From 4175ce3cf732e504c1e49d1e001042b403592e66 Mon Sep 17 00:00:00 2001 From: oddlama Date: Mon, 24 Jul 2023 21:42:01 +0200 Subject: [PATCH] chore: update to main nixpkgs, include my temporary switch-to-configuration changes --- flake.lock | 62 +- hosts/ward/fs.nix | 1 - hosts/zackbiene/default.nix | 12 +- hosts/zackbiene/fs.nix | 36 +- hosts/zackbiene/secrets/local.nix.age | Bin 735 -> 599 bytes lib/disko.nix | 1 - modules/config/switch-to-configuration.pl | 962 +++++++++++++++++ modules/config/system.nix | 2 - modules/default.nix | 1 - modules/networking/hostapd.nix | 1197 --------------------- nix/installer-configuration.nix | 7 +- 11 files changed, 1024 insertions(+), 1257 deletions(-) create mode 100755 modules/config/switch-to-configuration.pl delete mode 100644 modules/networking/hostapd.nix diff --git a/flake.lock b/flake.lock index 7158503..a2c43d2 100644 --- a/flake.lock +++ b/flake.lock @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1684153753, - "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "lastModified": 1689334118, + "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=", "owner": "ryantm", "repo": "agenix", - "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1688544596, - "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=", + "lastModified": 1690148072, + "narHash": "sha256-R7bk2ij1b06Wc8S3L/guz6Mape5HtKp/YZUyJaxSFa8=", "owner": "nix-community", "repo": "disko", - "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692", + "rev": "713eb78002e69bd77f5a69595756fd2e564233f3", "type": "github" }, "original": { @@ -301,11 +301,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { @@ -364,11 +364,11 @@ ] }, "locked": { - "lastModified": 1688552611, - "narHash": "sha256-pV/1/AU1l5CNFeKmdJ1jofcaKHhtKAbxY4gazeCyoSo=", + "lastModified": 1690208251, + "narHash": "sha256-eb/KANeuQADVl5j4wVid4jyPCOMTorSI2+gqoXp3LME=", "owner": "nix-community", "repo": "home-manager", - "rev": "b23c7501f7e0a001486c9a5555a6c53ac7b08e85", + "rev": "d309a62ee81faec56dd31a263a0184b0e3227e36", "type": "github" }, "original": { @@ -414,8 +414,8 @@ ] }, "locked": { - "lastModified": 1687369979, - "narHash": "sha256-Dgiop+/ERu4e2Bolqd3H0ENWPQoZ5c4kSiQo8e73nKA=", + "lastModified": 1689768420, + "narHash": "sha256-j6i9S2UNoBIpkUvGmI3GZr+rX4YiwACZsMypwKJJ9Tw=", "type": "git", "url": "file:///root/projects/microvm.nix" }, @@ -427,11 +427,11 @@ }, "nixlib": { "locked": { - "lastModified": 1688259758, - "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "lastModified": 1689469483, + "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", "type": "github" }, "original": { @@ -448,11 +448,11 @@ ] }, "locked": { - "lastModified": 1688349424, - "narHash": "sha256-/wRCJP2d9ZmfZKrREWthpDHIx/F02Z1J2bytbC+gUiU=", + "lastModified": 1690133435, + "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "cf341a2c94338eed91c35df291931ea775b31e99", + "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", "type": "github" }, "original": { @@ -463,11 +463,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1686838567, - "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=", + "lastModified": 1690200740, + "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", + "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", "type": "github" }, "original": { @@ -499,10 +499,12 @@ }, "nixpkgs": { "locked": { - "lastModified": 1686319658, - "narHash": "sha256-Xb+zN3LkyOEKH9ydJEy3h0ch0MNEf0G7tmPbhy6r080=", - "type": "git", - "url": "file:///root/projects/nixpkgs-test" + "lastModified": 1690031011, + "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "12303c652b881435065a98729eb7278313041e49", + "type": "github" }, "original": { "owner": "NixOS", @@ -584,11 +586,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1688596063, - "narHash": "sha256-9t7RxBiKWHygsqXtiNATTJt4lim/oSYZV3RG8OjDDng=", + "lastModified": 1689668210, + "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c8d18ba345730019c3faf412c96a045ade171895", + "rev": "eb433bff05b285258be76513add6f6c57b441775", "type": "github" }, "original": { diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix index e24ed85..1e91b34 100644 --- a/hosts/ward/fs.nix +++ b/hosts/ward/fs.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: { disko.devices = { diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 3c05184..cb85b84 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -8,14 +8,14 @@ ../../modules/optional/zfs.nix #./dnsmasq.nix - ./esphome.nix + #./esphome.nix ./fs.nix - ./home-assistant.nix - ./hostapd.nix - ./mosquitto.nix + #./home-assistant.nix + #./hostapd.nix + #./mosquitto.nix ./net.nix - ./nginx.nix - ./zigbee2mqtt.nix + #./nginx.nix + #./zigbee2mqtt.nix ]; # TODO boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"]; diff --git a/hosts/zackbiene/fs.nix b/hosts/zackbiene/fs.nix index ebf18d3..764926f 100644 --- a/hosts/zackbiene/fs.nix +++ b/hosts/zackbiene/fs.nix @@ -1,19 +1,29 @@ { - # TODO disko - fileSystems = { - "/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - options = ["zfsutil" "X-mount.mkdir"]; + config, + lib, + ... +}: { + disko.devices = { + disk = { + mmc = { + type = "disk"; + device = "/dev/disk/by-id/${config.repo.secrets.local.disk.mmc}"; + content = with lib.disko.gpt; { + type = "table"; + format = "gpt"; + partitions = [ + (partEfi "efi" "0%" "1GiB") + (partSwap "swap" "1GiB" "9GiB") + (partLuksZfs "rpool" "9GiB" "100%") + ]; + }; + }; }; - - "/boot" = { - device = "/dev/disk/by-uuid/c0bb3411-7af3-4901-83ea-eb2560b11784"; - fsType = "ext4"; + zpool = with lib.disko.zfs; { + rpool = defaultZpoolOptions // {datasets = defaultZfsDatasets;}; }; }; - swapDevices = [ - {device = "/dev/disk/by-uuid/a4a5fee7-2b6f-4cec-9ec9-fc4b71e8055a";} - ]; + boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.mmc}"]; + boot.initrd.luks.devices.enc-rpool.allowDiscards = true; } diff --git a/hosts/zackbiene/secrets/local.nix.age b/hosts/zackbiene/secrets/local.nix.age index a705ef4cf07805cfbe47557e00a6c8cd72200b24..d847ad725bf29584861c0985a43e09927b621d32 100644 GIT binary patch delta 578 zcmV-I0=@m;1=j?SAb&VDS}=5BYEgK0Xi7{@W_Wl(cynoKVQOzHXj*k;Q)Np*XmE8{ zM>tAWZwgFPM{GH2WkG8)ZE$OOYE(*aIB8i)SXwwML`GF;QdvSqb!BULS~yx$Sqd#a zAaH4REpRe5HXwL$Q)M_&AVFtUSyN?UGBZbZR8ebVHFj4^ZGSdeGHzK@bx$}&VtP+h zSw(DRa5HUIHf#!WR%$S3PhojXG*nVaZ8mW?XhLBzP(w^%GfYu8cQs^sW@$%pb1`N$ zNoxu%J|IYGEoX9NVRL05M`nFHAZAuoNg#74OdwNu3R8AtLo{?WWqD9-b2UOK*cDgw&Bo6{vHsotOg7rU=1j8=nRDU{ptJ4e#eD>`!K0mRF{dR+Q zX2oj;8d$4NKoZm=2`$NUR02*wN=NeaR|DFGy+_GQ*bC&8<7LSLn z1$p@yB&C1m6XaAb(+1S#ffAGFV9~a4$(=NK80nOH+18M0093W=BLeO-wX&ZDMOh zPc&tDX9`V3LUKZ7aAtT~S~zWFSVwDQMRqYWM>9BOa8g-OIV*NEHAiD>PDX85I0`L3 zAaH4REpRe5HXwL$Q)M_&AVDy0L{>sLRd-WZFI81xV`X%9Hh+3eMKd-wQbKKaba6#C zL~3(FLU(6VZB+_+IZaVTPjE>{FHvn;S7vHeOK5O3W-&8vXmUtHQAI;nRxmYIYG`MA zIZ+BNJ|I?kEoX9NVRK~)OmZ(%LUuHLrYdK zNm5jFb1z~rY=1;CRBB5&WkNS{Q)Ed&dNx6LYYJspFI7@cMJstpVN6a$Q!zs~SVL_u zX--f_W=k+|MtW0s3N0-yAZsf)N-$MbMN?!{OHX)7Vq;QEZ&gWna5PIsHdt9!GDBy0 za5ZCaPiinp3afw@_9Kz%sJUu%n+*lQ0y%T^&Fb?0;eQ6|$B0@+qzh37`KoX#x8%QC~i#qy|S89D>`ItS;waA@2pri=`9^^{UXLi~+Ip^eoA*F&dWrWKSN>Mu&zb3;r+S zoE=>BB!=vb!4(QYG~Pw-wunXd==4uJba2BhYe z;Vg7Ut%DwBmhmp9+$j-QeAB=TLlyDcXzCaQQ!lZ{eVjR}B<_R77whuQ-HM4D6>|HdrQ5ekk_wkpWY+ xeH^tts8&g4aQ(umrC=S={K3jQd_#)cE)M43!QCGGkAR}k(#9pqekv>{v+NLmBw7Ff diff --git a/lib/disko.nix b/lib/disko.nix index 6e0e64c..bc90f34 100644 --- a/lib/disko.nix +++ b/lib/disko.nix @@ -44,7 +44,6 @@ inputs: self: super: { zfs = rec { defaultZpoolOptions = { type = "zpool"; - mountRoot = "/mnt"; rootFsOptions = { compression = "zstd"; acltype = "posix"; diff --git a/modules/config/switch-to-configuration.pl b/modules/config/switch-to-configuration.pl new file mode 100755 index 0000000..d7f5044 --- /dev/null +++ b/modules/config/switch-to-configuration.pl @@ -0,0 +1,962 @@ +#! @perl@/bin/perl + +# Issue #166838 uncovered a situation in which a configuration not suitable +# for the target architecture caused a cryptic error message instead of +# a clean failure. Due to this mismatch, the perl interpreter in the shebang +# line wasn't able to be executed, causing this script to be misinterpreted +# as a shell script. +# +# Let's detect this situation to give a more meaningful error +# message. The following two lines are carefully written to be both valid Perl +# and Bash. +printf "Perl script erroneously interpreted as shell script,\ndoes target platform match nixpkgs.crossSystem platform?\n" && exit 1 + if 0; + +use strict; +use warnings; +use Config::IniFiles; +use File::Path qw(make_path); +use File::Basename; +use File::Slurp qw(read_file write_file edit_file); +use JSON::PP; +use IPC::Cmd; +use Sys::Syslog qw(:standard :macros); +use Cwd qw(abs_path); + +## no critic(ControlStructures::ProhibitDeepNests) +## no critic(ErrorHandling::RequireCarping) +## no critic(CodeLayout::ProhibitParensWithBuiltins) +## no critic(Variables::ProhibitPunctuationVars, Variables::RequireLocalizedPunctuationVars) +## no critic(InputOutput::RequireCheckedSyscalls, InputOutput::RequireBracedFileHandleWithPrint, InputOutput::RequireBriefOpen) +## no critic(ValuesAndExpressions::ProhibitNoisyQuotes, ValuesAndExpressions::ProhibitMagicNumbers, ValuesAndExpressions::ProhibitEmptyQuotes, ValuesAndExpressions::ProhibitInterpolationOfLiterals) +## no critic(RegularExpressions::ProhibitEscapedMetacharacters) + +# Location of activation scripts +my $out = "@out@"; +# System closure path to switch to +my $toplevel = "@toplevel@"; +# Path to the directory containing systemd tools of the old system +my $cur_systemd = abs_path("/run/current-system/sw/bin"); +# Path to the systemd store path of the new system +my $new_systemd = "@systemd@"; + +# To be robust against interruption, record what units need to be started etc. +# We read these files again every time this script starts to make sure we continue +# where the old (interrupted) script left off. +my $start_list_file = "/run/nixos/start-list"; +my $restart_list_file = "/run/nixos/restart-list"; +my $reload_list_file = "/run/nixos/reload-list"; + +# Parse restart/reload requests by the activation script. +# Activation scripts may write newline-separated units to the restart +# file and switch-to-configuration will handle them. While +# `stopIfChanged = true` is ignored, switch-to-configuration will +# handle `restartIfChanged = false` and `reloadIfChanged = true`. +# This is the same as specifying a restart trigger in the NixOS module. +# +# The reload file asks the script to reload a unit. This is the same as +# specifying a reload trigger in the NixOS module and can be ignored if +# the unit is restarted in this activation. +my $restart_by_activation_file = "/run/nixos/activation-restart-list"; +my $reload_by_activation_file = "/run/nixos/activation-reload-list"; +my $dry_restart_by_activation_file = "/run/nixos/dry-activation-restart-list"; +my $dry_reload_by_activation_file = "/run/nixos/dry-activation-reload-list"; + +# The action that is to be performed (like switch, boot, test, dry-activate) +# Also exposed via environment variable from now on +my $action = shift(@ARGV); +$ENV{NIXOS_ACTION} = $action; + +# Expose the locale archive as an environment variable for systemctl and the activation script +if ("@localeArchive@" ne "") { + $ENV{LOCALE_ARCHIVE} = "@localeArchive@"; +} + +if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) { + print STDERR <<"EOF"; +Usage: $0 [switch|boot|test] + +switch: make the configuration the boot default and activate now +boot: make the configuration the boot default +test: activate the configuration, but don\'t make it the boot default +dry-activate: show what would be done if this configuration were activated +EOF + exit(1); +} + +# This is a NixOS installation if it has /etc/NIXOS or a proper +# /etc/os-release. +if (!