2023-05-23 19:55:48 -04:00
{
config ,
lib ,
pkgs ,
utils ,
. . .
} @ moduleArgs :
2012-03-15 13:54:23 +00:00
let
2025-06-06 11:07:10 +02:00
inherit ( lib )
any
attrValues
concatMapStrings
concatMapStringsSep
concatStringsSep
elem
filter
flip
head
literalExpression
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
optional
optionalAttrs
optionalString
toposort
types
;
inherit ( utils ) fsBefore ;
2024-12-03 11:35:02 +01:00
# https://wiki.archlinux.org/index.php/fstab#Filepath_spaces
escape = string : builtins . replaceStrings [ " " " \t " ] [ " \\ 0 4 0 " " \\ 0 1 1 " ] string ;
2012-03-15 13:54:23 +00:00
2017-02-15 13:22:48 +01:00
addCheckDesc =
desc : elemType : check :
types . addCheck elemType check // { description = " ${ elemType . description } ( w i t h c h e c k : ${ desc } ) " ; } ;
2020-08-14 07:25:50 +01:00
isNonEmpty = s : ( builtins . match " [ \t \n ] * " s ) = = null ;
nonEmptyStr = addCheckDesc " n o n - e m p t y " types . str isNonEmpty ;
2017-02-15 13:22:48 +01:00
2015-11-25 19:09:09 +00:00
fileSystems' = toposort fsBefore ( attrValues config . fileSystems ) ;
2019-08-13 21:52:01 +00:00
fileSystems =
if fileSystems' ? result then
2015-11-25 19:09:09 +00:00
# use topologically sorted fileSystems everywhere
fileSystems' . result
else
# the assertion below will catch this,
# but we fall back to the original order
# anyway so that other modules could check
# their assertions too
( attrValues config . fileSystems ) ;
2025-04-01 20:10:43 +02:00
2016-09-17 13:43:37 +03:00
specialFSTypes = [
" p r o c "
" s y s f s "
" t m p f s "
" r a m f s "
" d e v t m p f s "
" d e v p t s "
] ;
2025-04-01 20:10:43 +02:00
2020-05-21 09:10:47 +02:00
nonEmptyWithoutTrailingSlash = addCheckDesc " n o n - e m p t y w i t h o u t t r a i l i n g s l a s h " types . str (
s : isNonEmpty s && ( builtins . match " . + / " s ) = = null
) ;
2025-04-01 20:10:43 +02:00
2016-08-31 16:45:19 +03:00
coreFileSystemOpts =
{ name , config , . . . }:
2025-04-01 20:10:43 +02:00
{
2012-11-02 18:02:12 +01:00
options = {
2024-04-05 12:44:25 -07:00
enable = mkEnableOption " t h e f i l e s y s t e m m o u n t " // {
default = true ;
2025-04-01 20:10:43 +02:00
} ;
2020-05-21 09:10:47 +02:00
2016-08-31 16:45:19 +03:00
mountPoint = mkOption {
example = " / m n t / u s b " ;
type = nonEmptyWithoutTrailingSlash ;
description = " L o c a t i o n o f t h e m o u n t e d f i l e s y s t e m . " ;
} ;
2012-11-02 18:02:12 +01:00
2025-06-06 11:07:10 +02:00
stratis . poolUuid = mkOption {
2024-04-05 12:44:25 -07:00
type = types . uniq ( types . nullOr types . str ) ;
description = ''
UUID of the stratis pool that the fs is located in
2025-04-01 20:10:43 +02:00
'' ;
2024-04-05 12:44:25 -07:00
example = " 0 4 c 6 8 0 6 3 - 9 0 a 5 - 4 2 3 5 - b 9 d d - 6 1 8 0 0 9 8 a 2 0 d 9 " ;
default = null ;
} ;
2012-11-02 18:02:12 +01:00
device = mkOption {
default = null ;
example = " / d e v / s d a " ;
2020-05-21 09:10:47 +02:00
type = types . nullOr nonEmptyStr ;
2022-11-27 21:57:35 +01:00
description = " L o c a t i o n o f t h e d e v i c e . " ;
2012-11-02 18:02:12 +01:00
} ;
2023-05-16 22:48:36 -04:00
fsType = mkOption {
default = " a u t o " ;
example = " e x t 3 " ;
type = nonEmptyStr ;
description = " T y p e o f t h e f i l e s y s t e m . " ;
} ;
2012-11-02 18:02:12 +01:00
options = mkOption {
default = [ " d e f a u l t s " ] ;
example = [ " d a t a = j o u r n a l " ] ;
description = ''
2025-01-27 01:02:27 +01:00
Options used to mount the file system .
