Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/activation/bootspec.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/binfmt.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/grow-partition.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 12 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 7 | ||||
-rw-r--r-- | nixos/modules/system/boot/networkd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 9 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd-secrets.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/oomd.nix | 26 |
11 files changed, 53 insertions, 22 deletions
diff --git a/nixos/modules/system/activation/bootspec.nix b/nixos/modules/system/activation/bootspec.nix
index 98c234bc340d..2ed6964b2a6a 100644
--- a/nixos/modules/system/activation/bootspec.nix
+++ b/nixos/modules/system/activation/bootspec.nix
@@ -11,6 +11,7 @@ let
 cfg = config.boot.bootspec;
 children = lib.mapAttrs (childName: childConfig: childConfig.configuration.system.build.toplevel) config.specialisation;
+ hasAtLeastOneInitrdSecret = lib.length (lib.attrNames config.boot.initrd.secrets) > 0;
 schemas = {
 v1 = rec {
 filename = "boot.json";
@@ -27,6 +28,7 @@ let
 label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";
 } // lib.optionalAttrs config.boot.initrd.enable {
 initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
+ } // lib.optionalAttrs hasAtLeastOneInitrdSecret {
 initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets";
 };
 }));
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix
index d16152ab9dec..08e3dce70844 100644
--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- inherit (lib) mkOption mkDefault types optionalString stringAfter;
+ inherit (lib) mkOption mkDefault types optionalString;
 cfg = config.boot.binfmt;
diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix
index 897602f9826a..8a0fc3a03dac 100644
--- a/nixos/modules/system/boot/grow-partition.nix
+++ b/nixos/modules/system/boot/grow-partition.nix
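Review bot: `hasAtLeastOneInitrdSecret` is spelled as `lib.length (lib.attrNames config.boot.initrd.secrets) > 0`, which is the long form of an attrset emptiness test; `hasAtLeastOneInitrdSecret = config.boot.initrd.secrets != { };` states the same condition without the two intermediate calls. The binding is consumed by the second hunk of this file, which now gates the `initrdSecrets` entry of the bootspec on it, so the descriptive name is worth keeping. The enclosing `let` starts before the hunk.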
@@ -25,7 +25,7 @@ with lib;
 systemd.services.growpart = {
 wantedBy = [ "-.mount" ];
 after = [ "-.mount" ];
- before = [ "systemd-growfs-root.service" ];
+ before = [ "systemd-growfs-root.service" "shutdown.target" ];
 conflicts = [ "shutdown.target" ];
 unitConfig.DefaultDependencies = false;
 serviceConfig = {
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index a8cd2e8f05fc..61e61f32bc5e 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -243,8 +243,10 @@ in
 services.sshd = {
 description = "SSH Daemon";
- wantedBy = ["initrd.target"];
- after = ["network.target" "initrd-nixos-copy-secrets.service"];
+ wantedBy = [ "initrd.target" ];
+ after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+ before = [ "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
 # Keys from Nix store are world-readable, which sshd doesn't
 # like. If this were a real nix store and not the initrd, we
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 7097e1d83dca..0556c875241a 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -36,7 +36,7 @@ let
 # Package set of targeted architecture
 if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs;
- realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; }
+ realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; zfs = cfg.zfsPackage; }
 else grubPkgs.grub2;
 grub =
@@ -614,6 +614,16 @@ in
 '';
 };
+ zfsPackage = mkOption {
+ type = types.package;
+ internal = true;
+ default = pkgs.zfs;
+ defaultText = literalExpression "pkgs.zfs";
+ description = lib.mdDoc ''
+ Which ZFS package to use if `config.boot.loader.grub.zfsSupport` is true.
+ '';
+ };
+
 efiSupport = mkOption {
 default = false;
 type = types.bool;
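Review bot: The new `zfsPackage` option defaults to `pkgs.zfs`, so unless something else sets it (it is `internal = true`, which suggests another module is expected to) the libzfs built into GRUB can be a different version from the ZFS the running kernel uses, and a pool carrying features the GRUB-side library does not know about then fails to boot. I would expect the default to follow the system's ZFS package, e.g. `default = config.boot.zfs.package;` with a matching `defaultText`, or at least the description to name the module that is supposed to set this option. The `options` attrset continues outside the hunk.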
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index e2e7ffe59dcd..6cd46f30373b 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -20,13 +20,13 @@ from dataclasses import dataclass
 class BootSpec:
 init: str
 initrd: str
- initrdSecrets: str
 kernel: str
 kernelParams: List[str]
 label: str
 system: str
 toplevel: str
 specialisations: Dict[str, "BootSpec"]
+ initrdSecrets: str | None = None
@@ -131,9 +131,8 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
 specialisation=" (%s)" % specialisation if specialisation else "")
 try:
- subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)])
- except FileNotFoundError:
- pass
+ if bootspec.initrdSecrets is not None:
+ subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)])
 except subprocess.CalledProcessError:
 if current:
 print("failed to create initrd secrets!", file=sys.stderr)
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 3e10770812db..f236a4c005ad 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -597,6 +597,8 @@ let
 "DHCP"
 "DHCPServer"
 "LinkLocalAddressing"
+ "IPv6LinkLocalAddressGenerationMode"
+ "IPv6StableSecretAddress"
 "IPv4LLRoute"
 "DefaultRouteOnDevice"
 "LLMNR"
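Review bot: Dropping the `except FileNotFoundError: pass` arm changes what happens when `bootspec.initrdSecrets` is set but the named script is not present: `subprocess.check_call` now raises FileNotFoundError out of `write_entry`, aborting the whole bootloader update instead of skipping the secrets step for that generation. The removed arm was presumably covering older generations whose appender script is missing or garbage-collected; if that case can still occur, keep an explicit `except FileNotFoundError:` that prints a warning to stderr in the same style as the `CalledProcessError` arm rather than silently passing. `write_entry` starts and ends outside the hunk.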
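Review bot: `IPv6StableSecretAddress` is added as an ordinary [Network] key with no note that its value is the secret seed from which stable-privacy link-local addresses are derived; as far as I can tell from this module the rendered .network files end up in the world-readable Nix store, so a seed placed here is readable by every local user and the resulting addresses are no longer unpredictable. A comment next to the key, e.g. `# IPv6StableSecretAddress= is a secret seed; values set here land in the store in clear, so supply it via a drop-in outside the store if it must stay private`, would make that trade-off visible. The second hunk adds a value assertion only for `IPv6LinkLocalAddressGenerationMode`, so a malformed secret address is passed through to networkd unchecked. The `let` enclosing this list starts before the hunk.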
@@ -648,6 +650,7 @@ let
 (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6"])
 (assertValueOneOf "DHCPServer" boolValues)
 (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6" "fallback" "ipv4-fallback"])
+ (assertValueOneOf "IPv6LinkLocalAddressGenerationMode" ["eui64" "none" "stable-privacy" "random"])
 (assertValueOneOf "IPv4LLRoute" boolValues)
 (assertValueOneOf "DefaultRouteOnDevice" boolValues)
 (assertValueOneOf "LLMNR" (boolValues ++ ["resolve"]))
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index b898a6317962..538f71cc0b9a 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -23,12 +23,13 @@ in
 };
 services.resolved.fallbackDns = mkOption {
- default = [ ];
+ default = null;
 example = [ "8.8.8.8" "2001:4860:4860::8844" ];
- type = types.listOf types.str;
+ type = types.nullOr (types.listOf types.str);
 description = lib.mdDoc ''
 A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
- If this option is empty, a compiled-in list of DNS servers is used instead.
+ If this option is null, a compiled-in list of DNS servers is used instead.
+ Setting this option to an empty list will override the built-in list to an empty list, disabling fallback.
 '';
 };
@@ -134,7 +135,7 @@ in
 [Resolve]
 ${optionalString (config.networking.nameservers != [])
 "DNS=${concatStringsSep " " config.networking.nameservers}"}
- ${optionalString (cfg.fallbackDns != [])
+ ${optionalString (cfg.fallbackDns != null)
 "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
 ${optionalString (cfg.domains != [])
 "Domains=${concatStringsSep " " cfg.domains}"}
diff --git a/nixos/modules/system/boot/systemd/initrd-secrets.nix b/nixos/modules/system/boot/systemd/initrd-secrets.nix
index 7b59c0cbe7b8..d375238aa146 100644
--- a/nixos/modules/system/boot/systemd/initrd-secrets.nix
+++ b/nixos/modules/system/boot/systemd/initrd-secrets.nix
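Review bot: Moving the default from `[ ]` to `null` and giving `[ ]` a new meaning silently flips the behaviour of any existing configuration that sets `services.resolved.fallbackDns = [ ];` explicitly: it used to select the compiled-in fallback list, and through the second hunk's `cfg.fallbackDns != null` test it now emits an empty `FallbackDNS=` line that disables fallback, so such a host loses name resolution when its DHCP-provided servers go away. That deserves a release-notes entry, and a `lib.warnIf (cfg.fallbackDns == [ ]) "..."` hint on the config side for one release would catch the explicit-empty case without blocking anyone who wants the new semantics. The `options` and `config` attrsets both start outside their hunks.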
@@ -11,7 +11,8 @@ description = "Copy secrets into place";
 # Run as early as possible
 wantedBy = [ "sysinit.target" ];
- before = [ "cryptsetup-pre.target" ];
+ before = [ "cryptsetup-pre.target" "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
 unitConfig.DefaultDependencies = false;
 # We write the secrets to /.initrd-secrets and move them because this allows
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index d7e8a67c4bc9..4ae07944afc3 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -396,8 +396,7 @@ in {
 ManagerEnvironment=${lib.concatStringsSep " " (lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment)}
 '';
- "/lib/modules".source = "${modulesClosure}/lib/modules";
- "/lib/firmware".source = "${modulesClosure}/lib/firmware";
+ "/lib".source = "${modulesClosure}/lib";
 "/etc/modules-load.d/nixos.conf".text = concatStringsSep "\n" config.boot.initrd.kernelModules;
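Review bot: Collapsing the `/lib/modules` and `/lib/firmware` entries into a single `"/lib".source = "${modulesClosure}/lib"` makes the closure's whole `lib` directory the initrd's `/lib`; if another module or a user's `boot.initrd.systemd.contents` contributes a path below `/lib`, it now overlaps this entry instead of sitting beside the two narrower ones, and the hunk does not show how `contents` resolves such an overlap. A comment on the new line, e.g. `# modulesClosure/lib carries both modules and firmware; anything else under /lib must merge with it`, plus a check that the existing initrd tests still exercise firmware loading, would make the intent and the risk explicit. The attrset being built starts and ends outside the hunk.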
@@ -3,14 +3,18 @@ cfg = config.systemd.oomd;
 in {
+ imports = [
+ (lib.mkRenamedOptionModule [ "systemd" "oomd" "enableUserServices" ] [ "systemd" "oomd" "enableUserSlices" ])
+ ];
+
 options.systemd.oomd = {
 enable = lib.mkEnableOption (lib.mdDoc "the `systemd-oomd` OOM killer") // { default = true; };
 # Fedora enables the first and third option by default. See the 10-oomd-* files here:
- # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac351025597
+ # https://src.fedoraproject.org/rpms/systemd/tree/806c95e1c70af18f81d499b24cd7acfa4c36ffd6
 enableRootSlice = lib.mkEnableOption (lib.mdDoc "oomd on the root slice (`-.slice`)");
 enableSystemSlice = lib.mkEnableOption (lib.mdDoc "oomd on the system slice (`system.slice`)");
- enableUserServices = lib.mkEnableOption (lib.mdDoc "oomd on all user services (`user@.service`)");
+ enableUserSlices = lib.mkEnableOption (lib.mdDoc "oomd on all user slices (`user@.slice`) and all user owned slices");
 extraConfig = lib.mkOption {
 type = with lib.types; attrsOf (oneOf [ str int bool ]);
@@ -44,14 +48,24 @@ in {
 users.groups.systemd-oom = { };
 systemd.slices."-".sliceConfig = lib.mkIf cfg.enableRootSlice {
- ManagedOOMSwap = "kill";
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "80%";
 };
 systemd.slices."system".sliceConfig = lib.mkIf cfg.enableSystemSlice {
- ManagedOOMSwap = "kill";
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "80%";
 };
- systemd.services."user@".serviceConfig = lib.mkIf cfg.enableUserServices {
+ systemd.slices."user-".sliceConfig = lib.mkIf cfg.enableUserSlices {
 ManagedOOMMemoryPressure = "kill";
- ManagedOOMMemoryPressureLimit = "50%";
+ ManagedOOMMemoryPressureLimit = "80%";
+ };
+ systemd.user.units."slice" = lib.mkIf cfg.enableUserSlices {
+ text = ''
+ [Slice]
+ ManagedOOMMemoryPressure=kill
+ ManagedOOMMemoryPressureLimit=80%
+ '';
+ overrideStrategy = "asDropin";
 };
 };
 }
|
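Review bot: The pair `ManagedOOMMemoryPressure = "kill"; ManagedOOMMemoryPressureLimit = "80%";` is now written out three times as Nix attrs and a fourth time as INI text in the user-level `slice` drop-in, so the threshold lives in four places that can drift apart; a `let`-bound attrset holding the two settings, with the drop-in text generated from it, would keep a single source of truth. A short comment saying why 80% replaced the earlier 50% (matching the Fedora defaults the first hunk's comment points at, if that is the reason) would also help the next reader, since the value is load-bearing for what gets killed under pressure. Note that the `systemd.user.units."slice"` drop-in applies to every user slice, a wider scope than the old `user@.service` setting; the renamed option's description in the first hunk does say so. The `config` attrset starts outside the hunk.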