-f "/etc/NIXOS" && (read_file("/etc/os-release", err_mode => "quiet") // "") !~ /^ID="?@distroId@"?/msx) { + die("This is not a NixOS installation!\n"); +} + +make_path("/run/nixos", { mode => oct(755) }); +openlog("nixos", "", LOG_USER); + +# Install or update the bootloader. +if ($action eq "switch" || $action eq "boot") { + chomp(my $install_boot_loader = <<'EOFBOOTLOADER'); +@installBootLoader@ +EOFBOOTLOADER + system("$install_boot_loader $toplevel") == 0 or exit 1; +} + +# Just in case the new configuration hangs the system, do a sync now. +if (($ENV{"NIXOS_NO_SYNC"} // "") ne "1") { + system("@coreutils@/bin/sync", "-f", "/nix/store"); +} + +if ($action eq "boot") { + exit(0); +} + +# Check if we can activate the new configuration. +my $cur_init_interface_version = read_file("/run/current-system/init-interface-version", err_mode => "quiet") // ""; +my $new_init_interface_version = read_file("$toplevel/init-interface-version"); + +if ($new_init_interface_version ne $cur_init_interface_version) { + print STDERR <<'EOF'; +Warning: the new NixOS configuration has an ‘init’ that is +incompatible with the current configuration. The new configuration +won't take effect until you reboot the system. +EOF + exit(100); +} + +# Ignore SIGHUP so that we're not killed if we're running on (say) +# virtual console 1 and we restart the "tty1" unit. +$SIG{PIPE} = "IGNORE"; + +# Replacement for Net::DBus that calls busctl of the current systemd, parses +# it's json output and returns the response using only core modules to reduce +# dependencies on perlPackages in baseSystem +sub busctl_call_systemd1_mgr { + my (@args) = @_; + my $cmd = [ + "$cur_systemd/busctl", "--json=short", "call", "org.freedesktop.systemd1", + "/org/freedesktop/systemd1", "org.freedesktop.systemd1.Manager", + @args + ]; + + my ($ok, $err, undef, $stdout) = IPC::Cmd::run(command => $cmd); + die $err unless $ok; + + my $res = decode_json(join "", @$stdout); + return $res; +} + +# Asks the currently running systemd instance via dbus which units are active. +# Returns a hash where the key is the name of each unit and the value a hash +# of load, state, substate. +sub get_active_units { + my $units = busctl_call_systemd1_mgr("ListUnitsByPatterns", "asas", 0, 0)->{data}->[0]; + my $res = {}; + for my $item (@{$units}) { + my ($id, $description, $load_state, $active_state, $sub_state, + $following, $unit_path, $job_id, $job_type, $job_path) = @{$item}; + if ($following ne "") { + next; + } + if ($job_id == 0 and $active_state eq "inactive") { + next; + } + $res->{$id} = { load => $load_state, state => $active_state, substate => $sub_state }; + } + return $res; +} + +# Asks the currently running systemd instance whether a unit is currently active. +# Takes the name of the unit as an argument and returns a bool whether the unit is active or not. +sub unit_is_active { + my ($unit_name) = @_; + my $units = busctl_call_systemd1_mgr("ListUnitsByNames", "as", 1, , "--", $unit_name)->{data}->[0]; + if (scalar(@{$units}) == 0) { + return 0; + } + my $active_state = $units->[0]->[3]; + return $active_state eq "active" || $active_state eq "activating"; +} + +# Parse a fstab file, given its path. +# Returns a tuple of filesystems and swaps. +# +# Filesystems is a hash of mountpoint and { device, fsType, options } +# Swaps is a hash of device and { options } +sub parse_fstab { + my ($filename) = @_; + my ($fss, $swaps); + foreach my $line (read_file($filename, err_mode => "quiet")) { + chomp($line); + $line =~ s/^\s*\#.*//msx; + if ($line =~ /^\s*$/msx) { + next; + } + my @xs = split(/\s+/msx, $line); + if ($xs[2] eq "swap") { + $swaps->{$xs[0]} = { options => $xs[3] // "" }; + } else { + $fss->{$xs[1]} = { device => $xs[0], fsType => $xs[2], options => $xs[3] // "" }; + } + } + return ($fss, $swaps); +} + +# This subroutine takes a single ini file that specified systemd configuration +# like unit configuration and parses it into a hash where the keys are the sections +# of the unit file and the values are hashes themselves. These hashes have the unit file +# keys as their keys (left side of =) and an array of all values that were set as their +# values. If a value is empty (for example `ExecStart=`), then all current definitions are +# removed. +# +# Instead of returning the hash, this subroutine takes a hashref to return the data in. This +# allows calling the subroutine multiple times with the same hash to parse override files. +sub parse_systemd_ini { + my ($unit_contents, $path) = @_; + # Tie the ini file to a hash for easier access + tie(my %file_contents, "Config::IniFiles", (-file => $path, -allowempty => 1, -allowcontinue => 1)); ## no critic(Miscellanea::ProhibitTies) + + # Copy over all sections + foreach my $section_name (keys(%file_contents)) { + if ($section_name eq "Install") { + # Skip the [Install] section because it has no relevant keys for us + next; + } + # Copy over all keys + foreach my $ini_key (keys(%{$file_contents{$section_name}})) { + # Ensure the value is an array so it's easier to work with + my $ini_value = $file_contents{$section_name}{$ini_key}; + my @ini_values; + if (ref($ini_value) eq "ARRAY") { + @ini_values = @{$ini_value}; + } else { + @ini_values = $ini_value; + } + # Go over all values + for my $ini_value (@ini_values) { + # If a value is empty, it's an override that tells us to clean the value + if ($ini_value eq "") { + delete $unit_contents->{$section_name}->{$ini_key}; + next; + } + push(@{$unit_contents->{$section_name}->{$ini_key}}, $ini_value); + } + } + } + return; +} + +# This subroutine takes the path to a systemd configuration file (like a unit configuration), +# parses it, and returns a hash that contains the contents. The contents of this hash are +# explained in the `parse_systemd_ini` subroutine. Neither the sections nor the keys inside +# the sections are consistently sorted. +# +# If a directory with the same basename ending in .d exists next to the unit file, it will be +# assumed to contain override files which will be parsed as well and handled properly. +sub parse_unit { + my ($unit_path, $base_unit_path) = @_; + + # Parse the main unit and all overrides + my %unit_data; + # Replace \ with \\ so glob() still works with units that have a \ in them + # Valid characters in unit names are ASCII letters, digits, ":", "-", "_", ".", and "\" + $base_unit_path =~ s/\\/\\\\/gmsx; + $unit_path =~ s/\\/\\\\/gmsx; + + foreach (glob("${base_unit_path}{,.d/*.conf}")) { + parse_systemd_ini(\%unit_data, "$_") + } + # Handle drop-in template-unit instance overrides + if ($unit_path ne $base_unit_path) { + foreach (glob("${unit_path}.d/*.conf")) { + parse_systemd_ini(\%unit_data, "$_") + } + } + return %unit_data; +} + +# Checks whether a specified boolean in a systemd unit is true +# or false, with a default that is applied when the value is not set. +sub parse_systemd_bool { + my ($unit_config, $section_name, $bool_name, $default) = @_; + + my @values = @{$unit_config->{$section_name}{$bool_name} // []}; + # Return default if value is not set + if ((scalar(@values) < 1) || (not defined($values[-1]))) { + return $default; + } + # If value is defined multiple times, use the last definition + my $last_value = $values[-1]; + # These are valid values as of systemd.syntax(7) + return $last_value eq "1" || $last_value eq "yes" || $last_value eq "true" || $last_value eq "on"; +} + +# Writes a unit name into a given file to be more resilient against +# crashes of the script. Does nothing when the action is dry-activate. +sub record_unit { + my ($fn, $unit) = @_; + if ($action ne "dry-activate") { + write_file($fn, { append => 1 }, "$unit\n"); + } + return; +} + +# The opposite of record_unit, removes a unit name from a file +sub unrecord_unit { + my ($fn, $unit) = @_; + if ($action ne "dry-activate") { + edit_file(sub { s/^$unit\n//msx }, $fn); + } + return; +} + +# Compare the contents of two unit files and return whether the unit +# needs to be restarted or reloaded. If the units differ, the service +# is restarted unless the only difference is `X-Reload-Triggers` in the +# `Unit` section. If this is the only modification, the unit is reloaded +# instead of restarted. +# Returns: +# - 0 if the units are equal +# - 1 if the units are different and a restart action is required +# - 2 if the units are different and a reload action is required +sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity) + my ($cur_unit, $new_unit) = @_; + my $ret = 0; + # Keys to ignore in the [Unit] section + my %unit_section_ignores = map { $_ => 1 } qw( + X-Reload-Triggers + Description Documentation + OnFailure OnSuccess OnFailureJobMode + IgnoreOnIsolate StopWhenUnneeded + RefuseManualStart RefuseManualStop + AllowIsolate CollectMode + SourcePath + ); + + my $comp_array = sub { + my ($a, $b) = @_; + return join("\0", @{$a}) eq join("\0", @{$b}); + }; + + # Comparison hash for the