2017-02-15 13:22:48 +01:00
See { manpage } ` mount ( 8 ) ` for common options .
2025-04-01 20:10:43 +02:00
'' ;
2017-02-15 13:22:48 +01:00
type = types . nonEmptyListOf nonEmptyStr ;
2012-11-02 18:02:12 +01:00
} ;
depends = mkOption {
default = [ ] ;
example = [ " / p e r s i s t " ] ;
2017-02-15 13:22:48 +01:00
type = types . listOf nonEmptyWithoutTrailingSlash ;
2012-11-02 18:02:12 +01:00
description = ''
2020-05-21 09:10:47 +02:00
List of paths that should be mounted before this one . This filesystem's
{ option } ` device ` and { option } ` mountPoint ` are always
checked and do not need to be included explicitly . If a path is added
to this list , any other filesystem whose mount point is a parent of
the path will be mounted before this filesystem . The paths do not need
2012-11-02 18:02:12 +01:00
to actually be the { option } ` mountPoint ` of some other filesystem .
'' ;
} ;
2016-09-01 12:18:33 +03:00
} ;
2012-11-02 18:02:12 +01:00
2020-05-21 09:10:47 +02:00
config = {
mountPoint = mkDefault name ;
device = mkIf ( elem config . fsType specialFSTypes ) ( mkDefault config . fsType ) ;
} ;
2016-08-31 16:45:19 +03:00
} ;
fileSystemOpts =
{ config , . . . }:
2025-04-01 20:10:43 +02:00
{
2016-08-31 16:45:19 +03:00
options = {
label = mkOption {
2023-05-29 16:14:18 -04:00
default = null ;
2016-08-31 16:45:19 +03:00
example = " r o o t - p a r t i t i o n " ;
type = types . nullOr nonEmptyStr ;
description = " L a b e l o f t h e d e v i c e ( i f a n y ) . " ;
} ;
autoFormat = mkOption {
2015-09-24 18:13:14 +02:00
default = false ;
type = types . bool ;
description = ''
2016-08-31 16:45:19 +03:00
If the device does not currently contain a filesystem ( as
2024-03-02 12:40:40 +01:00
determined by { command } ` blkid ` ) , then automatically
2012-11-02 18:02:12 +01:00
format it with the filesystem type specified in
{ option } ` fsType ` . Use with caution .
2025-04-01 20:10:43 +02:00
'' ;
} ;
2016-08-31 16:45:19 +03:00
formatOptions = mkOption {
2023-05-29 16:14:18 -04:00
visible = false ;
type = types . unspecified ;
2016-08-31 16:45:19 +03:00
default = null ;
} ;
2012-11-02 18:02:12 +01:00
autoResize = mkOption {
default = false ;
type = types . bool ;
description = ''
If set , the filesystem is grown to its maximum size before
being mounted . ( This is typically the size of the containing
2024-03-02 12:40:40 +01:00
partition . ) This is currently only supported for ext2/3/4
2012-11-02 18:02:12 +01:00
filesystems that are mounted during early boot .
