Commit Graph

1194 Commits

Author SHA1 Message Date
Luke Granger-Brown
0cc25061b0
Merge pull request #114240 from sorki/containers/nested
nixos/nixos-containers: default boot.enableContainers to true
2021-04-25 11:37:01 +01:00
lassulus
5aa4273e4f treewide: use auto diskSize for make-disk-image
(cherry picked from commit f3aa040bcb)
2021-04-24 14:49:07 -04:00
Michael Raskin
d04f1c4314
Merge pull request #101071 from ju1m/apparmor
apparmor: try again to fix and improve
2021-04-24 11:24:26 +00:00
github-actions[bot]
d8d6ba0d2e
Merge master into staging-next 2021-04-24 06:05:30 +00:00
Luke Granger-Brown
4fb91cbafe Revert "treewide: use auto diskSize for make-disk-image"
This reverts commit f3aa040bcb.
2021-04-24 02:38:36 +00:00
Julien Moutinho
05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00
github-actions[bot]
b95da5efb6
Merge master into staging-next 2021-04-22 18:14:27 +00:00
lassulus
f3aa040bcb treewide: use auto diskSize for make-disk-image 2021-04-22 19:52:49 +02:00
github-actions[bot]
8248f4db36
Merge master into staging-next 2021-04-22 06:05:51 +00:00
Matej Urbas
db5b547b25 nixos/amazon-init: add user-data shell script support 2021-04-18 10:19:06 +01:00
Philipp Mildenberger
f5922de1d7 nixos/oci-containers: add support for environment files 2021-04-15 10:57:56 +02:00
Luke Granger-Brown
08b22e605b Merge remote-tracking branch 'upstream/staging-next' into down-integrate-staging 2021-04-12 18:49:01 +00:00
Jörg Thalheim
9af991a1b1
Merge pull request #117618 from Mic92/docker
nixos/docker: re-add network.target
2021-04-09 12:43:13 +01:00
Dmitry Kalinkin
219590673c
Merge branch 'staging-next' into staging
Conflicts:
	pkgs/development/python-modules/panel/default.nix
	pkgs/os-specific/linux/kernel/generic.nix
	pkgs/servers/home-assistant/default.nix
2021-04-08 22:42:26 -04:00
Luke Granger-Brown
1ce6b05ea1 nixos/libvirtd: add package option
At the moment, it's not possible to override the libvirtd package used
without supplying a nixpkgs overlay. Adding a package option makes
libvirtd more consistent and allows enabling e.g. ceph and iSCSI support
more easily.
2021-04-09 01:20:19 +02:00
Phillip Cloud
7c36ce8d3a nixos/containers: move extraConfig to settings model 2021-04-07 16:08:18 -04:00
Jan Tojnar
70babe5bcf Merge branch 'staging-next' into staging 2021-04-06 16:25:41 +02:00
Alyssa Ross
25208eeaba linux: remove xen_dom0 feature entirely
Xen is now enabled unconditionally on kernels that support it, so the
xen_dom0 feature doesn't do anything.  The isXen attribute will now
produce a deprecation warning and unconditionally return true.
Passing in a custom value for isXen is no longer supported.
2021-04-05 09:25:39 +00:00
Sandro Jäckel
9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Izorkin
e65d8e4845
nixos/qemu-guest-agent: add statedir 2021-03-31 20:07:17 +03:00
Sandro
da7bf30372
nixos/containers: update example path to match defaults 2021-03-29 03:40:44 +02:00
Jörg Thalheim
0f4872b4c4
nixos/docker: re-add network.target
Currently if docker starts concurrently with
firewall.service/systemd-networkd it breaks both due to iptables/netlink
logs.
2021-03-25 22:06:54 +01:00
Domen Kožar
b992a92fa0
Merge pull request #117021 from AmineChikhaoui/gcp-cloud-images
add new Google Cloud image for the current release
2021-03-25 10:42:06 +01:00
zowoq
4b11122749 nixos/containers: add catatonit / init_path
https://github.com/containers/common/blob/master/docs/containers.conf.5.md

