diff options
| author | Jan Tojnar <jtojnar@gmail.com> | 2020-08-23 02:00:50 +0200 |
|---|---|---|
| committer | Jan Tojnar <jtojnar@gmail.com> | 2020-08-23 02:00:50 +0200 |
| commit | 91104b5417275b780f6947b46a5c1bcc0d99f10b (patch) | |
| tree | f9530394ba9869c49b30171bb6006f04ba43abf8 /nixos | |
| parent | 4cf394ea3f173946363c40439b03ebcd92eb2bb4 (diff) | |
| parent | ddfa22167019726c015a5638e815d028031162e8 (diff) | |
| download | nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar.gz nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar.bz2 nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar.lz nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar.xz nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.tar.zst nixpkgs-91104b5417275b780f6947b46a5c1bcc0d99f10b.zip | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
35 files changed, 577 insertions, 376 deletions
diff --git a/nixos/doc/manual/configuration/gpu-accel.xml b/nixos/doc/manual/configuration/gpu-accel.xml index 9928121a56e..251e5c26ba4 100644 --- a/nixos/doc/manual/configuration/gpu-accel.xml +++ b/nixos/doc/manual/configuration/gpu-accel.xml @@ -70,35 +70,12 @@ Platform Vendor Advanced Micro Devices, Inc.</screen> Core Next</link> (GCN) GPUs are supported through the <package>rocm-opencl-icd</package> package. Adding this package to <xref linkend="opt-hardware.opengl.extraPackages"/> enables OpenCL - support. However, OpenCL Image support is provided through the - non-free <package>rocm-runtime-ext</package> package. This package can - be added to the same configuration option, but requires that - <varname>allowUnfree</varname> option is is enabled for nixpkgs. Full - OpenCL support on supported AMD GPUs is thus enabled as follows: + support: <programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [ rocm-opencl-icd - rocm-runtime-ext ];</programlisting> </para> - - <para> - It is also possible to use the OpenCL Image extension without a - system-wide installation of the <package>rocm-runtime-ext</package> - package by setting the <varname>ROCR_EXT_DIR</varname> environment - variable to the directory that contains the extension: - - <screen><prompt>$</prompt> export \ -ROCR_EXT_DIR=`nix-build '<nixpkgs>' --no-out-link -A rocm-runtime-ext`/lib/rocm-runtime-ext</screen> - </para> - - <para> - With either approach, you can verify that OpenCL Image support - is indeed working with the <command>clinfo</command> command: - - <screen><prompt>$</prompt> clinfo | grep Image - Image support Yes</screen> - </para> </section> <section xml:id="sec-gpu-accel-opencl-intel"> diff --git a/nixos/doc/manual/man-nixos-enter.xml b/nixos/doc/manual/man-nixos-enter.xml index c32e1c7f8ca..f533d66099d 100644 --- a/nixos/doc/manual/man-nixos-enter.xml +++ b/nixos/doc/manual/man-nixos-enter.xml @@ -136,7 +136,7 @@ <filename>/mnt</filename>: </para> <screen> -# nixos-enter /mnt +# nixos-enter --root /mnt </screen> <para> Run a shell command: diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 7a06c06fed1..83bc2f82bbf 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -137,7 +137,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; </listitem> <listitem> <para> - <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certifcate authorities. + <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities. </para> </listitem> <listitem> @@ -156,6 +156,45 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project. </para> </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the upgrade guide</link> + and apply any changes required. Be sure to take special note of the section on + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling extended range of numeric (float) values</link> + as you will need to apply this database migration manually. + </para> + <para> + If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of <literal>utf8</literal> and a collate of <literal>utf8_bin</literal> has become mandatory with + this release. See the upstream <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> for further discussion. Before upgrading you should check the character set and collation used by + your database and ensure they are correct: +<programlisting> + SELECT + default_character_set_name, + default_collation_name + FROM + information_schema.schemata + WHERE + schema_name = 'zabbix'; +</programlisting> + If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an + <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> of how to do so, taken from + the Zabbix forums: +<programlisting> + ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; + + -- the following will produce a list of SQL commands you should subsequently execute + SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString + FROM information_schema.`COLUMNS` + WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci"; +</programlisting> + </para> + </listitem> + <listitem> + <para> + The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them. + </para> + </listitem> </itemizedlist> </section> @@ -199,12 +238,10 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; in the source tree for downloaded modules instead of using go's <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module proxy protocol</link>. This storage format is simpler and therefore less - likekly to break with future versions of go. As a result + likely to break with future versions of go. As a result <literal>buildGoModule</literal> switched from <literal>modSha256</literal> to the <literal>vendorSha256</literal> - attribute to pin fetched version data. <literal>buildGoModule</literal> - still accepts <literal>modSha256</literal> with a warning, but support will - be removed in the next release. + attribute to pin fetched version data. </para> </listitem> <listitem> @@ -213,7 +250,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link> and the <package>phantomjs</package> project is <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>. - It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instanciation: + It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation: <programlisting>{ services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = false; @@ -225,7 +262,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; <para> The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal> as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal> - is 20.09 or higher. It also enables number of + is 20.09 or higher. It also enables a number of <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link> which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in <option>systemd.services.supybot.serviceConfig</option>. @@ -678,19 +715,34 @@ services.dokuwiki."mywiki" = { <listitem> <para> The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your - <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.09</literal> or below + <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly set this value to maintain compatibility: <programlisting> services.postgresql.dataDir = "/var/db/postgresql"; </programlisting> </para> + <para> + The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users + with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a + database super admin user before upgrading: +<programlisting> +CREATE ROLE postgres LOGIN SUPERUSER; +</programlisting> + </para> </listitem> <listitem> <para> The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal. </para> </listitem> + <listitem> + <para> + The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. + As a result, what previously evaluated may not do so anymore. + See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the PR that changed this</link> for more info. + </para> + </listitem> </itemizedlist> </section> @@ -907,6 +959,18 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore. </para> </listitem> + <listitem> + <para> + The packages <package>perl</package>, <package>rsync</package> and <package>strace</package> were removed from <option>systemPackages</option>. If you need them, install them again with <code><xref linkend="opt-environment.systemPackages"/> = with pkgs; [ perl rsync strace ];</code> in your <filename>configuration.nix</filename>. + </para> + </listitem> + <listitem> + <para> + The <literal>undervolt</literal> option no longer needs to apply its + settings every 30s. If they still become undone, open an issue and restore + the previous behaviour using <literal>undervolt.useTimer</literal>. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh index 145eb49ced7..89e24f2ccfd 100755 --- a/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixos/maintainers/scripts/ec2/create-amis.sh @@ -29,7 +29,7 @@ log() { echo "$@" >&2 } -if [ -z "$1" ]; then +if [ "$#" -ne 1 ]; then log "Usage: ./upload-amazon-image.sh IMAGE_OUTPUT" exit 1 fi diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 1b6848c652e..1f1044bc5af 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -190,13 +190,6 @@ let ln -s ${pkg.out}/etc/fonts/conf.d/*.conf \ $dst/ - # update 51-local.conf path to look at local.conf - rm $dst/51-local.conf - - substitute ${pkg.out}/etc/fonts/conf.d/51-local.conf \ - $dst/51-local.conf \ - --replace local.conf /etc/fonts/${pkg.configVersion}/local.conf - # 00-nixos-cache.conf ln -s ${cacheConf} $dst/00-nixos-cache.conf diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index ae9710e3518..b3c5c6f93f3 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -33,14 +33,11 @@ let pkgs.ncurses pkgs.netcat config.programs.ssh.package - pkgs.perl pkgs.procps - pkgs.rsync - pkgs.strace pkgs.su pkgs.time pkgs.utillinux - pkgs.which # 88K size + pkgs.which pkgs.zstd ]; diff --git a/nixos/modules/hardware/onlykey.nix b/nixos/modules/hardware/onlykey.nix index b6820fe0191..07358c8a878 100644 --- a/nixos/modules/hardware/onlykey.nix +++ b/nixos/modules/hardware/onlykey.nix @@ -26,7 +26,7 @@ with lib; ####### implementation config = mkIf config.hardware.onlykey.enable { - services.udev.extraRules = builtin.readFile ./onlykey.udev; + services.udev.extraRules = builtins.readFile ./onlykey.udev; }; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index bdb7fa3b12c..394da9a3889 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -321,7 +321,7 @@ in monetdb = 290; restic = 291; openvpn = 292; - meguca = 293; + # meguca = 293; # removed 2020-08-21 yarn = 294; hdfs = 295; mapred = 296; @@ -622,7 +622,7 @@ in monetdb = 290; restic = 291; openvpn = 292; - meguca = 293; + # meguca = 293; # removed 2020-08-21 yarn = 294; hdfs = 295; mapred = 296; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 522a7992919..aee1fdb368d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -886,7 +886,6 @@ ./services/web-servers/lighttpd/collectd.nix ./services/web-servers/lighttpd/default.nix ./services/web-servers/lighttpd/gitweb.nix - ./services/web-servers/meguca.nix ./services/web-servers/mighttpd2.nix ./services/web-servers/minio.nix ./services/web-servers/molly-brown.nix diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 2a2fe119d30..3b67d628f9f 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -26,6 +26,7 @@ pkgs.fuse pkgs.fuse3 pkgs.sshfs-fuse + pkgs.rsync pkgs.socat pkgs.screen diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 86cd3bf8dcf..1fe00e9142b 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -48,6 +48,7 @@ with lib; instead, or any other display manager in NixOS as they all support auto-login. '') (mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead") + (mkRemovedOptionModule [ "services" "meguca" ] "Use meguca has been removed from nixpkgs") (mkRemovedOptionModule ["hardware" "brightnessctl" ] '' The brightnessctl module was removed because newer versions of brightnessctl don't require the udev rules anymore (they can use the diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 1f63e7b88bd..29635dbe864 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -150,6 +150,14 @@ let ''; }; + extraLegoFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Additional global flags to pass to all lego commands. + ''; + }; + extraLegoRenewFlags = mkOption { type = types.listOf types.str; default = []; @@ -157,6 +165,14 @@ let Additional flags to pass to lego renew. ''; }; + + extraLegoRunFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Additional flags to pass to lego run. + ''; + }; }; }; @@ -313,9 +329,10 @@ in ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ] ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains) ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ]) - ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; + ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)] + ++ data.extraLegoFlags; certOpts = optionals data.ocspMustStaple [ "--must-staple" ]; - runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts); + runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts ++ data.extraLegoRunFlags); renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ] ++ certOpts ++ data.extraLegoRenewFlags); diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 3e16b5907dd..c726a08e34f 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -225,14 +225,15 @@ in Contents of the <filename>recovery.conf</filename> file. ''; }; + superUser = mkOption { type = types.str; - default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root"; + default = "postgres"; internal = true; + readOnly = true; description = '' - NixOS traditionally used 'root' as superuser, most other distros use 'postgres'. - From 17.09 we also try to follow this standard. Internal since changing this value - would lead to breakage while setting up databases. + PostgreSQL superuser account to use for various operations. Internal since changing + this value would lead to breakage while setting up databases. ''; }; }; @@ -310,6 +311,35 @@ in ''} ''; + # Wait for PostgreSQL to be ready to accept connections. + postStart = + '' + PSQL="psql --port=${toString cfg.port}" + + while ! $PSQL -d postgres -c "" 2> /dev/null; do + if ! kill -0 "$MAINPID"; then exit 1; fi + sleep 0.1 + done + + if test -e "${cfg.dataDir}/.first_startup"; then + ${optionalString (cfg.initialScript != null) '' + $PSQL -f "${cfg.initialScript}" -d postgres + ''} + rm -f "${cfg.dataDir}/.first_startup" + fi + '' + optionalString (cfg.ensureDatabases != []) '' + ${concatMapStrings (database: '' + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"' + '') cfg.ensureDatabases} + '' + '' + ${concatMapStrings (user: '' + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' + ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' + $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' + '') user.ensurePermissions)} + '') cfg.ensureUsers} + ''; + serviceConfig = mkMerge [ { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "postgres"; @@ -329,40 +359,6 @@ in TimeoutSec = 120; ExecStart = "${postgresql}/bin/postgres"; - - # Wait for PostgreSQL to be ready to accept connections. - ExecStartPost = - let - setupScript = pkgs.writeScript "postgresql-setup" ('' - #!${pkgs.runtimeShell} -e - - PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}" - - while ! $PSQL -d postgres -c "" 2> /dev/null; do - if ! kill -0 "$MAINPID"; then exit 1; fi - sleep 0.1 - done - - if test -e "${cfg.dataDir}/.first_startup"; then - ${optionalString (cfg.initialScript != null) '' - $PSQL -f "${cfg.initialScript}" -d postgres - ''} - rm -f "${cfg.dataDir}/.first_startup" - fi - '' + optionalString (cfg.ensureDatabases != []) '' - ${concatMapStrings (database: '' - $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"' - '') cfg.ensureDatabases} - '' + '' - ${concatMapStrings (user: '' - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' - ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' - '') user.ensurePermissions)} - '') cfg.ensureUsers} - ''); - in - "+${setupScript}"; } (mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") { StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}"; diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml index 74c60014dce..05f87df43bc 100644 --- a/nixos/modules/services/editors/emacs.xml +++ b/nixos/modules/services/editors/emacs.xml @@ -53,11 +53,11 @@ <varname>emacs</varname> </term> <term> - <varname>emacs25</varname> + <varname>emacs</varname> </term> <listitem> <para> - The latest stable version of Emacs 25 using the + The latest stable version of Emacs using the <link xlink:href="http://www.gtk.org">GTK 2</link> widget toolkit. @@ -66,11 +66,11 @@ </varlistentry> <varlistentry> <term> - <varname>emacs25-nox</varname> + <varname>emacs-nox</varname> </term> <listitem> <para> - Emacs 25 built without any dependency on X11 libraries. + Emacs built without any dependency on X11 libraries. </para> </listitem> </varlistentry> @@ -79,11 +79,11 @@ <varname>emacsMacport</varname> </term> <term> - <varname>emacs25Macport</varname> + <varname>emacsMacport</varname> </term> <listitem> <para> - Emacs 25 with the "Mac port" patches, providing a more native look and + Emacs with the "Mac port" patches, providing a more native look and feel under macOS. </para> </listitem> diff --git a/nixos/modules/services/hardware/undervolt.nix b/nixos/modules/services/hardware/undervolt.nix index 828032dc573..054ffa35050 100644 --- a/nixos/modules/services/hardware/undervolt.nix +++ b/nixos/modules/services/hardware/undervolt.nix @@ -103,6 +103,17 @@ in The temperature target on battery power in Celsius degrees. ''; }; + + useTimer = mkOption { + type = types.bool; + default = false; + description = '' + Whether to set a timer that applies the undervolt settings every 30s. + This will cause spam in the journal but might be required for some + hardware under specific conditions. + Enable this if your undervolt settings don't hold. + ''; + }; }; config = mkIf cfg.enable { @@ -114,6 +125,11 @@ in path = [ pkgs.undervolt ]; description = "Intel Undervolting Service"; + + # Apply undervolt on boot, nixos generation switch and resume + wantedBy = [ "multi-user.target" "post-resume.target" ]; + after = [ "post-resume.target" ]; # Not sure why but it won't work without this + serviceConfig = { Type = "oneshot"; Restart = "no"; @@ -121,7 +137,7 @@ in }; }; - systemd.timers.undervolt = { + systemd.timers.undervolt = mkIf cfg.useTimer { description = "Undervolt timer to ensure voltage settings are always applied"; partOf = [ "undervolt.service" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index 565618b27a8..7d6102b8255 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -5,54 +5,93 @@ with lib; let cfg = config.services.logrotate; - pathOptions = { + pathOpts = { options = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable log rotation for this path. This can be used to explicitly disable + logging that has been configured by