diff options
Diffstat (limited to 'nixos/modules/tasks')
| -rw-r--r-- | nixos/modules/tasks/encrypted-devices.nix | 11 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems.nix | 19 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/bcachefs.nix | 26 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/btrfs.nix | 113 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/ecryptfs.nix | 14 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/ext.nix | 3 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/nfs.nix | 6 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 49 | ||||
| -rw-r--r-- | nixos/modules/tasks/kbd.nix | 14 | ||||
| -rw-r--r-- | nixos/modules/tasks/network-interfaces-scripted.nix | 138 | ||||
| -rw-r--r-- | nixos/modules/tasks/network-interfaces-systemd.nix | 35 | ||||
| -rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 178 | ||||
| -rw-r--r-- | nixos/modules/tasks/powertop.nix | 1 |
13 files changed, 447 insertions, 160 deletions
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index b1a7711ddcb4..da0c9408d891 100644 --- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -36,7 +36,7 @@ let keyFile = mkOption { default = null; - example = "/root/.swapkey"; + example = "/mnt-root/root/.swapkey"; type = types.nullOr types.str; description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>."; }; @@ -56,11 +56,18 @@ in }; config = mkIf anyEncrypted { + assertions = map (dev: { + assertion = dev.encrypted.label != null; + message = '' + The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set + ''; + }) encDevs; + boot.initrd = { luks = { devices = map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs; - cryptoModules = [ "aes" "sha256" "sha1" "xts" ]; + forceLuksSupportInInitrd = true; }; postMountCommands = concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs; diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 3951d617f6f1..b3690fad1a6a 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -115,11 +115,18 @@ let }; - config = { + config = let + defaultFormatOptions = + # -F needed to allow bare block device without partitions + if (builtins.substring 0 3 config.fsType) == "ext" then "-F" + # -q needed for non-interactive operations + else if config.fsType == "jfs" then "-q" + # (same here) + else if config.fsType == "reiserfs" then "-q" + else null; + in { options = mkIf config.autoResize [ "x-nixos.autoresize" ]; - - # -F needed to allow bare block device without partitions - formatOptions = mkIf ((builtins.substring 0 3 config.fsType) == "ext") (mkDefault "-F"); + formatOptions = mkIf (defaultFormatOptions != null) (mkDefault defaultFormatOptions); }; }; @@ -217,7 +224,7 @@ in # Add the mount helpers to the system path so that `mount' can find them. system.fsPackages = [ pkgs.dosfstools ]; - environment.systemPackages = [ pkgs.fuse ] ++ config.system.fsPackages; + environment.systemPackages = with pkgs; [ fuse3 fuse ] ++ config.system.fsPackages; environment.etc.fstab.text = let @@ -294,7 +301,7 @@ in "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; }; "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; }; "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; }; - "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; }; + "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; }; # To hold secrets that shouldn't be written to disk (generally used for NixOps, harmless elsewhere) "/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" "gid=${toString config.ids.gids.keys}" ]; }; diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix new file mode 100644 index 000000000000..227707173a3d --- /dev/null +++ b/nixos/modules/tasks/filesystems/bcachefs.