Merge branch 'master' into staging
@@ -5,6 +5,52 @@ with lib;
|
||||
|
||||
let
|
||||
|
||||
randomEncryptionCoerce = enable: { inherit enable; };
|
||||
|
||||
randomEncryptionOpts = { ... }: {
|
||||
|
||||
options = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Encrypt swap device with a random key. This way you won't have a persistent swap device.
|
||||
|
||||
WARNING: Don't try to hibernate when you have at least one swap partition with
|
||||
this option enabled! We have no way to set the partition into which hibernation image
|
||||
is saved, so if your image ends up on an encrypted one you would lose it!
|
||||
|
||||
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
|
||||
when using randomEncryption as the UUIDs and labels will get erased on every boot when
|
||||
the partition is encrypted. Best to use /dev/disk/by-partuuid/…
|
||||
'';
|
||||
};
|
||||
|
||||
cipher = mkOption {
|
||||
default = "aes-xts-plain64";
|
||||
example = "serpent-xts-plain64";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Use specified cipher for randomEncryption.
|
||||
|
||||
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
|
||||
'';
|
||||
};
|
||||
|
||||
source = mkOption {
|
||||
default = "/dev/urandom";
|
||||
example = "/dev/random";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Define the source of randomness to obtain a random key for encryption.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
swapCfg = {config, options, ...}: {
|
||||
|
||||
options = {
|
||||
@@ -47,10 +93,17 @@ let
|
||||
|
||||
randomEncryption = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
example = {
|
||||
enable = true;
|
||||
cipher = "serpent-xts-plain64";
|
||||
source = "/dev/random";
|
||||
};
|
||||
type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
|
||||
description = ''
|
||||
Encrypt swap device with a random key. This way you won't have a persistent swap device.
|
||||
|
||||
HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
|
||||
|
||||
WARNING: Don't try to hibernate when you have at least one swap partition with
|
||||
this option enabled! We have no way to set the partition into which hibernation image
|
||||
is saved, so if your image ends up on an encrypted one you would lose it!
|
||||
@@ -77,7 +130,7 @@ let
|
||||
device = mkIf options.label.isDefined
|
||||
"/dev/disk/by-label/${config.label}";
|
||||
deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
|
||||
realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
|
||||
realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
|
||||
};
|
||||
|
||||
};
|
||||
@@ -125,14 +178,14 @@ in
|
||||
|
||||
createSwapDevice = sw:
|
||||
assert sw.device != "";
|
||||
assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
|
||||
assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
|
||||
assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
|
||||
assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
|
||||
let realDevice' = escapeSystemdPath sw.realDevice;
|
||||
in nameValuePair "mkswap-${sw.deviceName}"
|
||||
{ description = "Initialisation of swap device ${sw.device}";
|
||||
wantedBy = [ "${realDevice'}.swap" ];
|
||||
before = [ "${realDevice'}.swap" ];
|
||||
path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup;
|
||||
path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
|
||||
|
||||
script =
|
||||
''
|
||||
@@ -145,11 +198,11 @@ in
|
||||
truncate --size "${toString sw.size}M" "${sw.device}"
|
||||
fi
|
||||
chmod 0600 ${sw.device}
|
||||
${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
|
||||
${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
|
||||
fi
|
||||
''}
|
||||
${optionalString sw.randomEncryption ''
|
||||
cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom
|
||||
${optionalString sw.randomEncryption.enable ''
|
||||
cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}
|
||||
mkswap ${sw.realDevice}
|
||||
''}
|
||||
'';
|
||||
@@ -157,12 +210,12 @@ in
|
||||
unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
|
||||
unitConfig.DefaultDependencies = false; # needed to prevent a cycle
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = sw.randomEncryption;
|
||||
serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
|
||||
serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
|
||||
serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
|
||||
restartIfChanged = false;
|
||||
};
|
||||
|
||||
in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices));
|
||||
in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
|
||||
|
||||
};
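Review bot: The new `cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} …` line splices two free-form `types.str` option values unquoted into a root-run unit script, so a value containing whitespace or shell metacharacters is re-parsed by the shell rather than handed to cryptsetup as one argument; since the module is under `with lib;`, `cryptsetup plainOpen -c ${escapeShellArg sw.randomEncryption.cipher} -d ${escapeShellArg sw.randomEncryption.source} ${sw.device} ${sw.deviceName}` closes that gap the same way the tahoe hunk already uses `lib.escapeShellArg`. The `ExecStop` line keeps `cryptsetup luksClose` for a mapping that is now opened with `plainOpen`; `luksClose` is, as far as I know, an alias of the generic `close`, but `cryptsetup close ${sw.deviceName}` states the intent and matches the open side. The `source` option description could also say that the key is read once at boot from that path and that anything other than a kernel random device defeats the "random key" guarantee, since the option accepts any string. The script body belongs to `createSwapDevice`, whose definition starts in an earlier hunk.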
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
{
|
||||
meta.maintainers = [ maintainers.grahamc ];
|
||||
meta.maintainers = with maintainers; [ grahamc ];
|
||||
options = {
|
||||
|
||||
hardware.mcelog = {
|
||||
@@ -19,19 +19,17 @@ with lib;
|
||||
};
|
||||
|
||||
config = mkIf config.hardware.mcelog.enable {
|
||||
systemd.services.mcelog = {
|
||||
description = "Machine Check Exception Logging Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
systemd = {
|
||||
packages = [ pkgs.mcelog ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.mcelog}/bin/mcelog --daemon --foreground";
|
||||
SuccessExitStatus = [ 0 15 ];
|
||||
|
||||
ProtectHome = true;
|
||||
PrivateNetwork = true;
|
||||
PrivateTmp = true;
|
||||
services.mcelog = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ProtectHome = true;
|
||||
PrivateNetwork = true;
|
||||
PrivateTmp = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
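Review bot: With `systemd.packages = [ pkgs.mcelog ]` the service definition now layers on the packaged unit, whose `ExecStart` and other settings are no longer visible in this module, so a reader cannot tell why `wantedBy` is still spelled out in `systemd.services.mcelog`; a one-line comment such as `# units pulled in via systemd.packages are not enabled from their [Install] section, so wantedBy must be restated` would prevent the next maintainer from dropping it. As far as I can tell this is how NixOS treats packaged units, but it is worth confirming against the documentation for `systemd.packages`. The sandboxing lines (`ProtectHome`, `PrivateNetwork`, `PrivateTmp`) are carried over unchanged; a short comment noting that the daemon still needs root for the machine-check device would explain why no user drop is attempted here.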
|
||||
|
||||
@@ -204,6 +204,7 @@ with lib;
|
||||
"Set the option `services.xserver.displayManager.sddm.package' instead.")
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
|
||||
(mkRemovedOptionModule [ "boot" "zfs" "enableUnstable" ] "0.7.0 is now the default")
|
||||
|
||||
# ZSH
|
||||
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
|
||||
|
||||
@@ -108,7 +108,7 @@ in
|
||||
after = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
|
||||
ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
|
||||
User = cfg.user;
|
||||
PIDFile = cfg.pidFile;
|
||||
Type = "forking";
|
||||
|
||||
@@ -243,7 +243,7 @@ in
|
||||
preStart = ''
|
||||
if [ ! -d ${lib.escapeShellArg nodedir} ]; then
|
||||
mkdir -p /var/db/tahoe-lafs
|
||||
tahoe create-introducer "${lib.escapeShellArg nodedir}
|
||||
tahoe create-introducer ${lib.escapeShellArg nodedir}
|
||||
fi
|
||||
|
||||
# Tahoe has created a predefined tahoe.cfg which we must now
|
||||
|
||||
@@ -169,7 +169,8 @@ in
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
PIDFile = "/run/tinc.${network}.pid";
|
||||
Restart = "on-failure";
|
||||
Restart = "always";
|
||||
RestartSec = "3";
|
||||
};
|
||||
preStart = ''
|
||||
mkdir -p /etc/tinc/${network}/hosts
|
||||
|
||||
@@ -648,51 +648,11 @@ in
|
||||
|
||||
services.xserver.xkbDir = mkDefault "${pkgs.xkeyboard_config}/etc/X11/xkb";
|
||||
|
||||
system.extraDependencies = singleton (pkgs.runCommand "xkb-layouts-exist" {
|
||||
inherit (cfg) layout xkbDir;
|
||||
system.extraDependencies = singleton (pkgs.runCommand "xkb-validated" {
|
||||
inherit (cfg) xkbModel layout xkbVariant xkbOptions;
|
||||
nativeBuildInputs = [ pkgs.xkbvalidate ];
|
||||
} ''
|
||||
# We can use the default IFS here, because the layouts won't contain
|
||||
# spaces or tabs and are ruled out by the sed expression below.
|
||||
availableLayouts="$(
|
||||
sed -n -e ':i /^! \(layout\|variant\) *$/ {
|
||||
# Loop through all of the layouts/variants until we hit another ! at
|
||||
# the start of the line or the line is empty ('t' branches only if
|
||||
# the last substitution was successful, so if the line is empty the
|
||||
# substition will fail).
|
||||
:l; n; /^!/bi; s/^ *\([^ ]\+\).*/\1/p; tl
|
||||
}' "$xkbDir/rules/base.lst" | sort -u
|
||||
)"
|
||||
|
||||
layoutNotFound() {
|
||||
echo >&2
|
||||
echo "The following layouts and variants are available:" >&2
|
||||
echo >&2
|
||||
|
||||
# While an output width of 80 is more desirable for small terminals, we
|
||||
# really don't know the amount of columns of the terminal from within
|
||||
# the builder. The content in $availableLayouts however is pretty
|
||||
# large, so let's opt for a larger width here, because it will print a
|
||||
# smaller amount of lines on modern KMS/framebuffer terminals and won't
|
||||
# lose information even in smaller terminals (it only will look a bit
|
||||
# ugly).
|
||||
echo "$availableLayouts" | ${pkgs.utillinux}/bin/column -c 150 >&2
|
||||
|
||||
echo >&2
|
||||
echo "However, the keyboard layout definition in" \
|
||||
"\`services.xserver.layout' contains the layout \`$1', which" \
|
||||
"isn't a valid layout or variant." >&2
|
||||
echo >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Again, we don't need to take care of IFS, see the comment for
|
||||
# $availableLayouts.
|
||||
for l in ''${layout//,/ }; do
|
||||
if ! echo "$availableLayouts" | grep -qxF "$l"; then
|
||||
layoutNotFound "$l"
|
||||
fi
|
||||
done
|
||||
|
||||
validate "$xkbModel" "$layout" "$xkbVariant" "$xkbOptions"
|
||||
touch "$out"
|
||||
'');
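Review bot: The rewritten check no longer inherits `xkbDir` into the derivation (the old `inherit (cfg) layout xkbDir;` becomes `inherit (cfg) xkbModel layout xkbVariant xkbOptions;`), so a user who sets `services.xserver.xkbDir` to a custom tree is validated against whatever data `xkbvalidate` compiles in rather than the directory that will actually be used at runtime. If the tool honors an XKB data directory, keep `inherit (cfg) xkbDir xkbModel layout xkbVariant xkbOptions;` and pass `$xkbDir` to it; if it does not, a comment above the `runCommand` should say that the check assumes the default `pkgs.xkeyboard_config` data. The `validate` command on the last lines is presumably the binary provided by `pkgs.xkbvalidate`, which is not named anywhere in the hunk; naming it in a comment would help. The enclosing `config` attribute set starts and ends outside this hunk.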
|
||||
|
||||
|
||||
@@ -207,7 +207,7 @@ let
|
||||
preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
|
||||
|
||||
resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
|
||||
(filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption
|
||||
(filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable
|
||||
# Don't include zram devices
|
||||
&& !(hasPrefix "/dev/zram" sd.device)
|
||||
) config.swapDevices);
|
||||
|
||||
@@ -24,11 +24,7 @@ let
|
||||
|
||||
kernel = config.boot.kernelPackages;
|
||||
|
||||
packages = if config.boot.zfs.enableUnstable then {
|
||||
spl = kernel.splUnstable;
|
||||
zfs = kernel.zfsUnstable;
|
||||
zfsUser = pkgs.zfsUnstable;
|
||||
} else {
|
||||
packages = {
|
||||
spl = kernel.spl;
|
||||
zfs = kernel.zfs;
|
||||
zfsUser = pkgs.zfs;
|
||||
@@ -62,19 +58,6 @@ in
|
||||
|
||||
options = {
|
||||
boot.zfs = {
|
||||
enableUnstable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Use the unstable zfs package. This might be an option, if the latest
|
||||
kernel is not yet supported by a published release of ZFS. Enabling
|
||||
this option will install a development version of ZFS on Linux. The
|
||||
version will have already passed an extensive test suite, but it is
|
||||
more likely to hit an undiscovered bug compared to running a released
|
||||
version of ZFS on Linux.
|
||||
'';
|
||||
};
|
||||
|
||||
extraPools = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
|
||||