NixOS
diff --git a/‎nixos/maintainers/scripts/ec2/amazon-image.nix‎
Lines changed: 1 addition & 1 deletion b/‎nixos/maintainers/scripts/ec2/amazon-image.nix‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎nixos/modules/image/repart-verity-store.nix‎
Lines changed: 19 additions & 5 deletions b/‎nixos/modules/image/repart-verity-store.nix‎
Lines changed: 19 additions & 5 deletions
diff --git a/‎nixos/modules/image/repart.nix‎
Lines changed: 41 additions & 30 deletions b/‎nixos/modules/image/repart.nix‎
Lines changed: 41 additions & 30 deletions
diff --git a/‎nixos/modules/services/databases/mysql.nix‎
Lines changed: 1 addition & 13 deletions b/‎nixos/modules/services/databases/mysql.nix‎
Lines changed: 1 addition & 13 deletions
diff --git a/‎nixos/modules/system/boot/luksroot.nix‎
Lines changed: 2 additions & 2 deletions b/‎nixos/modules/system/boot/luksroot.nix‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎nixos/tests/appliance-repart-image-verity-store.nix‎
Lines changed: 54 additions & 50 deletions b/‎nixos/tests/appliance-repart-image-verity-store.nix‎
Lines changed: 54 additions & 50 deletions
diff --git a/‎nixos/tests/appliance-repart-image.nix‎
Lines changed: 1 addition & 1 deletion b/‎nixos/tests/appliance-repart-image.nix‎
Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@ in
         "qcow2"
         "vpc"
       ];
-      default = "vpc";
+      default = "raw";
       description = "The image format to output";
     };
   };
 
@@ -89,13 +89,20 @@ in
       };
     };
 
+    fileSystems."/nix/store" = lib.mkDefault {
+      device = "/usr/nix/store";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+
     image.repart.partitions = {
       # dm-verity hash partition
       ${cfg.partitionIds.store-verity}.repartConfig = {
         Type = lib.mkDefault partitionTypes.usr-verity;
         Verity = "hash";
         VerityMatchKey = lib.mkDefault verityMatchKey;
         Label = lib.mkDefault "store-verity";
+        Minimize = lib.mkDefault "best";
       };
       # dm-verity data partition that contains the nix store
       ${cfg.partitionIds.store} = {
@@ -106,23 +113,29 @@ in
           Format = lib.mkDefault "erofs";
           VerityMatchKey = lib.mkDefault verityMatchKey;
           Label = lib.mkDefault "store";
+          Minimize = lib.mkDefault "best";
         };
       };
 
     };
 
     system.build = {
+      finalImage = lib.warn "system.build.finalImage has been renamed to system.build.image" config.system.build.image;
 
       # intermediate system image without ESP
       intermediateImage =
-        (config.system.build.image.override {
+        (config.image.repart.image.override {
           # always disable compression for the intermediate image
           compression.enable = false;
         }).overrideAttrs
           (
             _: previousAttrs: {
               # make it easier to identify the intermediate image in build logs
-              pname = "${previousAttrs.pname}-intermediate";
+              name =
+                if previousAttrs ? pname then
+                  "${previousAttrs.pname}-${previousAttrs.version}-intermediate"
+                else
+                  "${previousAttrs.name}-intermediate";
 
               # do not prepare the ESP, this is done in the final image
               systemdRepartFlags = previousAttrs.systemdRepartFlags ++ [ "--defer-partitions=esp" ];
@@ -162,8 +175,8 @@ in
         );
 
       # final system image that is created from the intermediate image by injecting the UKI from above
-      finalImage =
-        (config.system.build.image.override {
+      image = lib.mkOverride 99 (
+        (config.image.repart.image.override {
           # continue building with existing intermediate image
           createEmpty = false;
         }).overrideAttrs
@@ -216,7 +229,8 @@ in
                 rm -v repart-output_orig.json
               '';
             }
-          );
+          )
+      );
     };
   };
 
 
@@ -282,6 +282,15 @@ in
       '';
     };
 
+    image = lib.mkOption {
+      type = lib.types.package;
+      internal = true;
+      readOnly = true;
+      description = ''
+        The image built by this module. Used as the default for `system.build.image`.
+      '';
+    };
+
     assertions = lib.mkOption {
       type = options.assertions.type;
       default = [ ];
@@ -356,6 +365,37 @@ in
 
         finalPartitions = lib.mapAttrs addClosure cfg.partitions;
 