NixOS. + ''; + }; + path = mkOption { type = types.str; - description = "The path to log files to be rotated"; + description = '' + The path to log files to be rotated. + ''; }; + user = mkOption { - type = types.str; - description = "The user account to use for rotation"; + type = with types; nullOr str; + default = null; + description = '' + The user account to use for rotation. + ''; }; + group = mkOption { - type = types.str; - description = "The group to use for rotation"; + type = with types; nullOr str; + default = null; + description = '' + The group to use for rotation. + ''; }; + frequency = mkOption { - type = types.enum [ - "daily" "weekly" "monthly" "yearly" - ]; + type = types.enum [ "daily" "weekly" "monthly" "yearly" ]; default = "daily"; - description = "How often to rotate the logs"; + description = '' + How often to rotate the logs. + ''; }; + keep = mkOption { type = types.int; default = 20; - description = "How many rotations to keep"; + description = '' + How many rotations to keep. + ''; }; + extraConfig = mkOption { type = types.lines; default = ""; - description = "Extra logrotate config options for this path"; + description = '' + Extra logrotate config options for this path. Refer to + <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. + ''; + }; + + priority = mkOption { + type = types.int; + default = 1000; + description = '' + Order of this logrotate block in relation to the others. The semantics are + the same as with `lib.mkOrder`. Smaller values have a greater priority. + ''; }; }; - }; - pathConfig = options: '' - "${options.path}" { - su ${options.user} ${options.group} - ${options.frequency} + config.extraConfig = '' missingok notifempty - rotate ${toString options.keep} - ${options.extraConfig} + ''; + }; + + mkConf = pathOpts: '' + # generated by NixOS using the `services.logrotate.paths.${pathOpts.name}` attribute set + "${pathOpts.path}" { + ${optionalString (pathOpts.user != null || pathOpts.group != null) "su ${pathOpts.user} ${pathOpts.group}"} + ${pathOpts.frequency} + rotate ${toString pathOpts.keep} + ${pathOpts.extraConfig} } ''; - configFile = pkgs.writeText "logrotate.conf" ( - (concatStringsSep "\n" ((map pathConfig cfg.paths) ++ [cfg.extraConfig])) - ); + paths = sortProperties (mapAttrsToList (name: pathOpts: pathOpts // { name = name; }) (filterAttrs (_: pathOpts: pathOpts.enable) cfg.paths)); + configFile = pkgs.writeText "logrotate.conf" (concatStringsSep "\n" ((map mkConf paths) ++ [ cfg.extraConfig ])); in { @@ -65,41 +104,66 @@ in enable = mkEnableOption "the logrotate systemd service"; paths = mkOption { - type = types.listOf (types.submodule pathOptions); - default = []; - description = "List of attribute sets with paths to rotate"; - example = { - "/var/log/myapp/*.log" = { - user = "myuser"; - group = "mygroup"; - rotate = "weekly"; - keep = 5; - }; - }; + type = with types; attrsOf (submodule pathOpts); + default = {}; + description = '' + Attribute set of paths to rotate. The order each block appears in the generated configuration file + can be controlled by the <link linkend="opt-services.logrotate.paths._name_.priority">priority</link> option + using the same semantics as `lib.mkOrder`. Smaller values have a greater priority. + ''; + example = literalExample '' + { + httpd = { + path = "/var/log/httpd/*.log"; + user = config.services.httpd.user; + group = config.services.httpd.group; + keep = 7; + }; + + myapp = { + path = "/var/log/myapp/*.log"; + user = "myuser"; + group = "mygroup"; + frequency = "weekly"; + keep = 5; + priority = 1; + }; + } + ''; }; extraConfig = mkOption { default = ""; type = types.lines; description = '' - Extra contents to add to the logrotate config file. - See https://linux.die.net/man/8/logrotate + Extra contents to append to the logrotate configuration file. Refer to + <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. ''; }; }; }; config = mkIf cfg.enable { - systemd.services.logrotate = { - description = "Logrotate Service"; - wantedBy = [ "multi-user.target" ]; - startAt = "*-*-* *:05:00"; + assertions = mapAttrsToList (name: pathOpts: + { assertion = (pathOpts.user != null) == (pathOpts.group != null); + message = '' + If either of `services.logrotate.paths.${name}.user` or `services.logrotate.paths.${name}.group` are specified then *both* must be specified. + ''; + } + ) cfg.paths; - serviceConfig.Restart = "no"; - serviceConfig.User = "root"; + systemd.services.logrotate = { + description = "Logrotate Service"; + wantedBy = [ "multi-user.target" ]; + startAt = "*-*-* *:05:00"; script = '' exec ${pkgs.logrotate}/sbin/logrotate ${configFile} ''; + + serviceConfig = { + Restart = "no"; + User = "root"; + }; }; }; } diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index 21a83803fd8..bf92425f998 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -4,13 +4,9 @@ with lib; let cfg = config.services.logstash; - pluginPath = lib.concatStringsSep ":" cfg.plugins; - havePluginPath = lib.length cfg.plugins > 0; ops = lib.optionalString; verbosityFlag = "--log.level " + cfg.logLevel; - pluginsPath = "--path.plugins ${pluginPath}"; - logstashConf = pkgs.writeText "logstash.conf" '' input { ${cfg.inputConfig} @@ -173,7 +169,7 @@ in ExecStart = concatStringsSep " " (filter (s: stringLength s != 0) [ "${cfg.package}/bin/logstash" "-w ${toString cfg.filterWorkers}" - (ops havePluginPath pluginsPath) + (concatMapStringsSep " " (x: "--path.plugins ${x}") cfg.plugins) "${verbosityFlag}" "-f ${logstashConf}" "--path.settings ${logstashSettingsDir}" diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 51cbcbf1cbc..c166ef68f29 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ options, config, lib, pkgs, ... }: with lib; @@ -83,11 +83,11 @@ let ) ( - optionalString (cfg.mailboxes != []) '' + optionalString (cfg.mailboxes != {}) '' protocol imap { namespace inbox { inbox=yes - ${concatStringsSep "\n" (map mailboxConfig cfg.mailboxes)} + ${concatStringsSep "\n" (map mailboxConfig (attrValues cfg.mailboxes))} } } '' @@ -131,12 +131,13 @@ let special_use = \${toString mailbox.specialUse} '' + "}"; - mailboxes = { ... }: { + mailboxes = { name, ... }: { options = { name = mkOption { - type = types.nullOr (types.strMatching ''[^"]+''); + type = types.strMatching ''[^"]+''; example = "Spam"; - default = null; + default = name; + readOnly = true; description = "The name of the mailbox."; }; auto = mkOption { @@ -335,19 +336,11 @@ in }; mailboxes = mkOption { - type = with types; let m = submodule mailboxes; in either (listOf m) (attrsOf m); + type = with types; coercedTo + (listOf unspecified) + (list: listToAttrs (map (entry: { name = entry.name; value = removeAttrs entry ["name"]; }) list)) + (attrsOf (submodule mailboxes)); default = {}; - apply = x: - if isList x then warn "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.03!" x - else mapAttrsToList (name: value: - if value.name != null - then throw '' - When specifying dovecot2 mailboxes as attributes, declaring - a `name'-attribute is prohibited! The name ${value.name} should - be the attribute key! - '' - else value // { inherit name; } - ) x; example = literalExample '' { Spam = { specialUse = "Junk"; auto = "create"; }; @@ -471,6 +464,10 @@ in environment.systemPackages = [ dovecotPkg ]; + warnings = mkIf (any isList options.services.dovecot2.mailboxes.definitions) [ + "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.03! See the release notes for more info for migration." + ]; + assertions = [ { assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != []; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 5d8de3b1bbd..425f35f37cb 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -54,7 +54,7 @@ let '') gitlabConfig.production.repositories.storages))} ''; - gitlabShellConfig = { + gitlabShellConfig = flip recursiveUpdate cfg.extraShellConfig { user = cfg.user; gitlab_url = "http+unix://${pathUrlQuote gitlabSocket}"; http_settings.self_signed_cert = false; @@ -517,6 +517,12 @@ in { ''; }; + extraShellConfig = mkOption { + type = types.attrs; + default = {}; + description = "Extra configuration to merge into shell-config.yml"; + }; + extraConfig = mkOption { type = types.attrs; default = {}; diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index 8842e1e4d90..0c9c7548305 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -50,6 +50,12 @@ in description = "Parse and interpret emoji tags"; }; + h1-title = mkOption { + type = types.bool; + default = false; + description = "Use the first h1 as page title"; + }; + branch = mkOption { type = types.str; default = "master"; @@ -102,6 +108,7 @@ in --ref ${cfg.branch} \ ${optionalString cfg.mathjax "--mathjax"} \ ${optionalString cfg.emoji "--emoji"} \ + ${optionalString cfg.h1-title "--h1-title"} \ ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \ ${cfg.stateDir} ''; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 6ecdfb57dc3..0493dadea94 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -16,6 +16,14 @@ in description = "User account under which Jellyfin runs."; }; + package = mkOption { + type = types.package; + example = literalExample "pkgs.jellyfin"; + description = '' + Jellyfin package to use. + ''; + }; + group = mkOption { type = types.str; default = "jellyfin"; @@ -35,11 +43,16 @@ in Group = cfg.group; StateDirectory = "jellyfin"; CacheDirectory = "jellyfin"; - ExecStart = "${pkgs.jellyfin}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; + ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; }; }; + services.jellyfin.package = mkDefault ( + if versionAtLeast config.system.stateVersion "20.09" then pkgs.jellyfin + else pkgs.jellyfin_10_5 + ); + users.users = mkIf (cfg.user == "jellyfin") { jellyfin = { group = cfg.group; diff --git a/nixos/modules/services/monitoring/monit.nix b/nixos/modules/services/monitoring/monit.nix index ca935227217..aa51b83912c 100644 --- a/nixos/modules/services/monitoring/monit.nix +++ b/nixos/modules/services/monitoring/monit.nix @@ -4,19 +4,29 @@ with lib; let cfg = config.services.monit; + extraConfig = pkgs.writeText "monitConfig" cfg.extraConfig; in { + imports = [ + (mkRenamedOptionModule [ "services" "monit" "config" ] ["services" "monit" "extraConfig" ]) + ]; + options.services.monit = { enable = mkEnableOption "Monit"; - config = mkOption { + configFiles = mkOption { + type = types.listOf types.path; + default = []; + description = "List of paths to be included in the monitrc file"; + }; + + extraConfig = mkOption { type = types.lines; default = ""; - description = "monitrc content"; + description = "Additional monit config as string"; }; - }; config = mkIf cfg.enable { @@ -24,7 +34,7 @@ in environment.systemPackages = [ pkgs.monit ]; environment.etc.monitrc = { - text = cfg.config; + text = concatMapStringsSep "\n" (path: "include ${path}") (cfg.configFiles ++ [extraConfig]); mode = "0400"; }; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index a3612be3cc2..c72b4abfcdc 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -20,7 +20,7 @@ let ${pkgs.coreutils}/bin/cat << EOF From: smartd on ${host} <${nm.sender}> To: undisclosed-recipients:; - Subject: SMART error on $SMARTD_DEVICESTRING: $SMARTD_FAILTYPE + Subject: $SMARTD_SUBJECT $SMARTD_FULLMESSAGE EOF @@ -239,11 +239,7 @@ in systemd.services.smartd = { description = "S.M.A.R.T. Daemon"; - wantedBy = [ "multi-user.target" ]; - - path = [ pkgs.nettools ]; # for hostname and dnsdomanname calls in smartd - serviceConfig.ExecStart = "${pkgs.smartmontools}/sbin/smartd ${lib.concatStringsSep " " cfg.extraOptions} --no-fork --configfile=${smartdConf}"; }; diff --git a/nixos/modules/services/monitoring/zabbix-proxy.nix b/nixos/modules/services/monitoring/zabbix-proxy.nix index d51507c91a1..2c8b8b92cb3 100644 --- a/nixos/modules/services/monitoring/zabbix-proxy.nix +++ b/nixos/modules/services/monitoring/zabbix-proxy.nix @@ -5,8 +5,8 @@ let pgsql = config.services.postgresql; mysql = config.services.mysql; - inherit (lib) mkDefault mkEnableOption mkIf mkMerge mkOption; - inherit (lib) attrValues concatMapStringsSep literalExample optional optionalAttrs optionalString types; + inherit (lib) mkAfter mkDefault mkEnableOption mkIf mkMerge mkOption; + inherit (lib) attrValues concatMapStringsSep getName literalExample optional optionalAttrs optionalString types; inherit (lib.generators) toKeyValue; user = "zabbix"; @@ -232,14 +232,15 @@ in services.mysql = optionalAttrs mysqlLocal { enable = true; package = mkDefault pkgs.mariadb; - ensureDatabases = [ cfg.database.name ]; - ensureUsers = [ - { name = cfg.database.user; - ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; - } - ]; }; + systemd.services.mysql.postStart = mkAfter (optionalString mysqlLocal '' + ( echo "CREATE DATABASE IF NOT EXISTS \`${cfg.database.name}\` CHARACTER SET utf8 COLLATE utf8_bin;" + echo "CREATE USER IF NOT EXISTS '${cfg.database.user}'@'localhost' IDENTIFIED WITH ${if (getName config.services.mysql.package == getName pkgs.mariadb) then "unix_socket" else "auth_socket"};" + echo "GRANT ALL PRIVILEGES ON \`${cfg.database.name}\`.