diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-09-22 18:01:01 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-09-22 18:01:01 +0000 |
| commit | 09a7436fcc41b9bb83707ac8b1f02b18e317c720 (patch) | |
| tree | 4ad1ba24f1a7eafd9bb58ad9ba4b125d3bd7d929 /nixos | |
| parent | bb7e33ce565293e228a7d718c653c98238a2c685 (diff) | |
| parent | 8ef88fb10bc4e26ea3f18c34b73edf2e96ef5d7a (diff) | |
| download | nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar.gz nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar.bz2 nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar.lz nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar.xz nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.tar.zst nixpkgs-09a7436fcc41b9bb83707ac8b1f02b18e317c720.zip | |
Merge master into staging-next
Diffstat (limited to 'nixos')
26 files changed, 120 insertions, 56 deletions
diff --git a/nixos/modules/config/krb5/default.nix b/nixos/modules/config/krb5/default.nix index c2302451d70..6db2a7e4039 100644 --- a/nixos/modules/config/krb5/default.nix +++ b/nixos/modules/config/krb5/default.nix @@ -84,7 +84,7 @@ in { type = types.package; default = pkgs.krb5Full; defaultText = "pkgs.krb5Full"; - example = literalExample "pkgs.heimdalFull"; + example = literalExample "pkgs.heimdal"; description = '' The Kerberos implementation that will be present in <literal>environment.systemPackages</literal> after enabling this diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index b45eb16e3ea..918c228b3f5 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -141,8 +141,15 @@ in // mkService cfg.atopgpu.enable "atopgpu" [ atop ]; timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ]; }; - security.wrappers = - lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; }; + + security.wrappers = lib.mkIf cfg.setuidWrapper.enable { + atop = + { setuid = true; + owner = "root"; + group = "root"; + source = "${atop}/bin/atop"; + }; + }; } ); } diff --git a/nixos/modules/programs/plotinus.nix b/nixos/modules/programs/plotinus.nix index e3549c79588..2c90a41ba02 100644 --- a/nixos/modules/programs/plotinus.nix +++ b/nixos/modules/programs/plotinus.nix @@ -30,7 +30,7 @@ in ###### implementation config = mkIf cfg.enable { - environment.variables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ]; + environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ]; environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ]; }; } diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 33d217ba60e..f2c76a56d8d 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -5,28 +5,33 @@ with lib; let cfg = config.services.kubernetes; - defaultContainerdConfigFile = pkgs.writeText "containerd.toml" '' - version = 2 - root = "/var/lib/containerd" - state = "/run/containerd" - oom_score = 0 - - [grpc] - address = "/run/containerd/containerd.sock" + defaultContainerdSettings = { + version = 2; + root = "/var/lib/containerd"; + state = "/run/containerd"; + oom_score = 0; + + grpc = { + address = "/run/containerd/containerd.sock"; + }; - [plugins."io.containerd.grpc.v1.cri"] - sandbox_image = "pause:latest" + plugins."io.containerd.grpc.v1.cri" = { + sandbox_image = "pause:latest"; - [plugins."io.containerd.grpc.v1.cri".cni] - bin_dir = "/opt/cni/bin" - max_conf_num = 0 + cni = { + bin_dir = "/opt/cni/bin"; + max_conf_num = 0; + }; - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - runtime_type = "io.containerd.runc.v2" + containerd.runtimes.runc = { + runtime_type = "io.containerd.runc.v2"; + }; - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options] - SystemdCgroup = true - ''; + containerd.runtimes."io.containerd.runc.v2".options = { + SystemdCgroup = true; + }; + }; + }; mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON { apiVersion = "v1"; @@ -248,7 +253,7 @@ in { (mkIf cfg.kubelet.enable { virtualisation.containerd = { enable = mkDefault true; - configFile = mkDefault defaultContainerdConfigFile; + settings = mkDefault defaultContainerdSettings; }; }) diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index 89360f4bf37..400d6e67044 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -217,6 +217,7 @@ in { home = "${dataDir}"; createHome = true; isSystemUser = true; + group = "dnscrypt-wrapper"; }; users.groups.dnscrypt-wrapper = { }; diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix index 32a7eb3ed69..2d67a2a2ad2 100644 --- a/nixos/modules/services/networking/flannel.nix +++ b/nixos/modules/services/networking/flannel.nix @@ -164,7 +164,7 @@ in { path = [ pkgs.iptables ]; preStart = optionalString (cfg.storageBackend == "etcd") '' echo "setting network configuration" - until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' + until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' do echo "setting network configuration, retry" sleep 1 diff --git a/nixos/modules/services/search/meilisearch.nix b/nixos/modules/services/search/meilisearch.nix index 913a885993c..9ed1a0e9053 100644 --- a/nixos/modules/services/search/meilisearch.nix +++ b/nixos/modules/services/search/meilisearch.nix @@ -8,7 +8,7 @@ let in { - meta.maintainers = with maintainers; [ filalex77 ]; + meta.maintainers = with maintainers; [ Br1ght0ne ]; ###### interface diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix index f0e56c7951a..837c59caa56 100644 --- a/nixos/modules/services/system/kerberos/heimdal.nix +++ b/nixos/modules/services/system/kerberos/heimdal.nix @@ -27,7 +27,7 @@ in { # No documentation about correct triggers, so guessing at them. - config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) { + config = mkIf (cfg.enable && kerberos == pkgs.heimdal) { systemd.services.kadmind = { description = "Kerberos Administration Daemon"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 325caba07ea..66b0f4f258d 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -223,7 +223,6 @@ in krb5 = discoverTests (import ./krb5 {}); ksm = handleTest ./ksm.nix {}; kubernetes = handleTestOn ["x86_64-linux"] ./kubernetes {}; - latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; }; latestKernel.login = handleTest ./login.nix { latestKernel = true; }; leaps = handleTest ./leaps.nix {}; libreddit = handleTest ./libreddit.nix {}; diff --git a/nixos/tests/atop.nix b/nixos/tests/atop.nix index 1f8b005041f..f7a90346f3d 100644 --- a/nixos/tests/atop.nix +++ b/nixos/tests/atop.nix @@ -105,8 +105,6 @@ let assertions = rec { }; in { - name = "atop"; - justThePackage = makeTest { name = "atop-justThePackage"; machine = { diff --git a/nixos/tests/cntr.nix b/nixos/tests/cntr.nix index 8cffd97459d..66847075620 100644 --- a/nixos/tests/cntr.nix +++ b/nixos/tests/cntr.nix @@ -9,7 +9,7 @@ let makeTest { name = "cntr-${backend}"; - meta = { maintainers = with lib.maintainers; [ srk mic92 ]; }; + meta = { maintainers = with lib.maintainers; [ sorki mic92 ]; }; nodes = { ${backend} = { pkgs, ... }: { diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix index df067248016..aa3c2b7051f 100644 --- a/nixos/tests/ec2.nix +++ b/nixos/tests/ec2.nix @@ -24,6 +24,11 @@ let ln -s vda1 /dev/xvda1 ''; + # In a NixOS test the serial console is occupied by the "backdoor" + # (see testing/test-instrumentation.nix) and is incompatible with + # the configuration in virtualisation/amazon-image.nix. + systemd.services."serial-getty@ttyS0".enable = mkForce false; + # Needed by nixos-rebuild due to the lack of network # access. Determined by trial and error. system.extraDependencies = with pkgs; ( [ diff --git a/nixos/tests/enlightenment.nix b/nixos/tests/enlightenment.nix index cc1da649d49..4623574ce92 100644 --- a/nixos/tests/enlightenment.nix +++ b/nixos/tests/enlightenment.nix @@ -11,8 +11,8 @@ import ./make-test-python.nix ({ pkgs, ...} : imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.desktopManager.enlightenment.enable = true; - services.xserver.displayManager.lightdm = { - enable = true; + services.xserver.displayManager = { + lightdm.enable = true; autoLogin = { enable = true; user = "alice"; diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index b76ae83a328..da7e0972e13 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "hardened"; meta = with pkgs.lib.maintainers; { maintainers = [ joachifm ]; @@ -10,8 +10,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; }; users.users.sybil = { isNormalUser = true; group = "wheel"; }; imports = [ ../modules/profiles/hardened.nix ]; - boot.kernelPackages = - lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened; environment.memoryAllocator.provider = "graphene-hardened"; nix.useSandbox = false; virtualisation.emptyDiskImages = [ 4096 ]; diff --git a/nixos/tests/kerberos/heimdal.nix b/nixos/tests/kerberos/heimdal.nix index 8abae667d04..391a61cc9a9 100644 --- a/nixos/tests/kerberos/heimdal.nix +++ b/nixos/tests/kerberos/heimdal.nix @@ -9,7 +9,7 @@ import ../make-test-python.nix ({pkgs, ...