You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
736 lines
26 KiB
736 lines
26 KiB
# This module builds the initial ramdisk, which contains an init
|
|
# script that performs the first stage of booting the system: it loads
|
|
# the modules necessary to mount the root file system, then calls the
|
|
# init in the root file system to start the second boot stage.
|
|
|
|
{ config, lib, utils, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
udev = config.systemd.package;
|
|
|
|
kernel-name = config.boot.kernelPackages.kernel.name or "kernel";
|
|
|
|
modulesTree = config.system.modulesTree.override { name = kernel-name + "-modules"; };
|
|
firmware = config.hardware.firmware;
|
|
|
|
|
|
# Determine the set of modules that we need to mount the root FS.
|
|
modulesClosure = pkgs.makeModulesClosure {
|
|
rootModules = config.boot.initrd.availableKernelModules ++ config.boot.initrd.kernelModules;
|
|
kernel = modulesTree;
|
|
firmware = firmware;
|
|
allowMissing = false;
|
|
};
|
|
|
|
|
|
# The initrd only has to mount `/` or any FS marked as necessary for
|
|
# booting (such as the FS containing `/nix/store`, or an FS needed for
|
|
# mounting `/`, like `/` on a loopback).
|
|
fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems;
|
|
|
|
# A utility for enumerating the shared-library dependencies of a program
|
|
findLibs = pkgs.buildPackages.writeShellScriptBin "find-libs" ''
|
|
set -euo pipefail
|
|
|
|
declare -A seen
|
|
left=()
|
|
|
|
patchelf="${pkgs.buildPackages.patchelf}/bin/patchelf"
|
|
|
|
function add_needed {
|
|
rpath="$($patchelf --print-rpath $1)"
|
|
dir="$(dirname $1)"
|
|
for lib in $($patchelf --print-needed $1); do
|
|
left+=("$lib" "$rpath" "$dir")
|
|
done
|
|
}
|
|
|
|
add_needed "$1"
|
|
|
|
while [ ''${#left[@]} -ne 0 ]; do
|
|
next=''${left[0]}
|
|
rpath=''${left[1]}
|
|
ORIGIN=''${left[2]}
|
|
left=("''${left[@]:3}")
|
|
if [ -z ''${seen[$next]+x} ]; then
|
|
seen[$next]=1
|
|
|
|
# Ignore the dynamic linker which for some reason appears as a DT_NEEDED of glibc but isn't in glibc's RPATH.
|
|
case "$next" in
|
|
ld*.so.?) continue;;
|
|
esac
|
|
|
|
IFS=: read -ra paths <<< $rpath
|
|
res=
|
|
for path in "''${paths[@]}"; do
|
|
path=$(eval "echo $path")
|
|
if [ -f "$path/$next" ]; then
|
|
res="$path/$next"
|
|
echo "$res"
|
|
add_needed "$res"
|
|
break
|
|
fi
|
|
done
|
|
if [ -z "$res" ]; then
|
|
echo "Couldn't satisfy dependency $next" >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
done
|
|
'';
|
|
|
|
# Some additional utilities needed in stage 1, like mount, lvm, fsck
|
|
# etc. We don't want to bring in all of those packages, so we just
|
|
# copy what we need. Instead of using statically linked binaries,
|
|
# we just copy what we need from Glibc and use patchelf to make it
|
|
# work.
|
|
extraUtils = pkgs.runCommandCC "extra-utils"
|
|
{ nativeBuildInputs = [pkgs.buildPackages.nukeReferences];
|
|
allowedReferences = [ "out" ]; # prevent accidents like glibc being included in the initrd
|
|
}
|
|
''
|
|
set +o pipefail
|
|
|
|
mkdir -p $out/bin $out/lib
|
|
ln -s $out/bin $out/sbin
|
|
|
|
copy_bin_and_libs () {
|
|
[ -f "$out/bin/$(basename $1)" ] && rm "$out/bin/$(basename $1)"