'' ;
} ;
2015-10-04 03:14:53 +02:00
noCheck = mkOption {
2023-05-29 16:14:18 -04:00
default = false ;
type = types . bool ;
description = " D i s a b l e r u n n i n g f s c k o n t h i s f i l e s y s t e m . " ;
2015-10-04 03:14:53 +02:00
} ;
2015-09-24 18:13:14 +02:00
} ;
2025-06-06 11:07:10 +02:00
config . device = mkIf ( config . label != null ) ( mkDefault " / d e v / d i s k / b y - l a b e l / ${ escape config . label } " ) ;
2025-04-01 20:10:43 +02:00
2012-11-02 18:02:12 +01:00
config . options =
2025-04-01 20:10:43 +02:00
let
2012-11-02 18:02:12 +01:00
inInitrd = utils . fsNeededForBoot config ;
2025-04-01 20:10:43 +02:00
in
2023-05-23 19:55:48 -04:00
mkMerge [
2023-05-29 16:14:55 -04:00
( mkIf config . autoResize [ " x - s y s t e m d . g r o w f s " ] )
2012-11-02 18:02:12 +01:00
( mkIf config . autoFormat [ " x - s y s t e m d . m a k e f s " ] )
( mkIf ( utils . fsNeededForBoot config ) [ " x - i n i t r d . m o u n t " ] )
2025-04-01 20:10:43 +02:00
( mkIf
2012-11-02 18:02:12 +01:00
# With scripted stage 1, depends is implemented by sorting 'config.system.build.fileSystems'
( lib . length config . depends > 0 && ( inInitrd -> moduleArgs . config . boot . initrd . systemd . enable ) )
( map ( x : " x - s y s t e m d . r e q u i r e s - m o u n t s - f o r = ${ optionalString inInitrd " / s y s r o o t " } ${ x } " ) config . depends )
2025-04-01 20:10:43 +02:00
)
2012-11-02 18:02:12 +01:00
] ;
} ;
2016-08-27 13:29:38 +03:00
# Makes sequence of `specialMount device mountPoint options fsType` commands.
# `systemMount` should be defined in the sourcing script.
makeSpecialMounts =
mounts :
pkgs . writeText " m o u n t s . s h " (
concatMapStringsSep " \n " ( mount : ''
specialMount " ${ mount . device } " " ${ mount . mountPoint } " " ${ concatStringsSep " , " mount . options } " " ${ mount . fsType } "
'' ) m o u n t s
) ;
2022-08-16 09:33:28 -04:00
makeFstabEntries =
let
2022-12-20 23:05:02 -05:00
fsToSkipCheck =
[
" n o n e "
" a u t o "
" o v e r l a y "
" i s o 9 6 6 0 "
" b i n d f s "
" u d f "
" b t r f s "
" z f s "
" t m p f s "
" b c a c h e f s "
" n f s "
" n f s 4 "
" n i l f s 2 "
" v b o x s f "
" s q u a s h f s "
" g l u s t e r f s "
" a p f s "
" 9 p "
" c i f s "
" p r l _ f s "
" v m h g f s "
]
++ lib . optionals ( ! config . boot . initrd . checkJournalingFS ) [
" e x t 3 "
" e x t 4 "
" r e i s e r f s "
" x f s "
" j f s "
" f 2 f s "
] ;
2022-08-16 09:33:28 -04:00
isBindMount = fs : builtins . elem " b i n d " fs . options ;
skipCheck =
fs : fs . noCheck || fs . device = = " n o n e " || builtins . elem fs . fsType fsToSkipCheck || isBindMount fs ;
2023-09-27 18:31:05 -04:00
in
fstabFileSystems :
{ }:
concatMapStrings (
fs :
2023-09-27 14:33:21 -04:00
(
if fs . device != null then
escape fs . device
2022-08-16 09:33:28 -04:00
else
throw " N o d e v i c e s p e c i f i e d f o r m o u n t p o i n t ‘ ${ fs . mountPoint } ’ . "
)
2022-12-16 00:16:55 -05:00
+ " "
+ escape fs . mountPoint
2022-08-16 09:33:28 -04:00
+ " "
+ fs . fsType
2023-05-29 16:14:55 -04:00
+ " "
+ escape ( builtins . concatStringsSep " , " fs . options )
2022-12-20 23:05:02 -05:00
+ " 0 "
+ (
if skipCheck fs then
" 0 "
else if fs . mountPoint = = " / " then
" 1 "
else
" 2 "
)
2022-08-16 09:33:28 -04:00
+ " \n "
) fstabFileSystems ;
2023-09-27 18:31:05 -04:00
initrdFstab = pkgs . writeText " i n i t r d - f s t a b " (
makeFstabEntries ( filter utils . fsNeededForBoot fileSystems ) { }
) ;
2022-08-16 09:33:28 -04:00
