Diffstat (limited to 'nixpkgs/nixos/modules/system')
-rw-r--r-- | nixpkgs/nixos/modules/system/activation/activation-script.nix | 33 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/luksroot.nix | 79 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/networkd.nix | 40 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/systemd-lib.nix | 8 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/system/boot/systemd.nix | 4 |
5 files changed, 158 insertions, 6 deletions
diff --git a/nixpkgs/nixos/modules/system/activation/activation-script.nix b/nixpkgs/nixos/modules/system/activation/activation-script.nix index ddfd1af4a31..495d77dfd49 100644 --- a/nixpkgs/nixos/modules/system/activation/activation-script.nix +++ b/nixpkgs/nixos/modules/system/activation/activation-script.nix @@ -162,6 +162,16 @@ in <literal>/usr/bin/env</literal>. ''; }; + + environment.ld-linux = mkOption { + default = false; + type = types.bool; + visible = false; + description = '' + Install symlink to ld-linux(8) system-wide to allow running unmodified ELF binaries. + It might be useful to run games or executables distributed inside jar files. + ''; + }; }; @@ -195,9 +205,30 @@ in '' else '' rm -f /usr/bin/env - rmdir --ignore-fail-on-non-empty /usr/bin /usr + rmdir -p /usr/bin || true ''; + system.activationScripts.ld-linux = + concatStrings ( + mapAttrsToList + (target: source: + if config.environment.ld-linux then '' + mkdir -m 0755 -p $(dirname ${target}) + ln -sfn ${escapeShellArg source} ${target}.tmp + mv -f ${target}.tmp ${target} # atomically replace + '' else '' + rm -f ${target} + rmdir $(dirname ${target}) || true + '') + { + "i686-linux" ."/lib/ld-linux.so.2" = "${pkgs.glibc.out}/lib/ld-linux.so.2"; + "x86_64-linux" ."/lib/ld-linux.so.2" = "${pkgs.pkgsi686Linux.glibc.out}/lib/ld-linux.so.2"; + "x86_64-linux" ."/lib64/ld-linux-x86-64.so.2" = "${pkgs.glibc.out}/lib64/ld-linux-x86-64.so.2"; + "aarch64-linux"."/lib/ld-linux-aarch64.so.1" = "${pkgs.glibc.out}/lib/ld-linux-aarch64.so.1"; + "armv7l-linux" ."/lib/ld-linux-armhf.so.3" = "${pkgs.glibc.out}/lib/ld-linux-armhf.so.3"; + }.${pkgs.stdenv.system} or {} + ); + system.activationScripts.specialfs = '' specialMount() { diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index 0bb8396a44f..31f1e22cda3 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix 
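Review bot: The description of `environment.ld-linux` promises more than the symlink delivers: a foreign binary started through `/lib/ld-linux.so.2` still has to find its shared libraries, and the same file tears down `/usr` and `/lib` when the options are off, so on a stock NixOS there is no `/lib`, `/usr/lib` or `/etc/ld.so.cache` for the loader to search. The option is also `visible = false`, so this description is the only place a user will learn that. I would extend it with a caveat such as `Only the dynamic loader is provided; the binary must still find its libraries via RPATH, LD_LIBRARY_PATH or a static link. The symlink points into the Nix store and is replaced on every activation.` (and, on x86_64, that `/lib/ld-linux.so.2` is the 32-bit `pkgsi686Linux` loader, which the hunk below shows).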
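Review bot: The disabled branch of `system.activationScripts.ld-linux` runs on every activation of every system, and `rm -f ${target}` followed by `rmdir $(dirname ${target})` will delete a `/lib/ld-linux.so.2` or `/lib64/ld-linux-x86-64.so.2` that an administrator created by hand, since `environment.ld-linux` defaults to `false`. Limit the cleanup to links this module owns, e.g. `case "$(readlink ${target} 2>/dev/null)" in /nix/store/*) rm -f ${target} ;; esac`. In the enabled branch, `mv -f ${target}.tmp ${target}` will move the new link *into* `${target}` if that path is an existing directory rather than replacing it; `mv -fT ${target}.tmp ${target}` keeps the replacement atomic and fails loudly instead. Both branches expand `${target}` unquoted, which is fine for these literal paths but worth a comment so the table is not later extended with paths containing spaces.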
@@ -4,6 +4,7 @@ with lib; let luks = config.boot.initrd.luks; + kernelPackages = config.boot.kernelPackages; commonFunctions = '' die() { @@ -139,7 +140,7 @@ let umount /crypt-ramfs 2>/dev/null ''; - openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fallbackToPassword, ... }: assert name' == name; + openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, ... }: assert name' == name; let csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}"; cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}"; @@ -387,7 +388,31 @@ let } ''} - ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) then '' + ${optionalString (luks.fido2Support && (fido2.credential != null)) '' + + open_with_hardware() { + local passsphrase + + ${if fido2.passwordLess then '' + export passphrase="" + '' else '' + read -rsp "FIDO2 salt for ${device}: " passphrase + echo + ''} + ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") '' + echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest." + echo "Please move your mouse to create needed randomness." + ''} + echo "Waiting for your FIDO2 device..." + fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase + if [ $? -ne 0 ]; then + echo "No FIDO2 key found, falling back to normal open procedure" + open_normally + fi + } + ''} + + ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then '' open_with_hardware '' else '' open_normally 
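Review bot: `local passsphrase` in `open_with_hardware` declares a misspelled variable, so the `passphrase` that `read -rsp` and `export passphrase=""` actually set is a global of the initrd shell and, in the passwordLess branch, is exported into the environment of everything started afterwards; change it to `local passphrase` and drop the `export`. `--salt string:$passphrase` is unquoted, so a salt containing whitespace is split into extra arguments for fido2luks; write `--salt "string:$passphrase"` and `unset passphrase` once the call returns. The "No FIDO2 key found" message is printed for any non-zero exit, which presumably also covers a wrong salt or a PIN failure, so `echo "fido2luks failed (no device, wrong salt or PIN); falling back to normal open procedure"` would be less misleading. The salt is still passed on the command line and so readable from `/proc` — acceptable inside the initrd where only root runs, but a comment should say so. The `openCommand` string this function lives in starts and ends outside the hunk.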
@@ -608,6 +633,31 @@ in }); }; + fido2 = { + credential = mkOption { + default = null; + example = "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"; + type = types.str; + description = "The FIDO2 credential ID."; + }; + + gracePeriod = mkOption { + default = 10; + type = types.int; + description = "Time in seconds to wait for the FIDO2 key."; + }; + + passwordLess = mkOption { + default = false; + type = types.bool; + description = '' + Defines whatever to use an empty string as a default salt. + + Enable only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>. + ''; + }; + }; + yubikey = mkOption { default = null; description = '' @@ -706,6 +756,15 @@ in and a Yubikey to work with this feature. ''; }; + + boot.initrd.luks.fido2Support = mkOption { + default = false; + type = types.bool; + description = '' + Enables support for authenticating with FIDO2 devices. + ''; + }; + }; config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) { @@ -714,6 +773,14 @@ in [ { assertion = !(luks.gpgSupport && luks.yubikeySupport); message = "Yubikey and GPG Card may not be used at the same time."; } + + { assertion = !(luks.gpgSupport && luks.fido2Support); + message = "FIDO2 and GPG Card may not be used at the same time."; + } + + { assertion = !(luks.fido2Support && luks.yubikeySupport); + message = "FIDO2 and Yubikey may not be used at the same time."; + } ]; # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested @@ -753,6 +820,11 @@ in chmod +x $out/bin/openssl-wrap ''} + ${optionalString luks.fido2Support '' + copy_bin_and_libs ${pkgs.fido2luks}/bin/fido2luks + ''} + + ${optionalString luks.gpgSupport '' copy_bin_and_libs ${pkgs.gnupg}/bin/gpg copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent 
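Review bot: `fido2.credential` is declared with `type = types.str` but `default = null`, while the rest of the module tests `fido2.credential != null`; `types.str` does not admit `null`, so the declaration should be `type = types.nullOr types.str;` (whether the module system rejects the default at evaluation time depends on the lib version, but the mismatch is wrong either way). The `passwordLess` description has a typo: `Defines whether to use an empty string as the salt.`, and it should spell out the consequence — that with it enabled the FIDO2 device alone unlocks the volume, so the device's own PIN/user-presence check is the only remaining factor. `gracePeriod` could use `types.ints.positive`, since `--await-dev 0` or a negative value has no useful meaning here.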
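Review bot: The new assertions only forbid combining the three hardware back-ends; nothing checks that `boot.initrd.luks.fido2Support` is enabled when a device sets `fido2.credential`, and the open command earlier in the diff is guarded by `luks.fido2Support && fido2.credential != null`, so a device configured with a credential but without `fido2Support = true` silently falls back to the passphrase prompt and `fido2luks` is never copied into the initrd. Add `{ assertion = luks.fido2Support || all (d: d.fido2.credential == null) (attrValues luks.devices);` with `message = "boot.initrd.luks.fido2Support must be enabled when a device sets fido2.credential."; }` next to the existing ones. The `assertions` list is cut at both ends of the hunk.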
@@ -783,6 +855,9 @@ in $out/bin/gpg-agent --version $out/bin/scdaemon --version ''} + ${optionalString luks.fido2Support '' + $out/bin/fido2luks --version + ''} ''; boot.initrd.preFailCommands = postCommands; diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index 3e289a63139..56a9d6b1138 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -49,7 +49,7 @@ let (assertValueOneOf "Kind" [ "bond" "bridge" "dummy" "gre" "gretap" "ip6gre" "ip6tnl" "ip6gretap" "ipip" "ipvlan" "macvlan" "macvtap" "sit" "tap" "tun" "veth" "vlan" "vti" "vti6" - "vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim" + "vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim" "xfrm" ]) (assertByteFormat "MTUBytes") (assertMacAddress "MACAddress") @@ -172,6 +172,14 @@ let (assertValueOneOf "AllSlavesActive" boolValues) ]; + checkXfrm = checkUnitConfig "Xfrm" [ + (assertOnlyFields [ + "InterfaceId" "Independent" + ]) + (assertRange "InterfaceId" 1 4294967295) + (assertValueOneOf "Independent" boolValues) + ]; + checkNetwork = checkUnitConfig "Network" [ (assertOnlyFields [ "Description" "DHCP" "DHCPServer" "LinkLocalAddressing" "IPv4LLRoute" @@ -182,7 +190,7 @@ let "IPv6HopLimit" "IPv4ProxyARP" "IPv6ProxyNDP" "IPv6ProxyNDPAddress" "IPv6PrefixDelegation" "IPv6MTUBytes" "Bridge" "Bond" "VRF" "VLAN" "IPVLAN" "MACVLAN" "VXLAN" "Tunnel" "ActiveSlave" "PrimarySlave" - "ConfigureWithoutCarrier" + "ConfigureWithoutCarrier" "Xfrm" ]) # Note: For DHCP the values both, none, v4, v6 are deprecated (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"]) 
@@ -477,6 +485,18 @@ let ''; }; + xfrmConfig = mkOption { + default = {}; + example = { InterfaceId = 1; }; + type = types.addCheck (types.attrsOf unitOption) checkXfrm; + description = '' + Each attribute in this set specifies an option in the + <literal>[Xfrm]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.netdev</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + }; addressOptions = { @@ -712,6 +732,16 @@ let ''; }; + xfrm = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + A list of xfrm interfaces to be added to the network section of the + unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + addresses = mkOption { default = [ ]; type = with types; listOf (submodule addressOptions); @@ -810,6 +840,11 @@ let ${attrsToSection def.bondConfig} ''} + ${optionalString (def.xfrmConfig != { }) '' + [Xfrm] + ${attrsToSection def.xfrmConfig} + + ''} ${optionalString (def.wireguardConfig != { }) '' [WireGuard] ${attrsToSection def.wireguardConfig} @@ -847,6 +882,7 @@ let ${concatStringsSep "\n" (map (s: "MACVLAN=${s}") def.macvlan)} ${concatStringsSep "\n" (map (s: "VXLAN=${s}") def.vxlan)} ${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)} + ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)} ${optionalString (def.dhcpConfig != { }) '' [DHCP] diff --git a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix index 28ad4f121bb..fd1a5b9f62c 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix 
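Review bot: The `xfrmConfig` description should say that `InterfaceId` is required: systemd.netdev(5) documents it as mandatory for `Kind = "xfrm"` netdevs, and `checkXfrm` earlier in the diff only validates the field when it is present, so an `[Xfrm]` section without it is accepted here and rejected by networkd at boot. Either extend the description with `InterfaceId is mandatory for xfrm netdevs.` or, if the file has a required-field assertion helper (none is visible in these hunks), use it in `checkXfrm`. The `xfrm` list option in the later hunk takes bare strings with no validation, which matches the neighbouring `macvlan`/`vxlan` options, so no change there.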
@@ -147,7 +147,13 @@ in rec { done # Symlink all units provided listed in systemd.packages. - for i in ${toString cfg.packages}; do + packages="${toString cfg.packages}" + + # Filter duplicate directories + declare -A unique_packages + for k in $packages ; do unique_packages[$k]=1 ; done + + for i in ''${!unique_packages[@]}; do for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do if ! [[ "$fn" =~ .wants$ ]]; then if [[ -d "$fn" ]]; then diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix index c438bb216e7..941df5797c6 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd.nix @@ -869,11 +869,15 @@ in "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/home.conf".source = "${systemd}/example/tmpfiles.d/home.conf"; "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; + "tmpfiles.d/portables.conf".source = "${systemd}/example/tmpfiles.d/portables.conf"; "tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"; "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; + "tmpfiles.d/systemd-nologin.conf".source = "${systemd}/example/tmpfiles.d/systemd-nologin.conf"; "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/systemd-nspawn.conf"; "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/systemd-tmp.conf"; + "tmpfiles.d/tmp.conf".source = "${systemd}/example/tmpfiles.d/tmp.conf"; "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; |
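Review bot: Iterating `''${!unique_packages[@]}` replaces the ordered walk over `cfg.packages` with bash associative-array order, which is unspecified, so when two packages ship a unit or drop-in of the same name, which one ends up linked into the generated directory is no longer deterministic (the link logic that decides that is below the hunk). Deduplicate while keeping the original order instead: `declare -A seen`, then inside `for i in $packages; do` add `[[ -n "''${seen[$i]}" ]] && continue; seen[$i]=1` before the inner loop (note the `''${` escape, as this is inside a Nix string). `$packages` is expanded unquoted, which is fine for store paths but deserves a comment.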
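Review bot: Adding upstream `tmp.conf` is a behaviour change that deserves a comment: in systemd's example it sets age-based cleanup of `/tmp` and `/var/tmp` (10 and 30 days upstream, to be confirmed against the packaged file), so `systemd-tmpfiles-clean.timer`, if enabled, will start purging long-lived files that NixOS previously left alone. `systemd-nologin.conf` creates `/run/nologin` early in boot, which blocks non-root logins until `systemd-user-sessions.service` removes it — verify that service is enabled, or logins silently fail. I would add above the new lines `# tmp.conf enables age-based cleanup of /tmp and /var/tmp; systemd-nologin.conf creates /run/nologin until systemd-user-sessions.service runs.` so the next reader knows these are not just directory creation.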