nixos-enter sets up /etc/resolv.conf as a bind mount from the host
system, so trying to activate a system that sets
`environment.etc."resolv.conf"` (e.g. with systemd-resolved enabled)
results in an unhelpful warning.
Skip linking /etc/resolv.conf if we're in a nixos-enter environment, as
determined by the IN_NIXOS_ENTER environment variable.
Make the warnings more helpful, indicating which file we failed to link.
Unlink temporary files in case of failure.
That version has a regression that leaves some machines unbootable.
While we wait for the fix (252.2) to land in master, this is a workaround that
should save people some pain.
To reduce size, stage 1 (the initrd) is populated by copying specific
binaries in, then copying the libraries specifically needed by those
binaries. `patchelf` is then used to make the binaries search in the
directory where these libraries are copied to instead of their original
store paths.
Some filesystems (e.g. ZFS) do not guarantee that copying the same files
in the same order into a given directory will result in `find` returning
them in any particular order (though the order appears consistent so
long as the directory is not modified).
Therefore, when the binaries are scanned for libraries to copy in, they
might be scanned in a different order each time the derivation is built.
If two binaries need two different libraries with the same name, then a
different instance of the library might be copied in first, changing the
derivation contents and breaking reproducibility.
This turns out to be the case with `libudev.so.1` from both `systemd`
(needed by e.g. `mdadm`) and `systemdMinimal` (needed by e.g.
`dmsetup`). This issue is fixed by sorting the list of binaries to be
scanned instead of relying on filesystem order so that the same instance
always gets seen and copied first.
Both before this change (at least on ext4) and after this change
(without any options that affect stage 1), this is the `libudev.so.1`
from `systemdMinimal` by way of `dmsetup`. Whether this is appropriate
and how much the two different systemd configurations and udev libraries
need to be involved is a topic left for future work.
We separate the different steps (injecting the toplevel and injecting
the specialisations) so that it's easy to document what each snippet is
actually doing.
Yes I know it's dirty to link the rendered HTML, but linking
`#sec-kernel-config` breaks the manual build for me with the following
error:
element link: validity error : IDREF attribute linkend references an unknown ID "sec-kernel-config"
This is something that should probably be fixed, but for the current
change I'd argue that this is good enough (in fact even the
`nix.settings`-option uses that hack).
- The default cipher is BF-CBC, which openvpn refuses to use by default.
Switched to AES-256-CBC.
- openvpn does not require an external "ip" executable anymore, and does
not support the "ipconfig" option by default, so remove that option.
When no interfaces are managed by systemd-networkd, it will
unconditionally fail. This option allows it to be disabled in those
situations where it prevents system switches from succeeding.
The placement of this option under `nix` was misleading, as it is not
configuration of the Nix daemon, but rather configuration of the NixOS
boot process and how it mounts the Nix store. As such, make it an option
of `boot` to clarify what it actually affects, and imply that it will
only take effect on a reboot.
Since it no longer has the context of nix, adjust the name to include
it.
Or else systemd-oomd gets marked as failed due to
"Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
and cause the system to enter degraded state.
Ref https://github.com/NixOS/nixpkgs/issues/195085
