diff options
author | Jan Malakhovski <oxij@oxij.org> | 2018-03-10 14:41:34 +0000 |
---|---|---|
committer | Jan Malakhovski <oxij@oxij.org> | 2018-03-10 20:38:13 +0000 |
commit | 7079e744d4666db3af186899fe2fc0ef3cbeb842 (patch) | |
tree | d65e951be75dab998ecd2e8337e1c30e7722e28c /nixos | |
parent | 4eec6bc9c9cafac55dbf774a2fd30da7e5a79cc4 (diff) | |
parent | ddddca5c2fe1c93369404979ac194a1bc5d5fbaf (diff) | |
download | nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.gz nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.bz2 nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.lz nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.xz nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.tar.zst nixpkgs-7079e744d4666db3af186899fe2fc0ef3cbeb842.zip |
Merge branch 'master' into staging
Resolved the following conflicts (by carefully applying patches from the both branches since the fork point): pkgs/development/libraries/epoxy/default.nix pkgs/development/libraries/gtk+/3.x.nix pkgs/development/python-modules/asgiref/default.nix pkgs/development/python-modules/daphne/default.nix pkgs/os-specific/linux/systemd/default.nix
Diffstat (limited to 'nixos')
64 files changed, 1396 insertions, 1186 deletions
diff --git a/nixos/doc/manual/development/testing-installer.xml b/nixos/doc/manual/development/testing-installer.xml index 20c8d51815a..16bc8125d9f 100644 --- a/nixos/doc/manual/development/testing-installer.xml +++ b/nixos/doc/manual/development/testing-installer.xml @@ -11,15 +11,17 @@ tedious, so here is a quick way to see if the installer works properly: <screen> -$ nix-build -A config.system.build.nixos-install # mount -t tmpfs none /mnt +# nixos-generate-config --root /mnt +$ nix-build '<nixpkgs/nixos>' -A config.system.build.nixos-install # ./result/bin/nixos-install</screen> To start a login shell in the new NixOS installation in <filename>/mnt</filename>: <screen> -# ./result/bin/nixos-install --chroot +$ nix-build '<nixpkgs/nixos>' -A config.system.build.nixos-enter +# ./result/bin/nixos-enter </screen> </para> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixos/doc/manual/installation/installing-from-other-distro.xml new file mode 100644 index 00000000000..ecd020a067a --- /dev/null +++ b/nixos/doc/manual/installation/installing-from-other-distro.xml @@ -0,0 +1,309 @@ +<!-- vim: set expandtab ts=2 softtabstop=2 shiftwidth=2 smarttab textwidth=80 wrapmargin=2 --> +<section + xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-installing-from-other-distro"> + + <title>Installing from another Linux distribution</title> + + <para> + Because Nix (the package manager) & Nixpkgs (the Nix packages + collection) can both be installed on any (most?) Linux distributions, + they can be used to install NixOS in various creative ways. You can, + for instance: + </para> + + <orderedlist> + <listitem><para>Install NixOS on another partition, from your existing + Linux distribution (without the use of a USB or optical + device!)</para></listitem> + + <listitem><para>Install NixOS on the same partition (in place!), from + your existing non-NixOS Linux distribution using + <literal>NIXOS_LUSTRATE</literal>.</para></listitem> + + <listitem><para>Install NixOS on your hard drive from the Live CD of + any Linux distribution.</para></listitem> + </orderedlist> + + <para>The first steps to all these are the same:</para> + + <orderedlist> + <listitem> + <para>Install the Nix package manager:</para> + + <para>Short version:</para> + + <screen> +$ bash <(curl https://nixos.org/nix/install) +$ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen> + + <para>More details in the <link + xlink:href="https://nixos.org/nix/manual/#chap-quick-start"> + Nix manual</link></para> + </listitem> + + <listitem> + <para>Switch to the NixOS channel:</para> + + <para>If you've just installed Nix on a non-NixOS distribution, you + will be on the <literal>nixpkgs</literal> channel by + default.</para> + + <screen> +$ nix-channel --list +nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen> + + <para>As that channel gets released without running the NixOS + tests, it will be safer to use the <literal>nixos-*</literal> + channels instead:</para> + + <screen> +$ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</replaceable> nixpkgs</screen> + + <para>You may want to throw in a <literal>nix-channel + --update</literal> for good measure.</para> + </listitem> + + <listitem> + <para>Install the NixOS installation tools:</para> + + <para>You'll need <literal>nixos-generate-config</literal> and + <literal>nixos-install</literal> and we'll throw in some man + pages and <literal>nixos-enter</literal> just in case you want + to chroot into your NixOS partition. They are installed by + default on NixOS, but you don't have NixOS yet..</para> + + <screen>$ nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen> + </listitem> + + <listitem> + <note><para>The following 5 steps are only for installing NixOS to + another partition. For installing NixOS in place using + <literal>NIXOS_LUSTRATE</literal>, skip ahead.</para></note> + + <para>Prepare your target partition:</para> + + <para>At this point it is time to prepare your target partition. + Please refer to the partitioning, file-system creation, and + mounting steps of <xref linkend="sec-installation" /></para> + + <para>If you're about to install NixOS in place using + <literal>NIXOS_LUSTRATE</literal> there is nothing to do for + this step.</para> + </listitem> + + <listitem> + <para>Generate your NixOS configuration:</para> + + <screen>$ sudo `which nixos-generate-config` --root /mnt</screen> + + <para>You'll probably want to edit the configuration files. Refer + to the <literal>nixos-generate-config</literal> step in <xref + linkend="sec-installation" /> for more information.</para> + + <para>Consider setting up the NixOS bootloader to give you the + ability to boot on your existing Linux partition. For instance, + if you're using GRUB and your existing distribution is running + Ubuntu, you may want to add something like this to your + <literal>configuration.nix</literal>:</para> + + <programlisting> +boot.loader.grub.extraEntries = '' + menuentry "Ubuntu" { + search --set=ubuntu --fs-uuid 3cc3e652-0c1f-4800-8451-033754f68e6e + configfile "($ubuntu)/boot/grub/grub.cfg" + } +'';</programlisting> + + <para>(You can find the appropriate UUID for your partition in + <literal>/dev/disk/by-uuid</literal>)</para> + </listitem> + + <listitem> + <para>Create the <literal>nixbld</literal> group and user on your + original distribution:</para> + + <screen> +$ sudo groupadd -g 30000 nixbld +$ sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen> + </listitem> + + <listitem> + <para>Download/build/install NixOS:</para> + + <warning><para>Once you complete this step, you might no longer be + able to boot on existing systems without the help of a + rescue USB drive or similar.</para></warning> + + <screen>$ sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt</screen> + + <para>Again, please refer to the <literal>nixos-install</literal> + step in <xref linkend="sec-installation" /> for more + information.</para> + + <para>That should be it for installation to another partition!</para> + </listitem> + + <listitem> + <para>Optionally, you may want to clean up your non-NixOS distribution:</para> + + <screen> +$ sudo userdel nixbld +$ sudo groupdel nixbld</screen> + + <para>If you do not wish to keep the Nix package mananager + installed either, run something like <literal>sudo rm -rv + ~/.nix-* /nix</literal> and remove the line that the Nix + installer added to your <literal>~/.profile</literal>.</para> + </listitem> + + <listitem> + <note><para>The following steps are only for installing NixOS in + place using + <literal>NIXOS_LUSTRATE</literal>:</para></note> + + <para>Generate your NixOS configuration:</para> + + <screen>$ sudo `which nixos-generate-config` --root /</screen> + + <para>Note that this will place the generated configuration files + in <literal>/etc/nixos</literal>. You'll probably want to edit + the configuration files. Refer to the + <literal>nixos-generate-config</literal> step in <xref + linkend="sec-installation" /> for more information.</para> + + <para>You'll likely want to set a root password for your first boot + using the configuration files because you won't have a chance + to enter a password until after you reboot. You can initalize + the root password to an empty one with this line: (and of course + don't forget to set one once you've rebooted or to lock the + account with <literal>sudo passwd -l root</literal> if you use + <literal>sudo</literal>)</para> + + <programlisting>users.extraUsers.root.initialHashedPassword = "";</programlisting> + </listitem> + + <listitem> + <para>Build the NixOS closure and install it in the + <literal>system</literal> profile:</para> + + <screen>$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -I nixos-config=/etc/nixos/configuration.nix -iA system</screen> + </listitem> + + <listitem> + <para>Change ownership of the <literal>/nix</literal> tree to root + (since your Nix install was probably single user):</para> + + <screen>$ sudo chown -R 0.0 /nix</screen> + </listitem> + + <listitem> + <para>Set up the <literal>/etc/NIXOS</literal> and + <literal>/etc/NIXOS_LUSTRATE</literal> files:</para> + + <para><literal>/etc/NIXOS</literal> officializes that this is now a + NixOS partition (the bootup scripts require its presence).</para> + + <para><literal>/etc/NIXOS_LUSTRATE</literal> tells the NixOS bootup + scripts to move <emphasis>everything</emphasis> that's in the + root partition to <literal>/old-root</literal>. This will move + your existing distribution out of the way in the very early + stages of the NixOS bootup. There are exceptions (we do need to + keep NixOS there after all), so the NixOS lustrate process will + not touch:</para> + + <itemizedlist> + <listitem><para>The <literal>/nix</literal> + directory</para></listitem> + + <listitem><para>The <literal>/boot</literal> + directory</para></listitem> + + <listitem><para>Any file or directory listed in + <literal>/etc/NIXOS_LUSTRATE</literal> (one per + line)</para></listitem> + </itemizedlist> + + <note><para>Support for <literal>NIXOS_LUSTRATE</literal> was added + in NixOS 16.09. The act of "lustrating" refers to the + wiping of the existing distribution. Creating + <literal>/etc/NIXOS_LUSTRATE</literal> can also be used on + NixOS to remove all mutable files from your root partition + (anything that's not in <literal>/nix</literal> or + <literal>/boot</literal> gets "lustrated" on the next + boot.</para> + <para>lustrate /ˈlʌstreɪt/ verb.</para> + <para>purify by expiatory sacrifice, ceremonial washing, or + some other ritual action.</para></note> + + <para>Let's create the files:</para> + + <screen> +$ sudo touch /etc/NIXOS +$ sudo touch /etc/NIXOS_LUSTRATE</screen> + + <para>Let's also make sure the NixOS configuration files are kept + once we reboot on NixOS:</para> + + <screen> +$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE</screen> + </listitem> + + <listitem> + <para>Finally, move the <literal>/boot</literal> directory of your + current distribution out of the way (the lustrate process will + take care of the rest once you reboot, but this one must be + moved out now because NixOS needs to install its own boot + files:</para> + + <warning><para>Once you complete this step, your current + distribution will no longer be bootable! If you didn't get + all the NixOS configuration right, especially those + settings pertaining to boot loading and root partition, + NixOS may not be bootable either. Have a USB rescue device + ready in case this happens. </para></warning> + + <screen> +$ sudo mv -v /boot /boot.bak && + sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot</screen> + + <para>Cross your fingers, reboot, hopefully you should get a NixOS + prompt!</para> + </listitem> + <listitem> + <para>If for some reason you want to revert to the old + distribution, you'll need to boot on a USB rescue disk and do + something along these lines:</para> + + <screen> +# mkdir root +# mount /dev/sdaX root +# mkdir root/nixos-root +# mv -v root/* root/nixos-root/ +# mv -v root/nixos-root/old-root/* root/ +# mv -v root/boot.bak root/boot # We had renamed this by hand earlier +# umount root +# reboot</screen> + + <para>This may work as is or you might also need to reinstall the + boot loader</para> + + <para>And of course, if you're happy with NixOS and no longer need + the old distribution:</para> + + <screen>sudo rm -rf /old-root</screen> + </listitem> + + <listitem> + <para>It's also worth noting that this whole process can be + automated. This is especially useful for Cloud VMs, where + provider do not provide NixOS. For instance, <link + xlink:href="https://github.com/elitak/nixos-infect">nixos-infect</link> + uses the lustrate process to convert Digital Ocean droplets to + NixOS from other distributions automatically.