Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 9 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/iso-image.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 2 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 18 | ||||
-rw-r--r-- | nixos/modules/security/pam_mount.nix | 72 | ||||
-rw-r--r-- | nixos/modules/services/hardware/udisks2.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/subsonic.nix | 157 | ||||
-rw-r--r-- | nixos/modules/services/misc/sundtek.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/networking/quassel.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/zerotierone.nix | 32 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/default.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 29 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/install-grub.pl | 39 | ||||
-rw-r--r-- | nixos/modules/virtualisation/docker.nix | 3 | ||||
-rw-r--r-- | nixos/tests/docker.nix | 4 |
18 files changed, 383 insertions, 32 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 9d48edf2f26c..478f433b431c 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -108,6 +108,15 @@ let description = "The user's home directory."; }; + cryptHomeLuks = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Path to encrypted luks device that contains + the user's home directory. + ''; + }; + shell = mkOption { type = types.str; default = "/run/current-system/sw/bin/nologin"; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 0128fa9f33dd..c9abff2ecfc0 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -216,7 +216,7 @@ in # !!! Hack - attributes expected by other modules. system.boot.loader.kernelFile = "bzImage"; - environment.systemPackages = [ pkgs.grub2 pkgs.syslinux ]; + environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ]; # In stage 1 of the boot, mount the CD as the root FS by label so # that we don't need to know its device. We pass the label of the diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index a929e1eb8262..b768be6a3e01 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -354,7 +354,7 @@ EOF if ($status != 0 || join("", @msg) =~ /ERROR:/) { die "Failed to retrieve subvolume info for $mountPoint\n"; } - my @ids = join("", @id_info) =~ m/Object ID:[ \t\n]*([^ \t\n]*)/; + my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/; if ($#ids > 0) { die "Btrfs subvol name for $mountPoint listed multiple times in mount\n" } elsif ($#ids == 0) { diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 80d6ff20f9b4..88c860110179 100644 
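Review bot: The `cryptHomeLuks` description does not say when the value takes effect; in this commit `security/pam_mount.nix` is what reads it, and only under `mkIf (cfg.enable || anyPamMount)`, so setting it without `security.pam.mount.enable` or a service's `pamMount` does nothing. Suggest `Path to the encrypted LUKS device that contains the user's home directory. Only used when security.pam.mount is enabled (or pamMount is set on a PAM service).` The lower-case `luks` in the current text should be `LUKS`.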
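Review bot: The match on the changed line has no `/g`, so in list context `@ids` holds at most the single capture and the `$#ids > 0` branch on the next line (`listed multiple times`) can never be taken. If detecting duplicate `Subvolume ID:` lines is intended, the pattern needs `/g`, e.g. `my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/g;`; otherwise the branch should go. The same pattern and dead branch appear in `install-grub.pl` (the `@@ -185` hunk of this commit), so whichever fix is chosen should be applied there as well.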
--- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -225,6 +225,7 @@ uwsgi = 201; gitit = 202; riemanntools = 203; + subsonic = 204; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -428,6 +429,7 @@ uwsgi = 201; gitit = 202; riemanntools = 203; + subsonic = 204; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 4f0a4672ece1..f74b16f678fd 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -84,6 +84,7 @@ ./security/grsecurity.nix ./security/pam.nix ./security/pam_usb.nix + ./security/pam_mount.nix ./security/polkit.nix ./security/prey.nix ./security/rngd.nix @@ -217,6 +218,8 @@ ./services/misc/ripple-data-api.nix ./services/misc/rogue.nix ./services/misc/siproxd.nix + ./services/misc/subsonic.nix + ./services/misc/sundtek.nix ./services/misc/svnserve.nix ./services/misc/synergy.nix ./services/misc/uhub.nix @@ -344,6 +347,7 @@ ./services/networking/wicd.nix ./services/networking/wpa_supplicant.nix ./services/networking/xinetd.nix + ./services/networking/zerotierone.nix ./services/networking/znc.nix ./services/printing/cupsd.nix ./services/scheduling/atd.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 35622b12ea33..02520fb88cdd 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -126,6 +126,14 @@ let ''; }; + pamMount = mkOption { + default = config.security.pam.mount.enable; + type = types.bool; + description = '' + Enable PAM mount (pam_mount) system to mount fileystems on user login. + ''; + }; + allowNullPassword = mkOption { default = false; type = types.bool; 
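Review bot: The `pamMount` description has a typo, `fileystems` → `filesystems`; the same misspelling appears in the `security.pam.mount.enable` description in `pam_mount.nix`. It would also help to state the side effect this option has on the auth stack, since enabling it changes `pam_unix.so` from `sufficient` to `required` and drops the trailing `pam_deny.so` (see the `@@ -224` and `@@ -238` hunks below): `Enable PAM mount (pam_mount) system to mount filesystems on user login. Enabling this makes pam_unix.so a required module so that pam_mount.so runs after it.`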
@@ -224,7 +232,9 @@ let ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} ${optionalString cfg.unixAuth - "auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} + "auth ${if (config.security.pam.enableEcryptfs || cfg.pamMount) then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} + ${optionalString cfg.pamMount + "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} ${optionalString config.security.pam.enableEcryptfs "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.otpwAuth @@ -238,12 +248,14 @@ let auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass ''} - ${optionalString (! config.security.pam.enableEcryptfs) "auth required pam_deny.so"} + ${optionalString (!(config.security.pam.enableEcryptfs || cfg.pamMount)) "auth required pam_deny.so"} # Password management. ${optionalString config.security.pam.enableEcryptfs "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} password requisite pam_unix.so nullok sha512 + ${optionalString cfg.pamMount + "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} ${optionalString config.users.ldap.enable "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} ${optionalString config.krb5.enable @@ -280,6 +292,8 @@ let "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} ${optionalString (cfg.showMotd && config.users.motd != null) "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} + ${optionalString cfg.pamMount + "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} ''; }; 
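Review bot: With `cfg.pamMount` set, `pam_deny.so` is dropped from the end of the auth stack regardless of `cfg.unixAuth`; when `unixAuth = false` no `required` or `requisite` module remains, and if I read the control flags correctly a stack whose remaining entries are `optional` (pam_mount) or `sufficient` ones that all fall through no longer ends in an explicit denial. The `required` switch on `pam_unix.so` only covers the case where unixAuth is enabled, so the guard should tie the two together, e.g. `${optionalString (!(config.security.pam.enableEcryptfs || (cfg.pamMount && cfg.unixAuth))) "auth required pam_deny.so"}`. The pre-existing ecryptfs branch that this change mirrors has the same shape and would benefit from the same treatment.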
diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix
new file mode 100644
index 000000000000..a5299728348d
--- /dev/null
+++ b/nixos/modules/security/pam_mount.nix
@@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.pam.mount; + + anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); +in + +{ + options = { + + security.pam.mount = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable PAM mount system to mount fileystems on user login. + ''; + }; + + extraVolumes = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of volume definitions for pam_mount. + For more information, visit <link + xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. + ''; + }; + }; + + }; + + config = mkIf (cfg.enable || anyPamMount) { + + environment.systemPackages = [ pkgs.pam_mount ]; + environment.etc = [{ + target = "security/pam_mount.conf.xml"; + source = + let + extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.extraUsers; + userVolumeEntry = user: "<volume user=\"${user.name}\" path=\"${user.cryptHomeLuks}\" mountpoint=\"${user.home}\" />\n"; + in + pkgs.writeText "pam_mount.conf.xml" '' + <?xml version="1.0" encoding="utf-8" ?> + <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> + <!-- auto generated from Nixos: modules/config/users-groups.nix --> + <pam_mount> + <debug enable="0" /> + + ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} + ${concatStringsSep "\n" cfg.extraVolumes} + + <!-- if activated, requires ofl from hxtools to be present --> + <logout wait="0" hup="no" term="no" kill="no" /> + <!-- set PATH variable for pam_mount module --> + <path>${pkgs.utillinux}/bin</path> + <!-- create mount point if not present --> + <mkmountpoint enable="1" remove="true" /> + + <!-- specify the binaries to be called --> + <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> + <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> + <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o 
%(OPERATION)</pmvarrun> + </pam_mount> + ''; + }]; + + }; +} diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index f5b641c7378b..fd6d8886348e 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -46,7 +46,7 @@ with lib; serviceConfig = { Type = "dbus"; BusName = "org.freedesktop.UDisks2"; - ExecStart = "${pkgs.udisks2}/lib/udisks2/udisksd --no-debug"; + ExecStart = "${pkgs.udisks2}/libexec/udisks2/udisksd --no-debug"; }; }; }; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index b79a69e2ba8f..b5a8a7df9fca 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -143,7 +143,7 @@ in default = 0; description = '' Nix daemon process priority. This priority propagates to build processes. - 0 is the default Unix process priority, 20 is the lowest. + 0 is the default Unix process priority, 19 is the lowest. ''; }; diff --git a/nixos/modules/services/misc/subsonic.nix b/nixos/modules/services/misc/subsonic.nix new file mode 100644 index 000000000000..3e1a2e8fbb51 --- /dev/null +++ b/nixos/modules/services/misc/subsonic.nix 
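Review bot: `userVolumeEntry` writes `user.name`, `user.cryptHomeLuks` and `user.home` into XML attributes verbatim, so a value containing `"`, `&` or `<` yields a malformed or differently-parsed `pam_mount.conf.xml`, and `extraVolumes` is likewise spliced in unescaped. These values come from trusted configuration, so this is a robustness rather than an exposure problem, but the generated `<volume>` entries are what pam_mount acts on, so they should be XML-escaped before interpolation (`lib.escapeXML` where the lib provides it, otherwise a `replaceStrings` of those three characters) or rejected through an `assertions` entry. The `security.pam.mount.enable` description misspells `fileystems`, and the comment `auto generated from Nixos: modules/config/users-groups.nix` could also name this module, which is the actual generator.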
@@ -0,0 +1,157 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.subsonic; + homeDir = "/var/subsonic"; + +in +{ + options = { + services.subsonic = { + enable = mkEnableOption "Subsonic daemon"; + + home = mkOption { + type = types.path; + default = "${homeDir}"; + description = '' + The directory where Subsonic will create files. + Make sure it is writable. + ''; + }; + + host = mkOption { + type = types.string; + default = "0.0.0.0"; + description = '' + The host name or IP address on which to bind Subsonic. + Only relevant if you have multiple network interfaces and want + to make Subsonic available on only one of them. The default value + will bind Subsonic to all available network interfaces. + ''; + }; + + port = mkOption { + type = types.int; + default = 4040; + description = '' + The port on which Subsonic will listen for + incoming HTTP traffic. Set to 0 to disable. + ''; + }; + + httpsPort = mkOption { + type = types.int; + default = 0; + description = '' + The port on which Subsonic will listen for + incoming HTTPS traffic. Set to 0 to disable. + ''; + }; + + contextPath = mkOption { + type = types.path; + default = "/"; + description = '' + The context path, i.e., the last part of the Subsonic + URL. Typically '/' or '/subsonic'. Default '/' + ''; + }; + + maxMemory = mkOption { + type = types.int; + default = 100; + description = '' + The memory limit (max Java heap size) in megabytes. + Default: 100 + ''; + }; + + defaultMusicFolder = mkOption { + type = types.path; + default = "/var/music"; + description = '' + Configure Subsonic to use this folder for music. This option + only has effect the first time Subsonic is started. + ''; + }; + + defaultPodcastFolder = mkOption { + type = types.path; + default = "/var/music/Podcast"; + description = '' + Configure Subsonic to use this folder for Podcasts. This option + only has effect the first time Subsonic is started. 
+ ''; + }; + + defaultPlaylistFolder = mkOption { + type = types.path; + default = "/var/playlists"; + description = '' + Configure Subsonic to use this folder for playlists. This option + only has effect the first time Subsonic is started. + ''; + }; + + transcoders = mkOption { + type = types.listOf types.path; + default = [ "${pkgs.ffmpeg}/bin/ffmpeg" ]; + description = '' + List of paths to transcoder executables that should be accessible + from Subsonic. Symlinks will be created to each executable inside + ${cfg.home}/transcoders. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.subsonic = { + description = "Personal media streamer"; + after = [ "local-fs.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.jre}/bin/java -Xmx${toString cfg.maxMemory}m \ + -Dsubsonic.home=${cfg.home} \ + -Dsubsonic.host=${cfg.host} \ + -Dsubsonic.port=${toString cfg.port} \ + -Dsubsonic.httpsPort=${toString cfg.httpsPort} \ + -Dsubsonic.contextPath=${cfg.contextPath} \ + -Dsubsonic.defaultMusicFolder=${cfg.defaultMusicFolder} \ + -Dsubsonic.defaultPodcastFolder=${cfg.defaultPodcastFolder} \ + -Dsubsonic.defaultPlaylistFolder=${cfg.defaultPlaylistFolder} \ + -Djava.awt.headless=true \ + -verbose:gc \ + -jar ${pkgs.subsonic}/subsonic-booter-jar-with-dependencies.jar + ''; + # Install transcoders. + ExecStartPre = '' + ${pkgs.coreutils}/bin/rm -rf ${cfg.home}/transcode ; \ + ${pkgs.coreutils}/bin/mkdir -p ${cfg.home}/transcode ; \ + ${pkgs.bash}/bin/bash -c ' \ + for exe in "$@"; do \ + ${pkgs.coreutils}/bin/ln -sf "$exe" ${cfg.home}/transcode; \ + done' IGNORED_FIRST_ARG ${toString cfg.transcoders} + ''; + # Needed for Subsonic to find subsonic.war. 
+ WorkingDirectory = "${pkgs.subsonic}"; + Restart = "always"; + User = "subsonic"; + UMask = "0022"; + }; + }; + + users.extraUsers.subsonic = { + description = "Subsonic daemon user"; + home = homeDir; + createHome = true; + group = "subsonic"; + uid = config.ids.uids.subsonic; + }; + + users.extraGroups.subsonic.gid = config.ids.gids.subsonic; + }; +} diff --git a/nixos/modules/services/misc/sundtek.nix b/nixos/modules/services/misc/sundtek.nix new file mode 100644 index 000000000000..8438ef79904f --- /dev/null +++ b/nixos/modules/services/misc/sundtek.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.sundtek; + +in +{ + options.services.sundtek = { + enable = mkEnableOption "Sundtek driver"; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.sundtek ]; + + systemd.services.sundtek = { + description = "Sundtek driver"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "oneshot"; + ExecStart = '' + ${pkgs.sundtek}/bin/mediasrv -d -v -p ${pkgs.sundtek}/bin ;\ + ${pkgs.sundtek}/bin/mediaclient --start=5 --wait-for-devices + ''; + ExecStop = "${pkgs.sundtek}/bin/mediaclient --shutdown"; + RemainAfterExit = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index 005eb7bd7614..579d62884c78 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -3,7 +3,7 @@ with lib; let - quassel = pkgs.quasselDaemon_qt5; + quassel = pkgs.kde4.quasselDaemon; cfg = config.services.quassel; user = if cfg.user != null then cfg.user else "quassel"; in diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix new file mode 100644 index 000000000000..886ea18d9809 --- /dev/null +++ b/nixos/modules/services/networking/zerotierone.nix 
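Review bot: The `transcoders` description says symlinks are created inside `${cfg.home}/transcoders`, but `ExecStartPre` creates and populates `${cfg.home}/transcode`; one of the two needs to change, and since the description is an interpolated `''` string the doc text also varies with the user's `home` setting. The symlink loop hands `${toString cfg.transcoders}` to systemd's word splitting, so a transcoder path containing whitespace would be split into several arguments; quoting each element (e.g. `${concatMapStringsSep " " (p: ''"${p}"'') cfg.transcoders}`) would avoid that, store paths merely happen to be safe today. The module does not touch `networking.firewall`, so the `host`/`port` descriptions could say that the port must be opened separately when the firewall is enabled.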
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.zerotierone; +in +{ + options.services.zerotierone.enable = mkEnableOption "ZeroTierOne"; + + config = mkIf cfg.enable { + systemd.services.zerotierone = { + description = "ZeroTierOne"; + path = [ pkgs.zerotierone ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = + '' + mkdir -p /var/lib/zerotier-one + chmod 700 /var/lib/zerotier-one + chown -R root:root /var/lib/zerotier-one + ''; + serviceConfig = { + Type = "forking"; + User = "root"; + PIDFile = "/var/lib/zerotier-one/zerotier-one.pid"; + ExecStart = "${pkgs.zerotierone}/bin/zerotier-one -d"; + }; + }; + environment.systemPackages = [ pkgs.zerotierone ]; + }; +} diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 2885fd396525..7350a6a68c70 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -187,9 +187,6 @@ let <IfModule mod_mime_magic.c> MIMEMagicFile ${httpd}/conf/magic </IfModule> - - AddEncoding x-compress Z - AddEncoding x-gzip gz tgz ''; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 3c879450ba6d..c7cf712e3c2b 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -10,7 +10,8 @@ let realGrub = if cfg.version == 1 then pkgs.grub else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; } - else pkgs.grub2; + else if cfg.enableTrustedboot then pkgs.trustedGrub + else pkgs.grub2; grub = # Don't include GRUB if we're only generating a GRUB menu (e.g., 
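Review bot: `User = "root"` is set explicitly without a comment saying why, and the `chown -R root:root` in `preStart` repeats on every start. If root is needed because `zerotier-one` has to create and configure its network interface, a short comment such as `# zerotier-one needs root to create and configure its tun interface` above `serviceConfig` would record that; if not, a dedicated user plus the required capabilities would be the safer default. The `chmod 700` keeps `/var/lib/zerotier-one` unreadable by other users and is worth keeping either way.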
@@ -37,6 +38,7 @@ let grub = f grub; grubTarget = f (grub.grubTarget or ""); shell = "${pkgs.stdenv.shell}"; + fullName = (builtins.parseDrvName realGrub.name).name; fullVersion = (builtins.parseDrvName realGrub.name).version; grubEfi = f grubEfi; grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else ""; @@ -367,6 +369,15 @@ in ''; }; + enableTrustedboot = mkOption { + default = false; + type = types.bool; + description = '' + Enable trusted boot. Grub will measure all critical components during + the boot process to offer TCG (TPM) support. + ''; + }; + }; }; @@ -429,6 +440,22 @@ in assertion = all (c: c < 2) (mapAttrsToList (_: c: c) bootDeviceCounters); message = "You cannot have duplicated devices in mirroredBoots"; } + { + assertion = !cfg.enableTrustedboot || cfg.version == 2; + message = "Trusted GRUB is only available for GRUB 2"; + } + { + assertion = !cfg.efiSupport || !cfg.enableTrustedboot; + message = "Trusted GRUB does not have EFI support"; + } + { + assertion = !cfg.zfsSupport || !cfg.enableTrustedboot; + message = "Trusted GRUB does not have ZFS support"; + } + { + assertion = !cfg.enableTrustedboot; + message = "Trusted GRUB can break your system. Remove assertion if you want to test trustedGRUB nevertheless."; + } ] ++ flip concatMap cfg.mirroredBoots (args: [ { assertion = args.devices != [ ]; diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index cad9013bf5ad..34bff727b73a 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -7,6 +7,7 @@ use File::Path; use File::stat; use File::Copy; use File::Slurp; +use File::Temp; require List::Compare; use POSIX; use Cwd; 
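Review bot: The `enableTrustedboot` description (the `@@ -367` hunk) does not mention that the fourth new assertion in the `@@ -429` hunk, `assertion = !cfg.enableTrustedboot;`, rejects every configuration that sets the option to true, so as merged it cannot be used without editing the module. Either the description should say so (`Currently blocked by an assertion in this module; experimental.`) or the blanket assertion should become a warning so the three specific ones (GRUB 2 only, no EFI, no ZFS) can do their job. The message `Remove assertion if you want to test trustedGRUB nevertheless.` also reads as a development note rather than user-facing text.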
@@ -185,7 +186,7 @@ sub GrubFs { if ($status != 0) { die "Failed to retrieve subvolume info for @{[$fs->mount]}\n"; } - my @ids = join("", @id_info) =~ m/Object ID:[ \t\n]*([^ \t\n]*)/; + my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/; if ($#ids > 0) { die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n" } elsif ($#ids == 0) { @@ -433,15 +434,18 @@ foreach my $fn (glob "$bootPath/kernels/*") { # struct(GrubState => { + name => '$', version => '$', efi => '$', devices => '$', efiMountPoint => '$', }); sub readGrubState { - my $defaultGrubState = GrubState->new(version => "", efi => "", devices => "", efiMountPoint => "" ); + my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "" ); open FILE, "<$bootPath/grub/state" or return $defaultGrubState; local $/ = "\n"; + my $name = <FILE>; + chomp($name); my $version = <FILE>; chomp($version); my $efi = <FILE>; @@ -451,7 +455,7 @@ sub readGrubState { my $efiMountPoint = <FILE>; chomp($efiMountPoint); close FILE; - my $grubState = GrubState->new(version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint ); + my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint ); return $grubState } 
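Review bot: `readGrubState` now expects a name line first, but state files written by the previous version start with the version, so on the first run after this change each field is read one line off and `$efiMountPoint` ends up undefined; with warnings enabled the `chomp` and the later `ne` comparisons complain about undef. The mismatch does force `$requireNewInstall`, which is presumably the intended migration path, but the reads should tolerate a short file, e.g. `my $name = <FILE> // "";` and likewise for the other fields (the `@@ -451` hunk builds the object from them). A comment above the `GrubState` struct stating the file layout — one line each for name, version, EFI target, device list and EFI mount point, in that order — would tie the reader to the writer in the `@@ -543` hunk.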
@@ -496,20 +500,16 @@ my $efiTarget = getEfiTarget(); my $prevGrubState = readGrubState(); my @prevDeviceTargets = split/:/, $prevGrubState->devices; -my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference() ); -my $versionDiffer = (get("fullVersion") eq \$prevGrubState->version); -my $efiDiffer = ($efiTarget eq \$prevGrubState->efi); -my $efiMountPointDiffer = ($efiSysMountPoint eq \$prevGrubState->efiMountPoint); -my $requireNewInstall = $devicesDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1"); - -# install a symlink so that grub can detect the boot drive when set -# as the root directory -if (! -l "$bootPath/boot") { - if (-e "$bootPath/boot") { - unlink "$bootPath/boot"; - } - symlink ".", "$bootPath/boot"; -} +my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference()); +my $nameDiffer = get("fullName") ne $prevGrubState->name; +my $versionDiffer = get("fullVersion") ne $prevGrubState->version; +my $efiDiffer = $efiTarget ne $prevGrubState->efi; +my $efiMountPointDiffer = $efiSysMountPoint ne $prevGrubState->efiMountPoint; +my $requireNewInstall = $devicesDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1"); + +# install a symlink so that grub can detect the boot drive +my $tmpDir = File::Temp::tempdir(CLEANUP => 1) or die "Failed to create temporary space"; +symlink "$bootPath", "$tmpDir/boot" or die "Failed to symlink $tmpDir/boot"; # install non-EFI GRUB if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) { 
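Review bot: The replaced block also removed the code that managed the old `$bootPath/boot` symlink, but nothing now deletes the `boot -> .` link that earlier installs left in `$bootPath`, so it stays behind indefinitely after the switch to the temporary root directory; `unlink "$bootPath/boot" if -l "$bootPath/boot";` before the new `tempdir` call would retire it. As far as I can tell `File::Temp::tempdir` croaks on failure rather than returning false, so the `or die "Failed to create temporary space"` after it is never reached. The `symlink ... or die` message omits `$!`, which makes a failure hard to diagnose — `or die "Failed to symlink $tmpDir/boot: $!"`. The comment `install a symlink so that grub can detect the boot drive` no longer explains why a temporary directory is used instead of `$bootPath` itself; a sentence on that would help the next reader.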
@@ -517,10 +517,10 @@ if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) { next if $dev eq "nodev"; print STDERR "installing the GRUB $grubVersion boot loader on $dev...\n"; if ($grubTarget eq "") { - system("$grub/sbin/grub-install", "--recheck", "--root-directory=$bootPath", Cwd::abs_path($dev)) == 0 + system("$grub/sbin/grub-install", "--recheck", "--root-directory=$tmpDir", Cwd::abs_path($dev)) == 0 or die "$0: installation of GRUB on $dev failed\n"; } else { - system("$grub/sbin/grub-install", "--recheck", "--root-directory=$bootPath", "--target=$grubTarget", Cwd::abs_path($dev)) == 0 + system("$grub/sbin/grub-install", "--recheck", "--root-directory=$tmpDir", "--target=$grubTarget", Cwd::abs_path($dev)) == 0 or die "$0: installation of GRUB on $dev failed\n"; } } @@ -543,6 +543,7 @@ if (($requireNewInstall != 0) && ($efiTarget eq "only" || $efiTarget eq "both")) # update GRUB state file if ($requireNewInstall != 0) { open FILE, ">$bootPath/grub/state" or die "cannot create $bootPath/grub/state: $!\n"; + print FILE get("fullName"), "\n" or die; print FILE get("fullVersion"), "\n" or die; print FILE $efiTarget, "\n" or die; print FILE join( ":", @deviceTargets ), "\n" or die; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 49170f2220bc..ef9cc2280db7 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -103,6 +103,9 @@ in LimitNPROC = 1048576; } // proxy_env; + path = [ pkgs.kmod ]; + environment.MODULE_DIR = "/run/current-system/kernel-modules/lib/modules"; + postStart = '' while ! [ -e /var/run/docker.sock ]; do sleep 0.1 diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix index 63c909ff294c..fc6449b28d3e 100644 --- a/nixos/tests/docker.nix +++ b/nixos/tests/docker.nix 
@@ -15,8 +15,8 @@ import ./make-test.nix { startAll; $docker->waitForUnit("docker.service"); - $docker->succeed("tar cv --files-from /dev/null | docker import - scratch"); - $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratch /bin/sleep 10"); + $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg"); + $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"); $docker->succeed("docker ps | grep sleeping"); $docker->succeed("docker stop sleeping"); ''; |