Fixes#228141, which describes an issue where detaching Yubikey during the boot process
causes cryptsetup to write empty passphrase instead of the challenge-response salt stored
on the boot drive.
This fixes notably the fact that /dev/zfs was not usable anymore as a user,
and potentially other things.
Tracked in systemd upstream under issue number 28653, 28765.
This is an early preparation for systemd v254 which causes some patch reflows
and EFI-related cleanups to their new build system with elf2efi, requiring pyelftools
as a Python packge.
Historically, we allowed downgrade of DNSSEC, but some folks argue
this may decrease actually the security posture to do opportunistic DNSSEC.
In addition, the current implementation of (opportunistic) DNSSEC validation
is broken against "in the wild" servers which are usually slightly non-compliant.
systemd upstream recommended to me (in personal communication surrounding
the All Systems Go 2023 conference) to disable DNSSEC validation until
they work on it in a significant capacity, ideally, by next year.
it should be checking that it is not a broken symlink but bash
conditionals are difficult
-d was causing the directory to not be created if it does not exist
```
$ install -m 0755 -d $PWD/hello
$ ls
hello/
$ ln -s something notexist
'notexist' -> 'something'
$ ls -l
lrwxrwxrwx artturin artturin 9 B Sat Sep 9 06:59:44 2023 notexist@ ⇒ something
drwxr-xr-x artturin artturin 2 B Sat Sep 9 06:59:36 2023 hello/
$ install -m 0755 -d $PWD/notexist
install: cannot change permissions of ‘/home/artturin/nixgits/my-nixpkgs/test/notexist’: No such file or directory
```
Underneath, systemd-networkd’s reload is just `networkctl reload`. Per
`man networkctl`, calling `reload` is expected to fully handle new,
modified, and removed .network files, but it only handles *new* .netdev
files. For simplicity, assume .network -> reload and .netdev -> restart.
It’s desirable to perform reload instead of restart, as restart has the
potential to bring down interfaces, resulting in a loss of network
connectivity.
Just like with system-wide tmpfiles, call `systemd-tmpfiles --create
--remove` for users during activation. This fixes an issue where new
entries in a user's tmpfiles are not reflected after activation, only at
boot when the user service systemd-tmpfiles-setup.service runs or only
after running systemd-tmpfiles manually.
Before this commit there was no way to access (boot into) specialisation of previous generations from grub,even tho they are there.
This commit will add grub submenu for each generation if the generation has any specialisation.
Which will allow you to boot into them.
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
We should sometimes restart the units rather than reloading them so the
changes are actually applied. / and /nix are explicitly excluded because
there was some very old issue where these were unmounted. I don't think
this will affect many people since most people use fstab mounts instead
but I plan to adapt this behavior for fstab mounts as well in the future
(once I wrote a test for the fstab thingies).
When I boot there's a warning `stage-2-init: install: cannot change permissions of '/etc/nixos': No such file or directory`
because my /etc/nixos is a symlink to $HOME/dotfiles.
```
/etc/nixos -> /home/artturin/dotfiles
```
These lines were added in 56b4653904
This avoids creating a build-time reference on `boot.kernelParams` if
the configuration does not use a kernel, i.e., `boot.kernel.enable` is
set to `false`.
There is only other `with` with a somewhat broad scope, `with pkgs`, but
it's used in a place where it would become awkward to change out. And
anyway its scope is rather limited still.
With a limited testing of all packaged GRUB 2 themes (pkgs.nixos-grub2-theme)
this is tested to work.
Without this change, the theme loading will error out (waiting for a key press).
With this change, the theme loads and works as expected.
