diff options
| author | stuebinm <stuebinm@in.tum.de> | 2022-06-30 22:24:44 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-30 22:24:44 +0200 |
| commit | c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0 (patch) | |
| tree | ff97c1cb7cfbd296cadfcc5cdcf582f02faf63f3 /nixos | |
| parent | ef75aab6125710231873bc04b9a6507228d4e814 (diff) | |
| parent | f7cbcafc021f513f6bb97165afb117c54347a7bc (diff) | |
| download | nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar.gz nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar.bz2 nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar.lz nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar.xz nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.tar.zst nixpkgs-c3e03d1199ac2b3a9fb0c5367b5062d6b6e1eae0.zip | |
Merge branch 'master' into nextcloud-secrets
Diffstat (limited to 'nixos')
451 files changed, 11126 insertions, 4654 deletions
diff --git a/nixos/doc/manual/administration/declarative-containers.section.md b/nixos/doc/manual/administration/declarative-containers.section.md index 0d9d4017ed8..00fd244bb91 100644 --- a/nixos/doc/manual/administration/declarative-containers.section.md +++ b/nixos/doc/manual/administration/declarative-containers.section.md @@ -40,7 +40,7 @@ section for details on container networking.) To disable the container, just remove it from `configuration.nix` and run `nixos-rebuild switch`. Note that this will not delete the root directory of the -container in `/var/lib/containers`. Containers can be destroyed using +container in `/var/lib/nixos-containers`. Containers can be destroyed using the imperative method: `nixos-container destroy foo`. Declarative containers can be started and stopped using the diff --git a/nixos/doc/manual/administration/imperative-containers.section.md b/nixos/doc/manual/administration/imperative-containers.section.md index 05196bf5d81..f45991780c4 100644 --- a/nixos/doc/manual/administration/imperative-containers.section.md +++ b/nixos/doc/manual/administration/imperative-containers.section.md @@ -10,8 +10,8 @@ You create a container with identifier `foo` as follows: # nixos-container create foo ``` -This creates the container's root directory in `/var/lib/containers/foo` -and a small configuration file in `/etc/containers/foo.conf`. It also +This creates the container's root directory in `/var/lib/nixos-containers/foo` +and a small configuration file in `/etc/nixos-containers/foo.conf`. It also builds the container's initial system configuration and stores it in `/nix/var/nix/profiles/per-container/foo/system`. You can modify the initial configuration of the container on the command line. For diff --git a/nixos/doc/manual/configuration/xfce.chapter.md b/nixos/doc/manual/configuration/xfce.chapter.md index b0ef6682aae..ee60d465e3b 100644 --- a/nixos/doc/manual/configuration/xfce.chapter.md +++ b/nixos/doc/manual/configuration/xfce.chapter.md @@ -24,11 +24,16 @@ Some Xfce programs are not installed automatically. To install them manually (system wide), put them into your [](#opt-environment.systemPackages) from `pkgs.xfce`. -## Thunar Plugins {#sec-xfce-thunar-plugins .unnumbered} +## Thunar {#sec-xfce-thunar-plugins .unnumbered} + +Thunar (the Xfce file manager) is automatically enabled when Xfce is +enabled. To enable Thunar without enabling Xfce, use the configuration +option [](#opt-programs.thunar.enable) instead of simply adding +`pkgs.xfce.thunar` to [](#opt-environment.systemPackages). If you\'d like to add extra plugins to Thunar, add them to -[](#opt-services.xserver.desktopManager.xfce.thunarPlugins). -You shouldn\'t just add them to [](#opt-environment.systemPackages). +[](#opt-programs.thunar.plugins). You shouldn\'t just add them to +[](#opt-environment.systemPackages). ## Troubleshooting {#sec-xfce-troubleshooting .unnumbered} diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index bcb5d0d02f7..1cd769b6a54 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -133,12 +133,12 @@ let # ^ redirect assumes xmllint doesn’t print to stdout } - lintrng manual-combined.xml - lintrng man-pages-combined.xml - mkdir $out cp manual-combined.xml $out/ cp man-pages-combined.xml $out/ + + lintrng $out/manual-combined.xml + lintrng $out/man-pages-combined.xml ''; olinkDB = runCommand "manual-olinkdb" diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md index df683662404..1aee252fdde 100644 --- a/nixos/doc/manual/development/activation-script.section.md +++ b/nixos/doc/manual/development/activation-script.section.md @@ -54,7 +54,7 @@ possiblility into account that they have to create them first. ## NixOS snippets {#sec-activation-script-nixos-snippets} There are some snippets NixOS enables by default because disabling them would -most likely break you system. This section lists a few of them and what they +most likely break your system. This section lists a few of them and what they do: - `binsh` creates `/bin/sh` which points to the runtime shell diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md index 2e11218e823..79914f2cb6c 100644 --- a/nixos/doc/manual/development/option-declarations.section.md +++ b/nixos/doc/manual/development/option-declarations.section.md @@ -56,7 +56,14 @@ The function `mkOption` accepts the following arguments. `description` : A textual description of the option, in DocBook format, that will be - included in the NixOS manual. + included in the NixOS manual. During the migration process from DocBook + to CommonMark the description may also be written in CommonMark, but has + to be wrapped in `lib.mdDoc` to differentiate it from DocBook. See + the nixpkgs manual for [the list of CommonMark extensions]( + https://nixos.org/nixpkgs/manual/#sec-contributing-markup) + supported by NixOS documentation. + + New documentation should preferably be written as CommonMark. ## Utility functions for common option patterns {#sec-option-declarations-util} @@ -120,14 +127,14 @@ lib.mkOption { ```nix lib.mkPackageOption pkgs "GHC" { default = [ "ghc" ]; - example = "pkgs.haskell.package.ghc922.ghc.withPackages (hkgs: [ hkgs.primes ])"; + example = "pkgs.haskell.package.ghc923.ghc.withPackages (hkgs: [ hkgs.primes ])"; } # is like lib.mkOption { type = lib.types.package; default = pkgs.ghc; defaultText = lib.literalExpression "pkgs.ghc"; - example = lib.literalExpression "pkgs.haskell.package.ghc922.ghc.withPackages (hkgs: [ hkgs.primes ])"; + example = lib.literalExpression "pkgs.haskell.package.ghc923.ghc.withPackages (hkgs: [ hkgs.primes ])"; description = "The GHC package to use."; } ``` diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index 00f1d85bdb6..9b35e663014 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md @@ -220,6 +220,25 @@ Value types are types that take a value parameter. requires using a function: `the-submodule = { ... }: { options = { ... }; }`. +`types.deferredModule` + +: Whereas `submodule` represents an option tree, `deferredModule` represents + a module value, such as a module file or a configuration. + + It can be set multiple times. + + Module authors can use its value in `imports`, in `submoduleWith`'s `modules` + or in `evalModules`' `modules` parameter, among other places. + + Note that `imports` must be evaluated before the module fixpoint. Because + of this, deferred modules can only be imported into "other" fixpoints, such + as submodules. + + One use case for this type is the type of a "default" module that allow the + user to affect all submodules in an `attrsOf submodule` at once. This is + more convenient and discoverable than expecting the module user to + type-merge with the `attrsOf submodule` option. + ## Composed Types {#sec-option-types-composed} Composed types are types that take a type as parameter. `listOf @@ -308,6 +327,10 @@ The option set can be defined directly ([Example: Directly defined submodule](#ex-submodule-direct)) or as reference ([Example: Submodule defined as a reference](#ex-submodule-reference)). +Note that even if your submodule’s options all have a default value, +you will still need to provide a default value (e.g. an empty attribute set) +if you want to allow users to leave it undefined. + ::: {#ex-submodule-direct .example} ::: {.title} **Example: Directly defined submodule** diff --git a/nixos/doc/manual/development/writing-nixos-tests.section.md b/nixos/doc/manual/development/writing-nixos-tests.section.md index e5ee1cb01ff..f4f4056ad98 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.section.md +++ b/nixos/doc/manual/development/writing-nixos-tests.section.md @@ -332,6 +332,19 @@ repository): ''; ``` +Similarly, the type checking of test scripts can be disabled in the following +way: + +```nix +import ./make-test-python.nix { + skipTypeCheck = true; + nodes.machine = + { config, pkgs, ... }: + { configuration… + }; +} +``` + ## Failing tests early {#ssec-failing-tests-early} To fail tests early when certain invariables are no longer met (instead of waiting for the build to time out), the decorator `polling_condition` is provided. For example, if we are testing a program `foo` that should not quit after being started, we might write the following: @@ -380,3 +393,25 @@ with foo_running: def foo_running(): machine.succeed("pgrep -x foo") ``` + +## Adding Python packages to the test script {#ssec-python-packages-in-test-script} + +When additional Python libraries are required in the test script, they can be +added using the parameter `extraPythonPackages`. For example, you could add +`numpy` like this: + +```nix +import ./make-test-python.nix +{ + extraPythonPackages = p: [ p.numpy ]; + + nodes = { }; + + testScript = '' + import numpy as np + assert str(np.zeros(4) == "array([0., 0., 0., 0.])") + ''; +} +``` + +In that case, `numpy` is chosen from the generic `python3Packages`. diff --git a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml index 7b35520d567..b8179dca1f8 100644 --- a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml +++ b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml @@ -48,8 +48,8 @@ containers.database = { <literal>configuration.nix</literal> and run <literal>nixos-rebuild switch</literal>. Note that this will not delete the root directory of the container in - <literal>/var/lib/containers</literal>. Containers can be destroyed - using the imperative method: + <literal>/var/lib/nixos-containers</literal>. Containers can be + destroyed using the imperative method: <literal>nixos-container destroy foo</literal>. </para> <para> diff --git a/nixos/doc/manual/from_md/administration/imperative-containers.section.xml b/nixos/doc/manual/from_md/administration/imperative-containers.section.xml index 59ecfdee5af..865fc468939 100644 --- a/nixos/doc/manual/from_md/administration/imperative-containers.section.xml +++ b/nixos/doc/manual/from_md/administration/imperative-containers.section.xml @@ -14,8 +14,9 @@ </programlisting> <para> This creates the container’s root directory in - <literal>/var/lib/containers/foo</literal> and a small configuration - file in <literal>/etc/containers/foo.conf</literal>. It also builds + <literal>/var/lib/nixos-containers/foo</literal> and a small + configuration file in + <literal>/etc/nixos-containers/foo.conf</literal>. It also builds the container’s initial system configuration and stores it in <literal>/nix/var/nix/profiles/per-container/foo/system</literal>. You can modify the initial configuration of the container on the diff --git a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml index f96ef2e8c48..42e70d1d81d 100644 --- a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml @@ -27,13 +27,19 @@ services.picom = { <literal>pkgs.xfce</literal>. </para> <section xml:id="sec-xfce-thunar-plugins"> - <title>Thunar Plugins</title> + <title>Thunar</title> <para> - If you'd like to add extra plugins to Thunar, add them to - <xref linkend="opt-services.xserver.desktopManager.xfce.thunarPlugins" />. - You shouldn't just add them to + Thunar (the Xfce file manager) is automatically enabled when Xfce + is enabled. To enable Thunar without enabling Xfce, use the + configuration option <xref linkend="opt-programs.thunar.enable" /> + instead of simply adding <literal>pkgs.xfce.thunar</literal> to <xref linkend="opt-environment.systemPackages" />. </para> + <para> + If you'd like to add extra plugins to Thunar, add them to + <xref linkend="opt-programs.thunar.plugins" />. You shouldn't just + add them to <xref linkend="opt-environment.systemPackages" />. + </para> </section> <section xml:id="sec-xfce-troubleshooting"> <title>Troubleshooting</title> diff --git a/nixos/doc/manual/from_md/development/activation-script.section.xml b/nixos/doc/manual/from_md/development/activation-script.section.xml index 0d9e911216e..981ebf37e60 100644 --- a/nixos/doc/manual/from_md/development/activation-script.section.xml +++ b/nixos/doc/manual/from_md/development/activation-script.section.xml @@ -73,7 +73,7 @@ system.activationScripts.my-activation-script = { <title>NixOS snippets</title> <para> There are some snippets NixOS enables by default because disabling - them would most likely break you system. This section lists a few + them would most likely break your system. This section lists a few of them and what they do: </para> <itemizedlist spacing="compact"> diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml index 91867c22410..03ec48f35fd 100644 --- a/nixos/doc/manual/from_md/development/option-declarations.section.xml +++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml @@ -94,7 +94,17 @@ options = { <listitem> <para> A textual description of the option, in DocBook format, that - will be included in the NixOS manual. + will be included in the NixOS manual. During the migration + process from DocBook to CommonMark the description may also be + written in CommonMark, but has to be wrapped in + <literal>lib.mdDoc</literal> to differentiate it from DocBook. + See the nixpkgs manual for + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-contributing-markup">the + list of CommonMark extensions</link> supported by NixOS + documentation. + </para> + <para> + New documentation should preferably be written as CommonMark. </para> </listitem> </varlistentry> @@ -183,14 +193,14 @@ lib.mkOption { <programlisting language="bash"> lib.mkPackageOption pkgs "GHC" { default = [ "ghc" ]; - example = "pkgs.haskell.package.ghc922.ghc.withPackages (hkgs: [ hkgs.primes ])"; + example = "pkgs.haskell.package.ghc923.ghc.withPackages (hkgs: [ hkgs.primes ])"; } # is like lib.mkOption { type = lib.types.package; default = pkgs.ghc; defaultText = lib.literalExpression "pkgs.ghc"; - example = lib.literalExpression "pkgs.haskell.package.ghc922.ghc.withPackages (hkgs: [ hkgs.primes ])"; + example = lib.literalExpression "pkgs.haskell.package.ghc923.ghc.withPackages (hkgs: [ hkgs.primes ])"; description = "The GHC package to use."; } </programlisting> diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml index 44472929270..929d5302ed4 100644 --- a/nixos/doc/manual/from_md/development/option-types.section.xml +++ b/nixos/doc/manual/from_md/development/option-types.section.xml @@ -427,6 +427,43 @@ </itemizedlist> </listitem> </varlistentry> + <varlistentry> + <term> + <literal>types.deferredModule</literal> + </term> + <listitem> + <para> + Whereas <literal>submodule</literal> represents an option + tree, <literal>deferredModule</literal> represents a module + value, such as a module file or a configuration. + </para> + <para> + It can be set multiple times. + </para> + <para> + Module authors can use its value in + <literal>imports</literal>, in + <literal>submoduleWith</literal><quote>s + <literal>modules</literal> or in + <literal>evalModules</literal></quote> + <literal>modules</literal> parameter, among other places. + </para> + <para> + Note that <literal>imports</literal> must be evaluated + before the module fixpoint. Because of this, deferred + modules can only be imported into <quote>other</quote> + fixpoints, such as submodules. + </para> + <para> + One use case for this type is the type of a + <quote>default</quote> module that allow the user to affect + all submodules in an <literal>attrsOf submodule</literal> at + once. This is more convenient and discoverable than + expecting the module user to type-merge with the + <literal>attrsOf submodule</literal> option. + </para> + </listitem> + </varlistentry> </variablelist> </section> <section xml:id="sec-option-types-composed"> @@ -617,6 +654,12 @@ (<link linkend="ex-submodule-reference">Example: Submodule defined as a reference</link>). </para> + <para> + Note that even if your submodule’s options all have a default + value, you will still need to provide a default value (e.g. an + empty attribute set) if you want to allow users to leave it + undefined. + </para> <anchor xml:id="ex-submodule-direct" /> <para> <emphasis role="strong">Example: Directly defined diff --git a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml index 7ce3e4cb290..46367bdd345 100644 --- a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml +++ b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml @@ -590,6 +590,19 @@ import ./make-test-python.nix { # fmt: on ''; </programlisting> + <para> + Similarly, the type checking of test scripts can be disabled in + the following way: + </para> + <programlisting language="bash"> +import ./make-test-python.nix { + skipTypeCheck = true; + nodes.machine = + { config, pkgs, ... }: + { configuration… + }; +} +</programlisting> </section> <section xml:id="ssec-failing-tests-early"> <title>Failing tests early</title> @@ -652,4 +665,30 @@ def foo_running(): ``` </programlisting> </section> + <section xml:id="ssec-python-packages-in-test-script"> + <title>Adding Python packages to the test script</title> + <para> + When additional Python libraries are required in the test script, + they can be added using the parameter + <literal>extraPythonPackages</literal>. For example, you could add + <literal>numpy</literal> like this: + </para> + <programlisting language="bash"> +import ./make-test-python.nix +{ + extraPythonPackages = p: [ p.numpy ]; + + nodes = { }; + + testScript = '' + import numpy as np + assert str(np.zeros(4) == "array([0., 0., 0., 0.])") + ''; +} +</programlisting> + <para> + In that case, <literal>numpy</literal> is chosen from the generic + <literal>python3Packages</literal>. + </para> + </section> </section> diff --git a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml index 525531a4781..024a24379dd 100644 --- a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml @@ -248,7 +248,7 @@ $ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -I nixos-co (since your Nix install was probably single user): </para> <programlisting> -$ sudo chown -R 0.0 /nix +$ sudo chown -R 0:0 /nix </programlisting> </listitem> <listitem> diff --git a/nixos/doc/manual/from_md/installation/installing-kexec.section.xml b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml new file mode 100644 index 00000000000..46ea0d59b6c --- /dev/null +++ b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml @@ -0,0 +1,94 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-via-kexec"> + <title><quote>Booting</quote> into NixOS via kexec</title> + <para> + In some cases, your system might already be booted into/preinstalled + with another Linux distribution, and booting NixOS by attaching an + installation image is quite a manual process. + </para> + <para> + This is particularly useful for (cloud) providers where you can’t + boot a custom image, but get some Debian or Ubuntu installation. + </para> + <para> + In these cases, it might be easier to use <literal>kexec</literal> + to <quote>jump into NixOS</quote> from the running system, which + only assumes <literal>bash</literal> and <literal>kexec</literal> to + be installed on the machine. + </para> + <para> + Note that kexec may not work correctly on some hardware, as devices + are not fully re-initialized in the process. In practice, this + however is rarely the case. + </para> + <para> + To build the necessary files from your current version of nixpkgs, + you can run: + </para> + <programlisting> +nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>' +</programlisting> + <para> + This will create a <literal>result</literal> directory containing + the following: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>bzImage</literal> (the Linux kernel) + </para> + </listitem> + <listitem> + <para> + <literal>initrd</literal> (the initrd file) + </para> + </listitem> + <listitem> + <para> + <literal>kexec-boot</literal> (a shellscript invoking + <literal>kexec</literal>) + </para> + </listitem> + </itemizedlist> + <para> + These three files are meant to be copied over to the other already + running Linux Distribution. + </para> + <para> + Note it’s symlinks pointing elsewhere, so <literal>cd</literal> in, + and use <literal>scp * root@$destination</literal> to copy it over, + rather than rsync. + </para> + <para> + Once you finished copying, execute <literal>kexec-boot</literal> + <emphasis>on the destination</emphasis>, and after some seconds, the + machine should be booting into an (ephemeral) NixOS installation + medium. + </para> + <para> + In case you want to describe your own system closure to kexec into, + instead of the default installer image, you can build your own + <literal>configuration.nix</literal>: + </para> + <programlisting language="bash"> +{ modulesPath, ... }: { + imports = [ + (modulesPath + "/installer/netboot/netboot-minimal.nix") + ]; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "my-ssh-pubkey" + ]; +} +</programlisting> + <programlisting> +nix-build '<nixpkgs/nixos>' \ + --arg configuration ./configuration.nix + --attr config.system.build.kexecTree +</programlisting> + <para> + Make sure your <literal>configuration.nix</literal> does still + import <literal>netboot-minimal.nix</literal> (or + <literal>netboot-base.nix</literal>). + </para> +</section> diff --git a/nixos/doc/manual/from_md/installation/installing.chapter.xml b/nixos/doc/manual/from_md/installation/installing.chapter.xml index aee0b30a707..19ff841f5a6 100644 --- a/nixos/doc/manual/from_md/installation/installing.chapter.xml +++ b/nixos/doc/manual/from_md/installation/installing.chapter.xml @@ -638,6 +638,7 @@ $ passwd eelco <title>Additional installation notes</title> <xi:include href="installing-usb.section.xml" /> <xi:include href="installing-pxe.section.xml" /> + <xi:include href="installing-kexec.section.xml" /> <xi:include href="installing-virtualbox-guest.section.xml" /> <xi:include href="installing-from-other-distro.section.xml" /> <xi:include href="installing-behind-a-proxy.section.xml" /> diff --git a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml index e3b77d4c365..11fe1d317cc 100644 --- a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml +++ b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml @@ -12,7 +12,7 @@ <listitem> <para> <emphasis>Stable channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-21.11"><literal>nixos-21.11</literal></link>. + <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), @@ -33,7 +33,7 @@ <listitem> <para> <emphasis>Small channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-21.11-small"><literal>nixos-21.11-small</literal></link> + <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link> or <link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>. These are identical to the stable and unstable channels @@ -60,8 +60,8 @@ <para> When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For - instance, if you installed from a 21.11 ISO, you will be subscribed - to the <literal>nixos-21.11</literal> channel. To see which NixOS + instance, if you installed from a 22.05 ISO, you will be subscribed + to the <literal>nixos-22.05</literal> channel. To see which NixOS channel you’re subscribed to, run the following as root: </para> <programlisting> @@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable </programlisting> <para> (Be sure to include the <literal>nixos</literal> parameter at the - end.) For instance, to use the NixOS 21.11 stable channel: + end.) For instance, to use the NixOS 22.05 stable channel: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos </programlisting> <para> If you have a server, you may want to use the <quote>small</quote> channel instead: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos </programlisting> <para> And if you want to live on the bleeding edge: @@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true; also specify a channel explicitly, e.g. </para> <programlisting language="bash"> -system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11; +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; </programlisting> </section> </chapter> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index b61a0268dee..d9ebbe74d54 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -569,8 +569,9 @@ <listitem> <para> The NixOS VM test framework, - <literal>pkgs.nixosTest</literal>/<literal>make-test-python.nix</literal>, - now requires detaching commands such as + <literal>pkgs.nixosTest</literal>/<literal>make-test-python.nix</literal> + (<literal>pkgs.testers.nixosTest</literal> since 22.05), now + requires detaching commands such as <literal>succeed("foo &")</literal> and <literal>succeed("foo | xclip -i")</literal> to close stdout. This can be done with a redirect such as diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 05b3822cab7..245250e7091 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1,9 +1,5 @@ <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.05"> - <title>Release 22.05 (“Quokka”, 2022.05/??)</title> - <para> - In addition to numerous new and upgraded packages, this release has - the following highlights: - </para> + <title>Release 22.05 (“Quokka”, 2022.05/30)</title> <itemizedlist spacing="compact"> <listitem> <para> @@ -14,50 +10,36 @@ </itemizedlist> <section xml:id="sec-release-22.05-highlights"> <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> <itemizedlist> <listitem> - <para> - The <literal>firefox</literal> browser on - <literal>x86_64-linux</literal> is now making use of - profile-guided optimization resulting in a much more - responsive browsing experience. - </para> +<literallayout>Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the <literal>nix</literal> command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the relase notes for <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html">nix-2.4</link>, +<link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html">nix-2.5</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html">nix-2.6</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html">nix-2.7</link> and <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html">nix-2.8</link></literallayout> </listitem> <listitem> <para> - <literal>security.acme.defaults</literal> has been added to - simplify configuring settings for many certificates at once. - This also opens up the the option to use DNS-01 validation - when using <literal>enableACME</literal> on web server virtual - hosts (e.g. - <literal>services.nginx.virtualHosts.*.enableACME</literal>). + The <literal>firefox</literal> browser on + <literal>x86_64-linux</literal> now makes use of + profile-guided optimisation, resulting in a much more + responsive browsing experience. </para> </listitem> <listitem> <para> GNOME has been upgraded to 42. Please take a look at their <link xlink:href="https://release.gnome.org/42/">Release - Notes</link> for details. Notably, it replaces gedit with - GNOME Text Editor, GNOME Terminal with GNOME Console (formerly - King’s Cross), and GNOME Screenshot with a tool built into the - Shell. - </para> - </listitem> - <listitem> - <para> - PHP 8.1 is now available + Notes</link> for details. In particular, it replaces gedit + with GNOME Text Editor, GNOME Terminal with GNOME Console + (formerly King’s Cross) and GNOME Screenshot by a tool + integrated into the Shell. </para> </listitem> <listitem> <para> - Mattermost has been updated to extended support release 6.3, - as the previously packaged extended support release 5.37 is - <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching - its end of life</link>. Migrations may take a while, see the - <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> - and - <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important - upgrade notes</link>. + PHP 8.1 is now available. </para> </listitem> <listitem> @@ -75,21 +57,22 @@ </listitem> <listitem> <para> - The new - <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook"><literal>postgresqlTestHook</literal></link> - runs a PostgreSQL server for the duration of package checks. + Pulseaudio has been updated to version 15.0 and now optionally + <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters">supports + additional Bluetooth audio codecs</link> such as aptX or LDAC, + with codec switching available in + <literal>pavucontrol</literal>. This feature is disabled by + default, but can be enabled with the option + <literal>hardware.pulseaudio.package = pkgs.pulseaudioFull;</literal>. + Existing third-party modules that offered similar functions, + such as <literal>pulseaudio-modules-bt</literal> or + <literal>pulseaudio-hsphfpd</literal>, are obsolete and have + been removed. </para> </listitem> <listitem> <para> - <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> - defaults to 1.22.4, which will enable - <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance - Metadata Service Version 2</link> and require tokens on new - clusters with Kubernetes 1.22. This will increase security by - default, but may break some types of workloads. See the - <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">release - notes</link> for details. + PostgreSQL now defaults to major version 14. </para> </listitem> <listitem> @@ -108,6 +91,24 @@ default. </para> </listitem> + <listitem> + <para> + The GNOME and Plasma installation CDs now use + <literal>pkgs.calamares</literal> and + <literal>pkgs.calamares-nixos-extensions</literal> to allow + users to easily install and set up NixOS with a GUI. + </para> + </listitem> + <listitem> + <para> + <literal>security.acme.defaults</literal> has been added to + simplify the configuration of settings for many certificates + at once. This also opens up the option to use DNS-01 + validation when using <literal>enableACME</literal> web server + virtual hosts (e.g. + <literal>services.nginx.virtualHosts.