</para> + </listitem> + </orderedlist> +</section> diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 2a5d1fc3ce8..e20b6574b72 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -401,5 +401,6 @@ drive (here <filename>/dev/sda</filename>). <xref linkend="ex-config" <xi:include href="installing-usb.xml" /> <xi:include href="installing-pxe.xml" /> <xi:include href="installing-virtualbox-guest.xml" /> +<xi:include href="installing-from-other-distro.xml" /> </chapter> diff --git a/nixos/doc/manual/man-nixos-enter.xml b/nixos/doc/manual/man-nixos-enter.xml new file mode 100644 index 00000000000..a2fbe07961d --- /dev/null +++ b/nixos/doc/manual/man-nixos-enter.xml @@ -0,0 +1,119 @@ +<refentry xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude"> + +<refmeta> + <refentrytitle><command>nixos-enter</command></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">NixOS</refmiscinfo> + <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> +</refmeta> + +<refnamediv> + <refname><command>nixos-enter</command></refname> + <refpurpose>run a command in a NixOS chroot environment</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>nixos-enter</command> + <arg> + <arg choice='plain'><option>--root</option></arg> + <replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--system</option></arg> + <replaceable>system</replaceable> + </arg> + <arg> + <arg choice='plain'><option>-c</option></arg> + <replaceable>shell-command</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--help</option></arg> + </arg> + <arg> + <arg choice='plain'><option>--</option></arg> + <replaceable>arguments</replaceable> + </arg> + </cmdsynopsis> +</refsynopsisdiv> + + +<refsection><title>Description</title> + +<para>This command runs a command in a NixOS chroot environment, that +is, in a filesystem hierarchy previously prepared using +<command>nixos-install</command>.</para> + +</refsection> + +<refsection><title>Options</title> + +<para>This command accepts the following options:</para> + +<variablelist> + + <varlistentry> + <term><option>--root</option></term> + <listitem> + <para>The path to the NixOS system you want to enter. It defaults to <filename>/mnt</filename>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--system</option></term> + <listitem> + <para>The NixOS system configuration to use. It defaults to + <filename>/nix/var/nix/profiles/system</filename>. You can enter + a previous NixOS configuration by specifying a path such as + <filename>/nix/var/nix/profiles/system-106-link</filename>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--command</option></term> + <term><option>-c</option></term> + <listitem> + <para>The bash command to execute.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--</option></term> + + <listitem><para>Interpret the remaining arguments as the program + name and arguments to be invoked. The program is not executed in a + shell.</para></listitem> + + </varlistentry> + +</variablelist> + +</refsection> + + +<refsection><title>Examples</title> + +<para>Start an interactive shell in the NixOS installation in +<filename>/mnt</filename>:</para> + +<screen> +# nixos-enter /mnt +</screen> + +<para>Run a shell command:</para> + +<screen> +# nixos-enter -c 'ls -l /; cat /proc/mounts' +</screen> + +<para>Run a non-shell command:</para> + +<screen> +# nixos-enter -- cat /proc/mounts +</screen> + +</refsection> + +</refentry> diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index 15c603256ca..c9887146989 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml @@ -26,8 +26,8 @@ <replaceable>root</replaceable> </arg> <arg> - <arg choice='plain'><option>--closure</option></arg> - <replaceable>closure</replaceable> + <arg choice='plain'><option>--system</option></arg> + <replaceable>path</replaceable> </arg> <arg> <arg choice='plain'><option>--no-channel-copy</option></arg> @@ -118,7 +118,7 @@ it.</para> </varlistentry> <varlistentry> - <term><option>--closure</option></term> + <term><option>--system</option></term> <listitem> <para>If this option is provided, <command>nixos-install</command> will install the specified closure rather than attempt to build one from <filename>/mnt/etc/nixos/configuration.nix</filename>.</para> diff --git a/nixos/doc/manual/man-pages.xml b/nixos/doc/manual/man-pages.xml index e945e0e6263..80a8458fbfe 100644 --- a/nixos/doc/manual/man-pages.xml +++ b/nixos/doc/manual/man-pages.xml @@ -15,7 +15,7 @@ </author> <copyright> - <year>2007-2015</year> + <year>2007-2018</year> <holder>Eelco Dolstra</holder> </copyright> @@ -25,6 +25,7 @@ <xi:include href="man-nixos-build-vms.xml" /> <xi:include href="man-nixos-generate-config.xml" /> <xi:include href="man-nixos-install.xml" /> + <xi:include href="man-nixos-enter.xml" /> <xi:include href="man-nixos-option.xml" /> <xi:include href="man-nixos-rebuild.xml" /> <xi:include href="man-nixos-version.xml" /> diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index 5ed56bde665..b7f9fab44f3 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -9,6 +9,7 @@ <para>This section lists the release notes for each stable version of NixOS and current unstable revision.</para> +<xi:include href="rl-1809.xml" /> <xi:include href="rl-1803.xml" /> <xi:include href="rl-1709.xml" /> <xi:include href="rl-1703.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml index 9f80dcc2934..b755245a69f 100644 --- a/nixos/doc/manual/release-notes/rl-1803.xml +++ b/nixos/doc/manual/release-notes/rl-1803.xml @@ -20,6 +20,25 @@ has the following highlights: </para> <itemizedlist> <listitem> <para> + Nix now defaults to 2.0; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.0">release notes</link>. + </para> + </listitem> + + <listitem> + <para> + Linux kernel defaults to the 4.14 branch (it was 4.9). + </para> + </listitem> + + <listitem> + <para> + GCC defaults to 7.x (it was 6.x). + </para> + </listitem> + + <listitem> + <para> MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved: <itemizedlist> @@ -181,7 +200,7 @@ following incompatible changes:</para> </listitem> <listitem> <para> - <literal>lib.addPassthru drv passthru</literal> is removed. Use <literal>lib.extendDerivation true passthru drv</literal> instead. <emphasis role="strong">TODO: actually remove it before branching 18.03 off.</emphasis> + <literal>lib.addPassthru drv passthru</literal> is removed. Use <literal>lib.extendDerivation true passthru drv</literal> instead. </para> </listitem> <listitem> @@ -296,6 +315,13 @@ following incompatible changes:</para> <literal>nodejs-4_x</literal>, <literal>nodejs-slim-4_x</literal> and <literal>nodePackages_4_x</literal> are removed. </para> </listitem> + <listitem> + <para> + The <literal>pump.io</literal> NixOS module was removed. + It is now maintained as an + <link xlink:href="https://github.com/rvl/pump.io-nixos">external module</link>. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml new file mode 100644 index 00000000000..f44d9cad52f --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -0,0 +1,82 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09"> + +<title>Release 18.09 (“??”, 2018/09/??)</title> + +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-highlights"> + +<title>Highlights</title> + +<para>In addition to numerous new and upgraded packages, this release +has the following highlights: </para> + +<itemizedlist> + <listitem> + <para> + TODO + </para> + </listitem> + +</itemizedlist> + +</section> +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-new-services"> + +<title>New Services</title> + +<para>The following new services were added since the last release:</para> + +<itemizedlist> + <listitem> + <para></para> + </listitem> +</itemizedlist> + +</section> +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-incompatibilities"> + +<title>Backward Incompatibilities</title> + +<para>When upgrading from a previous release, please be aware of the +following incompatible changes:</para> + +<itemizedlist> + <listitem> + <para> + </para> + </listitem> +</itemizedlist> + +</section> +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-notable-changes"> + +<title>Other Notable Changes</title> + +<itemizedlist> + <listitem> + <para> + </para> + </listitem> +</itemizedlist> + +</section> +</section> diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index b7a38760dd3..ebfb09db7b7 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -51,7 +51,7 @@ with lib; let format' = format; in let - format = if (format' == "qcow2-compressed") then "qcow2" else format'; + format = if format' == "qcow2-compressed" then "qcow2" else format'; compress = optionalString (format' == "qcow2-compressed") "-c"; @@ -84,6 +84,7 @@ let format' = format; in let nixpkgs = cleanSource pkgs.path; + # FIXME: merge with channel.nix / make-channel.nix. channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}" {} '' mkdir -p $out cp -prd ${nixpkgs} $out/nixos @@ -95,13 +96,16 @@ let format' = format; in let echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix ''; - metaClosure = pkgs.writeText "meta" '' - ${config.system.build.toplevel} - ${config.nix.package.out} - ${channelSources} - ''; - - prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath; + binPath = with pkgs; makeBinPath ( + [ rsync + utillinux + parted + e2fsprogs + lkl + config.system.build.nixos-install + config.system.build.nixos-enter + nix + ] ++ stdenv.initialPath); # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate # image building logic. The comment right below this now appears in 4 different places in nixpkgs :) @@ -109,8 +113,10 @@ let format' = format; in let sources = map (x: x.source) contents; targets = map (x: x.target) contents; + closureInfo = pkgs.closureInfo { rootPaths = [ config.system.build.toplevel channelSources ]; }; + prepareImage = '' - export PATH=${makeBinPath prepareImageInputs} + export PATH=${binPath} # Yes, mkfs.ext4 takes different units in different contexts. Fun. sectorsToKilobytes() { @@ -168,11 +174,15 @@ let format' = format; in let fi done - # TODO: Nix really likes to chown things it creates to its current user... - fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure + export HOME=$TMPDIR + + # Provide a Nix database so that nixos-install can copy closures. + export NIX_STATE_DIR=$TMPDIR/state + nix-store --load-db < ${closureInfo}/registration - # fakeroot seems to always give the owner write permissions, which we do not want - find $root/nix/store -mindepth 1 -maxdepth 1 -type f -o -type d | xargs chmod -R a-w + echo "running nixos-install..." + nixos-install --root $root --no-bootloader --no-root-passwd \ + --system ${config.system.build.toplevel} --channel ${channelSources} --substituters "" echo "copying staging root to image..." cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} -t ${fsType} -i $diskImage $root/* / @@ -181,7 +191,6 @@ in pkgs.vmTools.runInLinuxVM ( pkgs.runCommand name { preVM = prepareImage; buildInputs = with pkgs; [ utillinux e2fsprogs dosfstools ]; - exportReferencesGraph = [ "closure" metaClosure ]; postVM = '' ${if format == "raw" then '' mv $diskImage $out/${filename} @@ -194,6 +203,8 @@ in pkgs.vmTools.runInLinuxVM ( memSize = 1024; } '' + export PATH=${binPath}:$PATH + rootDisk=${if partitionTableType != "none" then "/dev/vda${rootPartition}" else "/dev/vda"} # Some tools assume these exist @@ -218,15 +229,8 @@ in pkgs.vmTools.runInLinuxVM ( cp ${configFile} /mnt/etc/nixos/configuration.nix ''} - mount --rbind /dev $mountPoint/dev - mount --rbind /proc $mountPoint/proc - mount --rbind /sys $mountPoint/sys - # Set up core system link, GRUB, etc. - NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint /nix/var/nix/profiles/system/bin/switch-to-configuration boot - - # TODO: figure out if I should activate, but for now I won't - # chroot $mountPoint /nix/var/nix/profiles/system/activate + NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root $mountPoint -- /nix/var/nix/profiles/system/bin/switch-to-configuration boot # The above scripts will generate a random machine-id and we don't want to bake a single ID into all our images rm -f $mountPoint/etc/machine-id diff --git a/nixos/lib/make-iso9660-image.nix b/nixos/lib/make-iso9660-image.nix index 75be70dbcb2..c6bafd48f9d 100644 --- a/nixos/lib/make-iso9660-image.nix +++ b/nixos/lib/make-iso9660-image.nix @@ -1,4 +1,4 @@ -{ stdenv, perl, pathsFromGraph, xorriso, syslinux +{ stdenv, perl, closureInfo, xorriso, syslinux , # The file name of the resulting ISO image. isoName ? "cd.iso" @@ -48,9 +48,9 @@ assert usbBootable -> isohybridMbrImage != ""; stdenv.mkDerivation { name = isoName; builder = ./make-iso9660-image.sh; - buildInputs = [perl xorriso syslinux]; + buildInputs = [ xorriso syslinux ]; - inherit isoName bootable bootImage compressImage volumeID pathsFromGraph efiBootImage efiBootable isohybridMbrImage usbBootable; + inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable; # !!! should use XML. sources = map (x: x.source) contents; @@ -61,6 +61,5 @@ stdenv.mkDerivation { symlinks = map (x: x.symlink) storeContents; # For obtaining the closure of `storeContents'. - exportReferencesGraph = - map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents; + closureInfo = closureInfo { rootPaths = map (x: x.object) storeContents; }; } diff --git a/nixos/lib/make-iso9660-image.sh b/nixos/lib/make-iso9660-image.sh index c623436f6c5..45cdef1ef4d 100644 --- a/nixos/lib/make-iso9660-image.sh +++ b/nixos/lib/make-iso9660-image.sh @@ -72,16 +72,15 @@ done # Add the closures of the top-level store objects. -storePaths=$(perl $pathsFromGraph closure-*) -for i in $storePaths; do +for i in $(< $closureInfo/store-paths); do addPath "${i:1}" "$i" done # Also include a manifest of the