sections + my %section_cmp = map { $_ => 1 } keys(%{$new_unit}); + # Iterate over the sections + foreach my $section_name (keys(%{$cur_unit})) { + # Missing section in the new unit? + if (not exists($section_cmp{$section_name})) { + # If the [Unit] section was removed, make sure that only keys + # were in it that are ignored + if ($section_name eq "Unit") { + foreach my $ini_key (keys(%{$cur_unit->{"Unit"}})) { + if (not defined($unit_section_ignores{$ini_key})) { + return 1; + } + } + next; # check the next section + } else { + return 1; + } + if ($section_name eq "Unit" and %{$cur_unit->{"Unit"}} == 1 and defined(%{$cur_unit->{"Unit"}}{"X-Reload-Triggers"})) { + # If a new [Unit] section was removed that only contained X-Reload-Triggers, + # do nothing. + next; + } else { + return 1; + } + } + delete $section_cmp{$section_name}; + # Comparison hash for the section contents + my %ini_cmp = map { $_ => 1 } keys(%{$new_unit->{$section_name}}); + # Iterate over the keys of the section + foreach my $ini_key (keys(%{$cur_unit->{$section_name}})) { + delete $ini_cmp{$ini_key}; + my @cur_value = @{$cur_unit->{$section_name}{$ini_key}}; + # If the key is missing in the new unit, they are different... + if (not $new_unit->{$section_name}{$ini_key}) { + # ... unless the key that is now missing is one of the ignored keys + if ($section_name eq "Unit" and defined($unit_section_ignores{$ini_key})) { + next; + } + return 1; + } + my @new_value = @{$new_unit->{$section_name}{$ini_key}}; + # If the contents are different, the units are different + if (not $comp_array->(\@cur_value, \@new_value)) { + # Check if only the reload triggers changed or one of the ignored keys + if ($section_name eq "Unit") { + if ($ini_key eq "X-Reload-Triggers") { + $ret = 2; + next; + } elsif (defined($unit_section_ignores{$ini_key})) { + next; + } + } + return 1; + } + } + # A key was introduced that was missing in the previous unit + if (%ini_cmp) { + if ($section_name eq "Unit") { + foreach my $ini_key (keys(%ini_cmp)) { + if ($ini_key eq "X-Reload-Triggers") { + $ret = 2; + } elsif (defined($unit_section_ignores{$ini_key})) { + next; + } else { + return 1; + } + } + } else { + return 1; + } + }; + } + # A section was introduced that was missing in the previous unit + if (%section_cmp) { + if (%section_cmp == 1 and defined($section_cmp{"Unit"})) { + foreach my $ini_key (keys(%{$new_unit->{"Unit"}})) { + if (not defined($unit_section_ignores{$ini_key})) { + return 1; + } elsif ($ini_key eq "X-Reload-Triggers") { + $ret = 2; + } + } + } else { + return 1; + } + } + + return $ret; +} + +# Called when a unit exists in both the old systemd and the new system and the units +# differ. This figures out of what units are to be stopped, restarted, reloaded, started, and skipped. +sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutines::ProhibitExcessComplexity) + my ($unit, $base_name, $new_unit_file, $new_base_unit_file, $new_unit_info, $active_cur, $units_to_stop, $units_to_start, $units_to_reload, $units_to_restart, $units_to_skip) = @_; + + if ($unit eq "sysinit.target" || $unit eq "basic.target" || $unit eq "multi-user.target" || $unit eq "graphical.target" || $unit =~ /\.path$/msx || $unit =~ /\.slice$/msx) { + # Do nothing. These cannot be restarted directly. + + # Slices and Paths don't have to be restarted since + # properties (resource limits and inotify watches) + # seem to get applied on daemon-reload. + } elsif ($unit =~ /\.mount$/msx) { + # Reload the changed mount unit to force a remount. + # FIXME: only reload when Options= changed, restart otherwise + $units_to_reload->{$unit} = 1; + record_unit($reload_list_file, $unit); + } elsif ($unit =~ /\.socket$/msx) { + # FIXME: do something? + # Attempt to fix this: https://github.com/NixOS/nixpkgs/pull/141192 + # Revert of the attempt: https://github.com/NixOS/nixpkgs/pull/147609 + # More details: https://github.com/NixOS/nixpkgs/issues/74899#issuecomment-981142430 + } else { + my %new_unit_info = $new_unit_info ? %{$new_unit_info} : parse_unit($new_unit_file, $new_base_unit_file); + if (parse_systemd_bool(\%new_unit_info, "Service", "X-ReloadIfChanged", 0) and not $units_to_restart->{$unit} and not $units_to_stop->{$unit}) { + $units_to_reload->{$unit} = 1; + record_unit($reload_list_file, $unit); + } + elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) { + $units_to_skip->{$unit} = 1; + } else { + # It doesn't make sense to stop and start non-services because + # they can't have ExecStop= + if (!parse_systemd_bool(\%new_unit_info, "Service", "X-StopIfChanged", 1) || $unit !~ /\.service$/msx) { + # This unit should be restarted instead of + # stopped and started. + $units_to_restart->{$unit} = 1; + record_unit($restart_list_file, $unit); + # Remove from units to reload so we don't restart and reload + if ($units_to_reload->{$unit}) { + delete $units_to_reload->{$unit}; + unrecord_unit($reload_list_file, $unit); + } + } else { + # If this unit is socket-activated, then stop the + # socket unit(s) as well, and restart the + # socket(s) instead of the service. + my $socket_activated = 0; + if ($unit =~ /\.service$/msx) { + my @sockets = split(/\s+/msx, join(" ", @{$new_unit_info{Service}{Sockets} // []})); + if (scalar(@sockets) == 0) { + @sockets = ("$base_name.socket"); + } + foreach my $socket (@sockets) { + if (defined($active_cur->{$socket})) { + # We can now be sure this is a socket-activate unit + + $units_to_stop->{$socket} = 1; + # Only restart sockets that actually + # exist in new configuration: + if (-e "$toplevel/etc/systemd/system/$socket") { + $units_to_start->{$socket} = 1; + if ($units_to_start eq $units_to_restart) { + record_unit($restart_list_file, $socket); + } else { + record_unit($start_list_file, $socket); + } + $socket_activated = 1; + } + # Remove from units to reload so we don't restart and reload + if ($units_to_reload->{$unit}) { + delete $units_to_reload->{$unit}; + unrecord_unit($reload_list_file, $unit); + } + } + } + } + + # If the unit is not socket-activated, record + # that this unit needs to be started below. + # We write this to a file to ensure that the + # service gets restarted if we're interrupted. + if (!$socket_activated) { + $units_to_start->{$unit} = 1; + if ($units_to_start eq $units_to_restart) { + record_unit($restart_list_file, $unit); + } else { + record_unit($start_list_file, $unit); + } + } + + $units_to_stop->{$unit} = 1; + # Remove from units to reload so we don't restart and reload + if ($units_to_reload->{$unit}) { + delete $units_to_reload->{$unit}; + unrecord_unit($reload_list_file, $unit); + } + } + } + } + return; +} + +# Figure out what units need to be stopped, started, restarted or reloaded. +my (%units_to_stop, %units_to_skip, %units_to_start, %units_to_restart, %units_to_reload); + +my %units_to_filter; # units not shown + +%units_to_start = map { $_ => 1 } + split(/\n/msx, read_file($start_list_file, err_mode => "quiet") // ""); + +%units_to_restart = map { $_ => 1 } + split(/\n/msx, read_file($restart_list_file, err_mode => "quiet") // ""); + +%units_to_reload = map { $_ => 1 } + split(/\n/msx, read_file($reload_list_file, err_mode => "quiet") // ""); + +my $active_cur = get_active_units(); +while (my ($unit, $state) = each(%{$active_cur})) { + my $cur_unit_file = "/etc/systemd/system/$unit"; + my $new_unit_file = "$toplevel/etc/systemd/system/$unit"; + + my $base_unit = $unit; + my $cur_base_unit_file = $cur_unit_file; + my $new_base_unit_file = $new_unit_file; + + # Detect template instances. + if (!-e $cur_unit_file && !-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { + $base_unit = "$1\@.$2"; + $cur_base_unit_file = "/etc/systemd/system/$base_unit"; + $new_base_unit_file = "$toplevel/etc/systemd/system/$base_unit"; + } + + my $base_name = $base_unit; + $base_name =~ s/\.[[:lower:]]*$//msx; + + if (-e $cur_base_unit_file && ($state->{state} eq "active" || $state->{state} eq "activating")) { + if (! -e $new_base_unit_file || abs_path($new_base_unit_file) eq "/dev/null") { + my %cur_unit_info = parse_unit($cur_unit_file, $cur_base_unit_file); + if (parse_systemd_bool(\%cur_unit_info, "Unit", "X-StopOnRemoval", 1)) { + $units_to_stop{$unit} = 1; + } + } + + elsif ($unit =~ /\.target$/msx) { + my %new_unit_info = parse_unit($new_unit_file, $new_base_unit_file); + + # Cause all active target units to be restarted below. + # This should start most changed units we stop here as + # well as any new dependencies (including new mounts and + # swap devices). FIXME: the suspend target is sometimes + # active after the system has resumed, which probably + # should not be the case. Just ignore it. + if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") { + if (!(parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0))) { + $units_to_start{$unit} = 1; + record_unit($start_list_file, $unit); + # Don't spam the user with target units that always get started. + $units_to_filter{$unit} = 1; + } + } + + # Stop targets that have X-StopOnReconfiguration set. + # This is necessary to respect dependency orderings + # involving targets: if unit X starts after target Y and + # target Y starts after unit Z, then if X and Z have both + # changed, then X should be restarted after Z. However, + # if target Y is in the "active" state, X and Z will be + # restarted at the same time because X's dependency on Y + # is already satisfied. Thus, we need to stop Y first. + # Stopping a target generally has no effect on other units + # (unless there is a PartOf dependency), so this is just a + # bookkeeping thing to get systemd to do the right thing. + if (parse_systemd_bool(\%new_unit_info, "Unit", "X-StopOnReconfiguration", 0)) { + $units_to_stop{$unit} = 1; + } + } + + else { + my %cur_unit_info = parse_unit($cur_unit_file, $cur_base_unit_file); + my %new_unit_info = parse_unit($new_unit_file, $new_base_unit_file); + my $diff = compare_units(\%cur_unit_info, \%new_unit_info); + if ($diff == 1) { + handle_modified_unit($unit, $base_name, $new_unit_file, $new_base_unit_file, \%new_unit_info, $active_cur, \%units_to_stop, \%units_to_start, \%units_to_reload, \%units_to_restart, \%units_to_skip); + } elsif ($diff == 2 and not $units_to_restart{$unit}) { + $units_to_reload{$unit} = 1; + record_unit($reload_list_file, $unit); + } + } + } +} + +# Converts a path to the name of a systemd mount unit that would be responsible +# for mounting this path. +sub path_to_unit_name { + my ($path) = @_; + # Use current version of systemctl binary before daemon is reexeced. + open(my $cmd, "-|", "$cur_systemd/systemd-escape", "--suffix=mount", "-p", $path) + or die "Unable to escape $path!