This patch is about removing `wireguardPeerConfig`,
`dhcpServerStaticLeaseConfig` - a.k.a. the
AbstractSingletonProxyFactoryBean of nixpkgs - and friends.
As a former colleague said
> worst abstraction ever
I second that. I've written enough networkd config for NixOS systems so
far to have a strong dislike. In fact, these don't even make sense:
`netdevs.wireguardPeers._.wireguardPeerConfig` will be rendered into
the key `[WireGuardPeer]` and every key from `wireguardPeerConfig` is in
there. Since it's INI, there's no place where sections on the same level
as wireguardPeerConfig fit into. Hence, get rid of it all.
For the transition, using the old way is still allowed, but gives a
warning. I think we could drop this after one release.
The tests of rosenpass and systemd-networkd-dhcpserver-static-leases
were broken on the rev before, hence they were updated, but are still
not building.
This fixes the usage of fonts whose filenames contain special
characters of various sorts.
For example, the setting
```nix
boot.plymouth.font =
"${pkgs.noto-fonts}/share/fonts/noto/NotoSans[wdth,wght].ttf";
```
will cause a build failure, without this patch.
Closes#233865. Currently, the documentation for `boot.loader.grub.theme` misleadingly implies that it needs a package for a grub theme instead of a path to a grub theme.
This allows us to set things like dependencies in a way that we can
catch typos at eval time.
So instead of
```nix
systemd.services.foo.wants = [ "bar.service" ];
```
we can write
```nix
systemd.services.foo.wants = [ config.systemd.services.bar.name ];
```
which will throw an error if no such service has been defined.
Not all cases can be done like this (eg template services), but in a lot
of cases this will allow to avoid typos.
There is a matching option on the unit option
(`systemd.units."foo.service".name`) as well.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This option makes it easier to reuse a system's ukify.conf without the
need for manually calling the generator on `settings` again to receive a
rendered configuration file.
Theoretically, a complete configuration file could now be provided by
users.
Running systemd-timesyncd with an empty list of timeservers to sync from
does not work.
In case an empty list is configured here, systemd will fall back to its
compiled-in defaults, which NixOS sets to `{0..4}.nixos.pool.ntp.org`,
as per https://github.com/systemd/systemd/blob/main/docs/DISTRO_PORTING.md#ntp-pool
This has caused some confusion. Explicitly document this, and describe
how to disable timesyncd.
We need to make sure systemd-tmpfiles-setup.service ran before we
start systemd-binft.service. Otherwise it might fail to start
due to non-existant files
Fixes#295365
This ensures a ".dtb" PE section makes it into the UKI so systemd-stub
can install the correct devicetree for use by the Linux kernel. This is
often needed on systems that boot with u-boot since the devicetree used
by u-boot is often a paired down version of what the Linux kernel needs.
On those kinds of boards, the lack of this PE section means that u-boot
will end up installing its internal devicetree into the UEFI
configuration table, which is what the Linux kernel ends up using.
Without sort-keys specified on entries, the entries are sorted only by
file name (in decreasing order, so starting at the end of the alphabet!),
without taking any other fields into account (see
[the boot loader specification reference][1]).
Moreover, entries without a sort-key are always ordered after all
entries with a sort-key, so by not adding a sort-key to the NixOS ones,
we cannot add a sort-key to any other entry while keeping it below the
NixOS entries.
So currently we have options to set the file names for additional entries like
memtest and netbootxyz.
However, as mentioned above, the sorting by file name is not very intuitive and
actually sorts in the opposite order of what is currently mentioned in the option
descriptions.
With this commit, we set a configurable sort-key on all NixOS entries,
and add options for setting the sort-keys for the memtest and netbootxyz
entries.
The sorting by sort-key is more intuitive (it starts at the start of the
alphabet) and also takes into account the machine-id and version for entries
with identical sort-keys.
We use a bootspec extension to store the sort keys, which allows us to
redefine the sort key for individual specialisations without needing any
special casing.
[1]: https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting
The maximum length for a GPT label supported by systemd is 36
characters. When a repart definition contains a label that is longer
than the supported maximum length, it is ignored by systemd-repart and
a log message is produced.
The new assertion makes this obvious to the user at evaluation time,
allowing them to either drop the property entirely or choose a supported
label within the length limit instead.