- Also drop unneeded true from ociSeccompBpfHook
2021-03-21 20:57:28 +01:00
AmineChikhaoui
606b49721f
add new Google Cloud image for the current release
update the create-gce.sh script with the ability to create public images
out of a GS object.
2021-03-21 14:04:09 -04:00
Lassulus
ba6d848c40
Merge pull request #112332 from urbas/amazon-init-options
virtualization/amazon-init: enable option
2021-03-07 18:39:05 +01:00
Johan Thomsen
7b5c38e973 nixos/kubernetes: docker -> containerd
also, nixos/containerd: module init
2021-03-07 12:51:14 +10:00
rnhmjoj
c0c288b70b nixos/libvirtd: remove systemd-udev-settle
This dependency has been added in 65eae4d, when NixOS switched to
systemd, as a substitute for the previous udevtrigger and hasn't been
touched since. It's probably unneeded as the upstream unit[1] doesn't
do it and I haven't found any mention of any problem in NixOS or the
upstream issue trackers.

[1]: https://gitlab.com/libvirt/libvirt/-/blob/master/src/remote/libvirtd.service.in
2021-03-05 23:44:28 +01:00
Richard Marko
fc2fa3cda5 nixos/nixos-containers: default boot.enableContainers to true
Related to #85746 which addresses documentation issue,
digging deeper for a reason why this was disabled
was simply because it wasn't working which is not the case anymore.
2021-03-04 12:03:03 +01:00
rnhmjoj
24e45e308d
nixos/lxd: fixup of 4adcb006 2021-03-03 01:16:41 +01:00
Michele Guerini Rocco
ccc4bbdbe6
Merge pull request #114772 from rnhmjoj/anbox-no-udev-settle
nixos/anbox: remove systemd-udev-settle
2021-03-02 08:04:08 +01:00
rnhmjoj
879fcdf778
nixos/anbox: remove systemd-udev-settle
The anbox session manager seems to start without issues when
systemd-udev-settle is masked or the dependency removed.
2021-03-01 19:29:32 +01:00
rnhmjoj
b9dc818bd5
nixos/lxd: make start timeout configurable 2021-02-28 14:02:56 +01:00
rnhmjoj
4adcb00642
nixos/lxd: cleanup and misc fixes
- Actually use the zfsSupport option
- Add documentation URI to lxd.service
- Add lxd.socket to enable socket activatation
- Add proper dependencies and remove systemd-udev-settle from lxd.service
- Set up /var/lib/lxc/rootfs using systemd.tmpfiles
- Configure safe start and shutdown of lxd.service
- Configure restart on failures of lxd.service
2021-02-28 14:02:56 +01:00
Florian Klink
1624ae8a96
Merge pull request #100433 from Patryk27/fixes/38509
nixos/containers: allow containers with long names to create private networks
2021-02-26 21:35:07 +01:00
Patryk Wychowaniec
336ef2de99
nixos/containers: allow containers with long names to create private networks
Launching a container with a private network requires creating a
dedicated networking interface for it; name of that interface is derived
from the container name itself - e.g. a container named `foo` gets
attached to an interface named `ve-foo`.

An interface name can span up to IFNAMSIZ characters, which means that a
container name must contain at most IFNAMSIZ - 3 - 1 = 11 characters;
it's a limit that we validate using a build-time assertion.

This limit has been upgraded with Linux 5.8, as it allows for an
interface to contain a so-called altname, which can be much longer,
while remaining treated as a first-class citizen.

Since altnames have been supported natively by systemd for a while now,
due diligence on our side ends with dropping the name-assertion on newer
kernels.

This commit closes #38509.