|
|
cp -pdv $1 $out/bin
|
|
}
|
|
|
|
# Copy BusyBox.
|
|
for BIN in ${pkgs.busybox}/{s,}bin/*; do
|
|
copy_bin_and_libs $BIN
|
|
done
|
|
|
|
# Copy some util-linux stuff.
|
|
copy_bin_and_libs ${pkgs.util-linux}/sbin/blkid
|
|
|
|
# Copy dmsetup and lvm.
|
|
copy_bin_and_libs ${getBin pkgs.lvm2}/bin/dmsetup
|
|
copy_bin_and_libs ${getBin pkgs.lvm2}/bin/lvm
|
|
|
|
# Add RAID mdadm tool.
|
|
copy_bin_and_libs ${pkgs.mdadm}/sbin/mdadm
|
|
copy_bin_and_libs ${pkgs.mdadm}/sbin/mdmon
|
|
|
|
# Copy udev.
|
|
copy_bin_and_libs ${udev}/bin/udevadm
|
|
copy_bin_and_libs ${udev}/lib/systemd/systemd-sysctl
|
|
for BIN in ${udev}/lib/udev/*_id; do
|
|
copy_bin_and_libs $BIN
|
|
done
|
|
# systemd-udevd is only a symlink to udevadm these days
|
|
ln -sf udevadm $out/bin/systemd-udevd
|
|
|
|
# Copy modprobe.
|
|
copy_bin_and_libs ${pkgs.kmod}/bin/kmod
|
|
ln -sf kmod $out/bin/modprobe
|
|
|
|
# Dirty hack to make sure the kernel properly loads modules
|
|
# such as ext4 on demand (e.g. on a `mount(2)` syscall). This is necessary
|
|
# because `kmod` isn't linked against `libpthread.so.0` anymore (since
|
|
# it was merged into `libc.so.6` since version `2.34`), but still needs
|
|
# to access it for some reason. This is not an issue in stage-1 itself
|
|
# because of the `LD_LIBRARY_PATH`-variable and anytime later because the rpath of
|
|
# kmod/modprobe points to glibc's `$out/lib` where `libpthread.so.6` exists.
|
|
# However, this is a problem when the kernel calls `modprobe` inside
|
|
# the initial ramdisk because it doesn't know about the
|
|
# `LD_LIBRARY_PATH` and the rpath was nuked.
|
|
#
|
|
# Also, we can't use `makeWrapper` here because `kmod` only does
|
|
# `modprobe` functionality if `argv[0] == "modprobe"`.
|
|
cat >$out/bin/modprobe-kernel <<EOF
|
|
#!$out/bin/ash
|
|
export LD_LIBRARY_PATH=$out/lib
|
|
exec $out/bin/modprobe "\$@"
|
|
EOF
|
|
chmod +x $out/bin/modprobe-kernel
|
|
|
|
# Copy resize2fs if any ext* filesystems are to be resized
|
|
${optionalString (any (fs: fs.autoResize && (lib.hasPrefix "ext" fs.fsType)) fileSystems) ''
|
|
# We need mke2fs in the initrd.
|
|
copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/resize2fs
|
|
''}
|
|
|
|
# Copy multipath.
|
|
${optionalString config.services.multipath.enable ''
|
|
copy_bin_and_libs ${config.services.multipath.package}/bin/multipath
|
|
copy_bin_and_libs ${config.services.multipath.package}/bin/multipathd
|
|
# Copy lib/multipath manually.
|
|
cp -rpv ${config.services.multipath.package}/lib/multipath $out/lib
|
|
''}
|
|
|
|
# Copy secrets if needed.
|
|
#
|
|
# TODO: move out to a separate script; see #85000.
|
|
${optionalString (!config.boot.loader.supportsInitrdSecrets)
|
|
(concatStringsSep "\n" (mapAttrsToList (dest: source:
|
|
let source' = if source == null then dest else source; in
|
|
''
|
|
mkdir -p $(dirname "$out/secrets/${dest}")
