Merge staging-next into staging

nixos/lib/systemd-lib.nix

@@ -169,6 +169,10 @@ in rec {
  optional (attr ? ${name} && !isInt attr.${name})
  "Systemd ${group} field `${name}' is not an integer";
 
+ assertRemoved = name: see: group: attr:
+ optional (attr ? ${name})
+ "Systemd ${group} field `${name}' has been removed. See ${see}";
+
  checkUnitConfig = group: checks: attrs: let
  # We're applied at the top-level type (attrsOf unitOption), so the actual
  # unit options might contain attributes from mkOverride and mkIf that we need to

nixos/lib/systemd-types.nix

@@ -45,12 +45,61 @@ let
 
  inherit (lib.types)
  attrsOf
+ coercedTo
+ enum
  lines
  listOf
  nullOr
+ oneOf
+ package
  path
+ singleLineStr
  submodule
  ;
+
+ initrdStorePathModule = { config, ... }: {
+ options = {
+ enable = (mkEnableOption "copying of this file and symlinking it") // { default = true; };
+
+ target = mkOption {
+ type = nullOr path;
+ description = ''
+ Path of the symlink.
+ '';
+ default = null;
+ };
+
+ source = mkOption {
+ type = path;
+ description = "Path of the source file.";
+ };
+
+ dlopen = {
+ usePriority = mkOption {
+ type = enum [ "required" "recommended" "suggested" ];
+ default = "recommended";
+ description = ''
+ Priority of dlopen ELF notes to include. "required" is
+ minimal, "recommended" includes "required", and
+ "suggested" includes "recommended".
+
+ See: https://systemd.io/ELF_DLOPEN_METADATA/
+ '';
+ };
+
+ features = mkOption {
+ type = listOf singleLineStr;
+ default = [ ];
+ description = ''
+ Features to enable via dlopen ELF notes. These will be in
+ addition to anything included via 'usePriority',
+ regardless of their priority.
+ '';
+ };
+ };
+ };
+ };
+
 in
 
 {
@@ -86,31 +135,23 @@ in
  automounts = listOf (submodule [ stage2AutomountOptions unitConfig automountConfig ]);
  initrdAutomounts = attrsOf (submodule [ stage1AutomountOptions unitConfig automountConfig ]);
 
+ initrdStorePath = listOf (coercedTo
+ (oneOf [ singleLineStr package ])
+ (source: { inherit source; })
+ (submodule initrdStorePathModule));
+
  initrdContents = attrsOf (submodule ({ config, options, name, ... }: {
+ imports = [ initrdStorePathModule ];
  options = {
- enable = (mkEnableOption "copying of this file and symlinking it") // { default = true; };
-
- target = mkOption {
- type = path;
- description = ''
- Path of the symlink.
- '';
- default = name;
- };
-
  text = mkOption {
  default = null;
  type = nullOr lines;
  description = "Text of the file.";
  };
-
- source = mkOption {
- type = path;
- description = "Path of the source file.";
- };
  };
 
  config = {
+ target = mkDefault name;
  source = mkIf (config.text != null) (
  let name' = "initrd-" + baseNameOf name;
  in mkDerivedConfig options.text (pkgs.writeText name')

nixos/modules/system/boot/networkd.nix

@@ -18,12 +18,16 @@ let
  "ManageForeignRoutes"
  "RouteTable"
  "IPv6PrivacyExtensions"
+ "IPv4Forwarding"
+ "IPv6Forwarding"
  ])
  (assertValueOneOf "SpeedMeter" boolValues)
  (assertInt "SpeedMeterIntervalSec")
  (assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues)
  (assertValueOneOf "ManageForeignRoutes" boolValues)
  (assertValueOneOf "IPv6PrivacyExtensions" (boolValues ++ ["prefer-public" "kernel"]))
+ (assertValueOneOf "IPv4Forwarding" boolValues)
+ (assertValueOneOf "IPv6Forwarding" boolValues)
  ];
 
  sectionDHCPv4 = checkUnitConfig "DHCPv4" [
@@ -652,6 +656,8 @@ let
  "DNSDefaultRoute"
  "NTP"
  "IPForward"
+ "IPv4Forwarding"
+ "IPv6Forwarding"
  "IPMasquerade"
  "IPv6PrivacyExtensions"
  "IPv6AcceptRA"
@@ -700,7 +706,9 @@ let
  (assertValueOneOf "LLDP" (boolValues ++ ["routers-only"]))
  (assertValueOneOf "EmitLLDP" (boolValues ++ ["nearest-bridge" "non-tpmr-bridge" "customer-bridge"]))
  (assertValueOneOf "DNSDefaultRoute" boolValues)
- (assertValueOneOf "IPForward" (boolValues ++ ["ipv4" "ipv6"]))
+ (assertRemoved "IPForward" "IPv4Forwarding and IPv6Forwarding in systemd.network(5) and networkd.conf(5)")
+ (assertValueOneOf "IPv4Forwarding" boolValues)
+ (assertValueOneOf "IPv6Forwarding" boolValues)
  (assertValueOneOf "IPMasquerade" (boolValues ++ ["ipv4" "ipv6" "both"]))
  (assertValueOneOf "IPv6PrivacyExtensions" (boolValues ++ ["prefer-public" "kernel"]))
  (assertValueOneOf "IPv6AcceptRA" boolValues)
@@ -2835,6 +2843,7 @@ let
  "systemd-networkd-wait-online.service"
  "systemd-networkd.service"
  "systemd-networkd.socket"
+ "systemd-networkd-persistent-storage.service"
  ];
 