2012-03-15 13:54:23 +00:00
in
2012-10-12 17:32:36 -04:00
2009-10-12 16:36:19 +00:00
{
###### interface
2009-05-27 23:14:38 +00:00
options = {
2009-06-11 16:03:57 +00:00
fileSystems = mkOption {
2013-11-18 16:26:39 +01:00
default = { } ;
2021-10-03 18:06:03 +02:00
example = literalExpression ''
2016-06-19 01:02:24 -06:00
{
" / " . device = " / d e v / h d a 1 " ;
" / d a t a " = {
device = " / d e v / h d a 2 " ;
fsType = " e x t 3 " ;
options = [ " d a t a = j o u r n a l " ] ;
} ;
" / b i g d i s k " . label = " b i g d i s k " ;
}
'' ;
2020-08-23 01:28:45 +02:00
type = types . attrsOf (
types . submodule [
coreFileSystemOpts
fileSystemOpts
2025-04-01 20:10:43 +02:00
]
2020-08-23 01:28:45 +02:00
) ;
2024-04-05 12:44:25 -07:00
apply = lib . filterAttrs ( _ : fs : fs . enable ) ;
2012-03-09 14:37:58 +00:00
description = ''
2009-05-27 23:14:38 +00:00
The file systems to be mounted . It must include an entry for
2013-10-28 13:36:45 +01:00
the root directory ( ` mountPoint = " / " ` ) . Each
2009-05-27 23:14:38 +00:00
entry in the list is an attribute set with the following fields :
` mountPoint ` , ` device ` ,
` fsType ` ( a file system type recognised by
{ command } ` mount ` ; defaults to
2013-10-28 13:36:45 +01:00
` " a u t o " ` ) , and ` options `
2009-05-27 23:14:38 +00:00
( the mount options passed to { command } ` mount ` using the
2015-10-21 17:37:14 +00:00
{ option } ` - o ` flag ; defaults to ` [ " d e f a u l t s " ] ` ) .
2022-08-15 07:16:25 +02:00
2009-05-27 23:14:38 +00:00
Instead of specifying ` device ` , you can also
specify a volume label ( ` label ` ) for file
2022-08-13 11:35:46 +02:00
systems that support it , such as ext2/ext3 ( see { command } ` mke2fs - L ` ) .
2012-03-09 14:37:58 +00:00
'' ;
2009-05-27 23:14:38 +00:00
} ;
2011-09-14 18:20:50 +00:00
2012-03-09 14:37:58 +00:00
system . fsPackages = mkOption {
2009-05-27 23:14:38 +00:00
internal = true ;
2012-03-09 14:37:58 +00:00
default = [ ] ;
description = " P a c k a g e s s u p p l y i n g f i l e s y s t e m m o u n t e r s a n d c h e c k e r s . " ;
} ;
boot . supportedFilesystems = mkOption {
2024-02-18 23:35:17 +01:00
default = { } ;
2025-06-06 11:07:10 +02:00
example = literalExpression ''
2024-02-18 23:35:17 +01:00
{
btrfs = true ;
zfs = lib . mkForce false ;
}
'' ;
type = types . coercedTo ( types . listOf types . str ) (
enabled : lib . listToAttrs ( map ( fs : lib . nameValuePair fs true ) enabled )
) ( types . attrsOf types . bool ) ;
description = ''
Names of supported filesystem types , or an attribute set of file system types
and their state . The set form may be used together with ` lib . mkForce ` to
explicitly disable support for specific filesystems , e . g . to disable ZFS
with an unsupported kernel .
'' ;
2012-03-09 14:37:58 +00:00
} ;
2016-08-31 16:45:19 +03:00
boot . specialFileSystems = mkOption {
default = { } ;
2020-08-23 01:28:45 +02:00
type = types . attrsOf ( types . submodule coreFileSystemOpts ) ;
2024-04-05 12:44:25 -07:00
apply = lib . filterAttrs ( _ : fs : fs . enable ) ;
2016-08-31 16:45:19 +03:00
internal = true ;
description = ''
Special filesystems that are mounted very early during boot .
'' ;
} ;
2022-03-27 13:23:44 +02:00
boot . devSize = mkOption {
default = " 5 % " ;
example = " 3 2 m " ;
type = types . str ;
description = ''
2025-01-27 01:03:14 +01:00
Size limit for the /dev tmpfs . Look at { manpage } ` mount ( 8 ) ` , tmpfs size option ,
2022-03-27 13:23:44 +02:00
for the accepted syntax .