|
|
# Some programs (e.g. ssh) doesn't like secrets to be
|
|
# symlinks, so we use `cp -L` here to match the
|
|
# behaviour when secrets are natively supported.
|
|
cp -Lr ${source'} "$out/secrets/${dest}"
|
|
''
|
|
) config.boot.initrd.secrets))
|
|
}
|
|
|
|
${config.boot.initrd.extraUtilsCommands}
|
|
|
|
# Copy ld manually since it isn't detected correctly
|
|
cp -pv ${pkgs.stdenv.cc.libc.out}/lib/ld*.so.? $out/lib
|
|
|
|
# Copy all of the needed libraries
|
|
find $out/bin $out/lib -type f | while read BIN; do
|
|
echo "Copying libs for executable $BIN"
|
|
for LIB in $(${findLibs}/bin/find-libs $BIN); do
|
|
TGT="$out/lib/$(basename $LIB)"
|
|
if [ ! -f "$TGT" ]; then
|
|
SRC="$(readlink -e $LIB)"
|
|
cp -pdv "$SRC" "$TGT"
|
|
fi
|
|
done
|
|
done
|
|
|
|
# Strip binaries further than normal.
|
|
chmod -R u+w $out
|
|
stripDirs "$STRIP" "lib bin" "-s"
|
|
|
|
# Run patchelf to make the programs refer to the copied libraries.
|
|
find $out/bin $out/lib -type f | while read i; do
|
|
if ! test -L $i; then
|
|
nuke-refs -e $out $i
|
|
fi
|
|
done
|
|
|
|
find $out/bin -type f | while read i; do
|
|
if ! test -L $i; then
|
|
echo "patching $i..."
|
|
patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true
|
|
fi
|
|
done
|
|
|
|
if [ -z "${toString (pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform)}" ]; then
|
|
# Make sure that the patchelf'ed binaries still work.
|
|
echo "testing patched programs..."
|
|
$out/bin/ash -c 'echo hello world' | grep "hello world"
|
|
export LD_LIBRARY_PATH=$out/lib
|
|
$out/bin/mount --help 2>&1 | grep -q "BusyBox"
|
|
$out/bin/blkid -V 2>&1 | grep -q 'libblkid'
|
|
$out/bin/udevadm --version
|
|
$out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:"
|
|
LVM_SYSTEM_DIR=$out $out/bin/lvm version 2>&1 | tee -a log | grep -q "LVM"
|
|
$out/bin/mdadm --version
|
|
${optionalString config.services.multipath.enable ''
|
|
($out/bin/multipath || true) 2>&1 | grep -q 'need to be root'
|
|
($out/bin/multipathd || true) 2>&1 | grep -q 'need to be root'
|
|
''}
|
|
|
|
${config.boot.initrd.extraUtilsCommandsTest}
|
|
fi
|
|
''; # */
|
|
|
|
|
|
# Networkd link files are used early by udev to set up interfaces early.
|
|
# This must be done in stage 1 to avoid race conditions between udev and
|
|
# network daemons.
|
|
linkUnits = pkgs.runCommand "link-units" {
|
|
allowedReferences = [ extraUtils ];
|
|
preferLocalBuild = true;
|
|
} (''
|
|
mkdir -p $out
|
|
cp -v ${udev}/lib/systemd/network/*.link $out/
|
|
'' + (
|
|
let
|
|
links = filterAttrs (n: v: hasSuffix ".link" n) config.systemd.network.units;
|
|
files = mapAttrsToList (n: v: "${v.unit}/${n}") links;
|
|
in
|
|
concatMapStringsSep "\n" (file: "cp -v ${file} $out/") files
|
|
));
|
|
|
|
udevRules = pkgs.runCommand "udev-rules" {
|
|
allowedReferences = [ extraUtils ];
|
|
preferLocalBuild = true;
|
|
} ''
|
|
mkdir -p $out
|
|
|
|
echo 'ENV{LD_LIBRARY_PATH}="${extraUtils}/lib"' > $out/00-env.rules
|
|
|
|
cp -v ${udev}/lib/udev/rules.d/60-cdrom_id.rules $out/
|
|
cp -v ${udev}/lib/udev/rules.d/60-persistent-storage.rules $out/
|
|
cp -v ${udev}/lib/udev/rules.d/75-net-description.rules $out/