  environment.etc."systemd/networkd.conf" = renderConfig cfg.config;

nixos/modules/system/boot/stage-1.nix

@@ -131,6 +131,7 @@ let
 
  # Copy udev.
  copy_bin_and_libs ${udev}/bin/udevadm
+ cp ${lib.getLib udev.kmod}/lib/libkmod.so* $out/lib
  copy_bin_and_libs ${udev}/lib/systemd/systemd-sysctl
  for BIN in ${udev}/lib/udev/*_id; do
  copy_bin_and_libs $BIN

nixos/modules/system/boot/systemd.nix

@@ -37,6 +37,8 @@ let
  "cryptsetup.target"
  "cryptsetup-pre.target"
  "remote-cryptsetup.target"
+ ] ++ optionals cfg.package.withTpm2Tss [
+ "tpm2.target"
  ] ++ [
  "sigpwr.target"
  "timers.target"
@@ -112,6 +114,7 @@ let
  "sleep.target"
  "hybrid-sleep.target"
  "systemd-hibernate.service"
+ "systemd-hibernate-clear.service"
  "systemd-hybrid-sleep.service"
  "systemd-suspend.service"
  "systemd-suspend-then-hibernate.service"
@@ -136,6 +139,16 @@ let
  "systemd-ask-password-wall.path"
  "systemd-ask-password-wall.service"
 
+ # Varlink APIs
+ "systemd-bootctl@.service"
+ "systemd-bootctl.socket"
+ "systemd-creds@.service"
+ "systemd-creds.socket"
+ ] ++ lib.optional cfg.package.withTpm2Tss [
+ "systemd-pcrlock@.service"
+ "systemd-pcrlock.socket"
+ ] ++ [
+
  # Slices / containers.
  "slices.target"
  ] ++ optionals cfg.package.withImportd [
@@ -158,6 +171,7 @@ let
  ] ++ optionals cfg.package.withHostnamed [
  "dbus-org.freedesktop.hostname1.service"
  "systemd-hostnamed.service"
+ "systemd-hostnamed.socket"
  ] ++ optionals cfg.package.withPortabled [
  "dbus-org.freedesktop.portable1.service"
  "systemd-portabled.service"

nixos/modules/system/boot/systemd/initrd.nix

@@ -70,6 +70,7 @@ let
  "systemd-tmpfiles-setup-dev.service"
  "systemd-tmpfiles-setup.service"
  "timers.target"
+ "tpm2.target"
  "umount.target"
  "systemd-bsod.service"
  ] ++ cfg.additionalUpstreamUnits;
@@ -111,8 +112,7 @@ let
  inherit (config.boot.initrd) compressor compressorArgs prepend;
  inherit (cfg) strip;
 
- contents = map (path: { object = path; symlink = ""; }) (subtractLists cfg.suppressedStorePaths cfg.storePaths)
- ++ mapAttrsToList (_: v: { object = v.source; symlink = v.target; }) (filterAttrs (_: v: v.enable) cfg.contents);
+ contents = lib.filter ({ source, ... }: !lib.elem source cfg.suppressedStorePaths) cfg.storePaths;
  };
 
 in {
@@ -171,7 +171,7 @@ in {
  description = ''
  Store paths to copy into the initrd as well.
  '';
- type = with types; listOf (oneOf [ singleLineStr package ]);
+ type = utils.systemdUtils.types.initrdStorePath;
  default = [];
  };
 
@@ -344,7 +344,8 @@ in {
  };
 
  enableTpm2 = mkOption {
- default = true;
+ default = cfg.package.withTpm2Tss;
+ defaultText = "boot.initrd.systemd.package.withTpm2Tss";
  type = types.bool;
  description = ''
  Whether to enable TPM2 support in the initrd.
@@ -460,6 +461,7 @@ in {
  "${cfg.package}/lib/systemd/systemd-sulogin-shell"
  "${cfg.package}/lib/systemd/systemd-sysctl"
  "${cfg.package}/lib/systemd/systemd-bsod"
+ "${cfg.package}/lib/systemd/systemd-sysroot-fstab-check"
 
