Loading nixos/modules/config/users-groups.nix +92 −0 Original line number Diff line number Diff line Loading @@ -428,6 +428,8 @@ let uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid"; gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid"; sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; spec = pkgs.writeText "users-groups.json" (builtins.toJSON { inherit (cfg) mutableUsers; Loading Loading @@ -534,6 +536,54 @@ in { WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing. ''; }; # systemd initrd boot.initrd.systemd.users = mkOption { visible = false; description = '' Users to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.uid = mkOption { visible = false; type = types.int; description = '' ID of the user in initrd. ''; defaultText = literalExpression "config.users.users.\${name}.uid"; default = cfg.users.${name}.uid; }; options.group = mkOption { visible = false; type = types.singleLineStr; description = '' Group the user belongs to in initrd. ''; defaultText = literalExpression "config.users.users.\${name}.group"; default = cfg.users.${name}.group; }; })); }; boot.initrd.systemd.groups = mkOption { visible = false; description = '' Groups to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.gid = mkOption { visible = false; type = types.int; description = '' ID of the group in initrd. ''; defaultText = literalExpression "config.users.groups.\${name}.gid"; default = cfg.groups.${name}.gid; }; })); }; }; Loading Loading @@ -639,10 +689,52 @@ in { "/etc/profiles/per-user/$USER" ]; # systemd initrd boot.initrd.systemd = lib.mkIf config.boot.initrd.systemd.enable { contents = { "/etc/passwd".text = '' ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { uid, group }: let g = config.boot.initrd.systemd.groups.${group}; in "${n}:x:${toString uid}:${toString g.gid}::/var/empty:") config.boot.initrd.systemd.users)} ''; "/etc/group".text = '' ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { gid }: "${n}:x:${toString gid}:") config.boot.initrd.systemd.groups)} ''; }; users = { root = {}; nobody = {}; }; groups = { root = {}; nogroup = {}; systemd-journal = {}; tty = {}; dialout = {}; kmem = {}; input = {}; video = {}; render = {}; sgx = {}; audio = {}; video = {}; lp = {}; disk = {}; cdrom = {}; tape = {}; kvm = {}; }; }; assertions = [ { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); message = "UIDs and GIDs must be unique!"; } { assertion = !cfg.enforceIdUniqueness || (sdInitrdUidsAreUnique && sdInitrdGidsAreUnique); message = "systemd initrd UIDs and GIDs must be unique!"; } { # If mutableUsers is false, to prevent users creating a # configuration that locks them out of the system, ensure that # there is at least one "privileged" account that has a Loading nixos/modules/services/hardware/udev.nix +0 −11 Original line number Diff line number Diff line Loading @@ -16,16 +16,6 @@ let ''; # networkd link files are used early by udev to set up interfaces early. # This must be done in stage 1 to avoid race conditions between udev and # network daemons. # TODO move this into the initrd-network module when it exists initrdLinkUnits = pkgs.runCommand "initrd-link-units" {} '' mkdir -p $out ln -s ${udev}/lib/systemd/network/*.link $out/ ${lib.concatMapStringsSep "\n" (file: "ln -s ${file} $out/") (lib.mapAttrsToList (n: v: "${v.unit}/${n}") (lib.filterAttrs (n: _: hasSuffix ".link" n) config.systemd.network.units))} ''; extraUdevRules = pkgs.writeTextFile { name = "extra-udev-rules"; text = cfg.extraRules; Loading Loading @@ -398,7 +388,6 @@ in systemd = config.boot.initrd.systemd.package; binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; }; "/etc/systemd/network".source = initrdLinkUnits; }; # Insert initrd rules boot.initrd.services.udev.packages = [ Loading nixos/modules/services/system/dbus.nix +20 −1 Original line number Diff line number Diff line Loading @@ -14,13 +14,17 @@ let serviceDirectories = cfg.packages; }; inherit (lib) mkOption mkIf mkMerge types; inherit (lib) mkOption mkEnableOption mkIf mkMerge types; in { options = { boot.initrd.systemd.dbus = { enable = mkEnableOption (lib.mdDoc "dbus in stage 1") // { visible = false; }; }; services.dbus = { enable = mkOption { Loading Loading @@ -111,6 +115,21 @@ in ]; } (mkIf config.boot.initrd.systemd.dbus.enable { boot.initrd.systemd = { users.messagebus = { }; groups.messagebus = { }; contents."