'' ;
} ;
boot . devShmSize = mkOption {
default = " 5 0 % " ;
example = " 2 5 6 m " ;
type = types . str ;
description = ''
2025-01-27 01:03:14 +01:00
Size limit for the /dev/shm tmpfs . Look at { manpage } ` mount ( 8 ) ` , tmpfs size option ,
2022-03-27 13:23:44 +02:00
for the accepted syntax .
'' ;
} ;
boot . runSize = mkOption {
default = " 2 5 % " ;
example = " 2 5 6 m " ;
type = types . str ;
description = ''
2025-01-27 01:03:14 +01:00
Size limit for the /run tmpfs . Look at { manpage } ` mount ( 8 ) ` , tmpfs size option ,
2022-03-27 13:23:44 +02:00
for the accepted syntax .
'' ;
} ;
2009-05-27 23:14:38 +00:00
} ;
2009-10-12 16:36:19 +00:00
###### implementation
2009-05-27 23:14:38 +00:00
2009-10-12 16:36:19 +00:00
config = {
2009-05-27 23:14:38 +00:00
2015-11-25 19:09:09 +00:00
assertions =
let
ls = sep : concatMapStringsSep sep ( x : x . mountPoint ) ;
2023-05-29 16:14:55 -04:00
resizableFSes = [
" e x t 3 "
" e x t 4 "
" b t r f s "
" x f s "
] ;
notAutoResizable = fs : fs . autoResize && ! ( builtins . elem fs . fsType resizableFSes ) ;
2015-11-25 19:09:09 +00:00
in
[
2019-08-13 21:52:01 +00:00
{
assertion = ! ( fileSystems' ? cycle ) ;
2015-11-25 19:09:09 +00:00
message = " T h e ‘ f i l e S y s t e m s ’ o p t i o n c a n ' t b e t o p o l o g i c a l l y s o r t e d : m o u n t p o i n t d e p e n d e n c y p a t h ${ ls " - > " fileSystems' . cycle } l o o p s t o ${ ls " , " fileSystems' . loops } " ;
}
2019-03-16 12:51:18 +01:00
{
assertion = ! ( any notAutoResizable fileSystems ) ;
message =
let
fs = head ( filter notAutoResizable fileSystems ) ;
2023-05-29 16:14:55 -04:00
in
''
Mountpoint ' $ { fs . mountPoint } ' : ' autoResize = true' is not supported for ' fsType = " ${ fs . fsType } " '
$ { optionalString ( fs . fsType = = " a u t o " ) " f s T y p e h a s t o b e e x p l i c i t l y s e t a n d " }
only the following support it : $ { lib . concatStringsSep " , " resizableFSes } .
'' ;
2019-03-16 12:51:18 +01:00
}
2023-05-29 16:14:18 -04:00
{
assertion = ! ( any ( fs : fs . formatOptions != null ) fileSystems ) ;
2024-12-08 15:40:56 +03:00
message = ''
2023-05-29 16:14:18 -04:00
' fileSystems . <name> . formatOptions' has been removed , since
systemd-makefs does not support any way to provide formatting
2025-04-01 20:10:43 +02:00
options .
'' ;
}
]
2023-05-29 16:14:18 -04:00
++ lib . map ( fs : {
2024-12-08 15:40:56 +03:00
assertion = fs . label != null -> fs . device = = " / d e v / d i s k / b y - l a b e l / ${ escape fs . label } " ;
2025-02-23 22:01:44 +01:00
message = ''
2023-05-29 16:14:18 -04:00
The filesystem with mount point $ { fs . mountPoint } has its label and device set to inconsistent values :
2024-12-08 15:40:56 +03:00
label : $ { toString fs . label }
device : $ { toString fs . device }
2023-05-29 16:14:18 -04:00
' filesystems . <name> . label' and ' filesystems . <name> . device' are mutually exclusive . Please set only one .
