+2
nixos/doc/manual/release-notes/rl-2305.section.md
···- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).+- `boot.bootspec.enable` (internal option) is now enabled by default because [RFC-0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot.
+20
-7
nixos/modules/system/activation/bootspec.cue
······
+18
-26
nixos/modules/system/activation/bootspec.nix
···label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets";······document = "Document"; # Universal validator for any version as long the schema is correctly set.···-enable = lib.mkEnableOption (lib.mdDoc "Enable generation of RFC-0125 bootspec in $system/bootspec, e.g. /run/current-system/bootspec");+enable = lib.mkEnableOption (lib.mdDoc "the generation of RFC-0125 bootspec in $system/boot.json, e.g. /run/current-system/boot.json")+enableValidation = lib.mkEnableOption (lib.mdDoc ''the validation of bootspec documents for each build.+This will introduce Go in the build-time closure as we are relying on [Cuelang](https://cuelang.org/) for schema validation.+# NOTE(RaitoBezarius): this is not enough to validate: extensions."osRelease" = drv; those are picked up by cue validation.···-The schema is not definitive and features are not guaranteed to be stable until RFC-0125 is merged.
+2
-1
nixos/modules/system/activation/top-level.nix
···
+7
-5
nixos/tests/bootspec.nix
···+bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json"))assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled"···-sp_in_parent = json.loads(machine.succeed("jq -r '.v1.specialisation.something' /run/current-system/boot.json"))+sp_in_parent = json.loads(machine.succeed("jq -r '.\"org.nixos.specialisation.v1\".something' /run/current-system/boot.json"))sp_in_fs = json.loads(machine.succeed("cat /run/current-system/specialisation/something/boot.json"))+assert sp_in_parent['org.nixos.bootspec.v1'] == sp_in_fs['org.nixos.bootspec.v1'], "Bootspecs of the same specialisation are different!"······-bootspec_os_release = machine.succeed("cat $(jq -r '.v1.extensions.osRelease' /run/current-system/boot.json)")+bootspec_os_release = machine.succeed("cat $(jq -r '.\"org.nix-tests.product\".osRelease' /run/current-system/boot.json)")assert current_os_release == bootspec_os_release, "Filename referenced by extension has unexpected contents"
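Review bot: The added release-note entry in nixos/doc/manual/release-notes/rl-2305.section.md announces that `boot.json` is now generated by default but does not mention that the document's keys changed, which the test hunk shows (`.v1.specialisation.something` became `."org.nixos.specialisation.v1".something`). Anything that already parses `boot.json` by the `v1` key will stop finding its data, so the entry should name the new `org.nixos.bootspec.v1` and `org.nixos.specialisation.v1` keys. It would also help to mention `enableValidation` in the same entry, since the option is introduced in this change, and "usecases" should read "use cases".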
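Review bot: In nixos/modules/system/activation/bootspec.nix the `enableValidation` description says what validation costs (Go in the build-time closure) but not what it covers, and the adjacent `NOTE(RaitoBezarius)` comment is ambiguous: "this is not enough to validate: extensions."osRelease" = drv; those are picked up by cue validation" can be read as either "such extensions are caught" or "such extensions are missed". Unless a default is set outside the visible lines, `mkEnableOption` leaves validation off, so the description should state which malformed documents go unnoticed when it is off, and the comment should say plainly what the Nix-side check misses. Minor: "as long the schema" in the `document = "Document"` comment should be "as long as the schema".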
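Review bot: In nixos/tests/bootspec.nix the assertion following the new `bootspec = json.loads(...)` line checks `all(key in bootspec for key in ('initrd', 'initrdSecrets'))` while its message says "initrd or initrdSecrets", so either the message should say "and" or the check should be `any`. Also, `jq -r '."org.nixos.bootspec.v1"'` prints `null` when the key is absent, `json.loads` turns that into `None`, and `key in bootspec` then raises a TypeError instead of failing with the assertion message. Running `jq -e` or asserting `bootspec is not None` first would make a missing top-level key fail clearly, and the same applies to `sp_in_parent` before it is indexed with `['org.nixos.bootspec.v1']`.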