Merge remote-tracking branch 'upstream/master' into hardened-stdenv

nixos/modules/system/boot/initrd-ssh.nix

@@ -85,6 +85,10 @@ in
   };
 
   config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
+    assertions = [ {
+      assertion = cfg.hostRSAKey != null || cfg.hostDSSKey != null || cfg.hostECDSAKey != null;
+      message = "You should specify at least one host key for initrd SSH";
+    } ];
 
     boot.initrd.extraUtilsCommands = ''
       copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear

nixos/modules/system/boot/loader/grub/grub.nix

@@ -48,12 +48,13 @@ let
       bootPath = args.path;
       storePath = config.boot.loader.grub.storePath;
       bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
+      timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
       inherit efiSysMountPoint;
       inherit (args) devices;
       inherit (efi) canTouchEfiVariables;
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
-        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
         default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@@ -313,14 +314,6 @@ in
         '';
       };
 
-      timeout = mkOption {
-        default = if (config.boot.loader.timeout != null) then config.boot.loader.timeout else -1;
-        type = types.int;
-        description = ''
-          Timeout (in seconds) until GRUB boots the default menu item.
-        '';
-      };
-
       default = mkOption {
         default = 0;
         type = types.int;

nixos/modules/system/boot/loader/gummiboot/gummiboot.nix

@@ -16,7 +16,7 @@ let
 
     nix = config.nix.package.out;
 
-    timeout = if cfg.timeout != null then cfg.timeout else "";
+    timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";
 
     inherit (efi) efiSysMountPoint canTouchEfiVariables;
   };
@@ -29,20 +29,6 @@ in {
 
       description = "Whether to enable the gummiboot UEFI boot manager";
     };
-
-    timeout = mkOption {
-      default = if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout;
-
-      example = 4;
-
-      type = types.nullOr types.int;
-
-      description = ''
-        Timeout (in seconds) for how long to show the menu (null if none).
-        Note that even with no timeout the menu can be forced if the space
-        key is pressed during bootup
-      '';
-    };
   };
 
   config = mkIf cfg.enable {

nixos/modules/system/boot/luksroot.nix

@@ -5,7 +5,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
     # Wait for luksRoot to appear, e.g. if on a usb drive.
     # XXX: copied and adapted from stage-1-init.sh - should be
     # available as a function.
@@ -192,9 +192,8 @@ let
     ''}
   '';
 
-  isPreLVM = f: f.preLVM;
-  preLVM = filter isPreLVM luks.devices;
-  postLVM = filter (f: !(isPreLVM f)) luks.devices;
+  preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
+  postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
 
 in
 {
@@ -228,31 +227,31 @@ in
     };
 
     boot.initrd.luks.devices = mkOption {
-      default = [ ];
-      example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]'';
+      default = { };
+      example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
       description = ''
-        The list of devices that should be decrypted using LUKS before trying to mount the
-        root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
-
-        The devices are decrypted to the device mapper names defined.
-
-        Make sure that initrd has the crypto modules needed for decryption.
+        The encrypted disk that should be opened before the root
+        filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
+        setups are sypported. The unencrypted devices can be accessed as
+        <filename>/dev/mapper/<replaceable>name</replaceable></filename>.
       '';
 
-      type = types.listOf types.optionSet;
+      type = types.loaOf types.optionSet;
 
-      options = {
+      options = { name, ... }: { options = {
 
         name = mkOption {
+          visible = false;
+          default = name;
           example = "luksroot";
           type = types.str;
-          description = "Named to be used for the generated device in /dev/mapper.";
+          description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
         };
 
         device = mkOption {
-          example = "/dev/sda2";
+          example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
           type = types.str;
-          description = "Path of the underlying block device.";
+          description = "Path of the underlying encrypted block device.";
         };
 
         header = mkOption {
@@ -289,6 +288,7 @@ in
           '';
         };
 
+        # FIXME: get rid of this option.
         preLVM = mkOption {
           default = true;
           type = types.bool;
@@ -394,7 +394,7 @@ in
           };
         };
 
-      };
+      }; };
     };
 
     boot.initrd.luks.yubikeySupport = mkOption {
@@ -408,7 +408,7 @@ in
     };
   };
 
-  config = mkIf (luks.devices != []) {
+  config = mkIf (luks.devices != {}) {
 
     # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
     boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
@@ -438,7 +438,7 @@ in
         copy_bin_and_libs ${pkgs.ykpers}/bin/ykinfo
         copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl
 
-        cc -O3 -I${pkgs.openssl}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
+        cc -O3 -I${pkgs.openssl.dev}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
         strip -s pbkdf2-sha512
         copy_bin_and_libs pbkdf2-sha512
 
@@ -463,8 +463,8 @@ in
       ''}
     '';
 
-    boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM;
-    boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM;
+    boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
+    boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
 
     environment.systemPackages = [ pkgs.cryptsetup ];
   };

nixos/modules/system/boot/systemd.nix

@@ -753,13 +753,6 @@ in
         "TMPFS_XATTR" "SECCOMP"
       ];
 
-    environment.shellAliases =
-      { start = "systemctl start";
-        stop = "systemctl stop";
-        restart = "systemctl restart";
-        status = "systemctl status";
-      };
-
     users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal;
     users.extraUsers.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
     users.extraGroups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;