'' ;
2024-12-08 15:40:56 +03:00
} ) fileSystems ;
2015-11-25 19:09:09 +00:00
# Export for use in other modules
system . build . fileSystems = fileSystems ;
2016-08-31 16:45:19 +03:00
system . build . earlyMountScript = makeSpecialMounts ( toposort fsBefore (
attrValues config . boot . specialFileSystems
) ) . result ;
2015-11-25 19:09:09 +00:00
2012-11-02 18:02:12 +01:00
boot . supportedFilesystems = map ( fs : fs . fsType ) fileSystems ;
2012-03-09 14:37:58 +00:00
2009-10-12 16:36:19 +00:00
# Add the mount helpers to the system path so that `mount' can find them.
2022-11-15 17:45:38 -05:00
system . fsPackages = [ pkgs . dosfstools ] ;
2012-10-12 17:32:36 -04:00
2017-08-19 18:50:53 +02:00
environment . systemPackages =
with pkgs ;
[
fuse3
fuse
]
++ config . system . fsPackages ;
2011-09-14 18:20:50 +00:00
2013-02-03 14:12:49 +01:00
environment . etc . fstab . text =
2014-12-29 02:53:37 +01:00
let
2020-12-28 00:09:42 +09:00
swapOptions =
sw :
concatStringsSep " , " (
2021-06-24 20:58:18 +03:00
sw . options
2020-12-28 00:09:42 +09:00
++ optional ( sw . priority != null ) " p r i = ${ toString sw . priority } "
++
optional ( sw . discardPolicy != null )
" d i s c a r d ${ optionalString ( sw . discardPolicy != " b o t h " ) " = ${ toString sw . discardPolicy } " } "
) ;
2014-12-29 02:53:37 +01:00
in
''
2013-02-03 14:12:49 +01:00
# This is a generated file. Do not edit!
2016-08-24 20:37:21 +02:00
#
# To make changes, edit the fileSystems and swapDevices NixOS options
# in your /etc/nixos/configuration.nix file.
2020-12-03 12:39:23 +01:00
#
# <file system> <mount point> <type> <options> <dump> <pass>
2013-02-03 14:12:49 +01:00
# Filesystems.
2022-08-16 09:33:28 -04:00
$ { makeFstabEntries fileSystems { } }
2013-02-03 14:12:49 +01:00
2025-06-06 11:07:10 +02:00
$ { optionalString ( config . swapDevices != [ ] ) " # S w a p d e v i c e s . " }
2021-02-23 00:56:27 +08:00
$ { flip concatMapStrings config . swapDevices ( sw : " ${ sw . realDevice } n o n e s w a p ${ swapOptions sw } \n " ) }
2013-02-03 14:12:49 +01:00
'' ;
2010-06-04 14:22:11 +00:00
2022-12-16 00:16:55 -05:00
boot . initrd . systemd . storePaths = [ initrdFstab ] ;
boot . initrd . systemd . managerEnvironment . SYSTEMD_SYSROOT_FSTAB = initrdFstab ;
boot . initrd . systemd . services . initrd-parse-etc . environment . SYSTEMD_SYSROOT_FSTAB = initrdFstab ;
2022-08-16 09:33:28 -04:00
2012-10-12 15:08:44 -04:00
# Provide a target that pulls in all filesystems.
2013-01-16 12:33:18 +01:00
systemd . targets . fs = {
2012-10-12 15:08:44 -04:00
description = " A l l F i l e S y s t e m s " ;
wants = [
" l o c a l - f s . t a r g e t "
" r e m o t e - f s . t a r g e t "
] ;
} ;
2023-05-29 16:14:18 -04:00
systemd . services = {
2020-12-02 00:52:54 +01:00
# Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore.
# This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then.
" m o u n t - p s t o r e " = {
serviceConfig = {
Type = " o n e s h o t " ;
2021-05-25 23:52:46 +02:00
# skip on kernels without the pstore module
ExecCondition = " ${ pkgs . kmod } / b i n / m o d p r o b e - b p s t o r e " ;
2021-05-30 03:29:52 +02:00
ExecStart = pkgs . writeShellScript " m o u n t - p s t o r e . s h " ''
2020-12-02 00:52:54 +01:00
set - eu
2021-05-30 03:29:52 +02:00
# if the pstore module is builtin it will have mounted the persistent store automatically. it may also be already mounted for other reasons.
$ { pkgs . util-linux } /bin/mountpoint - q /sys/fs/pstore || $ { pkgs . util-linux } /bin/mount - t pstore - o nosuid , noexec , nodev pstore /sys/fs/pstore
2021-07-26 16:04:50 +00:00
# wait up to 1.5 seconds for the backend to be registered and the files to appear. a systemd path unit cannot detect this happening; and succeeding after a restart would not start dependent units.