/etc/dbus-1".source = pkgs.makeDBusConf { inherit (cfg) apparmor; suidHelper = "/bin/false"; serviceDirectories = [ pkgs.dbus ]; }; packages = [ pkgs.dbus ]; storePaths = [ "${pkgs.dbus}/bin/dbus-daemon" ]; targets.sockets.wants = [ "dbus.socket" ]; }; }) (mkIf (cfg.implementation == "dbus") { environment.systemPackages = [ pkgs.dbus Loading nixos/modules/system/boot/initrd-network.nix +5 −1 Original line number Diff line number Diff line Loading @@ -67,11 +67,15 @@ in boot.initrd.network.flushBeforeStage2 = mkOption { type = types.bool; default = true; default = !config.boot.initrd.systemd.enable; defaultText = "!config.boot.initrd.systemd.enable"; description = lib.mdDoc '' Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options. The default is false when systemd is enabled in initrd, because the systemd-networkd documentation suggests it. ''; }; Loading nixos/modules/system/boot/initrd-openvpn.nix +18 −3 Original line number Diff line number Diff line Loading @@ -51,7 +51,7 @@ in # Add openvpn and ip binaries to the initrd # The shared libraries are required for DNS resolution boot.initrd.extraUtilsCommands = '' boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn copy_bin_and_libs ${pkgs.iproute2}/bin/ip Loading @@ -59,18 +59,33 @@ in cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib ''; boot.initrd.systemd.storePaths = [ "${pkgs.openvpn}/bin/openvpn" "${pkgs.iproute2}/bin/ip" "${pkgs.glibc}/lib/libresolv.so.2" "${pkgs.glibc}/lib/libnss_dns.so.2" ]; boot.initrd.secrets = { "/etc/initrd.ovpn" = cfg.configuration; }; # openvpn --version would exit with 1 instead of 0 boot.initrd.extraUtilsCommandsTest = '' boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' $out/bin/openvpn --show-gateway ''; boot.initrd.network.postCommands = '' boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) '' openvpn /etc/initrd.ovpn & ''; boot.initrd.systemd.services.openvpn = { wantedBy = [ "initrd.target" ]; path = [ pkgs.iproute2 ]; after = [ "network.target" "initrd-nixos-copy-secrets.service" ]; serviceConfig.ExecStart = "${pkgs.openvpn}/bin/openvpn /etc/initrd.ovpn"; serviceConfig.Type = "notify"; }; }; } Loading
nixos/modules/config/users-groups.nix +92 −0 Original line number Diff line number Diff line Loading @@ -428,6 +428,8 @@ let uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid"; gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid"; sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; spec = pkgs.writeText "users-groups.json" (builtins.toJSON { inherit (cfg) mutableUsers; Loading Loading @@ -534,6 +536,54 @@ in { WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing. ''; }; # systemd initrd boot.initrd.systemd.users = mkOption { visible = false; description = '' Users to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.uid = mkOption { visible = false; type = types.int; description = '' ID of the user in initrd. ''; defaultText = literalExpression "config.users.users.\${name}.uid"; default = cfg.users.${name}.uid; }; options.group = mkOption { visible = false; type = types.singleLineStr; description = '' Group the user belongs to in initrd. ''; defaultText = literalExpression "config.users.users.\${name}.group"; default = cfg.users.${name}.group; }; })); }; boot.initrd.systemd.groups = mkOption { visible = false; description = '' Groups to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.gid = mkOption { visible = false; type = types.int; description = '' ID of the group in initrd. ''; defaultText = literalExpression "config.users.groups.\${name}.gid"; default = cfg.groups.${name}.gid; }; })); }; }; Loading Loading @@ -639,10 +689,52 @@ in { "/etc/profiles/per-user/$USER" ]; # systemd initrd boot.initrd.systemd = lib.mkIf config.boot.initrd.systemd.enable { contents = { "/etc/passwd".text = '' ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { uid, group }: let g = config.boot.initrd.systemd.groups.${group}; in "${n}:x:${toString uid}:${toString g.gid}::/var/empty:") config.boot.initrd.systemd.users)} ''; "/etc/group".text = '' ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { gid }: "${n}:x:${toString gid}:") config.boot.initrd.systemd.groups)} ''; }; users = { root = {}; nobody = {}; }; groups = { root = {}; nogroup = {}; systemd-journal = {}; tty = {}; dialout = {}; kmem = {}; input = {}; video = {}; render = {}; sgx = {}; audio = {}; video = {}; lp = {}; disk = {}; cdrom = {}; tape = {}; kvm = {}; }; }; assertions = [ { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); message = "UIDs and GIDs must be unique!"; } { assertion = !cfg.enforceIdUniqueness || (sdInitrdUidsAreUnique && sdInitrdGidsAreUnique); message = "systemd initrd UIDs and GIDs must be unique!"; } { # If mutableUsers is false, to prevent users creating a # configuration that locks them out of the system, ensure that # there is at least one "privileged" account that has a Loading