\n"; + my $escaped = do { local $/ = undef; <$cmd> }; + chomp($escaped); + close($cmd) or die("Unable to close systemd-escape pipe"); + return $escaped; +} + +# Compare the previous and new fstab to figure out which filesystems +# need a remount or need to be unmounted. New filesystems are mounted +# automatically by starting local-fs.target. FIXME: might be nicer if +# we generated units for all mounts; then we could unify this with the +# unit checking code above. +my ($cur_fss, $cur_swaps) = parse_fstab("/etc/fstab"); +my ($new_fss, $new_swaps) = parse_fstab("$toplevel/etc/fstab"); +foreach my $mount_point (keys(%{$cur_fss})) { + my $cur = $cur_fss->{$mount_point}; + my $new = $new_fss->{$mount_point}; + my $unit = path_to_unit_name($mount_point); + if (!defined($new)) { + # Filesystem entry disappeared, so unmount it. + $units_to_stop{$unit} = 1; + } elsif ($cur->{fsType} ne $new->{fsType} || $cur->{device} ne $new->{device}) { + # Filesystem type or device changed, so unmount and mount it. + $units_to_stop{$unit} = 1; + $units_to_start{$unit} = 1; + record_unit($start_list_file, $unit); + } elsif ($cur->{options} ne $new->{options}) { + # Mount options changes, so remount it. + $units_to_reload{$unit} = 1; + record_unit($reload_list_file, $unit); + } +} + +# Also handles swap devices. +foreach my $device (keys(%{$cur_swaps})) { + my $cur = $cur_swaps->{$device}; + my $new = $new_swaps->{$device}; + if (!defined($new)) { + # Swap entry disappeared, so turn it off. Can't use + # "systemctl stop" here because systemd has lots of alias + # units that prevent a stop from actually calling + # "swapoff". + if ($action eq "dry-activate") { + print STDERR "would stop swap device: $device\n"; + } else { + print STDERR "stopping swap device: $device\n"; + system("@utillinux@/sbin/swapoff", $device); + } + } + # FIXME: update swap options (i.e. its priority). +} + + +# Should we have systemd re-exec itself? +my $cur_pid1_path = abs_path("/proc/1/exe") // "/unknown"; +my $cur_systemd_system_config = abs_path("/etc/systemd/system.conf") // "/unknown"; +my $new_pid1_path = abs_path("$new_systemd/lib/systemd/systemd") or die; +my $new_systemd_system_config = abs_path("$toplevel/etc/systemd/system.conf") // "/unknown"; + +my $restart_systemd = $cur_pid1_path ne $new_pid1_path; +if ($cur_systemd_system_config ne $new_systemd_system_config) { + $restart_systemd = 1; +} + +# Takes an array of unit names and returns an array with the same elements, +# except all units that are also in the global variable `unitsToFilter`. +sub filter_units { + my ($units) = @_; + my @res; + foreach my $unit (sort(keys(%{$units}))) { + if (!defined($units_to_filter{$unit})) { + push(@res, $unit); + } + } + return @res; +} + +my @units_to_stop_filtered = filter_units(\%units_to_stop); + + +# Show dry-run actions. +if ($action eq "dry-activate") { + if (scalar(@units_to_stop_filtered) > 0) { + print STDERR "would stop the following units: ", join(", ", @units_to_stop_filtered), "\n"; + } + if (scalar(keys(%units_to_skip)) > 0) { + print STDERR "would NOT stop the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n"; + } + + print STDERR "would activate the configuration...\n"; + system("$out/dry-activate", "$out"); + + # Handle the activation script requesting the restart or reload of a unit. + foreach (split(/\n/msx, read_file($dry_restart_by_activation_file, err_mode => "quiet") // "")) { + my $unit = $_; + my $new_unit_file = "$toplevel/etc/systemd/system/$unit"; + my $base_unit = $unit; + my $new_base_unit_file = $new_unit_file; + + # Detect template instances. + if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { + $base_unit = "$1\@.$2"; + $new_base_unit_file = "$toplevel/etc/systemd/system/$base_unit"; + } + + my $base_name = $base_unit; + $base_name =~ s/\.[[:lower:]]*$//msx; + + # Start units if they were not active previously + if (not defined($active_cur->{$unit})) { + $units_to_start{$unit} = 1; + next; + } + + handle_modified_unit($unit, $base_name, $new_unit_file, $new_base_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip); + } + unlink($dry_restart_by_activation_file); + + foreach (split(/\n/msx, read_file($dry_reload_by_activation_file, err_mode => "quiet") // "")) { + my $unit = $_; + + if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) { + $units_to_reload{$unit} = 1; + record_unit($reload_list_file, $unit); + } + } + unlink($dry_reload_by_activation_file); + + if ($restart_systemd) { + print STDERR "would restart systemd\n"; + } + if (scalar(keys(%units_to_reload)) > 0) { + print STDERR "would reload the following units: ", join(", ", sort(keys(%units_to_reload))), "\n"; + } + if (scalar(keys(%units_to_restart)) > 0) { + print STDERR "would restart the following units: ", join(", ", sort(keys(%units_to_restart))), "\n"; + } + my @units_to_start_filtered = filter_units(\%units_to_start); + if (scalar(@units_to_start_filtered)) { + print STDERR "would start the following units: ", join(", ", @units_to_start_filtered), "\n"; + } + exit 0; +} + + +syslog(LOG_NOTICE, "switching to system configuration $toplevel"); + +if (scalar(keys(%units_to_stop)) > 0) { + if (scalar(@units_to_stop_filtered)) { + print STDERR "stopping the following units: ", join(", ", @units_to_stop_filtered), "\n"; + } + # Use current version of systemctl binary before daemon is reexeced. + system("$cur_systemd/systemctl", "stop", "--", sort(keys(%units_to_stop))); +} + +if (scalar(keys(%units_to_skip)) > 0) { + print STDERR "NOT restarting the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n"; +} + +# Activate the new configuration (i.e., update /etc, make accounts, +# and so on). +my $res = 0; +print STDERR "activating the configuration...\n"; +system("$out/activate", "$out") == 0 or $res = 2; + +# Handle the activation script requesting the restart or reload of a unit. +foreach (split(/\n/msx, read_file($restart_by_activation_file, err_mode => "quiet") // "")) { + my $unit = $_; + my $new_unit_file = "$toplevel/etc/systemd/system/$unit"; + my $base_unit = $unit; + my $new_base_unit_file = $new_unit_file; + + # Detect template instances. + if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { + $base_unit = "$1\@.$2"; + $new_base_unit_file = "$toplevel/etc/systemd/system/$base_unit"; + } + + my $base_name = $base_unit; + $base_name =~ s/\.[[:lower:]]*$//msx; + + # Start units if they were not active previously + if (not defined($active_cur->{$unit})) { + $units_to_start{$unit} = 1; + record_unit($start_list_file, $unit); + next; + } + + handle_modified_unit($unit, $base_name, $new_unit_file, $new_base_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip); +} +# We can remove the file now because it has been propagated to the other restart/reload files +unlink($restart_by_activation_file); + +foreach (split(/\n/msx, read_file($reload_by_activation_file, err_mode => "quiet") // "")) { + my $unit = $_; + + if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) { + $units_to_reload{$unit} = 1; + record_unit($reload_list_file, $unit); + } +} +# We can remove the file now because it has been propagated to the other reload file +unlink($reload_by_activation_file); + +# Restart systemd if necessary. Note that this is done using the +# current version of systemd, just in case the new one has trouble +# communicating with the running pid 1. +if ($restart_systemd) { + print STDERR "restarting systemd...\n"; + system("$cur_systemd/systemctl", "daemon-reexec") == 0 or $res = 2; +} + +# Forget about previously failed services. +system("$new_systemd/bin/systemctl", "reset-failed"); + +# Make systemd reload its units. +system("$new_systemd/bin/systemctl", "daemon-reload") == 0 or $res = 3; + +# Reload user units +open(my $list_active_users, "-|", "$new_systemd/bin/loginctl", "list-users", "--no-legend") || die("Unable to call loginctl"); +while (my $f = <$list_active_users>) { + if ($f !~ /^\s*(?\d+)\s+(?\S+)/msx) { + next; + } + my ($uid, $name) = ($+{uid}, $+{user}); + print STDERR "reloading user units for $name...\n"; + + system("@su@", "-s", "@shell@", "-l", $name, "-c", + "export XDG_RUNTIME_DIR=/run/user/$uid; " . + "$cur_systemd/systemctl --user daemon-reexec; " . + "$new_systemd/bin/systemctl --user start nixos-activation.service"); +} + +close($list_active_users) || die("Unable to close the file handle to loginctl"); + +# Set the new tmpfiles +print STDERR "setting up tmpfiles\n"; +system("$new_systemd/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3; + +# Before reloading we need to ensure that the units are still active. They may have been +# deactivated because one of their requirements got stopped. If they are inactive +# but should have been reloaded, the user probably expects them to be started. +if (scalar(keys(%units_to_reload)) > 0) { + for my $unit (keys(%units_to_reload)) { + if (!unit_is_active($unit)) { + # Figure out if we need to start the unit + my %unit_info = parse_unit("$toplevel/etc/systemd/system/$unit", "$out/etc/systemd/system/$unit"); + if (!