systemd/systemd#14467
systemd/systemd#17220
https://lwn.net/Articles/794289/
2021-02-26 17:48:49 +01:00
WORLDofPEACE
1546bea850
Merge pull request #111462 from jakobrs/msize
nixos/qemu-vm: add virtualisation.msize option
2021-02-25 21:06:27 -05:00
nicoo
d7c15d0eec nixos/hyperv-guest: rngd was removed, no need to disable it 2021-02-21 01:34:56 +01:00
Florian Klink
d0be6dcd70
Merge pull request #110784 from talyz/gce-fetch-ssh-keys
google-compute-config: Reintroduce fetch-ssh-keys
2021-02-20 22:19:53 +01:00
talyz
95f96de78e
gce/fetch-ssh-keys: Put script in separate file, use PrivateTmp...
...check the script with shfmt and shellcheck + some other minor
refactoring.
2021-02-19 15:17:12 +01:00
ilian
29a6c9b9a3 nixos/hypervGuest: add Microsoft Synthetic Keyboard driver
Ensure that the HyperV keyboard driver is available in the early
stages of the boot process. This allows the user to enter a disk
encryption passphrase or repair a boot problem in an interactive
shell.
2021-02-17 08:01:34 +00:00
Matej Urbas
a6766bee7b virtualization/amazon-init: enable option 2021-02-15 18:44:34 +00:00
Maciej Krüger
8429831b67
Merge pull request #112746 from mkg20001/qemu-extra-disks 2021-02-14 13:20:44 +01:00
zowoq
37f1ed7ca4 nixos/podman: install systemd files
- install podman service and socket
- install podman tmpfile
2021-02-14 06:57:39 +10:00
Maciej Krüger
45b8e83128
qemu-vm: add virtualisation.fileSystems to allow extra vm mounts 2021-02-11 11:02:45 +01:00
adisbladis
6caa6cb3f5
Merge pull request #111924 from saschagrunert/cri-o-oci-hook
nixos/cri-o: add OCI seccomp bpf hook support
2021-02-06 12:03:44 +01:00
adisbladis
3c6035cd9a
Merge pull request #106767 from erikarvstedt/fix-container-pkgs-2
nixos-container: fix `nixpkgs` container options being ignored
2021-02-06 11:57:14 +01:00
Sascha Grunert
e2b7bdd08d
nixos/cri-o: add OCI seccomp bpf hook support
We now set the hooks dir correctly if the OCI hook is enabled. CRI-O
supports this specific hook from v1.20.0.

Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
2021-02-05 11:04:49 +01:00
Jörg Thalheim
57cfa03b03
Merge pull request #111591 from Mic92/zfs-kube 2021-02-02 11:56:58 +00:00
Robert Hensing
a4f4d86e92
Merge pull request #111583 from mikroskeem/more-docker-fixes
docker: fix socket activation race
2021-02-01 19:13:38 +01:00
Jörg Thalheim
9c6a9d0458
nixos/lxd: refactor to use zfs.package/enabled property 2021-02-01 17:59:18 +01:00
Mark Vainomaa
9360e789c6
docker: fix socket activation race 2021-02-01 18:14:43 +02:00
jakobrs
278843e979 nixos/qemu-vm: add virtualisation.msize option 2021-01-31 18:41:22 +01:00
Fritz Otlinghaus
d7c39c01ae
nixos/xen: add types 2021-01-31 13:47:57 +01:00
Simon Žlender
ede24160fc nixos/oci-containers: Remove dep on system.path 2021-01-29 18:29:07 +01:00
Simon Žlender
683f0b8938 nixos/oci-containers: Use docker.package 2021-01-28 21:27:50 +01:00
talyz
dd6ebb7871
google-compute-config: Reintroduce fetch-ssh-keys
Reintroduce the `fetch-ssh-keys` service so that GCE images that work
with NixOps can once again be built. Also, reformat the code a bit.

The service was removed in 88570538b3,
likely due to a comment saying it should be removed. It was still
needed for images to work with NixOps, however, and probably needed to
be replaced or rewritten rather than removed.
2021-01-25 14:14:00 +01:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
Pavol Rusnak
66dc9dbb59
nixos/modules: stdenv.lib -> lib 2021-01-17 21:40:51 +01:00
Aaron Andersen
6b0ba74baa
Merge pull request #109099 from jpotier/fix-deprecation-warning-azure-agent
nixos/azure-agent: fix deprecation warning
2021-01-16 07:52:05 -05:00
Milan Pässler
4000091123
nixos/docker: change misleading error message
The socketActivation option was removed, but later on socket activation
was added back without the option to disable it. The description now reflects
that socket activation is used unconditionally in the current setup.
2021-01-15 15:00:11 +01:00
Mark Vainomaa
a81c27cd54
docker: fix systemd socket activation 2021-01-15 15:53:31 +02:00
Erik Arvstedt
9a283a038d
nixos-container: fix nixpkgs container options being ignored
Since the introduction of option `containers.<name>.pkgs`, the
`nixpkgs.*` options (including `nixpkgs.pkgs`, `nixpkgs.config`, ...) were always
ignored in container configs, which broke existing containers.