|
|
cp -v ${udev}/lib/udev/rules.d/80-drivers.rules $out/
|
|
cp -v ${udev}/lib/udev/rules.d/80-net-setup-link.rules $out/
|
|
cp -v ${pkgs.lvm2}/lib/udev/rules.d/*.rules $out/
|
|
${config.boot.initrd.extraUdevRulesCommands}
|
|
|
|
for i in $out/*.rules; do
|
|
substituteInPlace $i \
|
|
--replace ata_id ${extraUtils}/bin/ata_id \
|
|
--replace scsi_id ${extraUtils}/bin/scsi_id \
|
|
--replace cdrom_id ${extraUtils}/bin/cdrom_id \
|
|
--replace ${pkgs.coreutils}/bin/basename ${extraUtils}/bin/basename \
|
|
--replace ${pkgs.util-linux}/bin/blkid ${extraUtils}/bin/blkid \
|
|
--replace ${getBin pkgs.lvm2}/bin ${extraUtils}/bin \
|
|
--replace ${pkgs.mdadm}/sbin ${extraUtils}/sbin \
|
|
--replace ${pkgs.bash}/bin/sh ${extraUtils}/bin/sh \
|
|
--replace ${udev} ${extraUtils}
|
|
done
|
|
|
|
# Work around a bug in QEMU, which doesn't implement the "READ
|
|
# DISC INFORMATION" SCSI command:
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=609049
|
|
# As a result, `cdrom_id' doesn't print
|
|
# ID_CDROM_MEDIA_TRACK_COUNT_DATA, which in turn prevents the
|
|
# /dev/disk/by-label symlinks from being created. We need these
|
|
# in the NixOS installation CD, so use ID_CDROM_MEDIA in the
|
|
# corresponding udev rules for now. This was the behaviour in
|
|
# udev <= 154. See also
|
|
# http://www.spinics.net/lists/hotplug/msg03935.html
|
|
substituteInPlace $out/60-persistent-storage.rules \
|
|
--replace ID_CDROM_MEDIA_TRACK_COUNT_DATA ID_CDROM_MEDIA
|
|
''; # */
|
|
|
|
|
|
# The init script of boot stage 1 (loading kernel modules for
|
|
# mounting the root FS).
|
|
bootStage1 = pkgs.substituteAll {
|
|
src = ./stage-1-init.sh;
|
|
|
|
shell = "${extraUtils}/bin/ash";
|
|
|
|
isExecutable = true;
|
|
|
|
postInstall = ''
|
|
echo checking syntax
|
|
# check both with bash
|
|
${pkgs.buildPackages.bash}/bin/sh -n $target
|
|
# and with ash shell, just in case
|
|
${pkgs.buildPackages.busybox}/bin/ash -n $target
|
|
'';
|
|
|
|
inherit linkUnits udevRules extraUtils modulesClosure;
|
|
|
|
inherit (config.boot) resumeDevice;
|
|
|
|
inherit (config.system.build) earlyMountScript;
|
|
|
|
inherit (config.boot.initrd) checkJournalingFS verbose
|
|
preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
|
|
|
|
resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
|
|
(filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable
|
|
# Don't include zram devices
|
|
&& !(hasPrefix "/dev/zram" sd.device)
|
|
) config.swapDevices);
|
|
|
|
fsInfo =
|
|
let f = fs: [ fs.mountPoint (if fs.device != null then fs.device else "/dev/disk/by-label/${fs.label}") fs.fsType (builtins.concatStringsSep "," fs.options) ];
|
|
in pkgs.writeText "initrd-fsinfo" (concatStringsSep "\n" (concatMap f fileSystems));
|
|
|
|
setHostId = optionalString (config.networking.hostId != null) ''
|
|
hi="${config.networking.hostId}"
|
|
${if pkgs.stdenv.isBigEndian then ''
|
|
echo -ne "\x''${hi:0:2}\x''${hi:2:2}\x''${hi:4:2}\x''${hi:6:2}" > /etc/hostid
|
|
'' else ''
|
|
echo -ne "\x''${hi:6:2}\x''${hi:4:2}\x''${hi:2:2}\x''${hi:0:2}" > /etc/hostid
|
|
''}
|
|
'';
|
|
};
