diff --git a/nixos/doc/manual/redirects.json b/nixos/doc/manual/redirects.json index 5a56af028e2d..297956be881b 100644 --- a/nixos/doc/manual/redirects.json +++ b/nixos/doc/manual/redirects.json @@ -1,4 +1,19 @@ { + "module-boot-plymouth-tpm2-totp": [ + "index.html#module-boot-plymouth-tpm2-totp" + ], + "module-boot-plymouth-tpm2-totp-quick-start": [ + "index.html#module-boot-plymouth-tpm2-totp-quick-start" + ], + "module-boot-plymouth-tpm2-totp-quick-start-check": [ + "index.html#module-boot-plymouth-tpm2-totp-quick-start-check" + ], + "module-boot-plymouth-tpm2-totp-quick-start-configure": [ + "index.html#module-boot-plymouth-tpm2-totp-quick-start-configure" + ], + "module-boot-plymouth-tpm2-totp-quick-start-enable": [ + "index.html#module-boot-plymouth-tpm2-totp-quick-start-enable" + ], "sec-override-nixos-test": [ "index.html#sec-override-nixos-test" ], diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md index 967f774d0a8b..961238bbf230 100644 --- a/nixos/doc/manual/release-notes/rl-2511.section.md +++ b/nixos/doc/manual/release-notes/rl-2511.section.md 
@@ -88,6 +88,8 @@ - The [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP) can now be enabled through [services.nipap.enable](#opt-services.nipap.enable). +- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable). + - [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable). - [ente](https://github.com/ente-io/ente), a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as [services.ente.api](#opt-services.ente.api.enable) and [services.ente.web](#opt-services.ente.web.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3ca08fd4cb47..67cab5751f9b 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1830,6 +1830,7 @@ ./system/boot/modprobe.nix ./system/boot/networkd.nix ./system/boot/nix-store-veritysetup.nix + ./system/boot/plymouth-tpm2-totp.nix ./system/boot/plymouth.nix ./system/boot/resolved.nix ./system/boot/shutdown.nix diff --git a/nixos/modules/system/boot/plymouth-tpm2-totp.md b/nixos/modules/system/boot/plymouth-tpm2-totp.md new file mode 100644 index 000000000000..aecec001ca63 --- /dev/null +++ b/nixos/modules/system/boot/plymouth-tpm2-totp.md 
@@ -0,0 +1,29 @@
+# tpm2-totp with Plymouth {#module-boot-plymouth-tpm2-totp}
+
+[tpm2-totp](https://github.com/tpm2-software/tpm2-totp) attests the trustworthiness of a device against a human using time-based one-time passwords. This module uses a `tpm2-totp` configuration to display a TOTP at boot using Plymouth.
+
+## Quick start {#module-boot-plymouth-tpm2-totp-quick-start}
+
+### 1. Enable modules {#module-boot-plymouth-tpm2-totp-quick-start-enable}
+
+```nix
+{
+ boot.plymouth.tpm2-totp.enable = true;
+
+ # Plymouth and systemd initrd/stage-1 are required:
+ boot.plymouth.enable = true;
+ boot.initrd.systemd.enable = true;
+}
+```
+
+Switch to the new configuration before proceeding to the next step.
+
+### 2. Configure `tpm2-totp` {#module-boot-plymouth-tpm2-totp-quick-start-configure}
+
+Generate a new TOTP secret and save the secret in your chosen authenticator app. See `man tpm2-totp` for commands and configuration examples.
+
+More information, including security considerations, can be found in the `README.md` in the [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) repository. Be sure to select the tag for the version of `tpm2-totp` you have installed.
+
+### 3. Check configuration {#module-boot-plymouth-tpm2-totp-quick-start-check}
+
+Reboot and you should see the TOTP appear on the Plymouth boot screen. The TOTP should match the code displayed in your authenticator app (or the code immediately before/after).
diff --git a/nixos/modules/system/boot/plymouth-tpm2-totp.nix b/nixos/modules/system/boot/plymouth-tpm2-totp.nix
new file mode 100644
index 000000000000..2c688f82c6c2
--- /dev/null
+++ b/nixos/modules/system/boot/plymouth-tpm2-totp.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.boot.plymouth.tpm2-totp;
+in
+{
+ options.boot.plymouth.tpm2-totp = {
+ enable = lib.mkEnableOption "tpm2-totp using Plymouth" // {
+ description = "Whether to display a TOTP during boot using tpm2-totp and Plymouth.";
+ };
+
+ package = lib.mkPackageOption pkgs "tpm2-totp" { default = "tpm2-totp-with-plymouth"; };
+ };
+
+ meta = {
+ maintainers = with lib.maintainers; [ majiir ];
+ doc = ./plymouth-tpm2-totp.md;
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.boot.initrd.systemd.enable;
+ message = "boot.plymouth.tpm2-totp is only supported with boot.initrd.systemd.";
+ }
+ ];
+
+ environment.systemPackages = [
+ cfg.package
+ ];
+
+ boot.initrd.systemd.storePaths = [
+ "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp"
+ "${cfg.package}/lib/libtpm2-totp.so.0"
+ "${cfg.package}/lib/libtpm2-totp.so.0.0.0"
+ ];
+
+ # Based on https://github.com/tpm2-software/tpm2-totp/blob/9bcfdcbfdd42e0b2e1d7769852009608f889631c/dist/plymouth-tpm2-totp.service.in
+ boot.initrd.systemd.services.plymouth-tpm2-totp = {
+ description = "Display a TOTP during boot using Plymouth";
+ requires = [ "plymouth-start.service" ];
+ after = [
+ "plymouth-start.service"
+ "tpm2.target"
+ ];
+ wantedBy = [ "sysinit.target" ];
+ unitConfig.DefaultDependencies = false;
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp";
+ };
+ };
+ };
+}
diff --git a/pkgs/applications/video/kodi/addons/jellyfin/default.nix b/pkgs/applications/video/kodi/addons/jellyfin/default.nix
index 9b9a91032384..0c57f5e20ed1 100644
--- a/pkgs/applications/video/kodi/addons/jellyfin/default.nix
+++ b/pkgs/applications/video/kodi/addons/jellyfin/default.nix
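Review bot: The `assertions` list in plymouth-tpm2-totp.nix checks only `config.boot.initrd.systemd.enable`, although the unit declares `requires = [ "plymouth-start.service" ]` and the module's manual page lists Plymouth as required. With `boot.plymouth.enable = false` the configuration still evaluates, and the only symptom is that no code is ever shown at boot; for a feature users rely on as a boot-time integrity signal, failing at evaluation is the safer behaviour. I would add a second entry, `{ assertion = config.boot.plymouth.enable; message = "boot.plymouth.tpm2-totp requires boot.plymouth.enable."; }`. The unit is also ordered `after` `tpm2.target`, so it presumably depends on TPM2 support being present in the initrd; that seems worth a one-line comment or an assertion if an option governs it. Separately, the two `libtpm2-totp.so.0*` entries in `storePaths` hard-code the library version and will need a manual edit on a soname bump, so a short comment on why they are listed explicitly would help the next maintainer.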
@@ -17,13 +17,13 @@ in buildKodiAddon rec { pname = "jellyfin"; namespace = "plugin.video.jellyfin"; - version = "1.0.8"; + version = "1.1.0"; src = fetchFromGitHub { owner = "jellyfin"; repo = "jellyfin-kodi"; rev = "v${version}"; - sha256 = "sha256-/kolXnYO+wo6z7ucCXvxwjsiflvusKJ3qTWxm1YZMfU="; + sha256 = "sha256-5CJenvNmyNwrlNfF4jPap99oj21T96TeExbod8+KKTA="; }; nativeBuildInputs = [ python ]; diff --git a/pkgs/by-name/an/ananicy-rules-cachyos/package.nix b/pkgs/by-name/an/ananicy-rules-cachyos/package.nix index 4b24d0b86d19..24488ad5690e 100644 --- a/pkgs/by-name/an/ananicy-rules-cachyos/package.nix +++ b/pkgs/by-name/an/ananicy-rules-cachyos/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "ananicy-rules-cachyos"; - version = "0-unstable-2025-09-03"; + version = "0-unstable-2025-09-09"; src = fetchFromGitHub { owner = "CachyOS"; repo = "ananicy-rules"; - rev = "4a4931273868421e772c82f34f0df82252200526"; - hash = "sha256-Wr/NIWObhzBdkI7QsYNLO52dYU3BUNGVKHliEcNGU3Y="; + rev = "0f5d7883cc4c49b8e9c51d5512ba145b5289eb05"; + hash = "sha256-8zzUp1am6nu/6EnQkPTDkd/TLb2SBgSSyNpUyv44Zr8="; }; dontConfigure = true; diff --git a/pkgs/by-name/ge/gensio/package.nix b/pkgs/by-name/ge/gensio/package.nix index 041f626cd805..414f6443f2f1 100644 --- a/pkgs/by-name/ge/gensio/package.nix +++ b/pkgs/by-name/ge/gensio/package.nix @@ -10,13 +10,13 @@ stdenv.mkDerivation rec { pname = "gensio"; - version = "2.8.15"; + version = "3.0.0"; src = fetchFromGitHub { owner = "cminyard"; repo = "gensio"; rev = "v${version}"; - sha256 = "sha256-EDa95r8x5yIXibJigJXR3PCYTTvJlqB6XBN1RZHq6KM="; + sha256 = "sha256-YP5KKHpKVZhJxhCBbdXg6pTgvPRHUwdqlzDlR+hIB+w="; }; passthru = { diff --git a/pkgs/by-name/n9/n98-magerun2/package.nix b/pkgs/by-name/n9/n98-magerun2/package.nix index baa1f07955ec..82615f1db76d 100644 --- a/pkgs/by-name/n9/n98-magerun2/package.nix +++ b/pkgs/by-name/n9/n98-magerun2/package.nix 
@@ -7,16 +7,16 @@ php83.buildComposerProject2 (finalAttrs: { pname = "n98-magerun2"; - version = "9.0.2"; + version = "9.1.0"; src = fetchFromGitHub { owner = "netz98"; repo = "n98-magerun2"; tag = finalAttrs.version; - hash = "sha256-v6Be9yODeac4ZLYfHXZTLMcfzjKGDXD7jz7kmI/z8wo="; + hash = "sha256-kjT72pLKuN166Edm8+8vUIfhFdMnZkeTagl0ECL20b8="; }; - vendorHash = "sha256-vaRRxtHu/ZFc+Z38KJjm0iUncFYUfRLkk7A3+T1p4+I="; + vendorHash = "sha256-0Bk01aU3vicwk9swkv+8VZxcPdaEMOOtp9niNfPfQyA="; nativeInstallCheckInputs = [ versionCheckHook ]; versionCheckProgramArg = "--version"; diff --git a/pkgs/by-name/tp/tpm2-totp/package.nix b/pkgs/by-name/tp/tpm2-totp/package.nix index 4bfea9d11936..d792d4a8e03f 100644 --- a/pkgs/by-name/tp/tpm2-totp/package.nix +++ b/pkgs/by-name/tp/tpm2-totp/package.nix @@ -5,7 +5,10 @@ tpm2-tss, autoreconfHook, autoconf-archive, + pandoc, pkg-config, + withPlymouth ? false, + plymouth, qrencode, }: @@ -27,13 +30,15 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook autoconf-archive + pandoc pkg-config ]; buildInputs = [ tpm2-tss qrencode - ]; + ] + ++ lib.optional withPlymouth plymouth; meta = with lib; { description = "Attest the trustworthiness of a device against a human using time-based one-time passwords"; diff --git a/pkgs/by-name/xp/xpar/package.nix b/pkgs/by-name/xp/xpar/package.nix index f99af41df992..162305064523 100644 --- a/pkgs/by-name/xp/xpar/package.nix +++ b/pkgs/by-name/xp/xpar/package.nix @@ -8,13 +8,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "xpar"; - version = "0.5"; + version = "0.6"; src = fetchFromGitHub { owner = "kspalaiologos"; repo = "xpar"; rev = finalAttrs.version; - hash = "sha256-DMUDWQqYSQjGxYOpcfwNaaM21avcZ1w3IqEhuOaabrw="; + hash = "sha256-cvt5fXg3mKzh0GlL1qkA7G17p2ZA0PpFnE2cLYwlmUM="; }; nativeBuildInputs = [ diff --git a/pkgs/development/beam-modules/livebook/default.nix b/pkgs/development/beam-modules/livebook/default.nix index 44e536cd0eaa..03c2d5111f87 100644 
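Review bot: In pkgs/by-name/tp/tpm2-totp/package.nix the new `withPlymouth` argument is undocumented, and the second hunk only appends `plymouth` to `buildInputs`. Nothing visible in the hunks passes a configure switch, so whether the helper is built presumably rests on configure-time autodetection. The NixOS module added in this commit executes `libexec/tpm2-totp/plymouth-tpm2-totp` from that package in the initrd, so I would record the link next to the argument, e.g. `# Builds libexec/tpm2-totp/plymouth-tpm2-totp, which boot.plymouth.tpm2-totp runs in the initrd.` If upstream's configure script offers an explicit switch for Plymouth support, setting it from `withPlymouth` in `configureFlags` would turn a silently missing helper into a build failure. The rest of the derivation lies outside the hunks, so an existing flag may already cover this.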
--- a/pkgs/development/beam-modules/livebook/default.nix +++ b/pkgs/development/beam-modules/livebook/default.nix @@ -9,7 +9,7 @@ beamPackages.mixRelease rec { pname = "livebook"; - version = "0.17.1"; + version = "0.17.2"; inherit (beamPackages) elixir; @@ -21,7 +21,7 @@ beamPackages.mixRelease rec { owner = "livebook-dev"; repo = "livebook"; tag = "v${version}"; - hash = "sha256-TQbSqavpJqasQsuLSvCdrkL7DZK56c7FHp5ABhK9noA="; + hash = "sha256-9AlvEqyQJvcRbAuuxF5Q5S9hG96vaQYVBYwPYp4lGQM="; }; mixFodDeps = beamPackages.fetchMixDeps { diff --git a/pkgs/tools/networking/openapi-generator-cli/default.nix b/pkgs/tools/networking/openapi-generator-cli/default.nix index 19782c0af6ad..21981d09e435 100644 --- a/pkgs/tools/networking/openapi-generator-cli/default.nix +++ b/pkgs/tools/networking/openapi-generator-cli/default.nix @@ -9,7 +9,7 @@ let this = stdenv.mkDerivation (finalAttrs: { - version = "7.14.0"; + version = "7.15.0"; pname = "openapi-generator-cli"; jarfilename = "openapi-generator-cli-${finalAttrs.version}.jar"; @@ -20,7 +20,7 @@ let src = fetchurl { url = "mirror://maven/org/openapitools/openapi-generator-cli/${finalAttrs.version}/${finalAttrs.jarfilename}"; - sha256 = "sha256-4DGGg1AiygLaSqleOWe2o7bUTC5fdgbm1cIkZvUZx1c="; + sha256 = "sha256-TaGnzbeMOkOx6rBkiJETXow1R9Lu26Ddadrzd/hl82Y="; }; dontUnpack = true; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 74ff82150ade..250bb2a93078 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4261,6 +4261,10 @@ with pkgs; } ); + tpm2-totp-with-plymouth = tpm2-totp.override { + withPlymouth = true; + }; + trackma-curses = trackma.override { withCurses = true; }; trackma-gtk = trackma.override { withGTK = true; };