authorFrederik Rietdijk <freddyrietdijk@fridh.nl>2019-06-15 10:46:55 +0200
committerGitHub <noreply@github.com>2019-06-15 10:46:55 +0200
commit9bd6c5d817a47f9be45107d0cec6f60b45c53190 (patch)
tree202482c3e276ce328228b686fa9508ec1f0beb31 /nixos
parent96d79aff400104c0c4b6b391cf2fd521097beb0e (diff)
parent3cf9c7163fc1becb1f08906967110891e208f1fc (diff)
Merge staging-next into master
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1909.xml49
-rw-r--r--nixos/modules/misc/nixops-autoluks.nix44
-rw-r--r--nixos/modules/misc/version.nix1
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/hardware/80-net-setup-link.rules13
-rw-r--r--nixos/modules/services/hardware/udev.nix6
-rw-r--r--nixos/modules/system/boot/networkd.nix2
-rw-r--r--nixos/modules/system/boot/systemd.nix2
-rw-r--r--nixos/modules/system/boot/timesyncd.nix9
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix11
-rw-r--r--nixos/modules/testing/test-instrumentation.nix3
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/containers-imperative.nix21
-rw-r--r--nixos/tests/radicale.nix2
-rw-r--r--nixos/tests/systemd-timesyncd.nix52
15 files changed, 189 insertions, 28 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 51a894269d9b..b92cefa441d8 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -137,6 +137,40 @@
</para>
</listitem>
<listitem>
+ <para>
+ The option <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</option>
+ was renamed to <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</option>
+ (capital <literal>L</literal>). This follows
+ <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
+ upstreams renaming
+ </link> of the setting.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
+ with our systemd version without manual intervention.
+ </para>
+ <para>
+ Whenever the usage of the module is detected the evaluation will fail with a message
+ explaining why and how to deal with the situation.
+ </para>
+ <para>
+ A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
+ has been introduced to disable the eval failure and to acknowledge the notice was received and read.
+ If you plan on using the feature please note that it might break with subsequent updates.
+ </para>
+ <para>
+ Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
+ devices provided by the autoLuks module. Not doing this might render the system in a
+ state where it doesn't boot anymore.
+ </para>
+ <para>
+ If you are actively using the <literal>autoLuks</literal> module please let us know in
+ <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
+ </para>
+ </listitem>
+ <listitem>
<para>
The setopt declarations will be evaluated at the end of <literal>/etc/zshrc</literal>, so any code in <xref linkend="opt-programs.zsh.interactiveShellInit" />,
<xref linkend="opt-programs.zsh.loginShellInit" /> and <xref linkend="opt-programs.zsh.promptInit" /> may break if it relies on those options being set.
@@ -211,6 +245,20 @@
RuntimeDirectory and tmpfiles.
</para>
</listitem>
+ <listitem>
+ <para>
+ With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal>
+ service is no longer using <literal>DynamicUser=yes</literal>. In order for the
+ upgrade to work we rely on an activation script to move the state from the old
+ to the new directory. The older directory (prior <literal>19.09</literal>) was
+ <literal>/var/lib/private/systemd/timesync</literal>.
+ </para>
+ <para>
+ As long as the <literal>system.config.stateVersion</literal> is below
+ <literal>19.09</literal> the state folder will migrated to its proper location
+ (<literal>/var/lib/systemd/timesync</literal>), if required.
+ </para>
+ </listitem>
<listitem>
<para>
Since version 0.1.19, <literal>cargo-vendor</literal> honors package
@@ -221,7 +269,6 @@
vendored files for most Rust packages, the hash that use used to verify
the dependencies, <literal>cargoSha256</literal>, also changes.
</para>
-
<para>
The <literal>cargoSha256</literal> hashes of all in-tree derivations that
use <literal>buildRustPackage</literal> have been updated to reflect this
diff --git a/nixos/modules/misc/nixops-autoluks.nix b/nixos/modules/misc/nixops-autoluks.nix
new file mode 100644
index 000000000000..2153c6f975ad
--- /dev/null
+++ b/nixos/modules/misc/nixops-autoluks.nix
@@ -0,0 +1,44 @@
+{ config, options, lib, ... }:
+let
+ path = [ "deployment" "autoLuks" ];
+ hasAutoLuksOption = lib.hasAttrByPath path options;
+ hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {};
+
+ inherit (config.nixops) enableDeprecatedAutoLuks;
+in {
+ options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module";
+
+ config = {
+ assertions = [
+ {
+ assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true;
+ message = ''
+ ⚠️ !!! WARNING !!! ⚠️
+
+ NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit.
+ If you still want to use the module:
+ a) Please raise your voice in the issue tracking usage of the module:
+ https://github.com/NixOS/nixpkgs/issues/62211
+ b) make sure you set the `_netdev` option for each of the file
+ systems referring to block devices provided by the autoLuks module.
+
+ ⚠️ If you do not set the option your system will not boot anymore! ⚠️
+
+ {
+ fileSystems."/secret" = { options = [ "_netdev" ]; };
+ }
+
+ b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error.
+
+
+ For more details read through the following resources:
+ - https://github.com/NixOS/nixops/pull/1156
+ - https://github.com/NixOS/nixpkgs/issues/47550
+ - https://github.com/NixOS/nixpkgs/issues/62211
+ - https://github.com/NixOS/nixpkgs/pull/61321
+ '';
+ }
+ ];
+ };
+
+}
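Review bot: The assertion `if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true` re-tests `hasAutoLuksConfig` inside its own true branch; `assertion = !hasAutoLuksConfig || enableDeprecatedAutoLuks;` is equivalent and easier to audit for a guard in front of a disk-encryption feature. `hasAutoLuksOption` is bound in the `let` but never used in the visible file. The message letters its steps a), b), b), so the acknowledgement step should read `c) set the option ...`; because the text warns that a missing `_netdev` leaves the system unbootable, the steps should be unambiguous. `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the description would read better as `"the deprecated NixOps AutoLuks module"`.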
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index c576cf4cb925..c9b374b6d7b1 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -95,6 +95,7 @@ in
PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})"
LOGO="nix-snowflake"
HOME_URL="https://nixos.org/"
+ DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html"
SUPPORT_URL="https://nixos.org/nixos/support.html"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
'';
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index bb2c0a8f180f..bb33d8e6d95a 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -84,6 +84,7 @@
./misc/nixpkgs.nix
./misc/passthru.nix
./misc/version.nix
+ ./misc/nixops-autoluks.nix
./programs/adb.nix
./programs/atop.nix
./programs/autojump.nix
diff --git a/nixos/modules/services/hardware/80-net-setup-link.rules b/nixos/modules/services/hardware/80-net-setup-link.rules
deleted file mode 100644
index 18547f170a3f..000000000000
--- a/nixos/modules/services/hardware/80-net-setup-link.rules
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copied from systemd 203.
-ACTION=="remove", GOTO="net_name_slot_end"
-SUBSYSTEM!="net", GOTO="net_name_slot_end"
-NAME!="", GOTO="net_name_slot_end"
-
-IMPORT{cmdline}="net.ifnames"
-ENV{net.ifnames}=="0", GOTO="net_name_slot_end"
-
-NAME=="", ENV{ID_NET_NAME_ONBOARD}!="", NAME="$env{ID_NET_NAME_ONBOARD}"
-NAME=="", ENV{ID_NET_NAME_SLOT}!="", NAME="$env{ID_NET_NAME_SLOT}"
-NAME=="", ENV{ID_NET_NAME_PATH}!="", NAME="$env{ID_NET_NAME_PATH}"
-
-LABEL="net_name_slot_end"
diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
index 0266286aaacf..cb2f1e6621ae 100644
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -116,10 +116,6 @@ let
exit 1
fi
- ${optionalString config.networking.usePredictableInterfaceNames ''
- cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules
- ''}
-
# If auto-configuration is disabled, then remove
# udev's 80-drivers.rules file, which contains rules for
# automatically calling modprobe.
@@ -282,6 +278,8 @@ in
services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux udev ];
+ boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
+
environment.etc =
[ { source = udevRules;
target = "udev/rules.d";
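Review bot: The new `boot.kernelParams` line has no comment saying that `net.ifnames=0` is read from the kernel command line, so a change to `networking.usePredictableInterfaceNames` now only takes effect at the next boot. I would add `# net.ifnames=0 is read from the kernel command line; changing this option requires a reboot` above it. Interface names are commonly referenced by firewall and routing configuration, so an administrator flipping this option should know when the rename actually happens. The enclosing `config` block starts and ends outside the hunk.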
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 882db9130ea8..f1aa9064bef4 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -203,7 +203,7 @@ let
checkRoute = checkUnitConfig "Route" [
(assertOnlyFields [
- "Gateway" "GatewayOnlink" "Destination" "Source" "Metric"
+ "Gateway" "GatewayOnLink" "Destination" "Source" "Metric"
"IPv6Preference" "Scope" "PreferredSource" "Table" "Protocol" "Type"
"InitialCongestionWindow" "InitialAdvertisedReceiveWindow" "QuickAck"
"MTUBytes"
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 933dea1c6b81..cf35504e5182 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -943,7 +943,6 @@ in
# Don't bother with certain units in containers.
systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container";
-
};
# FIXME: Remove these eventually.
@@ -952,5 +951,4 @@ in
(mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ])
(mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ])
];
-
}
diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix
index 8d8bfe5900a9..8282cdd6f3aa 100644
--- a/nixos/modules/system/boot/timesyncd.nix
+++ b/nixos/modules/system/boot/timesyncd.nix
@@ -40,6 +40,15 @@ with lib;
users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync;
users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync;
+ system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") ''
+ # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes
+ # - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742
+ # - https://github.com/systemd/systemd/issues/12131
+ if [ -L /var/lib/systemd/timesync ]; then
+ rm /var/lib/systemd/timesync
+ mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync
+ fi
+ '';
};
}
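Review bot: The migration snippet removes the symlink before it knows the old directory exists: if `/var/lib/systemd/timesync` is a dangling link, `rm` succeeds, `mv` fails, and no state directory is left behind by the script. Guarding the move after the `rm`, e.g. `if [ -d /var/lib/private/systemd/timesync ]; then mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync; fi`, keeps the script safe to re-run. The directory is also moved with whatever owner and mode it had under `/var/lib/private`; nothing visible here resets them for the `systemd-timesync` user, so it is worth confirming they match what the non-dynamic unit expects. The enclosing `config` block starts outside the hunk.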
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 2318bdd1d582..857aaf1e6e30 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -12,7 +12,7 @@ let
i.ipv4.addresses
++ optionals cfg.enableIPv6 i.ipv6.addresses;
- dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none";
+ dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no";
slaves =
concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds))
@@ -59,7 +59,14 @@ in
in {
DHCP = override (dhcpStr cfg.useDHCP);
} // optionalAttrs (gateway != [ ]) {
- gateway = override gateway;
+ routes = override [
+ {
+ routeConfig = {
+ Gateway = gateway;
+ GatewayOnLink = false;
+ };
+ }
+ ];
} // optionalAttrs (domains != [ ]) {
domains = override domains;
};
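Review bot: `gateway` is compared with `[ ]`, so it looks like a list (its definition is outside the hunk), yet the new code puts the whole list into the `Gateway` key of a single route. If it can hold both an IPv4 and an IPv6 default gateway, one `[Route]` section would presumably carry two `Gateway=` values and only one of them would take effect. Emitting one route per entry avoids that: `routes = override (map (gw: { routeConfig = { Gateway = gw; GatewayOnLink = false; }; }) gateway);`.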
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index ed4cfa7805e2..1a11d9ce7c26 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -129,9 +129,6 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
users.users.root.initialHashedPassword = mkOverride 150 "";
services.xserver.displayManager.job.logToJournal = true;
-
- # set default stateVersion to avoid warnings during eval
- system.stateVersion = mkDefault "18.03";
};
}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 912e4f552313..3872970343a9 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -240,6 +240,7 @@ in
syncthing-relay = handleTest ./syncthing-relay.nix {};
systemd = handleTest ./systemd.nix {};
systemd-confinement = handleTest ./systemd-confinement.nix {};
+ systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
pdns-recursor = handleTest ./pdns-recursor.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix
index 0c101037aa7f..2e7e4b2f1d69 100644
--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -35,7 +35,17 @@ import ./make-test.nix ({ pkgs, ...} : {
];
};
- testScript =
+ testScript = let
+ tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
+ {
+ systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
+ systemd.services.foo = {
+ serviceConfig.Type = "oneshot";
+ script = "ls -al /foo";
+ wantedBy = [ "multi-user.target" ];
+ };
+ }
+ ''; in
''
# Make sure we have a NixOS tree (required by ‘nixos-container create’).
$machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");
@@ -93,6 +103,15 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->succeed("nixos-container stop $id1");
$machine->succeed("nixos-container start $id1");
+ # Ensure tmpfiles are present
+ $machine->log("creating container tmpfiles");
+ $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}");
+ $machine->log("created, starting…");
+ $machine->succeed("nixos-container start tmpfiles");
+ $machine->log("done starting, investigating…");
+ $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;");
+ $machine->succeed("nixos-container destroy tmpfiles");
+
# Execute commands via the root shell.
$machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
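Review bot: The check `... | grep -q active` also matches the output `inactive`, and wrapping the call in `echo \$(...)` discards the exit status of `systemctl is-active`, so this step passes even when `foo.service` is not active. Matching the whole line closes the gap: `grep -qx active`. `foo` is declared in the first hunk as a `oneshot` without `RemainAfterExit`, so it would presumably report `inactive` once `ls -al /foo` has finished; adding `serviceConfig.RemainAfterExit = true;` to `tmpfilesContainerConfig` would let the stricter check pass. The test script continues outside both hunks.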
diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix
index bf22fc9291af..607964255640 100644
--- a/nixos/tests/radicale.nix
+++ b/nixos/tests/radicale.nix
@@ -85,7 +85,7 @@ in
$radicale->succeed('mv /tmp/collections-new/collection-root /tmp/collections');
$radicale->succeed('${switchToConfig "radicale2_verify"} >&2');
$radicale->waitUntilFails('systemctl status radicale');
- my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 5');
+ my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 10');
if ($retcode != 0 || index($logs, 'Verifying storage') == -1) {
die "Radicale 2 didn't verify storage"
}
diff --git a/nixos/tests/systemd-timesyncd.nix b/nixos/tests/systemd-timesyncd.nix
new file mode 100644
index 000000000000..d12b8eb2bf7e
--- /dev/null
+++ b/nixos/tests/systemd-timesyncd.nix
@@ -0,0 +1,52 @@
+# Regression test for systemd-timesync having moved the state directory without
+# upstream providing a migration path. https://github.com/systemd/systemd/issues/12131
+
+import ./make-test.nix (let
+ common = { lib, ... }: {
+ # override the `false` value from the qemu-vm base profile
+ services.timesyncd.enable = lib.mkForce true;
+ };
+ mkVM = conf: { imports = [ conf common ]; };
+in {
+ name = "systemd-timesyncd";
+ nodes = {
+ current = mkVM {};
+ pre1909 = mkVM ({lib, ... }: with lib; {
+ # create the path that should be migrated by our activation script when
+ # upgrading to a newer nixos version
+ system.stateVersion = "19.03";
+ system.activationScripts.simulate-old-timesync-state-dir = mkBefore ''
+ rm -f /var/lib/systemd/timesync
+ mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync
+ ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync
+ chown systemd-timesync: /var/lib/private/systemd/timesync
+ '';
+ });
+ };
+
+ testScript = ''
+ startAll;
+ $current->succeed('systemctl status systemd-timesyncd.service');
+ # on a new install with a recent systemd there should not be any
+ # leftovers from the dynamic user mess
+ $current->succeed('test -e /var/lib/systemd/timesync');
+ $current->succeed('test ! -L /var/lib/systemd/timesync');
+
+ # timesyncd should be running on the upgrading system since we fixed the
+ # file bits in the activation script
+ $pre1909->succeed('systemctl status systemd-timesyncd.service');
+
+ # the path should be gone after the migration
+ $pre1909->succeed('test ! -e /var/lib/private/systemd/timesync');
+
+ # and the new path should no longer be a symlink
+ $pre1909->succeed('test -e /var/lib/systemd/timesync');
+ $pre1909->succeed('test ! -L /var/lib/systemd/timesync');
+
+ # after a restart things should still work and not fail in the activation
+ # scripts and cause the boot to fail..
+ $pre1909->shutdown;
+ $pre1909->start;
+ $pre1909->succeed('systemctl status systemd-timesyncd.service');
+ '';
+})
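Review bot: The comment `since we fixed the file bits in the activation script` does not match the migration script this commit adds in `timesyncd.nix`, which only removes the symlink and moves the directory; ownership is set by the test's own `chown systemd-timesync:` beforehand. I would reword it to `# timesyncd should be running on the upgrading system since the activation script moved the state directory`. Adding an assertion such as `$pre1909->succeed('test "$(stat -c %U /var/lib/systemd/timesync)" = systemd-timesync');` would catch a migration that leaves the directory unusable for the service user directly, rather than only through the unit status.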