This was due to `containers.<name>.pkgs` having two separate effects:
(1) It sets the source for the modules that are used to evaluate the container.
(2) It sets the `pkgs` arg (`_module.args.pkgs`) that is used inside the container
    modules.
    This happens even when the default value of `containers.<name>.pkgs` is unchanged, in which
    case the container `pkgs` arg is set to the pkgs of the host system.
    Previously, the `pkgs` arg was determined by the `containers.<name>.config.nixpkgs.*` options.

This commit reverts the breaking change (2) while adding a backwards-compatible way to achieve (1).
It removes option `pkgs` and adds option `nixpkgs` which implements (1).
Existing users of `pkgs` are informed by an error message to use option
`nixpkgs` or to achieve only (2) by setting option `containers.<name>.config.nixpkgs.pkgs`.
2021-01-15 12:49:42 +01:00
Jörg Thalheim
f3042e3078
Merge pull request #108862 from cpcloud/refactor-nvidia-containers 2021-01-15 11:10:09 +00:00
Mark Vainomaa
b451286b1f
docker: 19.03.4 -> 20.10.2 (#108960)
This commit refactors the build process to handle Docker engine and
CLI split.
2021-01-13 11:33:14 +01:00
Martin Potier
de02ae9350
nixos/azure-agent: fix deprecation warning 2021-01-12 13:00:38 +02:00
Amine Chikhaoui
ecf84de70c
ec2-amis: 2020-11-23 update (#104740) 2021-01-11 12:37:14 -05:00
Phillip Cloud
a873cbc218 nixos/podman: use shared config drvs to populate podman module 2021-01-10 08:54:37 -05:00
Phillip Cloud
3e57cbdd3c nixos/podman: remove assertion that docker and podman nvidia runtimes cannot both be enabled 2021-01-10 08:54:37 -05:00
Phillip Cloud
50f70cb8ed nixos/podman: remove nvidia-container-runtime/config.toml creation from module 2021-01-10 08:54:37 -05:00
Phillip Cloud
8f1a64953e nixos/docker: remove nvidia-container-runtime/config.toml creation from module 2021-01-10 08:54:37 -05:00
Phillip Cloud
890a298409 nvidia-docker: wrapProgram to pickup needed runc executable 2021-01-08 09:29:56 -05:00
Phillip Cloud
c9955d06be nixos/podman: add nvidia runtime support 2021-01-08 09:29:55 -05:00
Sandro
58514b3428
Merge pull request #108380 from Patryk27/fixes/lxd-cgroup-v2
nixos/lxd: disable cgroup v2 when LXD is active
2021-01-08 00:23:35 +01:00
Alyssa Ross
6c3d21aff9
nixos/getty: rename from services.mingetty
It's been 8.5 years since NixOS used mingetty, but the option was
never renamed (despite the file definining the module being renamed in
9f5051b76c ("Rename mingetty module to agetty")).

I've chosen to rename it to services.getty here, rather than
services.agetty, because getty is implemantation-neutral and also the
name of the unit that is generated.
2021-01-05 09:09:42 +00:00
Patryk Wychowaniec
30ccbe8eec
nixos/lxd: disable cgroup v2 when LXD is active 2021-01-04 11:25:30 +01:00
lewo
7a6a0577f6
Merge pull request #107610 from puffnfresh/patch-3
oci-containers: fix containers attribute in docs
2020-12-31 09:39:25 +01:00
Niklas Hambüchen
9424925867
Merge pull request #85244 from tomberek/tomberek/amazon-init
amazon-init: add xz to PATH
2020-12-31 01:50:19 +01:00
Brian McKenna
1c73baa8c8
oci-containers: fix containers attribute in docs 2020-12-26 16:06:30 +11:00
Vladimír Čunát
57a787c9fa
Revert Merge #107275: nixos: fix "nixos-rebuild ...
... build-vm-with-bootloader" for EFI systems