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inInitrd = any (fs: fs == "bcachefs") config.boot.initrd.supportedFilesystems; + +in + +{ + config = mkIf (any (fs: fs == "bcachefs") config.boot.supportedFilesystems) { + + system.fsPackages = [ pkgs.bcachefs-tools ]; + + # use kernel package with bcachefs support until it's in mainline + boot.kernelPackages = pkgs.linuxPackages_testing_bcachefs; + boot.initrd.availableKernelModules = mkIf inInitrd [ "bcachefs" ]; + + boot.initrd.extraUtilsCommands = mkIf inInitrd + '' + copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/fsck.bcachefs + ''; + + }; +} diff --git a/nixos/modules/tasks/filesystems/btrfs.nix b/nixos/modules/tasks/filesystems/btrfs.nix index 8cfa1b6921d3..1384873b6631 100644 --- a/nixos/modules/tasks/filesystems/btrfs.nix +++ b/nixos/modules/tasks/filesystems/btrfs.nix @@ -1,35 +1,132 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; let inInitrd = any (fs: fs == "btrfs") config.boot.initrd.supportedFilesystems; + inSystem = any (fs: fs == "btrfs") config.boot.supportedFilesystems; + + cfgScrub = config.services.btrfs.autoScrub; + + enableAutoScrub = cfgScrub.enable; + enableBtrfs = inInitrd || inSystem || enableAutoScrub; in { - config = mkIf (any (fs: fs == "btrfs") config.boot.supportedFilesystems) { + options = { + # One could also do regular btrfs balances, but that shouldn't be necessary + # during normal usage and as long as the filesystems aren't filled near capacity + services.btrfs.autoScrub = { + enable = mkEnableOption "Enable regular btrfs scrub"; - system.fsPackages = [ pkgs.btrfs-progs ]; + fileSystems = mkOption { + type = types.listOf types.path; + example = [ "/" ]; + description = '' + List of paths to btrfs filesystems to regularily call <command>btrfs scrub</command> on. + Defaults to all mount points with btrfs filesystems. + If you mount a filesystem multiple times or additionally mount subvolumes, + you need to manually specify this list to avoid scrubbing multiple times. + ''; + }; - boot.initrd.kernelModules = mkIf inInitrd [ "btrfs" "crc32c" ]; + interval = mkOption { + default = "monthly"; + type = types.str; + example = "weekly"; + description = '' + Systemd calendar expression for when to scrub btrfs filesystems. + The recommended period is a month but could be less + (<citerefentry><refentrytitle>btrfs-scrub</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>). + See + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> + for more information on the syntax. + ''; + }; + + }; + }; - boot.initrd.extraUtilsCommands = mkIf inInitrd + config = mkMerge [ + (mkIf enableBtrfs { + system.fsPackages = [ pkgs.btrfs-progs ]; + + boot.initrd.kernelModules = mkIf inInitrd [ "btrfs" "crc32c" ]; + + boot.initrd.extraUtilsCommands = mkIf inInitrd '' copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfs ln -sv btrfs $out/bin/btrfsck ln -sv btrfsck $out/bin/fsck.btrfs ''; - boot.initrd.extraUtilsCommandsTest = mkIf inInitrd + boot.initrd.extraUtilsCommandsTest = mkIf inInitrd '' $out/bin/btrfs --version ''; - boot.initrd.postDeviceCommands = mkIf inInitrd + boot.initrd.postDeviceCommands = mkIf inInitrd '' btrfs device scan ''; - }; + }) + + (mkIf enableAutoScrub { + assertions = [ + { + assertion = cfgScrub.enable -> (cfgScrub.fileSystems != []); + message = '' + If 'services.btrfs.autoScrub' is enabled, you need to have at least one + btrfs file system mounted via 'fileSystems' or specify a list manually + in 'services.btrfs.autoScrub.fileSystems'. + ''; + } + ]; + + # This will yield duplicated units if the user mounts a filesystem multiple times + # or additionally mounts subvolumes, but going the other way around via devices would + # yield duplicated units when a filesystem spans multiple devices. + # This way around seems like the more sensible default. + services.btrfs.autoScrub.fileSystems = mkDefault (mapAttrsToList (name: fs: fs.mountPoint) + (filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems)); + + # TODO: Did not manage to do it via the usual btrfs-scrub@.timer/.service + # template units due to problems enabling the parameterized units, + # so settled with many units and templating via nix for now. + # https://github.com/NixOS/nixpkgs/pull/32496#discussion_r156527544 + systemd.timers = let + scrubTimer = fs: let + fs' = utils.escapeSystemdPath fs; + in nameValuePair "btrfs-scrub-${fs'}" { + description = "regular btrfs scrub timer on ${fs}"; + + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfgScrub.interval; + AccuracySec = "1d"; + Persistent = true; + }; + }; + in listToAttrs (map scrubTimer cfgScrub.fileSystems); + + systemd.services = let + scrubService = fs: let + fs' = utils.escapeSystemdPath fs; + in nameValuePair "btrfs-scrub-${fs'}" { + description = "btrfs scrub on ${fs}"; + + serviceConfig = { + Type = "oneshot"; + Nice = 19; + IOSchedulingClass = "idle"; + ExecStart = "${pkgs.btrfs-progs}/bin/btrfs scrub start -B ${fs}"; + }; + }; + in listToAttrs (map scrubService cfgScrub.fileSystems); + }) + ]; } diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix new file mode 100644 index 000000000000..12a407cabbfb --- /dev/null +++ b/nixos/modules/tasks/filesystems/ecryptfs.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: +# TODO: make ecryptfs work in initramfs? + +with lib; + +{ + config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) { + system.fsPackages = [ pkgs.ecryptfs ]; + security.wrappers = { + "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + }; + }; +} diff --git a/nixos/modules/tasks/filesystems/ext.nix b/nixos/modules/tasks/filesystems/ext.nix index cc9d0ef37d59..3a8999c242bd 100644 --- a/nixos/modules/tasks/filesystems/ext.nix +++ b/nixos/modules/tasks/filesystems/ext.nix @@ -5,7 +5,8 @@ system.fsPackages = [ pkgs.e2fsprogs ]; - boot.initrd.availableKernelModules = [ "ext2" "ext3" "ext4" ]; + # As of kernel 4.3, there is no separate ext3 driver (they're also handled by ext4.ko) + boot.initrd.availableKernelModules = [ "ext2" "ext4" ]; boot.initrd.extraUtilsCommands = '' diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index 73cf18384bd4..d3a558738f4b 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -85,8 +85,14 @@ in enable = mkDefault false; }; + systemd.services.auth-rpcgss-module = + { + unitConfig.ConditionPathExists = [ "" "/etc/krb5.keytab" ]; + }; + systemd.services.rpc-gssd = { restartTriggers = [ nfsConfFile ]; + unitConfig.ConditionPathExists = [ "" "/etc/krb5.keytab" ]; }; systemd.services.rpc-statd = diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 2de3a3d8a330..30c54ddd0e4e 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -24,7 +24,11 @@ let kernel = config.boot.kernelPackages; - packages = if config.boot.zfs.enableUnstable then { + packages = if config.boot.zfs.enableLegacyCrypto then { + spl = kernel.splLegacyCrypto; + zfs = kernel.zfsLegacyCrypto; + zfsUser = pkgs.zfsLegacyCrypto; + } else if config.boot.zfs.enableUnstable then { spl = kernel.splUnstable; zfs = kernel.zfsUnstable; zfsUser = pkgs.zfsUnstable; @@ -72,7 +76,28 @@ in version will have already passed an extensive test suite, but it is more likely to hit an undiscovered bug compared to running a released version of ZFS on Linux. - ''; + ''; + }; + + enableLegacyCrypto = mkOption { + type = types.bool; + default = false; + description = '' + Enabling this option will allow you to continue to use the old format for + encrypted datasets. With the inclusion of stability patches the format of + encrypted datasets has changed. They can still be accessed and mounted but + in read-only mode mounted. It is highly recommended to convert them to + the new format. + + This option is only for convenience to people that cannot convert their + datasets to the new format yet and it will be removed in due time. + + For migration strategies from old format to this new one, check the Wiki: + https://nixos.wiki/wiki/NixOS_on_ZFS#Encrypted_Dataset_Format_Change + + See https://github.com/zfsonlinux/zfs/pull/6864 for more details about + the stability patches. + ''; }; extraPools = mkOption { @@ -140,6 +165,17 @@ in this once. ''; }; + + requestEncryptionCredentials = mkOption { + type = types.bool; + default = config.boot.zfs.enableUnstable; + description = '' + Request encryption keys or passwords for all encrypted datasets on