nixos/version: validate system.stateVersion (#317858)
This commit is contained in:
commit
3df1783166
@ -331,6 +331,10 @@
|
||||
- `zx` was updated to v8, which introduces several breaking changes.
|
||||
See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
|
||||
|
||||
- `system.stateVersion` is now validated. If you never changed this yourself, you don't need to do anything. If your `stateVersion` is not a valid NixOS release version (e.g. "24.11" is valid),
|
||||
your system was already at risk of experiencing silent incompatible state updates. If your previous value is a well-formed version but not a valid release (e.g. "23.12"),
|
||||
round down to the nearest actual release. If it wasn't a well-formed version (e.g. "nixos-unstable"), set it to the version of NixOS that you originally installed.
|
||||
|
||||
- The `portunus` package and service do not support weak password hashes anymore.
|
||||
If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
|
||||
Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
|
||||
|
@ -44,6 +44,49 @@ let
|
||||
};
|
||||
initrdRelease = pkgs.writeText "initrd-release" (attrsToText initrdReleaseContents);
|
||||
|
||||
checkRelease = version:
|
||||
let
|
||||
parts = lib.versions.splitVersion version;
|
||||
isVersion = lib.length parts == 2 && lib.all (p: lib.stringLength p == 2) parts;
|
||||
majorVersion = lib.toIntBase10 (lib.elemAt parts 0);
|
||||
minorVersion = lib.elemAt parts 1;
|
||||
|
||||
versionPatterns = [
|
||||
# only 13.10
|
||||
{ fromMajor = 13; minor = [ "10" ]; }
|
||||
# 14.04 and 14.12
|
||||
{ fromMajor = 14; minor = [ "04" "12" ]; }
|
||||
# only 15.09
|
||||
{ fromMajor = 15; minor = [ "09" ]; }
|
||||
# 16.03 to 20.09
|
||||
{ fromMajor = 16; minor = [ "03" "09" ]; }
|
||||
# from 21.05
|
||||
{ fromMajor = 21; minor = [ "05" "11" ]; }
|
||||
];
|
||||
|
||||
# find the versioning pattern that applies by looking for the first
|
||||
# major version newer than `majorVersion`, and picking the previous pattern
|
||||
patternIndex = lib.lists.findFirstIndex
|
||||
({ fromMajor, ... }: fromMajor > majorVersion)
|
||||
(lib.length versionPatterns)
|
||||
versionPatterns;
|
||||
|
||||
validMinorVersions =
|
||||
if patternIndex == 0
|
||||
then []
|
||||
else (lib.elemAt versionPatterns (patternIndex - 1)).minor;
|
||||
|
||||
correctMinorVersion = lib.elem minorVersion validMinorVersions;
|
||||
notNewerThanNixpkgs = lib.versionAtLeast trivial.release version;
|
||||
in isVersion && correctMinorVersion && notNewerThanNixpkgs;
|
||||
|
||||
releaseType = types.addCheck
|
||||
(types.strMatching "[[:digit:]]{2}\\.[[:digit:]]{2}")
|
||||
checkRelease // {
|
||||
name = "nixosRelease";
|
||||
description = "NixOS release version, e.g. \"${trivial.release}\"";
|
||||
descriptionClass = "nonRestrictiveClause";
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
@ -70,7 +113,7 @@ in
|
||||
|
||||
release = mkOption {
|
||||
readOnly = true;
|
||||
type = types.str;
|
||||
type = releaseType;
|
||||
default = trivial.release;
|
||||
description = "The NixOS release (e.g. `16.03`).";
|
||||
};
|
||||
@ -151,7 +194,7 @@ in
|
||||
};
|
||||
|
||||
stateVersion = mkOption {
|
||||
type = types.str;
|
||||
type = releaseType;
|
||||
# TODO Remove this and drop the default of the option so people are forced to set it.
|
||||
# Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix
|
||||
apply = v:
|
||||
|
Loading…
Reference in New Issue
Block a user