From f0154409a199152522818e70f23a75b49fcdff5d Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 12 Oct 2023 23:57:25 +0200 Subject: [PATCH 01/22] nixos/nix-daemon: remove activationScript The activationScript does not seem to be necessary anymore as the paths are created anyways. --- nixos/modules/services/system/nix-daemon.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/nixos/modules/services/system/nix-daemon.nix b/nixos/modules/services/system/nix-daemon.nix index c9df20196dbd9..ce255cd8d0a46 100644 --- a/nixos/modules/services/system/nix-daemon.nix +++ b/nixos/modules/services/system/nix-daemon.nix @@ -249,11 +249,6 @@ in services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; - system.activationScripts.nix = stringAfter [ "etc" "users" ] - '' - install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user - ''; - # Legacy configuration conversion. nix.settings = mkMerge [ (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) From f827f7ad7b8b301b420d0a94b1db293e1e5be051 Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 24 Oct 2023 23:51:37 +0200 Subject: [PATCH 02/22] nixos/wrappers: replace activationScript Create the wrappers via a separate systemd service. --- nixos/modules/security/wrappers/default.nix | 57 +++++++++++---------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index a8bb0650b11af..250f9775be14d 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -275,33 +275,38 @@ in mrpx ${wrap.source}, '') wrappers; - ###### wrappers activation script - system.activationScripts.wrappers = - lib.stringAfter [ "specialfs" "users" ] - '' - chmod 755 "${parentWrapperDir}" - - # We want to place the tmpdirs for the wrappers to the parent dir. - wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) - chmod a+rx "$wrapperDir" - - ${lib.concatStringsSep "\n" mkWrappedPrograms} - - if [ -L ${wrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink -f ${wrapperDir}) - if [ -e "${wrapperDir}-tmp" ]; then - rm --force --recursive "${wrapperDir}-tmp" - fi - ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" - mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" - rm --force --recursive "$old" - else - # For initial setup - ln --symbolic "$wrapperDir" "${wrapperDir}" + systemd.services.suid-sgid-wrappers = { + description = "Create SUID/SGID Wrappers"; + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ]; + serviceConfig.Type = "oneshot"; + script = '' + chmod 755 "${parentWrapperDir}" + + # We want to place the tmpdirs for the wrappers to the parent dir. 
+ wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx "$wrapperDir" + + ${lib.concatStringsSep "\n" mkWrappedPrograms} + + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + if [ -e "${wrapperDir}-tmp" ]; then + rm --force --recursive "${wrapperDir}-tmp" fi - ''; + ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" + mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" + rm --force --recursive "$old" + else + # For initial setup + ln --symbolic "$wrapperDir" "${wrapperDir}" + fi + ''; + }; ###### wrappers consistency checks system.checks = lib.singleton (pkgs.runCommandLocal From 3c1c4b65e9eaf68e49113cba5dfe6750596fc86f Mon Sep 17 00:00:00 2001 From: Julian Stecklina Date: Tue, 17 Oct 2023 13:43:37 +0200 Subject: [PATCH 03/22] nixos/timesyncd: replace activationScript via ExecPreStart --- nixos/modules/system/boot/timesyncd.nix | 45 ++++++++++++------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix index a6604802c38ca..7487cf97fe531 100644 --- a/nixos/modules/system/boot/timesyncd.nix +++ b/nixos/modules/system/boot/timesyncd.nix 
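Review bot: The new suid-sgid-wrappers unit orders itself only against mounts (`RequiresMountsFor`) and `sysinit.target`, whereas the removed snippet ran `stringAfter [ "specialfs" "users" ]`; the ownership that `mkWrappedPrograms` presumably applies (its body is outside this hunk) still depends on users and groups from the activation script, which holds at boot only because activation runs before systemd is started. The subtler change is at switch time: wrappers used to be regenerated synchronously before any unit was restarted, while now they are rebuilt by restarting this oneshot alongside everything else, so a service that needs a newly added wrapper can be restarted before `/run/wrappers/bin` contains it unless it declares `after = [ "suid-sgid-wrappers.service" ]`. I would record both assumptions above the unit, e.g. `# Users/groups referenced by wrappers come from the activation script, which runs before systemd; units that depend on a specific wrapper must order after this service.`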
@@ -46,6 +46,28 @@ with lib; wantedBy = [ "sysinit.target" ]; aliases = [ "dbus-org.freedesktop.timesync1.service" ]; restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ]; + + preStart = ( + # Ensure that we have some stored time to prevent + # systemd-timesyncd to resort back to the fallback time. If + # the file doesn't exist we assume that our current system + # clock is good enough to provide an initial value. + '' + if ! [ -f /var/lib/systemd/timesync/clock ]; then + test -d /var/lib/systemd/timesync || mkdir -p /var/lib/systemd/timesync + touch /var/lib/systemd/timesync/clock + fi + '' + + # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes + # - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742 + # - https://github.com/systemd/systemd/issues/12131 + (lib.optionalString (versionOlder config.system.stateVersion "19.09") '' + if [ -L /var/lib/systemd/timesync ]; then + rm /var/lib/systemd/timesync + mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync + fi + '') + ); }; environment.etc."systemd/timesyncd.conf".text = '' 
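Review bot: Moving the state-directory migration into `preStart` changes who runs it: `preStart` becomes an `ExecStartPre=` of systemd-timesyncd.service and inherits that unit's `User=` and sandboxing, whereas the removed activation script ran as root before any service started. Upstream's unit is not visible here, but it ships with `User=systemd-timesync` and `ProtectSystem=strict`, under which the `rm /var/lib/systemd/timesync` / `mv /var/lib/private/...` pair and even the `mkdir -p` would fail with EPERM. Running the snippet as root via `serviceConfig.ExecStartPre = [ "+${migrationScript}" ]` (the `+` prefix bypasses `User=` and the sandbox), or expressing the clock-file creation as a tmpfiles `f` rule, avoids depending on the daemon's privilege settings. A comment stating that the file must exist, and be created by root, before the daemon starts would help the next reader.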
@@ -59,28 +81,5 @@ with lib; group = "systemd-timesync"; }; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; - - system.activationScripts.systemd-timesyncd-migration = - # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes - # - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742 - # - https://github.com/systemd/systemd/issues/12131 - mkIf (versionOlder config.system.stateVersion "19.09") '' - if [ -L /var/lib/systemd/timesync ]; then - rm /var/lib/systemd/timesync - mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync - fi - ''; - system.activationScripts.systemd-timesyncd-init-clock = - # Ensure that we have some stored time to prevent systemd-timesyncd to - # resort back to the fallback time. - # If the file doesn't exist we assume that our current system clock is - # good enough to provide an initial value. - '' - if ! [ -f /var/lib/systemd/timesync/clock ]; then - test -d /var/lib/systemd/timesync || mkdir -p /var/lib/systemd/timesync - touch /var/lib/systemd/timesync/clock - fi - ''; }; - } From 59e37267556eb917146ca3110ab7c96905b9ffbd Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 17 Oct 2023 17:35:16 +0200 Subject: [PATCH 04/22] nixos/activation: replace var activationScript via tmpfiles --- .../system/activation/activation-script.nix | 21 +++++-------------- nixos/tests/activation/var.nix | 18 ++++++++++++++++ nixos/tests/all-tests.nix | 1 + 3 files changed, 24 insertions(+), 16 deletions(-) create mode 100644 nixos/tests/activation/var.nix diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index c8407dd6779a3..c62e3933405d3 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix 
@@ -233,23 +233,12 @@ in config = { system.activationScripts.stdio = ""; # obsolete + system.activationScripts.var = ""; # obsolete - system.activationScripts.var = - '' - # Various log/runtime directories. - - mkdir -p /var/tmp - chmod 1777 /var/tmp - - # Empty, immutable home directory of many system accounts. - mkdir -p /var/empty - # Make sure it's really empty - ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true - find /var/empty -mindepth 1 -delete - chmod 0555 /var/empty - chown root:root /var/empty - ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true - ''; + systemd.tmpfiles.rules = [ + "D /var/empty 0555 root root -" + "h /var/empty - - - - +i" + ]; system.activationScripts.usrbinenv = if config.environment.usrbinenv != null then '' diff --git a/nixos/tests/activation/var.nix b/nixos/tests/activation/var.nix new file mode 100644 index 0000000000000..1a546a7671c54 --- /dev/null +++ b/nixos/tests/activation/var.nix @@ -0,0 +1,18 @@ +{ lib, ... }: + +{ + + name = "activation-var"; + + meta.maintainers = with lib.maintainers; [ nikstur ]; + + nodes.machine = { }; + + testScript = '' + assert machine.succeed("stat -c '%a' /var/tmp") == "1777\n" + assert machine.succeed("stat -c '%a' /var/empty") == "555\n" + assert machine.succeed("stat -c '%U' /var/empty") == "root\n" + assert machine.succeed("stat -c '%G' /var/empty") == "root\n" + assert "i" in machine.succeed("lsattr -d /var/empty") + ''; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 22371c9fec374..c92acdebcc85b 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
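Review bot: The tmpfiles rewrite drops the `chattr -i` the old script ran before emptying `/var/empty`, so once `h ... +i` has set the immutable flag on an earlier boot, a later `D /var/empty` clean-up (and any mode/owner correction tmpfiles decides to attempt) can fail with EPERM if the directory has drifted, because tmpfiles has no step to lift the flag first; whether it tolerates that is not visible here. A comment above the rules should state what is relied on, e.g. `# /var/empty stays immutable after the first boot; tmpfiles can only empty or repair it while +i is not set`. The `mkdir -p /var/tmp; chmod 1777 /var/tmp` lines are also gone while the new test still asserts `/var/tmp` is 1777, which presumably rests on upstream's tmp.conf being installed; that dependency deserves a one-line comment too.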
@@ -264,6 +264,7 @@ in { esphome = handleTest ./esphome.nix {}; etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; }; activation = pkgs.callPackage ../modules/system/activation/test.nix { }; + activation-var = runTest ./activation/var.nix; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; etebase-server = handleTest ./etebase-server.nix {}; From a8f50f991948b91d1a191d1348bfff860a39b5a2 Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 17 Oct 2023 17:41:29 +0200 Subject: [PATCH 05/22] nixos/activation: remove specialfs activationScript The stage-2-init.sh script has the same functionality hardcoded so we do not need it in the activationScript again. --- .../system/activation/activation-script.nix | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index c62e3933405d3..424a9d179998a 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -234,6 +234,7 @@ in system.activationScripts.stdio = ""; # obsolete system.activationScripts.var = ""; # obsolete + system.activationScripts.specialfs = ""; # obsolete systemd.tmpfiles.rules = [ "D /var/empty 0555 root root -" @@ -252,25 +253,6 @@ in rmdir --ignore-fail-on-non-empty /usr/bin /usr ''; - system.activationScripts.specialfs = - '' - specialMount() { - local device="$1" - local mountPoint="$2" - local options="$3" - local fsType="$4" - - if mountpoint -q "$mountPoint"; then - local options="remount,$options" - else - mkdir -p "$mountPoint" - chmod 0755 "$mountPoint" - fi - mount -t "$fsType" -o "$options" "$device" "$mountPoint" - } - source ${config.system.build.earlyMountScript} - ''; - systemd.user = { services.nixos-activation = { description = "Run user-specific NixOS activation"; 
From cb08d3dd72f51fd20d26c823204faa11d742cfe1 Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 17 Oct 2023 21:39:51 +0200 Subject: [PATCH 06/22] nixos/nix-channel: replace activationScript via tmpfiles --- nixos/modules/config/nix-channel.nix | 11 ++++------- nixos/tests/activation/nix-channel.nix | 16 ++++++++++++++++ nixos/tests/all-tests.nix | 1 + 3 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 nixos/tests/activation/nix-channel.nix diff --git a/nixos/modules/config/nix-channel.nix b/nixos/modules/config/nix-channel.nix index 3f8e088ede929..4abc846b08586 100644 --- a/nixos/modules/config/nix-channel.nix +++ b/nixos/modules/config/nix-channel.nix @@ -97,12 +97,9 @@ in nix.settings.nix-path = mkIf (! cfg.channel.enable) (mkDefault ""); - system.activationScripts.nix-channel = mkIf cfg.channel.enable - (stringAfter [ "etc" "users" ] '' - # Subscribe the root user to the NixOS channel by default. - if [ ! -e "/root/.nix-channels" ]; then - echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" - fi - ''); + systemd.tmpfiles.rules = lib.mkIf cfg.channel.enable [ + "f /root/.nix-channels -" + ''w "/root/.nix-channels" - - - - "${config.system.defaultChannel} nixos\n"'' + ]; }; } diff --git a/nixos/tests/activation/nix-channel.nix b/nixos/tests/activation/nix-channel.nix new file mode 100644 index 0000000000000..8416ff0347aca --- /dev/null +++ b/nixos/tests/activation/nix-channel.nix @@ -0,0 +1,16 @@ +{ lib, ... }: + +{ + + name = "activation-nix-channel"; + + meta.maintainers = with lib.maintainers; [ nikstur ]; + + nodes.machine = { + nix.channel.enable = true; + }; + + testScript = '' + print(machine.succeed("cat /root/.nix-channels")) + ''; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index c92acdebcc85b..69f1b912d6b31 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
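Review bot: The `w` rule rewrites `/root/.nix-channels` with the default channel on every tmpfiles run, whereas the removed script only wrote it `if [ ! -e ]`; per tmpfiles(5), `w` writes its argument into an existing file (append only with the `+` suffix), so channels root added with `nix-channel --add` are overwritten at the next boot or tmpfiles pass. A single `f` line with an argument is the documented way to write initial content only when the file is created: `''f /root/.nix-channels - - - - "${config.system.defaultChannel} nixos\n"''`, replacing both rules. The new test only prints the file; it should pre-populate an extra channel and assert it survives a second `systemd-tmpfiles --create`.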
@@ -265,6 +265,7 @@ in { etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; }; activation = pkgs.callPackage ../modules/system/activation/test.nix { }; activation-var = runTest ./activation/var.nix; + activation-nix-channel = runTest ./activation/nix-channel.nix; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; etebase-server = handleTest ./etebase-server.nix {}; From 88f63d11659edaab1a62621e627fd4f23bb64b04 Mon Sep 17 00:00:00 2001 From: nikstur Date: Tue, 17 Oct 2023 23:16:08 +0200 Subject: [PATCH 07/22] nixos/binfmt: replace activationScript via tmpfiles --- nixos/modules/system/boot/binfmt.nix | 51 +++++++++++++++------------- 1 file changed, 27 insertions(+), 24 deletions(-) diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index 8c9483f01c102..d16152ab9dec5 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -20,17 +20,13 @@ let optionalString fixBinary "F"; in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}"; - activationSnippet = name: { interpreter, wrapInterpreterInShell, ... }: if wrapInterpreterInShell then '' - rm -f /run/binfmt/${name} - cat > /run/binfmt/${name} << 'EOF' - #!${pkgs.bash}/bin/sh - exec -- ${interpreter} "$@" - EOF - chmod +x /run/binfmt/${name} - '' else '' - rm -f /run/binfmt/${name} - ln -s ${interpreter} /run/binfmt/${name} - ''; + mkInterpreter = name: { interpreter, wrapInterpreterInShell, ... }: + if wrapInterpreterInShell + then pkgs.writeShellScript "${name}-interpreter" '' + #!${pkgs.bash}/bin/sh + exec -- ${interpreter} "$@" + '' + else interpreter; getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs; getQemuArch = system: (lib.systems.elaborate { inherit system; }).qemuArch; 
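Review bot: The body handed to `pkgs.writeShellScript` still begins with `#!${pkgs.bash}/bin/sh`, but writeShellScript prepends its own shebang (as it does elsewhere in nixpkgs), so that line becomes a stray comment on line 2 and the interpreter actually used is the one writeShellScript picks; drop the line, or use `pkgs.writeScript` if running bash as `sh` matters. A short comment on `mkInterpreter` saying it returns a store path that the tmpfiles `L+` rule links from `/run/binfmt/${name}` would document the contract between this and the next hunk.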
@@ -318,18 +314,25 @@ in { environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf" (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations)); - system.activationScripts.binfmt = stringAfter [ "specialfs" ] '' - mkdir -p /run/binfmt - chmod 0755 /run/binfmt - ${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)} - ''; - systemd = lib.mkIf (config.boot.binfmt.registrations != {}) { - additionalUpstreamSystemUnits = [ - "proc-sys-fs-binfmt_misc.automount" - "proc-sys-fs-binfmt_misc.mount" - "systemd-binfmt.service" - ]; - services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ]; - }; + + systemd = lib.mkMerge [ + ({ tmpfiles.rules = [ + "d /run/binfmt 0755 -" + ] ++ lib.mapAttrsToList + (name: interpreter: + "L+ /run/binfmt/${name} - - - - ${interpreter}" + ) + (lib.mapAttrs mkInterpreter config.boot.binfmt.registrations); + }) + + (lib.mkIf (config.boot.binfmt.registrations != {}) { + additionalUpstreamSystemUnits = [ + "proc-sys-fs-binfmt_misc.automount" + "proc-sys-fs-binfmt_misc.mount" + "systemd-binfmt.service" + ]; + services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ]; + }) + ]; }; } From 1b2b1364dee8beed7168ecae05362a33df13a8fe Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 19 Oct 2023 23:56:01 +0200 Subject: [PATCH 08/22] nixos/ups: replace activationScript via tmpfiles --- nixos/modules/services/monitoring/ups.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index bb11b6a1c1d01..efef2d777acd8 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix 
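Review bot: `/run/binfmt/${name}` is now created by systemd-tmpfiles while the registration is still done by `systemd-binfmt.service`, and nothing in the hunk orders the two; both are `Before=sysinit.target` by default, so they may run in either order. That is harmless for lazily resolved rules, but for registrations with `fixBinary = true` the kernel's `F` flag opens the interpreter at registration time, so a not-yet-created symlink makes the registration fail. Adding `services.systemd-binfmt.after = [ "systemd-tmpfiles-setup.service" ];` next to the existing `restartTriggers` line in the `mkIf` branch closes the race. The `restartTriggers` still covers only the registrations, not the interpreter links; since those are now store paths embedded in the tmpfiles rules that is probably fine, but worth a comment.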
@@ -239,11 +239,9 @@ in power.ups.schedulerRules = mkDefault "${pkgs.nut}/etc/upssched.conf.sample"; - system.activationScripts.upsSetup = stringAfter [ "users" "groups" ] - '' - # Used to store pid files of drivers. - mkdir -p /var/state/ups - ''; + systemd.tmpfiles.rules = [ + "d /var/state/ups -" + ]; /* From 168b967b3224727f8789c1b9709f7c6821f26566 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 00:09:47 +0200 Subject: [PATCH 09/22] nixos/mattermost: replace activationScript via tmpfiles --- nixos/modules/services/web-apps/mattermost.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index 66e5f1695a155..24f3b33318456 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -287,9 +287,9 @@ in # The systemd service will fail to execute the preStart hook # if the WorkingDirectory does not exist - system.activationScripts.mattermost = '' - mkdir -p "${cfg.statePath}" - ''; + systemd.tmpfiles.rules = [ + ''d "${cfg.statePath}" -'' + ]; systemd.services.mattermost = { description = "Mattermost chat service"; From 6c800013bfe84e4f6a732337d7f88a161884cfcc Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 00:30:45 +0200 Subject: [PATCH 10/22] nixos/strongswan-swanctl: replace activationScripts via tmpfiles --- .../networking/strongswan-swanctl/module.nix | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index c51e8ad9f5fc9..bfea89969728f 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix 
@@ -43,21 +43,21 @@ in { # The swanctl command complains when the following directories don't exist: # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory - system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] '' - mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates - mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates - mkdir -p '/etc/swanctl/x509ocsp' - mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates - mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates - mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists - mkdir -p '/etc/swanctl/pubkey' # Raw public keys - mkdir -p '/etc/swanctl/private' # Private keys in any format - mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys - mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys - mkdir -p '/etc/swanctl/bliss' - mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type - mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers - ''; + systemd.tmpfiles.rules = [ + "d /etc/swanctl/x509 -" # Trusted X.509 end entity certificates + "d /etc/swanctl/x509ca -" # Trusted X.509 Certificate Authority certificates + "d /etc/swanctl/x509ocsp -" + "d /etc/swanctl/x509aa -" # Trusted X.509 Attribute Authority certificates + "d /etc/swanctl/x509ac -" # Attribute Certificates + "d /etc/swanctl/x509crl -" # Certificate Revocation Lists + "d /etc/swanctl/pubkey -" # Raw public keys + "d /etc/swanctl/private -" # Private keys in any format + "d /etc/swanctl/rsa -" # PKCS#1 encoded RSA private keys + "d /etc/swanctl/ecdsa -" # Plain ECDSA private keys + "d /etc/swanctl/bliss -" + "d /etc/swanctl/pkcs8 -" # PKCS#8 encoded private keys of any type + "d /etc/swanctl/pkcs12 -" # PKCS#12 containers + ]; systemd.services.strongswan-swanctl = { description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; From 0b294fe2e81f8e97dff25d1b8188685d1a5301a6 Mon Sep 17 00:00:00 2001 
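Review bot: The `private`, `rsa`, `ecdsa`, `pkcs8` and `pkcs12` directories hold private keys, yet every rule uses `-` for the mode, i.e. the tmpfiles default 0755; the removed `mkdir -p` produced the same, so this is not a regression, but switching to declarative rules is the moment to tighten it, e.g. `"d /etc/swanctl/private 0700 root root -"` and likewise for the other key directories. A directory that other users cannot traverse protects a key file dropped there under a permissive umask regardless of the file's own mode. As I read tmpfiles(5), `-` for mode and owner also means an already existing directory is left untouched, so the rule does not repair a previously mis-permissioned tree; a comment should say so.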
From: nikstur Date: Fri, 20 Oct 2023 00:48:04 +0200 Subject: [PATCH 11/22] nixos/tests/opensearch: replace activationScript via tmpfiles --- nixos/tests/opensearch.nix | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/nixos/tests/opensearch.nix b/nixos/tests/opensearch.nix index c0caf950cb9c9..2887ac9677656 100644 --- a/nixos/tests/opensearch.nix +++ b/nixos/tests/opensearch.nix @@ -31,14 +31,9 @@ in services.opensearch.dataDir = "/var/opensearch_test"; services.opensearch.user = "open_search"; services.opensearch.group = "open_search"; - system.activationScripts.createDirectory = { - text = '' - mkdir -p "/var/opensearch_test" - chown open_search:open_search /var/opensearch_test - chmod 0700 /var/opensearch_test - ''; - deps = [ "users" "groups" ]; - }; + systemd.tmpfiles.rules = [ + "d /var/opensearch_test 0700 open_search open_search -" + ]; users = { groups.open_search = {}; users.open_search = { From da274a11d7e0aa801db73077206236c90806ef78 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 01:24:08 +0200 Subject: [PATCH 12/22] nixos/tests/grafana: replace activationScript with tmpfiles --- nixos/tests/grafana/provision/default.nix | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix index 96378452ade31..d33d16ce12099 100644 --- a/nixos/tests/grafana/provision/default.nix +++ b/nixos/tests/grafana/provision/default.nix 
@@ -22,15 +22,14 @@ let }; }; - system.activationScripts.setup-grafana = { - deps = [ "users" ]; - text = '' - mkdir -p /var/lib/grafana/dashboards - chown -R grafana:grafana /var/lib/grafana - chmod 0700 -R /var/lib/grafana/dashboards - cp ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)} /var/lib/grafana/dashboards/ - ''; - }; + systemd.tmpfiles.rules = + let + dashboard = pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json); + in + [ + "d /var/lib/grafana/dashboards 0700 grafana grafana -" + "C+ /var/lib/grafana/dashboards/test.json - - - - ${dashboard}" + ]; }; extraNodeConfs = { From d5a96d508b92807e2043699620cffde615dcc14d Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 01:28:28 +0200 Subject: [PATCH 13/22] nixos/stargazer: replace activationScript via tmpfiles --- nixos/modules/services/web-servers/stargazer.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/web-servers/stargazer.nix b/nixos/modules/services/web-servers/stargazer.nix index f0c3cf8787ebb..18f57363137cf 100644 --- a/nixos/modules/services/web-servers/stargazer.nix +++ b/nixos/modules/services/web-servers/stargazer.nix @@ -204,11 +204,9 @@ in }; # Create default cert store - system.activationScripts.makeStargazerCertDir = - lib.optionalAttrs (cfg.store == /var/lib/gemini/certs) '' - mkdir -p /var/lib/gemini/certs - chown -R ${cfg.user}:${cfg.group} /var/lib/gemini/certs - ''; + systemd.tmpfiles.rules = lib.mkIf (cfg.store == /var/lib/gemini/certs) [ + ''d /var/lib/gemini/certs - "${cfg.user}" "${cfg.group}" -'' + ]; users.users = lib.optionalAttrs (cfg.user == "stargazer") { stargazer = { From f18ff2ec0bc62f0b9823e637e0b9d3ba7eba2bf9 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 01:36:47 +0200 Subject: [PATCH 14/22] nixos/mlmmj: replace activationScript --- nixos/modules/services/mail/mlmmj.nix | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
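Review bot: The replacement drops the recursive `chown -R` on `/var/lib/gemini/certs`: a `d` line only sets ownership of the directory itself, so certificate and key files created under a previous `cfg.user`/`cfg.group` keep their old owner and stargazer may be unable to read them after the user is changed. If the recursive behaviour is wanted, the mlmmj hunk later in this series shows the tmpfiles form, `''Z /var/lib/gemini/certs - "${cfg.user}" "${cfg.group}" -''`; if it is not, a comment such as `# only the directory is owned; stargazer creates its own certs as cfg.user` would document the choice. Quoting `${cfg.user}` is correct, since tmpfiles splits fields on whitespace.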
diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix index 642f8b20fe355..3f07fabcf1771 100644 --- a/nixos/modules/services/mail/mlmmj.nix +++ b/nixos/modules/services/mail/mlmmj.nix @@ -143,13 +143,11 @@ in environment.systemPackages = [ pkgs.mlmmj ]; - system.activationScripts.mlmmj = '' - ${pkgs.coreutils}/bin/mkdir -p ${stateDir} ${spoolDir}/${cfg.listDomain} - ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${spoolDir} - ${concatMapLines (createList cfg.listDomain) cfg.mailLists} - ${pkgs.postfix}/bin/postmap /etc/postfix/virtual - ${pkgs.postfix}/bin/postmap /etc/postfix/transport - ''; + systemd.tmpfiles.rules = [ + ''d "${stateDir}" -'' + ''d "${spoolDir}/${cfg.listDomain}" -'' + ''Z "${spoolDir}" - "${cfg.user}" "${cfg.group}" -'' + ]; systemd.services.mlmmj-maintd = { description = "mlmmj maintenance daemon"; @@ -158,6 +156,11 @@ in Group = cfg.group; ExecStart = "${pkgs.mlmmj}/bin/mlmmj-maintd -F -d ${spoolDir}/${cfg.listDomain}"; }; + preStart = '' + ${concatMapLines (createList cfg.listDomain) cfg.mailLists} + ${pkgs.postfix}/bin/postmap /etc/postfix/virtual + ${pkgs.postfix}/bin/postmap /etc/postfix/transport + ''; }; systemd.timers.mlmmj-maintd = { From 6987ff3a4f70ea2c2a3de816eba82a06c9a6fddc Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 01:43:24 +0200 Subject: [PATCH 15/22] nixos/spiped: replace activationScript via tmpfiles --- nixos/modules/services/networking/spiped.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/spiped.nix b/nixos/modules/services/networking/spiped.nix index 3e01ace54ad17..547317dbcbe2a 100644 --- a/nixos/modules/services/networking/spiped.nix +++ b/nixos/modules/services/networking/spiped.nix 
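Review bot: The list creation and the two `postmap` runs now live in `preStart` of `mlmmj-maintd`, which the visible context runs with `Group = cfg.group` (and presumably `User = cfg.user` just above), so `ExecStartPre=` executes as the mlmmj user instead of root; `postmap /etc/postfix/virtual` has to write `/etc/postfix/virtual.db`, which that user cannot do, and any ownership fix-ups inside `createList` (outside this hunk) would fail the same way. The unit is also timer-driven (`systemd.timers.mlmmj-maintd` follows), so lists and maps are no longer set up at activation but only when the timer first fires. A root-run `serviceConfig.ExecStartPre = "+${setupScript}"`, or a separate oneshot unit wanted by `multi-user.target` and ordered before postfix, keeps the old semantics; either way the `Z` rule on the spool should be documented as the reason the script no longer chowns anything.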
@@ -197,8 +197,9 @@ in script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`"; }; - system.activationScripts.spiped = optionalString (cfg.config != {}) - "mkdir -p /var/lib/spiped"; + systemd.tmpfiles.rules = lib.mkIf (cfg.config != { }) [ + "d /var/lib/spiped -" + ]; # Setup spiped config files environment.etc = mapAttrs' (name: cfg: nameValuePair "spiped/${name}.spec" From 339a866b7c25ce44705552105b64cd9cb78780a8 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 01:57:07 +0200 Subject: [PATCH 16/22] nixos/tests/systemd-timesyncd: replace activationScript via tmpfiles --- nixos/tests/systemd-timesyncd.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nixos/tests/systemd-timesyncd.nix b/nixos/tests/systemd-timesyncd.nix index 43abd36c47d97..f38d06be1516e 100644 --- a/nixos/tests/systemd-timesyncd.nix +++ b/nixos/tests/systemd-timesyncd.nix @@ -15,12 +15,13 @@ in { # create the path that should be migrated by our activation script when # upgrading to a newer nixos version system.stateVersion = "19.03"; - system.activationScripts.simulate-old-timesync-state-dir = lib.mkBefore '' - rm -f /var/lib/systemd/timesync - mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync - ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync - chown systemd-timesync: /var/lib/private/systemd/timesync - ''; + systemd.tmpfiles.rules = [ + "r /var/lib/systemd/timesync -" + "d /var/lib/systemd -" + "d /var/lib/private/systemd/timesync -" + "L /var/lib/systemd/timesync - - - - /var/lib/private/systemd/timesync" + "d /var/lib/private/systemd/timesync - systemd-timesync systemd-timesync -" + ]; }); }; From d345b385fe3d9ca25f7148d8fa13061d36e3aa5b Mon Sep 17 00:00:00 2001 
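Review bot: `/var/lib/private/systemd/timesync` appears twice as a `d` line, once without owner and once with `systemd-timesync systemd-timesync`; as far as I recall systemd-tmpfiles drops a second entry for the same path with "Duplicate line for path ..., ignoring", so the owning line is the one discarded and the directory ends up root-owned, unlike the `chown systemd-timesync:` the old snippet performed. Merge them into one `"d /var/lib/private/systemd/timesync - systemd-timesync systemd-timesync -"` and delete the unowned line. Note also that `r` only acts during the boot-time `--remove` pass and `L` without `+` does not replace an existing non-symlink, so the simulated state is only reproduced on a fresh boot; fine for this test, but the "activation script" remark above the rules is now stale and should say "tmpfiles rules" instead.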
From: nikstur Date: Fri, 20 Oct 2023 11:45:24 +0200 Subject: [PATCH 17/22] nixos/tests/stunnel: replace activationScript Replace with a separate systemd service. --- nixos/tests/stunnel.nix | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/nixos/tests/stunnel.nix b/nixos/tests/stunnel.nix index 22c087290fc7b..07fba435d4df6 100644 --- a/nixos/tests/stunnel.nix +++ b/nixos/tests/stunnel.nix @@ -17,11 +17,16 @@ let }; }; makeCert = { config, pkgs, ... }: { - system.activationScripts.create-test-cert = stringAfter [ "users" ] '' - ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName} - ( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem ) - chown stunnel /test-key.pem /test-key-and-cert.pem + systemd.services.create-test-cert = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + script = '' + ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName} + ( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem ) + chown stunnel /test-key.pem /test-key-and-cert.pem ''; + }; }; serverCommon = { pkgs, ... }: { networking.firewall.allowedTCPPorts = [ 443 ]; From 256956e34d731087fa18227d3ae838b76389d5fd Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 12:22:12 +0200 Subject: [PATCH 18/22] nixos/activation: link gcroot with tmpfiles instead of in activation --- nixos/modules/system/activation/activation-script.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 424a9d179998a..95b0c7bbd6817 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix 
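Review bot: `create-test-cert` has no `serviceConfig.Type = "oneshot"`, so it is a `simple` service: systemd treats it as started the moment the script is forked, and `before = [ "sysinit.target" ]` does not wait for openssl to finish, so stunnel can start before `/test-key-and-cert.pem` exists. The suid-sgid-wrappers unit earlier in this series sets `serviceConfig.Type = "oneshot";` for exactly this reason; add the same line here. While touching the script, `/test-key.pem` is written by openssl under the default umask before the `chown`, leaving the private key briefly world-readable; moving `umask 077` in front of the openssl call fixes that.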
@@ -55,10 +55,6 @@ let # used as a garbage collection root. ln -sfn "$(readlink -f "$systemConfig")" /run/current-system - # Prevent the current configuration from being garbage-collected. - mkdir -p /nix/var/nix/gcroots - ln -sfn /run/current-system /nix/var/nix/gcroots/current-system - exit $_status ''; @@ -237,6 +233,9 @@ in system.activationScripts.specialfs = ""; # obsolete systemd.tmpfiles.rules = [ + # Prevent the current configuration from being garbage-collected. + "d /nix/var/nix/gcroots -" + "L+ /nix/var/nix/gcroots/current-system - - - - /run/current-system" "D /var/empty 0555 root root -" "h /var/empty - - - - +i" ]; From b16365b3938fc34bda35a55e133b174edd5abf65 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 13:09:37 +0200 Subject: [PATCH 19/22] nixos/iscsi: replace activationScript Move the functionality into preStart of the systemd service. --- .../services/networking/iscsi/initiator.nix | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/networking/iscsi/initiator.nix b/nixos/modules/services/networking/iscsi/initiator.nix index d2865a660ead0..f360d078b81d9 100644 --- a/nixos/modules/services/networking/iscsi/initiator.nix +++ b/nixos/modules/services/networking/iscsi/initiator.nix 
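Review bot: The gcroot now targets `/run/current-system` rather than a store path, so it only has to exist once instead of being refreshed on every switch, which is what makes a tmpfiles `L+` line an acceptable replacement for the per-activation `ln -sfn`; the comment above the rules should say this, otherwise a reader comparing with the removed lines will wonder how the root stays current. Between `nixos-install` (activation without a running systemd) and the first boot the root does not exist, which is safe only because the system profile is itself a gcroot. Suggested wording: `# Points at the /run/current-system symlink, so it never needs updating after creation; until the first tmpfiles run the system profile keeps the configuration alive.`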
@@ -52,25 +52,27 @@ in ''; environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}"; - system.activationScripts.iscsid = let - extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' - if [ -f "${cfg.extraConfigFile}" ]; then - printf "\n# The following is from ${cfg.extraConfigFile}:\n" - cat "${cfg.extraConfigFile}" - else - echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 - fi - ''; - in '' - ( - cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} - ${extraCfgDumper} - ) > /etc/iscsi/iscsid.conf - ''; - systemd.packages = [ cfg.package ]; - systemd.services."iscsid".wantedBy = [ "multi-user.target" ]; + systemd.services."iscsid" = { + wantedBy = [ "multi-user.target" ]; + preStart = + let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ( + cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + ''; + }; systemd.sockets."iscsid".wantedBy = [ "sockets.target" ]; systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut { From 47ff8d20d752b95befaa2ebb3f6bae4d3eb37a18 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 13:33:58 +0200 Subject: [PATCH 20/22] nixos/duosec: replace activationScript Replace with a separate systemd service. --- nixos/modules/security/duosec.nix | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 02b11766b3c09..2a855a77e3a39 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix 
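Review bot: Writing `/etc/iscsi/iscsid.conf` from `preStart` ties it to `iscsid.service` actually starting, and that unit is socket-activated (`systemd.sockets."iscsid".wantedBy` follows), so until the first connection the file is stale or missing for anything else that reads it, e.g. `iscsiadm` run by the `iscsi.service` defined below if that unit is not ordered after `iscsid.service`. A separate oneshot, or `systemd.services.iscsi.after = [ "iscsid.service" ]` plus `requires`, would keep the old activation-time guarantee. The redirect also still creates the file under the default umask, which matters if `extraConfigFile` is where CHAP secrets are kept; an `umask 077` at the top of the script, or `install -m 0600`, would avoid a world-readable copy.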
@@ -193,8 +193,11 @@ in source = "${pkgs.duo-unix.out}/bin/login_duo"; }; - system.activationScripts = { - login_duo = mkIf cfg.ssh.enable '' + systemd.services.login-duo = lib.mkIf cfg.ssh.enable { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + script = '' if test -f "${cfg.secretKeyFile}"; then mkdir -m 0755 -p /etc/duo @@ -209,7 +212,13 @@ in mv -fT "$conf" /etc/duo/login_duo.conf fi ''; - pam_duo = mkIf cfg.pam.enable '' + }; + + systemd.services.pam-duo = lib.mkIf cfg.ssh.enable { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + script = '' if test -f "${cfg.secretKeyFile}"; then mkdir -m 0755 -p /etc/duo From b5617e0575c36b16779e2948518d0fc299198ebb Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 20 Oct 2023 15:43:27 +0200 Subject: [PATCH 21/22] nixos/mysql: replace activationScripts via preStart --- nixos/modules/config/mysql.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/config/mysql.nix b/nixos/modules/config/mysql.nix index 2f13c56f2ae59..95c9ba76663ea 100644 --- a/nixos/modules/config/mysql.nix +++ b/nixos/modules/config/mysql.nix @@ -429,11 +429,11 @@ in ''; }; - # Activation script to append the password from the password file + # preStart script to append the password from the password file # to the configuration files. It also fixes the owner of the # libnss-mysql-root.cfg because it is changed to root after the # password is appended. - system.activationScripts.mysql-auth-passwords = '' + systemd.services.mysql.preStart = '' if [[ -r ${cfg.passwordFile} ]]; then org_umask=$(umask) umask 0077 From d300940637a74421b78d3e94b25daf35f1b9ec9d Mon Sep 17 00:00:00 2001 
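Review bot: `systemd.services.login-duo` declares `before = [ "sysinit.target" ]` but no `serviceConfig.Type`, and with the default service type systemd considers the unit started as soon as the script process is forked, so units ordered after sysinit.target (sshd, PAM-using logins) can come up before `/etc/duo/login_duo.conf` has been written. Adding `serviceConfig.Type = "oneshot";` makes the ordering wait for the script to finish; the same applies to `pam-duo` in the next hunk and to the `domainname` unit in the network-interfaces patch. The `script` body continues past the end of this hunk.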
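Review bot: `systemd.services.pam-duo = lib.mkIf cfg.ssh.enable {` in the second duosec hunk (`@@ -209,7 +212,13 @@ in`) replaces `pam_duo = mkIf cfg.pam.enable ''`, so the PAM config is now gated on the SSH option: enabling only `pam.enable` leaves `/etc/duo/pam_duo.conf` unwritten, and enabling only `ssh.enable` writes a PAM config that was not asked for. The condition should read `systemd.services.pam-duo = lib.mkIf cfg.pam.enable {`. The `script` body of this unit continues past the end of the hunk.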
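Review bot: `systemd.services.mysql.preStart = ''` in the mysql hunk (`@@ -429,11 +429,11 @@ in`) ties the password append and the `libnss-mysql-root.cfg` ownership fix described in the comment to the lifecycle of a local `mysql` unit; if this module can be used against a server running elsewhere, the unit defined here would have no `ExecStart` and the script would never run, leaving NSS without credentials, so that assumption is worth stating in the comment or guarding with a condition. `preStart` is also merged with whatever the database module itself defines, so the relative order of the two fragments is not fixed by this hunk; `lib.mkAfter` or `lib.mkBefore` would make it explicit, and a rotated `cfg.passwordFile` is now applied only on the next service start rather than on each switch. The script body continues past the end of the hunk.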
From: nikstur Date: Wed, 25 Oct 2023 00:06:46 +0200 Subject: [PATCH 22/22] nixos/network-interfaces: replace hostname and domain activationScript The hostname is already set by systemd https://www.freedesktop.org/software/systemd/man/latest/hostname.html#Hostname%20semantics Create a separate service that registers the domainname. --- nixos/modules/tasks/network-interfaces.nix | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 853a2cb31432b..a0e8e5d47a604 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1406,18 +1406,12 @@ in val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val)); - # Set the host and domain names in the activation script. Don't - # clear it if it's not configured in the NixOS configuration, - # since it may have been set by dhcpcd in the meantime. - system.activationScripts.hostname = let - effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName; - in optionalString (effectiveHostname != "") '' - hostname "${effectiveHostname}" - ''; - system.activationScripts.domain = - optionalString (cfg.domain != null) '' - domainname "${cfg.domain}" - ''; + systemd.services.domainname = lib.mkIf (cfg.domain != null) { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.ExecStart = ''domainname "${cfg.domain}"''; + }; environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; }; boot.initrd.systemd.contents."/etc/hostid" = mkIf (cfg.hostId != null) { source = hostidFile; };
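Review bot: `serviceConfig.ExecStart = ''domainname "${cfg.domain}"''` is not an absolute path, and unlike the removed activation script this unit declares no `path`, so whether systemd can resolve `domainname` depends on the unit's search path rather than on anything stated here; an absolute store path to the binary (for example `${pkgs.nettools}/bin/domainname`, if that is the package providing it on this system) removes the ambiguity. The unit also lacks `serviceConfig.Type = "oneshot"`, so `before = [ "sysinit.target" ]` orders only the fork of the command, not its completion. The enclosing `config` attribute set continues outside the hunk.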