*.enableACME</literal>). + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-new-services"> @@ -115,6 +116,16 @@ <itemizedlist> <listitem> <para> + <link xlink:href="https://1password.com/">1password</link>, + command-lines and graphic interface for 1Password. Available + as + <link linkend="opt-programs._1password.enable">programs._1password</link> + and + <link linkend="opt-programs._1password.enable">programs._1password-gui</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>, the Intel SGX Architectural Enclave Service Manager. Available as @@ -123,39 +134,109 @@ </listitem> <listitem> <para> - <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless - Docker</link>, a <literal>systemd --user</literal> Docker - service which runs without root permissions. Available as - <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, + a very simple server for the Gemini hypertext protocol. + Available as + <link linkend="opt-services.agate.enable">services.agate</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://conduit.rs/">matrix-conduit</link>, - a simple, fast and reliable chat server powered by matrix. - Available as - <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, + a kernel module for mounting the Apple File System (APFS). </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>, - listen to your network traffic. Available as - <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>. + <link xlink:href="https://gitlab.com/DarkElvenAngel/argononed">argonone</link>, + a replacement daemon for the Raspberry Pi Argon One power + button and cooler. Available at + <link xlink:href="options.html#opt-services.hardware.argonone.enable">services.hardware.argonone</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, - a lightweight shipper for forwarding and centralizing log - data. Available as - <link linkend="opt-services.filebeat.enable">services.filebeat</link>. + <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, + a C# application with primary purpose of idling Steam cards + from multiple accounts simultaneously. Available as + <link linkend="opt-services.archisteamfarm.enable">services.archisteamfarm</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, - a kernel module for mounting the Apple File System (APFS). + <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, + a lightweight NuGet and symbol server. Available at + <link linkend="opt-services.baget.enable">services.baget</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/xddxdd/bird-lg-go">bird-lg</link>, + a BGP looking glass for Bird Routing. Available as + <link linkend="opt-services.bird-lg.package">services.bird-lg</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. Available as + <link linkend="opt-services.blocky.enable">services.blocky</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/kissgyorgy/cloudflare-dyndns">cloudflare-dyndns</link>, + CloudFlare Dynamic DNS client. Available as + <link linkend="opt-services.cloudflare-dyndns.enable">services.cloudflare-dyndns</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://corosync.github.io/corosync/">Corosync</link> + and + <link xlink:href="https://clusterlabs.org/pacemaker/">Pacemaker</link>, + A open-source high availability resource manager. Available as + <link linkend="opt-services.corosync.enable">services.corosync</link> + and + <link linkend="opt-services.pacemaker.enable">services.pacemaker</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/lakinduakash/linux-wifi-hotspot">create_ap</link>, + a module for creating wifi hotspots using the program + linux-wifi-hotspot. Available as + <link linkend="opt-services.create_ap.enable">services.create_ap</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.envoyproxy.io/">Envoy</link>, a + high-performance reverse proxy. Available as + <link linkend="opt-services.envoy.enable">services.envoy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ergo.chat">ergochat</link>, a modern + IRC with IRCv3 features. Available as + <link linkend="opt-services.ergochat.enable">services.ergochat</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, + an online collaborative spreadsheet. Available as + <link linkend="opt-services.ethercalc.enable">services.ethercalc</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, + a lightweight shipper for forwarding and centralizing log + data. Available as + <link linkend="opt-services.filebeat.enable">services.filebeat</link>. </para> </listitem> <listitem> @@ -163,42 +244,46 @@ <link xlink:href="https://frrouting.org/">FRRouting</link>, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as - <link linkend="opt-services.frr.babel.enable">services.frr</link> + <link linkend="opt-services.frr.babel.enable">services.frr</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, - a bouncer-style Matrix IRC bridge. Available as - <link xlink:href="options.html#opt-services.heisenbridge.enable">services.heisenbridge</link>. + <link xlink:href="https://grafana.com/oss/mimir/">Grafana + Mimir</link>, an open source, horizontally scalable, highly + available, multi-tenant, long-term storage for Prometheus. + Available as + <link linkend="opt-services.mimir.enable">services.mimir</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, - a system to defeat internet censorship. Available as - <link xlink:href="options.html#opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. + <link xlink:href="https://hastebin.com/about.md">Haste</link>, + a pastebin written in node.js. Available as + <link linkend="opt-services.haste-server.enable">services.haste</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://ergo.chat">ergochat</link>, a modern - IRC with IRCv3 features. Available as - <link xlink:href="options.html#opt-services.ergochat.enable">services.ergochat</link>. + <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, + an Open Source implementation of the + <link xlink:href="https://tailscale.io">Tailscale</link> + Control Server. Available as + <link linkend="opt-services.headscale.enable">services.headscale</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, - a web interface for the PowerDNS server. Available at - <link xlink:href="options.html#opt-services.powerdns-admin.enable">services.powerdns-admin</link>. + <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, + a bouncer-style Matrix IRC bridge. Available as + <link linkend="opt-services.heisenbridge.enable">services.heisenbridge</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, - an admin interface for the PostgreSQL database. Available at - <link xlink:href="options.html#opt-services.pgadmin.enable">services.pgadmin</link>. + <link xlink:href="https://github.com/aarond10/https_dns_proxy">https-dns-proxy</link>, + DNS to DNS over HTTPS (DoH) proxy. Available as + <link linkend="opt-services.https-dns-proxy.enable">services.https-dns-proxy</link>. </para> </listitem> <listitem> @@ -206,7 +291,7 @@ <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>, an easy to use tool to change the mapping of your input device buttons. Available at - <link xlink:href="options.html#opt-services.input-remapper.enable">services.input-remapper</link>. + <link linkend="opt-services.input-remapper.enable">services.input-remapper</link>. </para> </listitem> <listitem> @@ -214,101 +299,133 @@ <link xlink:href="https://invoiceplane.com">InvoicePlane</link>, web application for managing and creating invoices. Available at - <link xlink:href="options.html#opt-services.invoiceplane.enable">services.invoiceplane</link>. + <link linkend="opt-services.invoiceplane.sites._name_.enable">services.invoiceplane</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://maddy.email">maddy</link>, a - composable all-in-one mail server. Available as - <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>. + <link xlink:href="https://userbase.kde.org/K3b">k3b</link>, + the KDE disk burning application. Available as + <link linkend="opt-programs.k3b.enable">programs.k3b</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://www.scorchworks.com/K40whisperer/k40whisperer.html">K40-Whisperer</link>, a program to control cheap Chinese laser cutters. Available as - <link xlink:href="options.html#opt-programs.k4-whisperer.enable">programs.k40-whisperer.enable</link>. + <link linkend="opt-programs.k40-whisperer.enable">programs.k40-whisperer.enable</link>. Users must add themselves to the <literal>k40</literal> group to be able to access the device. </para> </listitem> <listitem> <para> + <link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>, + an identity management server written in Rust. Available as + <link linkend="opt-services.kanidm.enableServer">services.kanidm</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://maddy.email/">Maddy</link>, a free + an open source mail server. Availabe as + <link linkend="opt-services.maddy.enable">services.maddy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://conduit.rs/">matrix-conduit</link>, + a simple, fast and reliable chat server powered by matrix. + Available as + <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://moosefs.com">Moosefs</link>, fault + tolerant petabyte distributed file system. Available as + <link linkend="opt-services.moosefs.master.enable">moosefs</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/mozilla-mobile/mozilla-vpn-client">mozillavpn</link>, the client for the <link xlink:href="https://vpn.mozilla.org/">Mozilla VPN</link> service. Available as - <link xlink:href="options.html#opt-services.mozillavpn">services.mozillavpn</link>. + <link linkend="opt-services.mozillavpn.enable">services.mozillavpn</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>, a Prometheus exporter for mtr metrics. Available as - <link xlink:href="options.html#opt-services.mtr-exporter.enable">services.mtr-exporter</link>. + <link linkend="opt-services.mtr-exporter.enable">services.mtr-exporter</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, - a tool that exposes information from the Proxmox VE API for - use by Prometheus. Available as - <link xlink:href="options.html#opt-services.prometheus.exporters.pve">services.prometheus.exporters.pve</link>. + <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a + Network Block Device server. Available as + <link linkend="opt-services.nbd.server.enable">services.nbd</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://github.com/netbox-community/netbox">netbox</link>, infrastructure resource modeling (IRM) tool. Available as - <link xlink:href="options.html#opt-services.netbox.enable">services.netbox</link>. + <link linkend="opt-services.netbox.enable">services.netbox</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://tetrd.app">tetrd</link>, share your - internet connection from your device to your PC and vice versa - through a USB cable. Available at - <link linkend="opt-services.tetrd.enable">services.tetrd</link>. + <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>, + listen to your network traffic. Available as + <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, - a very simple server for the Gemini hypertext protocol. - Available as - <link xlink:href="options.html#opt-services.agate.enable">services.agate</link>. + <link xlink:href="https://nifi.apache.org">nifi</link>, an + easy to use, powerful, and reliable system to process and + distribute data. Available as + <link linkend="opt-services.nifi.enable">services.nifi</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, - a C# application with primary purpose of idling Steam cards - from multiple accounts simultaneously. Available as - <link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>. + <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>, + Run unpatched dynamic binaries on NixOS. Available as + <link linkend="opt-programs.nix-ld.enable">programs.nix-ld</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://goteleport.com">teleport</link>, - allows engineers and security professionals to unify access - for SSH servers, Kubernetes clusters, web applications, and - databases across all environments. Available at - <link linkend="opt-services.teleport.enable">services.teleport</link>. + <link xlink:href="http://www.nncpgo.org">NNCP</link>, NNCP + (Node to Node copy) utilities and configuration, Available as + <link linkend="opt-programs.nncp.enable">programs.nncp</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, - a lightweight NuGet and symbol server. Available at - <link linkend="opt-services.baget.enable">services.baget</link>. + <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, + an admin interface for the PostgreSQL database. Available at + <link linkend="opt-services.pgadmin.enable">services.pgadmin</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://moosefs.com">moosefs</link>, fault - tolerant petabyte distributed file system. Available as - <link linkend="opt-services.moosefs.client.enable">moosefs</link>. + <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, + a web interface for the PowerDNS server. Available at + <link linkend="opt-services.powerdns-admin.enable">services.powerdns-admin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, + a tool that exposes information from the Proxmox VE API for + use by Prometheus. Available as + <link linkend="opt-services.prometheus.exporters.pve.enable">services.prometheus.exporters.pve</link>. </para> </listitem> <listitem> @@ -320,88 +437,145 @@ </listitem> <listitem> <para> - <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, - allow system level notifications to reach the users. Available + <link xlink:href="https://public-inbox.org">Public + Inbox</link>, an <quote>archives first</quote> approach to + mailing lists. Available as + <link linkend="opt-services.public-inbox.enable">services.public-inbox</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/fleaz/r53-ddns">r53-ddns</link>, + a small tool to run your own DDNS service via AWS Route53. + Available as + <link linkend="opt-services.r53-ddns.enable">services.r53-ddns</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ddvk.github.io/rmfakecloud/">rmfakecloud</link>, + a clone of the cloud sync the remarkable tablet. Available as + <link linkend="opt-services.rmfakecloud.enable">services.rmfakecloud</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless + Docker</link>, a <literal>systemd --user</literal> Docker + service which runs without root permissions. Available as + <link linkend="opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, + a browser-based version of the RStudio IDE for the R + programming language. Available as + <link linkend="opt-services.rstudio-server.enable">services.rstudio-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/aler9/rtsp-simple-server">rtsp-simple-server</link>, + ready-to-use RTSP / RTMP / HLS server and proxy that allows to + read, publish and proxy video and audio streams. Available as + <link linkend="opt-services.rtsp-simple-server.enable">services.rtsp-simple-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://snipeitapp.com">Snipe-IT</link>, a + free open source IT asset/license management system. Available as - <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. - Please keep in mind that this service should only be enabled - on machines with fully trusted users, as any local user is - able to DoS user sessions by spamming notifications. + <link linkend="opt-services.snipe-it.enable">services.snipe-it</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, - an online collaborative spreadsheet. Available as - <link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>. + <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, + a system to defeat internet censorship. Available as + <link linkend="opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a - Network Block Device server. Available as - <link xlink:href="options.html#opt-services.nbd.server.enable">services.nbd</link>. + <link xlink:href="https://sslmate.com/">sslmate-agent</link>, + a daemon for managing SSL/TLS certificates on a server. + Available as + <link xlink:href="services.sslmate-agent.enable">services.sslmate-agent</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>, - Run unpatched dynamic binaries on NixOS. Available as - <link xlink:href="options.html#opt-programs.nix-ld.enable">programs.nix-ld</link>. + <link xlink:href="https://starship.rs">starship</link>, a + minimal, blazing-fast, and infinitely customizable prompt for + any shell. Available at + <link linkend="opt-programs.starship.enable">programs.startship</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://timetagger.app">timetagger</link>, - an open source time-tracker with an intuitive user experience - and powerful reporting. - <link xlink:href="options.html#opt-services.timetagger.enable">services.timetagger</link>. + <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, + allow system level notifications to reach the users. Available + as + <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. + Please keep in mind that this service should only be enabled + on machines with fully trusted users, as any local user is + able to DoS user sessions by spamming notifications. </para> </listitem> <listitem> <para> - <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, - a browser-based version of the RStudio IDE for the R - programming language. Available as - <link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>. + <link xlink:href="https://goteleport.com">teleport</link>, + allows engineers and security professionals to unify access + for SSH servers, Kubernetes clusters, web applications, and + databases across all environments. Available at + <link linkend="opt-services.teleport.enable">services.teleport</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, - an Open Source implementation of the - <link xlink:href="https://tailscale.io">Tailscale</link> - Control Server. Available as - <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> + <link xlink:href="https://tetrd.app">tetrd</link>, share your + internet connection from your device to your PC and vice versa + through a USB cable. Available at + <link linkend="opt-services.tetrd.enable">services.tetrd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/lakinduakash/linux-wifi-hotspot">create_ap</link>, - a module for creating wifi hotspots using the program - linux-wifi-hotspot. Available as - <link xlink:href="options.html#opt-services.create_ap.enable">services.create_ap</link>. + <link xlink:href="https://upterm.dev">uptermd</link>, an + open-source solution for sharing terminal sessions instantly + over the public internet via secure tunnels. Available at + <link linkend="opt-services.uptermd.enable">services.uptermd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, - fast and lightweight DNS proxy as ad-blocker for local network - with many features. + <link xlink:href="https://github.com/darrylb123/usbrelay">usbrelayd</link>, + an USB Relay MQTT daemon. Available as + <link linkend="opt-services.usbrelayd.enable">services.usbrelayd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://clusterlabs.org/pacemaker/">pacemaker</link> - cluster resource manager + <link xlink:href="https://github.com/miquels/webdav-server-rs">webdav-server-rs</link>, + Webdav server in rust. Available as + <link linkend="opt-services.webdav-server-rs.enable">services.webdav-server-rs</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://nifi.apache.org">nifi</link>, an - easy to use, powerful, and reliable system to process and - distribute data. Available as - <link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>. + <link xlink:href="https://github.com/gin66/wg_netmanager">wg-netmanager</link>, + the Wireguard network manager. Available as + <link linkend="opt-services.wg-netmanager.enable">services.wg-netmanager</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://zammad.org/">Zammad</link>, a + web-based, open source user support/ticketing solution. + Available as + <link linkend="opt-services.zammad.enable">services.zammad</link>. </para> </listitem> </itemizedlist> @@ -445,6 +619,15 @@ </listitem> <listitem> <para> + The update of the haskell package set brings with it a new + version of the <literal>xmonad</literal> module, which will + break your configuration if you use <literal>launch</literal> + as entrypoint. The example code the corresponding nixos module + was adjusted, you may want to have a look at it. + </para> + </listitem> + <listitem> + <para> The <literal>home-assistant</literal> module now requires users that don’t want their configuration to be managed declaratively to set @@ -473,6 +656,50 @@ </listitem> <listitem> <para> + The configuration and state directories used by + <literal>nixos-containers</literal> have been moved from + <literal>/etc/containers</literal> and + <literal>/var/lib/containers</literal> to + <literal>/etc/nixos-containers</literal> and + <literal>/var/lib/nixos-containers</literal>. + </para> + <para> + If you are changing <literal>system.stateVersion</literal> to + <literal>"22.05"</literal> manually on an existing + system you are responsible for migrating these directories + yourself. + </para> + <para> + This is to improve compatibility with + <literal>libcontainer</literal> based software such as Podman + and Skopeo which assumes they have ownership over + <literal>/etc/containers</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>lib.systems.supported</literal> has been removed, as + it was overengineered for determining the systems to support + in the nixpkgs flake. The list of systems exposed by the + nixpkgs flake can now be accessed as + <literal>lib.systems.flakeExposed</literal>. + </para> + </listitem> + <listitem> + <para> + For new installations + <literal>virtualisation.oci-containers.backend</literal> is + now set to <literal>podman</literal> by default. If you still + want to use Docker on systems where + <literal>system.stateVersion</literal> is set to to + <literal>"22.05"</literal> set + <literal>virtualisation.oci-containers.backend = "docker";</literal>.Old + systems with older <literal>stateVersion</literal>s stay with + <quote>docker</quote>. + </para> + </listitem> + <listitem> + <para> <literal>security.klogd</literal> was removed. Logging of kernel messages is handled by systemd since Linux 3.5. </para> @@ -566,6 +793,25 @@ </listitem> <listitem> <para> + <literal>openldap</literal> (and therefore the slapd LDAP + server) were updated to version 2.6.2. The project introduced + backwards-incompatible changes, namely the removal of the bdb, + hdb, ndb, and shell backends in slapd. Therefore before + updating, dump your database <literal>slapcat -n 1</literal> + in LDIF format, and reimport it after updating your + <literal>services.openldap.settings</literal>, which + represents your <literal>cn=config</literal>. + </para> + <para> + Additionally with 2.5 the argon2 module was included in the + standard distrubtion and renamed from + <literal>pw-argon2</literal> to <literal>argon2</literal>. + Remember to update your <literal>olcModuleLoad</literal> entry + in <literal>cn=config</literal>. + </para> + </listitem> + <listitem> + <para> <literal>openssh</literal> has been update to 8.9p1, changing the FIDO security key middleware interface. </para> @@ -768,7 +1014,7 @@ }; extraConfigFiles = [ - /run/keys/matrix-synapse/secrets.yaml + "/run/keys/matrix-synapse/secrets.yaml" ]; }; } @@ -776,7 +1022,9 @@ <para> The secrets in your original config should be migrated into a YAML file that is included via - <literal>extraConfigFiles</literal>. + <literal>extraConfigFiles</literal>. The filename must be + quoted to prevent nix from copying it to the (world readable) + store. </para> <para> Additionally a few option defaults have been synced up with @@ -791,6 +1039,11 @@ to the new location if the <literal>stateVersion</literal> is updated. </para> + <para> + As of Synapse 1.58.0, the old groups/communities feature has + been disabled by default. It will be completely removed with + Synapse 1.61.0. + </para> </listitem> <listitem> <para> @@ -1070,6 +1323,16 @@ </listitem> <listitem> <para> + <literal>teleport</literal> has been upgraded to major version + 9. Please see upstream + <link xlink:href="https://goteleport.com/docs/setup/operations/upgrading/">upgrade + instructions</link> and + <link xlink:href="https://goteleport.com/docs/changelog/#900">release + notes</link>. + </para> + </listitem> + <listitem> + <para> For <literal>pkgs.python3.pkgs.ipython</literal>, its direct dependency <literal>pkgs.python3.pkgs.matplotlib-inline</literal> (which @@ -1266,7 +1529,7 @@ <literal>systemd-shutdown</literal> is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using - <literal>boot.systemd.shutdown.enable</literal>. + <literal>systemd.shutdownRamfs.enable</literal>. </para> </listitem> <listitem> @@ -1334,6 +1597,16 @@ </listitem> <listitem> <para> + <literal>services.zookeeper</literal> has a new option + <literal>jre</literal> for specifying the JRE to start + zookeeper with. It defaults to the JRE that + <literal>pkgs.zookeeper</literal> was wrapped with, instead of + <literal>pkgs.jre</literal>. This changes the JRE to + <literal>pkgs.jdk11_headless</literal> by default. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.pgadmin</literal> now refers to <literal>pkgs.pgadmin4</literal>. <literal>pgadmin3</literal> has been removed. @@ -1341,6 +1614,16 @@ </listitem> <listitem> <para> + <literal>pkgs.minetestclient_4</literal> and + <literal>pkgs.minetestserver_4</literal> have been removed, as + the last 4.x release was in 2018. + <literal>pkgs.minetestclient</literal> (equivalent to + <literal>pkgs.minetest</literal> ) and + <literal>pkgs.minetestserver</literal> can be used instead. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.noto-fonts-cjk</literal> is now deprecated in favor of <literal>pkgs.noto-fonts-cjk-sans</literal> and <literal>pkgs.noto-fonts-cjk-serif</literal> because they each @@ -1495,6 +1778,19 @@ </listitem> <listitem> <para> + The default version of <literal>nextcloud</literal> is + <emphasis role="strong">nextcloud24</emphasis>. Please note + that it’s <emphasis role="strong">not</emphasis> possible to + upgrade <literal>nextcloud</literal> across multiple major + versions! This means it’s e.g. not possible to upgrade from + <literal>nextcloud22</literal> to + <literal>nextcloud24</literal> in a single deploy and most + <literal>21.11</literal> users will have to upgrade to + <literal>nextcloud23</literal> first. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link> (formerly refers to @@ -1701,6 +1997,43 @@ </listitem> <listitem> <para> + <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> + defaults to 1.23.2, which will enable + <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance + Metadata Service Version 2</link> and require tokens on new + clusters with Kubernetes >= 1.22. This will increase + security by default, but may break some types of workloads. + The default behaviour for + <literal>spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS</literal> + has changed from <literal>true</literal> to + <literal>false</literal>. Cilium now has + <literal>disable-cnp-status-updates: true</literal> by + default. Set this to false if you rely on the + CiliumNetworkPolicy status fields. Support for Kubernetes + 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS + 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been + removed. See the + <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">1.22 + release notes</link> and + <link xlink:href="https://kops.sigs.k8s.io/releases/1.23-notes/">1.23 + release notes</link> for more details, including other + significant changes. + </para> + </listitem> + <listitem> + <para> + Mattermost has been upgraded to extended support version 6.3 + as the previously packaged extended support version 5.37 is + <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching + end of life</link>. Migration may take some time, see the + <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> + and + <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important + upgrade notes</link>. + </para> + </listitem> + <listitem> + <para> The <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal> and corresponding @@ -1746,6 +2079,59 @@ </listitem> <listitem> <para> + Mastodon now uses <literal>services.redis.servers</literal> to + start a new redis server, instead of using a global redis + server. This improves compatibility with other services that + use redis. + </para> + <para> + Note that this will recreate the redis database, although + according to the + <link xlink:href="https://docs.joinmastodon.org/admin/backups/">Mastodon + docs</link>, this is almost harmless: + </para> + <blockquote> + <para> + Losing the Redis database is almost harmless: The only + irrecoverable data will be the contents of the Sidekiq + queues and scheduled retries of previously failed jobs. The + home and list feeds are stored in Redis, but can be + regenerated with tootctl. + </para> + </blockquote> + <para> + If you do want to save the redis database, you can use the + following commands: + </para> + <programlisting language="bash"> +redis-cli save +cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" +</programlisting> + </listitem> + <listitem> + <para> + Peertube now uses services.redis.servers to start a new redis + server, instead of using a global redis server. This improves + compatibility with other services that use redis. + </para> + <para> + Redis database is used for storage only cache and job queue. + More information can be found here - + <link xlink:href="https://docs.joinpeertube.org/contribute-architecture">Peertube + architecture</link>. + </para> + <para> + If you do want to save the redis database, you can use the + following commands before upgrade OS: + </para> + <programlisting language="bash"> +redis-cli save +sudo mkdir /var/lib/redis-peertube +sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb +</programlisting> + </listitem> + <listitem> + <para> If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable <literal>NIXOS_OZONE_WL=1</literal> @@ -1917,13 +2303,6 @@ </listitem> <listitem> <para> - A new module was added for the Envoy reverse proxy, providing - the options <literal>services.envoy.enable</literal> and - <literal>services.envoy.settings</literal>. - </para> - </listitem> - <listitem> - <para> The option <literal>services.duplicati.dataDir</literal> has been added to allow changing the location of duplicati’s files. @@ -2119,15 +2498,6 @@ </listitem> <listitem> <para> - A new module was added for the - <link xlink:href="https://starship.rs/">Starship</link> shell - prompt, providing the options - <literal>programs.starship.enable</literal> and - <literal>programs.starship.settings</literal>. - </para> - </listitem> - <listitem> - <para> The <link xlink:href="https://dino.im">Dino</link> XMPP client was updated to 0.3, adding support for audio and video calls. </para> @@ -2174,6 +2544,14 @@ </listitem> <listitem> <para> + The <literal>phpPackages.box</literal> package has been + updated from 2.7.5 to 3.16.0. See the + <link xlink:href="https://github.com/box-project/box/blob/master/UPGRADE.md#from-27-to-30">upgrade + guide</link> for more details. + </para> + </listitem> + <listitem> + <para> The <literal>zrepl</literal> package has been updated from 0.4.0 to 0.5: </para> @@ -2272,6 +2650,14 @@ </listitem> <listitem> <para> + <literal>mercury</literal> was updated to 22.01.1, which has + some breaking changes + (<link xlink:href="https://dl.mercurylang.org/release/release-notes-22.01.html">Mercury + 22.01 news</link>). + </para> + </listitem> + <listitem> + <para> xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in @@ -2318,6 +2704,14 @@ </listitem> <listitem> <para> + The default <literal>scribus</literal> version is now 1.5, + while version 1.4 is still available as + <literal>scribus_1_4</literal> + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/172700">#172700</link>). + </para> + </listitem> + <listitem> + <para> The Nextcloud module now supports to create a Mysql database automatically with <literal>services.nextcloud.database.createLocally</literal> @@ -2326,6 +2720,16 @@ </listitem> <listitem> <para> + The Nextcloud module now allows setting the value of the + <literal>max-age</literal> directive of the + <literal>Strict-Transport-Security</literal> HTTP header, + which is now controlled by the + <literal>services.nextcloud.https</literal> option, rather + than <literal>services.nginx.recommendedHttpHeaders</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>spark3</literal> package has been updated from 3.1.2 to 3.2.1 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/160075">#160075</link>): @@ -2351,12 +2755,6 @@ </listitem> <listitem> <para> - The <literal>programs.nncp</literal> options were added for - generating host-global NNCP configuration. - </para> - </listitem> - <listitem> - <para> The option <literal>services.snapserver.openFirewall</literal> will no longer default to <literal>true</literal> starting with NixOS 22.11. Enable it explicitly if you need to control @@ -2364,6 +2762,61 @@ hosts. </para> </listitem> + <listitem> + <para> + The option + <link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link> + isn’t deprecated anymore. When using + <link xlink:href="options.html#opt-networking.useNetworkd"><literal>systemd-networkd</literal></link>, + a generic <literal>.network</literal>-unit is added which + enables DHCP for each interface matching + <literal>en*</literal>, <literal>eth*</literal> or + <literal>wl*</literal> with priority 99 (which means that it + doesn’t have any effect if such an interface is matched by a + <literal>.network-</literal>unit with a lower priority). In + case of scripted networking, no behavior was changed. + </para> + </listitem> + <listitem> + <para> + The new + <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook"><literal>postgresqlTestHook</literal></link> + runs a PostgreSQL server for the duration of package checks. + </para> + </listitem> + <listitem> + <para> + <literal>zfs</literal> was updated from 2.1.4 to 2.1.5, + enabling it to be used with Linux kernel 5.18. + </para> + </listitem> + <listitem> + <para> + <literal>stdenv.mkDerivation</literal> now supports a + self-referencing <literal>finalAttrs:</literal> parameter + containing the final <literal>mkDerivation</literal> arguments + including overrides. <literal>drv.overrideAttrs</literal> now + supports two parameters + <literal>finalAttrs: previousAttrs:</literal>. This allows + packaging configuration to be overridden in a consistent + manner by providing an alternative to + <literal>rec {}</literal> syntax. + </para> + <para> + Additionally, <literal>passthru</literal> can now reference + <literal>finalAttrs.finalPackage</literal> containing the + final package, including attributes such as the output paths + and <literal>overrideAttrs</literal>. + </para> + <para> + New language integrations can be simplified by overriding a + <quote>prototype</quote> package containing the + language-specific logic. This removes the need for a extra + layer of overriding for the <quote>generic builder</quote> + arguments, thus removing a usability problem and source of + error. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml new file mode 100644 index 00000000000..4072a6f88c9 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -0,0 +1,327 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.11"> + <title>Release 22.11 (“Raccoon”, 2022.11/??)</title> + <para> + Support is planned until the end of June 2023, handing over to + 23.05. + </para> + <section xml:id="sec-release-22.11-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + During cross-compilation, tests are now executed if the test + suite can be executed by the build platform. This is the case + when doing “native” cross-compilation where the build and host + platforms are largely the same, but the nixpkgs’ cross + compilation infrastructure is used, e.g. + <literal>pkgsStatic</literal> and <literal>pkgsLLVM</literal>. + Another possibility is that the build platform is a superset + of the host platform, e.g. when cross-compiling from + <literal>x86_64-unknown-linux</literal> to + <literal>i686-unknown-linux</literal>. The predicate gating + test suite execution is the newly added + <literal>canExecute</literal> predicate: You can e.g. check if + <literal>stdenv.buildPlatform</literal> can execute binaries + built for <literal>stdenv.hostPlatform</literal> (i.e. + produced by <literal>stdenv.cc</literal>) by evaluating + <literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>nixpkgs.hostPlatform</literal> and + <literal>nixpkgs.buildPlatform</literal> options have been + added. These cover and override the + <literal>nixpkgs.{system,localSystem,crossSystem}</literal> + options. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>hostPlatform</literal> is the platform or + <quote><literal>system</literal></quote> string of the + NixOS system described by the configuration. + </para> + </listitem> + <listitem> + <para> + <literal>buildPlatform</literal> is the platform that is + responsible for building the NixOS configuration. It + defaults to the <literal>hostPlatform</literal>, for a + non-cross build configuration. To cross compile, set + <literal>buildPlatform</literal> to a different value. + </para> + </listitem> + </itemizedlist> + <para> + The new options convey the same information, but with fewer + options, and following the Nixpkgs terminology. + </para> + <para> + The existing options + <literal>nixpkgs.{system,localSystem,crossSystem}</literal> + have not been formally deprecated, to allow for evaluation of + the change and to allow for a transition period so that in + time the ecosystem can switch without breaking compatibility + with any supported NixOS release. + </para> + </listitem> + <listitem> + <para> + <literal>nixos-generate-config</literal> now generates + configurations that can be built in pure mode. This is + achieved by setting the new + <literal>nixpkgs.hostPlatform</literal> option. + </para> + <para> + You may have to unset the <literal>system</literal> parameter + in <literal>lib.nixosSystem</literal>, or similarly remove + definitions of the + <literal>nixpkgs.{system,localSystem,crossSystem}</literal> + options. + </para> + <para> + Alternatively, you can remove the + <literal>hostPlatform</literal> line and use NixOS like you + would in NixOS 22.05 and earlier. + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 8.1, updated from 8.0. + </para> + </listitem> + <listitem> + <para> + <literal>hardware.nvidia</literal> has a new option + <literal>open</literal> that can be used to opt in the + opensource version of NVIDIA kernel driver. Note that the + driver’s support for GeForce and Workstation GPUs is still + alpha quality, see + <link xlink:href="https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/">NVIDIA + Releases Open-Source GPU Kernel Modules</link> for the + official announcement. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.11-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://github.com/jollheef/appvm">appvm</link>, + Nix based app VMs. Available as + <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://dragonflydb.io/">dragonflydb</link>, + a modern replacement for Redis and Memcached. Available as + <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>, + a hardware True Random Number Generator dongle. Available as + <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>, + a daemon to add virtual proxy devices that mirror a physical + input device but persist even if the underlying hardware is + hot-plugged. Available as + <link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://schleuder.org/">schleuder</link>, a + mailing list manager with PGP support. Enable using + <link linkend="opt-services.schleuder.enable">services.schleuder</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.expressvpn.com">expressvpn</link>, + the CLI client for ExpressVPN. Available as + <link linkend="opt-services.expressvpn.enable">services.expressvpn</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.11-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + The <literal>isCompatible</literal> predicate checking CPU + compatibility is no longer exposed by the platform sets + generated using <literal>lib.systems.elaborate</literal>. In + most cases you will want to use the new + <literal>canExecute</literal> predicate instead which also + considers the kernel / syscall interface. It is briefly + described in the release’s + <link linkend="sec-release-22.11-highlights">highlights + section</link>. + <literal>lib.systems.parse.isCompatible</literal> still + exists, but has changed semantically: Architectures with + differing endianness modes are <emphasis>no longer considered + compatible</emphasis>. + </para> + </listitem> + <listitem> + <para> + <literal>ngrok</literal> has been upgraded from 2.3.40 to + 3.0.4. Please see + <link xlink:href="https://ngrok.com/docs/guides/upgrade-v2-v3">the + upgrade guide</link> and + <link xlink:href="https://ngrok.com/docs/ngrok-agent/changelog">changelog</link>. + Notably, breaking changes are that the config file format has + changed and support for single hypen arguments was dropped. + </para> + </listitem> + <listitem> + <para> + <literal>i18n.supportedLocales</literal> is now by default + only generated with the locales set in + <literal>i18n.defaultLocale</literal> and + <literal>i18n.extraLocaleSettings</literal>. This got + partially copied over from the minimal profile and reduces the + final system size by up to 200MB. If you require all locales + installed set the option to + <literal>[ "all" ]</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>isPowerPC</literal> predicate, found on + <literal>platform</literal> attrsets + (<literal>hostPlatform</literal>, + <literal>buildPlatform</literal>, + <literal>targetPlatform</literal>, etc) has been removed in + order to reduce confusion. The predicate was was defined such + that it matches only the 32-bit big-endian members of the + POWER/PowerPC family, despite having a name which would imply + a broader set of systems. If you were using this predicate, + you can replace <literal>foo.isPowerPC</literal> with + <literal>(with foo; isPower && is32bit && isBigEndian)</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>bsp-layout</literal> no longer uses the command + <literal>cycle</literal> to switch to other window layouts, as + it got replaced by the commands <literal>previous</literal> + and <literal>next</literal>. + </para> + </listitem> + <listitem> + <para> + The Barco ClickShare driver/client package + <literal>pkgs.clickshare-csc1</literal> and the option + <literal>programs.clickshare-csc1.enable</literal> have been + removed, as it requires <literal>qt4</literal>, which reached + its end-of-life 2015 and will no longer be supported by + nixpkgs. + <link xlink:href="https://www.barco.com/de/support/knowledge-base/4380-can-i-use-linux-os-with-clickshare-base-units">According + to Barco</link> many of their base unit models can be used + with Google Chrome and the Google Cast extension. + </para> + </listitem> + <listitem> + <para> + PHP 7.4 is no longer supported due to upstream not supporting + this version for the entire lifecycle of the 22.11 release. + </para> + </listitem> + <listitem> + <para> + riak package removed along with + <literal>services.riak</literal> module, due to lack of + maintainer to update the package. + </para> + </listitem> + <listitem> + <para> + (Neo)Vim can not be configured with + <literal>configure.pathogen</literal> anymore to reduce + maintainance burden. Use <literal>configure.packages</literal> + instead. + </para> + </listitem> + <listitem> + <para> + <literal>k3s</literal> no longer supports docker as runtime + due to upstream dropping support. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.11-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The <literal>xplr</literal> package has been updated from + 0.18.0 to 0.19.0, which brings some breaking changes. See the + <link xlink:href="https://github.com/sayanarijit/xplr/releases/tag/v0.19.0">upstream + release notes</link> for more details. + </para> + </listitem> + <listitem> + <para> + A new module was added for the Saleae Logic device family, + providing the options + <literal>hardware.saleae-logic.enable</literal> and + <literal>hardware.saleae-logic.package</literal>. + </para> + </listitem> + <listitem> + <para> + Matrix Synapse now requires entries in the + <literal>state_group_edges</literal> table to be unique, in + order to prevent accidentally introducing duplicate + information (for example, because a database backup was + restored multiple times). If your Synapse database already has + duplicate rows in this table, this could fail with an error + and require manual remediation. + </para> + </listitem> + <listitem> + <para> + memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. + It is now the upstream version from https://www.memtest.org/, + as coreboot’s fork is no longer available. + </para> + </listitem> + <listitem> + <para> + There is a new module for the <literal>thunar</literal> + program (the Xfce file manager), which depends on the + <literal>xfconf</literal> dbus service, and also has a dbus + service and a systemd unit. The option + <literal>services.xserver.desktopManager.xfce.thunarPlugins</literal> + has been renamed to + <literal>programs.thunar.plugins</literal>, and in a future + release it may be removed. + </para> + </listitem> + <listitem> + <para> + There is a new module for the <literal>xfconf</literal> + program (the Xfce configuration storage system), which has a + dbus service. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixos/doc/manual/installation/installing-from-other-distro.section.md index d9060eb89c3..fa8806f791d 100644 --- a/nixos/doc/manual/installation/installing-from-other-distro.section.md +++ b/nixos/doc/manual/installation/installing-from-other-distro.section.md @@ -177,7 +177,7 @@ The first steps to all these are the same: was probably single user): ```ShellSession - $ sudo chown -R 0.0 /nix + $ sudo chown -R 0:0 /nix ``` 1. Set up the `/etc/NIXOS` and `/etc/NIXOS_LUSTRATE` files: diff --git a/nixos/doc/manual/installation/installing-kexec.section.md b/nixos/doc/manual/installation/installing-kexec.section.md new file mode 100644 index 00000000000..286cbbda6a6 --- /dev/null +++ b/nixos/doc/manual/installation/installing-kexec.section.md @@ -0,0 +1,64 @@ +# "Booting" into NixOS via kexec {#sec-booting-via-kexec} + +In some cases, your system might already be booted into/preinstalled with +another Linux distribution, and booting NixOS by attaching an installation +image is quite a manual process. + +This is particularly useful for (cloud) providers where you can't boot a custom +image, but get some Debian or Ubuntu installation. + +In these cases, it might be easier to use `kexec` to "jump into NixOS" from the +running system, which only assumes `bash` and `kexec` to be installed on the +machine. + +Note that kexec may not work correctly on some hardware, as devices are not +fully re-initialized in the process. In practice, this however is rarely the +case. + +To build the necessary files from your current version of nixpkgs, +you can run: + +```ShellSession +nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>' +``` + +This will create a `result` directory containing the following: + - `bzImage` (the Linux kernel) + - `initrd` (the initrd file) + - `kexec-boot` (a shellscript invoking `kexec`) + +These three files are meant to be copied over to the other already running +Linux Distribution. + +Note it's symlinks pointing elsewhere, so `cd` in, and use +`scp * root@$destination` to copy it over, rather than rsync. + +Once you finished copying, execute `kexec-boot` *on the destination*, and after +some seconds, the machine should be booting into an (ephemeral) NixOS +installation medium. + +In case you want to describe your own system closure to kexec into, instead of +the default installer image, you can build your own `configuration.nix`: + +```nix +{ modulesPath, ... }: { + imports = [ + (modulesPath + "/installer/netboot/netboot-minimal.nix") + ]; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "my-ssh-pubkey" + ]; +} +``` + + +```ShellSession +nix-build '<nixpkgs/nixos>' \ + --arg configuration ./configuration.nix + --attr config.system.build.kexecTree +``` + +Make sure your `configuration.nix` does still import `netboot-minimal.nix` (or +`netboot-base.nix`). diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md index 8a46d68ae3b..7e830f8e458 100644 --- a/nixos/doc/manual/installation/installing.chapter.md +++ b/nixos/doc/manual/installation/installing.chapter.md @@ -476,6 +476,7 @@ With a partitioned disk. ```{=docbook} <xi:include href="installing-usb.section.xml" /> <xi:include href="installing-pxe.section.xml" /> +<xi:include href="installing-kexec.section.xml" /> <xi:include href="installing-virtualbox-guest.section.xml" /> <xi:include href="installing-from-other-distro.section.xml" /> <xi:include href="installing-behind-a-proxy.section.xml" /> diff --git a/nixos/doc/manual/installation/upgrading.chapter.md b/nixos/doc/manual/installation/upgrading.chapter.md index faeefc4451d..2644979bc9d 100644 --- a/nixos/doc/manual/installation/upgrading.chapter.md +++ b/nixos/doc/manual/installation/upgrading.chapter.md @@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated automatically from NixOS's Git repository after certain tests have passed and all packages have been built. These channels are: -- *Stable channels*, such as [`nixos-21.11`](https://nixos.org/channels/nixos-21.11). +- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05). These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not @@ -19,7 +19,7 @@ passed and all packages have been built. These channels are: radical changes between channel updates. It's not recommended for production systems. -- *Small channels*, such as [`nixos-21.11-small`](https://nixos.org/channels/nixos-21.11-small) +- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small) or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small). These are identical to the stable and unstable channels described above, except that they contain fewer binary packages. This means they get updated @@ -38,8 +38,8 @@ newest supported stable release. When you first install NixOS, you're automatically subscribed to the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 21.11 ISO, you will be subscribed to -the `nixos-21.11` channel. To see which NixOS channel you're subscribed +instance, if you installed from a 22.05 ISO, you will be subscribed to +the `nixos-22.05` channel. To see which NixOS channel you're subscribed to, run the following as root: ```ShellSession @@ -54,16 +54,16 @@ To switch to a different NixOS channel, do ``` (Be sure to include the `nixos` parameter at the end.) For instance, to -use the NixOS 21.11 stable channel: +use the NixOS 22.05 stable channel: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos ``` If you have a server, you may want to use the "small" channel instead: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos ``` And if you want to live on the bleeding edge: @@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel modules. You can also specify a channel explicitly, e.g. ```nix -system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11; +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; ``` diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index 216fea67775..ee5009faf6f 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> + <xi:include href="../from_md/release-notes/rl-2211.section.xml" /> <xi:include href="../from_md/release-notes/rl-2205.section.xml" /> <xi:include href="../from_md/release-notes/rl-2111.section.xml" /> <xi:include href="../from_md/release-notes/rl-2105.section.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 310d32cfdd7..e673d6721a3 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -166,7 +166,7 @@ In addition to numerous new and upgraded packages, this release has the followin ## Backward Incompatibilities {#sec-release-21.11-incompatibilities} -- The NixOS VM test framework, `pkgs.nixosTest`/`make-test-python.nix`, now requires detaching commands such as `succeed("foo &")` and `succeed("foo | xclip -i")` to close stdout. +- The NixOS VM test framework, `pkgs.nixosTest`/`make-test-python.nix` (`pkgs.testers.nixosTest` since 22.05), now requires detaching commands such as `succeed("foo &")` and `succeed("foo | xclip -i")` to close stdout. This can be done with a redirect such as `succeed("foo >&2 &")`. This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, including `execute`, `succeed`, `fail`, `wait_until_succeeds`, `wait_until_fails`. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 16c59ce3ddd..e83a7cd43b8 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -1,119 +1,177 @@ -# Release 22.05 (“Quokka”, 2022.05/??) {#sec-release-22.05} - -In addition to numerous new and upgraded packages, this release has the following highlights: +# Release 22.05 (“Quokka”, 2022.05/30) {#sec-release-22.05} - Support is planned until the end of December 2022, handing over to 22.11. ## Highlights {#sec-release-22.05-highlights} -- The `firefox` browser on `x86_64-linux` is now making use of - profile-guided optimization resulting in a much more responsive - browsing experience. +In addition to numerous new and upgraded packages, this release has the following highlights: -- `security.acme.defaults` has been added to simplify configuring - settings for many certificates at once. This also opens up the - the option to use DNS-01 validation when using `enableACME` on - web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`). +- Nix has been updated from 2.3 to 2.8. This mainly brings experimental support + for Flakes, but also marks the `nix` command as experimental which now has to + be enabled via the configuration explicitly. For more information and + instructions for upgrades, see the + relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html), + [nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html), + [nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html), + [nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and + [nix-2.8](https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html) -- GNOME has been upgraded to 42. Please take a look at their [Release Notes](https://release.gnome.org/42/) for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross), and GNOME Screenshot with a tool built into the Shell. +- The `firefox` browser on `x86_64-linux` now makes use of profile-guided + optimisation, resulting in a much more responsive browsing experience. -- PHP 8.1 is now available +- GNOME has been upgraded to 42. Please take a look at their [Release + Notes](https://release.gnome.org/42/) for details. In particular, it replaces + gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly + King's Cross) and GNOME Screenshot by a tool integrated into the Shell. -- Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is [reaching its end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). - Migrations may take a while, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) - and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). +- PHP 8.1 is now available. - systemd services can now set [systemd.services.\<name\>.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts. - Systemd has been upgraded to the version 250. -- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks. +- Pulseaudio has been updated to version 15.0 and now optionally + [supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters) + such as aptX or LDAC, with codec switching available in `pavucontrol`. This + feature is disabled by default, but can be enabled with the option + `hardware.pulseaudio.package = pkgs.pulseaudioFull;`. Existing third-party + modules that offered similar functions, such as `pulseaudio-modules-bt` or + `pulseaudio-hsphfpd`, are obsolete and have been removed. -- [`kops`](https://kops.sigs.k8s.io) defaults to 1.22.4, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes 1.22. This will increase security by default, but may break some types of workloads. See the [release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) for details. +- PostgreSQL now defaults to major version 14. - Module authors can use `mkRenamedOptionModuleWith` to automate the deprecation cycle without annoying out-of-tree module authors and their users. - The default GHC version has been updated from 8.10.7 to 9.0.2. `pkgs.haskellPackages` and `pkgs.ghc` will now use this version by default. +- The GNOME and Plasma installation CDs now use `pkgs.calamares` and `pkgs.calamares-nixos-extensions` to allow users to easily install and set up NixOS with a GUI. + +- `security.acme.defaults` has been added to simplify the configuration of + settings for many certificates at once. This also opens up the option to use + DNS-01 validation when using `enableACME` web server virtual hosts (e.g. + `services.nginx.virtualHosts.*.enableACME`). + ## New Services {#sec-release-22.05-new-services} +- [1password](https://1password.com/), command-lines and graphic interface for 1Password. Available as [programs._1password](#opt-programs._1password.enable) and [programs._1password-gui](#opt-programs._1password.enable). + - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). -- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable). +- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](#opt-services.agate.enable). -- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). +- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). -- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable). +- [argonone](https://gitlab.com/DarkElvenAngel/argononed), a replacement daemon for the Raspberry Pi Argon One power button and cooler. Available at [services.hardware.argonone](options.html#opt-services.hardware.argonone.enable). + +- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](#opt-services.archisteamfarm.enable). + +- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). + +- [bird-lg](https://github.com/xddxdd/bird-lg-go), a BGP looking glass for Bird Routing. Available as [services.bird-lg](#opt-services.bird-lg.package). + +- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as [services.blocky](#opt-services.blocky.enable). + +- [cloudflare-dyndns](https://github.com/kissgyorgy/cloudflare-dyndns), CloudFlare Dynamic DNS client. Available as [services.cloudflare-dyndns](#opt-services.cloudflare-dyndns.enable). + +- [Corosync](https://corosync.github.io/corosync/) and [Pacemaker](https://clusterlabs.org/pacemaker/), A open-source high availability resource manager. Available as [services.corosync](#opt-services.corosync.enable) and [services.pacemaker](#opt-services.pacemaker.enable). + +- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](#opt-services.create_ap.enable). + +- [Envoy](https://www.envoyproxy.io/), a high-performance reverse proxy. Available as [services.envoy](#opt-services.envoy.enable). + +- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](#opt-services.ergochat.enable). + +- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative spreadsheet. Available as [services.ethercalc](#opt-services.ethercalc.enable). - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable). -- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). +- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable). -- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable) +- [Grafana Mimir](https://grafana.com/oss/mimir/), an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as [services.mimir](#opt-services.mimir.enable). -- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable). +- [Haste](https://hastebin.com/about.md), a pastebin written in node.js. Available as [services.haste](#opt-services.haste-server.enable). -- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](options.html#opt-services.snowflake-proxy.enable). +- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](#opt-services.headscale.enable). -- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable). +- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](#opt-services.heisenbridge.enable). -- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). +- [https-dns-proxy](https://github.com/aarond10/https_dns_proxy), DNS to DNS over HTTPS (DoH) proxy. Available as [services.https-dns-proxy](#opt-services.https-dns-proxy.enable). -- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](options.html#opt-services.pgadmin.enable). +- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](#opt-services.input-remapper.enable). -- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable). +- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](#opt-services.invoiceplane.sites._name_.enable). -- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable). +- [k3b](https://userbase.kde.org/K3b), the KDE disk burning application. Available as [programs.k3b](#opt-programs.k3b.enable). -- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable). +- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](#opt-programs.k40-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. -- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](options.html#opt-programs.k4-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. +- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.enableServer) -- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](options.html#opt-services.mozillavpn). +- [Maddy](https://maddy.email/), a free an open source mail server. Availabe as [services.maddy](#opt-services.maddy.enable). -- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable). +- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). -- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](options.html#opt-services.prometheus.exporters.pve). +- [Moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. Available as [moosefs](#opt-services.moosefs.master.enable). -- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](options.html#opt-services.netbox.enable). +- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](#opt-services.mozillavpn.enable). -- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). +- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](#opt-services.mtr-exporter.enable). -- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](options.html#opt-services.agate.enable). +- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](#opt-services.nbd.server.enable). -- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). +- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](#opt-services.netbox.enable). -- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). +- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable). -- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). +- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](#opt-services.nifi.enable). + +- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](#opt-programs.nix-ld.enable). -- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. - Available