author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-10-15 01:34:36 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-10-15 01:34:36 +0200 |
commit | adf4e67dd414babe715e17eaf5dfbc8d63a06cae (patch) | |
tree | 53a5e209186782fc1127b778bab773be9d7d6a57 /nixos | |
parent | 850a9bf3f2c65c98452640162262e7a807f7609f (diff) | |
parent | c3c77ae81271cce85e0117a1dd316fdcf94be74b (diff) | |
Merge remote-tracking branch 'origin/staging' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 14 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2111.section.md | 4 | ||||
-rw-r--r-- | nixos/modules/hardware/printers.nix | 9 | ||||
-rw-r--r-- | nixos/modules/security/ca.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 7 | ||||
-rw-r--r-- | nixos/modules/virtualisation/libvirtd.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/custom-ca.nix | 8 | ||||
-rw-r--r-- | nixos/tests/printing.nix | 12 | ||||
-rw-r--r-- | nixos/tests/systemd-cryptenroll.nix | 55 |
10 files changed, 90 insertions, 41 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 700ad741c00..17035df345a 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -17,6 +17,12 @@
 <itemizedlist>
 <listitem>
 <para>
+ <literal>iptables</literal> now uses
+ <literal>nf_tables</literal> backend.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
 PHP now defaults to PHP 8.0, updated from 7.4.
 </para>
 </listitem>
@@ -375,6 +381,14 @@
 </listitem>
 <listitem>
 <para>
+ Since <literal>iptables</literal> now uses
+ <literal>nf_tables</literal> backend and
+ <literal>ipset</literal> doesn’t support it, some applications
+ (ferm, shorewall, firehol) may have limited functionality.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
 The <literal>paperless</literal> module and package have been
 removed. All users should migrate to the successor
 <literal>paperless-ng</literal> instead. The Paperless project
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index ab1e94d59f1..94c79b9452a 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -6,6 +6,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 ## Highlights {#sec-release-21.11-highlights}
+- `iptables` now uses `nf_tables` backend.
+
 - PHP now defaults to PHP 8.0, updated from 7.4.
 - kOps now defaults to 1.21.1, which uses containerd as the default runtime.
@@ -114,6 +116,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
+- Since `iptables` now uses `nf_tables` backend and `ipset` doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality.
+
 - The `paperless` module and package have been removed. All users should migrate to the successor `paperless-ng` instead. The Paperless project [has been archived](https://github.com/the-paperless-project/paperless/commit/9b0063c9731f7c5f65b1852cb8caff97f5e40ba4)
diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix
index 7bab4f7038d..ef07542950b 100644
--- a/nixos/modules/hardware/printers.nix
+++ b/nixos/modules/hardware/printers.nix
@@ -116,19 +116,14 @@ in {
 description = "Ensure NixOS-configured CUPS printers";
 wantedBy = [ "multi-user.target" ];
 requires = [ cupsUnit ];
- # in contrast to cups.socket, for cups.service, this is actually not enough,
- # as the cups service reports its activation before clients can actually interact with it.
- # Because of this, commands like `lpinfo -v` will report a bad file descriptor
- # due to the missing UNIX socket without sufficient sleep time.
 after = [ cupsUnit ];
 serviceConfig = {
 Type = "oneshot";
+ RemainAfterExit = true;
 };
- # sleep 10 is required to wait until cups.service is actually initialized and has created its UNIX socket file
- script = (optionalString (!config.services.printing.startWhenNeeded) "sleep 10\n")
- + (concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters)
+ script = concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters
 + optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter);
 };
 };
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 83c15f90f92..f71d9d90ec5 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -8,12 +8,10 @@ let
 cacertPackage = pkgs.cacert.override {
 blacklist = cfg.caCertificateBlacklist;
+ extraCertificateFiles = cfg.certificateFiles;
+ extraCertificateStrings = cfg.certificates;
 };
-
- caCertificates = pkgs.runCommand "ca-certificates.crt" {
- files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
- preferLocalBuild = true;
- } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files
+ caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
 in
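Review bot: With the `sleep 10` removed, `after = [ cupsUnit ]` is the only ordering left between this unit and CUPS, and the deleted comment's claim that cups.service reports activation before its socket is usable is neither refuted nor replaced by an explanation in the new code; if that claim still holds, the commands emitted by `ensurePrinter` can race the socket as before, now without the delay. Please add a line saying why the wait is no longer needed, plus one on the new setting, e.g. `# Oneshot that stays active after success, so nixos/tests/printing.nix can wait_for_unit on it.` (that purpose is inferred from the test change in this commit). Separately, `script` concatenates the `ensurePrinter` output and the optional `ensureDefaultPrinter` command with no separator, so unless `ensurePrinter` (defined outside the hunk) terminates its output with `"\n"` the last two commands end up on one shell line; the join predates this change but is worth checking while the line is being touched. The enclosing `systemd.services.ensure-printers` attribute set begins outside the hunk.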
@@ -74,16 +72,17 @@ in
 config = {
- security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
-
 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
- environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
+ environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
 # Old NixOS compatibility.
- environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
+ environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
 # CentOS/Fedora compatibility.
- environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
+ environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+
+ # P11-Kit trust source.
+ environment.etc."ssl/trust-source".source = "${cacertPackage.p11kit}/etc/ssl/trust-source";
 };
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 2a826e0f087..74daf0ae9fa 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -502,13 +502,6 @@ in {
 systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
- # override unit as recommended by upstream - see https://github.com/NixOS/nixpkgs/issues/88089
- # TODO: keep an eye on modem-manager releases as this will eventually be added to the upstream unit
- systemd.services.ModemManager.serviceConfig.ExecStart = [
- ""
- "${pkgs.modemmanager}/sbin/ModemManager --filter-policy=STRICT"
- ];
-
 systemd.services.NetworkManager-dispatcher = {
 wantedBy = [ "network.target" ];
 restartTriggers = [ configFile overrideNameserversScript ];
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 77b43d9d843..55ec76b4c95 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
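Review bot: The new `environment.etc."ssl/trust-source"` entry hands p11-kit the `${cacertPackage.p11kit}` output, but nothing in this hunk or the previous one shows that that output is generated from the overridden inputs (`blacklist`, `extraCertificateFiles`, `extraCertificateStrings`) the same way the PEM bundle is; if the p11kit output ignores any of them, NSS-based consumers such as Firefox end up with a different trust set than OpenSSL/GnuTLS consumers reading `caBundle`, and a blacklisted CA could remain trusted in one of the two stores. The re-enabled firefox case in nixos/tests/custom-ca.nix exercises this path, but whether it also covers `caCertificateBlacklist` cannot be told from the visible hunks, so please confirm against the cacert package. A comment stating the invariant would help, e.g. `# P11-Kit trust source for NSS consumers; derived from the same overridden cacert as caBundle so both stores carry the blacklist and the extra certificates.` The removed `security.pki.certificateFiles` default also means `cfg.certificateFiles` no longer contains the upstream bundle path itself; that looks intended now that the override builds it in, but it is a visible change for anything reading that option's value.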
@@ -168,7 +168,7 @@ in {
 etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e: "allow ${e}") cfg.allowedBridges;
 systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemuPackage ];
- etc.ethertypes.source = "${pkgs.ebtables}/etc/ethertypes";
+ etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
 };
 boot.kernelModules = [ "tun" ];
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index a6eb2c03258..bd02c7af10d 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -430,6 +430,7 @@ in
 systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
 systemd-boot = handleTest ./systemd-boot.nix {};
 systemd-confinement = handleTest ./systemd-confinement.nix {};
+ systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
 systemd-journal = handleTest ./systemd-journal.nix {};
 systemd-networkd = handleTest ./systemd-networkd.nix {};
 systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix
index 05cfbbb2fdf..4480519c7ed 100644
--- a/nixos/tests/custom-ca.nix
+++ b/nixos/tests/custom-ca.nix
@@ -109,9 +109,7 @@ in
 environment.systemPackages = with pkgs; [
 xdotool
- # Firefox was disabled here, because we needed to disable p11-kit support in nss,
- # which is why it will not use the system certificate store for the time being.
- # firefox
+ firefox
 chromium
 qutebrowser
 midori
@@ -153,9 +151,7 @@ in
 machine.fail("curl -fv https://bad.example.com")
 browsers = {
- # Firefox was disabled here, because we needed to disable p11-kit support in nss,
- # which is why it will not use the system certificate store for the time being.
- #"firefox": "Security Risk",
+ "firefox": "Security Risk",
 "chromium": "not private",
 "qutebrowser -T": "Certificate error",
 "midori": "Security"
diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix
index badcb99a57a..6338fd8d8ac 100644
--- a/nixos/tests/printing.nix
+++ b/nixos/tests/printing.nix
@@ -53,18 +53,10 @@ in {
 start_all()
- with subtest("Make sure that cups is up on both sides"):
+ with subtest("Make sure that cups is up on both sides and printers are set up"):
 serviceServer.wait_for_unit("cups.service")
 serviceClient.wait_for_unit("cups.service")
-
- with subtest(
- "Wait until cups is fully initialized and ensure-printers has "
- "executed with 10s delay"
- ):
- serviceClient.sleep(20)
- socketActivatedClient.wait_until_succeeds(
- "systemctl show ensure-printers | grep -q -E 'code=exited ; status=0'"
- )
+ socketActivatedClient.wait_for_unit("ensure-printers.service")
 def test_printing(client, server):
diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix
new file mode 100644
index 00000000000..2c436f2de89
--- /dev/null
+++ b/nixos/tests/systemd-cryptenroll.nix
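Review bot: Removing `serviceClient.sleep(20)` leaves serviceClient with no wait on ensure-printers at all — only socketActivatedClient now waits for `ensure-printers.service` — so if serviceClient also declares printers through `ensurePrinters` (its configuration is outside the hunk), `test_printing` can presumably run against it before the unit has finished. If that is the case, add `serviceClient.wait_for_unit("ensure-printers.service")` beside the new line. The `wait_for_unit` call only works because the unit now sets `RemainAfterExit = true` in nixos/modules/hardware/printers.nix; a comment in the subtest naming that coupling, e.g. `# ensure-printers is a oneshot with RemainAfterExit, so it stays "active" once the printers exist`, would keep the test and the module from drifting apart. `test_printing` itself continues after the hunk.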
@@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "systemd-cryptenroll";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ ymatsiuk ];
+ };
+
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ virtualisation = {
+ emptyDiskImages = [ 512 ];
+ memorySize = 1024;
+ qemu.options = [
+ "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
+ "-tpmdev emulator,id=tpm0,chardev=chrtpm"
+ "-device tpm-tis,tpmdev=tpm0"
+ ];
+ };
+ };
+
+ testScript = ''
+ import subprocess
+ import tempfile
+
+ def start_swtpm(tpmstate):
+ subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])
+
+ with tempfile.TemporaryDirectory() as tpmstate:
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Verify the TPM device is available and accessible by systemd-cryptenroll
+ machine.succeed("test -e /dev/tpm0")
+ machine.succeed("test -e /dev/tpmrm0")
+ machine.succeed("systemd-cryptenroll --tpm2-device=list")
+
+ # Create LUKS partition
+ machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
+ # Enroll new LUKS key and bind it to Secure Boot state
+ # For more details on PASSWORD variable, check the following issue:
+ # https://github.com/systemd/systemd/issues/20955
+ machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+ # Add LUKS partition to /etc/crypttab to test auto unlock
+ machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
+ machine.shutdown()
+
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Test LUKS partition automatic unlock on boot
+ machine.wait_for_unit("systemd-cryptsetup@luks.service")
+ # Wipe TPM2 slot
+ machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
+ '';
+})
+
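Review bot: `start_swtpm` throws away the `subprocess.Popen` handle, so neither swtpm instance is ever terminated or waited on, and the second `start_swtpm(tpmstate)` reuses the fixed `/tmp/swtpm-sock` path while the first instance may still own it — whether swtpm exits on its own once the VM disconnects is not visible here. Returning the handle, keeping it in a variable and terminating it after `machine.shutdown()` makes the second boot deterministic and leaves no stray process behind on a failing run; the rewrite below shows the shape. `--log level=0` silences swtpm completely, which makes a failure of `systemd-cryptenroll --tpm2-device=list` hard to diagnose, and a higher level costs nothing in a test. The comment `# Enroll new LUKS key and bind it to Secure Boot state` understates what the test depends on: `--tpm2-pcrs=7` binds the key to PCR 7 (Secure Boot policy measurements) alone, and the automatic unlock on the second boot only works because that register is identical across both boots, so I would write `# Bind to PCR 7 (Secure Boot policy) only, so the value is stable between the first and second boot of this VM`.
```nix
    def start_swtpm(tpmstate):
        return subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])

    with tempfile.TemporaryDirectory() as tpmstate:
        swtpm = start_swtpm(tpmstate)
        machine.start()
        # … unchanged: TPM device checks, luksFormat, enrollment, crypttab …
        machine.shutdown()
        swtpm.terminate()
        swtpm.wait()

        swtpm = start_swtpm(tpmstate)
        machine.start()
        # … unchanged: wait_for_unit, wipe-slot …
```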