Unverified Commit f55aa936 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 9d96b5f8 03ed4abc
+2 −0
@@ -493,3 +493,5 @@ The module update takes care of the new config syntax and the data itself (user
- The `electron` packages now places its application files in `$out/libexec/electron` instead of `$out/lib/electron`. Packages using electron-builder will fail to build and need to be adjusted by changing `lib` to `libexec`.

- `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14).

- The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`.
+91 −0
{ lib
, config
, options
, ...
}:
let
  inherit (builtins) hasAttr;
  inherit (lib) mkIf mdDoc;
  cfg = config.hardware.cpu.x86.msr;
  opt = options.hardware.cpu.x86.msr;
  defaultGroup = "msr";
  isDefaultGroup = cfg.group == defaultGroup;
  set = "to set for devices of the `msr` kernel subsystem.";

  # Generates `foo=bar` parameters to pass to the kernel.
  # If `module = baz` is passed, generates `baz.foo=bar`.
  # Adds double quotes on demand to handle `foo="bar baz"`.
  kernelParam = { module ? null }: name: value:
    assert lib.asserts.assertMsg (!lib.strings.hasInfix "=" name) "kernel parameter cannot have '=' in name";
    let
      key = (if module == null then "" else module + ".") + name;
      valueString = lib.generators.mkValueStringDefault {} value;
      quotedValueString = if lib.strings.hasInfix " " valueString
        then lib.strings.escape ["\""] valueString
        else valueString;
    in "${key}=${quotedValueString}";
  msrKernelParam = kernelParam { module = "msr"; };
in
{
  options.hardware.cpu.x86.msr = with lib.options; with lib.types; {
    enable = mkEnableOption (mdDoc "the `msr` (Model-Specific Registers) kernel module and configure `udev` rules for its devices (usually `/dev/cpu/*/msr`)");
    owner = mkOption {
      type = str;
      default = "root";
      example = "nobody";
      description = mdDoc "Owner ${set}";
    };
    group = mkOption {
      type = str;
      default = defaultGroup;
      example = "nobody";
      description = mdDoc "Group ${set}";
    };
    mode = mkOption {
      type = str;
      default = "0640";
      example = "0660";
      description = mdDoc "Mode ${set}";
    };
    settings = mkOption {
      type = submodule {
        freeformType = attrsOf (oneOf [ bool int str ]);
        options.allow-writes = mkOption {
          type = nullOr (enum ["on" "off"]);
          default = null;
          description = "Whether to allow writes to MSRs (`\"on\"`) or not (`\"off\"`).";
        };
      };
      default = {};
      description = "Parameters for the `msr` kernel module.";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = hasAttr cfg.owner config.users.users;
        message = "Owner '${cfg.owner}' set in `${opt.owner}` is not configured via `${options.users.users}.\"${cfg.owner}\"`.";
      }
      {
        assertion = isDefaultGroup || (hasAttr cfg.group config.users.groups);
        message = "Group '${cfg.group}' set in `${opt.group}` is not configured via `${options.users.groups}.\"${cfg.group}\"`.";
      }
    ];

    boot = {
      kernelModules = [ "msr" ];
      kernelParams = lib.attrsets.mapAttrsToList msrKernelParam (lib.attrsets.filterAttrs (_: value: value != null) cfg.settings);
    };

    users.groups.${cfg.group} = mkIf isDefaultGroup { };

    services.udev.extraRules = ''
      SUBSYSTEM=="msr", OWNER="${cfg.owner}", GROUP="${cfg.group}", MODE="${cfg.mode}"
    '';
  };

  meta = with lib; {
    maintainers = with maintainers; [ lorenzleutgeb ];
  };
}
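Review bot: `kernelParam` does not do what its comment promises. `lib.strings.escape ["\""] valueString` only backslash-escapes double quotes already present in the value and never wraps it in quotes, so a freeform `settings` value containing a space is emitted unquoted and would be split on the kernel command line. Wrapping it explicitly, e.g. `then "\"${lib.strings.escape ["\""] valueString}\""`, would match the comment; how the kernel treats embedded quotes should be confirmed separately. `owner`, `group` and `mode` are also plain `str` values spliced into the udev rule that decides who can open the MSR devices. Constraining `mode` with something like `strMatching "[0-7]{3,4}"` would turn a typo into an evaluation error rather than a broken or over-permissive rule.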
+2 −0
@@ -55,6 +55,7 @@
  ./hardware/cpu/amd-sev.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/cpu/intel-sgx.nix
  ./hardware/cpu/x86-msr.nix
  ./hardware/decklink.nix
  ./hardware/device-tree.nix
  ./hardware/digitalbitbox.nix
@@ -723,6 +724,7 @@
  ./services/misc/ripple-data-api.nix
  ./services/misc/rippled.nix
  ./services/misc/rmfakecloud.nix
  ./services/misc/rkvm.nix
  ./services/misc/rshim.nix
  ./services/misc/safeeyes.nix
  ./services/misc/sdrplay.nix
+1 −1
@@ -592,7 +592,7 @@ let
        description = lib.mdDoc ''
          Key type to use for private keys.
          For an up to date list of supported values check the --key-type option
          at <https://go-acme.github.io/lego/usage/cli/#usage>.
          at <https://go-acme.github.io/lego/usage/cli/options/>.
        '';
      };

+2 −3
@@ -29,8 +29,7 @@ in {

    # Kernel 5.9 spams warnings whenever userspace writes to CPU MSRs.
    # See https://github.com/erpalma/throttled/issues/215
    boot.kernelParams =
      optional (versionAtLeast config.boot.kernelPackages.kernel.version "5.9")
      "msr.allow_writes=on";
    hardware.cpu.x86.msr.settings.allow-writes =
      mkIf (versionAtLeast config.boot.kernelPackages.kernel.version "5.9") "on";
  };
}
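Review bot: The new `hardware.cpu.x86.msr.settings.allow-writes` assignment only takes effect when `hardware.cpu.x86.msr.enable` is true, because the msr module added in this commit wraps its whole `config` in `mkIf cfg.enable`. Nothing in this hunk sets that option, so unless it is set in the part of the file outside the hunk, the `msr.allow_writes=on` parameter would silently stop being passed. If it is meant to be handled here, add `hardware.cpu.x86.msr.enable = true;` next to the assignment. Doing so also loads `msr` at boot and applies the module's udev owner/group/mode to the MSR devices, which is a wider change than the old one-line kernel parameter and should be mentioned in the comment.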