as [moosefs](#opt-services.moosefs.client.enable). +- [NNCP](http://www.nncpgo.org), NNCP (Node to Node copy) utilities and configuration, Available as [programs.nncp](#opt-programs.nncp.enable). + +- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](#opt-services.pgadmin.enable). + +- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](#opt-services.powerdns-admin.enable). + +- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](#opt-services.prometheus.exporters.pve.enable). - [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). -- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. +- [Public Inbox](https://public-inbox.org), an "archives first" approach to mailing lists. Available as [services.public-inbox](#opt-services.public-inbox.enable). + +- [r53-ddns](https://github.com/fleaz/r53-ddns), a small tool to run your own DDNS service via AWS Route53. Available as [services.r53-ddns](#opt-services.r53-ddns.enable). + +- [rmfakecloud](https://ddvk.github.io/rmfakecloud/), a clone of the cloud sync the remarkable tablet. Available as [services.rmfakecloud](#opt-services.rmfakecloud.enable). + +- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](#opt-virtualisation.docker.rootless.enable). + +- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](#opt-services.rstudio-server.enable). + +- [rtsp-simple-server](https://github.com/aler9/rtsp-simple-server), ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as [services.rtsp-simple-server](#opt-services.rtsp-simple-server.enable). -- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative - spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable). +- [Snipe-IT](https://snipeitapp.com), a free open source IT asset/license management system. Available as [services.snipe-it](#opt-services.snipe-it.enable). -- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](options.html#opt-services.nbd.server.enable). +- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](#opt-services.snowflake-proxy.enable). -- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](options.html#opt-programs.nix-ld.enable). +- [sslmate-agent](https://sslmate.com/), a daemon for managing SSL/TLS certificates on a server. Available as [services.sslmate-agent](services.sslmate-agent.enable). -- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable). +- [starship](https://starship.rs), a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at [programs.startship](#opt-programs.starship.enable). -- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable). +- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. + +- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). + +- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). -- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable) +- [uptermd](https://upterm.dev), an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at [services.uptermd](#opt-services.uptermd.enable). -- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](options.html#opt-services.create_ap.enable). +- [usbrelayd](https://github.com/darrylb123/usbrelay), an USB Relay MQTT daemon. Available as [services.usbrelayd](#opt-services.usbrelayd.enable). -- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. +- [webdav-server-rs](https://github.com/miquels/webdav-server-rs), Webdav server in rust. Available as [services.webdav-server-rs](#opt-services.webdav-server-rs.enable). -- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager +- [wg-netmanager](https://github.com/gin66/wg_netmanager), the Wireguard network manager. Available as [services.wg-netmanager](#opt-services.wg-netmanager.enable). -- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable). +- [Zammad](https://zammad.org/), a web-based, open source user support/ticketing solution. Available as [services.zammad](#opt-services.zammad.enable). <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -137,6 +195,10 @@ In addition to numerous new and upgraded packages, this release has the followin `useLLVM`. So instead of `(ghc.withPackages (p: [])).override { withLLVM = true; }`, one needs to use `(ghc.withPackages.override { useLLVM = true; }) (p: [])`. +- The update of the haskell package set brings with it a new version of the `xmonad` + module, which will break your configuration if you use `launch` as entrypoint. The + example code the corresponding nixos module was adjusted, you may want to have a look at it. + - The `home-assistant` module now requires users that don't want their configuration to be managed declaratively to set `services.home-assistant.config = null;`. This is required @@ -151,6 +213,21 @@ In addition to numerous new and upgraded packages, this release has the followin org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and `pkgs.emacsPackages.nongnuPackages` where the new versions will release. +- The configuration and state directories used by `nixos-containers` have been + moved from `/etc/containers` and `/var/lib/containers` to + `/etc/nixos-containers` and `/var/lib/nixos-containers`. + + If you are changing `system.stateVersion` to `"22.05"` manually on an existing + system you are responsible for migrating these directories yourself. + + This is to improve compatibility with `libcontainer` based software such as Podman and Skopeo + which assumes they have ownership over `/etc/containers`. + +- `lib.systems.supported` has been removed, as it was overengineered for determining the systems to support in the nixpkgs flake. The list of systems exposed by the nixpkgs flake can now be accessed as `lib.systems.flakeExposed`. + +- For new installations `virtualisation.oci-containers.backend` is now set to `podman` by default. + If you still want to use Docker on systems where `system.stateVersion` is set to to `"22.05"` set `virtualisation.oci-containers.backend = "docker";`.Old systems with older `stateVersion`s stay with "docker". + - `security.klogd` was removed. Logging of kernel messages is handled by systemd since Linux 3.5. @@ -199,6 +276,10 @@ In addition to numerous new and upgraded packages, this release has the followin - In the ncdns module, the default value of `services.ncdns.address` has been changed to the IPv6 loopback address (`::1`). +- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`. + + Additionally with 2.5 the argon2 module was included in the standard distrubtion and renamed from `pw-argon2` to `argon2`. Remember to update your `olcModuleLoad` entry in `cn=config`. + - `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface. - `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`. @@ -317,18 +398,20 @@ In addition to numerous new and upgraded packages, this release has the followin }; extraConfigFiles = [ - /run/keys/matrix-synapse/secrets.yaml + "/run/keys/matrix-synapse/secrets.yaml" ]; }; } ``` - The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. + The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. The filename must be quoted to prevent nix from copying it to the (world readable) store. Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new location if the `stateVersion` is updated. + As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0. + - The Keycloak package (`pkgs.keycloak`) has been switched from the Wildfly version, which will soon be deprecated, to the Quarkus based version. The Keycloak service (`services.keycloak`) has been updated @@ -451,6 +534,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details. +- `teleport` has been upgraded to major version 9. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and [release notes](https://goteleport.com/docs/changelog/#900). + - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline` (which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend on `pkgs.python3.pkgs.matplotlib` anymore. @@ -500,7 +585,7 @@ In addition to numerous new and upgraded packages, this release has the followin - `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn.<name>.execConfig.PrivateUsers = false` -- `systemd-shutdown` is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using `boot.systemd.shutdown.enable`. +- `systemd-shutdown` is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using `systemd.shutdownRamfs.enable`. - The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`. @@ -528,8 +613,14 @@ In addition to numerous new and upgraded packages, this release has the followin you should change the package you refer to. If you don't need them update your commands from `otelcontribcol` to `otelcorecol` and enjoy a 7x smaller binary. +- `services.zookeeper` has a new option `jre` for specifying the JRE to start + zookeeper with. It defaults to the JRE that `pkgs.zookeeper` was wrapped with, + instead of `pkgs.jre`. This changes the JRE to `pkgs.jdk11_headless` by default. + - `pkgs.pgadmin` now refers to `pkgs.pgadmin4`. `pgadmin3` has been removed. +- `pkgs.minetestclient_4` and `pkgs.minetestserver_4` have been removed, as the last 4.x release was in 2018. `pkgs.minetestclient` (equivalent to `pkgs.minetest` ) and `pkgs.minetestserver` can be used instead. + - `pkgs.noto-fonts-cjk` is now deprecated in favor of `pkgs.noto-fonts-cjk-sans` and `pkgs.noto-fonts-cjk-serif` because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs, @@ -579,6 +670,10 @@ In addition to numerous new and upgraded packages, this release has the followin - The `vpnc` package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. +- The default version of `nextcloud` is **nextcloud24**. Please note that it's **not** possible to upgrade + `nextcloud` across multiple major versions! This means it's e.g. not possible to upgrade from `nextcloud22` + to `nextcloud24` in a single deploy and most `21.11` users will have to upgrade to `nextcloud23` first. + - `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim) (formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)). @@ -640,6 +735,13 @@ In addition to numerous new and upgraded packages, this release has the followin - The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings): * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) and will be deprecated when NixOS 21.11 reaches end of life. * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added. + +- [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes. + +- Mattermost has been upgraded to extended support version 6.3 as the previously + packaged extended support version 5.37 is [reaching end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). + Migration may take some time, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) + and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). - The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. @@ -652,6 +754,31 @@ In addition to numerous new and upgraded packages, this release has the followin By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive. +- Mastodon now uses `services.redis.servers` to start a new redis server, instead of using a global redis server. + This improves compatibility with other services that use redis. + + Note that this will recreate the redis database, although according to the [Mastodon docs](https://docs.joinmastodon.org/admin/backups/), + this is almost harmless: + > Losing the Redis database is almost harmless: The only irrecoverable data will be the contents of the Sidekiq queues and scheduled retries of previously failed jobs. + > The home and list feeds are stored in Redis, but can be regenerated with tootctl. + + If you do want to save the redis database, you can use the following commands: + ```bash + redis-cli save + cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" + ``` +- Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. + This improves compatibility with other services that use redis. + + Redis database is used for storage only cache and job queue. More information can be found here - [Peertube architecture](https://docs.joinpeertube.org/contribute-architecture). + + If you do want to save the redis database, you can use the following commands before upgrade OS: + ```bash + redis-cli save + sudo mkdir /var/lib/redis-peertube + sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb + ``` + - If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable `NIXOS_OZONE_WL=1` (for example via @@ -718,7 +845,6 @@ In addition to numerous new and upgraded packages, this release has the followin If you are using only a window manager without a desktop manager, you need to enable `services.xserver.desktopManager.runXdgAutostartIfNone` or using the `dex` package to make `fcitx5` work. -- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`. - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files. @@ -764,9 +890,6 @@ In addition to numerous new and upgraded packages, this release has the followin - The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed. -- A new module was added for the [Starship](https://starship.rs/) shell prompt, - providing the options `programs.starship.enable` and `programs.starship.settings`. - - The [Dino](https://dino.im) XMPP client was updated to 0.3, adding support for audio and video calls. - `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins. @@ -782,6 +905,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `vscode-extensions.ionide.ionide-fsharp` package has been updated to 6.0.0 and now requires .NET 6.0. +- The `phpPackages.box` package has been updated from 2.7.5 to 3.16.0. See the [upgrade guide](https://github.com/box-project/box/blob/master/UPGRADE.md#from-27-to-30) for more details. + - The `zrepl` package has been updated from 0.4.0 to 0.5: - The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. @@ -811,6 +936,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. +- `mercury` was updated to 22.01.1, which has some breaking changes ([Mercury 22.01 news](https://dl.mercurylang.org/release/release-notes-22.01.html)). + - xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with `mkfs.xfs -m bigtime=0 -m inobtcount=0`. @@ -822,18 +949,46 @@ In addition to numerous new and upgraded packages, this release has the followin - The `nss` package was split into `nss_esr` and `nss_latest`, with `nss` being an alias for `nss_esr`. This was done to ease maintenance of `nss` and dependent high-profile packages like `firefox`. +- The default `scribus` version is now 1.5, while version 1.4 is still available as `scribus_1_4` ([#172700](https://github.com/NixOS/nixpkgs/pull/172700)). + - The Nextcloud module now supports to create a Mysql database automatically with `services.nextcloud.database.createLocally` enabled. +- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`. + - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)): - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. - The `spark3` package is now usable on `aarch64-darwin` as a result of [#158613](https://github.com/NixOS/nixpkgs/pull/158613) and [#158992](https://github.com/NixOS/nixpkgs/pull/158992). -- The `programs.nncp` options were added for generating host-global NNCP configuration. - - The option `services.snapserver.openFirewall` will no longer default to `true` starting with NixOS 22.11. Enable it explicitly if you need to control Snapserver remotely or connect streamig clients from other hosts. +- The option [networking.useDHCP](options.html#opt-networking.useDHCP) isn't deprecated anymore. + When using [`systemd-networkd`](options.html#opt-networking.useNetworkd), a generic + `.network`-unit is added which enables DHCP for each interface matching `en*`, `eth*` + or `wl*` with priority 99 (which means that it doesn't have any effect if such an interface is matched + by a `.network-`unit with a lower priority). In case of scripted networking, no behavior + was changed. + +- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks. + +- `zfs` was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18. + +- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter + containing the final `mkDerivation` arguments including overrides. + `drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`. + This allows packaging configuration to be overridden in a consistent manner by + providing an alternative to `rec {}` syntax. + + Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing + the final package, including attributes such as the output paths and + `overrideAttrs`. + + New language integrations can be simplified by overriding a "prototype" + package containing the language-specific logic. This removes the need for a + extra layer of overriding for the "generic builder" arguments, thus removing a + usability problem and source of error. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md new file mode 100644 index 00000000000..3cc06bfd3dc --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -0,0 +1,121 @@ +# Release 22.11 (“Raccoon”, 2022.11/??) {#sec-release-22.11} + +Support is planned until the end of June 2023, handing over to 23.05. + +## Highlights {#sec-release-22.11-highlights} + +In addition to numerous new and upgraded packages, this release has the following highlights: + +- During cross-compilation, tests are now executed if the test suite can be executed + by the build platform. This is the case when doing “native” cross-compilation + where the build and host platforms are largely the same, but the nixpkgs' cross + compilation infrastructure is used, e.g. `pkgsStatic` and `pkgsLLVM`. Another + possibility is that the build platform is a superset of the host platform, e.g. when + cross-compiling from `x86_64-unknown-linux` to `i686-unknown-linux`. + The predicate gating test suite execution is the newly added `canExecute` + predicate: You can e.g. check if `stdenv.buildPlatform` can execute binaries + built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating + `stdenv.buildPlatform.canExecute stdenv.hostPlatform`. + +- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added. + These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options. + + - `hostPlatform` is the platform or "`system`" string of the NixOS system + described by the configuration. + - `buildPlatform` is the platform that is responsible for building the NixOS + configuration. It defaults to the `hostPlatform`, for a non-cross + build configuration. To cross compile, set `buildPlatform` to a different + value. + + The new options convey the same information, but with fewer options, and + following the Nixpkgs terminology. + + The existing options `nixpkgs.{system,localSystem,crossSystem}` have not + been formally deprecated, to allow for evaluation of the change and to allow + for a transition period so that in time the ecosystem can switch without + breaking compatibility with any supported NixOS release. + +- `nixos-generate-config` now generates configurations that can be built in pure + mode. This is achieved by setting the new `nixpkgs.hostPlatform` option. + + You may have to unset the `system` parameter in `lib.nixosSystem`, or similarly + remove definitions of the `nixpkgs.{system,localSystem,crossSystem}` options. + + Alternatively, you can remove the `hostPlatform` line and use NixOS like you + would in NixOS 22.05 and earlier. + +- PHP now defaults to PHP 8.1, updated from 8.0. + +- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement. + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +## New Services {#sec-release-22.11-new-services} + +- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). + +- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable). + +- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. + Available as [services.infnoise](options.html#opt-services.infnoise.enable). +- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). + +- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). + +- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable). + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +## Backward Incompatibilities {#sec-release-22.11-incompatibilities} + +- The `isCompatible` predicate checking CPU compatibility is no longer exposed + by the platform sets generated using `lib.systems.elaborate`. In most cases + you will want to use the new `canExecute` predicate instead which also + considers the kernel / syscall interface. It is briefly described in the + release's [highlights section](#sec-release-22.11-highlights). + `lib.systems.parse.isCompatible` still exists, but has changed semantically: + Architectures with differing endianness modes are *no longer considered compatible*. + +- `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3) + and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has + changed and support for single hypen arguments was dropped. + +- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`. + This got partially copied over from the minimal profile and reduces the final system size by up to 200MB. + If you require all locales installed set the option to ``[ "all" ]``. + +- The `isPowerPC` predicate, found on `platform` attrsets (`hostPlatform`, `buildPlatform`, `targetPlatform`, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace `foo.isPowerPC` with `(with foo; isPower && is32bit && isBigEndian)`. + +- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`. + +- The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed, + as it requires `qt4`, which reached its end-of-life 2015 and will no longer be supported by nixpkgs. + [According to Barco](https://www.barco.com/de/support/knowledge-base/4380-can-i-use-linux-os-with-clickshare-base-units) many of their base unit models can be used with Google Chrome and the Google Cast extension. + +- PHP 7.4 is no longer supported due to upstream not supporting this + version for the entire lifecycle of the 22.11 release. + +- riak package removed along with `services.riak` module, due to lack of maintainer to update the package. + +- (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintainance burden. +Use `configure.packages` instead. + +- `k3s` no longer supports docker as runtime due to upstream dropping support. + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +## Other Notable Changes {#sec-release-22.11-notable-changes} + +- The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details. + +- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. + +- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. + +- memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot's fork is no longer available. + +- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. + +- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix index 05d9ce89dbd..18af49db177 100644 --- a/nixos/lib/build-vms.nix +++ b/nixos/lib/build-vms.nix @@ -38,7 +38,7 @@ rec { { key = "no-revision"; # Make the revision metadata constant, in order to avoid needless retesting. # The human version (e.g. 21.05-pre) is left as is, because it is useful - # for external modules that test with e.g. nixosTest and rely on that + # for external modules that test with e.g. testers.nixosTest and rely on that # version number. config.system.nixos.revision = mkForce "constant-nixos-revision"; } diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 2daaa8a1186..3b58ef29797 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -50,11 +50,6 @@ let # they way through, but has the last priority behind everything else. nixpkgs.system = lib.mkDefault system; - # Stash the value of the `system` argument. When using `nesting.children` - # we want to have the same default value behavior (immediately above) - # without any interference from the user's configuration. - nixpkgs.initialSystem = system; - _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_); }; }; diff --git a/nixos/lib/make-ext4-fs.nix b/nixos/lib/make-ext4-fs.nix index 416beeb32f2..b8e1b8d24c4 100644 --- a/nixos/lib/make-ext4-fs.nix +++ b/nixos/lib/make-ext4-fs.nix @@ -78,6 +78,15 @@ pkgs.stdenv.mkDerivation { # get rid of the unnecessary slack here--but see # https://github.com/NixOS/nixpkgs/issues/125121 for caveats. + # shrink to fit + resize2fs -M $img + + # Add 16 MebiByte to the current_size + new_size=$(dumpe2fs -h $img | awk -F: \ + '/Block count/{count=$2} /Block size/{size=$2} END{print (count*size+16*2**20)/size}') + + resize2fs $img $new_size + if [ ${builtins.toString compressImage} ]; then echo "Compressing image" zstd -v --no-progress ./$img -o $out diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix index 57652dd5db1..6649fc41d41 100644 --- a/nixos/lib/make-options-doc/default.nix +++ b/nixos/lib/make-options-doc/default.nix @@ -20,6 +20,12 @@ , lib , options , transformOptions ? lib.id # function for additional tranformations of the options +, documentType ? "appendix" # TODO deprecate "appendix" in favor of "none" + # and/or rename function to moduleOptionDoc for clean slate + + # If you include more than one option list into a document, you need to + # provide different ids. +, variablelistId ? "configuration-variable-list" , revision ? "" # Specify revision for the options # a set of options the docs we are generating will be merged into, as if by recursiveUpdate. # used to split the options doc build into a static part (nixos/modules) and a dynamic part @@ -45,8 +51,11 @@ let else if lib.isFunction x then "<function>" else x; - optionsList = lib.flip map optionsListVisible - (opt: transformOptions opt + rawOpts = lib.optionAttrSetToDocList options; + transformedOpts = map transformOptions rawOpts; + filteredOpts = lib.filter (opt: opt.visible && !opt.internal) transformedOpts; + optionsList = lib.flip map filteredOpts + (opt: opt // lib.optionalAttrs (opt ? example) { example = substSpecial opt.example; } // lib.optionalAttrs (opt ? default) { default = substSpecial opt.default; } // lib.optionalAttrs (opt ? type) { type = substSpecial opt.type; } @@ -88,9 +97,6 @@ let ''; in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>"; - # Remove invisible and internal options. - optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options); - optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList); in rec { @@ -110,7 +116,15 @@ in rec { optionsJSON = pkgs.runCommand "options.json" { meta.description = "List of NixOS options in JSON format"; - buildInputs = [ pkgs.brotli ]; + buildInputs = [ + pkgs.brotli + (let + self = (pkgs.python3Minimal.override { + inherit self; + includeSiteCustomize = true; + }); + in self.withPackages (p: [ p.mistune_2_0 ])) + ]; options = builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix)); } @@ -121,9 +135,13 @@ in rec { ${ if baseOptionsJSON == null - then "cp $options $dst/options.json" + then '' + # `cp $options $dst/options.json`, but with temporary + # markdown processing + python ${./mergeJSON.py} $options <(echo '{}') > $dst/options.json + '' else '' - ${pkgs.python3Minimal}/bin/python ${./mergeJSON.py} \ + python ${./mergeJSON.py} \ ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \ ${baseOptionsJSON} $options \ > $dst/options.json @@ -161,7 +179,9 @@ in rec { ${pkgs.python3Minimal}/bin/python ${./sortXML.py} $optionsXML sorted.xml ${pkgs.libxslt.bin}/bin/xsltproc \ + --stringparam documentType '${documentType}' \ --stringparam revision '${revision}' \ + --stringparam variablelistId '${variablelistId}' \ -o intermediate.xml ${./options-to-docbook.xsl} sorted.xml ${pkgs.libxslt.bin}/bin/xsltproc \ -o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml diff --git a/nixos/lib/make-options-doc/mergeJSON.py b/nixos/lib/make-options-doc/mergeJSON.py index 44a188a08c9..33e5172270b 100644 --- a/nixos/lib/make-options-doc/mergeJSON.py +++ b/nixos/lib/make-options-doc/mergeJSON.py @@ -41,6 +41,154 @@ def unpivot(options: Dict[Key, Option]) -> Dict[str, JSON]: result[opt.name] = opt.value return result +# converts in-place! +def convertMD(options: Dict[str, Any]) -> str: + import mistune + import re + from xml.sax.saxutils import escape, quoteattr + + admonitions = { + '.warning': 'warning', + '.important': 'important', + '.note': 'note' + } + class Renderer(mistune.renderers.BaseRenderer): + def _get_method(self, name): + try: + return super(Renderer, self)._get_method(name) + except AttributeError: + def not_supported(*args, **kwargs): + raise NotImplementedError("md node not supported yet", name, args, **kwargs) + return not_supported + + def text(self, text): + return escape(text) + def paragraph(self, text): + return text + "\n\n" + def newline(self): + return "<literallayout>\n</literallayout>" + def codespan(self, text): + return f"<literal>{escape(text)}</literal>" + def block_code(self, text, info=None): + info = f" language={quoteattr(info)}" if info is not None else "" + return f"<programlisting{info}>\n{escape(text)}</programlisting>" + def link(self, link, text=None, title=None): + if link[0:1] == '#': + attr = "linkend" + link = quoteattr(link[1:]) + else: + # try to faithfully reproduce links that were of the form <link href="..."/> + # in docbook format + if text == link: + text = "" + attr = "xlink:href" + link = quoteattr(link) + return f"<link {attr}={link}>{text}</link>" + def list(self, text, ordered, level, start=None): + if ordered: + raise NotImplementedError("ordered lists not supported yet") + return f"<itemizedlist>\n{text}\n</itemizedlist>" + def list_item(self, text, level): + return f"<listitem><para>{text}</para></listitem>\n" + def block_text(self, text): + return text + def emphasis(self, text): + return f"<emphasis>{text}</emphasis>" + def strong(self, text): + return f"<emphasis role=\"strong\">{text}</emphasis>" + def admonition(self, text, kind): + if kind not in admonitions: + raise NotImplementedError(f"admonition {kind} not supported yet") + tag = admonitions[kind] + # we don't keep whitespace here because usually we'll contain only + # a single paragraph and the original docbook string is no longer + # available to restore the trailer. + return f"<{tag}><para>{text.rstrip()}</para></{tag}>" + def block_quote(self, text): + return f"<blockquote><para>{text}</para></blockquote>" + def command(self, text): + return f"<command>{escape(text)}</command>" + def option(self, text): + return f"<option>{escape(text)}</option>" + def file(self, text): + return f"<filename>{escape(text)}</filename>" + def manpage(self, page, section): + title = f"<refentrytitle>{escape(page)}</refentrytitle>" + vol = f"<manvolnum>{escape(section)}</manvolnum>" + return f"<citerefentry>{title}{vol}</citerefentry>" + + def finalize(self, data): + return "".join(data) + + plugins = [] + + COMMAND_PATTERN = r'\{command\}`(.*?)`' + def command(md): + def parse(self, m, state): + return ('command', m.group(1)) + md.inline.register_rule('command', COMMAND_PATTERN, parse) + md.inline.rules.append('command') + plugins.append(command) + + FILE_PATTERN = r'\{file\}`(.*?)`' + def file(md): + def parse(self, m, state): + return ('file', m.group(1)) + md.inline.register_rule('file', FILE_PATTERN, parse) + md.inline.rules.append('file') + plugins.append(file) + + OPTION_PATTERN = r'\{option\}`(.*?)`' + def option(md): + def parse(self, m, state): + return ('option', m.group(1)) + md.inline.register_rule('option', OPTION_PATTERN, parse) + md.inline.rules.append('option') + plugins.append(option) + + MANPAGE_PATTERN = r'\{manpage\}`(.*?)\((.+?)