|
|
|
|
|
|
# The closure of the init script of boot stage 1 is what we put in
|
|
# the initial RAM disk.
|
|
initialRamdisk = pkgs.makeInitrd {
|
|
name = "initrd-${kernel-name}";
|
|
inherit (config.boot.initrd) compressor compressorArgs prepend;
|
|
|
|
contents =
|
|
[ { object = bootStage1;
|
|
symlink = "/init";
|
|
}
|
|
{ object = pkgs.writeText "mdadm.conf" config.boot.initrd.services.swraid.mdadmConf;
|
|
symlink = "/etc/mdadm.conf";
|
|
}
|
|
{ object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" {
|
|
src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
|
|
preferLocalBuild = true;
|
|
} ''
|
|
target=$out
|
|
${pkgs.buildPackages.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out
|
|
'';
|
|
symlink = "/etc/modprobe.d/ubuntu.conf";
|
|
}
|
|
{ object = config.environment.etc."modprobe.d/nixos.conf".source;
|
|
symlink = "/etc/modprobe.d/nixos.conf";
|
|
}
|
|
{ object = pkgs.kmod-debian-aliases;
|
|
symlink = "/etc/modprobe.d/debian.conf";
|
|
}
|
|
] ++ lib.optionals config.services.multipath.enable [
|
|
{ object = pkgs.runCommand "multipath.conf" {
|
|
src = config.environment.etc."multipath.conf".text;
|
|
preferLocalBuild = true;
|
|
} ''
|
|
target=$out
|
|
printf "$src" > $out
|
|
substituteInPlace $out \
|
|
--replace ${config.services.multipath.package}/lib ${extraUtils}/lib
|
|
'';
|
|
symlink = "/etc/multipath.conf";
|
|
}
|
|
] ++ (lib.mapAttrsToList
|
|
(symlink: options:
|
|
{
|
|
inherit symlink;
|
|
object = options.source;
|
|
}
|
|
)
|
|
config.boot.initrd.extraFiles);
|
|
};
|
|
|
|
# Script to add secret files to the initrd at bootloader update time
|
|
initialRamdiskSecretAppender =
|
|
let
|
|
compressorExe = initialRamdisk.compressorExecutableFunction pkgs;
|
|
in pkgs.writeScriptBin "append-initrd-secrets"
|
|
''
|
|
#!${pkgs.bash}/bin/bash -e
|
|
function usage {
|
|
echo "USAGE: $0 INITRD_FILE" >&2
|
|
echo "Appends this configuration's secrets to INITRD_FILE" >&2
|
|
}
|
|
|
|
if [ $# -ne 1 ]; then
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$1"x = "--helpx" ]; then
|
|
usage
|
|
exit 0
|
|
fi
|
|
|
|
${lib.optionalString (config.boot.initrd.secrets == {})
|
|
"exit 0"}
|
|
|
|
export PATH=${pkgs.coreutils}/bin:${pkgs.libarchive}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
|
|
|
|
function cleanup {
|
|
if [ -n "$tmp" -a -d "$tmp" ]; then
|
|
rm -fR "$tmp"
|
|
fi
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
tmp=$(mktemp -d ''${TMPDIR:-/tmp}/initrd-secrets.XXXXXXXXXX)
|
|
|
|
${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
|
|
let source' = if source == null then dest else toString source; in
|
|
''
|
|
mkdir -p $(dirname "$tmp/.initrd-secrets/${dest}")
|
|
cp -a ${source'} "$tmp/.initrd-secrets/${dest}"
|
|
''
|
|
) config.boot.initrd.secrets)
|
|
}
|
|
|
|
(cd "$tmp" && find . -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \
|
|
${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1"
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
options = {
|
|
|
|
boot.resumeDevice = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
example = "/dev/sda3";
|
|
description = ''
|
|
Device for manual resume attempt during boot. This should be used primarily
|
|
if you want to resume from file. If left empty, the swap partitions are used.
|
|
Specify here the device where the file resides.