  # generators
  "${cfg.package}/lib/systemd/system-generators/systemd-debug-generator"
@@ -486,7 +488,8 @@ in {
  # fido2 support
  "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
  "${pkgs.libfido2}/lib/libfido2.so.1"
- ] ++ jobScripts;
+ ] ++ jobScripts
+ ++ map (c: builtins.removeAttrs c ["text"]) (builtins.attrValues cfg.contents);
 
  targets.initrd.aliases = ["default.target"];
  units =

nixos/modules/system/boot/systemd/journald.nix

@@ -96,6 +96,7 @@ in {
  "systemd-journald@.service"
  "systemd-journal-flush.service"
  "systemd-journal-catalog-update.service"
+ "systemd-journald-sync@.service"
  ] ++ (optional (!config.boot.isContainer) "systemd-journald-audit.socket") ++ [
  "systemd-journald-dev-log.socket"
  "syslog.socket"

nixos/modules/system/boot/systemd/shutdown.nix

@@ -2,10 +2,7 @@
 
  cfg = config.systemd.shutdownRamfs;
 
- ramfsContents = let
- storePaths = map (p: "${p}\n") cfg.storePaths;
- contents = lib.mapAttrsToList (_: v: "${v.source}\n${v.target}") (lib.filterAttrs (_: v: v.enable) cfg.contents);
- in pkgs.writeText "shutdown-ramfs-contents" (lib.concatStringsSep "\n" (storePaths ++ contents));
+ ramfsContents = pkgs.writeText "shutdown-ramfs-contents.json" (builtins.toJSON cfg.storePaths);
 
 in {
  options.systemd.shutdownRamfs = {
@@ -24,7 +21,7 @@ in {
  description = ''
  Store paths to copy into the shutdown ramfs as well.
  '';
- type = lib.types.listOf lib.types.singleLineStr;
+ type = utils.systemdUtils.types.initrdStorePath;
  default = [];
  };
  };
@@ -35,7 +32,8 @@ in {
  "/etc/initrd-release".source = config.environment.etc.os-release.source;
  "/etc/os-release".source = config.environment.etc.os-release.source;
  };
- systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"];
+ systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"]
+ ++ map (c: builtins.removeAttrs c ["text"]) (builtins.attrValues cfg.contents);
 
  systemd.mounts = [{
  what = "tmpfs";

nixos/modules/virtualisation/proxmox-lxc.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 
 with lib;
 
@@ -42,19 +47,35 @@ with lib;
  in
  mkIf cfg.enable {
  system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
- storeContents = [{
- object = config.system.build.toplevel;
- symlink = "none";
- }];
+ storeContents = [
+ {
+ object = config.system.build.toplevel;
+ symlink = "none";
+ }
+ ];
 
- contents = [{
- source = config.system.build.toplevel + "/init";
- target = "/sbin/init";
- }];
+ contents = [
+ {
+ source = config.system.build.toplevel + "/init";
+ target = "/sbin/init";
+ }
+ ];
 
  extraCommands = "mkdir -p root etc/systemd/network";
  };
 
+ boot.postBootCommands = ''
+ # After booting, register the contents of the Nix store in the Nix
+ # database.
+ if [ -f /nix-path-registration ]; then
+ ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
+ rm /nix-path-registration
+ fi
+
+ # nixos-rebuild also requires a "system" profile
+ ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+
  boot = {
  isContainer = true;
  loader.initScript.enable = true;
@@ -84,11 +105,22 @@ with lib;
  };
 
  systemd = {
- mounts = mkIf (!cfg.privileged) [{
- enable = false;
- where = "/sys/kernel/debug";
- }];
- services."getty@".unitConfig.ConditionPathExists = [ "" "/dev/%I" ];
+ mounts = mkIf (!cfg.privileged) [
+ {
+ enable = false;
+ where = "/sys/kernel/debug";
+ }
+ ];
+
+ # By default only starts getty on tty0 but first on LXC is tty1
+ services."autovt@".unitConfig.ConditionPathExists = [
+ ""
+ "/dev/%I"
+ ];
+
+ # These are disabled by `console.enable` but console via tty is the default in Proxmox
+ services."getty@tty1".enable = lib.mkForce true;
+ services."autovt@".enable = lib.mkForce true;
  };
 
  };

nixos/tests/rosenpass.nix

@@ -44,7 +44,8 @@ in
  enable = true;
  networks."rosenpass" = {
  matchConfig.Name = deviceName;
- networkConfig.IPForward = true;
+ networkConfig.IPv4Forwarding = true;
+ networkConfig.IPv6Forwarding = true;
  address = [ "${peer.ip}/64" ];
  };