This reverts commit 20257280d9, reversing
changes made to 926a1b2094.
It broke nixosTests.installer.simpleUefiSystemdBoot
and right now channel is lagging behing for two weeks.
2020-12-23 21:24:24 +01:00
Bjørn Forsman
39fad297fd nixos: fix "nixos-rebuild build-vm-with-bootloader" for EFI systems
`nixos-rebuild build-vm-with-bootloader` currently fails with the
default NixOS EFI configuration:

  $ cat >configuration.nix <<EOF
  {
    fileSystems."/".device = "/dev/sda1";
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
  }
  EOF

  $ nixos-rebuild build-vm-with-bootloader -I nixos-config=$PWD/configuration.nix -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz
  [...]
  insmod: ERROR: could not insert module /nix/store/1ibmgfr13r8b6xyn4f0wj115819f359c-linux-5.4.83/lib/modules/5.4.83/kernel/fs/efivarfs/efivarfs.ko.xz: No such device
  mount: /sys/firmware/efi/efivars: mount point does not exist.
  [    1.908328] reboot: Power down
  builder for '/nix/store/dx2ycclyknvibrskwmii42sgyalagjxa-nixos-boot-disk.drv' failed with exit code 32
  [...]

Fix it by setting virtualisation.useEFIBoot = true in qemu-vm.nix, when
efi is needed.

And remove the now unneeded configuration in
./nixos/tests/systemd-boot.nix, since it's handled globally.

Before:
* release-20.03: successful build, unsuccessful run
* release-20.09 (and master): unsuccessful build

After:
* Successful build and run.

Fixes https://github.com/NixOS/nixpkgs/issues/107255
2020-12-21 08:55:13 +01:00
Jens Nolte
ad6c2dea6a nixos/nixos-container: Always apply extraVeth ip configuration
Fixes that `containers.<name>.extraVeths.<name>` configuration was not
always applied.

When configuring `containers.<name>.extraVeths.<name>` and not
configuring one of `containers.<name>.localAddress`, `.localAddress6`,
`.hostAddress`, `.hostAddress6` or `.hostBridge` the veth was created,
but otherwise no configuration (i.e. no ip) was applied.

nixos-container always configures the primary veth (when `.localAddress`
or `.hostAddress` is set) to be the containers default gateway, so
this fix is required to create a veth in containers that use a different
default gateway.

To test this patch configure the following container and check if the
addresses are applied:
```
  containers.testveth = {
    extraVeths.testveth = {
      hostAddress = "192.168.13.2";
      localAddress = "192.168.13.1";
    };
    config = {...}:{};
  };
```
2020-12-19 04:32:05 +01:00
Erik Arvstedt
77c4fc2e89
nixos-container: simplify 'pkgs' option type
Set the default value directly instead of using a `null` proxy value.
2020-12-15 20:25:59 +01:00
Erik Arvstedt
29385f0560
nixos-containers: remove redundant eval-config args
The values of these args are identical to the default values defined
in `eval-config.nix`.
Note especially that `lib` is not reevaluated.
2020-12-15 20:25:59 +01:00
Frederik Rietdijk
b2a3891e12 Merge master into staging-next 2020-11-27 15:09:19 +01:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
Frederik Rietdijk
587538d087 Merge staging-next into staging 2020-11-23 18:10:33 +01:00
zowoq
dbbd289982 nixos/*: fix indentation 2020-11-23 08:42:51 +10:00
Florian Klink
c76891314d
Merge pull request #104094 from flokli/systemd-unified-cgroup-hierarchy
systemd: switch to unified cgroup hierarchy by default
2020-11-22 22:35:42 +01:00
Jack Kelly
43bfd7e5b1 {ec2,openstack}-metadata-fetcher: unconditionally fetch metadata
The metadata fetcher scripts run each time an instance starts, and it
is not safe to assume that responses from the instance metadata
service (IMDS) will be as they were on first boot.

