/iso-image.nix2
-rw-r--r--nixos/modules/installer/tools/nixos-generate-config.pl33
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/misc/version.nix8
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/man.nix2
-rw-r--r--nixos/modules/rename.nix2
-rw-r--r--nixos/modules/security/setuid-wrappers.nix2
-rw-r--r--nixos/modules/services/mail/opensmtpd.nix11
-rw-r--r--nixos/modules/services/networking/chrony.nix6
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix2
-rw-r--r--nixos/modules/services/networking/mosquitto.nix219
-rw-r--r--nixos/modules/services/networking/ntpd.nix2
-rw-r--r--nixos/modules/services/networking/openntpd.nix3
-rw-r--r--nixos/modules/services/security/fail2ban.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix20
-rw-r--r--nixos/modules/services/x11/display-managers/kdm.nix2
-rw-r--r--nixos/modules/services/x11/xserver.nix4
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix11
-rw-r--r--nixos/modules/system/boot/loader/gummiboot/gummiboot.nix16
-rw-r--r--nixos/modules/system/boot/luksroot.nix42
-rw-r--r--nixos/modules/system/boot/systemd.nix7
-rw-r--r--nixos/modules/tasks/cpu-freq.nix2
-rw-r--r--nixos/modules/testing/test-instrumentation.nix2
-rw-r--r--nixos/modules/virtualisation/amazon-image.nix2
-rw-r--r--nixos/modules/virtualisation/azure-common.nix4
-rw-r--r--nixos/modules/virtualisation/brightbox-image.nix2
-rw-r--r--nixos/modules/virtualisation/containers.nix2
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix2
-rw-r--r--nixos/modules/virtualisation/nova-image.nix2
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix2
-rw-r--r--nixos/release-combined.nix1
-rw-r--r--nixos/tests/boot.nix6
-rw-r--r--nixos/tests/installer.nix8
-rw-r--r--nixos/tests/virtualbox.nix1
42 files changed, 371 insertions, 107 deletions
diff --git a/nixos/doc/manual/configuration/luks-file-systems.xml b/nixos/doc/manual/configuration/luks-file-systems.xml
index 45475dbcd446..88b506d5323d 100644
--- a/nixos/doc/manual/configuration/luks-file-systems.xml
+++ b/nixos/doc/manual/configuration/luks-file-systems.xml
@@ -9,21 +9,21 @@
 <para>NixOS supports file systems that are encrypted using
 <emphasis>LUKS</emphasis> (Linux Unified Key Setup).  For example,
 here is how you create an encrypted Ext4 file system on the device
-<filename>/dev/sda2</filename>:
+<filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
 
 <screen>
-$ cryptsetup luksFormat /dev/sda2
+$ cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
 
 WARNING!
 ========
-This will overwrite data on /dev/sda2 irrevocably.
+This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.
 
 Are you sure? (Type uppercase yes): YES
 Enter LUKS passphrase: ***
 Verify passphrase: ***
 
-$ cryptsetup luksOpen /dev/sda2 crypted
-Enter passphrase for /dev/sda2: ***
+$ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
+Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
 
 $ mkfs.ext4 /dev/mapper/crypted
 </screen>
@@ -33,7 +33,7 @@ as <filename>/</filename>, add the following to
 <filename>configuration.nix</filename>:
 
 <programlisting>
-boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ];
+boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
 fileSystems."/".device = "/dev/mapper/crypted";
 </programlisting>
 
diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml
index 140642bc9c9c..993a932ddfbe 100644
--- a/nixos/doc/manual/man-nixos-generate-config.xml
+++ b/nixos/doc/manual/man-nixos-generate-config.xml
@@ -113,8 +113,8 @@
   <varlistentry>
     <term><option>--no-filesystems</option></term>
     <listitem>
-      <para>Omit everything concerning file system information
-      (which includes swap devices) from the hardware configuration.</para>
+      <para>Omit everything concerning file systems and swap devices
+      from the hardware configuration.</para>
     </listitem>
   </varlistentry>
 
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml
index 22dea8029242..b08688a66959 100644
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -30,7 +30,10 @@ following incompatible changes:</para>
 
 <itemizedlist>
   <listitem>
-    <para>todo</para>
+    <para>Shell aliases for systemd sub-commands
+    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
+    <command>start</command>, <command>stop</command>,
+    <command>restart</command>, <command>status</command>.</para>
   </listitem>
 </itemizedlist>
 
diff --git a/nixos/lib/test-driver/Logger.pm b/nixos/lib/test-driver/Logger.pm
index 6e62fdfd7708..3fe5ef67c144 100644
--- a/nixos/lib/test-driver/Logger.pm
+++ b/nixos/lib/test-driver/Logger.pm
@@ -3,6 +3,7 @@ package Logger;
 use strict;
 use Thread::Queue;
 use XML::Writer;
+use Encode qw(decode encode);
 
 sub new {
     my ($class) = @_;
@@ -56,7 +57,8 @@ sub nest {
 sub sanitise {
     my ($s) = @_;
     $s =~ s/[[:cntrl:]\xff]//g;
-    return $s;
+    $s = decode('UTF-8', $s, Encode::FB_DEFAULT);
+    return encode('UTF-8', $s, Encode::FB_CROAK);
 }
 
 sub log {
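Review bot: The decode/encode round trip added to `sanitise` has no comment, and its intent is not obvious from the two calls. `Encode::FB_DEFAULT` substitutes U+FFFD for malformed byte sequences and the re-encode then yields valid UTF-8. A one-line comment above the `decode` call, such as `# Replace malformed UTF-8 with U+FFFD so the XML log stays well-formed.`, would record that. The XML purpose is inferred from the `XML::Writer` import, so adjust the wording if the reason was different.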
diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm
index 37d6518fd8d7..1a243918c22f 100644
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@@ -382,9 +382,17 @@ sub waitForUnit {
             my $state = $info->{ActiveState};
             die "unit ‘$unit’ reached state ‘$state’\n" if $state eq "failed";
             if ($state eq "inactive") {
+                # If there are no pending jobs, then assume this unit
+                # will never reach active state.
                 my ($status, $jobs) = $self->execute("systemctl list-jobs --full 2>&1");
-                die "unit ‘$unit’ is inactive and there are no pending jobs\n"
-                    if $jobs =~ /No jobs/; # FIXME: fragile
+                if ($jobs =~ /No jobs/) {  # FIXME: fragile
+                    # Handle the case where the unit may have started
+                    # between the previous getUnitInfo() and
+                    # list-jobs.
+                    my $info2 = $self->getUnitInfo($unit);
+                    die "unit ‘$unit’ is inactive and there are no pending jobs\n"
+                        if $info2->{ActiveState} eq $state;
+                }
             }
             return 1 if $state eq "active";
         };
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index a6657768e061..7064ef64b4c8 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -192,7 +192,7 @@ in
     system.activationScripts = mkIf insertLdapPassword {
       ldap = stringAfter [ "etc" "groups" "users" ] ''
         if test -f "${cfg.bind.password}" ; then
-          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig} - > /etc/ldap.conf.bindpw
+          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw
           mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
           chmod 600 /etc/ldap.conf
         fi
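Review bot: The bind password is written to `/etc/ldap.conf.bindpw` and moved into place before `chmod 600` runs, so both paths briefly exist with whatever mode the activation script's umask gives them. Setting `umask 077` before the `echo`, or wrapping the three commands in a `(umask 077; …)` subshell, closes that window. The command substitution on the changed line also sits outside the double quotes (`"bindpw "$(cat …)""`), so a password containing repeated whitespace or glob characters is word-split and the written value no longer matches the secret; `echo "bindpw $(cat "${cfg.bind.password}")"` keeps it intact. The activation snippet starts and ends outside this hunk.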
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index 89b8a04b5e7c..9642981803bf 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -150,10 +150,6 @@ in
 
     system.build.binsh = pkgs.bashInteractive;
 
-    # Ensure TERMINFO is set appropriately *before* user shells are run,
-    # as they may depend on it
-    environment.sessionVariables.TERMINFO = "/run/current-system/sw/share/terminfo";
-
     # Set session variables in the shell as well. This is usually
     # unnecessary, but it allows changes to session variables to take
     # effect without restarting the session (e.g. by opening a new
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
index c31ded977e68..bdb3c227ecc8 100644
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -79,7 +79,7 @@ let
     echo "options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset" >> $out/loader/entries/nixos-livecd-nomodeset.conf
 
     echo "default nixos-livecd" > $out/loader/loader.conf
-    echo "timeout ${builtins.toString config.boot.loader.gummiboot.timeout}" >> $out/loader/loader.conf
+    echo "timeout ${builtins.toString config.boot.loader.timeout}" >> $out/loader/loader.conf
   '';
 
   efiImg = pkgs.runCommand "efi-image_eltorito" { buildInputs = [ pkgs.mtools pkgs.libfaketime ]; }
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index 8e75f8d3c40a..ca7fb71ba9b8 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -1,5 +1,6 @@
 #! @perl@
 
+use strict;
 use Cwd 'abs_path';
 use File::Spec;
 use File::Path;
@@ -69,6 +70,7 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
 my @attrs = ();
 my @kernelModules = ();
 my @initrdKernelModules = ();
+my @initrdAvailableKernelModules = ();
 my @modulePackages = ();
 my @imports;
 
@@ -379,7 +381,7 @@ EOF
     # Is this a btrfs filesystem?
     if ($fsType eq "btrfs") {
         my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
-        if ($status != 0 || join("", @msg) =~ /ERROR:/) {
+        if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
             die "Failed to retrieve subvolume info for $mountPoint\n";
         }
         my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
@@ -408,7 +410,7 @@ EOF
 EOF
 
     if (scalar @extraOptions > 0) {
-      $fileSystems .= <<EOF;
+        $fileSystems .= <<EOF;
       options = \[ ${\join " ", map { "\"" . $_ . "\"" } uniq(@extraOptions)} \];
 EOF
     }
@@ -417,6 +419,25 @@ EOF
     };
 
 EOF
+
+    # If this filesystem is on a LUKS device, then add a
+    # boot.initrd.luks.devices entry.
+    if (-e $device) {
+        my $deviceName = basename(abs_path($device));
+        if (-e "/sys/class/block/$deviceName"
+            && read_file("/sys/class/block/$deviceName/dm/uuid",  err_mode => 'quiet') =~ /^CRYPT-LUKS/)
+        {
+            my @slaves = glob("/sys/class/block/$deviceName/slaves/*");
+            if (scalar @slaves == 1) {
+                my $slave = "/dev/" . basename($slaves[0]);
+                if (-e $slave) {
+                    my $dmName = read_file("/sys/class/block/$deviceName/dm/name");
+                    chomp $dmName;
+                    $fileSystems .= "  boot.initrd.luks.devices.\"$dmName\".device = \"${\(findStableDevPath $slave)}\";\n\n";
+                }
+            }
+        }
+    }
 }
 
 
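Review bot: `$dmName` and the result of `findStableDevPath $slave` are spliced into a double-quoted Nix string without escaping. A mapper name containing `"`, `\` or `${` therefore produces a `hardware-configuration.nix` that fails to parse or evaluates something other than the literal name. Escaping before interpolation, for example `(my $q = $dmName) =~ s/(["\\]|\$\{)/\\$1/g;` and then using `$q`, keeps the generated attribute name literal. The second `read_file` (for `dm/name`) also omits the `err_mode => 'quiet'` used two lines earlier, so a device that disappears between the two reads would abort the whole run instead of skipping the entry.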
@@ -440,7 +461,7 @@ sub toNixList {
 sub multiLineList {
     my $indent = shift;
     return " [ ]" if !@_;
-    $res = "\n${indent}[ ";
+    my $res = "\n${indent}[ ";
     my $first = 1;
     foreach my $s (@_) {
         $res .= "$indent  " if !$first;
@@ -457,7 +478,7 @@ my $modulePackages = toNixList(uniq @modulePackages);
 
 my $fsAndSwap = "";
 if (!$noFilesystems) {
-    $fsAndSwap = "\n${fileSystems}  ";
+    $fsAndSwap = "\n$fileSystems  ";
     $fsAndSwap .= "swapDevices =" . multiLineList("    ", @swapDevices) . ";\n";
 }
 
@@ -494,7 +515,7 @@ if ($showHardwareConfig) {
     if ($force || ! -e $fn) {
         print STDERR "writing $fn...\n";
 
-        my $bootloaderConfig = "";
+        my $bootLoaderConfig = "";
         if (-e "/sys/firmware/efi/efivars") {
             $bootLoaderConfig = <<EOF;
   # Use the gummiboot efi boot loader.
@@ -568,7 +589,7 @@ $bootLoaderConfig
   # };
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "@nixosRelease@";
+  system.stateVersion = "${\(qw(@nixosRelease@))}";
 
 }
 EOF
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index b2cb121d1d63..149062a6b332 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -267,6 +267,7 @@
       graylog = 243;
       sniproxy = 244;
       nzbget = 245;
+      mosquitto = 246;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -504,6 +505,7 @@
       emby = 242;
       sniproxy = 244;
       nzbget = 245;
+      mosquitto = 246;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index f12ecc1b88ec..fd7cadf76cc1 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -5,9 +5,11 @@ with lib;
 let
   cfg = config.system;
 
-  releaseFile = "${toString pkgs.path}/.version";
-  suffixFile = "${toString pkgs.path}/.version-suffix";
+  releaseFile  = "${toString pkgs.path}/.version";
+  suffixFile   = "${toString pkgs.path}/.version-suffix";
   revisionFile = "${toString pkgs.path}/.git-revision";
+  gitRepo      = "${toString pkgs.path}/.git";
+  gitCommitId  = lib.substring 0 7 (commitIdFromGitRepo gitRepo);
 in
 
 {
@@ -102,6 +104,8 @@ in
       # changing them would not rebuild the manual
       nixosLabel   = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
       nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
+      nixosRevision      = mkIf (pathExists gitRepo) (mkDefault            gitCommitId);
+      nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));
 
       # Note: code names must only increase in alphabetical order.
       nixosCodeName = "Flounder";
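Review bot: `pathExists gitRepo` is also true when `.git` is a regular file, as in a `git worktree` checkout or a submodule. In that layout `commitIdFromGitRepo` presumably cannot read `HEAD` beneath it, which would turn evaluation of `nixosRevision` and `nixosVersionSuffix` into an error instead of falling back to the file-based defaults. Guarding both `mkIf`s on `pathExists (gitRepo + "/HEAD")` would avoid that. The definition of `commitIdFromGitRepo` is not part of this diff, so confirm how it treats that layout; the `gitRepo`/`gitCommitId` bindings are in the first hunk of this file.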
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 370220d253a5..be41b5ebcdd7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -347,6 +347,7 @@
   ./services/networking/mjpg-streamer.nix
   ./services/networking/minidlna.nix
   ./services/networking/miniupnpd.nix
+  ./services/networking/mosquitto.nix
   ./services/networking/mstpd.nix
   ./services/networking/murmur.nix
   ./services/networking/namecoind.nix
diff --git a/nixos/modules/programs/man.nix b/nixos/modules/programs/man.nix
index 201144ccb451..e59ffd6f936d 100644
--- a/nixos/modules/programs/man.nix
+++ b/nixos/modules/programs/man.nix
@@ -19,7 +19,7 @@ with lib;
 
   config = mkIf config.programs.man.enable {
 
-    environment.systemPackages = [ pkgs.man ];
+    environment.systemPackages = [ pkgs.man-db ];
 
     environment.pathsToLink = [ "/share/man" ];
 
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 2f37f180c7ec..3440261c3965 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -34,6 +34,8 @@ with lib;
     # Old Grub-related options.
     (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
     (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
+    (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ])
+    (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ])
 
     # smartd
     (mkRenamedOptionModule [ "services" "smartd" "deviceOpts" ] [ "services" "smartd" "defaults" "monitored" ])
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 7d69f9b1183d..99dd514feea3 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -96,7 +96,7 @@ in
           }:
 
           ''
-            if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
+            if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
                 # If we can't find the program, fall back to the
                 # system profile.
                 source=/nix/var/nix/profiles/default/bin/${program}
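Review bot: Nothing in the hunk says why the wrapper source is now resolved with `readlink -f`, and on a setuid path that reasoning matters to the next reader. A short comment above the `if` would record it; the exact reason is not visible here, so the wording has to come from the author. The fallback branch now also depends on `readlink -f` failing when `type -tP` prints nothing: the inner substitution is unquoted, so `readlink` is called with no operand, which as far as I can tell exits non-zero but writes a usage error into the activation output. The shell snippet continues outside this hunk.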
diff --git a/nixos/modules/services/mail/opensmtpd.nix b/nixos/modules/services/mail/opensmtpd.nix
index 42a1244cde57..e773cdedaea2 100644
--- a/nixos/modules/services/mail/opensmtpd.nix
+++ b/nixos/modules/services/mail/opensmtpd.nix
@@ -107,7 +107,16 @@ in {
       wantedBy = [ "multi-user.target" ];
       wants = [ "network.target" ];
       after = [ "network.target" ];
-      preStart = "mkdir -p /var/spool";
+      preStart = ''
+        mkdir -p /var/spool/smtpd
+
+        mkdir -p /var/spool/smtpd/offline
+        chown root.smtpq /var/spool/smtpd/offline
+        chmod 770 /var/spool/smtpd/offline
+
+        mkdir -p /var/spool/smtpd/purge
+        chmod 700 /var/spool/smtpd/purge
+      '';
       serviceConfig.ExecStart = "${opensmtpd}/sbin/smtpd -d -f ${conf} ${args}";
       environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd";
     };
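Review bot: `chown root.smtpq` uses the dot separator, which chown accepts only for backward compatibility and which is ambiguous when a user name contains a dot; `chown root:smtpq /var/spool/smtpd/offline` is the portable form. The directories are also created with the default mode and tightened afterwards, and `/var/spool/smtpd` itself gets no explicit owner or mode. `mkdir -p -m 770 /var/spool/smtpd/offline` and `mkdir -p -m 700 /var/spool/smtpd/purge` would set the mode at creation, with the `chmod` lines kept for directories that already exist.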
diff --git a/nixos/modules/services/networking/chrony.nix b/nixos/modules/services/networking/chrony.nix
index 1cd678e7c621..a38142b4a08f 100644
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/chrony.nix
@@ -64,7 +64,7 @@ in
 
   ###### implementation
 
-  config = mkIf config.services.chrony.enable {
+  config = mkIf cfg.enable {
 
     # Make chronyc available in the system path
     environment.systemPackages = [ pkgs.chrony ];
@@ -101,12 +101,14 @@ in
         home = stateDir;
       };
 
-    systemd.services.ntpd.enable = false;
+    systemd.services.ntpd.enable = mkForce false;
 
     systemd.services.chronyd =
       { description = "chrony NTP daemon";
 
         wantedBy = [ "multi-user.target" ];
+        wants = [ "time-sync.target" ];
+        before = [ "time-sync.target" ];
         after = [ "network.target" ];
         conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
 
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index bb0dc756ba47..2a6161ee873a 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -90,7 +90,7 @@ in
         example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
         default = pkgs.fetchurl {
           url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv";
-          sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd";
+          sha256 = "0lac20qhcgjxxiiz8jzcn3hkqj4ywl58hahp5n2i6vf9akfyqp7c";
         };
         defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }";
       };
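Review bot: The new `sha256` pins a file fetched from the `master` branch of the upstream repository, so the fixed-output hash will stop matching as soon as the resolver list is edited again, and every user of the default will hit a hash mismatch. Pointing `url` at a specific commit or release tag of `dnscrypt-resolvers.csv` would keep the hash stable and record which revision of the resolver list was actually reviewed. The option definition begins and ends outside this hunk.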
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
new file mode 100644
index 000000000000..f926cd710c8d
--- /dev/null
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -0,0 +1,219 @@
+{ config, lib, pkgs, ...}:
+
+with lib;
+
+let
+  cfg = config.services.mosquitto;
+
+  listenerConf = optionalString cfg.ssl.enable ''
+    listener ${toString cfg.ssl.port} ${cfg.ssl.host}
+    cafile ${cfg.ssl.cafile}
+    certfile ${cfg.ssl.certfile}
+    keyfile ${cfg.ssl.keyfile}
+  '';
+
+  mosquittoConf = pkgs.writeText "mosquitto.conf" ''
+    pid_file /run/mosquitto/pid
+    acl_file ${aclFile}
+    persistence true
+    allow_anonymous ${if cfg.allowAnonymous then "true" else "false"}
+    bind_address ${cfg.host}
+    port ${toString cfg.port}
+    ${listenerConf}
+    ${cfg.extraConf}
+  '';
+
+  userAcl = (concatStringsSep "\n\n" (mapAttrsToList (n: c:
+    "user ${n}\n" + (concatStringsSep "\n" c.acl)) cfg.users
+  ));
+
+  aclFile = pkgs.writeText "mosquitto.acl" ''
+    ${cfg.aclExtraConf}
+    ${userAcl}
+  '';
+
+in
+
+{
+
+  ###### Interface
+
+  options = {
+    services.mosquitto = {
+      enable = mkEnableOption "Enable the MQTT Mosquitto broker.";
+
+      host = mkOption {
+        default = "127.0.0.1";
+        example = "0.0.0.0";
+        type = types.string;
+        description = ''
+          Host to listen on without SSL.
+        '';
+      };
+
+      port = mkOption {
+        default = 1883;
+        example = 1883;
+        type = types.int;
+        description = ''
+          Port on which to listen without SSL.
+        '';
+      };
+
+      ssl = {
+        enable = mkEnableOption "Enable SSL listener.";
+
+        cafile = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Path to PEM encoded CA certificates.";
+        };
+
+        certfile = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Path to PEM encoded server certificate.";
+        };
+
+        keyfile = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Path to PEM encoded server key.";
+        };
+
+        host = mkOption {
+          default = "0.0.0.0";
+          example = "localhost";
+          type = types.string;
+          description = ''
+            Host to listen on with SSL.
+          '';
+        };
+
+        port = mkOption {
+          default = 8883;
+          example = 8883;
+          type = types.int;
+          description = ''
+            Port on which to listen with SSL.
+          '';
+        };
+      };
+
+      dataDir = mkOption {
+        default = "/var/lib/mosquitto";
+        type = types.path;
+        description = ''
+          The data directory.
+        '';
+      };
+
+      users = mkOption {
+        type = types.attrsOf (types.submodule {
+          options = {
+            password = mkOption {
+              type = with types; uniq (nullOr str);
+              default = null;
+              description = ''
+                Specifies the (clear text) password for the MQTT User.
+              '';
+            };
+
+            hashedPassword = mkOption {
+              type = with types; uniq (nullOr str);
+              default = null;
+              description = ''
+                Specifies the hashed password for the MQTT User.
+                <option>hashedPassword</option> overrides <option>password</option>.
+                To generate hashed password install <literal>mkpasswd</literal>
+                package and run <literal>mkpasswd -m sha-512</literal>.
+              '';
+            };
+
+            acl = mkOption {
+              type = types.listOf types.string;
+              example = [ "topic read A/B" "topic A/#" ];
+              description = ''
+                Control client access to topics on the broker.
+              '';
+            };
+          };
+        });
+        example = { john = { password = "123456"; acl = [ "topic readwrite john/#" ]; }; };
+        description = ''
+          A set of users and their passwords and ACLs.
+        '';
+      };
+
+      allowAnonymous = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = ''
+          Allow clients to connect without authentication.
+        '';
+      };
+
+      extraConf = mkOption {
+        default = "";
+        type = types.lines;
+        description = ''
+          Extra config to append to `mosquitto.conf` file.
+        '';
+      };
+
+      aclExtraConf = mkOption {
+        default = "";
+        type = types.lines;
+        description = ''
+          Extra config to prepend to the ACL file.
+        '';
+      };
+
+    };
+  };
+
+
+  ###### Implementation
+
+  config = mkIf cfg.enable {
+
+    systemd.services.mosquitto = {
+      description = "Mosquitto MQTT Broker Daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Type = "forking";
+        User = "mosquitto";
+        Group = "mosquitto";
+        RuntimeDirectory = "mosquitto";
+        WorkingDirectory = cfg.dataDir;
+        Restart = "on-failure";
+        ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf} -d";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        PIDFile = "/run/mosquitto/pid";
+      };
+      preStart = ''
+        rm -f ${cfg.dataDir}/passwd
+        touch ${cfg.dataDir}/passwd
+      '' + concatStringsSep "\n" (
+        mapAttrsToList (n: c:
+          if c.hashedPassword != null then
+            "echo '${n}:${c.hashedPassword}' > ${cfg.dataDir}/passwd"
+          else optionalString (c.password != null)
+            "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} ${c.password}"
+        ) cfg.users);
+    };
+
+    users.extraUsers.mosquitto = {
+      description = "Mosquitto MQTT Broker Daemon owner";
+      group = "mosquitto";
+      uid = config.ids.uids.mosquitto;
+      home = cfg.dataDir;
+      createHome = true;
+    };
+
+    users.extraGroups.mosquitto.gid = config.ids.gids.mosquitto;
+
+  };
+}
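Review bot: In `preStart` the `hashedPassword` branch writes with `>`, which truncates `${cfg.dataDir}/passwd`, so with more than one user every entry written before the last hashed one is lost; it should append with `>>`. The user name, the hash and the cleartext `password` are also interpolated into the shell script unquoted or inside bare single quotes, so whitespace or shell metacharacters in them change the command that runs; `escapeShellArg` avoids that. Even then the cleartext password is embedded in the generated start script (which, as far as I know, ends up in the world-readable Nix store) and appears on the `mosquitto_passwd` command line, which the `password` description should state. The generated `mosquitto.conf` has no `password_file` line, so unless `extraConf` supplies one the broker never reads the file this script builds. The file is also created by `touch` under the default umask; the sketch below creates it under `umask 077`.

```nix
      # … unchanged: description, wantedBy, after, serviceConfig …
      preStart = ''
        rm -f ${cfg.dataDir}/passwd
        (umask 077; touch ${cfg.dataDir}/passwd)
      '' + concatStringsSep "\n" (
        mapAttrsToList (n: c:
          if c.hashedPassword != null then
            "echo ${escapeShellArg "${n}:${c.hashedPassword}"} >> ${cfg.dataDir}/passwd"
          else optionalString (c.password != null)
            "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${escapeShellArg n} ${escapeShellArg c.password}"
        ) cfg.users);
```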
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix
index 5256fc9bc071..c8a085679280 100644
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@@ -82,6 +82,8 @@ in
       { description = "NTP Daemon";
 
         wantedBy = [ "multi-user.target" ];
+        wants = [ "time-sync.target" ];
+        before = [ "time-sync.target" ];
 
         preStart =
           ''
diff --git a/nixos/modules/services/networking/openntpd.nix b/nixos/modules/services/networking/openntpd.nix
index e53fc574fbea..a8625fa2fa91 100644
--- a/nixos/modules/services/networking/openntpd.nix
+++ b/nixos/modules/services/networking/openntpd.nix
@@ -64,7 +64,8 @@ in
     systemd.services.openntpd = {
       description = "OpenNTP Server";
       wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
+      wants = [ "network-online.target" "time-sync.target" ];
+      before = [ "time-sync.target" ];
       after = [ "dnsmasq.service" "bind.service" "network-online.target" ];
       serviceConfig.ExecStart = "${package}/sbin/ntpd -d -f ${cfgFile} ${cfg.extraOptions}";
     };
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 33c4910fc0ce..22e3bb0066cc 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -102,7 +102,7 @@ in
         partOf = optional config.networking.firewall.enable "firewall.service";
 
         restartTriggers = [ fail2banConf jailConf ];
-        path = [ pkgs.fail2ban pkgs.iptables ];
+        path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];
 
         preStart =
           ''
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 376f9f4b46b5..862ddc1d13f2 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -32,6 +32,12 @@ let
     ''
       #! ${pkgs.bash}/bin/bash
 
+      ${optionalString cfg.displayManager.logToJournal ''
+        if [ -z "$_DID_SYSTEMD_CAT" ]; then
+          _DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$1"
+        fi
+      ''}
+
       . /etc/profile
       cd "$HOME"
 
@@ -39,7 +45,7 @@ let
       sessionType="$1"
       if [ "$sessionType" = default ]; then sessionType=""; fi
 
-      ${optionalString (!cfg.displayManager.job.logsXsession) ''
+      ${optionalString (!cfg.displayManager.job.logsXsession && !cfg.displayManager.logToJournal) ''
         exec > ~/.xsession-errors 2>&1
       ''}
 
@@ -83,6 +89,8 @@ let
       # .local/share doesn't exist yet.
       mkdir -p $HOME/.local/share
 
+      unset _DID_SYSTEMD_CAT
+
       ${cfg.displayManager.sessionCommands}
 
       # Allow the user to execute commands at the beginning of the X session.
@@ -278,6 +286,16 @@ in
 
       };
 
+      logToJournal = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          By default, the stdout/stderr of sessions is written
+          to <filename>~/.xsession-errors</filename>. When this option
+          is enabled, it will instead be written to the journal.
+        '';
+      };
+
     };
 
   };
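Review bot: The `logToJournal` description opens with "By default, the stdout/stderr of sessions is written to ~/.xsession-errors", but the option is declared with `default = true`, so out of the box the output goes to the journal and the text describes the opposite. Wording such as `Whether to write the stdout/stderr of sessions to the journal instead of <filename>~/.xsession-errors</filename>.` matches the declared default. Since session output now lands in the journal rather than in a file in the user's home, a sentence noting where it can be read would also help administrators who relied on the old location.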
diff --git a/nixos/modules/services/x11/display-managers/kdm.nix b/nixos/modules/services/x11/display-managers/kdm.nix
index 9b937ff7ee18..d9f7f8f0dfc4 100644
--- a/nixos/modules/services/x11/display-managers/kdm.nix
+++ b/nixos/modules/services/x11/display-managers/kdm.nix
@@ -139,7 +139,7 @@ in
             mkdir -m 0755 -p /var/lib/kdm
             chown kdm /var/lib/kdm
             ${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") +
-              "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon"}
+              "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"}
           '';
         logsXsession = true;
       };
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 4f65ed72d36e..82d3e31e2a01 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -520,6 +520,7 @@ in
         serviceConfig = {
           Restart = "always";
           RestartSec = "200ms";
+          SyslogIdentifier = "display-manager";
         };
       };
 
@@ -527,10 +528,11 @@ in
       [ "-terminate"
         "-config ${configFile}"
         "-xkbdir" "${cfg.xkbDir}"
+        # Log at the default verbosity level to stderr rather than /var/log/X.*.log.
+        "-verbose" "3" "-logfile" "/dev/null"
       ] ++ optional (cfg.display != null) ":${toString cfg.display}"
         ++ optional (cfg.tty     != null) "vt${toString cfg.tty}"
         ++ optional (cfg.dpi     != null) "-dpi ${toString cfg.dpi}"
-        ++ optionals (cfg.display != null) [ "-logfile" "/var/log/X.${toString cfg.display}.log" ]
         ++ optional (!cfg.enableTCP) "-nolisten tcp";
 
     services.xserver.modules =
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 7fc467b60f7b..2e06a684f0cc 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -48,12 +48,13 @@ let
       bootPath = args.path;
       storePath = config.boot.loader.grub.storePath;
       bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
+      timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
       inherit efiSysMountPoint;
       inherit (args) devices;
       inherit (efi) canTouchEfiVariables;
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
-        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
         default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
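Review bot: The new `timeout = if config.boot.loader.timeout == null then -1 else ...` binding uses -1 without saying what it means. In GRUB 2 a timeout of -1 makes the menu wait indefinitely, which matters on unattended or headless machines; whether GRUB version 1 treats it the same way is not visible here. I would add a comment above the binding, for example `# -1: GRUB waits at the menu until a key is pressed (boot.loader.timeout = null).`. The attribute set this binding belongs to starts and ends outside the hunk.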
@@ -313,14 +314,6 @@ in
         '';
       };
 
-      timeout = mkOption {
-        default = if (config.boot.loader.timeout != null) then config.boot.loader.timeout else -1;
-        type = types.int;
-        description = ''
-          Timeout (in seconds) until GRUB boots the default menu item.
-        '';
-      };
-
       default = mkOption {
         default = 0;
         type = types.int;
diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
index 69ad2c6d44f4..aec697da4a1a 100644
--- a/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
+++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
@@ -16,7 +16,7 @@ let
 
     nix = config.nix.package.out;
 
-    timeout = if cfg.timeout != null then cfg.timeout else "";
+    timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";
 
     inherit (efi) efiSysMountPoint canTouchEfiVariables;
   };
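Review bot: When `boot.loader.timeout` is null this binding now yields `""`, whereas the option removed in the next hunk defaulted to 10000 in that case, so the effective behaviour for a null timeout changes. The binding also mixes an integer and a string without explanation. A comment such as `# "" means no timeout is written to the loader configuration (wording to be confirmed against the builder script)` would make the intent clear. If the release notes touched by this commit do not already mention the change, a line there would help users upgrading. The surrounding `let` block starts outside the hunk.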
@@ -29,20 +29,6 @@ in {
 
       description = "Whether to enable the gummiboot UEFI boot manager";
     };
-
-    timeout = mkOption {
-      default = if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout;
-
-      example = 4;
-
-      type = types.nullOr types.int;
-
-      description = ''
-        Timeout (in seconds) for how long to show the menu (null if none).
-        Note that even with no timeout the menu can be forced if the space
-        key is pressed during bootup
-      '';
-    };
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index ad53f25d61b8..8dad09c89207 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
     # Wait for luksRoot to appear, e.g. if on a usb drive.
     # XXX: copied and adapted from stage-1-init.sh - should be
     # available as a function.
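Review bot: The bare `assert name' == name;` in `openCommand` aborts evaluation with a generic assertion failure that does not say which device entry is wrong. The `name` option is only hidden (`visible = false` later in this diff), not removed, so a user can still set it to something other than the attribute key and hit this. I would replace the assert with `if name' != name then throw "boot.initrd.luks.devices.${name'}: 'name' must equal the attribute name" else`, or drop the `name` option altogether. The body of `openCommand` continues outside the hunk.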
@@ -192,9 +192,8 @@ let
     ''}
   '';
 
-  isPreLVM = f: f.preLVM;
-  preLVM = filter isPreLVM luks.devices;
-  postLVM = filter (f: !(isPreLVM f)) luks.devices;
+  preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
+  postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
 
 in
 {
@@ -228,31 +227,31 @@ in
     };
 
     boot.initrd.luks.devices = mkOption {
-      default = [ ];
-      example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]'';
+      default = { };
+      example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
       description = ''
-        The list of devices that should be decrypted using LUKS before trying to mount the
-        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
-
-        The devices are decrypted to the device mapper names defined.
-
-        Make sure that initrd has the crypto modules needed for decryption.
+        The encrypted disk that should be opened before the root
+        filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
+        setups are sypported. The unencrypted devices can be accessed as
+        <filename>/dev/mapper/<replaceable>name</replaceable></filename>.
       '';
 
-      type = types.listOf types.optionSet;
+      type = types.loaOf types.optionSet;
 
-      options = {
+      options = { name, ... }: { options = {
 
         name = mkOption {
+          visible = false;
+          default = name;
           example = "luksroot";
           type = types.str;
-          description = "Named to be used for the generated device in /dev/mapper.";
+          description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
         };
 
         device = mkOption {
-          example = "/dev/sda2";
+          example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
           type = types.str;
-          description = "Path of the underlying block device.";
+          description = "Path of the underlying encrypted block device.";
         };
 
         header = mkOption {
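Review bot: The new description of `boot.initrd.luks.devices` contains the typo `sypported` (should be `supported`) and says "The encrypted disk" although the option holds a set of devices. It also drops the earlier caveat `Make sure that initrd has the crypto modules needed for decryption.`, which is still useful because a missing module leaves the root device unopenable at boot. I would keep that sentence and open the description with `The encrypted disks that should be opened before the root filesystem is mounted.`. The `options` block continues outside the hunk.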
@@ -289,6 +288,7 @@ in
           '';
         };
 
+        # FIXME: get rid of this option.
         preLVM = mkOption {
           default = true;
           type = types.bool;
@@ -394,7 +394,7 @@ in
           };
         };
 
-      };
+      }; };
     };
 
     boot.initrd.luks.yubikeySupport = mkOption {
@@ -408,7 +408,7 @@ in
     };
   };
 
-  config = mkIf (luks.devices != []) {
+  config = mkIf (luks.devices != {}) {
 
     # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
     boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
@@ -463,8 +463,8 @@ in
       ''}
     '';
 
-    boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM;
-    boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM;
+    boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
+    boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
 
     environment.systemPackages = [ pkgs.cryptsetup ];
   };
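Review bot: `mapAttrsToList openCommand preLVM` (and the `postLVM` line after it) walks the set in attribute-name order, so devices are now opened alphabetically by name rather than in the order the user listed them. A setup where one device has to be opened before another would now depend on how the names sort; for example, `keyFile` is a visible parameter of `openCommand` and could point at a volume that must be opened first. If that is intended, a comment would make it explicit: `# NOTE: devices are opened in attribute-name order, not declaration order.`. The option description could say the same. The `config` block starts outside the hunk.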
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index e7f892945315..076bbca850d9 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -753,13 +753,6 @@ in
         "TMPFS_XATTR" "SECCOMP"
       ];
 
-    environment.shellAliases =
-      { start = "systemctl start";
-        stop = "systemctl stop";
-        restart = "systemctl restart";
-        status = "systemctl status";
-      };
-
     users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal;
     users.extraUsers.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
     users.extraGroups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix
index 70bbee8474eb..1f4d1db33cef 100644
--- a/nixos/modules/tasks/cpu-freq.nix
+++ b/nixos/modules/tasks/cpu-freq.nix
@@ -38,7 +38,7 @@ in
       description = "CPU Frequency Governor Setup";
       after = [ "systemd-modules-load.service" ];
       wantedBy = [ "multi-user.target" ];
-      path = [ cpupower ];
+      path = [ cpupower config.system.sbin.modprobe ];
       unitConfig.ConditionVirtualization = false;
       serviceConfig = {
         Type = "oneshot";
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index f0f56b17f20f..40a40c8a5700 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -113,6 +113,8 @@ let kernel = config.boot.kernelPackages.kernel; in
     # Make it easy to log in as root when running the test interactively.
     users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
 
+    services.xserver.displayManager.logToJournal = true;
+
   };
 
 }
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index 5d99bccb0e93..9e8417cde1df 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -32,8 +32,8 @@ let cfg = config.ec2; in
     # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
     boot.loader.grub.version = if cfg.hvm then 2 else 1;
     boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev";
-    boot.loader.grub.timeout = 0;
     boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";
+    boot.loader.timeout = 0;
 
     boot.initrd.postDeviceCommands =
       ''
diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix
index eedf115ee150..70a3d752f6d1 100644
--- a/nixos/modules/virtualisation/azure-common.nix
+++ b/nixos/modules/virtualisation/azure-common.nix
@@ -10,10 +10,10 @@ with lib;
   boot.kernelParams = [ "console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail" ];
   boot.initrd.kernelModules = [ "hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc" ];
 
-  # Generate a GRUB menu. 
+  # Generate a GRUB menu.
   boot.loader.grub.device = "/dev/sda";
   boot.loader.grub.version = 2;
-  boot.loader.grub.timeout = 0;
+  boot.loader.timeout = 0;
 
   # Don't put old configurations in the GRUB menu.  The user has no
   # way to select them anyway.
diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix
index bcafc06e47c0..456a19fc2512 100644
--- a/nixos/modules/virtualisation/brightbox-image.nix
+++ b/nixos/modules/virtualisation/brightbox-image.nix
@@ -94,7 +94,7 @@ in
 
   # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
   boot.loader.grub.device = "/dev/vda";
-  boot.loader.grub.timeout = 0;
+  boot.loader.timeout = 0;
 
   # Don't put old configurations in the GRUB menu.  The user has no
   # way to select them anyway.
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index fca21a8610be..dc65e4940549 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -338,7 +338,7 @@ in
             fi
           ''}
 
-
+          rm -f $root/var/lib/private/host-notify
 
           # Run systemd-nspawn without startup notification (we'll
           # wait for the container systemd to signal readiness).
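Review bot: The added `rm -f $root/var/lib/private/host-notify` has no comment explaining why the file is removed, and `$root` is left unquoted. Presumably it clears a notification socket left over from a previous start; a line such as `# Remove a stale notify socket from a previous run.` would record that once the author confirms it, and `rm -f "$root/var/lib/private/host-notify"` keeps the path a single word. The path is resolved by the host inside the container's root tree. It is therefore worth confirming that the container cannot make `var/lib/private` point elsewhere, although the effect would be limited to a file named `host-notify`. The start script continues outside the hunk.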
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 38417315df5b..2b522dbe2660 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -102,7 +102,7 @@ in
 
   # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
   boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.timeout = 0;
+  boot.loader.timeout = 0;
 
   # Don't put old configurations in the GRUB menu.  The user has no
   # way to select them anyway.
diff --git a/nixos/modules/virtualisation/nova-image.nix b/nixos/modules/virtualisation/nova-image.nix
index 13e36e7888b5..7971212b47c5 100644
--- a/nixos/modules/virtualisation/nova-image.nix
+++ b/nixos/modules/virtualisation/nova-image.nix
@@ -27,7 +27,7 @@ with lib;
 
   boot.kernelParams = [ "console=ttyS0" ];
   boot.loader.grub.device = "/dev/vda";
-  boot.loader.grub.timeout = 0;
+  boot.loader.timeout = 0;
 
   # Allow root logins
   services.openssh.enable = true;
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 8aa643687557..9d9b725a805d 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -465,7 +465,7 @@ in
       });
 
     swapDevices = mkVMOverride [ ];
-    boot.initrd.luks.devices = mkVMOverride [];
+    boot.initrd.luks.devices = mkVMOverride {};
 
     # Don't run ntpd in the guest.  It should get the correct time from KVM.
     services.ntp.enable = false;
diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index c8c4df5c9138..f275291c716c 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -69,6 +69,7 @@ in rec {
         (all nixos.tests.boot.uefiUsb)
         (all nixos.tests.boot-stage1)
         (all nixos.tests.ipv6)
+        (all nixos.tests.i3wm)
         (all nixos.tests.kde4)
         #(all nixos.tests.lightdm)
         (all nixos.tests.login)
diff --git a/nixos/tests/boot.nix b/nixos/tests/boot.nix
index af7db5aa8164..3ea0df65c8b5 100644
--- a/nixos/tests/boot.nix
+++ b/nixos/tests/boot.nix
@@ -12,7 +12,6 @@ let
       modules =
         [ ../modules/installer/cd-dvd/installation-cd-minimal.nix
           ../modules/testing/test-instrumentation.nix
-          { key = "serial"; }
         ];
     }).config.system.build.isoImage;
 
@@ -30,20 +29,25 @@ let
         '';
     };
 in {
+
     biosCdrom = makeBootTest "bios-cdrom" ''
         cdrom => glob("${iso}/iso/*.iso")
       '';
+
     biosUsb = makeBootTest "bios-usb" ''
         usb => glob("${iso}/iso/*.iso")
       '';
+
     uefiCdrom = makeBootTest "uefi-cdrom" ''
         cdrom => glob("${iso}/iso/*.iso"),
         bios => '${pkgs.OVMF}/FV/OVMF.fd'
       '';
+
     uefiUsb = makeBootTest "uefi-usb" ''
         usb => glob("${iso}/iso/*.iso"),
         bios => '${pkgs.OVMF}/FV/OVMF.fd'
       '';
+
     netboot = let
       config = (import ../lib/eval-config.nix {
           inherit system;
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 0b0e53ee7324..3fdf6510953e 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -360,14 +360,8 @@ in {
           "mount LABEL=boot /mnt/boot",
         );
       '';
-      # XXX: Currently, generate-config doesn't detect LUKS yet.
       extraConfig = ''
         boot.kernelParams = lib.mkAfter [ "console=tty0" ];
-        boot.initrd.luks.devices = lib.singleton {
-          name = "cryptroot";
-          device = "/dev/vda3";
-          preLVM = true;
-        };
       '';
       enableOCR = true;
       preBootCommands = ''
@@ -403,8 +397,6 @@ in {
               "mkdir /mnt/boot",
               "mount LABEL=boot /mnt/boot",
               "udevadm settle",
-              "mdadm --verbose -W /dev/md0", # wait for sync to finish; booting off an unsynced device tends to fail
-              "mdadm --verbose -W /dev/md1",
           );
         '';
       preBootCommands = ''
diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix
index da4c0bddc348..06efb034c086 100644
--- a/nixos/tests/virtualbox.nix
+++ b/nixos/tests/virtualbox.nix
@@ -326,6 +326,7 @@ let
       in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs;
       virtualisation.memorySize = 2048;
       virtualisation.virtualbox.host.enable = true;
+      services.xserver.displayManager.auto.user = "alice";
       users.extraUsers.alice.extraGroups = let
         inherit (config.virtualisation.virtualbox.host) enableHardening;
       in lib.mkIf enableHardening (lib.singleton "vboxusers");