closures in a format suitable for # nix-store --load-db. -if [ -n "$object" ]; then - printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration +if [[ ${#objects[*]} != 0 ]]; then + cp $closureInfo/registration nix-path-registration addPath "nix-path-registration" "nix-path-registration" fi diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix index 9d47a3222cc..7ab84e47f53 100644 --- a/nixos/lib/make-squashfs.nix +++ b/nixos/lib/make-squashfs.nix @@ -1,4 +1,4 @@ -{ stdenv, squashfsTools, perl, pathsFromGraph +{ stdenv, squashfsTools, closureInfo , # The root directory of the squashfs filesystem is filled with the # closures of the Nix store paths listed here. @@ -8,50 +8,18 @@ stdenv.mkDerivation { name = "squashfs.img"; - nativeBuildInputs = [perl squashfsTools]; - - # For obtaining the closure of `storeContents'. - exportReferencesGraph = - map (x: [("closure-" + baseNameOf x) x]) storeContents; + nativeBuildInputs = [ squashfsTools ]; buildCommand = '' - # Add the closures of the top-level store objects. - storePaths=$(perl ${pathsFromGraph} closure-*) - - # If a Hydra slave happens to have store paths with bad permissions/mtime, - # abort now so that they don't end up in ISO images in the channel. - # https://github.com/NixOS/nixpkgs/issues/32242 - hasBadPaths="" - for path in $storePaths; do - if [ -h "$path" ]; then - continue - fi - - mtime=$(stat -c %Y "$path") - mode=$(stat -c %a "$path") - - if [ "$mtime" != 1 ]; then - echo "Store path '$path' has an invalid mtime." - hasBadPaths=1 - fi - if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then - echo "Store path '$path' has invalid permissions ($mode)." - hasBadPaths=1 - fi - done - - if [ -n "$hasBadPaths" ]; then - echo "You have bad paths in your store, please fix them." - exit 1 - fi + closureInfo=${closureInfo { rootPaths = storeContents; }} # Also include a manifest of the closures in a format suitable # for nix-store --load-db. - printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration + cp $closureInfo/registration nix-path-registration # Generate the squashfs image. - mksquashfs nix-path-registration $storePaths $out \ + mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out \ -keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100% ''; } diff --git a/nixos/lib/testing.nix b/nixos/lib/testing.nix index efcafbaa555..d990a5f8b6a 100644 --- a/nixos/lib/testing.nix +++ b/nixos/lib/testing.nix @@ -3,7 +3,11 @@ with import ./build-vms.nix { inherit system minimal config; }; with pkgs; -rec { +let + jquery-ui = callPackage ./testing/jquery-ui.nix { }; + jquery = callPackage ./testing/jquery.nix { }; + +in rec { inherit pkgs; @@ -143,8 +147,8 @@ rec { test = passMeta (runTests driver); report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; }); - in (if makeCoverageReport then report else test) // { - inherit nodes driver test; + in (if makeCoverageReport then report else test) // { + inherit nodes driver test; }; runInMachine = diff --git a/nixos/lib/testing/jquery-ui.nix b/nixos/lib/testing/jquery-ui.nix new file mode 100644 index 00000000000..e65107a3c2f --- /dev/null +++ b/nixos/lib/testing/jquery-ui.nix @@ -0,0 +1,24 @@ +{ stdenv, fetchurl, unzip }: + +stdenv.mkDerivation rec { + name = "jquery-ui-1.11.4"; + + src = fetchurl { + url = "http://jqueryui.com/resources/download/${name}.zip"; + sha256 = "0ciyaj1acg08g8hpzqx6whayq206fvf4whksz2pjgxlv207lqgjh"; + }; + + buildInputs = [ unzip ]; + + installPhase = + '' + mkdir -p "$out/js" + cp -rv . "$out/js" + ''; + + meta = { + homepage = http://jqueryui.com/; + description = "A library of JavaScript widgets and effects"; + platforms = stdenv.lib.platforms.all; + }; +} diff --git a/nixos/lib/testing/jquery.nix b/nixos/lib/testing/jquery.nix new file mode 100644 index 00000000000..103721cadc3 --- /dev/null +++ b/nixos/lib/testing/jquery.nix @@ -0,0 +1,36 @@ +{ stdenv, fetchurl, compressed ? true }: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "jquery-1.11.3"; + + src = if compressed then + fetchurl { + url = "http://code.jquery.com/${name}.min.js"; + sha256 = "1f4glgxxn3jnvry3dpzmazj3207baacnap5w20gr2xlk789idfgc"; + } + else + fetchurl { + url = "http://code.jquery.com/${name}.js"; + sha256 = "1v956yf5spw0156rni5z77hzqwmby7ajwdcd6mkhb6zvl36awr90"; + }; + + unpackPhase = "true"; + + installPhase = + '' + mkdir -p "$out/js" + cp -v "$src" "$out/js/jquery.js" + ${optionalString compressed '' + (cd "$out/js" && ln -s jquery.js jquery.min.js) + ''} + ''; + + meta = with stdenv.lib; { + description = "JavaScript library designed to simplify the client-side scripting of HTML"; + homepage = http://jquery.com/; + license = licenses.mit; + platforms = platforms.all; + }; +} diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index c1102d55810..11e969b760e 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -529,6 +529,9 @@ in { system.activationScripts.users = stringAfter [ "stdio" ] '' + install -m 0700 -d /root + install -m 0755 -d /home + ${pkgs.perl}/bin/perl -w \ -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl \ -I${pkgs.perlPackages.JSON}/lib/perl5/site_perl \ diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index c2c36f02a14..d9646704e6f 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -34,10 +34,17 @@ in { options = { hardware.opengl.enable = mkOption { - description = "Whether this configuration requires OpenGL."; + description = '' + Whether to enable OpenGL drivers. This is needed to enable + OpenGL support in X11 systems, as well as for Wayland compositors + like sway, way-cooler and Weston. It is enabled by default + by the corresponding modules, so you do not usually have to + set it yourself, only if there is no module for your wayland + compositor of choice. See services.xserver.enable, + programs.sway.enable, and programs.way-cooler.enable. + ''; type = types.bool; default = false; - internal = true; }; hardware.opengl.driSupport = mkOption { diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 811449e9fe7..e7cbf415a22 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -331,8 +331,7 @@ in config.system.build.toplevel.drvPath; # Create the squashfs image that contains the Nix store. - system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix { storeContents = config.isoImage.storeContents; }; @@ -383,11 +382,8 @@ in boot.loader.timeout = 10; # Create the ISO image. - system.build.isoImage = import ../../../lib/make-iso9660-image.nix ({ - inherit (pkgs) stdenv perl pathsFromGraph xorriso syslinux; - + system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({ inherit (config.isoImage) isoName compressImage volumeID contents; - bootable = true; bootImage = "/isolinux/isolinux.bin"; } // optionalAttrs config.isoImage.makeUsbBootable { diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index 52239b61912..a4eda3c52dc 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -67,7 +67,7 @@ with lib; # Create the squashfs image that contains the Nix store. system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + inherit (pkgs) stdenv squashfsTools closureInfo; storeContents = config.netboot.storeContents; }; diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 131c779b1ab..4774cf39c03 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/gy4yv67gv3j6in0lalw37j353zdmfcwm-nix-1.11.16"; - i686-linux = "/nix/store/ifmyq5ryfxhhrzh62hiq65xyz1fwffga-nix-1.11.16"; - aarch64-linux = "/nix/store/y9mfv3sx75mbfibf1zna1kq9v98fk2nb-nix-1.11.16"; - x86_64-darwin = "/nix/store/hwpp7kia2f0in5ns2hiw41q38k30jpj2-nix-1.11.16"; + x86_64-linux = "/nix/store/6p2gambjac7xdkd2a7w1dsxdk1q5cq4d-nix-2.0"; + i686-linux = "/nix/store/zznnaijjk3nwx0cmpczxsvngmqzhl7r4-nix-2.0"; + aarch64-linux = "/nix/store/ci96w9kxfkmlc7x2vwqiz4da0r6abxnq-nix-2.0"; + x86_64-darwin = "/nix/store/xmi4fylvx4qc79ji9v5q3zfy9vfdy4sv-nix-2.0"; } diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh new file mode 100644 index 00000000000..67939118961 --- /dev/null +++ b/nixos/modules/installer/tools/nixos-enter.sh @@ -0,0 +1,60 @@ +#! @shell@ + +set -e + +# Re-exec ourselves in a private mount namespace so that our bind +# mounts get cleaned up automatically. +if [ -z "$NIXOS_ENTER_REEXEC" ]; then + export NIXOS_ENTER_REEXEC=1 + if [ "$(id -u)" != 0 ]; then + extraFlags="-r" + fi + exec unshare --fork --mount --uts --mount-proc --pid $extraFlags -- "$0" "$@" +else + mount --make-rprivate / +fi + +mountPoint=/mnt +system=/nix/var/nix/profiles/system +command=($system/sw/bin/bash "--login") + +while [ "$#" -gt 0 ]; do + i="$1"; shift 1 + case "$i" in + --root) + mountPoint="$1"; shift 1 + ;; + --system) + system="$1"; shift 1 + ;; + --help) + exec man nixos-enter + exit 1 + ;; + --command|-c) + command=($system/sw/bin/bash "-c" "$1") + shift 1 + ;; + --) + command=("$@") + break + ;; + *) + echo "$0: unknown option \`$i'" + exit 1 + ;; + esac +done + +if [[ ! -e $mountPoint/etc/NIXOS ]]; then + echo "$0: '$mountPoint' is not a NixOS installation" >&2 + exit 126 +fi + +mkdir -m 0755 -p "$mountPoint/dev" +mount --rbind /dev "$mountPoint/dev" + +# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings. +LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true + +exec chroot "$mountPoint" "${command[@]}" diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index f994d5b4bde..22c1e0fe9a3 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -1,35 +1,23 @@ #! @shell@ -# - make Nix store etc. -# - copy closure of Nix to target device -# - register validity -# - with a chroot to the target device: -# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration> -# * install the boot loader +set -e +shopt -s nullglob + +export PATH=@path@:$PATH # Ensure a consistent umask. umask 0022 -# Re-exec ourselves in a private mount namespace so that our bind -# mounts get cleaned up automatically. -if [ "$(id -u)" = 0 ]; then - if [ -z "$NIXOS_INSTALL_REEXEC" ]; then - export NIXOS_INSTALL_REEXEC=1 - exec unshare --mount --uts -- "$0" "$@" - else - mount --make-rprivate / - fi -fi - # Parse the command line for the -I flag extraBuildFlags=() -chrootCommand=(/run/current-system/sw/bin/bash) -buildUsersGroup="nixbld" + +mountPoint=/mnt +channelPath= while [ "$#" -gt 0 ]; do i="$1"; shift 1 case "$i" in - --max-jobs|-j|--cores|-I) + --max-jobs|-j|--cores|-I|--substituters) j="$1"; shift 1 extraBuildFlags+=("$i" "$j") ;; @@ -41,9 +29,11 @@ while [ "$#" -gt 0 ]; do --root) mountPoint="$1"; shift 1 ;; - --closure) - closure="$1"; shift 1 - buildUsersGroup="" + --system|--closure) + system="$1"; shift 1 + ;; + --channel) + channelPath="$1"; shift 1 ;; --no-channel-copy) noChannelCopy=1 @@ -57,17 +47,13 @@ while [ "$#" -gt 0 ]; do --show-trace) extraBuildFlags+=("$i") ;; - --chroot) - runChroot=1 - if [[ "$@" != "" ]]; then - chrootCommand=("$@") - fi - break - ;; --help) exec man nixos-install exit 1 ;; + --debug) + set -x + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -75,132 +61,83 @@ while [ "$#" -gt 0 ]; do esac done -set -e -shopt -s nullglob - -if test -z "$mountPoint"; then - mountPoint=/mnt -fi - if ! test -e "$mountPoint"; then echo "mount point $mountPoint doesn't exist" exit 1 fi # Get the path of the NixOS configuration file. -if test -z "$NIXOS_CONFIG"; then - NIXOS_CONFIG=/etc/nixos/configuration.nix +if [[ -z $NIXOS_CONFIG ]]; then + NIXOS_CONFIG=$mountPoint/etc/nixos/configuration.nix fi -if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then - echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist" +if [[ ${NIXOS_CONFIG:0:1} != / ]]; then + echo "$0: \$NIXOS_CONFIG is not an absolute path" exit 1 fi - -# Builds will use users that are members of this group -extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup") - -# Inherit binary caches from the host -# TODO: will this still work with Nix 1.12 now that it has no perl? Probably not... -binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')" -extraBuildFlags+=(--option "binary-caches" "$binary_caches") - -# We only need nixpkgs in the path if we don't already have a system closure to install -if [[ -z "$closure" ]]; then - nixpkgs="$(readlink -f "$(nix-instantiate --find-file nixpkgs)")" - export NIX_PATH="nixpkgs=$nixpkgs:nixos-config=$mountPoint/$NIXOS_CONFIG" -fi -unset NIXOS_CONFIG - -# These get created in nixos-prepare-root as well, but we want to make sure they're here in case we're -# running with --chroot. TODO: --chroot should just be split into a separate tool. -mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/proc" "$mountPoint/sys" - -# Set up some bind mounts we'll want regardless of chroot or not -mount --rbind /dev "$mountPoint/dev" -mount --rbind /proc "$mountPoint/proc" -mount --rbind /sys "$mountPoint/sys" - -# If we asked for a chroot, that means we're not actually installing anything (yeah I was confused too) -# and we just want to run a command in the context of a $mountPoint that we're assuming has already been -# set up by a previous nixos-install invocation. In that case we set up some remaining bind mounts and -# exec the requested command, skipping the rest of the installation procedure. -if [ -n "$runChroot" ]; then - mount -t tmpfs -o "mode=0755" none $mountPoint/run - rm -rf $mountPoint/var/run - ln -s /run $mountPoint/var/run - for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done - for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done - - if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then - echo "$0: installation not finished; cannot chroot into installation directory" - exit 1 - fi - ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system - exec chroot $mountPoint "${chrootCommand[@]}" +if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then + echo "configuration file $NIXOS_CONFIG doesn't exist" + exit 1 fi -# A place to drop temporary closures +# A place to drop temporary stuff. trap "rm -rf $tmpdir" EXIT tmpdir="$(mktemp -d)" -# Build a closure (on the host; we then copy it into the guest) -function closure() { - nix-build "${extraBuildFlags[@]}" --no-out-link -E "with import <nixpkgs> {}; runCommand \"closure\" { exportReferencesGraph = [ \"x\" (buildEnv { name = \"env\"; paths = [ ($1) stdenv ]; }) ]; } \"cp x \$out\"" -} - -system_closure="$tmpdir/system.closure" -# Use a FIFO for piping nix-store --export into nix-store --import, saving disk -# I/O and space. nix-store --import is run by nixos-prepare-root. -mkfifo $system_closure - -if [ -z "$closure" ]; then - expr="(import <nixpkgs/nixos> {}).system" - system_root="$(nix-build -E "$expr")" - system_closure="$(closure "$expr")" -else - system_root=$closure - # Create a temporary file ending in .closure (so nixos-prepare-root knows to --import it) to transport the store closure - # to the filesytem we're preparing. Also delete it on exit! - # Run in background to avoid blocking while trying to write to the FIFO - # $system_closure refers to - nix-store --export $(nix-store -qR $closure) > $system_closure & -fi - -channel_root="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" -channel_closure="$tmpdir/channel.closure" -nix-store --export $channel_root > $channel_closure - -# Populate the target root directory with the basics -@prepare_root@/bin/nixos-prepare-root "$mountPoint" "$channel_root" "$system_root" @nixClosure@ "$system_closure" "$channel_closure" - -# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead -chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store +sub="auto?trusted=1" +# Build the system configuration in the target filesystem. +if [[ -z $system ]]; then + echo "building the configuration in $NIXOS_CONFIG..." + outLink="$tmpdir/system" + nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" + system=$(readlink -f $outLink) +fi +# Set the system profile to point to the configuration. TODO: combine +# this with the previous step once we have a nix-env replacement with +# a progress bar. +nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/system --set "$system" + +# Copy the NixOS/Nixpkgs sources to the target as the initial contents +# of the NixOS channel. +if [[ -z $noChannelCopy ]]; then + if [[ -z $channelPath ]]; then + channelPath="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" + fi + if [[ -n $channelPath ]]; then + echo "copying channel..." + mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root + nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet + install -m 0700 -d $mountPoint/root/.nix-defexpr + ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels + fi +fi -# Grub needs an mtab. -ln -sfn /proc/mounts $mountPoint/etc/mtab +# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. +mkdir -m 0755 -p "$mountPoint/etc" +touch "$mountPoint/etc/NIXOS" # Switch to the new system configuration. This will install Grub with # a menu default pointing at the kernel/initrd/etc of the new # configuration. -echo "finalising the installation..." -if [ -z "$noBootLoader" ]; then - NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \ - /nix/var/nix/profiles/system/bin/switch-to-configuration boot +if [[ -z $noBootLoader ]]; then + echo "installing the boot loader..." + # Grub needs an mtab. + ln -sfn /proc/mounts $mountPoint/etc/mtab + NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot fi -# Run the activation script. -chroot $mountPoint /nix/var/nix/profiles/system/activate - - -# Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then - echo "setting root password..." - chroot $mountPoint /run/wrappers/bin/passwd +# Ask the user to set a root password, but only if the passwd command +# exists (i.e. when mutable user accounts are enabled). +if [[ -z $noRootPasswd ]] && [ -t 0 ]; then + nixos-enter --root "$mountPoint" -c '[[ -e /nix/var/nix/profiles/system/sw/bin/passwd ]] && echo "setting root password..." && /nix/var/nix/profiles/system/sw/bin/passwd' fi - echo "installation finished!" diff --git a/nixos/modules/installer/tools/nixos-prepare-root.sh b/nixos/modules/installer/tools/nixos-prepare-root.sh deleted file mode 100644 index ed5af234fec..00000000000 --- a/nixos/modules/installer/tools/nixos-prepare-root.sh +++ /dev/null @@ -1,104 +0,0 @@ -#! @shell@ - -# This script's goal is to perform all "static" setup of a filesystem structure from pre-built store paths. Everything -# in here should run in a non-root context and inside a Nix builder. It's designed primarily to be called from image- -# building scripts and from nixos-install, but because it makes very few assumptions about the context in which it runs, -# it could be useful in other contexts as well. -# -# Current behavior: -# - set up basic filesystem structure -# - make Nix store etc. -# - copy Nix, system, channel, and misceallaneous closures to target Nix store -# - register validity of all paths in the target store -# - set up channel and system profiles - -# Ensure a consistent umask. -umask 0022 - -set -e - -mountPoint="$1" -channel="$2" -system="$3" -shift 3 -closures="$@" - -PATH="@coreutils@/bin:@nix@/bin:@perl@/bin:@utillinux@/bin:@rsync@/bin" - -if ! test -e "$mountPoint"; then - echo "mount point $mountPoint doesn't exist" - exit 1 -fi - -# Create a few of the standard directories in the target root directory. -install -m 0755 -d $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home -install -m 01777 -d $mountPoint/tmp -install -m 0755 -d $mountPoint/tmp/root -install -m 0755 -d $mountPoint/var -install -m 0700 -d $mountPoint/root - -ln -sf /run $mountPoint/var/run - -# Create the necessary Nix directories on the target device -install -m 0755 -d \ - $mountPoint/nix/var/nix/gcroots \ - $mountPoint/nix/var/nix/temproots \ - $mountPoint/nix/var/nix/userpool \ - $mountPoint/nix/var/nix/profiles \ - $mountPoint/nix/var/nix/db \ - $mountPoint/nix/var/log/nix/drvs - -install -m 1775 -d $mountPoint/nix/store - -# All Nix operations below should operate on our target store, not /nix/store. -# N.B: this relies on Nix 1.12 or higher -export NIX_REMOTE=local?root=$mountPoint - -# Copy our closures to the Nix store on the target mount point, unless they're already there. -for i in $closures; do - # We support closures both in the format produced by `nix-store --export` and by `exportReferencesGraph`, - # mostly because there doesn't seem to be a single format that can be produced outside of a nix build and - # inside one. See https://github.com/NixOS/nix/issues/1242 for more discussion. - if [[ "$i" =~ \.closure$ ]]; then - echo "importing serialized closure $i to $mountPoint..." - nix-store --import < $i - else - # There has to be a better way to do this, right? - echo "copying closure $i to $mountPoint..." - for j in $(perl @pathsFromGraph@ $i); do - echo " $j... " - rsync -a $j $mountPoint/nix/store/ - done - - nix-store --option build-users-group root --register-validity < $i - fi -done - -# Create the required /bin/sh symlink; otherwise lots of things -# (notably the system() function) won't work. -if [ ! -x $mountPoint/@shell@ ]; then - echo "Error: @shell@ wasn't included in the closure" >&2 - exit 1 -fi -install -m 0755 -d $mountPoint/bin -ln -sf @shell@ $mountPoint/bin/sh - -echo "setting the system closure to '$system'..." -nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set "$system" - -ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system - -# Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel. -install -m 0755 -d $mountPoint/nix/var/nix/profiles -install -m 1777 -d $mountPoint/nix/var/nix/profiles/per-user -install -m 0755 -d $mountPoint/nix/var/nix/profiles/per-user/root - -if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then - echo "copying channel..." - nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet -fi -install -m 0700 -d $mountPoint/root/.nix-defexpr -ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels - -# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. -touch $mountPoint/etc/NIXOS diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index eab5f114766..beac9e29d59 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -1,7 +1,9 @@ # This module generates nixos-install, nixos-rebuild, # nixos-generate-config, etc. -{ config, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, ... }: + +with lib; let cfg = config.installer; @@ -16,28 +18,11 @@ let src = ./nixos-build-vms/nixos-build-vms.sh; }; - nixos-prepare-root = makeProg { - name = "nixos-prepare-root"; - src = ./nixos-prepare-root.sh; - - nix = pkgs.nixUnstable; - inherit (pkgs) perl pathsFromGraph rsync utillinux coreutils; - }; - nixos-install = makeProg { name = "nixos-install"; src = ./nixos-install.sh; - - inherit (pkgs) perl pathsFromGraph rsync; nix = config.nix.package.out; - cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - root_uid = config.ids.uids.root; - nixbld_gid = config.ids.gids.nixbld; - prepare_root = nixos-prepare-root; - - nixClosure = pkgs.runCommand "closure" - { exportReferencesGraph = ["refs" config.nix.package.out]; } - "cp refs $out"; + path = makeBinPath [ nixos-enter ]; }; nixos-rebuild = @@ -69,6 +54,11 @@ let inherit (config.system.nixos) version codeName revision; }; + nixos-enter = makeProg { + name = "nixos-enter"; + src = ./nixos-enter.sh; + }; + in { @@ -77,16 +67,16 @@ in environment.systemPackages = [ nixos-build-vms - nixos-prepare-root nixos-install nixos-rebuild nixos-generate-config nixos-option nixos-version + nixos-enter ]; system.build = { - inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild; + inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild nixos-enter; }; }; diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index 5316cfce906..13a0d7f4f6e 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix @@ -19,4 +19,6 @@ with lib; # Add some more video drivers to give X11 a shot at working in # VMware and QEMU. services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ]; + + powerManagement.enable = false; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 8d775ffc82d..39a24cfecc5 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -233,7 +233,7 @@ calibre-server = 213; heapster = 214; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; @@ -514,7 +514,7 @@ xtreemfs = 212; calibre-server = 213; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3bb65c6b295..e7f28c670be 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -642,7 +642,6 @@ ./services/web-apps/nexus.nix ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/matomo.nix - ./services/web-apps/pump.io.nix ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix diff --git a/nixos/modules/profiles/demo.nix b/nixos/modules/profiles/demo.nix index ef6fd77b5f8..c3ee6e98371 100644 --- a/nixos/modules/profiles/demo.nix +++ b/nixos/modules/profiles/demo.nix @@ -10,4 +10,10 @@ password = "demo"; uid = 1000; }; + + services.xserver.displayManager.sddm.autoLogin = { + enable = true; + relogin = true; + user = "demo"; + }; } diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 506a6ee3eaa..43f06c219f8 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -72,7 +72,13 @@ with lib; # To speed up installation a little bit, include the complete # stdenv in the Nix store on the CD. - system.extraDependencies = with pkgs; [ stdenv stdenvNoCC busybox ]; + system.extraDependencies = with pkgs; + [ + stdenv + stdenvNoCC # for runCommand + busybox + jq # for closureInfo + ]; # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1a62f04972d..c0967316c0c 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -126,7 +126,7 @@ in programs.bash = { shellInit = '' - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} ''; diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 5102bfef032..f689250dc61 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -108,7 +108,7 @@ in if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi export __ETC_ZSHENV_SOURCED=1 - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index e884098cb08..a67c61eb994 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -7,8 +7,10 @@ let cfg = config.services.openldap; openldap = pkgs.openldap; + dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; configFile = pkgs.writeText "slapd.conf" cfg.extraConfig; - + configOpts = if cfg.configDir == null then "-f ${configFile}" + else "-F ${cfg.configDir}"; in { @@ -81,6 +83,34 @@ in ''' ''; }; + + declarativeContents = mkOption { + type = with types; nullOr lines; + default = null; + description = '' + Declarative contents for the LDAP database, in LDIF format. + + Note a few facts when using it. First, the database + <emphasis>must</emphasis> be stored in the directory defined by + <code>dataDir</code>. Second, all <code>dataDir</code> will be erased + when starting the LDAP server. Third, modifications to the database + are not prevented, they are just dropped on the next reboot of the + server. Finally, performance-wise