Example: an EC2 instance can have its user data changed while
the instance is stopped. When the instance is restarted, we want to
see the new user data applied.
2020-11-22 11:04:46 +10:00
Jack Kelly
8c39655de3 {ec2,openstack}-metadata-fetcher: introduce wget_imds function 2020-11-22 11:04:46 +10:00
Jack Kelly
f8c3027812 openstack-metadata-fetcher: stop lying in log message 2020-11-22 11:04:46 +10:00
Graham Christensen
f2cfecdec3
nixos ami: preflight the imds token
According to Freenode's ##AWS, the metadata server can sometimes
take a few moments to get its shoes on, and the very first boot
of a machine can see failed requests for a few moments.
2020-11-19 13:56:44 -05:00
Graham Christensen
83ea88e03f
nixos: ec2 ami: support IMDSv2
AWS's metadata service has two versions. Version 1 allowed plain HTTP
requests to get metadata. However, this was frequently abused when a
user could trick an AWS-hosted server in to proxying requests to the
metadata service. Since the metadata service is frequently used to
generate AWS access keys, this is pretty gnarly. Version two is
identical except it requires the caller to request a token and provide
it on each request.

Today, starting a NixOS AMI in EC2 where the metadata service is
configured to only allow v2 requests fails: the user's SSH key is not
placed, and configuration provided by the user-data is not applied.
The server is useless. This patch addresses that.

Note the dependency on curl is not a joyful one, and it expand the
initrd by 30M. However, see the added comment for more information
about why this is needed. Note the idea of using `echo` and `nc` are
laughable. Don't do that.
2020-11-19 13:00:56 -05:00
Florian Klink
d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
Graham Christensen
21339b41bf
nixos: openstack: have its own metadata fetcher expression
These two APIs have diverged over time and are no longer compatible.
2020-11-18 11:42:32 -05:00
Kevin Cox
dce7cc111a
Merge pull request #96912 from atlaua/aranea/qemu-vm-kernel-config
nixos/qemu-vm: Fix and update system.requiredKernelConfig entries
2020-11-11 07:29:14 -05:00
AmineChikhaoui
43907de6a7
ec2-amis: update AMIs to use gpt partition table
Use changes made as part of #102182.
2020-11-05 20:58:08 -05:00
Mira Ressel
a7de454a76 nixos/qemu-vm: Update system.requiredKernelConfig
Verify that all kernel modules which are required for mounting
/nix/store in the VM are present.
2020-10-30 22:22:58 +01:00
Mira Ressel
8ee970442b nixos/qemu-vm: Don't require CONFIG_EXPERIMENTAL
The kernel stopped using this config option with version 3.9 (back in
2013!).
2020-10-30 22:22:57 +01:00
Mira Ressel
ef5268bcab nixos/qemu-vm: Fix condition in requiredKernelConfig
'optional' just takes a single item rather than a list
2020-10-30 22:22:13 +01:00
Graham Christensen
c851030763
amazon-image: random.trust_cpu=on to cut 10s from boot
Ubuntu and other distros already have this set via kernel config.
2020-10-30 13:45:19 -04:00
AmineChikhaoui
8cae6703ef
ec2-amis: add stable NixOS 20.09 AMIs
Fixes #101694
2020-10-27 08:52:15 -04:00
rnhmjoj
bc2188b083
nixos: fix qemu_test being used in normal VMs
This is an attempt to fixup PR #49403.
2020-10-21 16:38:04 +02:00
Andreas Rammhold
f6cd17269e
Merge pull request #49403 from andir/qemu_test_reduce_closure
qemu_test: disable features that are not needed for tests (closure 641 -> 335.3M)
2020-10-21 00:41:01 +02:00
Joseph D. Long
a2ee5cbb05
nixos/vagrant-virtualbox-image: init (#101120)
Co-authored-by: zimbatm <zimbatm@zimbatm.com>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2020-10-20 11:09:46 +02:00
Andreas Rammhold
e127ba7873
nixos/qemu-guest-agent: make the QEMU guest agent package configurable 2020-10-19 17:58:10 +02:00
Vladimír Čunát
420f89ceb2
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fd.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
2020-10-07 12:22:18 +02:00
Michael Raskin
31a4e2e28b
Merge pull request #93457 from ju1m/apparmor
apparmor: fix and improve the service
2020-09-27 13:07:38 +00:00
zowoq
008de9ca3c nixos/{containers,cri-o,podman}: move copyFile to nixos/lib/utils 2020-09-24 10:01:47 +10:00
Sascha Grunert
eac4389021 nixos/cri-o: add networkDir option
The new option can be used to specify the network directory for CNI
plugin configurations.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-24 07:35:35 +10:00
Linus Heckemann
4c8dabed17
Merge pull request #97826 from lheckemann/spice-usb-redir
nixos/spice-usb-redirection: init
2020-09-19 07:52:23 +02:00
Sascha Grunert
e363aef498 nixos/cri-o: remove deprecated manage_ns_lifecycle option
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-17 17:50:57 +10:00
Linus Heckemann
ad7b27b4c8 fixup: address @jtojnar's review comments 2020-09-12 17:00:44 +02:00
Linus Heckemann
e2fd022d63 nixos/spice-usb-redirection: init
Fixes #39618
2020-09-12 09:16:31 +02:00
worldofpeace
dd2727773a Revert "nixos/qemu-vm: support nix run"
This reverts commit 02590c9620.