+        image =
+          let
+            fileSystems = lib.filter (f: f != null) (
+              lib.mapAttrsToList (_n: v: v.repartConfig.Format or null) cfg.partitions
+            );
+
+            format = pkgs.formats.ini { listsAsDuplicateKeys = true; };
+
+            definitionsDirectory = utils.systemdUtils.lib.definitions "repart.d" format (
+              lib.mapAttrs (_n: v: { Partition = v.repartConfig; }) cfg.finalPartitions
+            );
+
+            mkfsEnv = mkfsOptionsToEnv cfg.mkfsOptions;
+            val = pkgs.callPackage ./repart-image.nix {
+              systemd = cfg.package;
+              inherit (config.image) baseName;
+              inherit (cfg)
+                name
+                version
+                compression
+                split
+                seed
+                imageSize
+                sectorSize
+                finalPartitions
+                ;
+              inherit fileSystems definitionsDirectory mkfsEnv;
+            };
+          in
+          lib.asserts.checkAssertWarn cfg.assertions cfg.warnings val;
+
         assertions = lib.mapAttrsToList (
           fileName: partitionConfig:
           let
@@ -401,36 +441,7 @@ in
         );
       };
 
-    system.build.image =
-      let
-        fileSystems = lib.filter (f: f != null) (
-          lib.mapAttrsToList (_n: v: v.repartConfig.Format or null) cfg.partitions
-        );
-
-        format = pkgs.formats.ini { listsAsDuplicateKeys = true; };
-
-        definitionsDirectory = utils.systemdUtils.lib.definitions "repart.d" format (
-          lib.mapAttrs (_n: v: { Partition = v.repartConfig; }) cfg.finalPartitions
-        );
-
-        mkfsEnv = mkfsOptionsToEnv cfg.mkfsOptions;
-        val = pkgs.callPackage ./repart-image.nix {
-          systemd = cfg.package;
-          inherit (config.image) baseName;
-          inherit (cfg)
-            name
-            version
-            compression
-            split
-            seed
-            imageSize
-            sectorSize
-            finalPartitions
-            ;
-          inherit fileSystems definitionsDirectory mkfsEnv;
-        };
-      in
-      lib.asserts.checkAssertWarn cfg.assertions cfg.warnings val;
+    system.build.image = cfg.image;
   };
 
   meta.maintainers = with lib.maintainers; [
 
@@ -9,9 +9,6 @@ let
   cfg = config.services.mysql;
 
   isMariaDB = lib.getName cfg.package == lib.getName pkgs.mariadb;
-  isOracle = lib.getName cfg.package == lib.getName pkgs.mysql84;
-  # Oracle MySQL has supported "notify" service type since 8.0
-  hasNotify = isMariaDB || (isOracle && lib.versionAtLeast cfg.package.version "8.0");
 
   mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${cfg.package}";
 
@@ -576,15 +573,6 @@ in
           superUser = if isMariaDB then cfg.user else "root";
         in
         ''
-          ${lib.optionalString (!hasNotify) ''
-            # Wait until the MySQL server is available for use
-            while [ ! -e /run/mysqld/mysqld.sock ]
-            do
-                echo "MySQL daemon not yet started. Waiting for 1 second..."
-                sleep 1
-            done
-          ''}
-
           ${lib.optionalString isMariaDB ''
             # If MariaDB is used in an Galera cluster, we have to check if the sync is done,
             # or it will fail to init the database while joining, so we get in an broken non recoverable state
@@ -689,7 +677,7 @@ in
 
       serviceConfig = lib.mkMerge [
         {
-          Type = if hasNotify then "notify" else "simple";
+          Type = "notify";
           Restart = "on-abnormal";
           RestartSec = "5s";
 
 
@@ -214,7 +214,7 @@ let
 
                       # and try reading it from /dev/console with a timeout
                       IFS= read -t 1 -r passphrase
-                      if [ -n "$passphrase" ]; then
+                      if [ $? = 0 ]; then
                          ${
                            if luks.reusePassphrases then
                              ''
@@ -232,7 +232,7 @@ let
                   fi
               done
               echo -n "Verifying passphrase for ${dev.device}..."
-              echo -n "$passphrase" | ${csopen} --key-file=-
+              echo "$passphrase" | ${csopen}
               if [ $? == 0 ]; then
                   echo " - success"
                   ${
 
@@ -10,31 +10,20 @@
     willibutz
   ];
 
-  nodes.machine =
-    {
-      config,
-      lib,
-      pkgs,
-      ...
-    }:
+  defaults =
+    { config, lib, ... }:
     let
       inherit (config.image.repart.verityStore) partitionIds;
     in
     {
       imports = [ ../modules/image/repart.nix ];
 