\)`' + def manpage(md): + def parse(self, m, state): + return ('manpage', m.group(1), m.group(2)) + md.inline.register_rule('manpage', MANPAGE_PATTERN, parse) + md.inline.rules.append('manpage') + plugins.append(manpage) + + ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::\n', flags=re.MULTILINE|re.DOTALL) + def admonition(md): + def parse(self, m, state): + return { + 'type': 'admonition', + 'children': self.parse(m.group(2), state), + 'params': [ m.group(1) ], + } + md.block.register_rule('admonition', ADMONITION_PATTERN, parse) + md.block.rules.append('admonition') + plugins.append(admonition) + + def convertString(text: str) -> str: + rendered = mistune.markdown(text, renderer=Renderer(), plugins=plugins) + # keep trailing spaces so we can diff the generated XML to check for conversion bugs. + return rendered.rstrip() + text[len(text.rstrip()):] + + def optionIs(option: Dict[str, Any], key: str, typ: str) -> bool: + if key not in option: return False + if type(option[key]) != dict: return False + if '_type' not in option[key]: return False + return option[key]['_type'] == typ + + for (name, option) in options.items(): + if optionIs(option, 'description', 'mdDoc'): + option['description'] = convertString(option['description']['text']) + if optionIs(option, 'example', 'literalMD'): + docbook = convertString(option['example']['text']) + option['example'] = { '_type': 'literalDocBook', 'text': docbook } + if optionIs(option, 'default', 'literalMD'): + docbook = convertString(option['default']['text']) + option['default'] = { '_type': 'literalDocBook', 'text': docbook } + + return options + warningsAreErrors = sys.argv[1] == "--warnings-are-errors" optOffset = 1 if warningsAreErrors else 0 options = pivot(json.load(open(sys.argv[1 + optOffset], 'r'))) @@ -50,7 +198,7 @@ overrides = pivot(json.load(open(sys.argv[2 + optOffset], 'r'))) for (k, v) in options.items(): # The _module options are not declared in nixos/modules if v.value['loc'][0] != "_module": - v.value['declarations'] = list(map(lambda s: f'nixos/modules/{s}', v.value['declarations'])) + v.value['declarations'] = list(map(lambda s: f'nixos/modules/{s}' if isinstance(s, str) else s, v.value['declarations'])) # merge both descriptions for (k, v) in overrides.items(): @@ -92,4 +240,4 @@ if hasWarnings and warningsAreErrors: file=sys.stderr) sys.exit(1) -json.dump(unpivot(options), fp=sys.stdout) +json.dump(convertMD(unpivot(options)), fp=sys.stdout) diff --git a/nixos/lib/make-options-doc/options-to-docbook.xsl b/nixos/lib/make-options-doc/options-to-docbook.xsl index b286f7b5e2c..978d5e2468a 100644 --- a/nixos/lib/make-options-doc/options-to-docbook.xsl +++ b/nixos/lib/make-options-doc/options-to-docbook.xsl @@ -12,15 +12,36 @@ <xsl:output method='xml' encoding="UTF-8" /> <xsl:param name="revision" /> + <xsl:param name="documentType" /> <xsl:param name="program" /> + <xsl:param name="variablelistId" /> <xsl:template match="/expr/list"> - <appendix xml:id="appendix-configuration-options"> - <title>Configuration Options</title> - <variablelist xml:id="configuration-variable-list"> + <xsl:choose> + <xsl:when test="$documentType = 'appendix'"> + <appendix xml:id="appendix-configuration-options"> + <title>Configuration Options</title> + <xsl:call-template name="variable-list"/> + </appendix> + </xsl:when> + <xsl:otherwise> + <xsl:call-template name="variable-list"/> + </xsl:otherwise> + </xsl:choose> + </xsl:template> + + <xsl:template name="variable-list"> + <variablelist> + <xsl:attribute name="id" namespace="http://www.w3.org/XML/1998/namespace"><xsl:value-of select="$variablelistId"/></xsl:attribute> <xsl:for-each select="attrs"> - <xsl:variable name="id" select="concat('opt-', str:replace(str:replace(str:replace(str:replace(attr[@name = 'name']/string/@value, '*', '_'), '<', '_'), '>', '_'), ':', '_'))" /> + <xsl:variable name="id" select=" + concat('opt-', + translate( + attr[@name = 'name']/string/@value, + '*< >[]:', + '_______' + ))" /> <varlistentry> <term xlink:href="#{$id}"> <xsl:attribute name="xml:id"><xsl:value-of select="$id"/></xsl:attribute> @@ -96,7 +117,6 @@ </xsl:for-each> </variablelist> - </appendix> </xsl:template> @@ -195,6 +215,23 @@ <xsl:template match="attr[@name = 'declarations' or @name = 'definitions']"> <simplelist> + <!-- + Example: + opt.declarations = [ { name = "foo/bar.nix"; url = "https://github.com/....."; } ]; + --> + <xsl:for-each select="list/attrs[attr[@name = 'name']]"> + <member><filename> + <xsl:if test="attr[@name = 'url']"> + <xsl:attribute name="xlink:href"><xsl:value-of select="attr[@name = 'url']/string/@value"/></xsl:attribute> + </xsl:if> + <xsl:value-of select="attr[@name = 'name']/string/@value"/> + </filename></member> + </xsl:for-each> + + <!-- + When the declarations/definitions are raw strings, + fall back to hardcoded location logic, specific to Nixpkgs. + --> <xsl:for-each select="list/string"> <member><filename> <!-- Hyperlink the filename either to the NixOS Subversion diff --git a/nixos/lib/systemd-types.nix b/nixos/lib/systemd-types.nix index 71962fab2e1..961b6d7f985 100644 --- a/nixos/lib/systemd-types.nix +++ b/nixos/lib/systemd-types.nix @@ -1,4 +1,4 @@ -{ lib, systemdUtils }: +{ lib, systemdUtils, pkgs }: with systemdUtils.lib; with systemdUtils.unitOptions; @@ -34,4 +34,36 @@ rec { automounts = with types; listOf (submodule [ stage2AutomountOptions unitConfig automountConfig ]); initrdAutomounts = with types; attrsOf (submodule [ stage1AutomountOptions unitConfig automountConfig ]); + + initrdContents = types.attrsOf (types.submodule ({ config, options, name, ... }: { + options = { + enable = mkEnableOption "copying of this file and symlinking it" // { default = true; }; + + target = mkOption { + type = types.path; + description = '' + Path of the symlink. + ''; + default = name; + }; + + text = mkOption { + default = null; + type = types.nullOr types.lines; + description = "Text of the file."; + }; + + source = mkOption { + type = types.path; + description = "Path of the source file."; + }; + }; + + config = { + source = mkIf (config.text != null) ( + let name' = "initrd-" + baseNameOf name; + in mkDerivedConfig options.text (pkgs.writeText name') + ); + }; + })); } diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 02e91fdf1e6..cae82433d85 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -20,10 +20,15 @@ in rec { merge = loc: defs: let defs' = filterOverrides defs; - defs'' = getValues defs'; in - if isList (head defs'') - then concatLists defs'' + if isList (head defs').value + then concatMap (def: + if builtins.typeOf def.value == "list" + then def.value + else + throw "The definitions for systemd unit options should be either all lists, representing repeatable options, or all non-lists, but for the option ${showOption loc}, the definitions are a mix of list and non-list ${lib.options.showDefs defs'}" + ) defs' + else mergeEqualOption loc defs'; }; diff --git a/nixos/lib/test-driver/default.nix b/nixos/lib/test-driver/default.nix index 3aee9134318..e3786622c3c 100644 --- a/nixos/lib/test-driver/default.nix +++ b/nixos/lib/test-driver/default.nix @@ -10,6 +10,7 @@ , socat , tesseract4 , vde2 +, extraPythonPackages ? (_ : []) }: python3Packages.buildPythonApplication rec { @@ -17,14 +18,25 @@ python3Packages.buildPythonApplication rec { version = "1.1"; src = ./.; - propagatedBuildInputs = [ coreutils netpbm python3Packages.colorama python3Packages.ptpython qemu_pkg socat vde2 ] - ++ (lib.optionals enableOCR [ imagemagick_light tesseract4 ]); + propagatedBuildInputs = [ + coreutils + netpbm + python3Packages.colorama + python3Packages.ptpython + qemu_pkg + socat + vde2 + ] + ++ (lib.optionals enableOCR [ imagemagick_light tesseract4 ]) + ++ extraPythonPackages python3Packages; doCheck = true; checkInputs = with python3Packages; [ mypy pylint black ]; checkPhase = '' mypy --disallow-untyped-defs \ --no-implicit-optional \ + --pretty \ + --no-color-output \ --ignore-missing-imports ${src}/test_driver pylint --errors-only --enable=unused-import ${src}/test_driver black --check --diff ${src}/test_driver diff --git a/nixos/lib/test-driver/setup.py b/nixos/lib/test-driver/setup.py index 476c7b2dab2..1719b988db6 100644 --- a/nixos/lib/test-driver/setup.py +++ b/nixos/lib/test-driver/setup.py @@ -4,6 +4,7 @@ setup( name="nixos-test-driver", version='1.1', packages=find_packages(), + package_data={"test_driver": ["py.typed"]}, entry_points={ "console_scripts": [ "nixos-test-driver=test_driver:main", diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index 035e3ffe897..3ff3cf5645f 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -682,7 +682,7 @@ class Machine: with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)): retry(tty_matches) - def send_chars(self, chars: List[str]) -> None: + def send_chars(self, chars: str) -> None: with self.nested("sending keys ‘{}‘".format(chars)): for char in chars: self.send_key(char) diff --git a/nixos/lib/test-driver/test_driver/py.typed b/nixos/lib/test-driver/test_driver/py.typed new file mode 100644 index 00000000000..e69de29bb2d --- /dev/null +++ b/nixos/lib/test-driver/test_driver/py.typed diff --git a/nixos/lib/test-script-prepend.py b/nixos/lib/test-script-prepend.py new file mode 100644 index 00000000000..15e59ce0104 --- /dev/null +++ b/nixos/lib/test-script-prepend.py @@ -0,0 +1,42 @@ +# This file contains type hints that can be prepended to Nix test scripts so they can be type +# checked. + +from test_driver.driver import Driver +from test_driver.vlan import VLan +from test_driver.machine import Machine +from test_driver.logger import Logger +from typing import Callable, Iterator, ContextManager, Optional, List, Dict, Any, Union +from typing_extensions import Protocol +from pathlib import Path + + +class RetryProtocol(Protocol): + def __call__(self, fn: Callable, timeout: int = 900) -> None: + raise Exception("This is just type information for the Nix test driver") + + +class PollingConditionProtocol(Protocol): + def __call__( + self, + fun_: Optional[Callable] = None, + *, + seconds_interval: float = 2.0, + description: Optional[str] = None, + ) -> Union[Callable[[Callable], ContextManager], ContextManager]: + raise Exception("This is just type information for the Nix test driver") + + +start_all: Callable[[], None] +subtest: Callable[[str], ContextManager[None]] +retry: RetryProtocol +test_script: Callable[[], None] +machines: List[Machine] +vlans: List[VLan] +driver: Driver +log: Logger +create_machine: Callable[[Dict[str, Any]], Machine] +run_tests: Callable[[], None] +join_all: Callable[[], None] +serial_stdout_off: Callable[[], None] +serial_stdout_on: Callable[[], None] +polling_condition: PollingConditionProtocol diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index cd2bb2f9d4d..4bb1689ffd7 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -50,14 +50,16 @@ rec { , qemu_pkg ? pkgs.qemu_test , enableOCR ? false , skipLint ? false + , skipTypeCheck ? false , passthru ? {} , interactive ? false + , extraPythonPackages ? (_ :[]) }: let # Reifies and correctly wraps the python test driver for # the respective qemu version and with or without ocr support testDriver = pkgs.callPackage ./test-driver { - inherit enableOCR; + inherit enableOCR extraPythonPackages; qemu_pkg = qemu_test; imagemagick_light = imagemagick_light.override { inherit libtiff; }; tesseract4 = tesseract4.override { enableLanguages = [ "eng" ]; }; @@ -85,7 +87,7 @@ rec { nodeHostNames = let nodesList = map (c: c.config.system.name) (lib.attrValues nodes); - in nodesList ++ lib.optional (lib.length nodesList == 1) "machine"; + in nodesList ++ lib.optional (lib.length nodesList == 1 && !lib.elem "machine" nodesList) "machine"; # TODO: This is an implementation error and needs fixing # the testing famework cannot legitimately restrict hostnames further @@ -100,6 +102,9 @@ rec { then testScript { inherit nodes; } else testScript; + uniqueVlans = lib.unique (builtins.concatLists vlans); + vlanNames = map (i: "vlan${toString i}: VLan;") uniqueVlans; + machineNames = map (name: "${name}: Machine;") nodeHostNames; in if lib.length invalidNodeNames > 0 then throw '' @@ -113,18 +118,35 @@ rec { else lib.warnIf skipLint "Linting is disabled" (runCommand testDriverName { inherit testName; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper mypy ]; + buildInputs = [ testDriver ]; testScript = testScript'; preferLocalBuild = true; passthru = passthru // { inherit nodes; }; + meta.mainProgram = "nixos-test-driver"; } '' mkdir -p $out/bin vmStartScripts=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)) - echo -n "$testScript" > $out/test-script + + ${lib.optionalString (!skipTypeCheck) '' + # prepend type hints so the test script can be type checked with mypy + cat "${./test-script-prepend.py}" >> testScriptWithTypes + echo "${builtins.toString machineNames}" >> testScriptWithTypes + echo "${builtins.toString vlanNames}" >> testScriptWithTypes + echo -n "$testScript" >> testScriptWithTypes + + mypy --no-implicit-optional \ + --pretty \ + --no-color-output \ + testScriptWithTypes + ''} + + echo -n "$testScript" >> $out/test-script + ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-test-driver ${testDriver}/bin/generate-driver-symbols @@ -151,6 +173,7 @@ rec { , testScript , enableOCR ? false , name ? "unnamed" + , skipTypeCheck ? false # Skip linting (mainly intended for faster dev cycles) , skipLint ? false , passthru ? {} @@ -160,6 +183,7 @@ rec { (if meta.description or null != null then builtins.unsafeGetAttrPos "description" meta else builtins.unsafeGetAttrPos "testScript" t) + , extraPythonPackages ? (_ : []) } @ t: let mkNodes = qemu_pkg: @@ -206,19 +230,19 @@ rec { )]; }; in - lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-pyton.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'." + lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-python.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'." build-vms.buildVirtualNetwork ( nodes // lib.optionalAttrs (machine != null) { inherit machine; } ); driver = setupDriverForTest { - inherit testScript enableOCR skipLint passthru; + inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages; testName = name; qemu_pkg = pkgs.qemu_test; nodes = mkNodes pkgs.qemu_test; }; driverInteractive = setupDriverForTest { - inherit testScript enableOCR skipLint passthru; + inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages; testName = name; qemu_pkg = pkgs.qemu; nodes = mkNodes pkgs.qemu; diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index 497d98aa4d1..d7671a37499 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -213,6 +213,6 @@ rec { systemdUtils = { lib = import ./systemd-lib.nix { inherit lib config pkgs; }; unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; }; - types = import ./systemd-types.nix { inherit lib systemdUtils; }; + types = import ./systemd-types.nix { inherit lib systemdUtils pkgs; }; }; } diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh index 797fe03e209..0c1656efaf1 100755 --- a/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixos/maintainers/scripts/ec2/create-amis.sh @@ -26,12 +26,32 @@ var ${home_region:=eu-west-1} var ${bucket:=nixos-amis} var ${service_role_name:=vmimport} -var ${regions:=eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1 - us-east-1 us-east-2 us-west-1 us-west-2 +# Output of the command: +# > aws ec2 describe-regions --all-regions --query "Regions[].{Name:RegionName}" --output text | sort +var ${regions:= + af-south-1 + ap-east-1 + ap-northeast-1 + ap-northeast-2 + ap-northeast-3 + ap-south-1 + ap-southeast-1 + ap-southeast-2 + ap-southeast-3 ca-central-1 - ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 - ap-south-1 ap-east-1 - sa-east-1} + eu-central-1 + eu-north-1 + eu-south-1 + eu-west-1 + eu-west-2 + eu-west-3 + me-south-1 + sa-east-1 + us-east-1 + us-east-2 + us-west-1 + us-west-2 + } regions=($regions) diff --git a/nixos/maintainers/scripts/lxd/lxd-image.nix b/nixos/maintainers/scripts/lxd/lxd-image.nix index c76b9fcc7f7..6aa3f2f5584 100644 --- a/nixos/maintainers/scripts/lxd/lxd-image.nix +++ b/nixos/maintainers/scripts/lxd/lxd-image.nix @@ -27,7 +27,7 @@ with lib; networking.useDHCP = false; networking.interfaces.eth0.useDHCP = true; - # As this is intended as a stadalone image, undo some of the minimal profile stuff + # As this is intended as a standalone image, undo some of the minimal profile stuff documentation.enable = true; documentation.nixos.enable = true; environment.noXlibs = false; diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 5b07901f990..97e6405db91 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -46,9 +46,9 @@ in type = with types; either str path; default = "Lat2-Terminus16"; example = "LatArCyrHeb-16"; - description = '' + description = mdDoc '' The font used for the virtual consoles. Leave empty to use - whatever the <command>setfont</command> program considers the + whatever the {command}`setfont` program considers the default font. Can be either a font name or a path to a PSF font file. ''; @@ -149,8 +149,11 @@ in ''); boot.initrd.systemd.contents = { - "/etc/kbd".source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share"; "/etc/vconsole.conf".source = vconsoleConf; + # Add everything if we want full console setup... + "/etc/kbd" = lib.mkIf cfg.earlySetup { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share"; }; + # ...but only the keymaps if we don't + "/etc/kbd/keymaps" = lib.mkIf (!cfg.earlySetup) { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share/keymaps"; }; }; boot.initrd.systemd.storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-vconsole-setup" @@ -180,7 +183,7 @@ in ]; }) - (mkIf cfg.earlySetup { + (mkIf (cfg.earlySetup && !config.boot.initrd.systemd.enable) { boot.initrd.extraUtilsCommands = '' mkdir -p $out/share/consolefonts ${if substring 0 1 cfg.font == "/" then '' @@ -194,10 +197,6 @@ in cp -L $font $out/share/consolefonts/font.psf fi ''; - assertions = [{ - assertion = !config.boot.initrd.systemd.enable; - message = "console.earlySetup is implied by systemd stage 1"; - }]; }) ])) ]; diff --git a/nixos/modules/config/debug-info.nix b/nixos/modules/config/debug-info.nix index 2942ae5905d..78de26fda44 100644 --- a/nixos/modules/config/debug-info.nix +++ b/nixos/modules/config/debug-info.nix @@ -9,21 +9,20 @@ with lib; environment.enableDebugInfo = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear - in <filename>/run/current-system/sw/lib/debug/.build-id</filename>, - where tools such as <command>gdb</command> can find them. + in {file}`/run/current-system/sw/lib/debug/.build-id`, + where tools such as {command}`gdb` can find them. If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows: - <programlisting> - nixpkgs.config.packageOverrides = pkgs: { - hello = pkgs.hello.overrideAttrs (oldAttrs: { - separateDebugInfo = true; - }); - }; - </programlisting> + + nixpkgs.config.packageOverrides = pkgs: { + hello = pkgs.hello.overrideAttrs (oldAttrs: { + separateDebugInfo = true; + }); + }; ''; }; diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 1e68fef7ce7..a10a8c6428a 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -65,7 +65,7 @@ let ${fcBool cfg.hinting.autohint} </edit> <edit mode="append" name="hintstyle"> - <const>hintslight</const> + <const>${cfg.hinting.style}</const> </edit> <edit mode="append" name="antialias"> ${fcBool cfg.antialias} @@ -226,7 +226,6 @@ in (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) - (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") (mkRemovedOptionModule [ "fonts" "fontconfig" "dpi" ] "Use display server-specific options") @@ -349,6 +348,20 @@ in fonts, but better than unhinted fonts. ''; }; + + style = mkOption { + type = types.enum [ "hintnone" "hintslight" "hintmedium" "hintfull" ]; + default = "hintslight"; + description = '' + Hintstyle is the amount of font reshaping done to line up + to the grid. + + hintslight will make the font more fuzzy to line up to the grid + but will be better in retaining font shape, while hintfull will + be a crisp font that aligns well to the pixel grid but will lose + a greater amount of font shape. + ''; + }; }; includeUserConf = mkOption { diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix index 5b8d5b21449..c55726d09c6 100644 --- a/nixos/modules/config/i18n.nix +++ b/nixos/modules/config/i18n.nix @@ -53,7 +53,18 @@ with lib; supportedLocales = mkOption { type = types.listOf types.str; - default = ["all"]; + default = builtins.map (l: l + "/UTF-8") + (unique ( + [ config.i18n.defaultLocale ] ++ + (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings)) + )); + defaultText = literalExpression '' + builtins.map (l: l + "/UTF-8") + (unique ( + [ config.i18n.defaultLocale ] ++ + (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings)) + )) + ''; example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"]; description = '' List of locales that the system should support. The value diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 26ce561013b..5a21cb45d52 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -223,10 +223,10 @@ foreach my $u (@{$spec->{users}}) { } # Ensure home directory incl. ownership and permissions. - if ($u->{createHome}) { - make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry; + if ($u->{createHome} and !$is_dry) { + make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home}; chown $u->{uid}, $u->{gid}, $u->{home}; - chmod 0700, $u->{home}; + chmod oct($u->{homeMode}), $u->{home}; } if (defined $u->{passwordFile}) { diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index b0f96c754fa..d3bdf218c33 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -48,7 +48,7 @@ let services such as SSH, or indirectly via <command>su</command> or <command>sudo</command>). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, - which ca be achieved using <option>users.users.<name?>.password</option>. + which can be achieved using <option>users.users.<name?>.password</option>. If set to <literal>null</literal> (default) this user will not be able to log in using a password (i.e. via <command>login</command> @@ -139,6 +139,12 @@ let description = "The user's home directory."; }; + homeMode = mkOption { + type = types.strMatching "[0-7]{1,5}"; + default = "700"; + description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if <option>users.users.<name>.createHome</option> is true."; + }; + cryptHomeLuks = mkOption { type = with types; nullOr str; default = null; @@ -319,6 +325,7 @@ let group = mkDefault "users"; createHome = mkDefault true; home = mkDefault "/home/${config.name}"; + homeMode = mkDefault "700"; useDefaultShell = mkDefault true; isSystemUser = mkDefault false; }) @@ -430,7 +437,7 @@ let inherit (cfg) mutableUsers; users = mapAttrsToList (_: u: { inherit (u) - name uid group description home createHome isSystemUser + name uid group description home homeMode createHome isSystemUser password passwordFile hashedPassword autoSubUidGidRange subUidRanges subGidRanges initialPassword initialHashedPassword; diff --git a/nixos/modules/config/xdg/icons.nix b/nixos/modules/config/xdg/icons.nix index c83fdc251ef..1e91670cf03 100644 --- a/nixos/modules/config/xdg/icons.nix +++ b/nixos/modules/config/xdg/icons.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; { @@ -23,6 +23,12 @@ with lib; "/share/pixmaps" ]; + environment.systemPackages = [ + # Empty icon theme that contains index.theme file describing directories + # where toolkits should look for icons installed by apps. + pkgs.hicolor-icon-theme + ]; + # libXcursor looks for cursors in XCURSOR_PATH # it mostly follows the spec for icons # See: https://www.x.org/releases/current/doc/man/man3/Xcursor.3.xhtml Themes diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix index 088f2af59e2..1e6ddd7c4a2 100644 --- a/nixos/modules/config/xdg/portal.nix +++ b/nixos/modules/config/xdg/portal.nix @@ -1,10 +1,30 @@ { config, pkgs, lib, ... }: -with lib; +let + inherit (lib) + mkEnableOption + mkIf + mkOption + mkRenamedOptionModule + teams + types; +in { imports = [ (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) + + ({ config, lib, options, ... }: + let + from = [ "xdg" "portal" "gtkUsePortal" ]; + fromOpt = lib.getAttrFromPath from options; + in + { + warnings = lib.mkIf config.xdg.portal.gtkUsePortal [ + "The option `${lib.showOption from}' defined in ${lib.showFiles fromOpt.files} has been deprecated. Setting the variable globally with `environment.sessionVariables' NixOS option can have unforseen side-effects." + ]; + } + ) ]; meta = { @@ -32,11 +52,12 @@ with lib; gtkUsePortal = mkOption { type = types.bool; + visible = false; default = false; description = '' Sets environment variable <literal>GTK_USE_PORTAL</literal> to <literal>1</literal>. - This is needed for packages ran outside Flatpak to respect and use XDG Desktop Portals. - For example, you'd need to set this for non-flatpak Firefox to use native filechoosers. + This will force GTK-based programs ran outside Flatpak to respect and use XDG Desktop Portals + for features like file chooser but it is an unsupported hack that can easily break things. Defaults to <literal>false</literal> to respect its opt-in nature. ''; }; diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 5b60b17312f..89a1217dfb3 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -27,7 +27,8 @@ in { }; hardware.enableRedistributableFirmware = mkOption { - default = false; + default = config.hardware.enableAllFirmware; + defaultText = lib.literalExpression "config.hardware.enableAllFirmware"; type = types.bool; description = '' Turn on this option if you want to enable all the firmware with a license allowing redistribution. @@ -71,7 +72,7 @@ in { }) (mkIf cfg.enableAllFirmware { assertions = [{ - assertion = !cfg.enableAllFirmware || (config.nixpkgs.config.allowUnfree or false); + assertion = !cfg.enableAllFirmware || config.nixpkgs.config.allowUnfree; message = '' the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files. This requires nixpkgs.config.allowUnfree to be true. @@ -82,9 +83,11 @@ in { broadcom-bt-firmware b43Firmware_5_1_138 b43Firmware_6_30_163_46 - b43FirmwareCutter xow_dongle-firmware - ] ++ optional pkgs.stdenv.hostPlatform.isx86 facetimehd-firmware; + ] ++ optionals pkgs.stdenv.hostPlatform.isx86 [ + facetimehd-calibration + facetimehd-firmware + ]; }) (mkIf cfg.wirelessRegulatoryDatabase { hardware.firmware = [ pkgs.wireless-regdb ]; diff --git a/nixos/modules/hardware/device-tree.nix b/nixos/modules/hardware/device-tree.nix index be67116ad50..5a8a8e27bee 100644 --- a/nixos/modules/hardware/device-tree.nix +++ b/nixos/modules/hardware/device-tree.nix @@ -36,14 +36,11 @@ let /plugin/; / { compatible = "raspberrypi"; - fragment@0 { - target-path = "/soc"; - __overlay__ { - pps { - compatible = "pps-gpio"; - status = "okay"; - }; - }; + }; + &{/soc} { + pps { + compatible = "pps-gpio"; + status = "okay"; }; }; ''; @@ -88,13 +85,14 @@ let # Compile single Device Tree overlay source # file (.dts) into its compiled variant (.dtbo) - compileDTS = name: f: pkgs.callPackage({ dtc }: pkgs.stdenv.mkDerivation { + compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation { name = "${name}-dtbo"; nativeBuildInputs = [ dtc ]; buildCommand = '' - dtc -I dts ${f} -O dtb -@ -o $out + $CC -E -nostdinc -I${getDev cfg.kernelPackage}/lib/modules/${cfg.kernelPackage.modDirVersion}/source/scripts/dtc/include-prefixes -undef -D__DTS__ -x assembler-with-cpp ${f} | \ + dtc -I dts -O dtb -@ -o $out ''; }) {}; diff --git a/nixos/modules/hardware/gpgsmartcards.nix b/nixos/modules/hardware/gpgsmartcards.nix index 6e5fcda6b85..4c1d0cc5b2a 100644 --- a/nixos/modules/hardware/gpgsmartcards.nix +++ b/nixos/modules/hardware/gpgsmartcards.nix @@ -19,7 +19,7 @@ let # per debian's udev deb hook (https://man7.org/linux/man-pages/man1/dh_installudev.1.html) destination = "60-scdaemon.rules"; - scdaemonUdevRulesPkg = pkgs.runCommandNoCC "scdaemon-udev-rules" {} '' + scdaemonUdevRulesPkg = pkgs.runCommand "scdaemon-udev-rules" {} '' loc="$out/lib/udev/rules.d/" mkdir -p "''${loc}" cp "${scdaemonRules}" "''${loc}/${destination}" diff --git a/nixos/modules/hardware/keyboard/uhk.nix b/nixos/modules/hardware/keyboard/uhk.nix new file mode 100644 index 00000000000..bf2d739c3a9 --- /dev/null +++ b/nixos/modules/hardware/keyboard/uhk.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.hardware.keyboard.uhk; +in +{ + options.hardware.keyboard.uhk = { + enable = mkEnableOption '' + non-root access to the firmware of UHK keyboards. + You need it when you want to flash a new firmware on the keyboard. + Access to the keyboard is granted to users in the "input" group. + You may want to install the uhk-agent package. + ''; + + }; + + config = mkIf cfg.enable { + services.udev.packages = [ pkgs.uhk-udev-rules ]; + }; +} diff --git a/nixos/modules/hardware/new-lg4ff.nix b/nixos/modules/hardware/new-lg4ff.nix new file mode 100644 index 00000000000..3c7f66f8d89 --- /dev/null +++ b/nixos/modules/hardware/new-lg4ff.nix @@ -0,0 +1,29 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.hardware.new-lg4ff; + kernelPackages = config.boot.kernelPackages; +in { + options.hardware.new-lg4ff = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables improved Linux module drivers for Logitech driving wheels. + This will replace the existing in-kernel hid-logitech modules. + Works most notably on the Logitech G25, G27, G29 and Driving Force (GT). + ''; + }; + }; + + config = lib.mkIf cfg.enable { + boot = { + extraModulePackages = [ kernelPackages.new-lg4ff ]; + kernelModules = [ "hid-logitech-new" ]; + }; + }; + + meta.maintainers = with lib.maintainers; [ matthiasbenaets ]; +} diff --git a/nixos/modules/hardware/raid/hpsa.nix b/nixos/modules/hardware/raid/hpsa.nix index c4977e3fd70..120348a74bf 100644 --- a/nixos/modules/hardware/raid/hpsa.nix +++ b/nixos/modules/hardware/raid/hpsa.nix @@ -8,7 +8,10 @@ let version = "2.40-13.0"; src = pkgs.fetchurl { - url = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${pname}-${version}_amd64.deb"; + urls = [ + "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${pname}-${version}_amd64.deb" + "http://apt.netangels.net/pool/main/h/hpssacli/${pname}-${version}_amd64.deb" + ]; sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw"; }; @@ -37,7 +40,7 @@ let homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/"; license = licenses.unfreeRedistributable; platforms = [ "x86_64-linux" ]; - maintainers = with maintainers; [ volth ]; + maintainers = with maintainers; [ ]; }; }; in { diff --git a/nixos/modules/hardware/saleae-logic.nix b/nixos/modules/hardware/saleae-logic.nix new file mode 100644 index 00000000000..a3810d640c4 --- /dev/null +++ b/nixos/modules/hardware/saleae-logic.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.saleae-logic; +in +{ + options.hardware.saleae-logic = { + enable = lib.mkEnableOption "udev rules for Saleae Logic devices"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.saleae-logic-2; + defaultText = lib.literalExpression "pkgs.saleae-logic-2"; + description = '' + Saleae Logic package to use. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.udev.packages = [ cfg.package ]; + }; + + meta.maintainers = with lib.maintainers; [ chivay ]; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 6899eb4e196..b4717719661 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -163,8 +163,19 @@ in ''; }; + hardware.nvidia.forceFullCompositionPipeline = lib.mkOption { + default = false; + type = types.bool; + description = '' + Whether to force-enable the full composition pipeline. + This sometimes fixes screen tearing issues. + This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL. + It also drastically increases the time the driver needs to clock down after load. + ''; + }; + hardware.nvidia.package = lib.mkOption { - type = lib.types.package; + type = types.package; default = config.boot.kernelPackages.nvidiaPackages.stable; defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable"; description = '' @@ -172,6 +183,14 @@ in ''; example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340"; }; + + hardware.nvidia.open = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to use the open source kernel module + ''; + }; }; config = let @@ -220,6 +239,11 @@ in ); message = "Required files for driver based power management don't exist."; } + + { + assertion = cfg.open -> (cfg.package ? open && cfg.package ? firmware); + message = "This version of NVIDIA driver does not provide a corresponding opensource kernel driver"; + } ]; # If Optimus/PRIME is enabled, we: @@ -255,13 +279,18 @@ in '' BusID "${pCfg.nvidiaBusId}" ${optionalString syncCfg.allowExternalGpu "Option \"AllowExternalGpus\""} - ${optionalString cfg.powerManagement.finegrained "Option \"NVreg_DynamicPowerManagement=0x02\""} ''; screenSection = '' Option "RandRRotation" "on" - ${optionalString syncCfg.enable "Option \"AllowEmptyInitialConfiguration\""} - ''; + '' + optionalString syncCfg.enable '' + Option "AllowEmptyInitialConfiguration" + '' + optionalString cfg.forceFullCompositionPipeline '' + Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" + Option "AllowIndirectGLXProtocol" "off" + Option "TripleBuffer" "on" + '' + ; }; services.xserver.serverLayoutSection = optionalString syncCfg.enable '' @@ -348,7 +377,8 @@ in ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; - boot.extraModulePackages = [ nvidia_x11.bin ]; + boot.extraModulePackages = if cfg.open then [ nvidia_x11.open ] else [ nvidia_x11.bin ]; + hardware.firmware = lib.optional cfg.open nvidia_x11.firmware; # nvidia-uvm is required by CUDA applications. boot.kernelModules = [ "nvidia-uvm" ] ++ @@ -356,17 +386,20 @@ in # If requested enable modesetting via kernel parameter. boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1" - ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1"; + ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + ++ optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1"; services.udev.extraRules = '' # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c 195 255'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c 195 254'" + KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", PROGRAM="${pkgs.gnugrep}/bin/grep 'Device Minor:' /proc/driver/nvidia/gpus/%b/information", \ + RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%c{3} c 195 %c{3}" KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" - '' + optionalString cfg.powerManagement.finegrained '' + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'" + '' + optionalString cfg.powerManagement.finegrained ( + optionalString (versionOlder config.boot.kernelPackages.kernel.version "5.5") '' # Remove NVIDIA USB xHCI Host Controller devices, if present ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1" @@ -375,7 +408,7 @@ in # Remove NVIDIA Audio devices, if present ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1" - + '' + '' # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto" ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto" @@ -383,7 +416,7 @@ in # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on" ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on" - ''; + ''); boot.extraModprobeConfig = mkIf cfg.powerManagement.finegrained '' options nvidia "NVreg_DynamicPowerManagement=0x02" diff --git a/nixos/modules/hardware/video/webcam/facetimehd.nix b/nixos/modules/hardware/video/webcam/facetimehd.nix index b13f103350e..c48eac5e9c1 100644 --- a/nixos/modules/hardware/video/webcam/facetimehd.nix +++ b/nixos/modules/hardware/video/webcam/facetimehd.nix @@ -14,6 +14,18 @@ in options.hardware.facetimehd.enable = mkEnableOption "facetimehd kernel module"; + options.hardware.facetimehd.withCalibration = mkOption { + default = false; + example = true; + type = types.bool; + description = '' + Whether to include sensor calibration files for facetimehd. + This makes colors look much better but is experimental, see + <link xlink:href="https://github.com/patjak/facetimehd/wiki/Extracting-the-sensor-calibration-files"/> + for details. + ''; + }; + config = mkIf cfg.enable { boot.kernelModules = [ "facetimehd" ]; @@ -22,7 +34,8 @@ in boot.extraModulePackages = [ kernelPackages.facetimehd ]; - hardware.firmware = [ pkgs.facetimehd-firmware ]; + hardware.firmware = [ pkgs.facetimehd-firmware ] + ++ optional cfg.withCalibration pkgs.facetimehd-calibration; # unload module during suspend/hibernate as it crashes the whole system powerManagement.powerDownCommands = '' diff --git a/nixos/modules/i18n/input-method/fcitx5.nix b/nixos/modules/i18n/input-method/fcitx5.nix index 6fea28e2234..9ef0285f7b9 100644 --- a/nixos/modules/i18n/input-method/fcitx5.nix +++ b/nixos/modules/i18n/input-method/fcitx5.nix @@ -5,7 +5,9 @@ with lib; let im = config.i18n.inputMethod; cfg = im.fcitx5; - fcitx5Package = pkgs.fcitx5-with-addons.override { inherit (cfg) addons; }; + addons = cfg.addons ++ optional cfg.enableRimeData pkgs.rime-data; + fcitx5Package = pkgs.fcitx5-with-addons.override { inherit addons; }; + whetherRimeDataDir = any (p: p.pname == "fcitx5-rime") cfg.addons; in { options = { i18n.inputMethod.fcitx5 = { @@ -17,16 +19,30 @@ in { Enabled Fcitx5 addons. ''; }; + + enableRimeData = mkEnableOption "default rime-data with fcitx5-rime"; }; }; config = mkIf (im.enabled == "fcitx5") { i18n.inputMethod.package = fcitx5Package; - environment.variables = { - GTK_IM_MODULE = "fcitx"; - QT_IM_MODULE = "fcitx"; - XMODIFIERS = "@im=fcitx"; - }; + environment = mkMerge [{ + variables = { + GTK_IM_MODULE = "fcitx"; + QT_IM_MODULE = "fcitx"; + XMODIFIERS = "@im=fcitx"; + QT_PLUGIN_PATH = [ "${fcitx5Package}/${pkgs.qt6.qtbase.qtPluginPrefix}" ]; + }; + } + (mkIf whetherRimeDataDir { + pathsToLink = [ + "/share/rime-data" + ]; + + variables = { + NIX_RIME_DATA_DIR = "/run/current-system/sw/share/rime-data"; + }; + })]; }; } diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index c5b0cbc2150..907f6451fce 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -23,6 +23,8 @@ let Name=IBus Type=Application Exec=${ibusPackage}/bin/ibus-daemon --daemonize --xim ${impanel} + # GNOME will launch ibus using systemd + NotShowIn=GNOME; ''; }; in @@ -67,7 +69,7 @@ in programs.dconf.packages = [ ibusPackage ]; services.dbus.packages = [ - ibusAutostart + ibusPackage ]; environment.variables = { diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 92164d65e53..2f91cd39881 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -39,7 +39,8 @@ in echo "unpacking the NixOS/Nixpkgs sources..." mkdir -p /nix/var/nix/profiles/per-user/root ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ - -i ${channelSources} --quiet --option build-use-substitutes false + -i ${channelSources} --quiet --option build-use-substitutes false \ + ${optionalString config.boot.initrd.systemd.enable "--option sandbox false"} # There's an issue with pivot_root mkdir -m 0700 -p /root/.nix-defexpr ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels mkdir -m 0755 -p /var/lib/nixos diff --git a/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-base.nix index 618057618d0..3f92b779d60 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix @@ -46,5 +46,5 @@ with lib; done ''; - system.stateVersion = mkDefault "18.03"; + system.stateVersion = lib.mkDefault lib.trivial.release; } diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index fa19daf1328..8c7bac6f6cc 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix @@ -35,22 +35,35 @@ with lib; # Enable sound in graphical iso's. hardware.pulseaudio.enable = true; - environment.systemPackages = [ + # VM guest additions to improve host-guest interaction + services.spice-vdagentd.enable = true; + services.qemuGuest.enable = true; + virtualisation.vmware.guest.enable = true; + virtualisation.hypervGuest.enable = true; + services.xe-guest-utilities.enable = true; + # The VirtualBox guest additions rely on an out-of-tree kernel module + # which lags behind kernel releases, potentially causing broken builds. + virtualisation.virtualbox.guest.enable = false; + + # Enable plymouth + boot.plymouth.enable = true; + + environment.defaultPackages = with pkgs; [ # Include gparted for partitioning disks. - pkgs.gparted + gparted # Include some editors. - pkgs.vim - pkgs.bvi # binary editor - pkgs.joe + vim + nano # Include some version control tools. - pkgs.git + git + rsync # Firefox for reading the manual. - pkgs.firefox + firefox - pkgs.glxinfo + glxinfo ]; } diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix new file mode 100644 index 00000000000..d015e10c11d --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix @@ -0,0 +1,60 @@ +# This module defines a NixOS installation CD that contains GNOME. + +{ pkgs, ... }: + +{ + imports = [ ./installation-cd-graphical-calamares.nix ]; + + isoImage.edition = "gnome"; + + services.xserver.desktopManager.gnome = { + # Add Firefox and other tools useful for installation to the launcher + favoriteAppsOverride = '' + [org.gnome.shell] + favorite-apps=[ 'firefox.desktop', 'nixos-manual.desktop', 'org.gnome.Console.desktop', 'org.gnome.Nautilus.desktop', 'gparted.desktop', 'io.calamares.calamares.desktop' ] + ''; + + # Override GNOME defaults to disable GNOME tour and disable suspend + extraGSettingsOverrides = '' + [org.gnome.shell] + welcome-dialog-last-shown-version='9999999999' + [org.gnome.desktop.session] + idle-delay=0 + [org.gnome.settings-daemon.plugins.power] + sleep-inactive-ac-type='nothing' + sleep-inactive-battery-type='nothing' + ''; + + extraGSettingsOverridePackages = [ pkgs.gnome.gnome-settings-daemon ]; + + enable = true; + }; + + # Theme calamares with GNOME theme + qt5 = { + enable = true; + platformTheme = "gnome"; + }; + + # Fix scaling for calamares on wayland + environment.variables = { + QT_QPA_PLATFORM = "$([[ $XDG_SESSION_TYPE = \"wayland\" ]] && echo \"wayland\")"; + }; + + services.xserver.displayManager = { + gdm = { + enable = true; + # autoSuspend makes the machine automatically suspend after inactivity. + # It's possible someone could/try to ssh'd into the machine and obviously + # have issues because it's inactive. + # See: + # * https://github.com/NixOS/nixpkgs/pull/63790 + # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22 + autoSuspend = false; + }; + autoLogin = { + enable = true; + user = "nixos"; + }; + }; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix new file mode 100644 index 00000000000..a4c46d58c85 --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix @@ -0,0 +1,49 @@ +# This module defines a NixOS installation CD that contains X11 and +# Plasma 5. + +{ pkgs, ... }: + +{ + imports = [ ./installation-cd-graphical-calamares.nix ]; + + isoImage.edition = "plasma5"; + + services.xserver = { + desktopManager.plasma5 = { + enable = true; + }; + + # Automatically login as nixos. + displayManager = { + sddm.enable = true; + autoLogin = { + enable = true; + user = "nixos"; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + # Graphical text editor + kate + ]; + + system.activationScripts.installerDesktop = let + + # Comes from documentation.nix when xserver and nixos.enable are true. + manualDesktopFile = "/run/current-system/sw/share/applications/nixos-manual.desktop"; + + homeDir = "/home/nixos/"; + desktopDir = homeDir + "Desktop/"; + + in '' + mkdir -p ${desktopDir} + chown nixos ${homeDir} ${desktopDir} + + ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"} + ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"} + ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"} + ln -sfT ${pkgs.calamares-nixos}/share/applications/io.calamares.calamares.desktop ${desktopDir + "io.calamares.calamares.desktop"} + ''; + +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix new file mode 100644 index 00000000000..8a6d30d1801 --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix @@ -0,0 +1,20 @@ +# This module adds the calamares installer to the basic graphical NixOS +# installation CD. + +{ pkgs, ... }: +let + calamares-nixos-autostart = pkgs.makeAutostartItem { name = "io.calamares.calamares"; package = pkgs.calamares-nixos; }; +in +{ + imports = [ ./installation-cd-graphical-base.nix ]; + + environment.systemPackages = with pkgs; [ + # Calamares for graphical installation + libsForQt5.kpmcore + calamares-nixos + calamares-nixos-autostart + calamares-nixos-extensions + # Needed for calamares QML module packagechooserq + libsForQt5.full + ]; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 303493741f3..573b31b439c 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -1,8 +1,6 @@ # This module defines a NixOS installation CD that contains GNOME. -{ lib, ... }: - -with lib; +{ ... }: { imports = [ ./installation-cd-graphical-base.nix ]; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix index 098c2b2870b..5c7617c9f8c 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix @@ -1,9 +1,7 @@ # This module defines a NixOS installation CD that contains X11 and # Plasma 5. -{ config, lib, pkgs, ... }: - -with lib; +{ pkgs, ... }: { imports = [ ./installation-cd-graphical-base.nix ]; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 860e240b43d..d1ccc6c2072 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -369,10 +369,10 @@ let ${lib.optionalString (refindBinary != null) '' # GRUB apparently cannot do "chainloader" operations on "CD". if [ "\$root" != "cd0" ]; then - # Force root to be the FAT partition - # Otherwise it breaks rEFInd's boot - search --set=root --no-floppy --fs-uuid 1234-5678 menuentry 'rEFInd' --class refind { + # Force root to be the FAT partition + # Otherwise it breaks rEFInd's boot + search --set=root --no-floppy --fs-uuid 1234-5678 chainloader (\$root)/EFI/boot/${refindBinary} } fi @@ -400,10 +400,8 @@ let # dates (cp -p, touch, mcopy -m, faketime for label), IDs (mkfs.vfat -i) '' mkdir ./contents && cd ./contents - cp -rp "${efiDir}"/EFI . - mkdir ./boot - cp -p "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}" \ - "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}" ./boot/ + mkdir -p ./EFI/boot + cp -rp "${efiDir}"/EFI/boot/{grub.cfg,*.efi} ./EFI/boot # Rewrite dates for everything in the FS find . -exec touch --date=2000-01-01 {} + @@ -421,11 +419,11 @@ let faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out" # Force a fixed order in mcopy for better determinism, and avoid file globbing - for d in $(find EFI boot -type d | sort); do + for d in $(find EFI -type d | sort); do faketime "2000-01-01 00:00:00" mmd -i "$out" "::/$d" done - for f in $(find EFI boot -type f | sort); do + for f in $(find EFI -type f | sort); do mcopy -pvm -i "$out" "$f" "::/$f" done @@ -481,7 +479,7 @@ in + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86" # Untested but should also reduce size for these platforms + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm" - + lib.optionalString (isPowerPC) "-Xbcj powerpc" + + lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc" + lib.optionalString (isSparc) "-Xbcj sparc"; description = '' Compression settings to use for the squashfs nix store. diff --git a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 458e313a3f7..329bd329dc1 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -87,19 +87,19 @@ in boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ums-cypress" "rtc_mv" "ext4" ]; - boot.postBootCommands = + boot.postBootCommands = lib.mkIf (!boot.initrd.systemd.enable) '' mkdir -p /mnt cp ${dummyConfiguration} /etc/nixos/configuration.nix ''; - boot.initrd.extraUtilsCommands = + boot.initrd.extraUtilsCommands = lib.mkIf (!boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.util-linux}/sbin/hwclock ''; - boot.initrd.postDeviceCommands = + boot.initrd.postDeviceCommands = lib.mkIf (!boot.initrd.systemd.enable) '' hwclock -s ''; diff --git a/nixos/modules/installer/kexec/kexec-boot.nix b/nixos/modules/installer/kexec/kexec-boot.nix deleted file mode 100644 index 95ab774468c..00000000000 --- a/nixos/modules/installer/kexec/kexec-boot.nix +++ /dev/null @@ -1,51 +0,0 @@ -# This module exposes a config.system.build.kexecBoot attribute, -# which returns a directory with kernel, initrd and a shell script -# running the necessary kexec commands. - -# It's meant to be scp'ed to a machine with working ssh and kexec binary -# installed. - -# This is useful for (cloud) providers where you can't boot a custom image, but -# get some Debian or Ubuntu installation. - -{ pkgs -, modulesPath -, config -, ... -}: -{ - imports = [ - (modulesPath + "/installer/netboot/netboot-minimal.nix") - ]; - - config = { - system.build.kexecBoot = - let - kexecScript = pkgs.writeScript "kexec-boot" '' - #!/usr/bin/env bash - if ! kexec -v >/dev/null 2>&1; then - echo "kexec not found: please install kexec-tools" 2>&1 - exit 1 - fi - SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) - kexec --load ''${SCRIPT_DIR}/bzImage \ - --initrd=''${SCRIPT_DIR}/initrd.gz \ - --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}" - kexec -e - ''; in - pkgs.linkFarm "kexec-tree" [ - { - name = "initrd.gz"; - path = "${config.system.build.netbootRamdisk}/initrd"; - } - { - name = "bzImage"; - path = "${config.system.build.kernel}/bzImage"; - } - { - name = "kexec-boot"; - path = kexecScript; - } - ]; - }; -} diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index a459e7304cd..3127bdc436f 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -101,6 +101,37 @@ with lib; boot ''; + # A script invoking kexec on ./bzImage and ./initrd.gz. + # Usually used through system.build.kexecTree, but exposed here for composability. + system.build.kexecScript = pkgs.writeScript "kexec-boot" '' + #!/usr/bin/env bash + if ! kexec -v >/dev/null 2>&1; then + echo "kexec not found: please install kexec-tools" 2>&1 + exit 1 + fi + SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + kexec --load ''${SCRIPT_DIR}/bzImage \ + --initrd=''${SCRIPT_DIR}/initrd.gz \ + --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}" + kexec -e + ''; + + # A tree containing initrd.gz, bzImage and a kexec-boot script. + system.build.kexecTree = pkgs.linkFarm "kexec-tree" [ + { + name = "initrd.gz"; + path = "${config.system.build.netbootRamdisk}/initrd"; + } + { + name = "bzImage"; + path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}"; + } + { + name = "kexec-boot"; + path = config.system.build.kexecScript; + } + ]; + boot.loader.timeout = 10; boot.postBootCommands = diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64.nix b/nixos/modules/installer/sd-card/sd-image-aarch64.nix index 321793882f4..cf01005fdc8 100644 --- a/nixos/modules/installer/sd-card/sd-image-aarch64.nix +++ b/nixos/modules/installer/sd-card/sd-image-aarch64.nix @@ -39,6 +39,12 @@ # Supported in newer board revisions arm_boost=1 + [cm4] + # Enable host mode on the 2711 built-in XHCI USB controller. + # This line should be removed if the legacy DWC2 controller is required + # (e.g. for USB device mode) or if USB support is not required. + otg_mode=1 + [all] # Boot in 64-bit mode. arm_64bit=1 @@ -65,6 +71,9 @@ cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/ + cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-400.dtb firmware/ + cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4.dtb firmware/ + cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4s.dtb firmware/ ''; populateRootCommands = '' mkdir -p ./files/boot diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index 7560c682517..c0335ea4875 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix @@ -18,7 +18,7 @@ with lib; let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; - compressImage = true; + compressImage = config.sdImage.compressImage; populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { @@ -174,7 +174,8 @@ in mtools, libfaketime, util-linux, zstd }: stdenv.mkDerivation { name = config.sdImage.imageName; - nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime util-linux zstd ]; + nativeBuildInputs = [ dosfstools e2fsprogs libfaketime mtools util-linux ] + ++ lib.optional config.sdImage.compressImage zstd; inherit (config.sdImage) imageName compressImage; @@ -189,14 +190,18 @@ in echo "file sd-image $img" >> $out/nix-support/hydra-build-products fi + root_fs=${rootfsImage} + ${lib.optionalString config.sdImage.compressImage '' + root_fs=./root-fs.img echo "Decompressing rootfs image" - zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img + zstd -d --no-progress "${rootfsImage}" -o $root_fs + ''} # Gap in front of the first partition, in MiB gap=${toString config.sdImage.firmwarePartitionOffset} # Create the image file sized to fit /boot/firmware and /, plus slack for the gap. - rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }') + rootSizeBlocks=$(du -B 512 --apparent-size $root_fs | awk '{ print $1 }') firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512)) imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024)) truncate -s $imageSize $img @@ -214,7 +219,7 @@ in # Copy the rootfs into the SD image eval $(partx $img -o START,SECTORS --nr 2 --pairs) - dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS + dd conv=notrunc if=$root_fs of=$img seek=$START count=$SECTORS # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) diff --git a/nixos/modules/installer/tools/get-version-suffix b/nixos/modules/installer/tools/get-version-suffix index b8972cd57d2..8d72905cdcb 100644 --- a/nixos/modules/installer/tools/get-version-suffix +++ b/nixos/modules/installer/tools/get-version-suffix @@ -1,14 +1,15 @@ getVersion() { local dir="$1" rev= - if [ -e "$dir/.git" ]; then + gitDir="$dir/.git" + if [ -e "$gitDir" ]; then if [ -z "$(type -P git)" ]; then echo "warning: Git not found; cannot figure out revision of $dir" >&2 return fi cd "$dir" - rev=$(git rev-parse --short HEAD) - if git describe --always --dirty | grep -q dirty; then + rev=$(git --git-dir="$gitDir" rev-parse --short HEAD) + if git --git-dir="$gitDir" describe --always --dirty | grep -q dirty; then rev+=M fi fi diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 1707935ad5b..bd09724ebfa 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/yx36yzxpw1hn4fz8iyf1rfyd56jg3yf4-nix-2.8.0"; - i686-linux = "/nix/store/c0hg806zvwg800qbszzj8ff4a224kjgf-nix-2.8.0"; - aarch64-linux = "/nix/store/wic2832ll53q392r2wks4xr2nrk7p8p5-nix-2.8.0"; - x86_64-darwin = "/nix/store/5yqdvnkmkrhl36xh0qy31pymdphjimdd-nix-2.8.0"; - aarch64-darwin = "/nix/store/izc9592szrnpv8n86hr88bhpyc9g6b4s-nix-2.8.0"; + x86_64-linux = "/nix/store/6g4fla3vkcxihph282a0v3cd10709y7c-nix-2.9.1"; + i686-linux = "/nix/store/j143221z44469zx21f5m9a47x7y1jpr5-nix-2.9.1"; + aarch64-linux = "/nix/store/c4z3vy1sgm49la8bvmdrrpssgk4iw2nk-nix-2.9.1"; + x86_64-darwin = "/nix/store/cqdwb7khf6zg94bz7lnvfjqx6z775qaw-nix-2.9.1"; + aarch64-darwin = "/nix/store/1brkxcs287n1px2i4fq39l7h51hjv0f8-nix-2.9.1"; } diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index fb5d3ba4732..0e6320e4695 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -84,6 +84,15 @@ sub debug { } +# nixpkgs.system +my ($status, @systemLines) = runCommand("nix-instantiate --impure --eval --expr builtins.currentSystem"); +if ($status != 0 || join("", @systemLines) =~ /error/) { + die "Failed to retrieve current system type from nix.\n"; +} +chomp(my $system = @systemLines[0]); +push @attrs, "nixpkgs.hostPlatform = lib.mkDefault $system;"; + + my $cpuinfo = read_file "/proc/cpuinfo"; @@ -291,6 +300,12 @@ if ($virt eq "oracle") { push @attrs, "virtualisation.virtualbox.guest.enable = true;" } +# Check if we're a Parallels guest. If so, enable the guest additions. +# It is blocked by https://github.com/systemd/systemd/pull/23859 +if ($virt eq "parallels") { + push @attrs, "hardware.parallels.enable = true;"; + push @attrs, "nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ \"prl-tools\" ];"; +} # Likewise for QEMU. if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") { @@ -581,17 +596,19 @@ ${\join "", (map { " $_\n" } (uniq @attrs))}} EOF sub generateNetworkingDhcpConfig { + # FIXME disable networking.useDHCP by default when switching to networkd. my $config = <<EOF; - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - networking.useDHCP = lib.mkDefault false; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; EOF foreach my $path (glob "/sys/class/net/*") { my $dev = basename($path); if ($dev ne "lo") { - $config .= " networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n"; + $config .= " # networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n"; } } diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index bf5ec0f9690..04be272742c 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -34,7 +34,7 @@ let name = "nixos-generate-config"; src = ./nixos-generate-config.pl; perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl"; - detectvirt = "${pkgs.systemd}/bin/systemd-detect-virt"; + detectvirt = "${config.systemd.package}/bin/systemd-detect-virt"; btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; inherit (config.system.nixos-generate-config) configuration desktopConfiguration; xserverEnabled = config.services.xserver.enable; @@ -177,6 +177,10 @@ in # users.users.jane = { # isNormalUser = true; # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # packages = with pkgs; [ + # firefox + # thunderbird + # ]; # }; # List packages installed in system profile. To search, run: @@ -184,7 +188,6 @@ in # environment.systemPackages = with pkgs; [ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget - # firefox # ]; # Some programs need SUID wrappers, can be configured further or are diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index 8e28d3336fa..b031ff2f2be 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -178,19 +178,12 @@ in man.generateCaches = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Whether to generate the manual page index caches. This allows searching for a page or - keyword using utilities like - <citerefentry> - <refentrytitle>apropos</refentrytitle> - <manvolnum>1</manvolnum> - </citerefentry> - and the <literal>-k</literal> option of - <citerefentry> - <refentrytitle>man</refentrytitle> - <manvolnum>1</manvolnum> - </citerefentry>. + keyword using utilities like {manpage}`apropos(1)` + and the `-k` option of + {manpage}`man(1)`. ''; }; @@ -216,16 +209,14 @@ in dev.enable = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Whether to install documentation targeted at developers. - <itemizedlist> - <listitem><para>This includes man pages targeted at developers if <option>documentation.man.enable</option> is - set (this also includes "devman" outputs).</para></listitem> - <listitem><para>This includes info pages targeted at developers if <option>documentation.info.enable</option> - is set (this also includes "devinfo" outputs).</para></listitem> - <listitem><para>This includes other pages targeted at developers if <option>documentation.doc.enable</option> - is set (this also includes "devdoc" outputs).