* TO '${cfg.database.user}'@'localhost';" + ) | ${config.services.mysql.package}/bin/mysql -N + ''); + services.postgresql = optionalAttrs pgsqlLocal { enable = true; ensureDatabases = [ cfg.database.name ]; diff --git a/nixos/modules/services/monitoring/zabbix-server.nix b/nixos/modules/services/monitoring/zabbix-server.nix index df09488a8cc..c8658634ecb 100644 --- a/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixos/modules/services/monitoring/zabbix-server.nix @@ -5,8 +5,8 @@ let pgsql = config.services.postgresql; mysql = config.services.mysql; - inherit (lib) mkDefault mkEnableOption mkIf mkMerge mkOption; - inherit (lib) attrValues concatMapStringsSep literalExample optional optionalAttrs optionalString types; + inherit (lib) mkAfter mkDefault mkEnableOption mkIf mkMerge mkOption; + inherit (lib) attrValues concatMapStringsSep getName literalExample optional optionalAttrs optionalString types; inherit (lib.generators) toKeyValue; user = "zabbix"; @@ -220,14 +220,15 @@ in services.mysql = optionalAttrs mysqlLocal { enable = true; package = mkDefault pkgs.mariadb; - ensureDatabases = [ cfg.database.name ]; - ensureUsers = [ - { name = cfg.database.user; - ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; - } - ]; }; + systemd.services.mysql.postStart = mkAfter (optionalString mysqlLocal '' + ( echo "CREATE DATABASE IF NOT EXISTS \`${cfg.database.name}\` CHARACTER SET utf8 COLLATE utf8_bin;" + echo "CREATE USER IF NOT EXISTS '${cfg.database.user}'@'localhost' IDENTIFIED WITH ${if (getName config.services.mysql.package == getName pkgs.mariadb) then "unix_socket" else "auth_socket"};" + echo "GRANT ALL PRIVILEGES ON \`${cfg.database.name}\`.* TO '${cfg.database.user}'@'localhost';" + ) | ${config.services.mysql.package}/bin/mysql -N + ''); + services.postgresql = optionalAttrs pgsqlLocal { enable = true; ensureDatabases = [ cfg.database.name ]; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index e1d1217943b..fc4c2945394 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -10,6 +10,12 @@ let pkg = cfg.package.out; + apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } '' + mkdir -p $out/bin + cp ${pkg}/bin/apachectl $out/bin/apachectl + sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f ${httpdConf}|' + ''; + httpdConf = cfg.configFile; php = cfg.phpPackage.override { apacheHttpd = pkg; }; @@ -650,10 +656,29 @@ in postRun = "systemctl reload httpd.service"; }) (filterAttrs (name: hostOpts: hostOpts.enableACME) cfg.virtualHosts); - environment.systemPackages = [ pkg ]; + environment.systemPackages = [ + apachectl + pkg + ]; - # required for "apachectl configtest" - environment.etc."httpd/httpd.conf".source = httpdConf; + services.logrotate = optionalAttrs (cfg.logFormat != "none") { + enable = mkDefault true; + paths.httpd = { + path = "${cfg.logDir}/*.log"; + user = cfg.user; + group = cfg.group; + frequency = "daily"; + keep = 28; + extraConfig = '' + sharedscripts + compress + delaycompress + postrotate + systemctl reload httpd.service > /dev/null 2>/dev/null || true + endscript + ''; + }; + }; services.httpd.phpOptions = '' diff --git a/nixos/modules/services/web-servers/meguca.nix b/nixos/modules/services/web-servers/meguca.nix deleted file mode 100644 index 5a00070dc94..00000000000 --- a/nixos/modules/services/web-servers/meguca.nix +++ /dev/null @@ -1,174 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.services.meguca; - postgres = config.services.postgresql; -in with lib; { - options.services.meguca = { - enable = mkEnableOption "meguca"; - - dataDir = mkOption { - type = types.path; - default = "/var/lib/meguca"; - example = "/home/okina/meguca"; - description = "Location where meguca stores it's database and links."; - }; - - password = mkOption { - type = types.str; - default = "meguca"; - example = "dumbpass"; - description = "Password for the meguca database."; - }; - - passwordFile = mkOption { - type = types.path; - default = "/run/keys/meguca-password-file"; - example = "/home/okina/meguca/keys/pass"; - description = "Password file for the meguca database."; - }; - - reverseProxy = mkOption { - type = types.nullOr types.str; - default = null; - example = "192.168.1.5"; - description = "Reverse proxy IP."; - }; - - sslCertificate = mkOption { - type = types.nullOr types.str; - default = null; - example = "/home/okina/meguca/ssl.cert"; - description = "Path to the SSL certificate."; - }; - - listenAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "127.0.0.1:8000"; - description = "Listen on a specific IP address and port."; - }; - - cacheSize = mkOption { - type = types.nullOr types.int; - default = null; - example = 256; - description = "Cache size in MB."; - }; - - postgresArgs = mkOption { - type = types.str; - example = "user=meguca password=dumbpass dbname=meguca sslmode=disable"; - description = "Postgresql connection arguments."; - }; - - postgresArgsFile = mkOption { - type = types.path; - default = "/run/keys/meguca-postgres-args"; - example = "/home/okina/meguca/keys/postgres"; - description = "Postgresql connection arguments file."; - }; - - compressTraffic = mkOption { - type = types.bool; - default = false; - description = "Compress all traffic with gzip."; - }; - - assumeReverseProxy = mkOption { - type = types.bool; - default = false; - description = "Assume the server is behind a reverse proxy, when resolving client IPs."; - }; - - httpsOnly = mkOption { - type = types.bool; - default = false; - description = "Serve and listen only through HTTPS."; - }; - - videoPaths = mkOption { - type = types.listOf types.path; - default = []; - example = [ "/home/okina/Videos/tehe_pero.webm" ]; - description = "Videos that will