-      virtualisation.fileSystems = lib.mkVMOverride {
+      virtualisation.fileSystems = lib.mkVMOverride { };
+      fileSystems = {
         "/" = {
           fsType = "tmpfs";
           options = [ "mode=0755" ];
         };
-
-        # bind-mount the store
-        "/nix/store" = {
-          device = "/usr/nix/store";
-          fsType = "none";
-          options = [ "bind" ];
-        };
       };
 
       image.repart = {
@@ -55,12 +44,6 @@
               SizeMinBytes = if config.nixpkgs.hostPlatform.isx86_64 then "64M" else "96M";
             };
           };
-          ${partitionIds.store-verity}.repartConfig = {
-            Minimize = "best";
-          };
-          ${partitionIds.store}.repartConfig = {
-            Minimize = "best";
-          };
         };
       };
 
@@ -75,50 +58,71 @@
         initrd.systemd.enable = true;
       };
 
-      system.image = {
-        id = "nixos-appliance";
-        version = "1";
-      };
+      system.image.id = "nixos-appliance";
 
       # don't create /usr/bin/env
       # this would require some extra work on read-only /usr
       # and it is not a strict necessity
       system.activationScripts.usrbinenv = lib.mkForce "";
     };
 
+  nodes.machine = {
+    system.image.version = "1";
+  };
+
+  nodes.without-version = { };
+
   testScript =
     { nodes, ... }: # python
     ''
       import os
       import subprocess
       import tempfile
 
-      tmp_disk_image = tempfile.NamedTemporaryFile()
-
-      subprocess.run([
+      def create_disk_image(qemu_img, backing_file):
+        tmp = tempfile.NamedTemporaryFile()
+        subprocess.run([
+          qemu_img,
+          "create",
+          "-f",
+          "qcow2",
+          "-b",
+          backing_file,
+          "-F",
+          "raw",
+          tmp.name,
+        ], check=True)
+        return tmp
+
+      def run_verity_tests(machine):
+        with subtest("Running with volatile root"):
+          machine.succeed("findmnt --kernel --type tmpfs /")
+
+        with subtest("/nix/store is backed by dm-verity protected fs"):
+          verity_info = machine.succeed("dmsetup info --target verity usr")
+          assert "ACTIVE" in verity_info, f"unexpected verity info: {verity_info}"
+
+          backing_device = machine.succeed("df --output=source /nix/store | tail -n1").strip()
+          assert "/dev/mapper/usr" == backing_device, f"unexpected backing device: {backing_device}"
+
+      tmp_disk_machine = create_disk_image(
         "${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
-        "create",
-        "-f",
-        "qcow2",
-        "-b",
-        "${nodes.machine.system.build.finalImage}/${nodes.machine.image.repart.imageFile}",
-        "-F",
-        "raw",
-        tmp_disk_image.name,
-      ])
-
-      os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name
-
+        "${nodes.machine.system.build.image}/${nodes.machine.image.filePath}",
+      )
+      os.environ['NIX_DISK_IMAGE'] = tmp_disk_machine.name
       machine.wait_for_unit("default.target")
-
-      with subtest("Running with volatile root"):
-        machine.succeed("findmnt --kernel --type tmpfs /")
-
-      with subtest("/nix/store is backed by dm-verity protected fs"):
-        verity_info = machine.succeed("dmsetup info --target verity usr")
-        assert "ACTIVE" in verity_info,f"unexpected verity info: {verity_info}"
-
-        backing_device = machine.succeed("df --output=source /nix/store | tail -n1").strip()
-        assert "/dev/mapper/usr" == backing_device,"unexpected backing device: {backing_device}"
+      run_verity_tests(machine)
+      with subtest("Image version is set"):
+        machine.succeed("grep IMAGE_VERSION=1 /etc/os-release")
+
+      tmp_disk_without_version = create_disk_image(
+        "${nodes."without-version".virtualisation.qemu.package}/bin/qemu-img",
+        "${nodes."without-version".system.build.image}/${nodes."without-version".image.filePath}",
+      )
+      os.environ['NIX_DISK_IMAGE'] = tmp_disk_without_version.name
+      without_version.wait_for_unit("default.target")
+      run_verity_tests(without_version)
+      with subtest("Image version is not set"):
+        without_version.succeed('grep IMAGE_VERSION="" /etc/os-release')
     '';
 }
@@ -109,7 +109,7 @@ in
         "-f",
         "qcow2",
         "-b",
-        "${nodes.machine.system.build.image}/${nodes.machine.image.repart.imageFile}",
+        "${nodes.machine.system.build.image}/${nodes.machine.image.filePath}",
         "-F",
         "raw",
         tmp_disk_image.name,