</para></listitem> - </itemizedlist> + * This includes man pages targeted at developers if {option}`documentation.man.enable` is + set (this also includes "devman" outputs). + * This includes info pages targeted at developers if {option}`documentation.info.enable` + is set (this also includes "devinfo" outputs). + * This includes other pages targeted at developers if {option}`documentation.doc.enable` + is set (this also includes "devdoc" outputs). ''; }; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 7d1faa50f4b..60794cef362 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -3,7 +3,7 @@ # IMPORTANT! # We only add static uids and gids for services where it is not feasible -# to change uids/gids on service start, in example a service with a lot of +# to change uids/gids on service start, for example a service with a lot of # files. Please also check if the service is applicable for systemd's # DynamicUser option and does not need a uid/gid allocation at all. # Systemd can also change ownership of service directories using the @@ -236,7 +236,7 @@ in gitit = 202; riemanntools = 203; subsonic = 204; - riak = 205; + # riak = 205; # unused, remove 2022-07-22 #shout = 206; # dynamically allocated as of 2021-09-18 gateone = 207; namecoin = 208; @@ -553,7 +553,7 @@ in gitit = 202; riemanntools = 203; subsonic = 204; - riak = 205; + # riak = 205;#unused, removed 2022-06-22 #shout = 206; #unused gateone = 207; namecoin = 208; diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 192c9ec413c..50495eebe4c 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -250,7 +250,7 @@ in }; warnings = optional (isMorPLocate && cfg.localuser != null) - "mlocate does not support the services.locate.localuser option; updatedb will run as root. (Silence with services.locate.localuser = null.)" + "mlocate and plocate do not support the services.locate.localuser option. updatedb will run as root. Silence this warning by setting services.locate.localuser = null." ++ optional (isFindutils && cfg.pruneNames != [ ]) "findutils locate does not support pruning by directory component" ++ optional (isFindutils && cfg.pruneBindMounts) diff --git a/nixos/modules/misc/man-db.nix b/nixos/modules/misc/man-db.nix index 8bd329bc4e0..7aeb02d883a 100644 --- a/nixos/modules/misc/man-db.nix +++ b/nixos/modules/misc/man-db.nix @@ -23,11 +23,11 @@ in ++ lib.optionals config.documentation.dev.enable [ "devman" ]; ignoreCollisions = true; }; - defaultText = lib.literalDocBook "all man pages in <option>config.environment.systemPackages</option>"; - description = '' - The manual pages to generate caches for if <option>documentation.man.generateCaches</option> + defaultText = lib.literalMD "all man pages in {option}`config.environment.systemPackages`"; + description = lib.mdDoc '' + The manual pages to generate caches for if {option}`documentation.man.generateCaches` is enabled. Must be a path to a directory with man pages under - <literal>/share/man</literal>; see the source for an example. + `/share/man`; see the source for an example. Advanced users can make this a content-addressed derivation to save a few rebuilds. ''; }; diff --git a/nixos/modules/misc/mandoc.nix b/nixos/modules/misc/mandoc.nix index 3da60f2f8e6..838f2087656 100644 --- a/nixos/modules/misc/mandoc.nix +++ b/nixos/modules/misc/mandoc.nix @@ -53,7 +53,9 @@ in { # see: https://inbox.vuxu.org/mandoc-tech/20210906171231.GF83680@athene.usta.de/T/#e85f773c1781e3fef85562b2794f9cad7b2909a3c extraSetup = lib.mkIf config.documentation.man.generateCaches '' ${makewhatis} -T utf8 ${ - lib.concatMapStringsSep " " (path: "\"$out/${path}\"") cfg.manPath + lib.concatMapStringsSep " " (path: + "$out/" + lib.escapeShellArg path + ) cfg.manPath } ''; }; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 69967c8a760..ad017aff816 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -55,9 +55,46 @@ let check = builtins.isAttrs; }; - defaultPkgs = import ../../.. { - inherit (cfg) config overlays localSystem crossSystem; - }; + hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority; + hasHostPlatform = opt.hostPlatform.isDefined; + hasPlatform = hasHostPlatform || hasBuildPlatform; + + # Context for messages + hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}"; + buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}"; + platformLines = optionalString hasPlatform '' + Your system configuration configures nixpkgs with platform parameters: + ${hostPlatformLine + }${buildPlatformLine + }''; + + legacyOptionsDefined = + optional (opt.localSystem.highestPrio < (mkDefault {}).priority) opt.system + ++ optional (opt.localSystem.highestPrio < (mkOptionDefault {}).priority) opt.localSystem + ++ optional (opt.crossSystem.highestPrio < (mkOptionDefault {}).priority) opt.crossSystem + ; + + defaultPkgs = + if opt.hostPlatform.isDefined + then + let isCross = cfg.buildPlatform != cfg.hostPlatform; + systemArgs = + if isCross + then { + localSystem = cfg.buildPlatform; + crossSystem = cfg.hostPlatform; + } + else { + localSystem = cfg.hostPlatform; + }; + in + import ../../.. ({ + inherit (cfg) config overlays; + } // systemArgs) + else + import ../../.. { + inherit (cfg) config overlays localSystem crossSystem; + }; finalPkgs = if opt.pkgs.isDefined then cfg.pkgs.appendOverlays cfg.overlays else defaultPkgs; @@ -67,6 +104,7 @@ in imports = [ ./assertions.nix ./meta.nix + (mkRemovedOptionModule [ "nixpkgs" "initialSystem" ] "The NixOS options `nesting.clone` and `nesting.children` have been deleted, and replaced with named specialisation. Therefore `nixpgks.initialSystem` has no effect anymore.") ]; options.nixpkgs = { @@ -156,6 +194,46 @@ in ''; }; + hostPlatform = mkOption { + type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + example = { system = "aarch64-linux"; config = "aarch64-unknown-linux-gnu"; }; + # Make sure that the final value has all fields for sake of other modules + # referring to this. TODO make `lib.systems` itself use the module system. + apply = lib.systems.elaborate; + defaultText = literalExpression + ''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform''; + description = '' + Specifies the platform where the NixOS configuration will run. + + To cross-compile, set also <code>nixpkgs.buildPlatform</code>. + + Ignored when <code>nixpkgs.pkgs</code> is set. + ''; + }; + + buildPlatform = mkOption { + type = types.either types.str types.attrs; # TODO utilize lib.systems.parsedPlatform + default = cfg.hostPlatform; + example = { system = "x86_64-linux"; config = "x86_64-unknown-linux-gnu"; }; + # Make sure that the final value has all fields for sake of other modules + # referring to this. + apply = lib.systems.elaborate; + defaultText = literalExpression + ''config.nixpkgs.hostPlatform''; + description = '' + Specifies the platform on which NixOS should be built. + By default, NixOS is built on the system where it runs, but you can + change where it's built. Setting this option will cause NixOS to be + cross-compiled. + + For instance, if you're doing distributed multi-platform deployment, + or if you're building machines, you can set this to match your + development system and/or build farm. + + Ignored when <code>nixpkgs.pkgs</code> is set. + ''; + }; + localSystem = mkOption { type = types.attrs; # TODO utilize lib.systems.parsedPlatform default = { inherit (cfg) system; }; @@ -175,10 +253,13 @@ in deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details. - Ignored when <code>nixpkgs.pkgs</code> is set. + Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set. ''; }; + # TODO deprecate. "crossSystem" is a nonsense identifier, because "cross" + # is a relation between at least 2 systems in the context of a + # specific build step, not a single system. crossSystem = mkOption { type = types.nullOr types.attrs; # TODO utilize lib.systems.parsedPlatform default = null; @@ -192,7 +273,7 @@ in should be set as null, the default. See its description in the Nixpkgs manual for more details. - Ignored when <code>nixpkgs.pkgs</code> is set. + Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set. ''; }; @@ -215,16 +296,7 @@ in </programlisting> See <code>nixpkgs.localSystem</code> for more information. - Ignored when <code>nixpkgs.localSystem</code> is set. - Ignored when <code>nixpkgs.pkgs</code> is set. - ''; - }; - - initialSystem = mkOption { - type = types.str; - internal = true; - description = '' - Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>. + Ignored when <code>nixpkgs.pkgs</code>, <code>nixpkgs.localSystem</code> or <code>nixpkgs.hostPlatform</code> is set. ''; }; }; @@ -247,10 +319,23 @@ in else "nixpkgs.localSystem"; pkgsSystem = finalPkgs.stdenv.targetPlatform.system; in { - assertion = nixosExpectedSystem == pkgsSystem; + assertion = !hasPlatform -> nixosExpectedSystem == pkgsSystem; message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system."; } ) + { + assertion = hasPlatform -> legacyOptionsDefined == []; + message = '' + Your system configures nixpkgs with the platform parameter${optionalString hasBuildPlatform "s"}: + ${hostPlatformLine + }${buildPlatformLine + } + However, it also defines the legacy options: + ${concatMapStrings showOptionWithDefLocs legacyOptionsDefined} + For a future proof system configuration, we recommend to remove + the legacy definitions. + ''; + } ]; }; diff --git a/nixos/modules/misc/nixpkgs/test.nix b/nixos/modules/misc/nixpkgs/test.nix index ec5fab9fb4a..9e8851707f8 100644 --- a/nixos/modules/misc/nixpkgs/test.nix +++ b/nixos/modules/misc/nixpkgs/test.nix @@ -1,8 +1,63 @@ { evalMinimalConfig, pkgs, lib, stdenv }: +let + eval = mod: evalMinimalConfig { + imports = [ ../nixpkgs.nix mod ]; + }; + withHost = eval { + nixpkgs.hostPlatform = "aarch64-linux"; + }; + withHostAndBuild = eval { + nixpkgs.hostPlatform = "aarch64-linux"; + nixpkgs.buildPlatform = "aarch64-darwin"; + }; + ambiguous = { + _file = "ambiguous.nix"; + nixpkgs.hostPlatform = "aarch64-linux"; + nixpkgs.buildPlatform = "aarch64-darwin"; + nixpkgs.system = "x86_64-linux"; + nixpkgs.localSystem.system = "x86_64-darwin"; + nixpkgs.crossSystem.system = "i686-linux"; + imports = [ + { _file = "repeat.nix"; + nixpkgs.hostPlatform = "aarch64-linux"; + } + ]; + }; + getErrors = module: + let + uncheckedEval = lib.evalModules { modules = [ ../nixpkgs.nix module ]; }; + in map (ass: ass.message) (lib.filter (ass: !ass.assertion) uncheckedEval.config.assertions); +in lib.recurseIntoAttrs { invokeNixpkgsSimple = - (evalMinimalConfig ({ config, modulesPath, ... }: { - imports = [ (modulesPath + "/misc/nixpkgs.nix") ]; + (eval { nixpkgs.system = stdenv.hostPlatform.system; - }))._module.args.pkgs.hello; + })._module.args.pkgs.hello; + assertions = + assert withHost._module.args.pkgs.stdenv.hostPlatform.system == "aarch64-linux"; + assert withHost._module.args.pkgs.stdenv.buildPlatform.system == "aarch64-linux"; + assert withHostAndBuild._module.args.pkgs.stdenv.hostPlatform.system == "aarch64-linux"; + assert withHostAndBuild._module.args.pkgs.stdenv.buildPlatform.system == "aarch64-darwin"; + assert builtins.trace (lib.head (getErrors ambiguous)) + getErrors ambiguous == + ['' + Your system configures nixpkgs with the platform parameters: + nixpkgs.hostPlatform, with values defined in: + - repeat.nix + - ambiguous.nix + nixpkgs.buildPlatform, with values defined in: + - ambiguous.nix + + However, it also defines the legacy options: + nixpkgs.system, with values defined in: + - ambiguous.nix + nixpkgs.localSystem, with values defined in: + - ambiguous.nix + nixpkgs.crossSystem, with values defined in: + - ambiguous.nix + + For a future proof system configuration, we recommend to remove + the legacy definitions. + '']; + pkgs.emptyFile; } diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 931201ade29..da458a57484 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -13,7 +13,7 @@ let attrsToText = attrs: concatStringsSep "\n" ( mapAttrsToList (n: v: ''${n}=${escapeIfNeccessary (toString v)}'') attrs - ); + ) + "\n"; osReleaseContents = { NAME = "NixOS"; @@ -146,6 +146,15 @@ in "/etc/os-release".source = initrdRelease; "/etc/initrd-release".source = initrdRelease; }; + + # We have to use `warnings` because when warning in the default of the option + # the warning would also be shown when building the manual since the manual + # has to evaluate the default. + # + # TODO Remove this and drop the default of the option so people are forced to set it. + # Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix + warnings = lib.optional (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority) + "system.stateVersion is not set, defaulting to ${config.system.stateVersion}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion."; }; # uses version info nixpkgs, which requires a full nixpkgs path diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 132416d865f..b2ae30aa9ff 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -57,6 +57,7 @@ ./hardware/sensor/hddtemp.nix ./hardware/sensor/iio.nix ./hardware/keyboard/teck.nix + ./hardware/keyboard/uhk.nix ./hardware/keyboard/zsa.nix ./hardware/ksm.nix ./hardware/ledger.nix @@ -65,6 +66,7 @@ ./hardware/network/ath-user-regd.nix ./hardware/network/b43.nix ./hardware/network/intel-2200bg.nix + ./hardware/new-lg4ff.nix ./hardware/nitrokey.nix ./hardware/opengl.nix ./hardware/openrazer.nix @@ -72,6 +74,7 @@ ./hardware/printers.nix ./hardware/raid/hpsa.nix ./hardware/rtl-sdr.nix + ./hardware/saleae-logic.nix ./hardware/steam-hardware.nix ./hardware/system-76.nix ./hardware/tuxedo-keyboard.nix @@ -136,8 +139,8 @@ ./programs/captive-browser.nix ./programs/ccache.nix ./programs/cdemu.nix + ./programs/cfs-zen-tweaks.nix ./programs/chromium.nix - ./programs/clickshare.nix ./programs/cnping.nix ./programs/command-not-found/command-not-found.nix ./programs/criu.nix @@ -165,6 +168,7 @@ ./programs/gpaste.nix ./programs/gnupg.nix ./programs/gphoto2.nix + ./programs/haguichi.nix ./programs/hamster.nix ./programs/htop.nix ./programs/iftop.nix @@ -172,6 +176,7 @@ ./programs/java.nix ./programs/k40-whisperer.nix ./programs/kclock.nix + ./programs/k3b.nix ./programs/kdeconnect.nix ./programs/kbdlight.nix ./programs/less.nix @@ -191,11 +196,11 @@ ./programs/npm.nix ./programs/noisetorch.nix ./programs/oblogout.nix + ./programs/openvpn3.nix ./programs/pantheon-tweaks.nix ./programs/partition-manager.nix ./programs/plotinus.nix ./programs/proxychains.nix - ./programs/phosh.nix ./programs/qt5ct.nix ./programs/screen.nix ./programs/sedutil.nix @@ -212,6 +217,7 @@ ./programs/sway.nix ./programs/system-config-printer.nix ./programs/thefuck.nix + ./programs/thunar.nix ./programs/tmux.nix ./programs/traceroute.nix ./programs/tsm-client.nix @@ -224,6 +230,7 @@ ./programs/weylus.nix ./programs/wireshark.nix ./programs/wshowkeys.nix + ./programs/xfconf.nix ./programs/xfs_quota.nix ./programs/xonsh.nix ./programs/xss-lock.nix @@ -344,6 +351,8 @@ ./services/databases/clickhouse.nix ./services/databases/cockroachdb.nix ./services/databases/couchdb.nix + ./services/databases/dragonflydb.nix + ./services/databases/dgraph.nix ./services/databases/firebird.nix ./services/databases/foundationdb.nix ./services/databases/hbase.nix @@ -359,7 +368,6 @@ ./services/databases/pgmanage.nix ./services/databases/postgresql.nix ./services/databases/redis.nix - ./services/databases/riak.nix ./services/databases/victoriametrics.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix @@ -424,6 +432,7 @@ ./services/games/terraria.nix ./services/hardware/acpid.nix ./services/hardware/actkbd.nix + ./services/hardware/argonone.nix ./services/hardware/auto-cpufreq.nix ./services/hardware/bluetooth.nix ./services/hardware/bolt.nix @@ -459,6 +468,7 @@ ./services/hardware/udisks2.nix ./services/hardware/upower.nix ./services/hardware/usbmuxd.nix + ./services/hardware/usbrelayd.nix ./services/hardware/thermald.nix ./services/hardware/undervolt.nix ./services/hardware/vdr.nix @@ -503,15 +513,23 @@ ./services/mail/postfixadmin.nix ./services/mail/postsrsd.nix ./services/mail/postgrey.nix + ./services/mail/public-inbox.nix ./services/mail/spamassassin.nix ./services/mail/rspamd.nix ./services/mail/rss2email.nix ./services/mail/roundcube.nix + ./services/mail/schleuder.nix ./services/mail/sympa.nix ./services/mail/nullmailer.nix - ./services/matrix/matrix-synapse.nix + ./services/matrix/appservice-discord.nix + ./services/matrix/appservice-irc.nix + ./services/matrix/conduit.nix + ./services/matrix/dendrite.nix + ./services/matrix/mautrix-facebook.nix + ./services/matrix/mautrix-telegram.nix ./services/matrix/mjolnir.nix ./services/matrix/pantalaimon.nix + ./services/matrix/synapse.nix ./services/misc/ananicy.nix ./services/misc/airsonic.nix ./services/misc/ankisyncd.nix @@ -530,7 +548,6 @@ ./services/misc/cpuminer-cryptonight.nix ./services/misc/cgminer.nix ./services/misc/confd.nix - ./services/misc/dendrite.nix ./services/misc/devmon.nix ./services/misc/dictd.nix ./services/misc/duckling.nix @@ -573,11 +590,6 @@ ./services/misc/libreddit.nix ./services/misc/lifecycled.nix ./services/misc/mame.nix - ./services/misc/matrix-appservice-discord.nix - ./services/misc/matrix-appservice-irc.nix - ./services/misc/matrix-conduit.nix - ./services/misc/mautrix-facebook.nix - ./services/misc/mautrix-telegram.nix ./services/misc/mbpfan.nix ./services/misc/mediatomb.nix ./services/misc/metabase.nix @@ -599,6 +611,7 @@ ./services/misc/packagekit.nix ./services/misc/paperless.nix ./services/misc/parsoid.nix + ./services/misc/persistent-evdev.nix ./services/misc/plex.nix ./services/misc/plikd.nix ./services/misc/podgrab.nix @@ -650,6 +663,7 @@ ./services/monitoring/do-agent.nix ./services/monitoring/fusion-inventory.nix ./services/monitoring/grafana.nix + ./services/monitoring/grafana-agent.nix ./services/monitoring/grafana-image-renderer.nix ./services/monitoring/grafana-reporter.nix ./services/monitoring/graphite.nix @@ -661,6 +675,7 @@ ./services/monitoring/longview.nix ./services/monitoring/mackerel-agent.nix ./services/monitoring/metricbeat.nix + ./services/monitoring/mimir.nix ./services/monitoring/monit.nix ./services/monitoring/munin.nix ./services/monitoring/nagios.nix @@ -729,11 +744,13 @@ ./services/networking/bitcoind.nix ./services/networking/autossh.nix ./services/networking/bird.nix + ./services/networking/bird-lg.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix ./services/networking/blocky.nix ./services/networking/charybdis.nix ./services/networking/cjdns.nix + ./services/networking/cloudflare-dyndns.nix ./services/networking/cntlm.nix ./services/networking/connman.nix ./services/networking/consul.nix @@ -760,6 +777,7 @@ ./services/networking/ergo.nix ./services/networking/ergochat.nix ./services/networking/eternal-terminal.nix + ./services/networking/expressvpn.nix ./services/networking/fakeroute.nix ./services/networking/ferm.nix ./services/networking/fireqos.nix @@ -872,12 +890,14 @@ ./services/networking/quassel.nix ./services/networking/quorum.nix ./services/networking/quicktun.nix + ./services/networking/r53-ddns.nix ./services/networking/radicale.nix ./services/networking/radvd.nix ./services/networking/rdnssd.nix ./services/networking/redsocks.nix ./services/networking/resilio.nix ./services/networking/robustirc-bridge.nix + ./services/networking/routedns.nix ./services/networking/rpcbind.nix ./services/networking/rxe.nix ./services/networking/sabnzbd.nix @@ -932,6 +952,7 @@ ./services/networking/unifi.nix ./services/video/unifi-video.nix ./services/video/rtsp-simple-server.nix + ./services/networking/uptermd.nix ./services/networking/v2ray.nix ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix @@ -971,6 +992,8 @@ ./services/security/hockeypuck.nix ./services/security/hologram-server.nix ./services/security/hologram-agent.nix + ./services/security/kanidm.nix + ./services/security/infnoise.nix ./services/security/munge.nix ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix @@ -1035,6 +1058,7 @@ ./services/web-apps/gerrit.nix ./services/web-apps/gotify-server.nix ./services/web-apps/grocy.nix + ./services/web-apps/healthchecks.nix ./services/web-apps/hedgedoc.nix ./services/web-apps/hledger-web.nix ./services/web-apps/icingaweb2/icingaweb2.nix @@ -1058,6 +1082,7 @@ ./services/web-apps/nexus.nix ./services/web-apps/nifi.nix ./services/web-apps/node-red.nix + ./services/web-apps/phylactery.nix ./services/web-apps/pict-rs.nix ./services/web-apps/peertube.nix ./services/web-apps/plantuml-server.nix @@ -1074,6 +1099,7 @@ ./services/web-apps/trilium.nix ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix + ./services/web-apps/snipe-it.nix ./services/web-apps/vikunja.nix ./services/web-apps/virtlyst.nix ./services/web-apps/wiki-js.nix @@ -1181,13 +1207,14 @@ ./system/boot/stage-2.nix ./system/boot/systemd.nix ./system/boot/systemd/coredump.nix + ./system/boot/systemd/initrd-secrets.nix + ./system/boot/systemd/initrd.nix ./system/boot/systemd/journald.nix ./system/boot/systemd/logind.nix ./system/boot/systemd/nspawn.nix ./system/boot/systemd/shutdown.nix ./system/boot/systemd/tmpfiles.nix ./system/boot/systemd/user.nix - ./system/boot/systemd/initrd.nix ./system/boot/timesyncd.nix ./system/boot/tmp.nix ./system/etc/etc-activation.nix @@ -1224,6 +1251,7 @@ ./tasks/powertop.nix ./testing/service-runner.nix ./virtualisation/anbox.nix + ./virtualisation/appvm.nix ./virtualisation/build-vm.nix ./virtualisation/container-config.nix ./virtualisation/containerd.nix @@ -1251,6 +1279,7 @@ ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix ./virtualisation/vmware-guest.nix + ./virtualisation/vmware-host.nix ./virtualisation/waydroid.nix ./virtualisation/xen-dom0.nix ./virtualisation/xe-guest-utilities.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 25f68123a1d..8347453d403 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -40,6 +40,9 @@ in # SD cards. "sdhci_pci" + # NVMe drives + "nvme" + # Firewire support. Not tested. "ohci1394" "sbp2" diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 3c503fba2a3..a8601a9e2c0 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -99,6 +99,10 @@ with lib; stdenvNoCC # for runCommand busybox jq # for closureInfo + # For boot.initrd.systemd + makeInitrdNGTool + systemdStage1 + systemdStage1Network ]; # Show all debug messages from the kernel but don't log refused packets diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index e79b9272384..0e65989214a 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -8,9 +8,6 @@ with lib; { environment.noXlibs = mkDefault true; - # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale - i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ]; - documentation.enable = mkDefault false; documentation.nixos.enable = mkDefault false; diff --git a/nixos/modules/profiles/qemu-guest.nix b/nixos/modules/profiles/qemu-guest.nix index d4335edfcf2..8b3df97ae0d 100644 --- a/nixos/modules/profiles/qemu-guest.nix +++ b/nixos/modules/profiles/qemu-guest.nix @@ -1,13 +1,13 @@ # Common configuration for virtual machines running under QEMU (using # virtio). -{ ... }: +{ config, lib, ... }: { boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ]; boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; - boot.initrd.postDeviceCommands = + boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # Set the system time from the hardware clock to work around a # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index ad75ab27666..a31078a891a 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -136,6 +136,24 @@ in packages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; services = mkService cfg.atopService.enable "atop" [ atop ] + // lib.mkIf cfg.atopService.enable { + # always convert logs to newer version first + # XXX might trigger TimeoutStart but restarting atop.service will + # convert remainings logs and start eventually + atop.serviceConfig.ExecStartPre = pkgs.writeShellScript "atop-update-log-format" '' + set -e -u + for logfile in "$LOGPATH"/atop_* + do + ${atop}/bin/atopconvert "$logfile" "$logfile".new + # only replace old file if version was upgraded to avoid + # false positives for atop-rotate.service + if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new + then + ${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile" + fi + done + ''; + } // mkService cfg.atopacctService.enable "atopacct" [ atop ] // mkService cfg.netatop.enable "netatop" [ cfg.netatop.package ] // mkService cfg.atopgpu.enable "atopgpu" [ atop ]; diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix index aad554c2bd6..1e5c6ff9b24 100644 --- a/nixos/modules/programs/captive-browser.nix +++ b/nixos/modules/programs/captive-browser.nix @@ -98,7 +98,7 @@ in config = mkIf cfg.enable { environment.systemPackages = [ - (pkgs.runCommandNoCC "captive-browser-desktop-item" { } '' + (pkgs.runCommand "captive-browser-desktop-item" { } '' install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop '') ]; diff --git a/nixos/modules/programs/cfs-zen-tweaks.nix b/nixos/modules/programs/cfs-zen-tweaks.nix new file mode 100644 index 00000000000..f168662bbef --- /dev/null +++ b/nixos/modules/programs/cfs-zen-tweaks.nix @@ -0,0 +1,28 @@ +# CFS Zen Tweaks + +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.programs.cfs-zen-tweaks; + +in + +{ + + meta = { + maintainers = with maintainers; [ mkg20001 ]; + }; + + options = { + programs.cfs-zen-tweaks.enable = mkEnableOption "CFS Zen Tweaks"; + }; + + config = mkIf cfg.enable { + systemd.packages = [ pkgs.cfs-zen-tweaks ]; + + systemd.services.set-cfs-tweak.wantedBy = [ "multi-user.target" "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ]; + }; +} diff --git a/nixos/modules/programs/clickshare.nix b/nixos/modules/programs/clickshare.nix deleted file mode 100644 index 9980a7daf52..00000000000 --- a/nixos/modules/programs/clickshare.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - options.programs.clickshare-csc1.enable = - lib.options.mkEnableOption '' - Barco ClickShare CSC-1 driver/client. - This allows users in the <literal>clickshare</literal> - group to access and use a ClickShare USB dongle - that is connected to the machine - ''; - - config = lib.modules.mkIf config.programs.clickshare-csc1.enable { - environment.systemPackages = [ pkgs.clickshare-csc1 ]; - services.udev.packages = [ pkgs.clickshare-csc1 ]; - users.groups.clickshare = {}; - }; - - meta.maintainers = [ lib.maintainers.yarny ]; - -} diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index b41f30287ea..7d8ab7dda96 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -17,7 +17,7 @@ let else if xserverCfg.enable || config.programs.sway.enable then "gnome3" else - null; + "curses"; in diff --git a/nixos/modules/programs/haguichi.nix b/nixos/modules/programs/haguichi.nix new file mode 100644 index 00000000000..4f48551cf1d --- /dev/null +++ b/nixos/modules/programs/haguichi.nix @@ -0,0 +1,15 @@ +{ lib, pkgs, config, ... }: + +with lib; + +{ + options.programs.haguichi = { + enable = mkEnableOption "Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi"; + }; + + config = mkIf config.programs.haguichi.enable { + environment.systemPackages = with pkgs; [ haguichi ]; + + services.logmein-hamachi.enable = true; + }; +} diff --git a/nixos/modules/programs/k3b.nix b/nixos/modules/programs/k3b.nix new file mode 100644 index 00000000000..68a4d08f349 --- /dev/null +++ b/nixos/modules/programs/k3b.nix @@ -0,0 +1,52 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + # interface + options.programs.k3b = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable k3b, the KDE disk burning application. + + Additionally to installing <package>k3b</package> enabling this will + add <literal>setuid</literal> wrappers in <literal>/run/wrappers/bin</literal> + for both <package>cdrdao</package> and <package>cdrecord</package>. On first + run you must manually configure the path of <package>cdrdae</package> and + <package>cdrecord</package> to correspond to the appropriate paths under + <literal>/run/wrappers/bin</literal> in the "Setup External Programs" menu. + ''; + }; + }; + + # implementation + config = mkIf config.programs.k3b.enable { + + environment.systemPackages = with pkgs; [ + k3b + dvdplusrwtools + cdrdao + cdrkit + ]; + + security.wrappers = { + cdrdao = { + setuid = true; + owner = "root"; + group = "cdrom"; + permissions = "u+wrx,g+x"; + source = "${pkgs.cdrdao}/bin/cdrdao"; + }; + cdrecord = { + setuid = true; + owner = "root"; + group = "cdrom"; + permissions = "u+wrx,g+x"; + source = "${pkgs.cdrkit}/bin/cdrecord"; + }; + }; + + }; +} diff --git a/nixos/modules/programs/kdeconnect.nix b/nixos/modules/programs/kdeconnect.nix index df698e84dd7..10d6e18a3d1 100644 --- a/nixos/modules/programs/kdeconnect.nix +++ b/nixos/modules/programs/kdeconnect.nix @@ -12,8 +12,8 @@ with lib; implementation if you use Gnome. ''; package = mkOption { - default = pkgs.kdeconnect; - defaultText = literalExpression "pkgs.kdeconnect"; + default = pkgs.plasma5Packages.kdeconnect-kde; + defaultText = literalExpression "pkgs.plasma5Packages.kdeconnect-kde"; type = types.package; example = literalExpression "pkgs.gnomeExtensions.gsconnect"; description = '' diff --git a/nixos/modules/programs/nix-ld.nix b/nixos/modules/programs/nix-ld.nix index 810a74ab50b..89779cfef39 100644 --- a/nixos/modules/programs/nix-ld.nix +++ b/nixos/modules/programs/nix-ld.nix @@ -5,8 +5,6 @@ programs.nix-ld.enable = lib.mkEnableOption ''nix-ld, Documentation: <link xlink:href="https://github.com/Mic92/nix-ld"/>''; }; config = lib.mkIf config.programs.nix-ld.enable { - systemd.tmpfiles.rules = [ - "L+ ${pkgs.nix-ld.ldPath} - - - - ${pkgs.nix-ld}/libexec/nix-ld" - ]; + systemd.tmpfiles.packages = [ pkgs.nix-ld ]; }; } diff --git a/nixos/modules/programs/openvpn3.nix b/nixos/modules/programs/openvpn3.nix new file mode 100644 index 00000000000..f3101d3cebd --- /dev/null +++ b/nixos/modules/programs/openvpn3.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.openvpn3; +in +{ + options.programs.openvpn3 = { + enable = mkEnableOption "the openvpn3 client"; + }; + + config = mkIf cfg.enable { + services.dbus.packages = with pkgs; [ + openvpn3 + ]; + + users.users.openvpn = { + isSystemUser = true; + uid = config.ids.uids.openvpn; + group = "openvpn"; + }; + + users.groups.openvpn = { + gid = config.ids.gids.openvpn; + }; + + environment.systemPackages = with pkgs; [ + openvpn3 + ]; + }; + +} diff --git a/nixos/modules/programs/thefuck.nix b/nixos/modules/programs/thefuck.nix index b909916158d..18d09e26866 100644 --- a/nixos/modules/programs/thefuck.nix +++ b/nixos/modules/programs/thefuck.nix @@ -6,9 +6,12 @@ let prg = config.programs; cfg = prg.thefuck; - initScript = '' + bashAndZshInitScript = '' eval $(${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias}) ''; + fishInitScript = '' + ${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias} | source + ''; in { options = { @@ -30,10 +33,8 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ thefuck ]; - programs.bash.interactiveShellInit = initScript; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable initScript; - programs.fish.interactiveShellInit = mkIf prg.fish.enable '' - ${pkgs.thefuck}/bin/thefuck --alias | source - ''; + programs.bash.interactiveShellInit = bashAndZshInitScript; + programs.zsh.interactiveShellInit = mkIf prg.zsh.enable bashAndZshInitScript; + programs.fish.interactiveShellInit = mkIf prg.fish.enable fishInitScript; }; } diff --git a/nixos/modules/programs/thunar.nix b/nixos/modules/programs/thunar.nix new file mode 100644 index 00000000000..5ea2982dd93 --- /dev/null +++ b/nixos/modules/programs/thunar.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.thunar; + +in { + meta = { + maintainers = teams.xfce.members; + }; + + options = { + programs.thunar = { + enable = mkEnableOption "Thunar, the Xfce file manager"; + + plugins = mkOption { + default = []; + type = types.listOf types.package; + description = "List of thunar plugins to install."; + example = literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]"; + }; + + }; + }; + + config = mkIf cfg.enable ( + let package = pkgs.xfce.thunar.override { thunarPlugins = cfg.plugins; }; + + in { + environment.systemPackages = [ + package + ]; + + services.dbus.packages = [ + package + ]; + + systemd.packages = [ + package + ]; + + programs.xfconf.enable = true; + } + ); +} diff --git a/nixos/modules/programs/xfconf.nix b/nixos/modules/programs/xfconf.nix new file mode 100644 index 00000000000..8e854b40e51 --- /dev/null +++ b/nixos/modules/programs/xfconf.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.xfconf; + +in { + meta = { + maintainers = teams.xfce.members; + }; + + options = { + programs.xfconf = { + enable = mkEnableOption "Xfconf, the Xfce configuration storage system"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + pkgs.xfce.xfconf + ]; + + services.dbus.packages = [ + pkgs.xfce.xfconf + ]; + }; +} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 1d226276493..7a6a6b5ed30 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -97,6 +97,7 @@ with lib; (mkRemovedOptionModule [ "services" "gogoclient" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "virtuoso" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "openfire" ] "The corresponding package was removed from nixpkgs.") + (mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.") # Do NOT add any option renames here, see top of the file ]; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 530304b497a..23d1344a57a 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -492,7 +492,7 @@ let auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} '') + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' - auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} + auth requisite ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} '') + (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} @@ -626,7 +626,7 @@ let session optional ${pkgs.otpw}/lib/security/pam_otpw.so '' + optionalString cfg.startSession '' - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${config.systemd.package}/lib/security/pam_systemd.so '' + optionalString cfg.forwardXAuth '' session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 @@ -1131,7 +1131,7 @@ in ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] - ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] + ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ] ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ] ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; @@ -1221,7 +1221,7 @@ in mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, '' + optionalString (isEnabled (cfg: cfg.oathAuth)) '' - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, '' + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, @@ -1242,7 +1242,7 @@ in mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so, '' + optionalString (isEnabled (cfg: cfg.startSession)) '' - mr ${pkgs.systemd}/lib/security/pam_systemd.so, + mr ${config.systemd.package}/lib/security/pam_systemd.so, '' + optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) '' diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index f3a2de3bf87..07b725effb7 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -22,16 +22,17 @@ in { options.confinement.fullUnit = lib.mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables. - <warning><para>While it may be tempting to just enable this option to + ::: {.warning} + While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn't anticipate. It's better - to use <option>confinement.packages</option> to <emphasis - role="strong">explicitly</emphasis> add additional store paths to the - chroot.