Since we are not in a `callPackage` context, dependencies in
`nativeBuildInputs` don't get spliced to the buildPlatform, causing a
cross-compiled nixos system to fail at this step when running mypy built
for the hostPlatform.
Before there was a kernel modules path named kernel-modules which then got turned
into linux-X.X.XX-modules-shrunk. Now the unshrunk package is called linux-X.X.XX-modules
and gets turned into X.X.XX-modules-shrunk.
this lets us *dis*able filesystem explicitly, as is required by e.g. the
zfs-less installer images. currently that specifically is only easily
possible by adding an overlay that stubs out `zfs`, with the obvious
side-effect of also removing tooling that could run without the kernel
module loaded.
These should be defaults as they're pretty reasonable to want to
override as a user. Unsure how to change the slice defaults to be
overridable, that should probably be a later conversation.
Lists are convenient to have in sysupdate configuration when using
multiple `MatchPattern` under `Target` when the target can have multiple
filenames. This use-case is helpful for BootLoaderSpec bootcounting where the target file on
disk can have multiple filenames, and in order for sysupdate to properly
ensure only N number of instances of this target exist at one time, we
need to have multiple match patterns.
Previously any user-provided config for boot.uki.settings would need to
either specify a full set of config for ukify or a combination of
mkOptionDefault to merge the "settings" attribute set with the module's
defaults and then mkOverride or mkForce to override a contained
attribute.
Now it is possible to trivially override parts of the module's default
config, such as the initrd or kernel command line, but overriding the
full set of settings now requires mkOverride / mkForce.
There were several modules, critically including NetworkManager, which
were not prepared for this change. Most of the change was good,
however. Let's bring back the dependency and change the assertion to a
warning for now.
Previously we required network-online.target for multi-user.target. This
has made a lot of people very angry and has been widely regarded as a
bad move (or at least, very nonstandard):
15d761a525 (commitcomment-128564097)
This was done because of fragile tests and services declaring
dependencies on multi-user.target when they meant network-online.target.
Let's rip off the bandaid and fix our tests.
This makes it easier to reason about what variables are inserted during packaging.
We also make sure that template file is also valid python syntax, which makes editor errors go away during development.
Removed patches:
- 0007-Fix-hwdb-paths.patch
The directory we want seems to already be included in the list. Is there
a reason why we want to restrict it further?
- 0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
This patch has little to do with how the meson.build file looks now. The
new patch 0017 is the successor to this one.
- 0015-pkg-config-derive-prefix-from-prefix.patch
This is fixed upstream. We don't need this anymore.
The example systemd-sysupdate transfer name has a ".conf" suffix,
although the files on the final system are already appended with this
suffix, so the file ends up being "transfer-name.conf.conf". Remove the
suffix in the example so that users will get a transfer filename they
expect.
Systemd-repart will use loopback devices for partition creation if it is
able to, and will fallback to doing "offline" partition creation writing
data directly to files. From what I see looking at the repart code,
there are specific features that cannot be taken advantage of when not
using loopback devices (e.g. no BTRFS subvolumes in systemd v255) and in
certain places they have to perform some manual re-sizing work that can
otherwise be avoided.
A bootspec could remove the `initrdSecrets` attribute and is a perfectly valid bootspec, as can be seen
in the bootspec.cue.
This makes the builder not fail upon missing `initrdSecrets`.
When `config.boot.zfs.enableUnstable` is set to true, grub was built with the `zfs` package even though the rest of the system uses the `zfsUnstable` package.
The effect of this can only be seen when `zfs` and `zfsUnstable` actually differ (which is not currently the case), for example when overriding one of them locally.
When a system has a wrong date and time timesyncd is unable to synchronize it
because DNSSEC doesn't work. In order to break this chicken and egg problem
systemd-timesync disables DNSSEC validation by setting
SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file. However, it doesn't work in
NixOS because it uses NSCD. This patch disables NSCD in systemd-timesyncd when
SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
directly. In order for it to be able to find the libnss_resolve.so.2 library
this patch adds the systemd directory in the nix store to the LD_LIBRARY_PATH.
The previous code did not apply any changes to the upstream defaults on being presented with an empty list.
This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value.
Signed-off-by: benaryorg <binary@benary.org>
Since 1557027, makeModulesClosure doesn't create a lib/firmware
directory if there is no firmware in the initramfs. If this happens,
systemd-stage-1 fails to build.
