678eed323f
Previously, secrets were named according to the initrd they were associated with. This created a problem: If secrets were changed whilst the initrd remained the same, there were two versions of the secrets with one initrd. The result was that only one version of the secrets would by recorded into the /boot partition and get used. AFAICT this would only be the oldest version of the secrets for the given initrd version. This manifests as #114594, which I found frustrating while trying to use initrd secrets for the first time. While developing the secrets I found I could not get new versions of the secrets to take effect. Additionally, it's a nasty issue to run into if you had cause to change the initrd secrets for credential rotation, etc, if you change them and discover you cannot, or alternatively that you can't roll back as you would expect. Additional changes in this patch. * Add a regression test that switching to another grub configuration with the alternate secrets works. This test relies on the fact that it is not changing the initrd. I have checked that the test fails if I undo my change. * Persist the useBootLoader disk state, similarly to other boot state. * I had to do this, otherwise I could not find a route to testing the alternate boot configuration. I did attempt a few different ways of testing this, including directly running install-grub.pl, but what I've settled on is most like what a user would do and avoids depending on lots of internal details. * Making tests that test the boot are a bit tricky (see hibernate.nix and installer.nix for inspiration), I found that in addition to having to copy quite a bit of code I still couldn't get things to work as desired since the bootloader state was being clobbered. My change to persist the useBootLoader state could break things, conceptually. I need some help here discovering if that is the case, possibly by letting this run through a staging CI if there is one. Fix #114594. cc potential reviewers: @lopsided98 (original implementer) @joachifm (original reviewer), @wkennington (numerous fixes to grub-install.pl), @lheckemann (wrote original secrets test). |
||
---|---|---|
.github | ||
doc | ||
lib | ||
maintainers | ||
nixos | ||
pkgs | ||
.editorconfig | ||
.git-blame-ignore-revs | ||
.gitattributes | ||
.gitignore | ||
.mailmap | ||
.version | ||
CONTRIBUTING.md | ||
COPYING | ||
default.nix | ||
flake.nix | ||
README.md |
Nixpkgs is a collection of over 80,000 software packages that can be installed with the Nix package manager. It also implements NixOS, a purely-functional Linux distribution.
Manuals
- NixOS Manual - how to install, configure, and maintain a purely-functional Linux distribution
- Nixpkgs Manual - contributing to Nixpkgs and using programming-language-specific Nix expressions
- Nix Package Manager Manual - how to write Nix expressions (programs), and how to use Nix command line tools
Community
- Discourse Forum
- Matrix Chat
- NixOS Weekly
- Community-maintained wiki
- Community-maintained list of ways to get in touch (Discord, Telegram, IRC, etc.)
Other Project Repositories
The sources of all official Nix-related projects are in the NixOS organization on GitHub. Here are some of the main ones:
- Nix - the purely functional package manager
- NixOps - the tool to remotely deploy NixOS machines
- nixos-hardware - NixOS profiles to optimize settings for different hardware
- Nix RFCs - the formal process for making substantial changes to the community
- NixOS homepage - the NixOS.org website
- hydra - our continuous integration system
- NixOS Artwork - NixOS artwork
Continuous Integration and Distribution
Nixpkgs and NixOS are built and tested by our continuous integration system, Hydra.
- Continuous package builds for unstable/master
- Continuous package builds for the NixOS 22.05 release
- Tests for unstable/master
- Tests for the NixOS 22.05 release
Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/. When successful build and test criteria are met, the Nixpkgs expressions are distributed via Nix channels.
Contributing
Nixpkgs is among the most active projects on GitHub. While thousands of open issues and pull requests might seem a lot at first, it helps consider it in the context of the scope of the project. Nixpkgs describes how to build tens of thousands of pieces of software and implements a Linux distribution. The GitHub Insights page gives a sense of the project activity.
Community contributions are always welcome through GitHub Issues and Pull Requests. When pull requests are made, our tooling automation bot, OfBorg will perform various checks to help ensure expression quality.
The Nixpkgs maintainers are people who have assigned themselves to maintain specific individual packages. We encourage people who care about a package to assign themselves as a maintainer. When a pull request is made against a package, OfBorg will notify the appropriate maintainer(s). The Nixpkgs committers are people who have been given permission to merge.
Most contributions are based on and merged into these branches:
master
is the main branch where all small contributions gostaging
is branched from master, changes that have a big impact on Hydra builds go to this branchstaging-next
is branched from staging and only fixes to stabilize and security fixes with a big impact on Hydra builds should be contributed to this branch. This branch is merged into master when deemed of sufficiently high quality
For more information about contributing to the project, please visit the contributing page.
Donations
The infrastructure for NixOS and related projects is maintained by a nonprofit organization, the NixOS Foundation. To ensure the continuity and expansion of the NixOS infrastructure, we are looking for donations to our organization.
You can donate to the NixOS foundation through SEPA bank transfers or by using Open Collective:
License
Nixpkgs is licensed under the MIT License.
Note: MIT license does not apply to the packages built by Nixpkgs, merely to the files in this repository (the Nix expressions, build scripts, NixOS modules, etc.). It also might not apply to patches included in Nixpkgs, which may be derivative works of the packages to which they apply. The aforementioned artifacts are all covered by the licenses of the respective packages.