nixos/modules/services/hardware/udev.nix +0 −11 Original line number Diff line number Diff line Loading @@ -16,16 +16,6 @@ let ''; # networkd link files are used early by udev to set up interfaces early. # This must be done in stage 1 to avoid race conditions between udev and # network daemons. # TODO move this into the initrd-network module when it exists initrdLinkUnits = pkgs.runCommand "initrd-link-units" {} '' mkdir -p $out ln -s ${udev}/lib/systemd/network/*.link $out/ ${lib.concatMapStringsSep "\n" (file: "ln -s ${file} $out/") (lib.mapAttrsToList (n: v: "${v.unit}/${n}") (lib.filterAttrs (n: _: hasSuffix ".link" n) config.systemd.network.units))} ''; extraUdevRules = pkgs.writeTextFile { name = "extra-udev-rules"; text = cfg.extraRules; Loading Loading @@ -398,7 +388,6 @@ in systemd = config.boot.initrd.systemd.package; binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; }; "/etc/systemd/network".source = initrdLinkUnits; }; # Insert initrd rules boot.initrd.services.udev.packages = [ Loading
nixos/modules/services/system/dbus.nix +20 −1 Original line number Diff line number Diff line Loading @@ -14,13 +14,17 @@ let serviceDirectories = cfg.packages; }; inherit (lib) mkOption mkIf mkMerge types; inherit (lib) mkOption mkEnableOption mkIf mkMerge types; in { options = { boot.initrd.systemd.dbus = { enable = mkEnableOption (lib.mdDoc "dbus in stage 1") // { visible = false; }; }; services.dbus = { enable = mkOption { Loading Loading @@ -111,6 +115,21 @@ in ]; } (mkIf config.boot.initrd.systemd.dbus.enable { boot.initrd.systemd = { users.messagebus = { }; groups.messagebus = { }; contents."/etc/dbus-1".source = pkgs.makeDBusConf { inherit (cfg) apparmor; suidHelper = "/bin/false"; serviceDirectories = [ pkgs.dbus ]; }; packages = [ pkgs.dbus ]; storePaths = [ "${pkgs.dbus}/bin/dbus-daemon" ]; targets.sockets.wants = [ "dbus.socket" ]; }; }) (mkIf (cfg.implementation == "dbus") { environment.systemPackages = [ pkgs.dbus Loading
nixos/modules/system/boot/initrd-network.nix +5 −1 Original line number Diff line number Diff line Loading @@ -67,11 +67,15 @@ in boot.initrd.network.flushBeforeStage2 = mkOption { type = types.bool; default = true; default = !config.boot.initrd.systemd.enable; defaultText = "!config.boot.initrd.systemd.enable"; description = lib.mdDoc '' Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options. The default is false when systemd is enabled in initrd, because the systemd-networkd documentation suggests it. ''; }; Loading
nixos/modules/system/boot/initrd-openvpn.nix +18 −3 Original line number Diff line number Diff line Loading @@ -51,7 +51,7 @@ in # Add openvpn and ip binaries to the initrd # The shared libraries are required for DNS resolution boot.initrd.extraUtilsCommands = '' boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn copy_bin_and_libs ${pkgs.iproute2}/bin/ip Loading @@ -59,18 +59,33 @@ in cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib ''; boot.initrd.systemd.storePaths = [ "${pkgs.openvpn}/bin/openvpn" "${pkgs.iproute2}/bin/ip" "${pkgs.glibc}/lib/libresolv.so.2" "${pkgs.glibc}/lib/libnss_dns.so.2" ]; boot.initrd.secrets = { "/etc/initrd.ovpn" = cfg.configuration; }; # openvpn --version would exit with 1 instead of 0 boot.initrd.extraUtilsCommandsTest = '' boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' $out/bin/openvpn --show-gateway ''; boot.initrd.network.postCommands = '' boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) '' openvpn /etc/initrd.ovpn & ''; boot.initrd.systemd.services.openvpn = { wantedBy = [ "initrd.target" ]; path = [ pkgs.iproute2 ]; after = [ "network.target" "initrd-nixos-copy-secrets.service" ]; serviceConfig.ExecStart = "${pkgs.openvpn}/bin/openvpn /etc/initrd.ovpn"; serviceConfig.Type = "notify"; }; }; }