be symlinked into www/videos."; - }; - }; - - config = mkIf cfg.enable { - security.sudo.enable = cfg.enable; - services.postgresql.enable = cfg.enable; - services.postgresql.package = pkgs.postgresql_11; - services.meguca.passwordFile = mkDefault (pkgs.writeText "meguca-password-file" cfg.password); - services.meguca.postgresArgsFile = mkDefault (pkgs.writeText "meguca-postgres-args" cfg.postgresArgs); - services.meguca.postgresArgs = mkDefault "user=meguca password=${cfg.password} dbname=meguca sslmode=disable"; - - systemd.services.meguca = { - description = "meguca"; - after = [ "network.target" "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - # Ensure folder exists or create it and links and permissions are correct - mkdir -p ${escapeShellArg cfg.dataDir}/www - rm -rf ${escapeShellArg cfg.dataDir}/www/videos - ln -sf ${pkgs.meguca}/share/meguca/www/* ${escapeShellArg cfg.dataDir}/www - unlink ${escapeShellArg cfg.dataDir}/www/videos - mkdir -p ${escapeShellArg cfg.dataDir}/www/videos - - for vid in ${escapeShellArg cfg.videoPaths}; do - ln -sf $vid ${escapeShellArg cfg.dataDir}/www/videos - done - - chmod 750 ${escapeShellArg cfg.dataDir} - chown -R meguca:meguca ${escapeShellArg cfg.dataDir} - - # Ensure the database is correct or create it - ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createuser \ - -SDR meguca || true - ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createdb \ - -T template0 -E UTF8 -O meguca meguca || true - ${pkgs.sudo}/bin/sudo -u meguca ${postgres.package}/bin/psql \ - -c "ALTER ROLE meguca WITH PASSWORD '$(cat ${escapeShellArg cfg.passwordFile})';" || true - ''; - - script = '' - cd ${escapeShellArg cfg.dataDir} - - ${pkgs.meguca}/bin/meguca -d "$(cat ${escapeShellArg cfg.postgresArgsFile})"'' - + optionalString (cfg.reverseProxy != null) " -R ${cfg.reverseProxy}" - + optionalString (cfg.sslCertificate != null) " -S ${cfg.sslCertificate}" - + optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}" - + optionalString (cfg.cacheSize != null) " -c ${toString cfg.cacheSize}" - + optionalString (cfg.compressTraffic) " -g" - + optionalString (cfg.assumeReverseProxy) " -r" - + optionalString (cfg.httpsOnly) " -s" + " start"; - - serviceConfig = { - PermissionsStartOnly = true; - Type = "forking"; - User = "meguca"; - Group = "meguca"; - ExecStop = "${pkgs.meguca}/bin/meguca stop"; - }; - }; - - users = { - groups.meguca.gid = config.ids.gids.meguca; - - users.meguca = { - description = "meguca server service user"; - home = cfg.dataDir; - createHome = true; - group = "meguca"; - uid = config.ids.uids.meguca; - }; - }; - }; - - imports = [ - (mkRenamedOptionModule [ "services" "meguca" "baseDir" ] [ "services" "meguca" "dataDir" ]) - ]; - - meta.maintainers = with maintainers; [ chiiruno ]; -} diff --git a/nixos/modules/services/x11/imwheel.nix b/nixos/modules/services/x11/imwheel.nix index 3923df498e7..51f72dadbd4 100644 --- a/nixos/modules/services/x11/imwheel.nix +++ b/nixos/modules/services/x11/imwheel.nix @@ -61,7 +61,8 @@ in "--kill" ] ++ cfg.extraOptions); ExecStop = "${pkgs.procps}/bin/pkill imwheel"; - Restart = "on-failure"; + RestartSec = 3; + Restart = "always"; }; }; }; diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix index 30c59b88f82..070758720fe 100644 --- a/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixos/modules/services/x11/window-managers/xmonad.nix @@ -82,12 +82,11 @@ in services.xserver.windowManager = { session = [{ name = "xmonad"; - start = if (cfg.config != null) then '' - ${xmonadBin} - waitPID=$! - '' else '' - systemd-cat -t xmonad ${xmonad}/bin/xmonad & - waitPID=$! + start = let + xmonadCommand = if (cfg.config != null) then xmonadBin else "${xmonad}/bin/xmonad"; + in '' + systemd-cat -t xmonad ${xmonadCommand} & + waitPID=$! ''; }]; }; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 54e3a691b2f..0c1be71cf53 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -378,12 +378,14 @@ mountFS() { mkdir -p "/mnt-root$mountPoint" - # For CIFS mounts, retry a few times before giving up. + # For ZFS and CIFS mounts, retry a few times before giving up. + # We do this for ZFS as a workaround for issue NixOS/nixpkgs#25383. local n=0 while true; do mount "/mnt-root$mountPoint" && break - if [ "$fsType" != cifs -o "$n" -ge 10 ]; then fail; break; fi + if [ \( "$fsType" != cifs -a "$fsType" != zfs \) -o "$n" -ge 10 ]; then fail; break; fi echo "retrying..." + sleep 1 n=$((n + 1)) done diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix index f267c97b178..9c818eee73b 100644 --- a/nixos/modules/virtualisation/cri-o.nix +++ b/nixos/modules/virtualisation/cri-o.nix @@ -85,7 +85,7 @@ in environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml"; - environment.etc."crio/crio.conf".text = '' + environment.etc."crio/crio.conf.d/00-default.conf".text = '' [crio] storage_driver = "${cfg.storageDriver}" @@ -100,6 +100,7 @@ in cgroup_manager = "systemd" log_level = "${cfg.logLevel}" manage_ns_lifecycle = true + pinns_path = "${cfg.package}/bin/pinns" ${optionalString (cfg.runtime != null) '' default_runtime = "${cfg.runtime}" @@ -109,6 +110,7 @@ in ''; environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf"; + environment.etc."cni/net.d/99-loopback.conf".source = copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf"; # Enable common /etc/containers configuration virtualisation.containers.enable = true; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index a4a62d85a59..0ce5f89b27c 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -34,6 +34,7 @@ in bind = handleTest ./bind.nix {}; bitcoind = handleTest ./bitcoind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; + bitwarden = handleTest ./bitwarden.nix {}; blockbook-frontend = handleTest ./blockbook-frontend.