/lib only contains /lib/modules and /lib/firmware, both of while are
from modulesClosure. Therefore, we can just add the entirety of
${modulesClosure}/lib to the initramfs to allow for the possibility that
lib/firmware doesn't exist. This also brings systemd-stage-1 in line
with the traditional stage-1.
The CAKE section for systemd.network units allows configuring whether or
not redundant ACKs should be dropped. This option corresponds to the
respective tc-cake(8) params "ack-filter", "ack-filter-aggressive" or
"no-ack-filter".
Add support for these values in the `cakeConfig` module so that users
can configure it.
8f2babd032 was partially reverted by mistake. Original message below
---
On some systems, EFI variables are not supported or otherwise wonky.
bootctl attempting to access them causes failures during bootloader
installations and updates. For such systems, NixOS provides the options
`boot.loader.efi.canTouchEfiVariables` and
`boot.loader.systemd-boot.graceful` which pass flags to bootctl that
change whether and how EFI variables are accessed.
Previously, these flags were only passed to bootctl during an install
operation. However, they also apply during an update operation, which
can cause the same sorts of errors. This change passes the flags during
update operations as well to prevent those errors.
Fixes https://github.com/NixOS/nixpkgs/issues/151336
Previously, all available plymouth renderers were copied to the initrd,
including the X11 one. It is pretty much useless since the initrd is
exceedingly unlikely to run an X server, and causes the initrd closure to grow
by several large libraries (mostly Gtk and dependencies) and thus by a couple
of megabytes (over 5 MiB on my system). Remove it.
While this can be added via `services.journald.extraConfig`, this option
provides proper type-checking and other modules can determine
where journal data is stored. This is relevant when using e.g. promtail
to send logs to Loki and it should read from `/run/log/journal` if
volatile storage is used.
Adds a postResumeCommands option to the initramfs to allow inserting
code to execute after the device has attempted to resume, and before
filesystems are mounted. This allows to inject code for operations like
wiping the rootfs on boot; if those were instead put in
postDeviceCommands, on a hibernated device, they would execute before
the device resumes from hibernation.
Modules built in to the kernel can attempt to load firmware before
init is started. To guarantee the firmware is accessible to them
where they expect, /lib has to exist in the initramfs — it can't be
created later by init, because by that point the module may already
have tried and given up.
It hasn't expected the prefix for a long time (possibly ever). Other
documentation and patches within nixpkgs itself (such as the crashdump
module) do not have the prefix.
When using iproute2's ip binary, you can omit the dev parameter, e.g. ip link set up eth0 instead of ip link set up dev eth0.
This breaks if for some reason your device is named e.g. he, hel, … because it is interpreted as ip link set up help.
I just encountered this bug using networking.bridges trying to create an interface named he.
I used a grep on nixpkgs to try to find iproute2 invocations using variables without the dev keyword, and found a few, and fixed them by providing the dev keyword.
I merely fixed what I found, but the use of abbreviated commands makes it a bit hard to be sure everything has been found (e.g. ip l set … up instead of ip link set … up).
You can see in https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html that
this should be "HairPin" not "Hairpin". Using "Hairpin" results in
```
Oct 25 18:55:03 my-host systemd-networkd[843736]: /etc/systemd/network/10-bridge.network:11:
Unknown key name 'Hairpin' in section 'Bridge', ignoring.
```
The `AUTOFS4_FS` name appears to be a legacy naming stub:
>Ok, I ran the script, and also decided that we might as well remove
>the AUTOFS4 legacy naming stub entry by now.
>
>It has been five years, and people will have either picked up the new
>name with 'make oldconfig', or they just don't use 'make oldconfig' at
>all.
https://lore.kernel.org/lkml/CAHk-=wgK9-Tx4BxYMrc0pg==mcaz3cjWF6-CBwVpM_BZAmf4JQ@mail.gmail.com/#r
That has been remove in 6.6 kernel and results in a failure:
```
error:
Failed assertions:
- CONFIG_AUTOFS4_FS is not enabled!
```
Signed-off-by: Jakub Sokołowski <jakub@status.im>
There's no reason to do this in initrd. Partitions can be resized online.
We just have to make sure it happens before we resize the file system.
This also makes grow-partition work with systemd-initrd
This reverts commit 80665d606a.
Parsing the package version broke our systemd-boot builder test.
i.e. it won't be able to parse systemd-boot efi binaries coming from
ubuntu
We no longer use the faulty systemd-boot version so this code should no
longer be needed.
