Regardless of mutable or immutable users, systemd-sysupdate never
updates existing user records and thus will for example never change
passwords for you.
It only support initial passwords and now actively asserts agains other
paswords.
On Linux we cannot feasbibly generate users statically because we need
to take care to not change or re-use UIDs over the lifetime of a machine
(i.e. over multiple generations). This means we need the context of the
running machine.
Thus, stop creating users statically and instead generate them at
runtime irrespective of mutableUsers.
When /etc is immutable, the password files (e.g. /etc/passwd etc.) are
created in a separate directory (/var/lib/nixos/etc). /etc will be
pre-populated with symlinks to this separate directory.
Immutable users are now implemented by bind-mounting the password files
read-only onto themselves and only briefly re-mounting them writable to
re-execute sysusers. The biggest limitation of this design is that you
now need to manually unmount this bind mount to change passwords because
sysusers cannot change passwords for you. This shouldn't be too much of
an issue because system users should only rarely need to change their
passwords.
systemd-sysusers cannot create normal users (i.e. with a UID > 1000).
Thus we stop trying an explitily only use systemd-sysusers when there
are no normal users on the system (e.g. appliances).
We want to get rid of specialFileSystems / earlyMountScript eventually and
there is no need to run this before systemd anymore now that
the wrappers themselves are set up in a systemd unit since https://github.com/NixOS/nixpkgs/pull/263203
Also this is needed to make soft-reboot work. We want to make sure
that we remount /run/wrappers with the nosuid bit removed on soft-reboot
but because @earlyMountScript@ happens in initrd, this wouldn't happen
The activation script that remounts the /etc overlay now handles other
mount points on top of /etc by bind mounting them to the new temporary
/etc overlay and then atomically revealing it.
Summary of this change:
- Simplify code.
- Stop a disk image from being cached in the binary cache.
- Make erofs Nix Store image build in an acceptable time outside of
testing environments (like `darwin.builder`).
- Do not regress on performance for tests that use many store paths in
their Nix store image.
- Slightly longer startup time for tests where not many store paths are
included in the image (these probably shouldn't use `useNixStoreImage`
anyways).
- Slightly longer startup time when inputs of VM do not change because
the Nix store image is not cached anymore.
Remove the `storeImage` built with make-disk-image.nix. This produced a
separate derivation which is then cached in the binary cache. These
types of images should be avoided because they gunk up the cache as they
change frequently. Now all Nix store images, whether read-only or
writable are based on the erofs image previously only used for read-only
images.
Additionally, simplify the way the erofs image is built by copying the
paths to include to a separate directory and build the erofs image from
there.
Before this change, the list of Nix store paths to include in the Nix
store image was converted to a complex regex that *excludes* all other
paths from a potentially large Nix store.
This previous approach suffers from two issues:
1. The regex is complex and, as admitted in the source code of the
includes-to-excludes.py script, most likely contains at least one
error. This means that it's unlikely that anyone will touch this
piece of software again.
2. When the Nix store image is built from a large Nix store (like when
you build the VM script to run outside of any testing context) this
regex becomes painfully slow. There is at least one prominent
use-case where this matters: `darwin.builder`.
Benchmarking impressions:
- Building Nix store via make-disk-image.nix takes ~25s
- Building Nix store as an erofs image takes ~4s
- Running nixosTests.qemu-vm-writable-store-image takes ~10s when
building the erofs image with the regex vs ~14s when building by
copying to a temporary directory.
- nixosTests.gitlab which had the biggest gains from the initial erofs
change takes the same time as before.
- On a host with ~140k paths in /nix/store, building the erofs image
with the regex takes 410s as opposed to 6s when copying to a temporary
directory.
- Remove settings.server.{host,port} options
- Replaced by settings.server.address
- If any of settings.server.{host,port,path} are specified in the
configuration, a warning is displayed and these values will be used
instead of settings.server.address
- Change what secrets.oidcIssuerPrivateKeyFile maps to
- Previously: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
- Now: identity_providers.oidc.jwks[0].key
- Not done directly in the NixOS settings config but as a separate
YAML config file
- Done that way because Go templates are not correctly handled by
the YAML generator (#319716)
- Change secrets.jwtSecretFile env variable mapping
- Previously: AUTHELIA_JWT_SECRET_FILE
- Now: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
A configuration such as:
programs.tsmClient.servers.backup.domain = [ "/dir1" "dir2" ];
...would previously result in an error ("cannot coerce a list to a
string"), since `makeDsmSysLines` would return a nested list.
...not pythonPackage. This is an app, living in pkgs/servers, so
we just use callPackage in all-packages and drop the python module.
python3.pkgs.toPythonModule could be used if a python module was needed.
Before that change legacyPackages.x86_64-linux.python311.pkgs.etebase-server.python
would give a python 3.12 release, and was therefore broken.
etebase-server = toPythonModule (pkgs.etebase-server.override {
python3 = python;
});
would now be correct
