When the option list is empty, the fstab generator does not
automatically add "defaults" and generates a non-working fstab (since it
just emits two spaces around where the options would have been which is
only technically one fstab separator).
According to a ZFS issue about hibernation causing data corruption:
https://github.com/openzfs/zfs/issues/12842
The way this happens is if the system force imports a pool that was
suspended during hibernation. I've had this happen twice on NixOS and
I'd like to avoid having this happen again, to me or others.
To do this I've added an assertion that makes sure you can't have
`forceImportRoot` or `forceImportAll` enabled with `allowHibernation`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Version 251.6 of systemd introduced a small change[1] that now checks
whether the fsck command is available in *addition* to the filesystem
specific fsck.$fsname executable.
When bumping systemd to version 251.7 on our side[2], we introduced that
change. This subsequently caused our "fsck" test to fail and it looks
like this was an oversight during the pull request[3] introducing the
bump.
Since the fsck wrapper binary is in util-linux, I decided to address
this by adding util-linux to fsPackages because util-linux is already
part of the closure of any NixOS system so the impact should be pretty
low.
[1]: 73db7d9932
[2]: 844a08cc06
[3]: https://github.com/NixOS/nixpkgs/pull/199618
Signed-off-by: aszlig <aszlig@nix.build>
This change fixes this system journal warning for
`fileSystems.<name>.fsType = "nfs4"` configurations:
systemd-fstab-generator[714]: Checking was requested for "192.168.0.6:/data", but it is not a device.
Some mount options might include path names and those often contain spaces and
therefore must be escaped. An example which prompted me to make this change is
the path of a btrfs subvolume.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
While it might seem odd, 0.0.0.0/0 or ::/0 gateways are valid and
commonly used on point-to-point links (e.g. a wireguard tunnel) to
indicate that all traffic needs to be sent to a given interface.
systemd-networkd actually documents this as a valid configuration in its
man pages [1].
Tested to do the right thing in one of my NixOS containers using
a Wireguard tunnel as its default route.
[1] https://www.freedesktop.org/software/systemd/man/systemd.network.html#DefaultRouteOnDevice=
...if cfgExpandOnBoot == "all", otherwise it fails during runtime:
```
Aug 06 19:38:05 nixos zpool-expand-pools-start[981]: /nix/store/ka3vivdray82mi9dql12yf258gkw643l-unit-script-zpool-expand-pools-start/bin/zpool-expand-pools-start: line 3: zpool: command not found
```
This commit prevents warning messages like
```
systemd-fstab-generator: Checking was requested for "/path/to/device", but it is not a device.
```
in `dmesg` when one of the filesystems 9p, cifs, prl_fs or vmhgfs is added to the list of `fileSystems`.
This happens because the generated /etc/fstab entry contains a non-zero fsck pass number, which doesn't make sense for these filesystems.
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
Without this change, configurations like
```nix
fileSystems."/path/to/bindMountedDirectory" = {
device = "/path/to/originalDirectory";
options = [ "bind" ];
};
```
will lead to a warning message in `dmesg`:
```
systemd-fstab-generator: Checking was requested for "/path/to/originalDirectory", but it is not a device.
```
This happens because the generated /etc/fstab entry contains a non-zero fsck pass number, which doesn't make sense for a bind mount.
Tell zpool-list(8) to format output rather than modifying it afterwards.
Furthermore, pool names may contain spaces and would thus break due to
awk(1)'s word splitting.
Although unlikely, ZFS happily accepts names like 'zroot/foo -r'.
Escape names and separate command line options from arguments to avoid
any kind of misinterpretation.
Previously this wasn't done in the `forEach`-expression for
`cfg.interfaces` and thus `networking.useDHCP` didn't have any effect if
no further interface was statically configured.
This includes disabling some features in the initrd by default, this is
only done when the new initrd is used. Namely, ext and bcache are
disabled by default. bcache gets an own enable option while ext is
detected like any other filesystem.
Some systems should not be rebooted at just any time. If the upgrade process takes too long, for instance because of a
slow internet connection, or if the upgrade service is ran during production hours, we want to allow to define a window
outside of which a reboot will not be performed.
The system will then reboot on the next run of the upgrade service which finishes inside the reboot window.
E.g. we can run the update service twice per week, once during the night and once during the day, but reboots are only
allowed during the night. By doing so, a system that is usually shut down during the night will still receive updates
and systems that are turned on 24/7 can be rebooted outside of production hours.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
Commit ca58bd0a50 broke the test networking.networkd.static. This happened because the test sets `networking.defaultGateway`. This is implemented by adding the gateway to the list of `routes` using `mkDefault`. The `routes` are then overridden by an empty list in the newly added code. Replace `mkDefault` with `id` so the two lists are merged and everything (hopefully) works as expected.
