Unverified Commit b0ec8bbe authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge staging-next into staging

parents 85e53860 d7e9da17
+3 −1
@@ -14,7 +14,9 @@ For new packages please briefly describe the package or provide a link to its ho
  - [ ] aarch64-linux
  - [ ] x86_64-darwin
  - [ ] aarch64-darwin
- [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
- For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
  - [ ] `sandbox = relaxed`
  - [ ] `sandbox = true`
- [ ] Tested, as applicable:
  - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
  - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests)
+2 −5
@@ -108,8 +108,7 @@ in
        ProtectClock = true;
        ProtectHome = true;
        ProtectHostname = true;
        # Would re-mount paths ignored by temporary root
        #ProtectSystem = "strict";
        ProtectSystem = "strict";
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
@@ -121,9 +120,7 @@ in
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
        TemporaryFileSystem = "/:ro";
        # Does not work well with the temporary root
        #UMask = "0066";
        UMask = "0066";
      } // optionalAttrs (cfg.environmentFile != null) {
        EnvironmentFile = cfg.environmentFile;
      };
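Review bot: `UMask = "0066"` in the second hunk masks only read and write for group and other, so directories the service creates come out as 0711 and stay traversable by other users; `UMask = "0077";` closes that unless something outside the unit has to reach into them. Both re-enabled options previously carried comments saying they conflicted with `TemporaryFileSystem = "/:ro"`, which is still set, and the new lines do not say why that no longer holds; a short comment such as `# compatible with the temporary root since <systemd version>` would record it. The serviceConfig block starts outside the hunk, so the bind mounts that populate the temporary root are not visible here.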
+25 −29
@@ -16,29 +16,28 @@ with lib;
  };

  config = mkIf config.boot.growPartition {
    assertions = [
      {
        assertion = !config.boot.initrd.systemd.repart.enable && !config.systemd.repart.enable;
        message = "systemd-repart already grows the root partition and thus you should not use boot.growPartition";
      }
    ];
    systemd.services.growpart = {
      wantedBy = [ "-.mount" ];
      after = [ "-.mount" ];
      before = [ "systemd-growfs-root.service" ];
      conflicts = [ "shutdown.target" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        TimeoutSec = "infinity";
        # growpart returns 1 if the partition is already grown
        SuccessExitStatus = "0 1";
      };

    assertions = [{
      assertion = !config.boot.initrd.systemd.enable;
      message = "systemd stage 1 does not support 'boot.growPartition' yet.";
    }];

    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.gawk}/bin/gawk
      copy_bin_and_libs ${pkgs.gnused}/bin/sed
      copy_bin_and_libs ${pkgs.util-linux}/sbin/sfdisk
      copy_bin_and_libs ${pkgs.util-linux}/sbin/lsblk

      substitute "${pkgs.cloud-utils.guest}/bin/.growpart-wrapped" "$out/bin/growpart" \
        --replace "${pkgs.bash}/bin/sh" "/bin/sh" \
        --replace "awk" "gawk" \
        --replace "sed" "gnused"

      ln -s sed $out/bin/gnused
    '';

    boot.initrd.postDeviceCommands = ''
      script = ''
        rootDevice="${config.fileSystems."/".device}"
      if waitDevice "$rootDevice"; then
        rootDevice="$(readlink -f "$rootDevice")"
        parentDevice="$rootDevice"
        while [ "''${parentDevice%[0-9]}" != "''${parentDevice}" ]; do
@@ -48,11 +47,8 @@ with lib;
        if [ "''${parentDevice%[0-9]p}" != "''${parentDevice}" ] && [ -b "''${parentDevice%p}" ]; then
          parentDevice="''${parentDevice%p}"
        fi
        TMPDIR=/run sh $(type -P growpart) "$parentDevice" "$partNum"
        udevadm settle
      fi
        "${pkgs.cloud-utils.guest}/bin/growpart" "$parentDevice" "$partNum"
      '';

    };

  };
}
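Review bot: The new `script` drops the `if waitDevice "$rootDevice"` guard without a replacement, so growpart now runs on whatever `fileSystems."/".device` resolves to, and any exit status other than 0 or 1 fails the unit per `SuccessExitStatus = "0 1"`. A check after the `readlink -f` line, for example `[ -b "$rootDevice" ] || exit 0`, would keep a root that is not a block device from failing the unit at boot. The device string is also interpolated into the shell script unescaped; `rootDevice=${escapeShellArg config.fileSystems."/".device}` would keep shell metacharacters in that option from being interpreted. Part of the script lies between the two hunks and is not visible, so the derivation of `partNum` is not covered by this note.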
+1 −0
@@ -332,6 +332,7 @@ in {
  graphite = handleTest ./graphite.nix {};
  graylog = handleTest ./graylog.nix {};
  grocy = handleTest ./grocy.nix {};
  grow-partition = runTest ./grow-partition.nix;
  grub = handleTest ./grub.nix {};
  guacamole-server = handleTest ./guacamole-server.nix {};
  gvisor = handleTest ./gvisor.nix {};
+83 −0
{ lib, ... }:

let
  rootFslabel = "external";
  rootFsDevice = "/dev/disk/by-label/${rootFslabel}";

  externalModule = partitionTableType: { config, lib, pkgs, ... }: {
    virtualisation.directBoot.enable = false;
    virtualisation.mountHostNixStore = false;
    virtualisation.useEFIBoot = partitionTableType == "efi";

    # This stops the qemu-vm module from overriding the fileSystems option
    # with virtualisation.fileSystems.
    virtualisation.fileSystems = lib.mkForce { };


    boot.loader.grub.enable = true;
    boot.loader.grub.efiSupport = partitionTableType == "efi";
    boot.loader.grub.efiInstallAsRemovable = partitionTableType == "efi";
    boot.loader.grub.device = if partitionTableType == "efi" then "nodev" else "/dev/vda";

    boot.growPartition = true;

    fileSystems = {
      "/".device = rootFsDevice;
    };

    system.build.diskImage = import ../lib/make-disk-image.nix {
      inherit config lib pkgs;
      label = rootFslabel;
      inherit partitionTableType;
      format = "raw";
      bootSize = "128M";
      additionalSpace = "0M";
      copyChannel = false;
    };
  };
in
{
  name = "grow-partition";

  meta.maintainers = with lib.maintainers; [ arianvp ];

  nodes = {
    efi = externalModule "efi";
    legacy = externalModule "legacy";
    legacyGPT = externalModule "legacy+gpt";
    hybrid = externalModule "hybrid";
  };


  testScript = { nodes, ... }:
    lib.concatLines (lib.mapAttrsToList (name: node: ''
    import os
    import subprocess
    import tempfile
    import shutil

    tmp_disk_image = tempfile.NamedTemporaryFile()

    shutil.copyfile("${node.system.build.diskImage}/nixos.img", tmp_disk_image.name)

    subprocess.run([
      "${node.virtualisation.qemu.package}/bin/qemu-img",
      "resize",
      "-f",
      "raw",
      tmp_disk_image.name,
      "+32M",
    ])

    # Set NIX_DISK_IMAGE so that the qemu script finds the right disk image.
    os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name

    ${name}.wait_for_unit("growpart.service")
    systemd_growpart_logs = ${name}.succeed("journalctl --boot --unit growpart.service")
    assert "CHANGED" in systemd_growpart_logs
    ${name}.succeed("systemctl restart growpart.service")
    systemd_growpart_logs = ${name}.succeed("journalctl --boot --unit growpart.service")
    assert "NOCHANGE" in systemd_growpart_logs

    '') nodes);
}
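Review bot: The `subprocess.run([...])` call that invokes `qemu-img resize` does not pass `check=True`, so a failed resize is silently ignored and the test only fails later at `assert "CHANGED" in systemd_growpart_logs`, with a message that points at growpart rather than at the image preparation. Passing `check=True` as the last argument of that call surfaces the real cause. The assertions also look only at growpart's log strings; a check of the root filesystem size inside the guest would confirm that the space actually became usable.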