nixpkgs/nixos/modules/services/hardware/fwupd.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

# fwupd daemon.

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.fwupd;

  format = pkgs.formats.ini {
    listToValue = l: lib.concatStringsSep ";" (map (s: generators.mkValueStringDefault {} s) l);
    mkKeyValue = generators.mkKeyValueDefault {} "=";
  };

  customEtc = {
    "fwupd/fwupd.conf" = {
      source = format.generate "fwupd.conf" ({
        fwupd = cfg.daemonSettings;
      } // lib.optionalAttrs (lib.length (lib.attrNames cfg.uefiCapsuleSettings) != 0) {
        uefi_capsule = cfg.uefiCapsuleSettings;
      });
      # fwupd tries to chmod the file if it doesn't have the right permissions
      mode = "0640";
    };
  };

  originalEtc =
    let
      mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
    in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc);
  extraTrustedKeys =
    let
      mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
      mkEtcFile = p: nameValuePair (mkName p) { source = p; };
    in listToAttrs (map mkEtcFile cfg.extraTrustedKeys);

  enableRemote = base: remote: {
    "fwupd/remotes.d/${remote}.conf" = {
      source = pkgs.runCommand "${remote}-enabled.conf" {} ''
        sed "s,^Enabled=false,Enabled=true," \
        "${base}/etc/fwupd/remotes.d/${remote}.conf" > "$out"
      '';
    };
  };
  remotes = (foldl'
    (configFiles: remote: configFiles // (enableRemote cfg.package remote))
    {}
    cfg.extraRemotes
  ) // (
    # We cannot include the file in $out and rely on filesInstalledToEtc
    # to install it because it would create a cyclic dependency between
    # the outputs. We also need to enable the remote,
    # which should not be done by default.
    lib.optionalAttrs
      (cfg.daemonSettings.TestDevices or false)
      (enableRemote cfg.package.installedTests "fwupd-tests")
  );

in {

  ###### interface
  options = {
    services.fwupd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to enable fwupd, a DBus service that allows
          applications to update firmware.
        '';
      };

      extraTrustedKeys = mkOption {
        type = types.listOf types.path;
        default = [];
        example = literalExpression "[ /etc/nixos/fwupd/myfirmware.pem ]";
        description = lib.mdDoc ''
          Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default.
        '';
      };

      extraRemotes = mkOption {
        type = with types; listOf str;
        default = [];
        example = [ "lvfs-testing" ];
        description = lib.mdDoc ''
          Enables extra remotes in fwupd. See `/etc/fwupd/remotes.d`.
        '';
      };

      package = mkPackageOption pkgs "fwupd" { };

      daemonSettings = mkOption {
        type = types.submodule {
          freeformType = format.type.nestedTypes.elemType;
          options = {
            DisabledDevices = mkOption {
              type = types.listOf types.str;
              default = [];
              example = [ "2082b5e0-7a64-478a-b1b2-e3404fab6dad" ];
              description = lib.mdDoc ''
                List of device GUIDs to be disabled.
              '';
            };

            DisabledPlugins = mkOption {
              type = types.listOf types.str;
              default = [];
              example = [ "udev" ];
              description = lib.mdDoc ''
                List of plugins to be disabled.
              '';
            };

            EspLocation = mkOption {
              type = types.path;
              default = config.boot.loader.efi.efiSysMountPoint;
              defaultText = lib.literalExpression "config.boot.loader.efi.efiSysMountPoint";
              description = lib.mdDoc ''
                The EFI system partition (ESP) path used if UDisks is not available
                or if this partition is not mounted at /boot/efi, /boot, or /efi
              '';
            };

            TestDevices = mkOption {
              internal = true;
              type = types.bool;
              default = false;
              description = lib.mdDoc ''
                Create virtual test devices and remote for validating daemon flows.
                This is only intended for CI testing and development purposes.
              '';
            };
          };
        };
        default = {};
        description = lib.mdDoc ''
          Configurations for the fwupd daemon.
        '';
      };

      uefiCapsuleSettings = mkOption {
        type = types.submodule {
          freeformType = format.type.nestedTypes.elemType;
        };
        default = {};
        description = lib.mdDoc ''
          UEFI capsule configurations for the fwupd daemon.
        '';
      };
    };
  };

  imports = [
    (mkRenamedOptionModule [ "services" "fwupd" "blacklistDevices"] [ "services" "fwupd" "daemonSettings" "DisabledDevices" ])
    (mkRenamedOptionModule [ "services" "fwupd" "blacklistPlugins"] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ])
    (mkRenamedOptionModule [ "services" "fwupd" "disabledDevices" ] [ "services" "fwupd" "daemonSettings" "DisabledDevices" ])
    (mkRenamedOptionModule [ "services" "fwupd" "disabledPlugins" ] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ])
    (mkRemovedOptionModule [ "services" "fwupd" "enableTestRemote" ] "This option was removed after being removed upstream. It only provided a method for testing fwupd functionality, and should not have been exposed for use outside of nix tests.")
  ];

  ###### implementation
  config = mkIf cfg.enable {
    # Disable test related plug-ins implicitly so that users do not have to care about them.
    services.fwupd.daemonSettings = {
      EspLocation = config.boot.loader.efi.efiSysMountPoint;
    };

    environment.systemPackages = [ cfg.package ];

    # customEtc overrides some files from the package
    environment.etc = originalEtc // customEtc // extraTrustedKeys // remotes;

    services.dbus.packages = [ cfg.package ];

    services.udev.packages = [ cfg.package ];

    # required to update the firmware of disks
    services.udisks2.enable = true;

    systemd = {
      packages = [ cfg.package ];

      # fwupd-refresh expects a user that we do not create, so just run with DynamicUser
      # instead and ensure we take ownership of /var/lib/fwupd
      services.fwupd-refresh.serviceConfig = {
        StateDirectory = "fwupd";
        # Better for debugging, upstream sets stderr to null for some reason..
        StandardError = "inherit";
      };

      timers.fwupd-refresh.wantedBy = [ "timers.target" ];
    };

    users.users.fwupd-refresh = {
      isSystemUser = true;
      group = "fwupd-refresh";
    };
    users.groups.fwupd-refresh = {};

    security.polkit.enable = true;
  };

  meta = {
    maintainers = pkgs.fwupd.meta.maintainers;
  };
}