TRIES = 15
2021-05-30 03:29:52 +02:00
while [ " $ ( c a t / s y s / m o d u l e / p s t o r e / p a r a m e t e r s / b a c k e n d ) " = " ( n u l l ) " ] ; do
if ( ( $ TRIES ) ) ; then
sleep 0 .1
TRIES = $ ( ( TRIES-1 ) )
else
echo " P e r s i s t e n t S t o r a g e b a c k e n d w a s n o t r e g i s t e r e d i n t i m e . " > & 2
2021-07-26 16:04:50 +00:00
break
2021-05-30 03:29:52 +02:00
fi
2020-12-02 00:52:54 +01:00
done
'' ;
RemainAfterExit = true ;
} ;
unitConfig = {
ConditionVirtualization = " ! c o n t a i n e r " ;
DefaultDependencies = false ; # needed to prevent a cycle
2025-04-01 20:10:43 +02:00
} ;
2023-11-30 15:34:11 -08:00
before = [
2020-12-02 00:52:54 +01:00
" s y s t e m d - p s t o r e . s e r v i c e "
2023-11-30 15:34:11 -08:00
" s h u t d o w n . t a r g e t "
2025-04-01 20:10:43 +02:00
] ;
2023-11-30 15:34:11 -08:00
conflicts = [ " s h u t d o w n . t a r g e t " ] ;
2020-12-02 00:52:54 +01:00
wantedBy = [ " s y s t e m d - p s t o r e . s e r v i c e " ] ;
} ;
2025-04-01 20:10:43 +02:00
} ;
2006-12-21 14:22:40 +00:00
nixos/filesystems: ensure keys gid on /run/keys mountpoint
boot.specialFileSystems is used to describe mount points to be set up in
stage 1 and 2.
We use it to create /run/keys already there, so sshd-in-initrd scenarios
can consume keys sent over through nixops send-keys.
However, it seems the kernel only supports the gid=… option for tmpfs,
not ramfs, causing /run/keys to be owned by the root group, not keys
group.
This was/is worked around in nixops by running a chown root:keys
/run/keys whenever pushing keys [1], and as machines had to have pushed keys
to be usable, this was pretty much always the case.
This is causing regressions in setups not provisioned via nixops, that
still use /run/keys for secrets (through cloud provider startup scripts
for example), as suddenly being an owner of the "keys" group isn't
enough to access the folder.
This PR removes the defunct gid=… option in the mount script called in
stage 1 and 2, and introduces a tmpfiles rule which takes care of fixing
up permissions as part of sysinit.target (very early in systemd bootup,
so before regular services are started).
In case of nixops deployments, this doesn't change anything.
nixops-based deployments receiving secrets from nixops send-keys in
initrd will simply have the permissions already set once tmpfiles is
started.
Fixes #42344
[1]: https://github.com/NixOS/nixops/blob/884d6c3994b227eb09c307e5d25d6885c9af8220/nixops/backends/__init__.py#L267-L269
2020-02-05 01:53:26 +01:00
systemd . tmpfiles . rules = [
2020-02-11 21:41:04 +01:00
" d / r u n / k e y s 0 7 5 0 r o o t ${ toString config . ids . gids . keys } "
" z / r u n / k e y s 0 7 5 0 r o o t ${ toString config . ids . gids . keys } "
nixos/filesystems: ensure keys gid on /run/keys mountpoint
boot.specialFileSystems is used to describe mount points to be set up in
stage 1 and 2.
We use it to create /run/keys already there, so sshd-in-initrd scenarios
can consume keys sent over through nixops send-keys.
However, it seems the kernel only supports the gid=… option for tmpfs,
not ramfs, causing /run/keys to be owned by the root group, not keys
group.
This was/is worked around in nixops by running a chown root:keys
/run/keys whenever pushing keys [1], and as machines had to have pushed keys
to be usable, this was pretty much always the case.
This is causing regressions in setups not provisioned via nixops, that
still use /run/keys for secrets (through cloud provider startup scripts
for example), as suddenly being an owner of the "keys" group isn't
enough to access the folder.
This PR removes the defunct gid=… option in the mount script called in
stage 1 and 2, and introduces a tmpfiles rule which takes care of fixing
up permissions as part of sysinit.target (very early in systemd bootup,
so before regular services are started).
In case of nixops deployments, this doesn't change anything.
nixops-based deployments receiving secrets from nixops send-keys in
initrd will simply have the permissions already set once tmpfiles is
started.