}: { }; krb5 = { enable = true; - kerberos = pkgs.heimdalFull; + kerberos = pkgs.heimdal; libdefaults = { default_realm = "FOO.BAR"; }; diff --git a/nixos/tests/meilisearch.nix b/nixos/tests/meilisearch.nix index ef5781458ff..c379bda74c5 100644 --- a/nixos/tests/meilisearch.nix +++ b/nixos/tests/meilisearch.nix @@ -10,7 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ''; in { name = "meilisearch"; - meta.maintainers = with lib.maintainers; [ filalex77 ]; + meta.maintainers = with lib.maintainers; [ Br1ght0ne ]; machine = { ... }: { environment.systemPackages = with pkgs; [ curl jq ]; diff --git a/nixos/tests/minio.nix b/nixos/tests/minio.nix index e49c517098a..ad51f738d49 100644 --- a/nixos/tests/minio.nix +++ b/nixos/tests/minio.nix @@ -28,7 +28,10 @@ in { machine = { pkgs, ... }: { services.minio = { enable = true; - inherit accessKey secretKey; + rootCredentialsFile = pkgs.writeText "minio-credentials" '' + MINIO_ROOT_USER=${accessKey} + MINIO_ROOT_PASSWORD=${secretKey} + ''; }; environment.systemPackages = [ pkgs.minio-client ]; diff --git a/nixos/tests/mpv.nix b/nixos/tests/mpv.nix index bcfc17cf332..9e44862cb1b 100644 --- a/nixos/tests/mpv.nix +++ b/nixos/tests/mpv.nix @@ -14,7 +14,7 @@ in { environment.systemPackages = [ pkgs.curl - (pkgs.mpv-with-scripts.override { + (pkgs.wrapMpv pkgs.mpv-unwrapped { scripts = [ pkgs.mpvScripts.simple-mpv-webui ]; }) ]; diff --git a/nixos/tests/mysql/mariadb-galera-mariabackup.nix b/nixos/tests/mysql/mariadb-galera-mariabackup.nix index 1c73bc854a5..10682c361d1 100644 --- a/nixos/tests/mysql/mariadb-galera-mariabackup.nix +++ b/nixos/tests/mysql/mariadb-galera-mariabackup.nix @@ -4,6 +4,16 @@ let mysqlenv-common = pkgs.buildEnv { name = "mysql-path-env-common"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; }; mysqlenv-mariabackup = pkgs.buildEnv { name = "mysql-path-env-mariabackup"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ gzip iproute2 netcat procps pv socat ]; }; + # Common user configuration + users = { ... }: + { + users.users.testuser = { + isSystemUser = true; + group = "testusers"; + }; + users.groups.testusers = { }; + }; + in { name = "mariadb-galera-mariabackup"; meta = with pkgs.lib.maintainers; { @@ -17,6 +27,7 @@ in { galera_01 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -31,7 +42,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; @@ -75,6 +85,7 @@ in { galera_02 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -89,7 +100,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; @@ -122,6 +132,7 @@ in { galera_03 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -136,7 +147,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; diff --git a/nixos/tests/mysql/mariadb-galera-rsync.nix b/nixos/tests/mysql/mariadb-galera-rsync.nix index 709a8b5085c..701e01e8871 100644 --- a/nixos/tests/mysql/mariadb-galera-rsync.nix +++ b/nixos/tests/mysql/mariadb-galera-rsync.nix @@ -4,6 +4,16 @@ let mysqlenv-common = pkgs.buildEnv { name = "mysql-path-env-common"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; }; mysqlenv-rsync = pkgs.buildEnv { name = "mysql-path-env-rsync"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ lsof procps rsync stunnel ]; }; + # Common user configuration + users = { ... }: + { + users.users.testuser = { + isSystemUser = true; + group = "testusers"; + }; + users.groups.testusers = { }; + }; + in { name = "mariadb-galera-rsync"; meta = with pkgs.lib.maintainers; { @@ -17,6 +27,7 @@ in { galera_04 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -31,7 +42,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; @@ -70,6 +80,7 @@ in { galera_05 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -84,7 +95,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; @@ -116,6 +126,7 @@ in { galera_06 = { pkgs, ... }: { + imports = [ users ]; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -130,7 +141,6 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; diff --git a/nixos/tests/mysql/mysql.nix b/nixos/tests/mysql/mysql.nix index 2ec9c3d50a3..dce5fa26acf 100644 --- a/nixos/tests/mysql/mysql.nix +++ b/nixos/tests/mysql/mysql.nix @@ -1,4 +1,26 @@ -import ./../make-test-python.nix ({ pkgs, ...