02590c9620 (commitcomment-42078853)
2020-09-06 19:45:10 -04:00
worldofpeace
02590c9620 nixos/qemu-vm: support nix run 2020-09-06 14:57:51 -04:00
Julien Moutinho
fb6d63f3fd apparmor: fix and improve the service 2020-09-06 07:43:03 +02:00
WORLDofPEACE
18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
Sascha Grunert
27b0c4b151 nixos/containers: add oci-seccomp-bpf-hook
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-02 21:53:37 +10:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Sascha Grunert
46a0aa4176 nixos/cri-o: unset hooks dir to avoid dir creation on startup
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-01 18:04:54 +10:00
Lassulus
e453860b8f
Merge pull request #86236 from ThibautMarty/fix-nullOr-types
treewide: fix modules options types where the default is null
2020-08-26 18:21:29 +02:00
Antoine Eiche
8595a0d6b9 Remove docker-preloader module and test 2020-08-23 10:49:13 +02:00
Sascha Grunert
ddfa221670 cri-o: add loobpack CNI config to module
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-23 09:32:40 +10:00
Sascha Grunert
71dd85bffa cri-o: add pinns path and witch to crio.conf.d config style
This adds the pinns path to the configuration let CRI-O start properly.
We also change the configuration to the new drop-in syntax.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-21 12:09:20 +10:00
Florian Klink
da88c6eee5 nixos/railcar: fix typo 2020-08-07 18:00:28 +02:00
Jörg Thalheim
ba930d8679
nixos/modules: remove trailing whitespace
This leads to ci failure otherwise if the file gets changed.
git-blame can ignore whitespace changes.
2020-08-07 14:45:39 +01:00
John Ericson
3a512ab84e
Merge pull request #60246 from dfordivam/virtualbox-add-extra-disk
nixos/modules/virtualization: Options to add an extra disk in virtualbox VM
2020-08-02 13:13:52 -04:00
ajs124
c708c41c11 qemu-vm: fix master eval 2020-07-21 20:14:49 +02:00
Bas van Dijk
d06de760f8 nixos/modules/system/activation/top-level.nix: allow overriding system.name
The toplevel derivations of systems that have `networking.hostName`
set to `""` (because they want their hostname to be set by DHCP) used
to be all named
`nixos-system-unnamed-${config.system.nixos.label}`.
This makes them hard to distinguish.

A similar problem existed in NixOS tests where `vmName` is used in the
`testScript` to refer to the VM. It defaulted to the
`networking.hostName` which when set to `""` won't allow you to refer
to the machine from the `testScript`.

This commit makes the `system.name` configurable. It still defaults to:

```
if config.networking.hostName == ""
then "unnamed"
else config.networking.hostName;
```

but in case `networking.hostName` needs to be to `""` the
`system.name` can be set to a distinguishable name.
2020-07-20 13:44:18 +02:00
06kellyjac
9edb189fa1 nixos/containers: correct isNormaUser to isNormalUser
Correct a small spelling slip up
2020-07-19 16:26:14 +01:00
Jörg Thalheim
eb66a32a56
Merge pull request #76487 from ryneeverett/lockkernelmodules-docker 2020-07-18 10:35:34 +01:00
ryneeverett
f12581a7a3 nixos/docker: explicitly load kernel modules
This is analogous to #70447.