Fixes #42344
[1]: https://github.com/NixOS/nixops/blob/884d6c3994b227eb09c307e5d25d6885c9af8220/nixops/backends/__init__.py#L267-L269
2020-02-05 01:53:26 +01:00
] ;
2016-08-27 13:29:38 +03:00
# Sync mount options with systemd's src/core/mount-setup.c: mount_table.
2016-08-31 16:45:19 +03:00
boot . specialFileSystems =
{
2016-08-27 13:29:38 +03:00
" / p r o c " = {
fsType = " p r o c " ;
options = [
" n o s u i d "
" n o e x e c "
" n o d e v "
] ;
} ;
2017-02-18 20:06:09 +03:00
" / r u n " = {
fsType = " t m p f s " ;
options = [
" n o s u i d "
" n o d e v "
" s t r i c t a t i m e "
" m o d e = 7 5 5 "
" s i z e = ${ config . boot . runSize } "
2016-08-27 13:29:38 +03:00
] ;
} ;
" / d e v " = {
fsType = " d e v t m p f s " ;
options = [
" n o s u i d "
" s t r i c t a t i m e "
" m o d e = 7 5 5 "
" s i z e = ${ config . boot . devSize } "
] ;
} ;
" / d e v / s h m " = {
fsType = " t m p f s " ;
options = [
" n o s u i d "
" n o d e v "
" s t r i c t a t i m e "
" m o d e = 1 7 7 7 "
" s i z e = ${ config . boot . devShmSize } "
2017-08-30 09:50:29 +10:00
] ;
} ;
" / d e v / p t s " = {
fsType = " d e v p t s " ;
options = [
" n o s u i d "
" n o e x e c "
" m o d e = 6 2 0 "
" p t m x m o d e = 0 6 6 6 "
" g i d = ${ toString config . ids . gids . tty } "
2025-04-01 20:10:43 +02:00
] ;
} ;
nixos/filesystems: ensure keys gid on /run/keys mountpoint
boot.specialFileSystems is used to describe mount points to be set up in
stage 1 and 2.
We use it to create /run/keys already there, so sshd-in-initrd scenarios
can consume keys sent over through nixops send-keys.
However, it seems the kernel only supports the gid=… option for tmpfs,
not ramfs, causing /run/keys to be owned by the root group, not keys
group.
This was/is worked around in nixops by running a chown root:keys
/run/keys whenever pushing keys [1], and as machines had to have pushed keys
to be usable, this was pretty much always the case.
This is causing regressions in setups not provisioned via nixops, that
still use /run/keys for secrets (through cloud provider startup scripts
for example), as suddenly being an owner of the "keys" group isn't
enough to access the folder.
This PR removes the defunct gid=… option in the mount script called in
stage 1 and 2, and introduces a tmpfiles rule which takes care of fixing
up permissions as part of sysinit.target (very early in systemd bootup,
so before regular services are started).
In case of nixops deployments, this doesn't change anything.
nixops-based deployments receiving secrets from nixops send-keys in
initrd will simply have the permissions already set once tmpfiles is
started.
Fixes #42344
[1]: https://github.com/NixOS/nixops/blob/884d6c3994b227eb09c307e5d25d6885c9af8220/nixops/backends/__init__.py#L267-L269
2020-02-05 01:53:26 +01:00
# To hold secrets that shouldn't be written to disk
" / r u n / k e y s " = {
fsType = " r a m f s " ;
options = [
" n o s u i d "
" n o d e v "
" m o d e = 7 5 0 "
] ;
} ;
2016-09-07 02:55:26 +03:00
}
// optionalAttrs ( ! config . boot . isContainer ) {
# systemd-nspawn populates /sys by itself, and remounting it causes all
# kinds of weird issues (most noticeably, waiting for host disk device
# nodes).
" / s y s " = {
fsType = " s y s f s " ;
options = [
" n o s u i d "
" n o e x e c "
" n o d e v "
] ;
2016-08-27 13:29:38 +03:00
} ;
2025-04-01 20:10:43 +02:00
} ;
2016-08-27 13:29:38 +03:00
2009-03-06 12:27:33 +00:00
} ;
2009-08-11 21:10:33 +00:00
2006-12-21 14:22:40 +00:00
}