(parse_systemd_bool(\%unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%unit_info, "Unit", "X-OnlyManualStart", 0))) { + $units_to_start{$unit} = 1; + record_unit($start_list_file, $unit); + } + # Don't reload the unit, reloading would fail + delete %units_to_reload{$unit}; + unrecord_unit($reload_list_file, $unit); + } + } +} +# Reload units that need it. This includes remounting changed mount +# units. +if (scalar(keys(%units_to_reload)) > 0) { + print STDERR "reloading the following units: ", join(", ", sort(keys(%units_to_reload))), "\n"; + system("$new_systemd/bin/systemctl", "reload", "--", sort(keys(%units_to_reload))) == 0 or $res = 4; + unlink($reload_list_file); +} + +# Restart changed services (those that have to be restarted rather +# than stopped and started). +if (scalar(keys(%units_to_restart)) > 0) { + print STDERR "restarting the following units: ", join(", ", sort(keys(%units_to_restart))), "\n"; + system("$new_systemd/bin/systemctl", "restart", "--", sort(keys(%units_to_restart))) == 0 or $res = 4; + unlink($restart_list_file); +} + +# Start all active targets, as well as changed units we stopped above. +# The latter is necessary because some may not be dependencies of the +# targets (i.e., they were manually started). FIXME: detect units +# that are symlinks to other units. We shouldn't start both at the +# same time because we'll get a "Failed to add path to set" error from +# systemd. +my @units_to_start_filtered = filter_units(\%units_to_start); +if (scalar(@units_to_start_filtered)) { + print STDERR "starting the following units: ", join(", ", @units_to_start_filtered), "\n" +} +system("$new_systemd/bin/systemctl", "start", "--", sort(keys(%units_to_start))) == 0 or $res = 4; +unlink($start_list_file); + + +# Print failed and new units. +my (@failed, @new); +my $active_new = get_active_units(); +while (my ($unit, $state) = each(%{$active_new})) { + if ($state->{state} eq "failed") { + push(@failed, $unit); + next; + } + + if ($state->{substate} eq "auto-restart") { + # A unit in auto-restart substate is a failure *if* it previously failed to start + open(my $main_status_fd, "-|", "$new_systemd/bin/systemctl", "show", "--value", "--property=ExecMainStatus", $unit) || die("Unable to call 'systemctl show'"); + my $main_status = do { local $/ = undef; <$main_status_fd> }; + close($main_status_fd) || die("Unable to close 'systemctl show' fd"); + chomp($main_status); + + if ($main_status ne "0") { + push(@failed, $unit); + next; + } + } + + # Ignore scopes since they are not managed by this script but rather + # created and managed by third-party services via the systemd dbus API. + # This only lists units that are not failed (including ones that are in auto-restart but have not failed previously) + if ($state->{state} ne "failed" && !defined($active_cur->{$unit}) && $unit !~ /\.scope$/msx) { + push(@new, $unit); + } +} + +if (scalar(@new) > 0) { + print STDERR "the following new units were started: ", join(", ", sort(@new)), "\n" +} + +if (scalar(@failed) > 0) { + my @failed_sorted = sort(@failed); + print STDERR "warning: the following units failed: ", join(", ", @failed_sorted), "\n\n"; + system("$new_systemd/bin/systemctl status --no-pager --full '" . join("' '", @failed_sorted) . "' >&2"); + $res = 4; +} + +if ($res == 0) { + syslog(LOG_NOTICE, "finished switching to system configuration $toplevel"); +} else { + syslog(LOG_ERR, "switching to system configuration $toplevel failed (status $res)"); +} + +exit($res); diff --git a/modules/config/system.nix b/modules/config/system.nix index 5dfb651..7120c82 100644 --- a/modules/config/system.nix +++ b/modules/config/system.nix @@ -5,6 +5,4 @@ time.timeZone = lib.mkDefault "Europe/Berlin"; i18n.defaultLocale = "C.UTF-8"; console.keyMap = "de-latin1-nodeadkeys"; - - systemd.enableUnifiedCgroupHierarchy = true; } diff --git a/modules/default.nix b/modules/default.nix index 71d56e0..ccbcbe6 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -26,7 +26,6 @@ ./meta/wireguard-proxy.nix ./meta/wireguard.nix - ./networking/hostapd.nix ./networking/interface-naming.nix ./networking/provided-domains.nix diff --git a/modules/networking/hostapd.nix b/modules/networking/hostapd.nix deleted file mode 100644 index 335b6ca..0000000 --- a/modules/networking/hostapd.nix +++ /dev/null @@ -1,1197 +0,0 @@ -{ - config, - lib, - pkgs, - utils, - ... -}: -# All hope abandon ye who enter here. hostapd's configuration -# format is ... special, and you won't be able to infer any -# of their assumptions from just reading the "documentation" -# (i.e. the example config). Also, do NOT try to make this RFC 42 -# compatible. The format is non-standard, some options may repeat, -# are order-dependent, or completely switch into another global context. -# Assume footguns at all points - to make informed decisions you -# will probably need to look at hostapd's code. You have been warned, -# proceed with care. -let - inherit - (lib) - attrNames - attrValues - concatLists - concatMap - concatMapStrings - concatStringsSep - count - escapeShellArg - filter - getAttr - hasPrefix - imap0 - length - literalExpression - maintainers - mapAttrsToList - mdDoc - mkIf - mkOption - optional - optionals - optionalString - stringLength - toLower - types - unique - ; - - cfg = config.services.hostapd; - - bool01 = b: - if b - then "1" - else "0"; - - genSaePasswordEntry = entry: - "sae_password=${entry.password}" - + optionalString (entry.mac != null) "|mac=${entry.mac}" - + optionalString (entry.vlanid != null) "|vlanid=${toString entry.vlanid}" - + optionalString (entry.pk != null) "|pk=${entry.pk}" - + optionalString (entry.id != null) "|id=${entry.id}" - + "\n"; - - # Generates the configuration for a single BSS (i.e. WiFi network) - writeBssConfig = radio: radioCfg: bss: bssCfg: bssIdx: let - pairwiseCiphers = - concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers - ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"])); - in - pkgs.writeText "hostapd-radio-${radio}-bss-${bss}.conf" '' - ##### BSS ${toString bssIdx}: ${bss} ####################################### - - ${ - if bssIdx == 0 - then "interface" - else "bss" - }=${bss} - ${optionalString (bssCfg.bssid != null) '' - bssid=${bssCfg.bssid} - ''} - ssid=${bssCfg.ssid} - utf8_ssid=${bool01 bssCfg.utf8Ssid} - - logger_syslog=-1 - logger_syslog_level=${toString bssCfg.logLevel} - logger_stdout=-1 - logger_stdout_level=${toString bssCfg.logLevel} - ctrl_interface=/run/hostapd - ctrl_interface_group=${bssCfg.group} - - # Set the MAC-address access control mode - macaddr_acl=${bssCfg.macAcl} - ${optionalString (bssCfg.macAllow != [] || bssCfg.macAllowFile != null || bssCfg.authentication.saeAddToMacAllow) '' - accept_mac_file=/run/hostapd/${bss}.mac.allow - ''} - ${optionalString (bssCfg.macDeny != [] || bssCfg.macDenyFile != null) '' - deny_mac_file=/run/hostapd/${bss}.mac.deny - ''} - # Only allow WPA, disable insecure WEP - auth_algs=1 - ignore_broadcast_ssid=${bssCfg.ignoreBroadcastSsid} - # Always enable QoS, which is required for 802.11n and above - wmm_enabled=1 - ap_isolate=${bool01 bssCfg.apIsolate} - - ##### IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w=${bssCfg.managementFrameProtection} - ${optionalString (bssCfg.authentication.mode == "none") '' - wpa=0 - ''} - ${optionalString (bssCfg.authentication.mode == "wpa3-sae") '' - wpa=2 - wpa_key_mgmt=SAE - # Derive PWE using both hunting-and-pecking loop and hash-to-element - sae_pwe=2 - # Prevent downgrade attacks by indicating to clients that they should - # disable any transition modes from now on. - transition_disable=0x01 - ''} - ${optionalString (bssCfg.authentication.mode == "wpa3-sae-transition") '' - wpa=2 - wpa_key_mgmt=WPA-PSK-SHA256 SAE - ''} - ${optionalString (bssCfg.authentication.mode == "wpa2-sha256") '' - wpa=2 - wpa_key_mgmt=WPA-PSK-SHA256 - ''} - ${optionalString (bssCfg.authentication.mode != "none") '' - wpa_pairwise=${pairwiseCiphers} - rsn_pairwise=${pairwiseCiphers} - ''} - - ${optionalString (bssCfg.authentication.wpaPassword != null) '' - wpa_passphrase=${bssCfg.authentication.wpaPassword} - ''} - ${optionalString (bssCfg.authentication.wpaPskFile != null) '' - wpa_passphrase=${bssCfg.authentication.wpaPskFile} - ''} - ${optionalString (bssCfg.authentication.saePasswords != []) (concatMapStrings genSaePasswordEntry bssCfg.authentication.saePasswords)} - ''; - - writeRadioBaseConfig = radio: radioCfg: - pkgs.writeText "hostapd-radio-${radio}-base.conf" '' - driver=${radioCfg.driver} - - ##### IEEE 802.11 general configuration ####################################### - ${optionalString (radioCfg.countryCode != null) '' - country_code=${radioCfg.countryCode} - # IEEE 802.11d: Limit to frequencies allowed in country - ieee80211d=1 - # IEEE 802.11h: Enable radar detection and DFS (Dynamic Frequency Selection) - ieee80211h=1 - ''} - hw_mode=${radioCfg.hwMode} - channel=${toString radioCfg.channel} - noscan=${bool01 radioCfg.noScan} - - ${optionalString radioCfg.wifi4.enable '' - ##### IEEE 802.11n (WiFi 4) related configuration ####################################### - ieee80211n=1 - ${optionalString radioCfg.wifi4.require "require_ht=1"} - ht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi4.capabilities} - ''} - - ${optionalString radioCfg.wifi5.enable '' - ##### IEEE 802.11ac (WiFi 5) related configuration ##################################### - ieee80211ac=1 - ${optionalString radioCfg.wifi5.require "require_vht=1"} - vht_oper_chwidth=${radioCfg.wifi5.operatingChannelWidth} - vht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities} - ''} - - ${ # ieee80211ax support must be enabled in hostapd, - # so the enable option cannot be included unconditionally - optionalString radioCfg.wifi6.enable '' - ##### IEEE 802.11ax (WiFi 6) related configuration ##################################### - ieee80211ax=1 - ${optionalString radioCfg.wifi6.require "require_he=1"} - he_oper_chwidth=${radioCfg.wifi6.operatingChannelWidth} - he_su_beamformer=${bool01 radioCfg.wifi6.singleUserBeamformer} - he_su_beamformee=${bool01 radioCfg.wifi6.singleUserBeamformee} - he_mu_beamformer=${bool01 radioCfg.wifi6.multiUserBeamformer} - '' - } - - ${ # ieee80211be support must be enabled in hostapd, - # so the enable option cannot be included unconditionally - optionalString radioCfg.wifi7.enable '' - ##### IEEE 802.11be (WiFi 7) related configuration ##################################### - ieee80211be=1 - eht_oper_chwidth=${radioCfg.wifi7.operatingChannelWidth} - eht_su_beamformer=${bool01 radioCfg.wifi7.singleUserBeamformer} - eht_su_beamformee=${bool01 radioCfg.wifi7.singleUserBeamformee} - eht_mu_beamformer=${bool01 radioCfg.wifi7.multiUserBeamformer} - '' - } - ''; - - makeRadioRuntimeFiles = radio: radioCfg: - pkgs.writeShellScript "make-hostapd-${radio}-files" ('' - set -euo pipefail - - hostapd_config_file=/run/hostapd/${escapeShellArg radio}.hostapd.conf - rm -f "$hostapd_config_file" - cp ${writeRadioBaseConfig radio radioCfg} "$hostapd_config_file" - - ${optionalString (radioCfg.extraConfig != "") '' - cat >> "$hostapd_config_file" <> "$hostapd_config_file" - ''} - '' - + concatStringsSep "\n" (imap0 (i: f: f i) (mapAttrsToList ( - bss: bssCfg: bssIdx: let - # All MAC addresses from SAE entries that aren't the wildcard address - saeMacs = filter (mac: mac != null && (toLower mac) != "ff:ff:ff:ff:ff:ff") (map (x: x.mac) bssCfg.authentication.saePasswords); - in - '' - #### BSS configuration: ${bss} - - mac_allow_file=/run/hostapd/${escapeShellArg bss}.mac.allow - rm -f "$mac_allow_file" - touch "$mac_allow_file" - - mac_deny_file=/run/hostapd/${escapeShellArg bss}.mac.deny - rm -f "$mac_deny_file" - touch "$mac_deny_file" - - cat ${writeBssConfig radio radioCfg bss bssCfg bssIdx} >> "$hostapd_config_file" - - '' - + concatStringsSep "\n" ( - optional (bssCfg.macAllow != []) '' - cat >> "$mac_allow_file" <> "$mac_allow_file" - '' - # Populate mac allow list from saePasswords - ++ optional (bssCfg.authentication.saeAddToMacAllow && saeMacs != []) '' - cat >> "$mac_allow_file" <> "$mac_allow_file" - '' - # Create combined mac.deny list from macDeny and macDenyFile - ++ optional (bssCfg.macDeny != []) '' - cat >> "$mac_deny_file" <> "$mac_deny_file" - '' - # Add WPA passphrase from file if necessary - ++ optional (bssCfg.authentication.wpaPasswordFile != null) '' - cat >> "$hostapd_config_file" <> "$hostapd_config_file" - '' - # Finally append extraConfig if necessary. - ++ optional (bssCfg.extraConfig != "") '' - cat >> "$hostapd_config_file" <> "$hostapd_config_file" - '' - ) - ) - radioCfg.networks))); - - runtimeConfigFiles = mapAttrsToList (radio: _: "/run/hostapd/${radio}.hostapd.conf") cfg.radios; -in { - meta.maintainers = with maintainers; [oddlama]; - - options = { - services.hostapd = { - enable = mkOption { - type = types.bool; - default = false; - description = mdDoc '' - Whether to enable hostapd. hostapd is a user space daemon for access point and - authentication servers. It implements IEEE 802.11 access point management, - IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS - authentication server. - ''; - }; - - radios = mkOption { - default = {}; - example = literalExpression '' - { - # Simple 2.4GHz AP - wlp2s0 = { - # countryCode = "US"; - networks.wlp2s0 = { - ssid = "AP 1"; - authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible. - }; - }; - - # WiFi 5 (5GHz) with two advertised networks - wlp3s0 = { - hwMode = "a"; - channel = 0; # Enable automatic channel selection (ACS). Use only if your hardware supports it. - # countryCode = "US"; - networks.wlp3s0 = { - ssid = "My AP"; - authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible. - }; - networks.wlp3s0-1 = { - ssid = "Open AP with WiFi5"; - authentication.mode = "none"; - }; - }; - - # Legacy WPA2 example - wlp4s0 = { - # countryCode = "US"; - networks.wlp4s0 = { - ssid = "AP 2"; - authentication = { - mode = "wpa2-sha256"; - wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible. - }; - }; - }; - } - ''; - description = mdDoc '' - This option allows you to define APs for one or multiple physical radios. - At least one radio must be specified. - - For each radio, hostapd requires a separate logical interface (like wlp3s0, wlp3s1, ...). - A default interface is usually be created automatically by your system, but to use - multiple radios with a single device, you will likely have to use {command}`iw` to create - additional logical interfaces. - - Each physical radio can only support a single hardware-mode that is configured via - ({option}`services.hostapd.radios..hwMode`). To create a dual-band - or tri-band AP, you will have to use a device that has multiple physical radios - and supports configuring multiple APs (Refer to valid interface combinations in - {command}`iw list`). - ''; - type = types.attrsOf (types.submodule { - options = { - driver = mkOption { - default = "nl80211"; - example = "none"; - type = types.str; - description = mdDoc '' - The driver {command}`hostapd` will use. - {var}`nl80211` is used with all Linux mac80211 drivers. - {var}`none` is used if building a standalone RADIUS server that does - not control any wireless/wired driver. - Most applications will probably use the default. - ''; - }; - - noScan = mkOption { - type = types.bool; - default = false; - description = mdDoc '' - Disables scan for overlapping BSSs in HT40+/- mode. - Caution: turning this on will likely violate regulatory requirements! - ''; - }; - - countryCode = mkOption { - default = null; - example = "US"; - type = types.nullOr types.str; - description = mdDoc '' - Country code (ISO/IEC 3166-1). Used to set regulatory domain. - Set as needed to indicate country in which device is operating. - This can limit available channels and transmit power. - These two octets are used as the first two octets of the Country String - (dot11CountryString). - - Setting this will force you to also enable IEEE 802.11d and IEEE 802.11h. - - IEEE 802.11d: This advertises the countryCode and the set of allowed channels - and transmit power levels based on the regulatory limits. - - IEEE802.11h: This enables radar detection and DFS (Dynamic Frequency Selection) - support if available. DFS support is required on outdoor 5 GHz channels in most - countries of the world. - ''; - }; - - hwMode = mkOption { - default = "g"; - type = types.enum ["a" "b" "g" "ad" "any"]; - description = mdDoc '' - Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), - g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used - with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this - needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs - to be set to hw_mode=a. When using ACS (see `channel` parameter), the - special value "any" can be used to indicate that any supported band may be selected. - This special case is currently only supported with hardware for which the driver - implements offloaded ACS. - - Most likely you want to select 'a' (5GHz & 6GHz a/n/ac/ax) or 'g' (2.4GHz b/g/n) here. - ''; - }; - - channel = mkOption { - default = 7; - example = 11; - type = types.int; - description = mdDoc '' - The channel to operate on. Use 0 to enable ACS (Automatic Channel Selection). - Beware that not every device supports ACS in which case {command}`hostapd` - will fail to start. - ''; - }; - - extraConfig = mkOption { - default = ""; - example = '' - acs_exclude_dfs=1 - ''; - type = types.lines; - description = mdDoc '' - Extra configuration options to put at the end of global initialization, before defining BSSes. - To find out which options are global and which are per-bss you have to read hostapd's source code, - this is non-trivial and not documented otherwise. - ''; - }; - - #### IEEE 802.11n (WiFi 4) related configuration - - wifi4 = { - enable = mkOption { - default = true; - type = types.bool; - description = mdDoc '' - Enables support for IEEE 802.11n (WiFi 4, HT). - This is enabled by default, since the vase majority of devices - are expected to support this. - ''; - }; - - capabilities = mkOption { - type = types.listOf types.str; - default = ["HT40" "HT40-" "SHORT-GI-20" "SHORT-GI-40"]; - example = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"]; - description = mdDoc '' - HT (High Throughput) capabilities given as a list of flags. - Please refer to the hostapd documentation for allowed values and - only set values supported by your physical adapter. - - The default contains common values supported by most adapters. - ''; - }; - - require = mkOption { - default = false; - type = types.bool; - description = mdDoc "Require stations (clients) to support WiFi 4 (HT) and disassociate them if they don't."; - }; - }; - - #### IEEE 802.11ac (WiFi 5) related configuration - - wifi5 = { - enable = mkOption { - default = true; - type = types.bool; - description = mdDoc "Enables support for IEEE 802.11ac (WiFi 5, VHT)"; - }; - - capabilities = mkOption { - type = types.listOf types.str; - default = []; - example = ["SHORT-GI-80" "TX-STBC-2BY1" "RX-STBC-1" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN"]; - description = mdDoc '' - VHT (Very High Throughput) capabilities given as a list of flags. - Please refer to the hostapd documentation for allowed values and - only set values supported by your physical adapter. - ''; - }; - - require = mkOption { - default = false; - type = types.bool; - description = mdDoc "Require stations (clients) to support WiFi 5 (VHT) and disassociate them if they don't."; - }; - - operatingChannelWidth = mkOption { - default = "20or40"; - type = types.enum ["20or40" "80" "160" "80+80"]; - apply = x: - getAttr x { - "20or40" = "0"; - "80" = "1"; - "160" = "2"; - "80+80" = "3"; - }; - description = mdDoc '' - Determines the operating channel width for VHT. - - - {var}`"20or40"`: 20 or 40 MHz operating channel width - - {var}`"80"`: 80 MHz channel width - - {var}`"160"`: 160 MHz channel width - - {var}`"80+80"`: 80+80 MHz channel width - ''; - }; - }; - - #### IEEE 802.11ax (WiFi 6) related configuration - - wifi6 = { - enable = mkOption { - # TODO Change this default once WiFi 6 is enabled in hostapd upstream - default = false; - type = types.bool; - description = mdDoc "Enables support for IEEE 802.11ax (WiFi 6, HE)"; - }; - - require = mkOption { - default = false; - type = types.bool; - description = mdDoc "Require stations (clients) to support WiFi 6 (HE) and disassociate them if they don't."; - }; - - singleUserBeamformer = mkOption { - default = false; - type = types.bool; - description = mdDoc "HE single user beamformer support"; - }; - - singleUserBeamformee = mkOption { - default = false; - type = types.bool; - description = mdDoc "HE single user beamformee support"; - }; - - multiUserBeamformer = mkOption { - default = false; - type = types.bool; - description = mdDoc "HE multi user beamformee support"; - }; - - operatingChannelWidth = mkOption { - default = "20or40"; - type = types.enum ["20or40" "80" "160" "80+80"]; - apply = x: - getAttr x { - "20or40" = "0"; - "80" = "1"; - "160" = "2"; - "80+80" = "3"; - }; - description = mdDoc '' - Determines the operating channel width for HE. - - - {var}`"20or40"`: 20 or 40 MHz operating channel width - - {var}`"80"`: 80 MHz channel width - - {var}`"160"`: 160 MHz channel width - - {var}`"80+80"`: 80+80 MHz channel width - ''; - }; - }; - - #### IEEE 802.11be (WiFi 7) related configuration - - wifi7 = { - enable = mkOption { - # FIXME: Change this to true once WiFi 7 is stable and hostapd is built with CONFIG_IEEE80211BE by default - default = false; - type = types.bool; - description = mdDoc '' - Enables support for IEEE 802.11be (WiFi 