} : { +import ./../make-test-python.nix ({ pkgs, ...}: + + +let + # Setup common users + users = { ... }: + { + users.groups.testusers = { }; + + users.users.testuser = { + isSystemUser = true; + group = "testusers"; + }; + + users.users.testuser2 = { + isSystemUser = true; + group = "testusers"; + }; + }; + +in + +{ name = "mysql"; meta = with pkgs.lib.maintainers; { maintainers = [ eelco shlevy ]; @@ -9,8 +31,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - users.users.testuser = { isSystemUser = true; }; - users.users.testuser2 = { isSystemUser = true; }; + imports = [ users ]; + services.mysql.enable = true; services.mysql.initialDatabases = [ { name = "testdb3"; schema = ./testdb.sql; } @@ -40,12 +62,12 @@ import ./../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { + imports = [ users ]; + # prevent oom: # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled virtualisation.memorySize = 1024; - users.users.testuser = { isSystemUser = true; }; - users.users.testuser2 = { isSystemUser = true; }; services.mysql.enable = true; services.mysql.initialDatabases = [ { name = "testdb3"; schema = ./testdb.sql; } @@ -75,8 +97,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - users.users.testuser = { isSystemUser = true; }; - users.users.testuser2 = { isSystemUser = true; }; + imports = [ users ]; + services.mysql.enable = true; services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED WITH unix_socket; diff --git a/nixos/tests/postfixadmin.nix b/nixos/tests/postfixadmin.nix index aba5e3eed10..b2712f4699a 100644 --- a/nixos/tests/postfixadmin.nix +++ b/nixos/tests/postfixadmin.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "postfixadmin"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with pkgs.lib.maintainers; { maintainers = [ globin ]; }; diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 61cdbbcf455..38b93c4087c 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -555,7 +555,11 @@ let WorkingDirectory = "/var/spool/mail"; }; }; - users.users.mailexporter.isSystemUser = true; + users.users.mailexporter = { + isSystemUser = true; + group = "mailexporter"; + }; + users.groups.mailexporter = {}; }; exporterTest = '' wait_for_unit("postfix.service") diff --git a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix index 94f17605e00..68836c73072 100644 --- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix +++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix @@ -42,6 +42,8 @@ import ./make-test-python.nix ({pkgs, ...}: { # DO NOT COPY THIS TO PRODUCTION AS IS. Think about it at least twice. # Everyone on the "isp" machine will be able to add routes to the kernel. security.wrappers.add-dhcpd-lease = { + owner = "root"; + group = "root"; source = pkgs.writeShellScript "add-dhcpd-lease" '' exec ${pkgs.iproute2}/bin/ip -6 route replace "$1" via "$2" ''; diff --git a/nixos/tests/tigervnc.nix b/nixos/tests/tigervnc.nix index c0a52808b27..092eaf238d8 100644 --- a/nixos/tests/tigervnc.nix +++ b/nixos/tests/tigervnc.nix @@ -6,7 +6,7 @@ with import ../lib/testing-python.nix { inherit system pkgs; }; makeTest { name = "tigervnc"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with pkgs.lib.maintainers; { maintainers = [ lheckemann ]; }; diff --git a/nixos/tests/wasabibackend.nix b/nixos/tests/wasabibackend.nix index 1832698ab69..75730fe24d0 100644 --- a/nixos/tests/wasabibackend.nix +++ b/nixos/tests/wasabibackend.nix @@ -14,7 +14,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { port = 18332; }; }; - services.bitcoind = { + services.bitcoind."testnet" = { enable = true; testnet = true; rpc.users = { |