import. + + Dataset encryption is only supported in zfsUnstable at the moment. + ''; + }; + }; services.zfs.autoSnapshot = { @@ -257,12 +293,16 @@ in assertions = [ { assertion = config.networking.hostId != null; - message = "ZFS requires config.networking.hostId to be set"; + message = "ZFS requires networking.hostId to be set"; } { assertion = !cfgZfs.forceImportAll || cfgZfs.forceImportRoot; message = "If you enable boot.zfs.forceImportAll, you must also enable boot.zfs.forceImportRoot"; } + { + assertion = cfgZfs.requestEncryptionCredentials -> cfgZfs.enableUnstable; + message = "This feature is only available for zfs unstable. Set the NixOS option boot.zfs.enableUnstable."; + } ]; boot = { @@ -306,6 +346,9 @@ in done echo if [[ -n "$msg" ]]; then echo "$msg"; fi + ${lib.optionalString cfgZfs.requestEncryptionCredentials '' + zfs load-key -a + ''} '') rootPools)); }; diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index 3975dd5b0ffd..7fb3cbc5c1bc 100644 --- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -98,22 +98,10 @@ in '') config.i18n.consoleColors} ''; - /* XXX: systemd-vconsole-setup needs a "main" terminal. By default - * /dev/tty0 is used which wouldn't work when the service is restarted - * from X11. We set this to /dev/tty1; not ideal because it may also be - * owned by X11 or something else. - * - * See #22470. - */ systemd.services."systemd-vconsole-setup" = - { wantedBy = [ "sysinit.target" ]; - before = [ "display-manager.service" ]; + { before = [ "display-manager.service" ]; after = [ "systemd-udev-settle.service" ]; restartTriggers = [ vconsoleConf kbdEnv ]; - serviceConfig.ExecStart = [ - "" - "${pkgs.systemd}/lib/systemd/systemd-vconsole-setup /dev/tty1" - ]; }; } diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 0560176bf579..630fe6d114ce 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -9,19 +9,19 @@ let interfaces = attrValues cfg.interfaces; hasVirtuals = any (i: i.virtual) interfaces; + slaves = concatMap (i: i.interfaces) (attrValues cfg.bonds) + ++ concatMap (i: i.interfaces) (attrValues cfg.bridges) + ++ concatMap (i: i.interfaces) (attrValues cfg.vswitches) + ++ concatMap (i: [i.interface]) (attrValues cfg.macvlans) + ++ concatMap (i: [i.interface]) (attrValues cfg.vlans); + # We must escape interfaces due to the systemd interpretation subsystemDevice = interface: "sys-subsystem-net-devices-${escapeSystemdPath interface}.device"; interfaceIps = i: - i.ip4 ++ optionals cfg.enableIPv6 i.ip6 - ++ optional (i.ipAddress != null) { - address = i.ipAddress; - prefixLength = i.prefixLength; - } ++ optional (cfg.enableIPv6 && i.ipv6Address != null) { - address = i.ipv6Address; - prefixLength = i.ipv6PrefixLength; - }; + i.ipv4.addresses + ++ optionals cfg.enableIPv6 i.ipv6.addresses; destroyBond = i: '' while true; do @@ -71,7 +71,10 @@ let (hasAttr dev cfg.vswitches) || (hasAttr dev cfg.wlanInterfaces) then [ "${dev}-netdev.service" ] - else optional (dev != null && !config.boot.isContainer) (subsystemDevice dev); + else optional (dev != null && dev != "lo" && !config.boot.isContainer) (subsystemDevice dev); + + hasDefaultGatewaySet = (cfg.defaultGateway != null && cfg.defaultGateway.address != "") + || (cfg.enableIPv6 && cfg.defaultGateway6 != null && cfg.defaultGateway6.address != ""); networkLocalCommands = { after = [ "network-setup.service" ]; @@ -84,8 +87,9 @@ let after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ]; before = [ "network.target" "shutdown.target" ]; wants = [ "network.target" ]; + partOf = map (i: "network-addresses-${i.name}.service") interfaces; conflicts = [ "shutdown.