7, EHT). This is currently experimental - and requires you to manually enable CONFIG_IEEE80211BE when building hostapd. - ''; - }; - - singleUserBeamformer = mkOption { - default = false; - type = types.bool; - description = mdDoc "EHT single user beamformer support"; - }; - - singleUserBeamformee = mkOption { - default = false; - type = types.bool; - description = mdDoc "EHT single user beamformee support"; - }; - - multiUserBeamformer = mkOption { - default = false; - type = types.bool; - description = mdDoc "EHT multi user beamformee support"; - }; - - operatingChannelWidth = mkOption { - default = "20or40"; - type = types.enum ["20or40" "80" "160" "80+80"]; - apply = x: - getAttr x { - "20or40" = "0"; - "80" = "1"; - "160" = "2"; - "80+80" = "3"; - }; - description = mdDoc '' - Determines the operating channel width for EHT. - - - {var}`"20or40"`: 20 or 40 MHz operating channel width - - {var}`"80"`: 80 MHz channel width - - {var}`"160"`: 160 MHz channel width - - {var}`"80+80"`: 80+80 MHz channel width - ''; - }; - }; - - #### BSS definitions - - networks = mkOption { - default = {}; - example = literalExpression '' - { - wlp2s0 = { - ssid = "Primary advertised network"; - authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible. - }; - wlp2s0-1 = { - ssid = "Secondary advertised network (Open)"; - authentication.mode = "none"; - }; - } - ''; - description = mdDoc '' - This defines a BSS, colloquially known as a WiFi network. - You have to specify at least one. - ''; - type = types.attrsOf (types.submodule { - options = { - logLevel = mkOption { - default = 2; - type = types.int; - description = mdDoc '' - Levels (minimum value for logged events): - 0 = verbose debugging - 1 = debugging - 2 = informational messages - 3 = notification - 4 = warning - ''; - }; - - group = mkOption { - default = "wheel"; - example = "network"; - type = types.str; - description = mdDoc '' - Members of this group can access the control socket for this interface. - ''; - }; - - utf8Ssid = mkOption { - default = true; - type = types.bool; - description = mdDoc "Whether the SSID is to be interpreted using UTF-8 encoding."; - }; - - ssid = mkOption { - default = config.system.nixos.distroId; - defaultText = literalExpression "config.system.nixos.distroId"; - example = "❄️ cool ❄️"; - type = types.str; - description = mdDoc "SSID to be used in IEEE 802.11 management frames."; - }; - - bssid = mkOption { - type = types.uniq (types.nullOr types.str); - default = null; - example = "11:22:33:44:55:66"; - description = mdDoc '' - Specifies the BSSID for this BSS. Usually determined automatically, - but for now you have to manually specify them when using multiple BSS. - Try assigning related addresses from the locally administered MAC address ranges, - by reusing the hardware address but replacing the second nibble with 2, 6, A or E. - (e.g. if real address is `XX:XX:XX:XX:XX`, try `X2:XX:XX:XX:XX:XX`, `X6:XX:XX:XX:XX:XX`, ... - for the second, third, ... BSS) - ''; - }; - - macAcl = mkOption { - default = "deny"; - type = types.enum ["deny" "allow" "radius"]; - apply = x: - getAttr x { - "deny" = "0"; - "allow" = "1"; - "radius" = "2"; - }; - description = mdDoc '' - Station MAC address -based authentication. The following modes are available: - - - {var}`"deny"`: Allow unless listed in {option}`macDeny` (default) - - {var}`"allow"`: Deny unless listed in {option}`macAllow` - - {var}`"radius"`: Use external radius server, but check both {option}`macAllow` and {option}`macDeny` first - - Please note that this kind of access control requires a driver that uses - hostapd to take care of management frame processing and as such, this can be - used with driver=hostap or driver=nl80211, but not with driver=atheros. - ''; - }; - - macAllow = mkOption { - type = types.listOf types.str; - default = []; - example = ["11:22:33:44:55:66"]; - description = mdDoc '' - Specifies the MAC addresses to allow if {option}`macAcl` is set to {var}`"allow"` or {var}`"radius"`. - These values will be world-readable in the Nix store. Values will automatically be merged with - {option}`macAllowFile` if necessary. - ''; - }; - - macAllowFile = mkOption { - type = types.uniq (types.nullOr types.path); - default = null; - description = mdDoc '' - Specifies a file containing the MAC addresses to allow if {option}`macAcl` is set to {var}`"allow"` or {var}`"radius"`. - The file should contain exactly one MAC address per line. Comments and empty lines are ignored, - only lines starting with a valid MAC address will be considered (e.g. `11:22:33:44:55:66`) and - any content after the MAC address is ignored. - ''; - }; - - macDeny = mkOption { - type = types.listOf types.str; - default = []; - example = ["11:22:33:44:55:66"]; - description = mdDoc '' - Specifies the MAC addresses to deny if {option}`macAcl` is set to {var}`"deny"` or {var}`"radius"`. - These values will be world-readable in the Nix store. Values will automatically be merged with - {option}`macDenyFile` if necessary. - ''; - }; - - macDenyFile = mkOption { - type = types.uniq (types.nullOr types.path); - default = null; - description = mdDoc '' - Specifies a file containing the MAC addresses to deny if {option}`macAcl` is set to {var}`"deny"` or {var}`"radius"`. - The file should contain exactly one MAC address per line. Comments and empty lines are ignored, - only lines starting with a valid MAC address will be considered (e.g. `11:22:33:44:55:66`) and - any content after the MAC address is ignored. - ''; - }; - - ignoreBroadcastSsid = mkOption { - default = "disabled"; - type = types.enum ["disabled" "empty" "clear"]; - apply = x: - getAttr x { - "disabled" = "0"; - "empty" = "1"; - "clear" = "2"; - }; - description = mdDoc '' - Send empty SSID in beacons and ignore probe request frames that do not - specify full SSID, i.e., require stations to know SSID. Note that this does - not increase security, since your clients will then broadcast the SSID instead, - which can increase congestion. - - - {var}`"disabled"`: Advertise ssid normally. - - {var}`"empty"`: send empty (length=0) SSID in beacon and ignore probe request for broadcast SSID - - {var}`"clear"`: clear SSID (ASCII 0), but keep the original length (this may be required with some - legacy clients that do not support empty SSID) and ignore probe requests for broadcast SSID. Only - use this if empty does not work with your clients. - ''; - }; - - apIsolate = mkOption { - default = false; - type = types.bool; - description = mdDoc '' - Isolate traffic between stations (clients) and prevent them from - communicating with each other. - ''; - }; - - extraConfig = mkOption { - default = ""; - example = '' - multi_ap=1 - ''; - type = types.lines; - description = mdDoc "Extra configuration options to put at the end of this interface's hostapd.conf."; - }; - - #### IEEE 802.11i (WPA) configuration - - authentication = { - mode = mkOption { - default = "wpa3-sae"; - type = types.enum ["none" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"]; - description = mdDoc '' - Selects the authentication mode for this AP. - - - {var}`"none"`: Don't configure any authentication. This will disable wpa alltogether - and create an open AP. Use {option}`extraConfig` together with this option if you - want to configure the authentication manually. Any password options will still be - effective, if set. - - {var}`"wpa2-sha256"`: WPA2-Personal using SHA256 (IEEE 802.11i/RSN). Passwords are set - using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`. - - {var}`"wpa3-sae-transition"`: Use WPA3-Personal (SAE) if possible, otherwise fallback - to WPA2-SHA256. Only use if necessary and switch to the newer WPA3-SAE when possible. - You will have to specify both {option}`wpaPassword` and {option}`saePasswords` (or one of their alternatives). - - {var}`"wpa3-sae"`: Use WPA3-Personal (SAE). This is currently the recommended way to - setup a secured WiFi AP (as of March 2023) and therefore the default. Passwords are set - using either {option}`saePasswords` or preferably {option}`saePasswordsFile`. - ''; - }; - - pairwiseCiphers = mkOption { - default = ["CCMP"]; - example = ["CCMP-256" "GCMP-256"]; - type = types.listOf types.str; - description = mdDoc '' - Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets). - By default this allows just CCMP, which is the only commonly supported secure option. - Use {option}`enableRecommendedPairwiseCiphers` to also enable newer recommended ciphers. - - Please refer to the hostapd documentation for allowed values. Generally, only - CCMP or GCMP modes should be considered safe options. Most devices support CCMP while - GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher. - ''; - }; - - enableRecommendedPairwiseCiphers = mkOption { - default = false; - example = true; - type = types.bool; - description = mdDoc '' - Additionally enable the recommended set of pairwise ciphers. - This enables newer secure ciphers, additionally to those defined in {option}`pairwiseCiphers`. - You will have to test whether your hardware supports these by trial-and-error, because - even if `iw list` indicates hardware support, your driver might not expose it. - - Beware {command}`hostapd` will most likely not return a useful error message in case - this is enabled despite the driver or hardware not supporting the newer ciphers. - Look out for messages like `Failed to set beacon parameters`. - ''; - }; - - wpaPassword = mkOption { - default = null; - example = "a flakey password"; - type = types.uniq (types.nullOr types.str); - description = mdDoc '' - Sets the password for WPA-PSK that will be converted to the pre-shared key. - The password length must be in the range [8, 63] characters. While some devices - may allow arbitrary characters (such as UTF-8) to be used, but the standard specifies - that each character in the passphrase must be an ASCII character in the range [0x20, 0x7e] - (IEEE Std. 802.11i-2004, Annex H.4.1). Use emojis at your own risk. - - Not used when {option}`mode` is {var}`"wpa3-sae"`. - - Warning: This password will get put into a world-readable file in the Nix store! - Using {option}`wpaPasswordFile` or {option}`wpaPskFile` instead is recommended. - ''; - }; - - wpaPasswordFile = mkOption { - default = null; - type = types.uniq (types.nullOr