|
|
You should also use <varname>boot.kernelParams</varname> to specify
|
|
<literal><replaceable>resume_offset</replaceable></literal>.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.enable = mkOption {
|
|
type = types.bool;
|
|
default = !config.boot.isContainer;
|
|
defaultText = literalExpression "!config.boot.isContainer";
|
|
description = ''
|
|
Whether to enable the NixOS initial RAM disk (initrd). This may be
|
|
needed to perform some initialisation tasks (like mounting
|
|
network/encrypted file systems) before continuing the boot process.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.extraFiles = mkOption {
|
|
default = { };
|
|
type = types.attrsOf
|
|
(types.submodule {
|
|
options = {
|
|
source = mkOption {
|
|
type = types.package;
|
|
description = "The object to make available inside the initrd.";
|
|
};
|
|
};
|
|
});
|
|
description = ''
|
|
Extra files to link and copy in to the initrd.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.prepend = mkOption {
|
|
default = [ ];
|
|
type = types.listOf types.str;
|
|
description = ''
|
|
Other initrd files to prepend to the final initrd we are building.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.checkJournalingFS = mkOption {
|
|
default = true;
|
|
type = types.bool;
|
|
description = ''
|
|
Whether to run <command>fsck</command> on journaling filesystems such as ext3.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.preLVMCommands = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed immediately before LVM discovery.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.preDeviceCommands = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed before udev is started to create
|
|
device nodes.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.postDeviceCommands = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed immediately after stage 1 of the
|
|
boot has loaded kernel modules and created device nodes in
|
|
<filename>/dev</filename>.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.postMountCommands = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed immediately after the stage 1
|
|
filesystems have been mounted.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.preFailCommands = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed before the failure prompt is shown.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.extraUtilsCommands = mkOption {
|
|
internal = true;
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed in the builder of the
|
|
extra-utils derivation. This can be used to provide
|
|
additional utilities in the initial ramdisk.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.extraUtilsCommandsTest = mkOption {
|
|
internal = true;
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed in the builder of the
|
|
extra-utils derivation after patchelf has done its
|
|
job. This can be used to test additional utilities
|
|
copied in extraUtilsCommands.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.extraUdevRulesCommands = mkOption {
|
|
internal = true;
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Shell commands to be executed in the builder of the
|
|
udev-rules derivation. This can be used to add
|
|
additional udev rules in the initial ramdisk.
|
|
'';
|
|
};
|
|
|
|
boot.initrd.compressor = mkOption {
|
|
default = (
|
|
if lib.versionAtLeast config.boot.kernelPackages.kernel.version "5.9"
|
|
then "zstd"
|
|
else "gzip"
|
|
);
|
|
defaultText = literalDocBook "<literal>zstd</literal> if the kernel supports it (5.9+), <literal>gzip</literal> if not";
|
|
type = types.either types.str (types.functionTo types.str);
|
|
description = ''
|
|
The compressor to use on the initrd image. May be any of:
|
|
|
|
<itemizedlist>
|
|
<listitem><para>The name of one of the predefined compressors, see <filename>pkgs/build-support/kernel/initrd-compressor-meta.nix</filename> for the definitions.</para></listitem>
|
|
<listitem><para>A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. <literal>pkgs: "''${pkgs.pigz}/bin/pigz"</literal></para></listitem>
|
|
<listitem><para>(not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. <literal>"''${pkgs.pigz}/bin/pigz"</literal></para></listitem>
|
|
</itemizedlist>
|
|
|
|
The given program should read data from stdin and write it to stdout compressed.
|
|
'';
|
|
example = "xz";
|
|
};
|
|
|
|
boot.initrd.compressorArgs = mkOption {
|
|
default = null;
|
|
type = types.nullOr (types.listOf types.str);
|
|
description = "Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults.";
|
|
};
|
|
|
|
boot.initrd.secrets = mkOption
|
|
{ default = {};
|
|
type = types.attrsOf (types.nullOr types.path);
|
|
description =
|
|
''
|
|
Secrets to append to the initrd. The attribute name is the
|
|
path the secret should have inside the initrd, the value
|
|
is the path it should be copied from (or null for the same
|
|
path inside and out).