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 diff --git a/nixos/tests/bitwarden.nix b/nixos/tests/bitwarden.nix new file mode 100644 index 00000000000..a47c77cec21 --- /dev/null +++ b/nixos/tests/bitwarden.nix @@ -0,0 +1,188 @@ +{ system ? builtins.currentSystem +, config ? { } +, pkgs ? import ../.. { inherit system config; } +}: + +# These tests will: +# * Set up a bitwarden-rs server +# * Have Firefox use the web vault to create an account, log in, and save a password to the valut +# * Have the bw cli log in and read that password from the vault +# +# Note that Firefox must be on the same machine as the server for WebCrypto APIs to be available (or HTTPS must be configured) +# +# The same tests should work without modification on the official bitwarden server, if we ever package that. + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; +let + backends = [ "sqlite" "mysql" "postgresql" ]; + + dbPassword = "please_dont_hack"; + + userEmail = "meow@example.com"; + userPassword = "also_super_secret_ZJWpBKZi668QGt"; # Must be complex to avoid interstitial warning on the signup page + + storedPassword = "seeeecret"; + + makeBitwardenTest = backend: makeTest { + name = "bitwarden_rs-${backend}"; + meta = { + maintainers = with pkgs.stdenv.lib.maintainers; [ jjjollyjim ]; + }; + + nodes = { + server = { pkgs, ... }: + let backendConfig = { + mysql = { + services.mysql = { + enable = true; + initialScript = pkgs.writeText "mysql-init.sql" '' + CREATE DATABASE bitwarden; + CREATE USER 'bitwardenuser'@'localhost' IDENTIFIED BY '${dbPassword}'; + GRANT ALL ON `bitwarden`.* TO 'bitwardenuser'@'localhost'; + FLUSH PRIVILEGES; + ''; + package = pkgs.mysql; + }; + + services.bitwarden_rs.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + + systemd.services.bitwarden_rs.after = [ "mysql.service" ]; + }; + + postgresql = { + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "postgresql-init.sql" '' + CREATE DATABASE bitwarden; + CREATE USER bitwardenuser WITH PASSWORD '${dbPassword}'; + GRANT ALL PRIVILEGES ON DATABASE bitwarden TO bitwardenuser; + ''; + }; + + services.bitwarden_rs.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + + systemd.services.bitwarden_rs.after = [ "postgresql.service" ]; + }; + + sqlite = { }; + }; + in + mkMerge [ + backendConfig.${backend} + { + services.bitwarden_rs = { + enable = true; + dbBackend = backend; + config.rocketPort = 80; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + + environment.systemPackages = + let + testRunner = pkgs.writers.writePython3Bin "test-runner" + { + libraries = [ pkgs.python3Packages.selenium ]; + } '' + from selenium.webdriver import Firefox + from selenium.webdriver.firefox.options import Options + from selenium.webdriver.support.ui import WebDriverWait + from selenium.webdriver.support import expected_conditions as EC + + options = Options() + options.add_argument('--headless') + driver = Firefox(options=options) + + driver.implicitly_wait(20) + driver.get('http://localhost/#/register') + + wait = WebDriverWait(driver, 10) + + wait.until(EC.title_contains("Create Account")) + + driver.find_element_by_css_selector('input#email').send_keys( + '${userEmail}' + ) + driver.find_element_by_css_selector('input#name').send_keys( + 'A Cat' + ) + driver.find_element_by_css_selector('input#masterPassword').send_keys( + '${userPassword}' + ) + driver.find_element_by_css_selector('input#masterPasswordRetype').send_keys( + '${userPassword}' + ) + + driver.find_element_by_xpath("//button[contains(., 'Submit')]").click() + + wait.until_not(EC.title_contains("Create Account")) + + driver.find_element_by_css_selector('input#masterPassword').send_keys( + '${userPassword}' + ) + driver.find_element_by_xpath("//button[contains(., 'Log In')]").click() + + wait.until(EC.title_contains("My Vault")) + + driver.find_element_by_xpath("//button[contains(., 'Add Item')]").click() + + driver.find_element_by_css_selector('input#name').send_keys( + 'secrets' + ) + driver.find_element_by_css_selector('input#loginPassword').send_keys( + '${storedPassword}' + ) + + driver.find_element_by_xpath("//button[contains(., 'Save')]").click() + ''; + in + [ pkgs.firefox-unwrapped pkgs.geckodriver testRunner ]; + + virtualisation.memorySize = 768; + } + ]; + + client = { pkgs, ... }: + { + environment.systemPackages = [ pkgs.bitwarden-cli ]; + }; + }; + + testScript = '' + start_all() + server.wait_for_unit("bitwarden_rs.service") + server.wait_for_open_port(80) + + with subtest("configure the cli"): + client.succeed("bw --nointeraction config server http://server") + + with subtest("can't login to nonexistant account"): + client.fail( + "bw --nointeraction --raw login ${userEmail} ${userPassword}" + ) + + with subtest("use the web interface to sign up, log in, and save a password"): + server.succeed("PYTHONUNBUFFERED=1 test-runner | systemd-cat -t test-runner") + + with subtest("log in with the cli"): + key = client.succeed( + "bw --nointeraction --raw login ${userEmail} ${userPassword}" + ).strip() + + with subtest("sync with the cli"): + client.succeed(f"bw --nointeraction --raw --session {key} sync -f") + + with subtest("get the password with the cli"): + password = client.succeed( + f"bw --nointeraction --raw --session {key} list items | ${pkgs.jq}/bin/jq -r .[].login.password" + ) + assert password.strip() == "${storedPassword}" + ''; + }; +in +builtins.listToAttrs ( + map + (backend: { name = backend; value = makeBitwardenTest backend; }) + backends +) diff --git a/nixos/tests/prometheus.nix b/nixos/tests/prometheus.nix index bce489168f9..af2aa66a552 100644 --- a/nixos/tests/prometheus.nix +++ b/nixos/tests/prometheus.nix @@ -158,7 +158,10 @@ in import ./make-test-python.nix { s3 = { pkgs, ... } : { # Minio requires at least 1GiB of free disk space to run. - virtualisation.diskSize = 2 * 1024; + virtualisation = { + diskSize = 2 * 1024; + memorySize = 1024; + }; networking.firewall.allowedTCPPorts = [ minioPort ]; services.minio = { @@ -235,7 +238,7 @@ in import ./make-test-python.nix { # Test if the Thanos bucket command is able to retrieve blocks from the S3 bucket # and check if the blocks have the correct labels: store.succeed( - "thanos bucket ls " + "thanos tools bucket ls " + "--objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file} " + "--output=json | " + "jq .thanos.labels.some_label | " diff --git a/nixos/tests/transmission.nix b/nixos/tests/transmission.nix index f4f2186be1f..37c0352dcfb 100644 --- a/nixos/tests/transmission.nix +++ b/nixos/tests/transmission.nix @@ -9,6 +9,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { networking.firewall.allowedTCPPorts = [ 9091 ]; + security.apparmor.enable = true; + services.transmission.enable = true; }; |