the database and indexes are rebuilt + on each server startup, so this will slow down server startup, + especially with large databases. + ''; + example = '' + dn: dc=example,dc=org + objectClass: domain + dc: example + + dn: ou=users,dc=example,dc=org + objectClass = organizationalUnit + ou: users + + # ... + ''; + }; }; }; @@ -88,7 +118,7 @@ in ###### implementation - config = mkIf config.services.openldap.enable { + config = mkIf cfg.enable { environment.systemPackages = [ openldap ]; @@ -98,11 +128,21 @@ in after = [ "network.target" ]; preStart = '' mkdir -p /var/run/slapd - chown -R ${cfg.user}:${cfg.group} /var/run/slapd - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + chown -R "${cfg.user}:${cfg.group}" /var/run/slapd + ${optionalString (cfg.declarativeContents != null) '' + rm -Rf "${cfg.dataDir}" + ''} + mkdir -p "${cfg.dataDir}" + ${optionalString (cfg.declarativeContents != null) '' + ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} + ''} + chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" ''; - serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -h \"${concatStringsSep " " cfg.urlList}\" ${if cfg.configDir == null then "-f "+configFile else "-F "+cfg.configDir}"; + serviceConfig.ExecStart = + "${openldap.out}/libexec/slapd -d 0 " + + "-u '${cfg.user}' -g '${cfg.group}' " + + "-h '${concatStringsSep " " cfg.urlList}' " + + "${configOpts}"; }; users.extraUsers.openldap = diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index c076f90e540..484079ed62d 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -33,9 +33,9 @@ let sh = pkgs.runtimeShell; binshDeps = pkgs.writeReferencesToFile sh; in - pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; inherit binshDeps; } '' + pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; } '' ${optionalString (!isNix20) '' - extraPaths=$(for i in $(cat binshDeps); do if test -d $i; then echo $i; fi; done) + extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done) ''} cat > $out <<END # WARNING: this file is generated from the nix.* options in diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index e9a035d17d3..f83fb7a6d5d 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -335,6 +335,7 @@ in { preStart = '' mkdir -m 700 -p /etc/NetworkManager/system-connections + mkdir -m 700 -p /etc/ipsec.d mkdir -m 755 -p ${stateDirs} ''; }; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 3e865e3b76a..8499e7c0f7c 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -55,6 +55,8 @@ in environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; serviceConfig = { + Restart = "always"; + RestartSec = "5s"; ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; User = "nix-serve"; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 3a3f64221c4..707d24b9220 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -32,13 +32,13 @@ let ${caConf} ''; - strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' + strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { ${if managePlugins then "load_modular = no" else ""} ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} plugins { stroke { - secrets_file = ${ipsecSecrets secrets} + secrets_file = ${secretsFile} } } } @@ -135,7 +135,18 @@ in }; }; - config = with cfg; mkIf enable { + + config = with cfg; + let + secretsFile = ipsecSecrets cfg.secrets; + in + mkIf enable + { + + # here we should use the default strongswan ipsec.secrets and + # append to it (default one is empty so not a pb for now) + environment.etc."ipsec.secrets".source = secretsFile; + systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; @@ -143,11 +154,15 @@ in wants = [ "keys.target" ]; after = [ "network-online.target" "keys.target" ]; environment = { - STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; serviceConfig = { ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; }; + preStart = '' + # with 'nopeerdns' setting, ppp writes into this folder + mkdir -m 700 -p /etc/ppp + ''; }; }; } diff --git a/nixos/modules/services/web-apps/pump.io-configure.js b/nixos/modules/services/web-apps/pump.io-configure.js deleted file mode 100644 index 1fbf346a34c..00000000000 --- a/nixos/modules/services/web-apps/pump.io-configure.js +++ /dev/null @@ -1,23 +0,0 @@ -var fs = require('fs'); - -var opts = JSON.parse(fs.readFileSync("/dev/stdin").toString()); -var config = opts.config; - -var readSecret = function(filename) { - return fs.readFileSync(filename).toString().trim(); -}; - -if (opts.secretFile) { - config.secret = readSecret(opts.secretFile); -} -if (opts.dbPasswordFile) { - config.params.dbpass = readSecret(opts.dbPasswordFile); -} -if (opts.smtpPasswordFile) { - config.smtppass = readSecret(opts.smtpPasswordFile); -} -if (opts.spamClientSecretFile) { - config.spamclientsecret = readSecret(opts.opts.spamClientSecretFile); -} - -fs.writeFileSync(opts.outputFile, JSON.stringify(config)); diff --git a/nixos/modules/services/web-apps/pump.io.nix b/nixos/modules/services/web-apps/pump.io.nix deleted file mode 100644 index 27ae6851636..00000000000 --- a/nixos/modules/services/web-apps/pump.io.nix +++ /dev/null @@ -1,438 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.pumpio; - dataDir = "/var/lib/pump.io"; - runDir = "/run/pump.io"; - user = "pumpio"; - - optionalSet = condition: value: if condition then value else {}; - - configScript = ./pump.io-configure.js; - configOptions = { - outputFile = "${runDir}/config.json"; - config = - (optionalSet (cfg.driver != "disk") { - driver = cfg.driver; - }) // - { - params = (optionalSet (cfg.driver == "disk") { dir = dataDir; }) // - (optionalSet (cfg.driver == "mongodb" || cfg.driver == "redis") { - host = cfg.dbHost; - port = cfg.dbPort; - dbname = cfg.dbName; - dbuser = cfg.dbUser; - dbpass = cfg.dbPassword; - }) // - (optionalSet (cfg.driver == "memcached") { - host = cfg.dbHost; - port = cfg.dbPort; - }) // cfg.driverParams; - secret = cfg.secret; - - address = cfg.address; - port = cfg.port; - - noweb = false; - urlPort = cfg.urlPort; - hostname = cfg.hostname; - favicon = cfg.favicon; - - site = cfg.site; - owner = cfg.owner; - ownerURL = cfg.ownerURL; - - key = cfg.sslKey; - cert = cfg.sslCert; - bounce = false; - - spamhost = cfg.spamHost; - spamclientid = cfg.spamClientId; - spamclientsecret = cfg.spamClientSecret; - - requireEmail = cfg.requireEmail; - smtpserver = cfg.smtpHost; - smtpport = cfg.smtpPort; - smtpuser = cfg.smtpUser; - smtppass = cfg.smtpPassword; - smtpusessl = cfg.smtpUseSSL; - smtpfrom = cfg.smtpFrom; - - nologger = false; - enableUploads = cfg.enableUploads; - datadir = dataDir; - debugClient = false; - firehose = cfg.firehose; - disableRegistration = cfg.disableRegistration; - - inherit (cfg) secretFile dbPasswordFile smtpPasswordFile spamClientSecretFile; - } // - (optionalSet (cfg.port < 1024) { - serverUser = user; # have pump.io listen then drop privileges - }) // cfg.extraConfig; -}; in { - options = { - - services.pumpio = { - - enable = mkEnableOption "Pump.io social streams server"; - - secret = mkOption { - type = types.nullOr types.str; - default = null; - example = "my dog has fleas"; - description = '' - A session-generating secret, server-wide password. Warning: - this is stored in cleartext in the Nix store! - ''; - }; - - secretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-secret"; - description = '' - A file containing the session-generating secret, - server-wide password. - ''; - }; - - site = mkOption { - type = types.str; - example = "Awesome Sauce"; - description = "Name of the server"; - }; - - owner = mkOption { - type = types.str; - default = ""; - example = "Awesome Inc."; - description = "Name of owning entity, if you want to link to it."; - }; - - ownerURL = mkOption { - type = types.str; - default = ""; - example = "https://pump.io"; - description = "URL of owning entity, if you want to link to it."; - }; - - address = mkOption { - type = types.str; - default = "localhost"; - description = '' - Web server listen address. - ''; - }; - - port = mkOption { - type = types.int; - default = 31337; - description = '' - Port to listen on. Defaults to 31337, which is suitable for - running behind a reverse proxy. For a standalone server, - use 443. - ''; - }; - - hostname = mkOption { - type = types.nullOr types.str; - default = "localhost"; - description = '' - The hostname of the server, used for generating - URLs. Defaults to "localhost" which doesn't do much for you. - ''; - }; - - urlPort = mkOption { - type = types.int; - default = 443; - description = '' - Port to use for generating URLs. This basically has to be - either 80 or 443 because the host-meta and Webfinger - protocols don't make any provision for HTTP/HTTPS servers - running on other ports. - ''; - }; - - favicon = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Local filesystem path to the favicon.ico file to use. This - will be served as "/favicon.ico" by the server. - ''; - }; - - enableUploads = mkOption { - type = types.bool; - default = true; - description = '' - If you want to disable file uploads, set this to false. Uploaded files will be stored - in ${dataDir}/uploads. - ''; - }; - - sslKey = mkOption { - type = types.path; - example = "${dataDir}/myserver.key"; - default = ""; - description = '' - The path to the server certificate private key. The - certificate is required, but it can be self-signed. - ''; - }; - - sslCert = mkOption { - type = types.path; - example = "${dataDir}/myserver.crt"; - default = ""; - description = '' - The path to the server certificate. The certificate is - required, but it can be self-signed. - ''; - }; - - firehose = mkOption { - type = types.str; - default = "ofirehose.com"; - description = '' - Firehose host running the ofirehose software. Defaults to - "ofirehose.com". Public notices will be ping this firehose - server and from there go out to search engines and the - world. If you want to disconnect from the public web, set - this to something falsy. - ''; - }; - - disableRegistration = mkOption { - type = types.bool; - default = false; - description = '' - Disables registering new users on the site through the Web - or the API. - ''; - }; - - requireEmail = mkOption { - type = types.bool; - default = false; - description = "Require an e-mail address to register."; - }; - - extraConfig = mkOption { - default = { }; - description = '' - Extra configuration options which are serialized to json and added - to the pump.io.json config file. - ''; - }; - - driver = mkOption { - type = types.enum [ "mongodb" "disk" "lrucache" "memcached" "redis" ]; - default = "mongodb"; - description = "Type of database. Corresponds to a nodejs databank driver."; - }; - - driverParams = mkOption { - default = { }; - description = "Extra parameters for the driver."; - }; - - dbHost = mkOption { - type = types.str; - default = "localhost"; - description = "The database host to connect to."; - }; - - dbPort = mkOption { - type = types.int; - default = 27017; - description = "The port that the database is listening on."; - }; - - dbName = mkOption { - type = types.str; - default = "pumpio"; - description = "The name of the database to use."; - }; - - dbUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The username. Defaults to null, meaning no authentication. - ''; - }; - - dbPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The password corresponding to dbUser. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - - dbPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-dbpassword"; - description = '' - A file containing the password corresponding to dbUser. - ''; - }; - - smtpHost = mkOption { - type = types.nullOr types.str; - default = null; - example = "localhost"; - description = '' - Server to use for sending transactional email. If it's not - set up, no email is sent and features like password recovery - and email notification won't work. - ''; - }; - - smtpPort = mkOption { - type = types.int; - default = 25; - description = '' - Port to connect to on SMTP server. - ''; - }; - - smtpUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Username to use to connect to SMTP server. Might not be - necessary for some servers. - ''; - }; - - smtpPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Password to use to connect to SMTP server. Might not be - necessary for some servers. Warning: this is stored in - cleartext in the Nix store! - ''; - }; - - smtpPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-smtppassword"; - description = '' - A file containing the password used to connect to SMTP - server. Might not be necessary for some servers. - ''; - }; - - - smtpUseSSL = mkOption { - type = types.bool; - default = false; - description = '' - Only use SSL with the SMTP server. By default, a SSL - connection is negotiated using TLS. You may need to change - the smtpPort value if you set this. - ''; - }; - - smtpFrom = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Email address to use in the "From:" header of outgoing - notifications. Defaults to 'no-reply@' plus the site - hostname. - ''; - }; - - spamHost = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Host running activityspam software to use to test updates - for spam. - ''; - }; - spamClientId = mkOption { - type = types.nullOr types.str; - default = null; - description = "OAuth pair for spam server."; - }; - spamClientSecret = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - OAuth pair for spam server. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - spamClientSecretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-spamclientsecret"; - description = '' - A file containing the OAuth key for the spam server. - ''; - }; - }; - - }; - - config = mkIf cfg.enable { - warnings = let warn = k: optional (cfg.${k} != null) - "config.services.pumpio.${k} is insecure. Use ${k}File instead."; - in concatMap warn [ "secret" "dbPassword" "smtpPassword" "spamClientSecret" ]; - - assertions = [ - { assertion = !(isNull cfg.secret && isNull cfg.secretFile); - message = "pump.io needs a secretFile configured"; - } - ]; - - systemd.services."pump.io" = - { description = "Pump.io - stream server that does most of what people really want from a social network"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${dataDir}/uploads - mkdir -p ${runDir} - chown pumpio:pumpio ${dataDir}/uploads ${runDir} - chmod 770 ${dataDir}/uploads ${runDir} - - ${pkgs.nodejs}/bin/node ${configScript} <<EOF - ${builtins.toJSON configOptions} - EOF - - chgrp pumpio ${configOptions.outputFile} - chmod 640 ${configOptions.outputFile} - ''; - - serviceConfig = { - ExecStart = "${pkgs.pumpio}/bin/pump -c ${configOptions.outputFile}"; - PermissionsStartOnly = true; - User = if cfg.port < 1024 then "root" else user; - Group = user; - }; - environment = { NODE_ENV = "production"; }; - }; - - users.extraGroups.pumpio.gid = config.ids.gids.pumpio; - users.extraUsers.pumpio = { - group = "pumpio"; - uid = config.ids.uids.pumpio; - description = "Pump.io user"; - home = dataDir; - createHome = true; - }; - }; -} diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index c784f4756d1..8f7a56189a0 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -505,7 +505,7 @@ let ${cfg.database.name}'' else if cfg.database.type == "mysql" then '' - echo '${e}' | ${pkgs.mysql}/bin/mysql \ + echo '${e}' | ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.mysql.package}/bin/mysql \ -u ${cfg.database.user} \ ${optionalString (cfg.database.password != null) "-p${cfg.database.password}"} \ ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} -P ${toString dbPort}"} \ diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index 0b2e5c0b69d..aa94e0e976c 100644 --- a/nixos/modules/services/web-servers/tomcat.nix +++ b/nixos/modules/services/web-servers/tomcat.nix @@ -19,11 +19,7 @@ in options = { services.tomcat = { - - enable = mkOption { - default = false; - description = "Whether to enable Apache Tomcat"; - }; + enable = mkEnableOption "Apache Tomcat"; package = mkOption { type = types.package; @@ -36,10 +32,30 @@ in }; baseDir = mkOption { + type = lib.types.path; default = "/var/tomcat"; description = "Location where Tomcat stores configuration files, webapplications and logfiles"; }; + logDirs = mkOption { + default = []; + type = types.listOf types.path; + description = "Directories to create in baseDir/logs/"; + }; + + extraConfigFiles = mkOption { + default = []; + type = types.listOf types.path; + description = "Extra configuration files to pull into the tomcat conf directory"; + }; + + extraEnvironment = mkOption { + type = types.listOf types.str; + default = []; + example = [ "ENVIRONMENT=production" ]; + description = "Environment Variables to pass to the tomcat service"; + }; + extraGroups = mkOption { default = []; example = [ "users" ]; @@ -47,31 +63,46 @@ in }; user = mkOption { + type = types.str; default = "tomcat"; description = "User account under which Apache Tomcat runs."; }; group = mkOption { + type = types.str; default = "tomcat"; description = "Group account under which Apache Tomcat runs."; }; javaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat"; }; catalinaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container"; }; sharedLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications"; }; + serverXml = mkOption { + type = types.lines; + default = ""; + description = " + Verbatim server.xml configuration. + This is mutually exclusive with the virtualHosts options. + "; + }; + commonLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container"; }; @@ -84,11 +115,21 @@ in }; virtualHosts = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.listOf types.str; + description = "name of the virtualhost"; + default = []; + }; + }; + }); default = []; description = "List consisting of a virtual host name and a list of web applications to deploy on each virtual host"; }; logPerVirtualHost = mkOption { + type = types.bool; default = false; description = "Whether to enable logging per virtual host."; }; @@ -104,11 +145,13 @@ in enable = mkOption { default = false; + type = types.bool; description = "Whether to enable an Apache Axis2 container"; }; services = mkOption { default = []; + type = types.listOf types.str; description = "List containing AAR files or directories with AAR files which are web services to be deployed on Axis2"; }; @@ -140,130 +183,104 @@ in description = "Apache Tomcat server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; preStart = '' # Create the base directory - mkdir -p ${cfg.baseDir} + mkdir -p \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} + chown ${cfg.user}:${cfg.group} \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} # Create a symlink to the bin directory of the tomcat component ln -sfn ${tomcat}/bin ${cfg.baseDir}/bin - # Create a conf/ directory - mkdir -p ${cfg.baseDir}/conf - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/conf - # Symlink the config files in the conf/ directory (except for catalina.properties and server.xml) - for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml) - do - ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` + for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml); do + ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` done - # Create subdirectory for virtual hosts - mkdir -p ${cfg.baseDir}/virtualhosts + ${if cfg.extraConfigFiles != [] then '' + for i in ${toString cfg.extraConfigFiles}; do + ln -sfn $i ${cfg.baseDir}/conf/`basename $i` + done + '' else ""} # Create a modified catalina.properties file # Change all references from CATALINA_HOME to CATALINA_BASE and add support for shared libraries sed -e 's|''${catalina.home}|''${catalina.base}|g' \ - -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ - ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties - - # Create a modified server.xml which also includes all virtual hosts - sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${ - toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ - ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml - - # Create a logs/ directory - mkdir -p ${cfg.baseDir}/logs - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs - ${if cfg.logPerVirtualHost then - toString (map (h: '' - mkdir -p ${cfg.baseDir}/logs/${h.name} - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} - '') cfg.virtualHosts) else ''''} - - # Create a temp/ directory - mkdir -p ${cfg.baseDir}/temp - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/temp - - # Create a lib/ directory - mkdir -p ${cfg.baseDir}/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/lib - - # Create a shared/lib directory - mkdir -p ${cfg.baseDir}/shared/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/shared/lib - - # Create a webapps/ directory - mkdir -p ${cfg.baseDir}/webapps - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps + -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ + ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties + + ${if cfg.serverXml != "" then '' + cp -f ${pkgs.writeTextDir "server.xml" cfg.serverXml}/* ${cfg.baseDir}/conf/ + '' else '' + # Create a modified server.xml which also includes all virtual hosts + sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ + ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml + '' + } + ${optionalString (cfg.logDirs != []) '' + for i in ${toString cfg.logDirs}; do + mkdir -p ${cfg.baseDir}/logs/$i + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/$i + done + ''} + ${optionalString cfg.logPerVirtualHost (toString (map (h: '' + mkdir -p ${cfg.baseDir}/logs/${h.name} + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} + '') cfg.virtualHosts))} # Symlink all the given common libs files or paths into the lib/ directory - for i in ${tomcat} ${toString cfg.commonLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/lib/* - do - ln -sfn $j ${cfg.baseDir}/lib/`basename $j` - done - fi + for i in ${tomcat} ${toString cfg.commonLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/lib/*; do + ln -sfn $j ${cfg.baseDir}/lib/`basename $j` + done + fi done # Symlink all the given shared libs files or paths into the shared/lib/ directory - for i in ${toString cfg.sharedLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/shared/lib/* - do - ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` - done - fi + for i in ${toString cfg.sharedLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/shared/lib/*; do + ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` + done + fi done # Symlink all the given web applications files or paths into the webapps/ directory - for i in ${toString cfg.webapps} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` - done + for i in ${toString cfg.webapps}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` + done - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/localhost - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/localhost + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done fi + fi done ${toString (map (virtualHost: '' @@ -275,94 +292,79 @@ in # Symlink all the given web applications files or paths into the webapps/ directory # of this virtual host - for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}" - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} - ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` - done - fi + for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}"; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} + ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` + done fi + fi done - - '' - ) cfg.virtualHosts) } - - # Create a work/ directory - mkdir -p ${cfg.baseDir}/work - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/work - - ${if cfg.axis2.enable then - '' - # Copy the Axis2 web application - cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps - - # Turn off addressing, which causes many errors - sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml - - # Modify permissions on the Axis2 application - chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 - - # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory - for i in ${toString cfg.axis2.services} - do - if [ -f $i ] - then - # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services - ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/axis2/WEB-INF/services/* - do - ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi - fi - done - '' - else ""} - ''; - - script = '' - ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c 'CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} JAVA_OPTS="${cfg.javaOpts}" CATALINA_OPTS="${cfg.catalinaOpts}" ${tomcat}/bin/startup.sh' - ''; - - preStop = '' - echo "Stopping tomcat..." - CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c ${tomcat}/bin/shutdown.sh + '') cfg.virtualHosts)} + + ${optionalString cfg.axis2.enable '' + # Copy the Axis2 web application + cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps + + # Turn off addressing, which causes many errors + sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml + + # Modify permissions on the Axis2 application + chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 + + # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory + for i in ${toString cfg.axis2.services}; do + if [ -f $i ]; then + # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services + ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/axis2/WEB-INF/services/*; do + ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done + fi + fi + done + ''} ''; + serviceConfig = { + Type = "forking"; + PermissionsStartOnly = true; + PIDFile="/run/tomcat/tomcat.pid"; + RuntimeDirectory = "tomcat"; + User = cfg.user; + Environment=[ + "CATALINA_BASE=${cfg.baseDir}" + "CATALINA_PID=/run/tomcat/tomcat.pid" + "JAVA_HOME='${cfg.jdk}'" + "JAVA_OPTS='${builtins.toString cfg.javaOpts}'" + "CATALINA_OPTS='${builtins.toString cfg.catalinaOpts}'" + ] ++ cfg.extraEnvironment; + ExecStart = "${tomcat}/bin/startup.sh"; + ExecStop = "${tomcat}/bin/shutdown.sh"; + }; }; - }; - } diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index b5e93683091..9d30155a723 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -9,6 +9,10 @@ let xEnv = config.systemd.services."display-manager".environment; cfg = dmcfg.lightdm; + dmDefault = xcfg.desktopManager.default; + wmDefault = xcfg.windowManager.default; + hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + inherit (pkgs) stdenv lightdm writeScript writeText; # lightdm runs with clearenv(), but we need a few things in the enviornment for X to startup @@ -54,14 +58,13 @@ let autologin-user-timeout = ${toString cfg.autoLogin.timeout} autologin-session = ${defaultSessionName} ''} + ${optionalString hasDefaultUserSession '' + user-session=${defaultSessionName} + ''} ${cfg.extraSeatDefaults} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -179,6 +182,14 @@ in default session: ${defaultSessionName} is not valid. ''; } + { assertion = hasDefaultUserSession -> elem defaultSessionName dmcfg.session.names; + message = '' + services.xserver.desktopManager.default and + services.xserver.windowMananger.default are not set to valid + values. The current default session: ${defaultSessionName} + is not valid. + ''; + } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); message = '' LightDM can only run without greeter if automatic login is enabled and the timeout for it diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index dd7929285cd..c563614caaa 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -117,14 +117,7 @@ in config = { - system.activationScripts.stdio = - '' - # Needed by some programs. - ln -sfn /proc/self/fd /dev/fd - ln -sfn /proc/self/fd/0 /dev/stdin - ln -sfn /proc/self/fd/1 /dev/stdout - ln -sfn /proc/self/fd/2 /dev/stderr - ''; + system.activationScripts.stdio = ""; # obsolete system.activationScripts.var = '' diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index 4a6e1c7e56e..33862b0965c 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -23,6 +23,8 @@ let fi ''; + udhcpcArgs = toString cfg.udhcpc.extraArgs; + in { @@ -47,6 +49,16 @@ in ''; }; + boot.initrd.network.udhcpc.extraArgs = mkOption { + default = []; + type = types.listOf types.str; + description = '' + Additional command-line arguments passed verbatim to udhcpc if + <option>boot.initrd.network.enable</option> and <option>networking.useDHCP</option> + are enabled. + ''; + }; + boot.initrd.network.postCommands = mkOption { default = ""; type = types.lines; @@ -91,7 +103,7 @@ in # Acquire a DHCP lease. echo "acquiring IP address via DHCP..." - udhcpc --quit --now --script ${udhcpcScript} && hasNetwork=1 + udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 fi '' diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8b390e1b60c..54dfb53fd30 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -43,8 +43,17 @@ let open_normally() { echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ ${optionalString (header != null) "--header=${header}"} \ - ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \ > /.luksopen_args + ${optionalString (keyFile != null) '' + ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"} + echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ + >> /.luksopen_args + ${optionalString fallbackToPassword '' + else + echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" + fi + ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -324,6 +333,16 @@ in ''; }; + fallbackToPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = '' diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index b915a98d537..dee0ab470c9 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -54,7 +54,7 @@ with lib; environment.systemPackages = [ pkgs.kmod ]; - system.activationScripts.modprobe = + system.activationScripts.modprobe = stringAfter ["specialfs"] '' # Allow the kernel to find our wrapped modprobe (which searches # in the right location in the Nix store for kernel modules). diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 7bf7a51a241..eea10613ea5 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -650,11 +650,7 @@ let unitFiles = map (name: { target = "systemd/network/${name}"; source = "${cfg.units.${name}.unit}/${name}"; - }) (attrNames cfg.units) ++ - (map (entry: { - target = "systemd/network/${entry}"; - source = "${config.systemd.package}/lib/systemd/network/${entry}"; - }) (attrNames (builtins.readDir "${config.systemd.package}/lib/systemd/network"))); + }) (attrNames cfg.units); in { diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 46aed44bf10..9d2c580d62a 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -82,7 +82,6 @@ ln -s /proc/mounts /etc/mtab mkdir -m 01777 -p /tmp mkdir -m 0755 -p /var/{log,lib,db} /nix/var /etc/nixos/ \ /run/lock /home /bin # for the /bin/sh symlink -install -m 0700 -d /root # Miscellaneous boot time cleanup. diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 8aa5163ce22..630fe6d114c 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -288,6 +288,17 @@ let ${i} '')}" > /run/${n}.interfaces + ${optionalString config.virtualisation.libvirtd.enable '' + # Enslave dynamically added interfaces which may be lost on nixos-rebuild + for uri in qemu:///system lxc:///; do + for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do + ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \ + ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \ + ${pkgs.bash}/bin/bash + done + done + ''} + # Enable stp on the interface ${optionalString v.rstp '' echo 2 >/sys/class/net/${n}/bridge/stp_state diff --git a/nixos/modules/virtualisation/parallels-guest.nix b/nixos/modules/virtualisation/parallels-guest.nix index fc0409e9ec7..36ca7f356d4 100644 --- a/nixos/modules/virtualisation/parallels-guest.nix +++ b/nixos/modules/virtualisation/parallels-guest.nix @@ -3,9 +3,7 @@ with lib; let - - prl-tools = config.boot.kernelPackages.prl-tools; - + prl-tools = config.hardware.parallels.package; in { @@ -22,6 +20,26 @@ in ''; }; + autoMountShares = mkOption { + type = types.bool; + default = true; + description = '' + Control prlfsmountd service. When this service is running, shares can not be manually + mounted through `mount -t prl_fs ...` as this service will remount and trample any set options. + Recommended to enable for simple file sharing, but extended share use such as for code should + disable this to manually mount shares. + ''; + }; + + package = mkOption { + type = types.package; + default = config.boot.kernelPackages.prl-tools; + defaultText = "config.boot.kernelPackages.prl-tools"; + example = literalExample "config.boot.kernelPackages.prl-tools"; + description = '' + Defines which package to use for prl-tools. Override to change the version. + ''; + }; }; }; @@ -67,7 +85,7 @@ in }; }; - systemd.services.prlfsmountd = { + systemd.services.prlfsmountd = mkIf config.hardware.parallels.autoMountShares { description = "Parallels Shared Folders Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = rec { diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index afc5a42f8b4..cf57868acef 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -241,6 +241,12 @@ in ''; target = "default/xendomains"; } + ] + ++ lib.optionals (builtins.compareVersions cfg.package.version "4.10" >= 0) [ + # in V 4.10 oxenstored requires /etc/xen/oxenstored.conf to start + { source = "${cfg.package}/etc/xen/oxenstored.conf"; + target = "xen/oxenstored.conf"; + } ]; # Xen provides udev rules. @@ -262,7 +268,7 @@ in mkdir -p /var/lib/xen # so we create them here unconditionally. grep -q control_d /proc/xen/capabilities ''; - serviceConfig = if cfg.package.version < "4.8" then + serviceConfig = if (builtins.compareVersions cfg.package.version "4.8" < 0) then { ExecStart = '' ${cfg.stored}${optionalString cfg.trace " -T /var/log/xen/xenstored-trace.log"} --no-fork ''; @@ -275,7 +281,7 @@ in NotifyAccess = "all"; }; postStart = '' - ${optionalString (cfg.package.version < "4.8") '' + ${optionalString (builtins.compareVersions cfg.package.version "4.8" < 0) '' time=0 timeout=30 # Wait for xenstored to actually come up, timing out after 30 seconds @@ -320,7 +326,7 @@ in serviceConfig = { ExecStart = '' ${cfg.package}/bin/xenconsoled\ - ${optionalString ((cfg.package.version >= "4.8")) " -i"}\ + ${optionalString ((builtins.compareVersions cfg.package.version "4.8" >= 0)) " -i"}\ ${optionalString cfg.trace " --log=all --log-dir=/var/log/xen"} ''; }; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 9d4a551a958..e010b532a68 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -52,17 +52,17 @@ in rec { (all nixos.dummy) (all nixos.manual) - nixos.iso_minimal.x86_64-linux - nixos.iso_minimal.i686-linux - nixos.iso_graphical.x86_64-linux - nixos.ova.x86_64-linux + nixos.iso_minimal.x86_64-linux or [] + nixos.iso_minimal.i686-linux or [] + nixos.iso_graphical.x86_64-linux or [] + nixos.ova.x86_64-linux or [] #(all nixos.tests.containers) - nixos.tests.chromium.x86_64-linux + nixos.tests.chromium.x86_64-linux or [] (all nixos.tests.firefox) (all nixos.tests.firewall) (all nixos.tests.gnome3) - nixos.tests.installer.zfsroot.x86_64-linux # ZFS is 64bit only + nixos.tests.installer.zfsroot.x86_64-linux or [] # ZFS is 64bit only (all nixos.tests.installer.lvm) (all nixos.tests.installer.luksroot) (all nixos.tests.installer.separateBoot) @@ -81,7 +81,7 @@ in rec { (all nixos.tests.boot.uefiUsb) (all nixos.tests.boot-stage1) (all nixos.tests.hibernate) - nixos.tests.docker.x86_64-linux + nixos.tests.docker.x86_64-linux or [] (all nixos.tests.ecryptfs) (all nixos.tests.env) (all nixos.tests.ipv6) diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 2b532c70763..4bfb9a423f7 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -50,6 +50,10 @@ in rec { separateBoot simple; }; + boot = { + inherit (nixos'.tests.boot) + biosCdrom; + }; }; }; diff --git a/nixos/release.nix b/nixos/release.nix index 473b11313be..a1310a409a1 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -1,4 +1,4 @@ -{ nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 56789; shortRev = "gfedcba"; } +{ nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 130979; shortRev = "gfedcba"; } , stableBranch ? false , supportedSystems ? [ "x86_64-linux" "aarch64-linux" ] }: @@ -16,7 +16,11 @@ let inherit system; } // args); - callTestOnTheseSystems = systems: fn: args: forTheseSystems systems (system: hydraJob (importTest fn args system)); + # Note: only supportedSystems are considered. + callTestOnTheseSystems = systems: fn: args: + forTheseSystems + (intersectLists supportedSystems systems) + (system: hydraJob (importTest fn args system)); callTest = callTestOnTheseSystems supportedSystems; callSubTests = callSubTestsOnTheseSystems supportedSystems; @@ -231,7 +235,7 @@ in rec { tests.buildbot = callTest tests/buildbot.nix {}; tests.cadvisor = callTestOnTheseSystems ["x86_64-linux"] tests/cadvisor.nix {}; tests.ceph = callTestOnTheseSystems ["x86_64-linux"] tests/ceph.nix {}; - tests.chromium = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/chromium.nix {}).stable; + tests.chromium = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/chromium.nix {}).stable or {}; tests.cjdns = callTest tests/cjdns.nix {}; tests.cloud-init = callTest tests/cloud-init.nix {}; tests.containers-ipv4 = callTest tests/containers-ipv4.nix {}; @@ -252,8 +256,8 @@ in rec { tests.dnscrypt-proxy = callTestOnTheseSystems ["x86_64-linux"] tests/dnscrypt-proxy.nix {}; tests.ecryptfs = callTest tests/ecryptfs.nix {}; tests.etcd = callTestOnTheseSystems ["x86_64-linux"] tests/etcd.nix {}; - tests.ec2-nixops = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-nixops; - tests.ec2-config = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-config; + tests.ec2-nixops = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-nixops or {}; + tests.ec2-config = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-config or {}; tests.elk = callSubTestsOnTheseSystems ["x86_64-linux"] tests/elk.nix {}; tests.env = callTest tests/env.nix {}; tests.ferm = callTest tests/ferm.nix {}; @@ -274,6 +278,7 @@ in rec { tests.hibernate = callTest tests/hibernate.nix {}; tests.home-assistant = callTest tests/home-assistant.nix { }; tests.hound = callTest tests/hound.nix {}; + tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {}; tests.i3wm = callTest tests/i3wm.nix {}; tests.initrd-network-ssh = callTest tests/initrd-network-ssh {}; tests.installer = callSubTests tests/installer.nix {}; @@ -291,7 +296,7 @@ in rec { tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {}; tests.kernel-latest = callTest tests/kernel-latest.nix {}; tests.kernel-lts = callTest tests/kernel-lts.nix {}; - tests.kubernetes = hydraJob (import tests/kubernetes/default.nix { system = "x86_64-linux"; }); + tests.kubernetes = callSubTestsOnTheseSystems ["x86_64-linux"] tests/kubernetes/default.nix {}; tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; }; tests.ldap = callTest tests/ldap.nix {}; #tests.lightdm = callTest tests/lightdm.nix {}; @@ -325,6 +330,7 @@ in rec { tests.leaps = callTest tests/leaps.nix { }; tests.nsd = callTest tests/nsd.nix {}; tests.openssh = callTest tests/openssh.nix {}; + tests.openldap = callTest tests/openldap.nix {}; tests.owncloud = callTest tests/owncloud.nix {}; tests.pam-oath-login = callTest tests/pam-oath-login.nix {}; #tests.panamax = callTestOnTheseSystems ["x86_64-linux"] tests/panamax.nix {}; @@ -339,7 +345,6 @@ in rec { tests.printing = callTest tests/printing.nix {}; tests.prometheus = callTest tests/prometheus.nix {}; tests.proxy = callTest tests/proxy.nix {}; - tests.pumpio = callTest tests/pump.io.nix {}; # tests.quagga = callTest tests/quagga.nix {}; tests.quake3 = callTest tests/quake3.nix {}; tests.rabbitmq = callTest tests/rabbitmq.nix {}; @@ -355,6 +360,7 @@ in rec { tests.snapper = callTest tests/snapper.nix {}; tests.statsd = callTest tests/statsd.nix {}; tests.sudo = callTest tests/sudo.nix {}; + tests.systemd = callTest tests/systemd.nix {}; tests.switchTest = callTest tests/switch-test.nix {}; tests.taskserver = callTest tests/taskserver.nix {}; tests.tomcat = callTest tests/tomcat.nix {}; diff --git a/nixos/tests/boot.nix b/nixos/tests/boot.nix index fc52cd09f20..301d9d0f817 100644 --- a/nixos/tests/boot.nix +++ b/nixos/tests/boot.nix @@ -24,6 +24,12 @@ let my $machine = createMachine({ ${machineConfig}, qemuFlags => '-m 768' }); $machine->start; $machine->waitForUnit("multi-user.target"); + $machine->succeed("nix verify -r --no-trust /run/current-system"); + + # Test whether the channel got installed correctly. + $machine->succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello"); + $machine->succeed("nix-env --dry-run -iA nixos.procps"); + $machine->shutdown; ''; }; diff --git a/nixos/tests/hocker-fetchdocker/default.nix b/nixos/tests/hocker-fetchdocker/default.nix new file mode 100644 index 00000000000..4f30f01e403 --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/default.nix @@ -0,0 +1,15 @@ +import ../make-test.nix ({ pkgs, ...