|
|
'';
|
|
example = literalExpression
|
|
''
|
|
{ "/etc/dropbear/dropbear_rsa_host_key" =
|
|
./secret-dropbear-key;
|
|
}
|
|
'';
|
|
};
|
|
|
|
boot.initrd.supportedFilesystems = mkOption {
|
|
default = [ ];
|
|
example = [ "btrfs" ];
|
|
type = types.listOf types.str;
|
|
description = "Names of supported filesystem types in the initial ramdisk.";
|
|
};
|
|
|
|
boot.initrd.verbose = mkOption {
|
|
default = true;
|
|
type = types.bool;
|
|
description =
|
|
''
|
|
Verbosity of the initrd. Please note that disabling verbosity removes
|
|
only the mandatory messages generated by the NixOS scripts. For a
|
|
completely silent boot, you might also want to set the two following
|
|
configuration options:
|
|
|
|
<itemizedlist>
|
|
<listitem><para><literal>boot.consoleLogLevel = 0;</literal></para></listitem>
|
|
<listitem><para><literal>boot.kernelParams = [ "quiet" "udev.log_level=3" ];</literal></para></listitem>
|
|
</itemizedlist>
|
|
'';
|
|
};
|
|
|
|
boot.loader.supportsInitrdSecrets = mkOption
|
|
{ internal = true;
|
|
default = false;
|
|
type = types.bool;
|
|
description =
|
|
''
|
|
Whether the bootloader setup runs append-initrd-secrets.
|
|
If not, any needed secrets must be copied into the initrd
|
|
and thus added to the store.
|
|
'';
|
|
};
|
|
|
|
fileSystems = mkOption {
|
|
type = with lib.types; attrsOf (submodule {
|
|
options.neededForBoot = mkOption {
|
|
default = false;
|
|
type = types.bool;
|
|
description = ''
|
|
If set, this file system will be mounted in the initial ramdisk.
|
|
Note that the file system will always be mounted in the initial
|
|
ramdisk if its mount point is one of the following:
|
|
${concatStringsSep ", " (
|
|
forEach utils.pathsNeededForBoot (i: "<filename>${i}</filename>")
|
|
)}.
|
|
'';
|
|
};
|
|
});
|
|
};
|
|
|
|
};
|
|
|
|
config = mkIf config.boot.initrd.enable {
|
|
assertions = [
|
|
{ assertion = any (fs: fs.mountPoint == "/") fileSystems;
|
|
message = "The ‘fileSystems’ option does not specify your root file system.";
|
|
}
|
|
{ assertion = let inherit (config.boot) resumeDevice; in
|
|
resumeDevice == "" || builtins.substring 0 1 resumeDevice == "/";
|
|
message = "boot.resumeDevice has to be an absolute path."
|
|
+ " Old \"x:y\" style is no longer supported.";
|
|
}
|
|
# TODO: remove when #85000 is fixed
|
|
{ assertion = !config.boot.loader.supportsInitrdSecrets ->
|
|
all (source:
|
|
builtins.isPath source ||
|
|
(builtins.isString source && hasPrefix builtins.storeDir source))
|
|
(attrValues config.boot.initrd.secrets);
|
|
message = ''
|
|
boot.loader.initrd.secrets values must be unquoted paths when
|
|
using a bootloader that doesn't natively support initrd
|
|
secrets, e.g.:
|
|
|
|
boot.initrd.secrets = {
|
|
"/etc/secret" = /path/to/secret;
|
|
};
|
|
|
|
Note that this will result in all secrets being stored
|
|
world-readable in the Nix store!
|
|
'';
|
|
}
|
|
];
|
|
|
|
system.build = mkMerge [
|
|
{ inherit bootStage1 initialRamdiskSecretAppender extraUtils; }
|
|
|
|
# generated in nixos/modules/system/boot/systemd/initrd.nix
|
|
(mkIf (!config.boot.initrd.systemd.enable) { inherit initialRamdisk; })
|
|
];
|
|
|
|
system.requiredKernelConfig = with config.lib.kernelConfig; [
|
|
(isYes "TMPFS")
|
|
(isYes "BLK_DEV_INITRD")
|
|
];
|
|
|
|
boot.initrd.supportedFilesystems = map (fs: fs.fsType) fileSystems;
|
|
};
|
|
|
|
imports = [
|
|
(mkRenamedOptionModule [ "boot" "initrd" "mdadmConf" ] [ "boot" "initrd" "services" "swraid" "mdadmConf" ])
|
|
];
|
|
}
|
|
|