See https://github.com/NixOS/nixpkgs/pull/144590 for a more context.
some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
Remove PrivateDevices to silence warning about SnapRAID being
unable to access disk UUIDs.
Add CAP_FOWNER when touch is enabled so file time stamps can be
set.
this setting was added in 2016 in commit
bcdd81d9e1
the posibility to preferTempAddress was added to
nixos/network-interface in 2018 in commit
1fec496f38
preferTempAddress was renamed to tempAddress
in 2020 in commit 2485e6399e
therefore this setting is redundant since nm will use the sysctl option
nixos/network-interfaces: add default to sysctl so that the value for it
is set
networkmanager falls back to it
https://man.archlinux.org/man/NetworkManager.conf.5
The parentheses prevent the `continue` line from working by running the
enclosed in a subshell -- I noticed that ZFS would start asking me for
my password to encrypted child datasets, even though they were not
specified in `requestEncryptionCredentials`. The following logs would
also be present in the import unit's journal:
Oct 31 22:13:17 host systemd[1]: Starting Import ZFS pool "pool"...
Oct 31 22:13:44 host zfs-import-pool-start[3711]: importing ZFS pool "pool"...
Oct 31 22:13:44 host zfs-import-pool-start[4017]:pool/nix/store/39zij3xcxn4w38v6x8f88bx8y91nv0rm-unit-script-zfs-import-pool-start/bin/zfs-import-pool-start: line 31: continue: only meaningful in a `for', `while', or `until' loop
Oct 31 22:13:44 host zfs-import-pool-start[4020]:pool/nix/store/39zij3xcxn4w38v6x8f88bx8y91nv0rm-unit-script-zfs-import-pool-start/bin/zfs-import-pool-start: line 31: continue: only meaningful in a `for', `while', or `until' loop
Oct 31 22:15:14 host zfs-import-pool-start[4023]: Failed to query password: Timer expired
Oct 31 22:15:14 host zfs-import-pool-start[4024]: Key load error: encryption failure
Oct 31 22:15:14 host systemd[1]: zfs-import-pool.service: Main process exited, code=exited, status=255/EXCEPTION
Oct 31 22:15:14 host systemd[1]: zfs-import-pool.service: Failed with result 'exit-code'.
Oct 31 22:15:14 host systemd[1]: Failed to start Import ZFS pool "pool".
allows configuration of foo-over-udp decapsulation endpoints. sadly networkd
seems to lack the features necessary to support local and peer address
configuration, so those are only supported when using scripted configuration.
5.7+ comes with a native exfat implementation, exfatprogs should be used instead.
The exfat package puts a "mount.exfat" binary in the path, which causes
mount to prefer the FUSE version to the non-fuse one. There's no way to
disable the binary, so switch to exfatprogs.
This should barely increase the size of the initrd, because these are all symlinks.
With this, systems with dm-cache/lvmcache can also be booted, although the kernel modules for the relevant dm targets still need to be added to the initrd with boot.initrd.kernelModules.
If the pstore module is builtin, it nonetheless can take considerable
time to register a backend despite /sys/fs/pstore already appearing
mounted, so the condition is moved into the main script to extend
waiting for the backend to this case.
systemd's modprobe@.service does not require success so mount-pstore
executed despite a non-present pstore module, leading to an error about
the /sys/fs/pstore mountpoint not existing on CONFIG_PSTORE=n systems.
According to fstab(5), unlike last two fields `fs_freq` and `fs_passno`,
the 4-th field `fs_mntops` is NOT optional, though it works when omitted.
For best-practice and easier to be parsed by other programs, we should always
write `defaults` as default mount options for swap devices.
The `networking.hostname` option was changed to not permit periods
in names, due to a strict reading of RFC 1123. For users who need
the hostname to be fully qualified, the networking.hostName option
suggests using boot.kernel.sysctl."kernel.hostname" as a workaround.
This option works correctly at boot time, but every "nixos-rebuild
switch" will change the hostname back to the unqualified version.
This commit brings the activation script in line with the
documentation's recommendation.
This reverts commit d349582c07.
The workaround initially applied isn't necessary anymore, as 247.3
contains the following commit:
> 242fc1d261 network: fix IPv6PrivacyExtensions=kernel handling
… which fixes https://github.com/systemd/systemd/issues/18003.
If the machine is powered off when the zpool-trim timer is supposed to
trigger (usually around midnight) then the timer will be skipped
outright in favor of the next instance.