} : { + name = "test-hocker-fetchdocker"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ixmatus ]; + }; + + machine = import ./machine.nix; + + testScript = '' + startAll; + + $machine->waitForUnit("sockets.target"); + $machine->waitUntilSucceeds("docker run registry-1.docker.io/v2/library/hello-world:latest"); + ''; +}) diff --git a/nixos/tests/hocker-fetchdocker/hello-world-container.nix b/nixos/tests/hocker-fetchdocker/hello-world-container.nix new file mode 100644 index 00000000000..a127875264e --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/hello-world-container.nix @@ -0,0 +1,19 @@ +{ fetchDockerConfig, fetchDockerLayer, fetchdocker }: +fetchdocker rec { + name = "hello-world"; + registry = "https://registry-1.docker.io/v2/"; + repository = "library"; + imageName = "hello-world"; + tag = "latest"; + imageConfig = fetchDockerConfig { + inherit tag registry repository imageName; + sha256 = "1ivbd23hyindkahzfw4kahgzi6ibzz2ablmgsz6340vc6qr1gagj"; + }; + imageLayers = let + layer0 = fetchDockerLayer { + inherit registry repository imageName; + layerDigest = "ca4f61b1923c10e9eb81228bd46bee1dfba02b9c7dac1844527a734752688ede"; + sha256 = "1plfd194fwvsa921ib3xkhms1yqxxrmx92r2h7myj41wjaqn2kya"; + }; + in [ layer0 ]; + } diff --git a/nixos/tests/hocker-fetchdocker/machine.nix b/nixos/tests/hocker-fetchdocker/machine.nix new file mode 100644 index 00000000000..12c58a01224 --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/machine.nix @@ -0,0 +1,26 @@ +{ config, pkgs, ... }: +{ nixpkgs.config.packageOverrides = pkgs': { + hello-world-container = pkgs'.callPackage ./hello-world-container.nix { }; + }; + + virtualisation.docker = { + enable = true; + package = pkgs.docker; + }; + + systemd.services.docker-load-fetchdocker-image = { + description = "Docker load hello-world-container"; + wantedBy = [ "multi-user.target" ]; + wants = [ "docker.service" "local-fs.target" ]; + after = [ "docker.service" "local-fs.target" ]; + + script = '' + ${pkgs.hello-world-container}/compositeImage.sh | ${pkgs.docker}/bin/docker load + ''; + + serviceConfig = { + Type = "oneshot"; + }; + }; +} + diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 637cbb45709..c12919540a3 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -145,7 +145,7 @@ let # Check that the daemon works, and that non-root users can run builds (this will build a new profile generation through the daemon) $machine->succeed("su alice -l -c 'nix-env -iA nixos.procps' >&2"); - # We need to a writable nix-store on next boot. + # We need a writable Nix store on next boot. $machine->copyFileFromHost( "${ makeConfig { inherit bootLoader grubVersion grubDevice grubIdentifier grubUseEfi extraConfig; forceGrubReinstallCount = 1; } }", "/etc/nixos/configuration.nix"); @@ -195,8 +195,7 @@ let }; nodes = { - # The configuration of the machine used to run "nixos-install". It - # also has a web server that simulates cache.nixos.org. + # The configuration of the machine used to run "nixos-install". machine = { config, lib, pkgs, ... }: @@ -208,7 +207,6 @@ let virtualisation.diskSize = 8 * 1024; virtualisation.memorySize = 1024; - virtualisation.writableStore = true; # Use a small /dev/vdb as the root disk for the # installer. This ensures the target disk (/dev/vda) is @@ -245,6 +243,11 @@ let ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; nix.binaryCaches = mkForce [ ]; + nix.extraOptions = + '' + hashed-mirrors = + connect-timeout = 1 + ''; }; }; diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index eec674e227d..caa5f7107c2 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix @@ -50,38 +50,7 @@ let machine.i18n.consoleKeyMap = mkOverride 900 layout; machine.services.xserver.layout = mkOverride 900 layout; machine.imports = [ ./common/x11.nix extraConfig ]; - machine.services.xserver.displayManager.slim = { - enable = true; - - # Use a custom theme in order to get best OCR results - theme = pkgs.runCommand "slim-theme-ocr" { - nativeBuildInputs = [ pkgs.imagemagick ]; - } '' - mkdir "$out" - convert -size 1x1 xc:white "$out/background.jpg" - convert -size 200x100 xc:white "$out/panel.jpg" - cat > "$out/slim.theme" <<EOF - background_color #ffffff - background_style tile - - input_fgcolor #000000 - msg_color #000000 - - session_color #000000 - session_font Verdana:size=16:bold - - username_msg Username: - username_font Verdana:size=16:bold - username_color #000000 - username_x 50% - username_y 40% - - password_msg Password: - password_x 50% - password_y 40% - EOF - ''; - }; + machine.services.xserver.displayManager.slim.enable = true; testScript = '' sub waitCatAndDelete ($) { diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index 6de17518214..4fd9466dc50 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -1,11 +1,13 @@ # Miscellaneous small tests that don't warrant their own VM run. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test.nix ({ pkgs, ...} : rec { name = "misc"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco chaoflow ]; }; + foo = pkgs.writeText "foo" "Hello World"; + machine = { config, lib, pkgs, ... }: with lib; @@ -27,10 +29,17 @@ import ./make-test.nix ({ pkgs, ...} : { security.sudo = { enable = true; wheelNeedsPassword = false; }; boot.kernel.sysctl."vm.swappiness" = 1; boot.kernelParams = [ "vsyscall=emulate" ]; + system.extraDependencies = [ foo ]; }; testScript = '' + subtest "nix-db", sub { + my $json = $machine->succeed("nix path-info --json ${foo}"); + $json =~ /"narHash":"sha256:0afw0d9j1hvwiz066z93jiddc33nxg6i6qyp26vnqyglpyfivlq5"/ or die "narHash not set"; + $json =~ /"narSize":128/ or die "narSize not set"; + }; + subtest "nixos-version", sub { $machine->succeed("[ `nixos-version | wc -w` = 2 ]"); }; diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix new file mode 100644 index 00000000000..1178701c609 --- /dev/null +++ b/nixos/tests/openldap.nix @@ -0,0 +1,35 @@ +import ./make-test.nix { + name = "dovecot"; + + machine = { pkgs, ... }: { + services.openldap = { + enable = true; + extraConfig = '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema + database bdb + suffix dc=example + directory /var/db/openldap + rootdn cn=root,dc=example + rootpw notapassword + ''; + declarativeContents = '' + dn: dc=example + objectClass: domain + dc: example + + dn: ou=users,dc=example + objectClass: organizationalUnit + ou: users + ''; + }; + }; + + testScript = '' + $machine->succeed('systemctl status openldap.service'); + $machine->waitForUnit('openldap.service'); + $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"'); + ''; +} diff --git a/nixos/tests/pump.io.nix b/nixos/tests/pump.io.nix deleted file mode 100644 index 0991ed3fce1..00000000000 --- a/nixos/tests/pump.io.nix +++ /dev/null @@ -1,89 +0,0 @@ -# This test runs pump.io with mongodb, listing on port 443. - -import ./make-test.nix ({ pkgs, ...} : let - snakeOilKey = '' - -----BEGIN PRIVATE KEY----- - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqVemio78R41Tz - MnR2zFD/wFT0iScOpFkuytNmuPf28FLaa9wSBWmuAGbEi7wBIfw8/bUqFBTQp2G1 - m1cmcCKxhmvvOkGs89eM131s1lW/bXU3zYso4e7724kHwU65jRlQs6cFWIlmW7V5 - 3HQobP05dy+zPpujPPSlOQ0qYViR1s+RgZI8r0wS2ZDsliNtQwBLJSIvX6XVnXLo - F/HmF4/ySJ9pL2AxQXCwZE8SfCzHpArs9COIqTaAuwB79kxWSFQJewmab74BXiM6 - 9FMCtHON24Pl7OR9sRJHH8rMEzUumppmUeCNEzABjzQQ7svR18cmbzRWetp0tT9Y - 7rj6URHHAgMBAAECggEAGmbCldDnlrAzxJY3cwpsK5f2EwkHIr/aiuQpLCzTUlUh - onVBYRGxtaSeSSyXcV2BKTrxz5nZOBYZkPqI4Y5T8kwxgpz2/QW2jUABUtNN6yPe - HU4gma+bSTJX5PnTZ/M0z0tpQezdLx5b3I2M+48ZGMUegZvcp8qU6N8U6VK5VbFD - DMTGL4b+Kc9HScRkCJjU3FfQcqf9Ml5w9jzHSeHImYEDrG0nX8N8EImRCBXbgxCl - 5XT1h6LFUGdr+N6n2w56+6l8OZZVmwj1NdF6NJybUQl4Y7b0niA+5czzjRt/YUjZ - HW0fXmx3XlbYGWYdMdS+VaIW6pkUpm8kZkqjngqLwQKBgQDfhbFQmg9lsJQ8/dQZ - WzRNsozHKWkQiZbW5sXBWygJbAB3Hc8gvQkuZe9TVyF99cznRj6ro6pGZjP0rTdY - 3ACTL+ygRArcIR6VsJCIr6nPvBLpOoNb8TQeKPmHC2gnSP9zaT/K2lldYISKNaYQ - 0seB2gvZhIgMgWtZtmb3jdgl9wKBgQDDFdknXgvFgB+y96//9wTu2WWuE5yQ5yB7 - utAcHNO9rx5X1tJqxymYh+iE8HUN25By+96SpNMQFI+0wNGVB00YWNBKtyepimWN - EUCojTy+MIXIjrLcvviEePsI4TPWYf8XtZeiYtcczYrt/wPQUYaDb8LBRfpIfmhr - rCGW93s+sQKBgEDOKTeeQyKPjJsWWL01RTfVsZ04s155FcOeyu0heb0plAT1Ho12 - YUgTg8zc8Tfs4QiYxCjNXdvlW+Dvq6FWv8/s0CUzNRbXf1+U/oKys4AoHi+CqH0q - tJqd9KKjuwHQ10dl13n/znMVPbg4j7pG8lMCnfblxvAhQbeT+8yAUo/HAoGBAL3t - /n4KXNGK3NHDvXEp0H6t3wWsiEi3DPQJO+Wy1x8caCFCv5c/kaqz3tfWt0+njSm1 - N8tzdx13tzVWaHV8Jz3l8dxcFtxEJnxB6L5wy0urOAS7kT3DG3b1xgmuH2a//7fY - jumE60NahcER/2eIh7pdS7IZbAO6NfVmH0m4Zh/xAoGAbquh60sAfLC/1O2/4Xom - PHS7z2+TNpwu4ou3nspxfigNQcTWzzzTVFLnaTPg+HKbLRXSWysjssmmj5u3lCyc - S2M9xuhApa9CrN/udz4gEojRVsTla/gyLifIZ3CtTn2QEQiIJEMxM+59KAlkgUBo - 9BeZ03xTaEZfhVZ9bEN30Ak= - -----END PRIVATE KEY----- - ''; - - snakeOilCert = '' - -----BEGIN CERTIFICATE----- - MIICvjCCAaagAwIBAgIJANhA6+PPhomZMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV - BAMMDGIwOTM0YWMwYWZkNTAeFw0xNTExMzAxNzQ3MzVaFw0yNTExMjcxNzQ3MzVa - MBcxFTATBgNVBAMMDGIwOTM0YWMwYWZkNTCCASIwDQYJKoZIhvcNAQEBBQADggEP - ADCCAQoCggEBAKpV6aKjvxHjVPMydHbMUP/AVPSJJw6kWS7K02a49/bwUtpr3BIF - aa4AZsSLvAEh/Dz9tSoUFNCnYbWbVyZwIrGGa+86Qazz14zXfWzWVb9tdTfNiyjh - 7vvbiQfBTrmNGVCzpwVYiWZbtXncdChs/Tl3L7M+m6M89KU5DSphWJHWz5GBkjyv - TBLZkOyWI21DAEslIi9fpdWdcugX8eYXj/JIn2kvYDFBcLBkTxJ8LMekCuz0I4ip - NoC7AHv2TFZIVAl7CZpvvgFeIzr0UwK0c43bg+Xs5H2xEkcfyswTNS6ammZR4I0T - MAGPNBDuy9HXxyZvNFZ62nS1P1juuPpREccCAwEAAaMNMAswCQYDVR0TBAIwADAN - BgkqhkiG9w0BAQsFAAOCAQEAd2w9rxi6qF9WV8L3rHnTE7uu0ldtdgJlCASx6ouj - TleOnjfEg+kH8r8UbmRV5vsTDn1Qp5JGDYxfytRUQwLb1zTLde0xotx37E3LY8Wr - sD6Al4t8sHywB/hc5dy29TgG0iyG8LKZrkwytLvDZ814W3OwpN2rpEz6pdizdHNn - jsoDEngZiDHvLjIyE0cDkFXkeYMGXOnBUeOcu4nfu4C5eKs3nXGGAcNDbDRIuLoE - BZExUBY+YSs6JBvh5tvRqLVW0Dz0akEcjb/jhwS2LmDip8Pdoxx4Q1jPKEu38zrr - Vd5WD2HJhLb9u0UxVp9vfWIUDgydopV5ZmWCQ5YvNepb1w== - -----END CERTIFICATE----- - ''; -in { - name = "pumpio"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ rvl ]; - }; - - nodes = { - one = - { config, pkgs, ... }: - { - services = { - pumpio = { - port = 443; - enable = true; - sslCert = pkgs.writeText "snakeoil.cert" snakeOilCert; - sslKey = pkgs.writeText "snakeoil.pem" snakeOilKey; - secretFile = pkgs.writeText "secretFile" "test123"; - site = "test"; - }; - mongodb.enable = true; - mongodb.extraConfig = '' - storage.journal.enabled: false - ''; - }; - systemd.services.mongodb.unitConfig.Before = "pump.io.service"; - systemd.services."pump.io".unitConfig.Requires = "mongodb.service"; - }; - }; - - testScript = '' - startAll; - - $one->waitForUnit("pump.io.service"); - $one->waitUntilSucceeds("curl -k https://localhost"); - ''; -}) diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix new file mode 100644 index 00000000000..2df6f341c4e --- /dev/null +++ b/nixos/tests/systemd.nix @@ -0,0 +1,66 @@ +import ./make-test.nix { + name = "systemd"; + + machine = { lib, ... }: { + imports = [ common/user-account.nix common/x11.nix ]; + + virtualisation.emptyDiskImages = [ 512 ]; + + fileSystems = lib.mkVMOverride { + "/test-x-initrd-mount" = { + device = "/dev/vdb"; + fsType = "ext2"; + autoFormat = true; + noCheck = true; + options = [ "x-initrd.mount" ]; + }; + }; + + systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\""; + systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\""; + services.journald.extraConfig = "Storage=volatile"; + services.xserver.displayManager.auto.user = "alice"; + + systemd.services.testservice1 = { + description = "Test Service 1"; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + if [ "$XXX_SYSTEM" = foo ]; then + touch /system_conf_read + fi + ''; + }; + + systemd.user.services.testservice2 = { + description = "Test Service 2"; + wantedBy = [ "default.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + if [ "$XXX_USER" = bar ]; then + touch "$HOME/user_conf_read" + fi + ''; + }; + }; + + testScript = '' + $machine->waitForX; + + # Regression test for https://github.com/NixOS/nixpkgs/issues/35415 + subtest "configuration files are recognized by systemd", sub { + $machine->succeed('test -e /system_conf_read'); + $machine->succeed('test -e /home/alice/user_conf_read'); + $machine->succeed('test -z $(ls -1 /var/log/journal)'); + }; + + # Regression test for https://github.com/NixOS/nixpkgs/issues/35268 + subtest "file system with x-initrd.mount is not unmounted", sub { + $machine->shutdown; + $machine->waitForUnit('multi-user.target'); + # If the file system was unmounted during the shutdown the file system + # has a last mount time, because the file system wasn't checked. + $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"'); + }; + ''; +} |