
Merge pull request #263203 from nikstur/replace-activation

Replace simple activationScripts

authored by

Linus Heckemann and committed by
GitHub
86707945 0643b928

+229 -219
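--- a/nixos/modules/config/mysql.nix
+++ b/nixos/modules/config/mysql.nix
@@ -429,11 +429,11 @@
 '';
 };
 
-# Activation script to append the password from the password file
+# preStart script to append the password from the password file
 # to the configuration files. It also fixes the owner of the
 # libnss-mysql-root.cfg because it is changed to root after the
 # password is appended.
-system.activationScripts.mysql-auth-passwords = ''
+systemd.services.mysql.preStart = ''
 if [[ -r ${cfg.passwordFile} ]]; then
 org_umask=$(umask)
 umask 0077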
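Review bot: The password-injection script is now attached to `systemd.services.mysql.preStart`, so it runs only when a local `mysql` unit is started. This file appears to configure NSS/PAM lookups against MySQL (the comment mentions libnss-mysql-root.cfg), so a host whose database is remote may have no such unit and would never get the password written into its configuration files. preStart also runs under the service's own account unless the unit says otherwise, and that account may not be allowed to rewrite these files or fix the ownership the comment describes. At minimum the comment should state the dependency, e.g. `# Runs as part of mysql.service; hosts without a local mysql unit never execute this.`, and the effective user should be confirmed. The script body continues past the end of this hunk.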
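--- a/nixos/modules/config/nix-channel.nix
+++ b/nixos/modules/config/nix-channel.nix
@@ -97,12 +97,9 @@
 
 nix.settings.nix-path = mkIf (! cfg.channel.enable) (mkDefault "");
 
-system.activationScripts.nix-channel = mkIf cfg.channel.enable
-(stringAfter [ "etc" "users" ] ''
-# Subscribe the root user to the NixOS channel by default.
-if [ ! -e "/root/.nix-channels" ]; then
-echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels"
-fi
-'');
+systemd.tmpfiles.rules = lib.mkIf cfg.channel.enable [
+"f /root/.nix-channels -"
+''w "/root/.nix-channels" - - - - "${config.system.defaultChannel} nixos\n"''
+];
 };
 }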
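Review bot: The `w` rule rewrites /root/.nix-channels on every tmpfiles run, whereas the removed script wrote the default only when the file did not exist (`if [ ! -e "/root/.nix-channels" ]`), so channels that root has added or changed would be clobbered at the next boot or activation. As far as I know, `f` with an argument writes the content only when it creates the file, so a single rule would keep the old behaviour: `''f /root/.nix-channels - - - - ${config.system.defaultChannel} nixos\n''`. The `w` line can then be dropped.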
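--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -193,8 +193,11 @@
 source = "${pkgs.duo-unix.out}/bin/login_duo";
 };
 
-system.activationScripts = {
-login_duo = mkIf cfg.ssh.enable ''
+systemd.services.login-duo = lib.mkIf cfg.ssh.enable {
+wantedBy = [ "sysinit.target" ];
+before = [ "sysinit.target" ];
+unitConfig.DefaultDependencies = false;
+script = ''
 if test -f "${cfg.secretKeyFile}"; then
 mkdir -m 0755 -p /etc/duo
 
@@ -209,7 +212,13 @@
 mv -fT "$conf" /etc/duo/login_duo.conf
 fi
 '';
-pam_duo = mkIf cfg.pam.enable ''
+};
+
+systemd.services.pam-duo = lib.mkIf cfg.ssh.enable {
+wantedBy = [ "sysinit.target" ];
+before = [ "sysinit.target" ];
+unitConfig.DefaultDependencies = false;
+script = ''
 if test -f "${cfg.secretKeyFile}"; then
 mkdir -m 0755 -p /etc/duo
 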
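Review bot: `systemd.services.pam-duo` is gated on `cfg.ssh.enable`, but the snippet it replaces was gated on `cfg.pam.enable` (`pam_duo = mkIf cfg.pam.enable`), so a host that enables only the PAM integration no longer gets its Duo configuration generated; how PAM then behaves depends on settings not visible here. The line should read `systemd.services.pam-duo = lib.mkIf cfg.pam.enable {`. Both new units also omit `serviceConfig.Type = "oneshot";`, which the wrappers unit in this commit sets; without it, `before = [ "sysinit.target" ]` orders only against the start of the script, not its completion. The same omission appears in `domainname` (network-interfaces.nix) and `create-test-cert` (tests/stunnel.nix). Both script bodies continue outside the hunks shown.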
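--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -275,33 +275,38 @@
 mrpx ${wrap.source},
 '') wrappers;
 
-###### wrappers activation script
-system.activationScripts.wrappers =
-lib.stringAfter [ "specialfs" "users" ]
-''
-chmod 755 "${parentWrapperDir}"
+systemd.services.suid-sgid-wrappers = {
+description = "Create SUID/SGID Wrappers";
+wantedBy = [ "sysinit.target" ];
+before = [ "sysinit.target" ];
+unitConfig.DefaultDependencies = false;
+unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ];
+serviceConfig.Type = "oneshot";
+script = ''
+chmod 755 "${parentWrapperDir}"
 
-# We want to place the tmpdirs for the wrappers to the parent dir.
-wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
-chmod a+rx "$wrapperDir"
+# We want to place the tmpdirs for the wrappers to the parent dir.
+wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
+chmod a+rx "$wrapperDir"
 
-${lib.concatStringsSep "\n" mkWrappedPrograms}
+${lib.concatStringsSep "\n" mkWrappedPrograms}
 
-if [ -L ${wrapperDir} ]; then
-# Atomically replace the symlink
-# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-old=$(readlink -f ${wrapperDir})
-if [ -e "${wrapperDir}-tmp" ]; then
-rm --force --recursive "${wrapperDir}-tmp"
-fi
-ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
-mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
-rm --force --recursive "$old"
-else
-# For initial setup
-ln --symbolic "$wrapperDir" "${wrapperDir}"
+if [ -L ${wrapperDir} ]; then
+# Atomically replace the symlink
+# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+old=$(readlink -f ${wrapperDir})
+if [ -e "${wrapperDir}-tmp" ]; then
+rm --force --recursive "${wrapperDir}-tmp"
 fi
-'';
+ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
+mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
+rm --force --recursive "$old"
+else
+# For initial setup
+ln --symbolic "$wrapperDir" "${wrapperDir}"
+fi
+'';
+};
 
 ###### wrappers consistency checks
 system.checks = lib.singleton (pkgs.runCommandLocal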
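Review bot: Nothing in the new `suid-sgid-wrappers` unit makes it run again when the configuration is switched on a running system; the activation script it replaces ran on every activation, while a oneshot unit wanted by `sysinit.target` is normally started once at boot. If the switch logic does not restart it, a changed wrapper set (added, removed or re-permissioned setuid/setgid programs) would take effect only after a reboot, leaving stale privileged wrappers in place. Consider tying the unit to the wrapper set, for example `restartTriggers = [ (builtins.toJSON wrappers) ];` together with `serviceConfig.RemainAfterExit = true;`, and cover it with a test that switches between two wrapper sets. The old `stringAfter [ "specialfs" "users" ]` ordering is also gone, so a comment such as `# relies on users and groups already existing when this unit runs` would record the remaining assumption.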
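--- a/nixos/modules/services/mail/mlmmj.nix
+++ b/nixos/modules/services/mail/mlmmj.nix
@@ -143,13 +143,11 @@
 
 environment.systemPackages = [ pkgs.mlmmj ];
 
-system.activationScripts.mlmmj = ''
-${pkgs.coreutils}/bin/mkdir -p ${stateDir} ${spoolDir}/${cfg.listDomain}
-${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${spoolDir}
-${concatMapLines (createList cfg.listDomain) cfg.mailLists}
-${pkgs.postfix}/bin/postmap /etc/postfix/virtual
-${pkgs.postfix}/bin/postmap /etc/postfix/transport
-'';
+systemd.tmpfiles.rules = [
+''d "${stateDir}" -''
+''d "${spoolDir}/${cfg.listDomain}" -''
+''Z "${spoolDir}" - "${cfg.user}" "${cfg.group}" -''
+];
 
 systemd.services.mlmmj-maintd = {
 description = "mlmmj maintenance daemon";
@@ -158,6 +156,11 @@
 Group = cfg.group;
 ExecStart = "${pkgs.mlmmj}/bin/mlmmj-maintd -F -d ${spoolDir}/${cfg.listDomain}";
 };
+preStart = ''
+${concatMapLines (createList cfg.listDomain) cfg.mailLists}
+${pkgs.postfix}/bin/postmap /etc/postfix/virtual
+${pkgs.postfix}/bin/postmap /etc/postfix/transport
+'';
 };
 
 systemd.timers.mlmmj-maintd = {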
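Review bot: The list-creation and `postmap` commands now sit in `preStart` of `mlmmj-maintd`, whose `serviceConfig` sets `Group = cfg.group` (and presumably a matching `User` just above the hunk), so they would run under the service account instead of root as the activation script did. `postmap /etc/postfix/virtual` has to write its lookup table under /etc/postfix, which an unprivileged account normally cannot do, and a failing preStart would keep the maintenance daemon from starting. These steps also run only when this unit starts rather than on every activation. If root is required, state it explicitly, e.g. `serviceConfig.PermissionsStartOnly = true;`, or confirm that the service account has the access it needs.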
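--- a/nixos/modules/services/monitoring/ups.nix
+++ b/nixos/modules/services/monitoring/ups.nix
@@ -239,11 +239,9 @@
 
 power.ups.schedulerRules = mkDefault "${pkgs.nut}/etc/upssched.conf.sample";
 
-system.activationScripts.upsSetup = stringAfter [ "users" "groups" ]
-''
-# Used to store pid files of drivers.
-mkdir -p /var/state/ups
-'';
+systemd.tmpfiles.rules = [
+"d /var/state/ups -"
+];
 
 
 /*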
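--- a/nixos/modules/services/networking/iscsi/initiator.nix
+++ b/nixos/modules/services/networking/iscsi/initiator.nix
@@ -52,25 +52,27 @@
 '';
 environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}";
 
-system.activationScripts.iscsid = let
-extraCfgDumper = optionalString (cfg.extraConfigFile != null) ''
-if [ -f "${cfg.extraConfigFile}" ]; then
-printf "\n# The following is from ${cfg.extraConfigFile}:\n"
-cat "${cfg.extraConfigFile}"
-else
-echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2
-fi
-'';
-in ''
-(
-cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source}
-${extraCfgDumper}
-) > /etc/iscsi/iscsid.conf
-'';
-
 systemd.packages = [ cfg.package ];
 
-systemd.services."iscsid".wantedBy = [ "multi-user.target" ];
+systemd.services."iscsid" = {
+wantedBy = [ "multi-user.target" ];
+preStart =
+let
+extraCfgDumper = optionalString (cfg.extraConfigFile != null) ''
+if [ -f "${cfg.extraConfigFile}" ]; then
+printf "\n# The following is from ${cfg.extraConfigFile}:\n"
+cat "${cfg.extraConfigFile}"
+else
+echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2
+fi
+'';
+in ''
+(
+cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source}
+${extraCfgDumper}
+) > /etc/iscsi/iscsid.conf
+'';
+};
 systemd.sockets."iscsid".wantedBy = [ "sockets.target" ];
 
 systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut {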
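Review bot: The `preStart` script still assembles /etc/iscsi/iscsid.conf with a plain `>` redirect, so the file gets the default creation mode even though `cfg.extraConfigFile` is merged into it. If that file is meant to carry secrets such as CHAP credentials (its option description is not visible here), they end up readable by every local user; adding `umask 077` as the first line of the script would prevent that. Also, `iscsid` is socket-activated (`systemd.sockets."iscsid"`), so the file is now generated only when the daemon first starts; confirm that nothing, such as the `iscsi` login unit below, reads iscsid.conf before then.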
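--- a/nixos/modules/services/networking/spiped.nix
+++ b/nixos/modules/services/networking/spiped.nix
@@ -197,8 +197,9 @@
 script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
 };
 
-system.activationScripts.spiped = optionalString (cfg.config != {})
-"mkdir -p /var/lib/spiped";
+systemd.tmpfiles.rules = lib.mkIf (cfg.config != { }) [
+"d /var/lib/spiped -"
+];
 
 # Setup spiped config files
 environment.etc = mapAttrs' (name: cfg: nameValuePair "spiped/${name}.spec"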
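--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix
@@ -43,21 +43,21 @@
 
 # The swanctl command complains when the following directories don't exist:
 # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
-system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] ''
-mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates
-mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates
-mkdir -p '/etc/swanctl/x509ocsp'
-mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates
-mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates
-mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists
-mkdir -p '/etc/swanctl/pubkey' # Raw public keys
-mkdir -p '/etc/swanctl/private' # Private keys in any format
-mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys
-mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys
-mkdir -p '/etc/swanctl/bliss'
-mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type
-mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers
-'';
+systemd.tmpfiles.rules = [
+"d /etc/swanctl/x509 -" # Trusted X.509 end entity certificates
+"d /etc/swanctl/x509ca -" # Trusted X.509 Certificate Authority certificates
+"d /etc/swanctl/x509ocsp -"
+"d /etc/swanctl/x509aa -" # Trusted X.509 Attribute Authority certificates
+"d /etc/swanctl/x509ac -" # Attribute Certificates
+"d /etc/swanctl/x509crl -" # Certificate Revocation Lists
+"d /etc/swanctl/pubkey -" # Raw public keys
+"d /etc/swanctl/private -" # Private keys in any format
+"d /etc/swanctl/rsa -" # PKCS#1 encoded RSA private keys
+"d /etc/swanctl/ecdsa -" # Plain ECDSA private keys
+"d /etc/swanctl/bliss -"
+"d /etc/swanctl/pkcs8 -" # PKCS#8 encoded private keys of any type
+"d /etc/swanctl/pkcs12 -" # PKCS#12 containers
+];
 
 systemd.services.strongswan-swanctl = {
 description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";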
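Review bot: The private-key directories are created with `-` as their mode, so `/etc/swanctl/private`, `rsa`, `ecdsa`, `pkcs8` and `pkcs12` get the default directory mode and can be listed and traversed by every local user; protection then rests entirely on the mode of each key file. tmpfiles makes it cheap to state the mode explicitly, e.g. `"d /etc/swanctl/private 0700 -"`, and likewise for the other private-key directories. The same applies to the certificate store rule in stargazer.nix, `d /var/lib/gemini/certs - "${cfg.user}" "${cfg.group}" -`, if that store also holds private keys.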
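--- a/nixos/modules/services/system/nix-daemon.nix
+++ b/nixos/modules/services/system/nix-daemon.nix
@@ -249,11 +249,6 @@
 
 services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers;
 
-system.activationScripts.nix = stringAfter [ "etc" "users" ]
-''
-install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user
-'';
-
 # Legacy configuration conversion.
 nix.settings = mkMerge [
 (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })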
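--- a/nixos/modules/services/web-apps/mattermost.nix
+++ b/nixos/modules/services/web-apps/mattermost.nix
@@ -287,9 +287,9 @@
 
 # The systemd service will fail to execute the preStart hook
 # if the WorkingDirectory does not exist
-system.activationScripts.mattermost = ''
-mkdir -p "${cfg.statePath}"
-'';
+systemd.tmpfiles.rules = [
+''d "${cfg.statePath}" -''
+];
 
 systemd.services.mattermost = {
 description = "Mattermost chat service";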
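--- a/nixos/modules/services/web-servers/stargazer.nix
+++ b/nixos/modules/services/web-servers/stargazer.nix
@@ -204,11 +204,9 @@
 };
 
 # Create default cert store
-system.activationScripts.makeStargazerCertDir =
-lib.optionalAttrs (cfg.store == /var/lib/gemini/certs) ''
-mkdir -p /var/lib/gemini/certs
-chown -R ${cfg.user}:${cfg.group} /var/lib/gemini/certs
-'';
+systemd.tmpfiles.rules = lib.mkIf (cfg.store == /var/lib/gemini/certs) [
+''d /var/lib/gemini/certs - "${cfg.user}" "${cfg.group}" -''
+];
 
 users.users = lib.optionalAttrs (cfg.user == "stargazer") {
 stargazer = {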
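--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -55,10 +55,6 @@
 # used as a garbage collection root.
 ln -sfn "$(readlink -f "$systemConfig")" /run/current-system
 
-# Prevent the current configuration from being garbage-collected.
-mkdir -p /nix/var/nix/gcroots
-ln -sfn /run/current-system /nix/var/nix/gcroots/current-system
-
 exit $_status
 '';
 
@@ -233,23 +229,16 @@
 config = {
 
 system.activationScripts.stdio = ""; # obsolete
-
-system.activationScripts.var =
-''
-# Various log/runtime directories.
+system.activationScripts.var = ""; # obsolete
+system.activationScripts.specialfs = ""; # obsolete
 
-mkdir -p /var/tmp
-chmod 1777 /var/tmp
-
-# Empty, immutable home directory of many system accounts.
-mkdir -p /var/empty
-# Make sure it's really empty
-${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
-find /var/empty -mindepth 1 -delete
-chmod 0555 /var/empty
-chown root:root /var/empty
-${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
-'';
+systemd.tmpfiles.rules = [
+# Prevent the current configuration from being garbage-collected.
+"d /nix/var/nix/gcroots -"
+"L+ /nix/var/nix/gcroots/current-system - - - - /run/current-system"
+"D /var/empty 0555 root root -"
+"h /var/empty - - - - +i"
+];
 
 system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
 then ''
@@ -261,25 +250,6 @@
 else ''
 rm -f /usr/bin/env
 rmdir --ignore-fail-on-non-empty /usr/bin /usr
-'';
-
-system.activationScripts.specialfs =
-''
-specialMount() {
-local device="$1"
-local mountPoint="$2"
-local options="$3"
-local fsType="$4"
-
-if mountpoint -q "$mountPoint"; then
-local options="remount,$options"
-else
-mkdir -p "$mountPoint"
-chmod 0755 "$mountPoint"
-fi
-mount -t "$fsType" -o "$options" "$device" "$mountPoint"
-}
-source ${config.system.build.earlyMountScript}
 '';
 
 systemd.user = {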
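Review bot: The `D /var/empty 0555 root root -` rule does not reproduce the removed `find /var/empty -mindepth 1 -delete`: as far as I know, `D` empties the directory only when systemd-tmpfiles is invoked with `--remove`, so anything that ends up in /var/empty may no longer be cleaned out on activation. That matters because, per the removed comment, it is the empty home directory of many system accounts. The old script also cleared the immutable flag before fixing mode and owner, so check that a later tmpfiles run can still apply `0555 root root` once `h /var/empty - - - - +i` has taken effect. The new tests/activation/var.nix checks mode, owner and the `i` attribute but not emptiness; an assertion like `assert machine.succeed("ls -A /var/empty") == ""` would cover it.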
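--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
@@ -20,17 +20,13 @@
 optionalString fixBinary "F";
 in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}";
 
-activationSnippet = name: { interpreter, wrapInterpreterInShell, ... }: if wrapInterpreterInShell then ''
-rm -f /run/binfmt/${name}
-cat > /run/binfmt/${name} << 'EOF'
-#!${pkgs.bash}/bin/sh
-exec -- ${interpreter} "$@"
-EOF
-chmod +x /run/binfmt/${name}
-'' else ''
-rm -f /run/binfmt/${name}
-ln -s ${interpreter} /run/binfmt/${name}
-'';
+mkInterpreter = name: { interpreter, wrapInterpreterInShell, ... }:
+if wrapInterpreterInShell
+then pkgs.writeShellScript "${name}-interpreter" ''
+#!${pkgs.bash}/bin/sh
+exec -- ${interpreter} "$@"
+''
+else interpreter;
 
 getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
 getQemuArch = system: (lib.systems.elaborate { inherit system; }).qemuArch;
@@ -318,18 +314,25 @@
 
 environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
 (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));
-system.activationScripts.binfmt = stringAfter [ "specialfs" ] ''
-mkdir -p /run/binfmt
-chmod 0755 /run/binfmt
-${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet config.boot.binfmt.registrations)}
-'';
-systemd = lib.mkIf (config.boot.binfmt.registrations != {}) {
-additionalUpstreamSystemUnits = [
-"proc-sys-fs-binfmt_misc.automount"
-"proc-sys-fs-binfmt_misc.mount"
-"systemd-binfmt.service"
-];
-services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ];
-};
+
+systemd = lib.mkMerge [
+({ tmpfiles.rules = [
+"d /run/binfmt 0755 -"
+] ++ lib.mapAttrsToList
+(name: interpreter:
+"L+ /run/binfmt/${name} - - - - ${interpreter}"
+)
+(lib.mapAttrs mkInterpreter config.boot.binfmt.registrations);
+})
+
+(lib.mkIf (config.boot.binfmt.registrations != {}) {
+additionalUpstreamSystemUnits = [
+"proc-sys-fs-binfmt_misc.automount"
+"proc-sys-fs-binfmt_misc.mount"
+"systemd-binfmt.service"
+];
+services.systemd-binfmt.restartTriggers = [ (builtins.toJSON config.boot.binfmt.registrations) ];
+})
+];
 };
 }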
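Review bot: The interpreter links under /run/binfmt are now created by systemd-tmpfiles, but nothing orders `systemd-binfmt.service` after that step, whereas the removed activation script ran before any unit started. For a registration that uses the `F` flag (`fixBinary` in the first hunk) the interpreter is opened when the format is registered, so losing that race would make the registration fail. Adding `services.systemd-binfmt.after = [ "systemd-tmpfiles-setup.service" ];` to the second `mkMerge` entry would close the gap, assuming the registered interpreter path is the /run/binfmt link (that line is outside the hunk). Minor: `pkgs.writeShellScript` already emits its own interpreter line, so the `#!${pkgs.bash}/bin/sh` kept in the body becomes an ordinary comment and can be dropped.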
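--- a/nixos/modules/system/boot/timesyncd.nix
+++ b/nixos/modules/system/boot/timesyncd.nix
@@ -46,6 +46,28 @@
 wantedBy = [ "sysinit.target" ];
 aliases = [ "dbus-org.freedesktop.timesync1.service" ];
 restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];
+
+preStart = (
+# Ensure that we have some stored time to prevent
+# systemd-timesyncd to resort back to the fallback time. If
+# the file doesn't exist we assume that our current system
+# clock is good enough to provide an initial value.
+''
+if ! [ -f /var/lib/systemd/timesync/clock ]; then
+test -d /var/lib/systemd/timesync || mkdir -p /var/lib/systemd/timesync
+touch /var/lib/systemd/timesync/clock
+fi
+'' +
+# workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes
+# - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742
+# - https://github.com/systemd/systemd/issues/12131
+(lib.optionalString (versionOlder config.system.stateVersion "19.09") ''
+if [ -L /var/lib/systemd/timesync ]; then
+rm /var/lib/systemd/timesync
+mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync
+fi
+'')
+);
 };
 
 environment.etc."systemd/timesyncd.conf".text = ''
@@ -59,28 +81,5 @@
 group = "systemd-timesync";
 };
 users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync;
-
-system.activationScripts.systemd-timesyncd-migration =
-# workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes
-# - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742
-# - https://github.com/systemd/systemd/issues/12131
-mkIf (versionOlder config.system.stateVersion "19.09") ''
-if [ -L /var/lib/systemd/timesync ]; then
-rm /var/lib/systemd/timesync
-mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync
-fi
-'';
-system.activationScripts.systemd-timesyncd-init-clock =
-# Ensure that we have some stored time to prevent systemd-timesyncd to
-# resort back to the fallback time.
-# If the file doesn't exist we assume that our current system clock is
-# good enough to provide an initial value.
-''
-if ! [ -f /var/lib/systemd/timesync/clock ]; then
-test -d /var/lib/systemd/timesync || mkdir -p /var/lib/systemd/timesync
-touch /var/lib/systemd/timesync/clock
-fi
-'';
 };
-
 }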
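Review bot: The migration and clock-seeding steps now run as `preStart` of `systemd-timesyncd`, so they execute with that unit's user and sandboxing rather than as root. The upstream unit is not visible here, but if it runs as the `systemd-timesync` user declared below, `rm /var/lib/systemd/timesync` and the `mv` out of /var/lib/private need write access to root-owned parent directories and would fail, which would block time synchronisation on hosts whose `stateVersion` is older than 19.09. Please confirm the effective user and record the expectation next to the option, e.g. `# preStart runs with the service's credentials; the migration below needs write access to /var/lib/systemd`. If the account is unprivileged, these steps need to run with full privileges before the service starts.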
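--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1406,18 +1406,12 @@
 val = tempaddrValues.${opt}.sysctl;
 in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-# Set the host and domain names in the activation script. Don't
-# clear it if it's not configured in the NixOS configuration,
-# since it may have been set by dhcpcd in the meantime.
-system.activationScripts.hostname = let
-effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName;
-in optionalString (effectiveHostname != "") ''
-hostname "${effectiveHostname}"
-'';
-system.activationScripts.domain =
-optionalString (cfg.domain != null) ''
-domainname "${cfg.domain}"
-'';
+systemd.services.domainname = lib.mkIf (cfg.domain != null) {
+wantedBy = [ "sysinit.target" ];
+before = [ "sysinit.target" ];
+unitConfig.DefaultDependencies = false;
+serviceConfig.ExecStart = ''domainname "${cfg.domain}"'';
+};
 
 environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; };
 boot.initrd.systemd.contents."/etc/hostid" = mkIf (cfg.hostId != null) { source = hostidFile; };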
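Review bot: `serviceConfig.ExecStart = ''domainname "${cfg.domain}"''` names the binary without a path. The activation script could rely on its own PATH, but a unit's ExecStart is resolved by systemd, which on NixOS is unlikely to find `domainname` in its built-in search directories, so the unit would fail and the domain name would stay unset. Use an absolute store path, e.g. `serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"'';` (assuming nettools is the package that provides it in this tree). The hunk also removes the `hostname` activation script with no replacement in view; a short comment saying what now sets the hostname would help readers.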
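--- a/nixos/tests/activation/nix-channel.nix
+++ b/nixos/tests/activation/nix-channel.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+
+{
+
+name = "activation-nix-channel";
+
+meta.maintainers = with lib.maintainers; [ nikstur ];
+
+nodes.machine = {
+nix.channel.enable = true;
+};
+
+testScript = ''
+print(machine.succeed("cat /root/.nix-channels"))
+'';
+}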
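Review bot: The test only prints /root/.nix-channels, so it passes as long as the file exists and checks neither its content nor that an existing file is left alone. Asserting the content, e.g. `assert "nixos" in machine.succeed("cat /root/.nix-channels")`, would make it meaningful. A second step that edits the file, re-runs `systemd-tmpfiles --create` and checks that the edit survived would pin the behaviour the removed `if [ ! -e "/root/.nix-channels" ]` guard provided.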
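--- a/nixos/tests/activation/var.nix
+++ b/nixos/tests/activation/var.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+name = "activation-var";
+
+meta.maintainers = with lib.maintainers; [ nikstur ];
+
+nodes.machine = { };
+
+testScript = ''
+assert machine.succeed("stat -c '%a' /var/tmp") == "1777\n"
+assert machine.succeed("stat -c '%a' /var/empty") == "555\n"
+assert machine.succeed("stat -c '%U' /var/empty") == "root\n"
+assert machine.succeed("stat -c '%G' /var/empty") == "root\n"
+assert "i" in machine.succeed("lsattr -d /var/empty")
+'';
+}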
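--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -266,6 +266,8 @@
 esphome = handleTest ./esphome.nix {};
 etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };
 activation = pkgs.callPackage ../modules/system/activation/test.nix { };
+activation-var = runTest ./activation/var.nix;
+activation-nix-channel = runTest ./activation/nix-channel.nix;
 etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
 etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {};
 etebase-server = handleTest ./etebase-server.nix {};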
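--- a/nixos/tests/grafana/provision/default.nix
+++ b/nixos/tests/grafana/provision/default.nix
@@ -22,15 +22,14 @@
 };
 };
 
-system.activationScripts.setup-grafana = {
-deps = [ "users" ];
-text = ''
-mkdir -p /var/lib/grafana/dashboards
-chown -R grafana:grafana /var/lib/grafana
-chmod 0700 -R /var/lib/grafana/dashboards
-cp ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)} /var/lib/grafana/dashboards/
-'';
-};
+systemd.tmpfiles.rules =
+let
+dashboard = pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json);
+in
+[
+"d /var/lib/grafana/dashboards 0700 grafana grafana -"
+"C+ /var/lib/grafana/dashboards/test.json - - - - ${dashboard}"
+];
 };
 
 extraNodeConfs = {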
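--- a/nixos/tests/opensearch.nix
+++ b/nixos/tests/opensearch.nix
@@ -31,14 +31,9 @@
 services.opensearch.dataDir = "/var/opensearch_test";
 services.opensearch.user = "open_search";
 services.opensearch.group = "open_search";
-system.activationScripts.createDirectory = {
-text = ''
-mkdir -p "/var/opensearch_test"
-chown open_search:open_search /var/opensearch_test
-chmod 0700 /var/opensearch_test
-'';
-deps = [ "users" "groups" ];
-};
+systemd.tmpfiles.rules = [
+"d /var/opensearch_test 0700 open_search open_search -"
+];
 users = {
 groups.open_search = {};
 users.open_search = {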
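--- a/nixos/tests/stunnel.nix
+++ b/nixos/tests/stunnel.nix
@@ -17,11 +17,16 @@
 };
 };
 makeCert = { config, pkgs, ... }: {
-system.activationScripts.create-test-cert = stringAfter [ "users" ] ''
-${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName}
-( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem )
-chown stunnel /test-key.pem /test-key-and-cert.pem
+systemd.services.create-test-cert = {
+wantedBy = [ "sysinit.target" ];
+before = [ "sysinit.target" ];
+unitConfig.DefaultDependencies = false;
+script = ''
+${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName}
+( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem )
+chown stunnel /test-key.pem /test-key-and-cert.pem
 '';
+};
 };
 serverCommon = { pkgs, ... }: {
 networking.firewall.allowedTCPPorts = [ 443 ];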
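--- a/nixos/tests/systemd-timesyncd.nix
+++ b/nixos/tests/systemd-timesyncd.nix
@@ -15,12 +15,13 @@
 # create the path that should be migrated by our activation script when
 # upgrading to a newer nixos version
 system.stateVersion = "19.03";
-system.activationScripts.simulate-old-timesync-state-dir = lib.mkBefore ''
-rm -f /var/lib/systemd/timesync
-mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync
-ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync
-chown systemd-timesync: /var/lib/private/systemd/timesync
-'';
+systemd.tmpfiles.rules = [
+"r /var/lib/systemd/timesync -"
+"d /var/lib/systemd -"
+"d /var/lib/private/systemd/timesync -"
+"L /var/lib/systemd/timesync - - - - /var/lib/private/systemd/timesync"
+"d /var/lib/private/systemd/timesync - systemd-timesync systemd-timesync -"
+];
 });
 };
 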
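Review bot: `/var/lib/private/systemd/timesync` is declared twice with `d`, once with default ownership and once with `systemd-timesync systemd-timesync`. As far as I know, systemd-tmpfiles treats two lines for the same path as a conflict and ignores one of them with a warning, so the ownership the old `chown` set may not be applied. tmpfiles also does not process rules in list order, so the `r` line followed by the `L` line on /var/lib/systemd/timesync should not be read as remove-then-link. Keeping only `"d /var/lib/private/systemd/timesync - systemd-timesync systemd-timesync -"` and using `L+` for the link would express the intent directly.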