tpm2.target was functionally useless without these services and this
generator. When systemd-cryptsetup-generator creates
systemd-cryptsetup@.service units, they are ordered after
systemd-tpm2-setup-early.service, not tpm2.target. These services are
themselves ordered after tpm2.target.
Note: The systemd-tpm2-setup(-early) services will serve no *function*
under a normal NixOS system at the moment. Because of their
ConditionSecurity=measured-uki, they will always be skipped, unless
you are building an appliance with the system.build.uki feature. Thus,
these are enabled solely for their systemd unit ordering properties.
This module provides some abstraction for a multi-stage build to create
a dm-verity protected NixOS repart image.
The opinionated approach realized by this module is to first create an
immutable, verity-protected nix store partition, then embed the root
hash of the corresponding verity hash partition in a UKI, that is then
injected into the ESP of the resulting image.
The UKI can then precisely identify the corresponding data from which
the entire system is bootstrapped.
The module comes with a script that checks the UKI used in the final
image corresponds to the intermediate image created in the first step.
This is necessary to notice incompatible substitutions of
non-reproducible store paths, for example when working with distributed
builds, or when offline-signing the UKI.
For some reason, chromium, which is still the nixpkgs version hangs
inside the normal test vm, while working fine in .driverInteractive.
I suspect that might have to do with the existence of a display in
.driverInteractive. Neither vm does run X11 or wayland.
The assertion message should include the `nixpkgs.config` value, however
it currently includes the entire `nixpkgs.config` _option_.
This means the type, declarations, definitions, etc were all printed.
smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:
[...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"
This patch introduces a "smartctl-exporter-access" supplementary
group, and an udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.
Fixes https://github.com/NixOS/nixpkgs/issues/210041
Only restart `systemd-udevd.service` if udev rules in `/etc/udev/rules`
actually changed. The paths of `services.udev.packages` may change
frequently but the resulting udev rules built by `udevRulesFor`
likely change less often.
This has the added benefit of not adding `services.udev.packages` to
the system closure if they are only used for their udev rules
(issue #308937).
This reverts commit 89eb93dc3f.
It broken setups where /etc/wpa_supplicant.conf is configured
imperatively and reloading of the service on configuration changes.
This reverts commit 2e702d07bb.
Segfaults during evaluation in yet-to-be-determined circumstances.
Investigation is ongoing, reverting for now to be safe.
Upstream issue: https://github.com/NixOS/nix/issues/11547