With security.lockKernelModules=true, docker commands result in the following
error without at least loading veth:

$ docker run hello-world
/nix/store/mr50kaan2vs4gc40ymwncb2vci25aq7z-docker-19.03.2/libexec/docker/docker: Error response from daemon: failed to create endpoint epic_kare on network bridge: failed to add the host (veth8b381f3) <=> sandbox (veth348e197) pair interfaces: operation not supported.
ERRO[0003] error waiting for container: context canceled
2020-07-18 02:31:25 +00:00
adisbladis
5733967290
nixos.users-groups: Set up subuid/subgid mappings for all normal users
This is required by (among others) Podman to run containers in rootless mode.

Other distributions such as Fedora and Ubuntu already set up these mappings.

The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.
2020-07-13 13:15:02 +02:00
Graham Christensen
84ecbc9a19
libvirtd: don't start libvirtd-tcp.socket by default
Per upstream:

> libvirtd-tcp.socket - the unit file corresponding to the TCP 16509
> port for non-TLS remote access. This socket should not be configured
> to start on boot until the administrator has configured a suitable
> authentication mechanism.
2020-07-08 19:50:23 -04:00
Niklas Hambüchen
d4d9d9c552
Merge pull request #92122 from nh2/qemu-vm-fix-useBootLoader
qemu-vm: Fix useBootLoader, remove `/boot` read-only restriction
2020-07-06 22:06:20 +02:00
Daniel Fullmer
0b4e216775 qemu-vm: treat EFI vars as state, similarly to diskImage 2020-07-06 12:09:37 -07:00
Daniel Fullmer
fec163d21c qemu-vm: add EFI support for aarch64 2020-07-06 12:09:36 -07:00
Daniel Fullmer
d7e3312ab1 qemu-vm: split EFI NVRAM into CODE and VARS 2020-07-06 12:08:41 -07:00
Daniel Fullmer
4d14826825 qemu-vm: allow bootloader to set EFI vars
Without this, systemd-boot does not add an EFI boot entry for itself.
The reason it worked before this fix is because it would fall back to
the default installed \EFI\BOOT\BOOTX64.EFI
2020-07-06 12:07:49 -07:00
Divam
d127d85173 Options to add an extra disk in virtual box VM. 2020-07-06 15:45:18 +09:00
Jan Tojnar
07cebeffb8
Merge pull request #86473 from bachp/virtualbox-vmsvga 2020-07-05 04:11:44 +02:00
Niklas Hambüchen
5b16d4c9ce qemu-vm.nix: Fix device name hardcodes on useBootLoader.
boot.loader.grub.device` was hardcoded to `bootDevice`, which is
wrong, because that's the device for `/`, and with `useBootLoader`
the boot loader is not on that device.

This bug probably came into existence because of bad naming;
`virtualisation.bootDevice` has description
"The disk to be used for the root filesystem", which is very confusing;
it should be `.rootDevice` then!
Unfortunately, the description is right and the attribute name is wrong,
so it is not easy to change this without deprecation.

This commit ensures that even if you use `useBootLoader` and
`diskInterface == "scsi"`, the created VM can boot through, and can run
`nixos-rebuild afterwards.

It also adds extra commentary to explain what's going on in this module
in general in relation to `useBootLoader`.
2020-07-04 14:47:36 +02:00
Niklas Hambüchen
2fa351b6a5 qemu-vm.nix: Do not mount /boot read-only.
There does not seem to be a good reason to do this, and it breaks running
`nixos-rebuild boot --install-bootloader` inside the VM.
2020-07-04 14:44:33 +02:00
Chuck
e74755c422 nixos/qemu-vm: Don't assume boot drive is always vdb 2020-07-04 14:40:42 +02:00
Chuck
a5e211dd7f nixos/qemu-vm: Generalize drive naming 2020-07-03 19:36:45 -07:00
Chuck
800639f287 nixos/qemu-vm: Refactor: Combine duplicate disk definitions 2020-07-03 11:31:43 -07:00
zowoq
e89446656d nixos/{podman,containers}: libpod.conf -> containers.conf 2020-06-26 08:09:36 +10:00
Pascal Bach
f29063ff0b nixos/virtualbox-image: change graphics adapter to vmswga 2020-06-17 18:43:28 +02:00