For desktop systems which are usually powered off at this time, zpool
trimming will never be run which can degrade SSD performance.
By marking the timer as `Persistent = yes` we ensure that it will run at
the first possible opportunity after the trigger date is reached.
We currently build CONFIG_IPV6=m.
This seems to be not really well-supported in mainline kernels - see
https://lore.kernel.org/netdev/20201115224509.2020651-1-flokli@flokli.de/T/#u
Compiling it as a module doesn't give too much benefit - even for people
who did explicitly set `enableIPv6` to false, the `ipv6` module was
still loaded, as soon as another module was loaded that requires it
(bridge,br_netfilter,wireguard,ip6table_mangle,sctp,…).
By compiling it in, we only loose the possibility to not add it to
`boot.kernelModules` anymore (as it's part of the kernel directly). The
space savings are negligible.
People wanting to disable IPv6 still get the appropriate sysctls and
options set (while having the kernel code loaded), nothing is really
changing here.
Systemd dependencies for scripted mode
were refactored according to analysis in #34586.
networking.vswitches can now be used with systemd-networkd,
although they are not supported by the daemon, a nixos receipe
creates the switch and attached required interfaces (just like
the scripted version).
Vlans and internal interfaces are implemented following the
template format i.e. each interface is
described using an attributeSet (vlan and type at the moment).
If vlan is present, then interface is added to the vswitch with
given tag (access mode). Type internal enabled vswitch to create
interfaces (see openvswitch docs).
Added configuration for configuring supported openFlow version on
the vswitch
This commit is a split from the original PR #35127.
This reverts commit fb6d63f3fd.
I really hope this finally fixes#99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011
Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
Conform to RFC 1123 [0], specifically to "2.1 Host Names and Numbers",
which allow starting host name with alphanumerical instead of alphabetical characters.
RFC 1123 updates RFC 952 [1], which is referenced in "man 5 hosts".
[0]: https://tools.ietf.org/html/rfc1123
[1]: https://tools.ietf.org/html/rfc952
rfkill was subsumed by util-linux in 2017 [1], and the upstream has not
been updated in over 5 years [2]. This package shadows the rfkill from
util-linux, so it can be completely removed with no breaking changes,
because util-linux is in the base package set in nixos/system-path.
[1] d17fb726b5
[2] https://git.sipsolutions.net/rfkill.git/log/
- Give a more accurate description of how fileSystems.<name/>.neededForBoot
works
- Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile
works
This change introduces more fine-grained requestEncryptionCredentials.
While previously when requestEncryptionCredentials = true, the
credentials for all imported pools and all datasets in these imported
pools were requested, it is now possible to select exactly the pools and
datasets for which credentials should be requested.
It is still possible to set requestEncryptionCredentials = true, which
continues to act as a wildcard for all pools and datasets, so the change
is backwards compatible.
This fixes a regression from 993baa587c which requires
networking.hostName to be a valid DNS label [0].
Unfortunately we missed the fact that the hostnames may also be empty,
if the user wants to obtain it from a DHCP server. This is even required
by a few modules/images (e.g. Amazon EC2, Azure, and Google Compute).
[0]: https://github.com/NixOS/nixpkgs/pull/76542#issuecomment-638138666
The `networking.interfaces.<name?>.proxyARP` option previously mentioned it would also enable IPv6 forwarding and `proxy_ndp`.
However, the `proxy_ndp` option was never actually set (the non-existing `net.ipv6.conf.proxy_arp` sysctl was set
instead). In addition `proxy_ndp` also needs individual entries for each ip to proxy for.
Proxy ARP and Proxy NDP are two different concepts, and enabling the latter
should be a conscious decision.
This commit removes the broken NDP support, and disables explicitly
enabling IPv6 forwarding (which is the default in most cases anyways)
Fixes#62339.
The `network-link-${i.name}` units raced with other things trying to
configure the interface, or ran before the interface was available.
Instead of running our own set of shell scripts on boot, and hoping
they're executed at the right time, we can make use of udev to configure
the interface *while they appear*, by providing `.link` files in
/etc/systemd/network/*.link to set MACAddress and MTUBytes.
This doesn't require networkd to be enabled, and is populated properly
on non-networkd systems since
https://github.com/NixOS/nixpkgs/pull/82941.
This continues clean-up work done in
https://github.com/NixOS/nixpkgs/pull/85170 for the scripted networking
stack.
The only leftover part of the `network-link-${i.name}` unit (bringing
the interface up) is moved to the beginning of the
`network-addresses-${i.name}` unit.
Fixes: https://github.com/NixOS/nixpkgs/issues/74471
Closes: https://github.com/NixOS/nixpkgs/pull/87116
