Merge remote-tracking branch 'upstream/master' into hardened-stdenv

2025-07-13 13:40:28 +03:00 · 2016-07-19 10:37:02 +00:00 · 2016-07-19 10:37:02 +00:00 · 203846b9de
commit 203846b9de
parent 6539901c7f b54009fdfb
282 changed files with 4189 additions and 7149 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -36,7 +36,7 @@ let
          ${optionalString (header != null) "--header=${header}"} \
          ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
          > /.luksopen_args
-        get_password "Enter LUKS Passphrase" cryptsetup-askpass
+        cryptsetup-askpass
        rm /.luksopen_args
    }

@ -78,7 +78,9 @@ let
        for try in $(seq 3); do

            ${optionalString yubikey.twoFactor ''
-            k_user="$(get_password "Enter two-factor passphrase" cat)"
+            echo -n "Enter two-factor passphrase: "
+            read -s k_user
+            echo
            ''}

            if [ ! -z "$k_user" ]; then
@ -461,26 +463,6 @@ in
      ''}
    '';

-    boot.initrd.preDeviceCommands = ''
-      get_password() {
-        local ret
-        local reply
-        local tty_stat
-
-        tty_stat="$(stty -g)"
-        stty -echo
-        for i in `seq 1 3`; do
-          echo -n "$1: "
-          read reply
-          echo "$reply" | "$2"
-          if [ "$?" = "0" ]; then
-            break
-          fi
-        done
-        stty "$tty_stat"
-      }
-    '';
-
    boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
    boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);

--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@ -112,6 +112,7 @@ in
      sed -i '/loginctl/d' $out/71-seat.rules
    '';

+    # We use `mkAfter` to ensure that LUKS password prompt would be shown earlier than the splash screen.
    boot.initrd.preLVMCommands = mkAfter ''
      mkdir -p /etc/plymouth
      ln -s ${configFile} /etc/plymouth/plymouthd.conf
@ -121,7 +122,16 @@ in
      ln -s $extraUtils/lib/plymouth /etc/plymouth/plugins

      plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
-      plymouth --show-splash
+      plymouth show-splash
+    '';
+
+    boot.initrd.postMountCommands = ''
+      plymouth update-root-fs --new-root-dir="$targetRoot"
+    '';
+
+    # `mkBefore` to ensure that any custom prompts would be visible.
+    boot.initrd.preFailCommands = mkBefore ''
+      plymouth quit --wait
    '';

  };
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@ -14,8 +14,7 @@ export LVM_SUPPRESS_FD_WARNINGS=true
 fail() {
    if [ -n "$panicOnFail" ]; then exit 1; fi

-    # If we have a splash screen started, quit it.
-    command -v plymouth >/dev/null 2>&1 && plymouth quit
+    @preFailCommands@

    # If starting stage 2 failed, allow the user to repair the problem
    # in an interactive shell.
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@ -208,7 +208,7 @@ let
    inherit (config.boot) resumeDevice devSize runSize;

    inherit (config.boot.initrd) checkJournalingFS
-      preLVMCommands preDeviceCommands postDeviceCommands postMountCommands kernelModules;
+      preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;

    resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
                    (filter (sd: (sd ? label || hasPrefix "/dev/" sd.device) && !sd.randomEncryption) config.swapDevices);
@ -336,6 +336,14 @@ in
      '';
    };

+    boot.initrd.preFailCommands = mkOption {
+      default = "";
+      type = types.lines;
+      description = ''
+        Shell commands to be executed before the failure prompt is shown.
+      '';
+    };
+
    boot.initrd.extraUtilsCommands = mkOption {
      internal = true;
      default = "";
--- a/nixos/modules/system/boot/systemd-lib.nix
+++ b/nixos/modules/system/boot/systemd-lib.nix
@ -176,7 +176,7 @@ rec {
      ${optionalString (type == "system") ''
        # Stupid misc. symlinks.
        ln -s ${cfg.defaultUnit} $out/default.target
-
+        ln -s ${cfg.ctrlAltDelUnit} $out/ctrl-alt-del.target
        ln -s rescue.target $out/kbrequest.target

        mkdir -p $out/getty.target.wants/
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@ -120,7 +120,6 @@ let
      "systemd-poweroff.service"
      "halt.target"
      "systemd-halt.service"
-      "ctrl-alt-del.target"
      "shutdown.target"
      "umount.target"
      "final.target"
@ -162,7 +161,6 @@ let
      "systemd-hostnamed.service"
      "systemd-binfmt.service"
    ]
-
    ++ cfg.additionalUpstreamSystemUnits;

  upstreamSystemWants =
@ -485,6 +483,15 @@ in
      description = "Default unit started when the system boots.";
    };

+    systemd.ctrlAltDelUnit = mkOption {
+      default = "reboot.target";
+      type = types.str;
+      example = "poweroff.target";
+      description = ''
+        Target that should be started when Ctrl-Alt-Delete is pressed.
+      '';
+    };
+
    systemd.globalEnvironment = mkOption {
      type = types.attrs;
      default = {};