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "multi-user.target" ] ++ optional hasDefaultGatewaySet "network-online.target"; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; @@ -113,24 +117,32 @@ let # Set the default gateway. ${optionalString (cfg.defaultGateway != null && cfg.defaultGateway.address != "") '' - # FIXME: get rid of "|| true" (necessary to make it idempotent). - ip route add default ${optionalString (cfg.defaultGateway.metric != null) + ${optionalString (cfg.defaultGateway.interface != null) '' + ip route replace ${cfg.defaultGateway.address} dev ${cfg.defaultGateway.interface} ${optionalString (cfg.defaultGateway.metric != null) + "metric ${toString cfg.defaultGateway.metric}" + } proto static + ''} + ip route replace default ${optionalString (cfg.defaultGateway.metric != null) "metric ${toString cfg.defaultGateway.metric}" } via "${cfg.defaultGateway.address}" ${ optionalString (cfg.defaultGatewayWindowSize != null) "window ${toString cfg.defaultGatewayWindowSize}"} ${ optionalString (cfg.defaultGateway.interface != null) - "dev ${cfg.defaultGateway.interface}"} proto static || true + "dev ${cfg.defaultGateway.interface}"} proto static ''} ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "") '' - # FIXME: get rid of "|| true" (necessary to make it idempotent). - ip -6 route add ::/0 ${optionalString (cfg.defaultGateway6.metric != null) + ${optionalString (cfg.defaultGateway6.interface != null) '' + ip -6 route replace ${cfg.defaultGateway6.address} dev ${cfg.defaultGateway6.interface} ${optionalString (cfg.defaultGateway6.metric != null) + "metric ${toString cfg.defaultGateway6.metric}" + } proto static + ''} + ip -6 route replace default ${optionalString (cfg.defaultGateway6.metric != null) "metric ${toString cfg.defaultGateway6.metric}" } via "${cfg.defaultGateway6.address}" ${ optionalString (cfg.defaultGatewayWindowSize != null) "window ${toString cfg.defaultGatewayWindowSize}"} ${ optionalString (cfg.defaultGateway6.interface != null) - "dev ${cfg.defaultGateway6.interface}"} proto static || true + "dev ${cfg.defaultGateway6.interface}"} proto static ''} ''; }; @@ -149,9 +161,11 @@ let in nameValuePair "network-addresses-${i.name}" { description = "Address configuration of ${i.name}"; - wantedBy = [ "network-setup.service" ]; - # propagate stop and reload from network-setup - partOf = [ "network-setup.service" ]; + wantedBy = [ + "network-setup.service" + "network-link-${i.name}.service" + "network.target" + ]; # order before network-setup because the routes that are configured # there may need ip addresses configured before = [ "network-setup.service" ]; @@ -165,33 +179,58 @@ let path = [ pkgs.iproute ]; script = '' - # FIXME: shouldn't this be done in network-link? - echo "bringing up interface..." - ip link set "${i.name}" up - state="/run/nixos/network/addresses/${i.name}" + mkdir -p $(dirname "$state") + ${flip concatMapStrings ips (ip: + let + cidr = "${ip.address}/${toString ip.prefixLength}"; + in + '' + echo "${cidr}" >> $state + echo -n "adding address ${cidr}... " + if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then + echo "done" + elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then + echo "failed" + exit 1 + fi + '' + )} + + state="/run/nixos/network/routes/${i.name}" mkdir -p $(dirname "$state") - '' + flip concatMapStrings (ips) (ip: - let - address = "${ip.address}/${toString ip.prefixLength}"; - in - '' - echo "${address}" >> $state - if out=$(ip addr add "${address}" dev "${i.name}" 2>&1); then - echo "added ip ${address}" - elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed to add ${address}" - exit 1 - fi - ''); + ${flip concatMapStrings (i.ipv4.routes ++ i.ipv6.routes) (route: + let + cidr = "${route.address}/${toString route.prefixLength}"; + via = optionalString (route.via != null) ''via "${route.via}"''; + options = concatStrings (mapAttrsToList (name: val: "${name} ${val} ") route.options); + in + '' + echo "${cidr}" >> $state + echo -n "adding route ${cidr}... " + if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then + echo "done" + elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then + echo "failed" + exit 1 + fi + '' + )} + ''; preStop = '' + state="/run/nixos/network/routes/${i.name}" + while read cidr; do + echo -n "deleting route $cidr... " + ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed" + done < "$state" + rm -f "$state" + state="/run/nixos/network/addresses/${i.name}" - while read address; do - echo -n "deleting $address..." - ip addr del "$address" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed" - echo "" + while read cidr; do + echo -n "deleting address $cidr... " + ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed" done < "$state" rm -f "$state" ''; @@ -203,16 +242,14 @@ let after = [ "dev-net-tun.device" "network-pre.target" ]; wantedBy = [ "network-setup.service" (subsystemDevice i.name) ]; partOf = [ "network-setup.service" ]; - before = [ "network-setup.service" (subsystemDevice i.name) ]; + before = [ "network-setup.service" ]; path = [ pkgs.iproute ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - ip tuntap add dev "${i.name}" \ - ${optionalString (i.virtualType != null) "mode ${i.virtualType}"} \ - user "${i.virtualOwner}" + ip tuntap add dev "${i.name}" mode "${i.virtualType}" user "${i.virtualOwner}" ''; postStop = '' ip link del ${i.name} || true @@ -229,7 +266,7 @@ let partOf = [ "network-setup.service" ] ++ optional v.rstp "mstpd.service"; after = [ "network-pre.target" ] ++ deps ++ optional v.rstp "mstpd.service" ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; - before = [ "network-setup.service" (subsystemDevice n) ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -339,7 +376,7 @@ let partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; - before = [ "network-setup.service" (subsystemDevice n) ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute pkgs.gawk ]; @@ -377,7 +414,7 @@ let bindsTo = deps; partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-setup.service" (subsystemDevice n) ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -402,7 +439,7 @@ let bindsTo = deps; partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-setup.service" (subsystemDevice n) ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -430,7 +467,7 @@ let bindsTo = deps; partOf = [ "network-setup.service" ]; after = [ "network-pre.target" ] ++ deps; - before = [ "network-setup.service" (subsystemDevice n) ]; + before = [ "network-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; path = [ pkgs.iproute ]; @@ -473,5 +510,8 @@ in config = mkMerge [ bondWarnings (mkIf (!cfg.useNetworkd) normalConfig) + { # Ensure slave interfaces are brought up + networking.interfaces = genAttrs slaves (i: {}); + } ]; } diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index a365a01bfb1e..c640e886fca8 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -9,14 +9,8 @@ let interfaces = attrValues cfg.interfaces; interfaceIps = i: - i.ip4 ++ optionals cfg.enableIPv6 i.ip6 - ++ optional (i.ipAddress != null) { - address = i.ipAddress; - prefixLength = i.prefixLength; - } ++ optional (cfg.enableIPv6 && i.ipv6Address != null) { - address = i.ipv6Address; - prefixLength = i.ipv6PrefixLength; - }; + i.ipv4.addresses + ++ optionals cfg.enableIPv6 i.ipv6.addresses; dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none"; @@ -74,27 +68,24 @@ in networks."99-main" = genericNetwork mkDefault; } (mkMerge (flip map interfaces (i: { - netdevs = mkIf i.virtual ( - let - devType = if i.virtualType != null then i.virtualType - else (if hasPrefix "tun" i.name then "tun" else "tap"); - in { - "40-${i.name}" = { - netdevConfig = { - Name = i.name; - Kind = devType; - }; - "${devType}Config" = optionalAttrs (i.virtualOwner != null) { - User = i.virtualOwner; - }; + netdevs = mkIf i.virtual ({ + "40-${i.name}" = { + netdevConfig = { + Name = i.name; + Kind = i.virtualType; + }; + "${i.virtualType}Config" = optionalAttrs (i.virtualOwner != null) { + User = i.virtualOwner; }; - }); + }; + }); networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) { name = mkDefault i.name; DHCP = mkForce (dhcpStr (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); address = flip map (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); + networkConfig.IPv6PrivacyExtensions = "kernel"; } ]; }))) (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: { diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 8ce7b2d2cf36..5036b701bd86 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, utils, stdenv, ... }: +{ config, options, lib, pkgs, utils, stdenv, ... }: with lib; with utils; @@ -101,7 +101,7 @@ let address = mkOption { type = types.str; description = '' - IPv${toString v} address of the interface. Leave empty to configure the + IPv${toString v} address of the interface. Leave empty to configure the interface using DHCP. ''; }; @@ -116,6 +116,40 @@ let }; }; + routeOpts = v: + { options = { + address = mkOption { + type = types.str; + description = "IPv${toString v} address of the network."; + }; + + prefixLength = mkOption { + type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128)); + description = '' + Subnet mask of the network, specified as the number of + bits in the prefix (<literal>${if v == 4 then "24" else "64"}</literal>). + ''; + }; + + via = mkOption { + type = types.nullOr types.str; + default = null; + description = "IPv${toString v} address of the next hop."; + }; + + options = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { mtu = "1492"; window = "524288"; }; + description = '' + Other route options. See the symbol <literal>OPTION</literal> + in the <literal>ip-route(8)</literal> manual page for the details. + ''; + }; + + }; + }; + gatewayCoerce = address: { inherit address; }; gatewayOpts = { ... }: { @@ -148,13 +182,22 @@ let interfaceOpts = { name, ... }: { options = { - name = mkOption { example = "eth0"; type = types.str; description = "Name of the interface."; }; + preferTempAddress = mkOption { + type = types.bool; + default = cfg.enableIPv6; + defaultText = literalExample "config.networking.enableIpv6"; + description = '' + When using SLAAC prefer a temporary (IPv6) address over the EUI-64 + address for originating connections. This is used to reduce tracking. + ''; + }; + useDHCP = mkOption { type = types.nullOr types.bool; default = null; @@ -165,7 +208,7 @@ let ''; }; - ip4 = mkOption { + ipv4.addresses = mkOption { default = [ ]; example = [ { address = "10.0.0.1"; prefixLength = 16; } @@ -177,7 +220,7 @@ let ''; }; - ip6 = mkOption { + ipv6.addresses = mkOption { default = [ ]; example = [ { address = "fdfd:b3f0:482::1"; prefixLength = 48; } @@ -189,50 +232,27 @@ let ''; }; - ipAddress = mkOption { - default = null; - example = "10.0.0.1"; - type = types.nullOr types.str; - description = '' - IP address of the interface. Leave empty to configure the - interface using DHCP. - ''; - }; - - prefixLength = mkOption { - default = null; - example = 24; - type = types.nullOr types.int; - description = '' - Subnet mask of the interface, specified as the number of - bits in the prefix (<literal>24</literal>). - ''; - }; - - subnetMask = mkOption { - default = null; - description = '' - Defunct, supply the prefix length instead. - ''; - }; - - ipv6Address = mkOption { - default = null; - example = "2001:1470:fffd:2098::e006"; - type = types.nullOr types.str; + ipv4.routes = mkOption { + default = []; + example = [ + { address = "10.0.0.0"; prefixLength = 16; } + { address = "192.168.2.0"; prefixLength = 24; via = "192.168.1.1"; } + ]; + type = with types; listOf (submodule (routeOpts 4)); description = '' - IPv6 address of the interface. Leave empty to configure the - interface using NDP. + List of extra IPv4 static routes that will be assigned to the interface. ''; }; - ipv6PrefixLength = mkOption { - default = 64; - example = 64; - type = types.int; + ipv6.routes = mkOption { + default = []; + example = [ + { address = "fdfd:b3f0::"; prefixLength = 48; } + { address = "2001:1470:fffd:2098::"; prefixLength = 64; via = "fdfd:b3f0::1"; } + ]; + type = with types; listOf (submodule (routeOpts 6)); description = '' - Subnet mask of the interface, specified as the number of - bits in the prefix (<literal>64</literal>). + List of extra IPv6 static routes that will be assigned to the interface. ''; }; @@ -273,11 +293,13 @@ let }; virtualType = mkOption { - default = null; - type = with types; nullOr (enum [ "tun" "tap" ]); + default = if hasPrefix "tun" name then "tun" else "tap"; + defaultText = literalExample ''if hasPrefix "tun" name then "tun" else "tap"''; + type = with types; enum [ "tun" "tap" ]; description = '' - The explicit type of interface to create. Accepts tun or tap strings. - Also accepts null to implicitly detect the type of device. + The type of interface to create. + The default is TUN for an interface name starting + with "tun", otherwise TAP. ''; }; @@ -305,6 +327,32 @@ let name = mkDefault name; }; + # Renamed or removed options + imports = + let + defined = x: x != "_mkMergedOptionModule"; + in [ + (mkRenamedOptionModule [ "ip4" ] [ "ipv4" "addresses"]) + (mkRenamedOptionModule [ "ip6" ] [ "ipv6" "addresses"]) + (mkRemovedOptionModule [ "subnetMask" ] '' + Supply a prefix length instead; use option + networking.interfaces.<name>.ipv{4,6}.addresses'') + (mkMergedOptionModule + [ [ "ipAddress" ] [ "prefixLength" ] ] + [ "ipv4" "addresses" ] + (cfg: with cfg; + optional (defined ipAddress && defined prefixLength) + { address = ipAddress; prefixLength = prefixLength; })) + (mkMergedOptionModule + [ [ "ipv6Address" ] [ "ipv6PrefixLength" ] ] + [ "ipv6" "addresses" ] + (cfg: with cfg; + optional (defined ipv6Address && defined ipv6PrefixLength) + { address = ipv6Address; prefixLength = ipv6PrefixLength; })) + + ({ options.warnings = options.warnings; }) + ]; + }; hexChars = stringToCharacters "0123456789abcdef"; @@ -441,7 +489,7 @@ in networking.interfaces = mkOption { default = {}; example = - { eth0.ip4 = [ { + { eth0.ipv4 = [ { address = "131.211.84.78"; prefixLength = 25; } ]; @@ -920,13 +968,27 @@ in config = { + warnings = concatMap (i: i.warnings) interfaces; + assertions = (flip map interfaces (i: { - assertion = i.subnetMask == null; - message = "The networking.interfaces.${i.name}.subnetMask option is defunct. Use prefixLength instead."; + # With the linux kernel, interface name length is limited by IFNAMSIZ + # to 16 bytes, including the trailing null byte. + # See include/linux/if.h in the kernel sources + assertion = stringLength i.name < 16; + message = '' + The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters. + ''; })) ++ (flip map slaveIfs (i: { - assertion = i.ip4 == [ ] && i.ipAddress == null && i.ip6 == [ ] && i.ipv6Address == null; - message = "The networking.interfaces.${i.name} must not have any defined ips when it is a slave."; + assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ]; + message = '' + The networking.interfaces."${i.name}" must not have any defined ips when it is a slave. + ''; + })) ++ (flip map interfaces (i: { + assertion = i.preferTempAddress -> cfg.enableIPv6; + message = '' + Temporary addresses are only needed when IPv6 is enabled. + ''; })) ++ [ { assertion = cfg.hostId == null || (stringLength cfg.hostId == 8 && isHexString cfg.hostId); @@ -949,9 +1011,10 @@ in "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); - } // listToAttrs (concatLists (flip map (filter (i: i.proxyARP) interfaces) - (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)) - )); + } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) + (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces) + (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability @@ -1059,6 +1122,9 @@ in '' + optionalString (i.mtu != null) '' echo "setting MTU to ${toString i.mtu}..." ip link set "${i.name}" mtu "${toString i.mtu}" + '' + '' + echo -n "bringing up interface... " + ip link set "${i.name}" up && echo "done" || (echo "failed"; exit 1) ''; }))); diff --git a/nixos/modules/tasks/powertop.nix b/nixos/modules/tasks/powertop.nix index 0ec4974789b4..609831506e16 100644 --- a/nixos/modules/tasks/powertop.nix +++ b/nixos/modules/tasks/powertop.nix @@ -16,6 +16,7 @@ in { powertop = { wantedBy = [ "multi-user.target" ]; description = "Powertop tunings"; + path = [ pkgs.kmod ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; |