types.path); - description = mdDoc '' - Sets the password for WPA-PSK. Follows the same rules as {option}`wpaPassword`, - but reads the password from the given file to prevent the password from being - put into the Nix store. - - Not used when {option}`mode` is {var}`"wpa3-sae"`. - ''; - }; - - wpaPskFile = mkOption { - default = null; - type = types.uniq (types.nullOr types.path); - description = mdDoc '' - Sets the password(s) for WPA-PSK. Similar to {option}`wpaPasswordFile`, - but additionally allows specifying multiple passwords, and some other options. - - Each line, except for empty lines and lines starting with #, must contain a - MAC address and either a 64-hex-digit PSK or a password separated with a space. - The password must follow the same rules as outlined in {option}`wpaPassword`. - The special MAC address `00:00:00:00:00:00` can be used to configure PSKs - that any client can use. - - An optional key identifier can be added by prefixing the line with `keyid=` - An optional VLAN ID can be specified by prefixing the line with `vlanid=`. - An optional WPS tag can be added by prefixing the line with `wps=<0/1>` (default: 0). - Any matching entry with that tag will be used when generating a PSK for a WPS Enrollee - instead of generating a new random per-Enrollee PSK. - - Not used when {option}`mode` is {var}`"wpa3-sae"`. - ''; - }; - - saePasswords = mkOption { - default = []; - example = literalExpression '' - [ - # Any client may use these passwords - { password = "Wi-Figure it out"; } - { password = "second password for everyone"; mac = "ff:ff:ff:ff:ff:ff"; } - - # Only the client with MAC-address 11:22:33:44:55:66 can use this password - { password = "sekret pazzword"; mac = "11:22:33:44:55:66"; } - ] - ''; - description = mdDoc '' - Sets allowed passwords for WPA3-SAE. - - The last matching (based on peer MAC address and identifier) entry is used to - select which password to use. An empty string has the special meaning of - removing all previously added entries. - - Warning: These entries will get put into a world-readable file in - the Nix store! Using {option}`saePasswordFile` instead is recommended. - - Not used when {option}`mode` is {var}`"wpa2-sha256"`. - ''; - type = types.listOf (types.submodule { - options = { - password = mkOption { - example = "a flakey password"; - type = types.str; - description = mdDoc '' - The password for this entry. SAE technically imposes no restrictions on - password length or character set. But due to limitations of {command}`hostapd`'s - config file format, a true newline character cannot be parsed. - - Warning: This password will get put into a world-readable file in - the Nix store! Using {option}`wpaPasswordFile` or {option}`wpaPskFile` is recommended. - ''; - }; - - mac = mkOption { - default = null; - example = "11:22:33:44:55:66"; - type = types.uniq (types.nullOr types.str); - description = mdDoc '' - If this attribute is not included, or if is set to the wildcard address (`ff:ff:ff:ff:ff:ff`), - the entry is available for any station (client) to use. If a specific peer MAC address is included, - only a station with that MAC address is allowed to use the entry. - ''; - }; - - vlanid = mkOption { - default = null; - example = 1; - type = types.uniq (types.nullOr types.int); - description = mdDoc "If this attribute is given, all clients using this entry will get tagged with the given VLAN ID."; - }; - - pk = mkOption { - default = null; - example = ""; - type = types.uniq (types.nullOr types.str); - description = mdDoc '' - If this attribute is given, SAE-PK will be enabled for this connection. - This prevents evil-twin attacks, but a public key is required additionally to connect. - (Essentially adds pubkey authentication such that the client can verify identity of the AP) - ''; - }; - - id = mkOption { - default = null; - example = ""; - type = types.uniq (types.nullOr types.str); - description = mdDoc '' - If this attribute is given with non-zero length, it will set the password identifier - for this entry. It can then only be used with that identifier. - ''; - }; - }; - }); - }; - - saePasswordsFile = mkOption { - default = null; - type = types.uniq (types.nullOr types.path); - description = mdDoc '' - Sets the password for WPA3-SAE. Follows the same rules as {option}`saePasswords`, - but reads the entries from the given file to prevent them from being - put into the Nix store. - - One entry per line, empty lines and lines beginning with # will be ignored. - Each line must match the following format, although the order of optional - parameters doesn't matter: - `[|mac=][|vlanid=][|pk=][|id=]` - - Not used when {option}`mode` is {var}`"wpa2-sha256"`. - ''; - }; - - saeAddToMacAllow = mkOption { - type = types.bool; - default = false; - description = mdDoc '' - If set, all sae password entries that have a non-wildcard MAC associated to - them will additionally be used to populate the MAC allow list. This is - additional to any entries set via {option}`macAllow` or {option}`macAllowFile`. - ''; - }; - }; - - managementFrameProtection = mkOption { - default = "required"; - type = types.enum ["disabled" "optional" "required"]; - apply = x: - getAttr x { - "disabled" = "0"; - "optional" = "1"; - "required" = "2"; - }; - description = mdDoc '' - Management frame protection (MFP) authenticates management frames - to prevent deauthentication (or related) attacks. - - - {var}`"disabled"`: No management frame protection - - {var}`"optional"`: Use MFP if a connection allows it - - {var}`"required"`: Force MFP for all clients - ''; - }; - }; - }); - }; - }; - }); - }; - }; - }; - - config = mkIf cfg.enable { - assertions = - [ - { - assertion = cfg.radios != {}; - message = "At least one radio must be configured with hostapd!"; - } - ] - # Radio warnings - ++ (concatLists (mapAttrsToList ( - radio: radioCfg: - [ - { - assertion = radioCfg.networks != {}; - message = "hostapd radio ${radio}: At least one network must be configured!"; - } - { - assertion = radioCfg.hwMode == "a" -> radioCfg.wifi5.enable; - message = ''hostapd radio ${radio}: Must set at least wifi5.enable=true in order to use hwMode="a"''; - } - { - assertion = length (filter (bss: bss == radio) (attrNames radioCfg.networks)) == 1; - message = ''hostapd radio ${radio}: Exactly one network must be named like the radio, for reasons internal to hostapd.''; - } - ] - # BSS warnings - ++ (concatLists (mapAttrsToList (bss: bssCfg: let - auth = bssCfg.authentication; - countWpaPasswordDefinitions = count (x: x != null) [ - auth.wpaPassword - auth.wpaPasswordFile - auth.wpaPskFile - ]; - in [ - { - assertion = hasPrefix radio bss; - message = "hostapd radio ${radio} bss ${bss}: The bss (network) name ${bss} is invalid. It must be prefixed by the radio name for reasons internal to hostapd. A valid name would be e.g. ${radio}, ${radio}-1, ..."; - } - { - assertion = (length (attrNames radioCfg.networks) > 1) -> (auth.bssid != null); - message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.''; - } - { - assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == "2"; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"''; - } - { - assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != "0"; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"''; - } - { - assertion = countWpaPasswordDefinitions <= 1; - message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)''; - } - { - assertion = auth.wpaPassword != null -> (stringLength auth.wpaPassword >= 8 && stringLength auth.wpaPassword <= 63); - message = ''hostapd radio ${radio} bss ${bss}: uses a wpaPassword of invalid length (must be in [8,63]).''; - } - { - assertion = auth.saePasswords == [] || auth.saePasswordsFile == null; - message = ''hostapd radio ${radio} bss ${bss}: must use only one SAE password option (saePasswords or saePasswordsFile)''; - } - { - assertion = auth.mode == "wpa3-sae" -> (auth.saePasswords != [] || auth.saePasswordsFile != null); - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires defining a sae password option''; - } - { - assertion = auth.mode == "wpa3-sae-transition" -> (auth.saePasswords != [] || auth.saePasswordsFile != null) && countWpaPasswordDefinitions == 1; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode requires defining both a wpa password option and a sae password option''; - } - { - assertion = auth.mode == "wpa2-sha256" -> countWpaPasswordDefinitions == 1; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-SHA256 which requires defining a wpa password option''; - } - ]) - radioCfg.networks)) - ) - cfg.radios)); - - environment.systemPackages = [pkgs.hostapd]; - - services.udev.packages = with pkgs; [crda]; - - systemd.services.hostapd = { - description = "IEEE 802.11 Host Access-Point Daemon"; - - path = [pkgs.hostapd]; - after = map (radio: "sys-subsystem-net-devices-${utils.escapeSystemdPath radio}.device") (attrNames cfg.radios); - bindsTo = map (radio: "sys-subsystem-net-devices-${utils.escapeSystemdPath radio}.device") (attrNames cfg.radios); - wantedBy = ["multi-user.target"]; - - # Create merged configuration and acl files for each radio (and their bsses) prior to starting - preStart = concatStringsSep "\n" (mapAttrsToList makeRadioRuntimeFiles cfg.radios); - - serviceConfig = { - ExecStart = "${pkgs.hostapd}/bin/hostapd ${concatStringsSep " " runtimeConfigFiles}"; - Restart = "always"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - RuntimeDirectory = "hostapd"; - - # Hardening - LockPersonality = true; - MemoryDenyWriteExecute = true; - DevicePolicy = "closed"; - DeviceAllow = "/dev/rfkill rw"; - NoNewPrivileges = true; - PrivateUsers = false; # hostapd requires true root access. - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - ProtectSystem = "strict"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - "@chown" - ]; - UMask = "0077"; - }; - }; - }; - disabledModules = ["services/networking/hostapd.nix"]; -} diff --git a/nix/installer-configuration.nix b/nix/installer-configuration.nix index a3b24c2..6fc326e 100644 --- a/nix/installer-configuration.nix +++ b/nix/installer-configuration.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - ... -}: { - isoImage.isoName = lib.mkForce "nixos.iso"; +{pkgs, ...}: { system.stateVersion = "23.11"; nix.extraOptions = '' experimental-features = nix-command flakes