nixos/waagent: init module

[codgician]

Adds a module for waagent (Windows Azure Linux Agent), providing services.waagent option. With this change, the options available in waagent.conf could be defined using services.waagent.settings, which fix #272460.

The format of waagent.settings follow: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux#configuration:

• Typed options included in the module are a subset of the publicly documented ones in above link. I left out ones that may not be properly supported in NixOS due to its immutable nature (mostly Provisioning options, and they should be covered by cloud-init anyway in default configuration).
• Users are still able to declare these options due to settings has a type of freeform.

Below provides an example of services.waagent (used as test) with further explanations in comments:

services.waagent = {
  enable = true;
  package = pkgs.waagent;
  # Allow defining extraPackages to add binaries into waagent's PATH environment
  extraPackages = [ pkgs.btrfs-progs ];
  # Settings are kept in alignment of waagent.conf options.
  # Undocumented options that are not explicitly defined in the module are also accepted for flexibility.
  settings = {
    Provisioning = {
      # Boolean values will be converted to "y" or "n"
      Enable = false;
      Agent = "waagent";
      DeleteRootPassword = false;
      RegenerateSshHostKeyPair = false;
      SshHostKeyPairType = "ed25519";
      MonitorHostName = false;
    };
    ResourceDisk = {
      Format = false;
      # List values will be concatenated with comma
      MountOptions = [
        "compress=lzo"
        "mode=0600"
      ];
    };

    # int values will also be converted to string
    OS.RootDeviceScsiTimeout = 300;

    # null values will make the option omitted in generated waagent.conf
    HttpProxy = {
      Host = null;
      Port = null;
    };

    CGroups = {
      # Declaring undocumented options are also supported
      EnforceLimits = false;
      # Empty lists will also be omitted
      Excluded = [];
    };
  };
};

The resulting /etc/waagent.conf of above definition should be:

AutoUpdate.Enable=n
CGroups.EnforceLimits=n
Logs.Verbose=n 
OS.EnableRDMA=n
OS.RootDeviceScsiTimeout=300
Provisioning.Agent=waagent
Provisioning.DeleteRootPassword=n
Provisioning.Enable=n
Provisioning.MonitorHostName=n
Provisioning.RegenerateSshHostKeyPair=n 
Provisioning.SshHostKeyPairType=ed25519
ResourceDisk.EnableSwap=n
ResourceDisk.FileSystem=ext4
ResourceDisk.Format=n
ResourceDisk.MountOptions=compress=lzo,mode=0600
ResourceDisk.MountPoint=/mnt/resource
ResourceDisk.SwapSizeMB=0

Some other notable changes include:

• Updated waagent.service definition referencing unit tests of Azure/WALinuxAgent
• Added deprecation warning for existing azure-agent.nix (which is not imported automatically).
• Added test for ensuring the correctness of generated /etc/waagent.conf.
• Added passthru.updateScript for waagent package, and added myself as maintainer.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[codgician]

@ofborg build waagent

[getchoo]

I'm not very familiar with anything Azure, so I'm not sure how much help I can be -- but here are some issues I found on the Nix code side. Everything else looks good at a glance

[getchoo]

Suggested change

	tests = {
	tests = lib.optionalAttrs stdenv.hostPlatform.isLinux {

These prevents OfBorg from attempting to evaluate and build this test on non-Linux platforms (where it will never work)

[codgician]

In the latest iteration I added meta.platforms = lib.platforms.linux; to make this package Linux-only, as the project does not support Darwin officially.

[getchoo]

passthru.tests are still evaluated on Darwin regardless IIRC

[codgician]

@ofborg build waagent

[codgician]

@ofborg build waagent

[getchoo]

Not sure how to test this, but everything LGTM

Should probably have someone else actually test it before a merge, though :p

[codgician]

Not sure how to test this, but everything LGTM

Should probably have someone else actually test it before a merge, though :p

I did some quick tests on my existing Azure VM and made sure it is compatible with existing configurations.

If anyone is interested one can fork codgician:azure-aarch64-nixos and change the flake's nixpkgs input to the branch of this PR for generating a new vhdx to upload and validate with new Azure VM.

[flokli]

Let's get this in! Thanks for the work.

[camelpunch]

Hey there! We found that after this change, OpenSSL errors prevented new machines from completing their provisioning. The openssl binary was expected to be at /usr/bin/openssl.

The fix for us was to set:

services.waagent.settings.OS.OpensslPath = "${pkgs.openssl}/bin/openssl";

Not sure where the fix should go: perhaps a rewrite of /usr/bin/openssl paths, or this setting always applied to the config unless it's changed away from a default?

[flokli]

We already add openssl to the $PATH of waagent. Ideally we can patch waagent source to pick it up from there.

[codgician]

Hey there! We found that after this change, OpenSSL errors prevented new machines from completing their provisioning. The openssl binary was expected to be at /usr/bin/openssl.

The fix for us was to set:

services.waagent.settings.OS.OpensslPath = "${pkgs.openssl}/bin/openssl";

Not sure where the fix should go: perhaps a rewrite of /usr/bin/openssl paths, or this setting always applied to the config unless it's changed away from a default?

This is intended to be fixed with #359365, where a default value of ervices.waagent.settings.OS.OpensslPath would be added.