</para></warning> + to use {option}`confinement.packages` to **explicitly** add additional store paths to the + chroot. + ::: ''; }; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index e63f19010de..169ef744262 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -98,7 +98,7 @@ let # Prevent races chmod 0000 "$wrapperDir/${program}" - chown ${owner}.${group} "$wrapperDir/${program}" + chown ${owner}:${group} "$wrapperDir/${program}" # Set desired capabilities on the file plus cap_setpcap so # the wrapper program can elevate the capabilities set on @@ -126,7 +126,7 @@ let # Prevent races chmod 0000 "$wrapperDir/${program}" - chown ${owner}.${group} "$wrapperDir/${program}" + chown ${owner}:${group} "$wrapperDir/${program}" chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}" ''; diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 529669facda..a21ec500208 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -2,12 +2,12 @@ #include <stdio.h> #include <string.h> #include <unistd.h> +#include <stdnoreturn.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/xattr.h> #include <fcntl.h> #include <dirent.h> -#include <assert.h> #include <errno.h> #include <linux/capability.h> #include <sys/prctl.h> @@ -16,10 +16,7 @@ #include <syscall.h> #include <byteswap.h> -// Make sure assertions are not compiled out, we use them to codify -// invariants about this program and we want it to fail fast and -// loudly if they are violated. -#undef NDEBUG +#define ASSERT(expr) ((expr) ? (void) 0 : assert_failure(#expr)) extern char **environ; @@ -38,6 +35,12 @@ static char *wrapper_debug = "WRAPPER_DEBUG"; #define LE32_TO_H(x) (x) #endif +static noreturn void assert_failure(const char *assertion) { + fprintf(stderr, "Assertion `%s` in NixOS's wrapper.c failed.\n", assertion); + fflush(stderr); + abort(); +} + int get_last_cap(unsigned *last_cap) { FILE* file = fopen("/proc/sys/kernel/cap_last_cap", "r"); if (file == NULL) { @@ -167,6 +170,7 @@ int readlink_malloc(const char *p, char **ret) { } int main(int argc, char **argv) { + ASSERT(argc >= 1); char *self_path = NULL; int self_path_size = readlink_malloc("/proc/self/exe", &self_path); if (self_path_size < 0) { @@ -181,36 +185,36 @@ int main(int argc, char **argv) { int len = strlen(wrapper_dir); if (len > 0 && '/' == wrapper_dir[len - 1]) --len; - assert(!strncmp(self_path, wrapper_dir, len)); - assert('/' == wrapper_dir[0]); - assert('/' == self_path[len]); + ASSERT(!strncmp(self_path, wrapper_dir, len)); + ASSERT('/' == wrapper_dir[0]); + ASSERT('/' == self_path[len]); // Make *really* *really* sure that we were executed as // `self_path', and not, say, as some other setuid program. That // is, our effective uid/gid should match the uid/gid of // `self_path'. struct stat st; - assert(lstat(self_path, &st) != -1); + ASSERT(lstat(self_path, &st) != -1); - assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); - assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); + ASSERT(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); + ASSERT(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); // And, of course, we shouldn't be writable. - assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); + ASSERT(!(st.st_mode & (S_IWGRP | S_IWOTH))); // Read the path of the real (wrapped) program from <self>.real. char real_fn[PATH_MAX + 10]; int real_fn_size = snprintf(real_fn, sizeof(real_fn), "%s.real", self_path); - assert(real_fn_size < sizeof(real_fn)); + ASSERT(real_fn_size < sizeof(real_fn)); int fd_self = open(real_fn, O_RDONLY); - assert(fd_self != -1); + ASSERT(fd_self != -1); char source_prog[PATH_MAX]; len = read(fd_self, source_prog, PATH_MAX); - assert(len != -1); - assert(len < sizeof(source_prog)); - assert(len > 0); + ASSERT(len != -1); + ASSERT(len < sizeof(source_prog)); + ASSERT(len > 0); source_prog[len] = 0; close(fd_self); diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index 586b9ffa688..11733d99fca 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -215,6 +215,7 @@ in { systemd.sockets.mpd = mkIf cfg.startWhenNeeded { wantedBy = [ "sockets.target" ]; listenStreams = [ + "" # Note: this is needed to override the upstream unit (if pkgs.lib.hasPrefix "/" cfg.network.listenAddress then cfg.network.listenAddress else "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}") diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix index 3660e05310b..319212c0207 100644 --- a/nixos/modules/services/audio/navidrome.nix +++ b/nixos/modules/services/audio/navidrome.nix @@ -45,7 +45,10 @@ in { RootDirectory = "/run/navidrome"; ReadWritePaths = ""; BindReadOnlyPaths = [ + # navidrome uses online services to download additional album metadata / covers + "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir + "/etc" ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; diff --git a/nixos/modules/services/backup/automysqlbackup.nix b/nixos/modules/services/backup/automysqlbackup.nix index fd2764a40ad..cf0cb4da32c 100644 --- a/nixos/modules/services/backup/automysqlbackup.nix +++ b/nixos/modules/services/backup/automysqlbackup.nix @@ -112,7 +112,7 @@ in services.mysql.ensureUsers = optional (config.services.mysql.enable && cfg.config.mysql_dump_host == "localhost") { name = user; - ensurePermissions = { "*.*" = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES"; }; + ensurePermissions = { "*.*" = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES, EVENT"; }; }; }; diff --git a/nixos/modules/services/backup/borgmatic.nix b/nixos/modules/services/backup/borgmatic.nix index 5e5c0bbeccc..9414d78aa75 100644 --- a/nixos/modules/services/backup/borgmatic.nix +++ b/nixos/modules/services/backup/borgmatic.nix @@ -4,7 +4,8 @@ with lib; let cfg = config.services.borgmatic; - cfgfile = pkgs.writeText "config.yaml" (builtins.toJSON cfg.settings); + settingsFormat = pkgs.formats.yaml { }; + cfgfile = settingsFormat.generate "config.yaml" cfg.settings; in { options.services.borgmatic = { enable = mkEnableOption "borgmatic"; @@ -14,7 +15,7 @@ in { See https://torsion.org/borgmatic/docs/reference/configuration/ ''; type = types.submodule { - freeformType = with lib.types; attrsOf anything; + freeformType = settingsFormat.type; options.location = { source_directories = mkOption { type = types.listOf types.str; diff --git a/nixos/modules/services/backup/btrbk.nix b/nixos/modules/services/backup/btrbk.nix index 0c00b934405..e17761ffc3c 100644 --- a/nixos/modules/services/backup/btrbk.nix +++ b/nixos/modules/services/backup/btrbk.nix @@ -1,18 +1,36 @@ { config, pkgs, lib, ... }: let + inherit (lib) + concatMapStringsSep + concatStringsSep + filterAttrs + flatten + isAttrs + isString + literalExpression + mapAttrs' + mapAttrsToList + mkIf + mkOption + optionalString + partition + typeOf + types + ; + cfg = config.services.btrbk; sshEnabled = cfg.sshAccess != [ ]; serviceEnabled = cfg.instances != { }; attr2Lines = attr: let - pairs = lib.attrsets.mapAttrsToList (name: value: { inherit name value; }) attr; + pairs = mapAttrsToList (name: value: { inherit name value; }) attr; isSubsection = value: - if builtins.isAttrs value then true - else if builtins.isString value then false - else throw "invalid type in btrbk config ${builtins.typeOf value}"; - sortedPairs = lib.lists.partition (x: isSubsection x.value) pairs; + if isAttrs value then true + else if isString value then false + else throw "invalid type in btrbk config ${typeOf value}"; + sortedPairs = partition (x: isSubsection x.value) pairs; in - lib.flatten ( + flatten ( # non subsections go first ( map (pair: [ "${pair.name} ${pair.value}" ]) sortedPairs.wrong @@ -22,7 +40,7 @@ let map ( pair: - lib.mapAttrsToList + mapAttrsToList ( childname: value: [ "${pair.name} ${childname}" ] ++ (map (x: " " + x) (attr2Lines value)) @@ -34,7 +52,7 @@ let ) ; addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings; - mkConfigFile = settings: lib.concatStringsSep "\n" (attr2Lines (addDefaults settings)); + mkConfigFile = settings: concatStringsSep "\n" (attr2Lines (addDefaults settings)); mkTestedConfigFile = name: settings: let configFile = pkgs.writeText "btrbk-${name}.conf" (mkConfigFile settings); @@ -51,37 +69,42 @@ let ''; in { + meta.maintainers = with lib.maintainers; [ oxalica ]; + options = { services.btrbk = { - extraPackages = lib.mkOption { + extraPackages = mkOption { description = "Extra packages for btrbk, like compression utilities for <literal>stream_compress</literal>"; - type = lib.types.listOf lib.types.package; + type = types.listOf types.package; default = [ ]; - example = lib.literalExpression "[ pkgs.xz ]"; + example = literalExpression "[ pkgs.xz ]"; }; - niceness = lib.mkOption { + niceness = mkOption { description = "Niceness for local instances of btrbk. Also applies to remote ones connecting via ssh when positive."; - type = lib.types.ints.between (-20) 19; + type = types.ints.between (-20) 19; default = 10; }; - ioSchedulingClass = lib.mkOption { + ioSchedulingClass = mkOption { description = "IO scheduling class for btrbk (see ionice(1) for a quick description). Applies to local instances, and remote ones connecting by ssh if set to idle."; - type = lib.types.enum [ "idle" "best-effort" "realtime" ]; + type = types.enum [ "idle" "best-effort" "realtime" ]; default = "best-effort"; }; - instances = lib.mkOption { + instances = mkOption { description = "Set of btrbk instances. The instance named <literal>btrbk</literal> is the default one."; - type = with lib.types; + type = with types; attrsOf ( submodule { options = { - onCalendar = lib.mkOption { - type = lib.types.str; + onCalendar = mkOption { + type = types.nullOr types.str; default = "daily"; - description = "How often this btrbk instance is started. See systemd.time(7) for more information about the format."; + description = '' + How often this btrbk instance is started. See systemd.time(7) for more information about the format. + Setting it to null disables the timer, thus this instance can only be started manually. + ''; }; - settings = lib.mkOption { - type = let t = lib.types.attrsOf (lib.types.either lib.types.str (t // { description = "instances of this type recursively"; })); in t; + settings = mkOption { + type = let t = types.attrsOf (types.either types.str (t // { description = "instances of this type recursively"; })); in t; default = { }; example = { snapshot_preserve_min = "2d"; @@ -103,16 +126,16 @@ in ); default = { }; }; - sshAccess = lib.mkOption { + sshAccess = mkOption { description = "SSH keys that should be able to make or push snapshots on this system remotely with btrbk"; - type = with lib.types; listOf ( + type = with types; listOf ( submodule { options = { - key = lib.mkOption { + key = mkOption { type = str; description = "SSH public key allowed to login as user <literal>btrbk</literal> to run remote backups."; }; - roles = lib.mkOption { + roles = mkOption { type = listOf (enum [ "info" "source" "target" "delete" "snapshot" "send" "receive" ]); example = [ "source" "info" "send" ]; description = "What actions can be performed with this SSH key. See ssh_filter_btrbk(1) for details"; @@ -125,7 +148,7 @@ in }; }; - config = lib.mkIf (sshEnabled || serviceEnabled) { + config = mkIf (sshEnabled || serviceEnabled) { environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages; security.sudo.extraRules = [ { @@ -152,14 +175,14 @@ in ( v: let - options = lib.concatMapStringsSep " " (x: "--" + x) v.roles; + options = concatMapStringsSep " " (x: "--" + x) v.roles; ioniceClass = { "idle" = 3; "best-effort" = 2; "realtime" = 1; }.${cfg.ioSchedulingClass}; in - ''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${lib.optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo ${options}" ${v.key}'' + ''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo ${options}" ${v.key}'' ) cfg.sshAccess; }; @@ -169,7 +192,7 @@ in "d /var/lib/btrbk/.ssh 0700 btrbk btrbk" "f /var/lib/btrbk/.ssh/config 0700 btrbk btrbk - StrictHostKeyChecking=accept-new" ]; - environment.etc = lib.mapAttrs' + environment.etc = mapAttrs' ( name: instance: { name = "btrbk/${name}.conf"; @@ -177,7 +200,7 @@ in } ) cfg.instances; - systemd.services = lib.mapAttrs' + systemd.services = mapAttrs' ( name: _: { name = "btrbk-${name}"; @@ -199,7 +222,7 @@ in ) cfg.instances; - systemd.timers = lib.mapAttrs' + systemd.timers = mapAttrs' ( name: instance: { name = "btrbk-${name}"; @@ -214,7 +237,8 @@ in }; } ) - cfg.instances; + (filterAttrs (name: instance: instance.onCalendar != null) + cfg.instances); }; } diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index 8ff8e31864b..333fdd494e3 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -96,13 +96,22 @@ in }; repository = mkOption { - type = types.str; + type = with types; nullOr str; + default = null; description = '' repository to backup to. ''; example = "sftp:backup@192.168.1.100:/backups/${name}"; }; + repositoryFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + Path to the file containing the repository location to backup to. + ''; + }; + paths = mkOption { type = types.nullOr (types.listOf types.str); default = null; @@ -142,7 +151,7 @@ in extraBackupArgs = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Extra arguments passed to restic backup. ''; @@ -153,7 +162,7 @@ in extraOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Extra extended options to be passed to the restic --option flag. ''; @@ -172,7 +181,7 @@ in pruneOpts = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' A list of options (--keep-* et al.) for 'restic forget --prune', to automatically prune old snapshots. The @@ -197,9 +206,25 @@ in ''; example = "find /home/matt/git -type d -name .git"; }; + + backupPrepareCommand = mkOption { + type = with types; nullOr str; + default = null; + description = '' + A script that must run before starting the backup process. + ''; + }; + + backupCleanupCommand = mkOption { + type = with types; nullOr str; + default = null; + description = '' + A script that must run after finishing the backup process. + ''; + }; }; })); - default = {}; + default = { }; example = { localbackup = { paths = [ "/home" ]; @@ -225,66 +250,85 @@ in config = { warnings = mapAttrsToList (n: v: "services.restic.backups.${n}.s3CredentialsFile is deprecated, please use services.restic.backups.${n}.environmentFile instead.") (filterAttrs (n: v: v.s3CredentialsFile != null) config.services.restic.backups); systemd.services = - mapAttrs' (name: backup: - let - extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions; - resticCmd = "${pkgs.restic}/bin/restic${extraOptions}"; - filesFromTmpFile = "/run/restic-backups-${name}/includes"; - backupPaths = if (backup.dynamicFilesFrom == null) - then if (backup.paths != null) then concatStringsSep " " backup.paths else "" - else "--files-from ${filesFromTmpFile}"; - pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ - ( resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts) ) - ( resticCmd + " check" ) - ]; - # Helper functions for rclone remotes - rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1; - rcloneAttrToOpt = v: "RCLONE_" + toUpper (builtins.replaceStrings [ "-" ] [ "_" ] v); - rcloneAttrToConf = v: "RCLONE_CONFIG_" + toUpper (rcloneRemoteName + "_" + v); - toRcloneVal = v: if lib.isBool v then lib.boolToString v else v; - in nameValuePair "restic-backups-${name}" ({ - environment = { - RESTIC_PASSWORD_FILE = backup.passwordFile; - RESTIC_REPOSITORY = backup.repository; - } // optionalAttrs (backup.rcloneOptions != null) (mapAttrs' (name: value: - nameValuePair (rcloneAttrToOpt name) (toRcloneVal value) - ) backup.rcloneOptions) // optionalAttrs (backup.rcloneConfigFile != null) { - RCLONE_CONFIG = backup.rcloneConfigFile; - } // optionalAttrs (backup.rcloneConfig != null) (mapAttrs' (name: value: - nameValuePair (rcloneAttrToConf name) (toRcloneVal value) - ) backup.rcloneConfig); - path = [ pkgs.openssh ]; - restartIfChanged = false; - serviceConfig = { - Type = "oneshot"; - ExecStart = (optionals (backupPaths != "") [ "${resticCmd} backup --cache-dir=%C/restic-backups-${name} ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ]) - ++ pruneCmd; - User = backup.user; - RuntimeDirectory = "restic-backups-${name}"; - CacheDirectory = "restic-backups-${name}"; - CacheDirectoryMode = "0700"; - } // optionalAttrs (backup.environmentFile != null) { - EnvironmentFile = backup.environmentFile; - }; - } // optionalAttrs (backup.initialize || backup.dynamicFilesFrom != null) { - preStart = '' - ${optionalString (backup.initialize) '' - ${resticCmd} snapshots || ${resticCmd} init - ''} - ${optionalString (backup.dynamicFilesFrom != null) '' - ${pkgs.writeScript "dynamicFilesFromScript" backup.dynamicFilesFrom} > ${filesFromTmpFile} - ''} - ''; - } // optionalAttrs (backup.dynamicFilesFrom != null) { - postStart = '' - rm ${filesFromTmpFile} - ''; - }) - ) config.services.restic.backups; + mapAttrs' + (name: backup: + let + extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions; + resticCmd = "${pkgs.restic}/bin/restic${extraOptions}"; + filesFromTmpFile = "/run/restic-backups-${name}/includes"; + backupPaths = + if (backup.dynamicFilesFrom == null) + then if (backup.paths != null) then concatStringsSep " " backup.paths else "" + else "--files-from ${filesFromTmpFile}"; + pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ + (resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts)) + (resticCmd + " check") + ]; + # Helper functions for rclone remotes + rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1; + rcloneAttrToOpt = v: "RCLONE_" + toUpper (builtins.replaceStrings [ "-" ] [ "_" ] v); + rcloneAttrToConf = v: "RCLONE_CONFIG_" + toUpper (rcloneRemoteName + "_" + v); + toRcloneVal = v: if lib.isBool v then lib.boolToString v else v; + in + nameValuePair "restic-backups-${name}" ({ + environment = { + RESTIC_PASSWORD_FILE = backup.passwordFile; + RESTIC_REPOSITORY = backup.repository; + RESTIC_REPOSITORY_FILE = backup.repositoryFile; + } // optionalAttrs (backup.rcloneOptions != null) (mapAttrs' + (name: value: + nameValuePair (rcloneAttrToOpt name) (toRcloneVal value) + ) + backup.rcloneOptions) // optionalAttrs (backup.rcloneConfigFile != null) { + RCLONE_CONFIG = backup.rcloneConfigFile; + } // optionalAttrs (backup.rcloneConfig != null) (mapAttrs' + (name: value: + nameValuePair (rcloneAttrToConf name) (toRcloneVal value) + ) + backup.rcloneConfig); + path = [ pkgs.openssh ]; + restartIfChanged = false; + serviceConfig = { + Type = "oneshot"; + ExecStart = (optionals (backupPaths != "") [ "${resticCmd} backup --cache-dir=%C/restic-backups-${name} ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ]) + ++ pruneCmd; + User = backup.user; + RuntimeDirectory = "restic-backups-${name}"; + CacheDirectory = "restic-backups-${name}"; + CacheDirectoryMode = "0700"; + } // optionalAttrs (backup.environmentFile != null) { + EnvironmentFile = backup.environmentFile; + }; + } // optionalAttrs (backup.initialize || backup.dynamicFilesFrom != null || backup.backupPrepareCommand != null) { + preStart = '' + ${optionalString (backup.backupPrepareCommand != null) '' + ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand} + ''} + ${optionalString (backup.initialize) '' + ${resticCmd} snapshots || ${resticCmd} init + ''} + ${optionalString (backup.dynamicFilesFrom != null) '' + ${pkgs.writeScript "dynamicFilesFromScript" backup.dynamicFilesFrom} > ${filesFromTmpFile} + ''} + ''; + } // optionalAttrs (backup.dynamicFilesFrom != null || backup.backupCleanupCommand != null) { + postStart = '' + ${optionalString (backup.backupCleanupCommand != null) '' + ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand} + ''} + ${optionalString (backup.dynamicFilesFrom != null) '' + rm ${filesFromTmpFile} + ''} + ''; + }) + ) + config.services.restic.backups; systemd.timers = - mapAttrs' (name: backup: nameValuePair "restic-backups-${name}" { - wantedBy = [ "timers.target" ]; - timerConfig = backup.timerConfig; - }) config.services.restic.backups; + mapAttrs' + (name: backup: nameValuePair "restic-backups-${name}" { + wantedBy = [ "timers.target" ]; + timerConfig = backup.timerConfig; + }) + config.services.restic.backups; }; } diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix index 3a36cfa3f37..421aa0aac60 100644 --- a/nixos/modules/services/cluster/k3s/default.nix +++ b/nixos/modules/services/cluster/k3s/default.nix @@ -3,8 +3,14 @@ with lib; let cfg = config.services.k3s; + removeOption = config: instruction: + lib.mkRemovedOptionModule ([ "services" "k3s" ] ++ config) instruction; in { + imports = [ + (removeOption [ "docker" ] "k3s docker option is no longer supported.") + ]; + # interface options.services.k3s = { enable = mkEnableOption "k3s"; @@ -48,12 +54,6 @@ in default = null; }; - docker = mkOption { - type = types.bool; - default = false; - description = "Use docker to run containers rather than the built-in containerd."; - }; - extraFlags = mkOption { description = "Extra flags to pass to the k3s command."; type = types.str; @@ -88,14 +88,11 @@ in } ]; - virtualisation.docker = mkIf cfg.docker { - enable = mkDefault true; - }; environment.systemPackages = [ config.services.k3s.package ]; systemd.services.k3s = { description = "k3s service"; - after = [ "network.service" "firewall.service" ] ++ (optional cfg.docker "docker.service"); + after = [ "network.service" "firewall.service" ]; wants = [ "network.service" "firewall.service" ]; wantedBy = [ "multi-user.target" ]; path = optional config.boot.zfs.enabled config.boot.zfs.package; @@ -113,8 +110,8 @@ in ExecStart = concatStringsSep " \\\n " ( [ "${cfg.package}/bin/k3s ${cfg.role}" - ] ++ (optional cfg.docker "--docker") - ++ (optional (cfg.docker && config.systemd.enableUnifiedCgroupHierarchy) "--kubelet-arg=cgroup-driver=systemd") + ] + ++ (optional (config.systemd.enableUnifiedCgroupHierarchy) "--kubelet-arg=cgroup-driver=systemd") ++ (optional cfg.disableAgent "--disable-agent") ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}") ++ (optional (cfg.token != "") "--token ${cfg.token}") diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 8cbe54c6060..b9792fd1334 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -361,8 +361,13 @@ in ++ lib.optional cfg.enableSrunX11 slurm-spank-x11; wantedBy = [ "multi-user.target" ]; - after = [ "systemd-tmpfiles-clean.service" ]; - requires = [ "network.target" ]; + after = [ + "systemd-tmpfiles-clean.service" + "munge.service" + "network-online.target" + "remote-fs.target" + ]; + wants = [ "network-online.target" ]; serviceConfig = { Type = "forking"; @@ -371,6 +376,7 @@ in PIDFile = "/run/slurmd.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; LimitMEMLOCK = "infinity"; + Delegate="Yes"; }; }; diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index dc58c634523..85ac0fb2a89 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -36,12 +36,12 @@ let # register new services ${concatStringsSep "\n" (mapAttrsToList (name: service: '' - if echo "$NEW_SERVICES" | grep -xq ${name}; then + if echo "$NEW_SERVICES" | grep -xq "${name}"; then bash -c ${escapeShellArg (concatStringsSep " \\\n " ([ "set -a && source ${service.registrationConfigFile} &&" "gitlab-runner register" "--non-interactive" - "--name ${name}" + (if service.description != null then "--description \"${service.description}\"" else "--name '${name}'") "--executor ${service.executor}" "--limit ${toString service.limit}" "--request-concurrency ${toString service.requestConcurrency}" @@ -365,6 +365,13 @@ in with <literal>RUNNER_ENV</literal> variable set. ''; }; + description = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Name/description of the runner. + ''; + }; executor = mkOption { type = types.str; default = "docker"; diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index cc5de97d6d1..87806d48e89 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -99,8 +99,8 @@ in package = mkOption { type = types.package; - default = pkgs.hydra-unstable; - defaultText = literalExpression "pkgs.hydra-unstable"; + default = pkgs.hydra_unstable; + defaultText = literalExpression "pkgs.hydra_unstable"; description = "The Hydra package."; }; @@ -300,17 +300,21 @@ in }; preStart = '' mkdir -p ${baseDir} - chown hydra.hydra ${baseDir} + chown hydra:hydra ${baseDir} chmod 0750 ${baseDir} ln -sf ${hydraConf} ${baseDir}/hydra.conf mkdir -m 0700 -p ${baseDir}/www - chown hydra-www.hydra ${baseDir}/www + chown hydra-www:hydra ${baseDir}/www mkdir -m 0700 -p ${baseDir}/queue-runner mkdir -m 0750 -p ${baseDir}/build-logs - chown hydra-queue-runner.hydra ${baseDir}/queue-runner ${baseDir}/build-logs + mkdir -m 0750 -p ${baseDir}/runcommand-logs + chown hydra-queue-runner.hydra \ + ${baseDir}/queue-runner \ + ${baseDir}/build-logs \ + ${baseDir}/runcommand-logs ${optionalString haveLocalDB '' if ! [ -e ${baseDir}/.db-created ]; then @@ -338,7 +342,7 @@ in rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots fi - chown hydra.hydra ${cfg.gcRootsDir} + chown hydra:hydra ${cfg.gcRootsDir} chmod 2775 ${cfg.gcRootsDir} ''; serviceConfig.ExecStart = "${hydra-package}/bin/hydra-init"; diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index b36cac35e7c..b457e69baba 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -4,11 +4,12 @@ let inherit (lib) concatStringsSep flip - literalDocBook + literalMD literalExpression optionalAttrs optionals recursiveUpdate + mdDoc mkEnableOption mkIf mkOption @@ -107,7 +108,7 @@ in clusterName = mkOption { type = types.str; default = "Test Cluster"; - description = '' + description = mdDoc '' The name of the cluster. This setting prevents nodes in one logical cluster from joining another. All nodes in a cluster must have the same value. @@ -117,19 +118,19 @@ in user = mkOption { type = types.str; default = defaultUser; - description = "Run Apache Cassandra under this user."; + description = mdDoc "Run Apache Cassandra under this user."; }; group = mkOption { type = types.str; default = defaultUser; - description = "Run Apache Cassandra under this group."; + description = mdDoc "Run Apache Cassandra under this group."; }; homeDir = mkOption { type = types.path; default = "/var/lib/cassandra"; - description = '' + description = mdDoc '' Home directory for Apache Cassandra. ''; }; @@ -139,7 +140,7 @@ in default = pkgs.cassandra; defaultText = literalExpression "pkgs.cassandra"; example = literalExpression "pkgs.cassandra_3_11"; - description = '' + description = mdDoc '' The Apache Cassandra package to use. ''; }; @@ -147,8 +148,8 @@ in jvmOpts = mkOption { type = types.listOf types.str; default = [ ]; - description = '' - Populate the JVM_OPT environment variable. + description = mdDoc '' + Populate the `JVM_OPT` environment variable. ''; }; @@ -156,20 +157,20 @@ in type = types.nullOr types.str; default = "127.0.0.1"; example = null; - description = '' + description = mdDoc '' Address or interface to bind to and tell other Cassandra nodes to connect to. You _must_ change this if you want multiple nodes to be able to communicate! - Set listenAddress OR listenInterface, not both. + Set {option}`listenAddress` OR {option}`listenInterface`, not both. Leaving it blank leaves it up to - InetAddress.getLocalHost(). This will always do the Right - Thing _if_ the node is properly configured (hostname, name + `InetAddress.getLocalHost()`. This will always do the "Right + Thing" _if_ the node is properly configured (hostname, name resolution, etc), and the Right Thing is to use the address associated with the hostname (it might not be). - Setting listen_address to 0.0.0.0 is always wrong. + Setting {option}`listenAddress` to `0.0.0.0` is always wrong. ''; }; @@ -177,8 +178,8 @@ in type = types.nullOr types.str; default = null; example = "eth1"; - description = '' - Set listenAddress OR listenInterface, not both. Interfaces + description = mdDoc '' + Set `listenAddress` OR `listenInterface`, not both. Interfaces must correspond to a single address, IP aliasing is not supported. ''; @@ -188,18 +189,18 @@ in type = types.nullOr types.str; default = "127.0.0.1"; example = null; - description = '' + description = mdDoc '' The address or interface to bind the native transport server to. - Set rpcAddress OR rpcInterface, not both. + Set {option}`rpcAddress` OR {option}`rpcInterface`, not both. - Leaving rpcAddress blank has the same effect as on - listenAddress (i.e. it will be based on the configured hostname + Leaving {option}`rpcAddress` blank has the same effect as on + {option}`listenAddress` (i.e. it will be based on the configured hostname of the node). - Note that unlike listenAddress, you can specify 0.0.0.0, but you - must also set extraConfig.broadcast_rpc_address to a value other - than 0.0.0.0. + Note that unlike {option}`listenAddress`, you can specify `"0.0.0.0"`, but you + must also set `extraConfig.broadcast_rpc_address` to a value other + than `"0.0.0.0"`. For security reasons, you should not expose this port to the internet. Firewall it if needed. @@ -210,8 +211,8 @@ in type = types.nullOr types.str; default = null; example = "eth1"; - description = '' - Set rpcAddress OR rpcInterface, not both. Interfaces must + description = mdDoc '' + Set {option}`rpcAddress` OR {option}`rpcInterface`, not both. Interfaces must correspond to a single address, IP aliasing is not supported. ''; }; @@ -233,7 +234,7 @@ in <logger name="com.thinkaurelius.thrift" level="ERROR"/> </configuration> ''; - description = '' + description = mdDoc '' XML logback configuration for cassandra ''; }; @@ -241,24 +242,24 @@ in seedAddresses = mkOption { type = types.listOf types.str; default = [ "127.0.0.1" ]; - description = '' + description = mdDoc '' The addresses of hosts designated as contact points in the cluster. A joining node contacts one of the nodes in the seeds list to learn the topology of the ring. - Set to 127.0.0.1 for a single node cluster. + Set to `[ "127.0.0.1" ]` for a single node cluster. ''; }; allowClients = mkOption { type = types.bool; default = true; - description = '' + description = mdDoc '' Enables or disables the native transport server (CQL binary protocol). - This server uses the same address as the <literal>rpcAddress</literal>, - but the port it uses is not <literal>rpc_port</literal> but - <literal>native_transport_port</literal>. See the official Cassandra + This server uses the same address as the {option}`rpcAddress`, + but the port it uses is not `rpc_port` but + `native_transport_port`. See the official Cassandra docs for more information on these variables and set them using - <literal>extraConfig</literal>. + {option}`extraConfig`. ''; }; @@ -269,8 +270,8 @@ in { commitlog_sync_batch_window_in_ms = 3; }; - description = '' - Extra options to be merged into cassandra.yaml as nix attribute set. + description = mdDoc '' + Extra options to be merged into {file}`cassandra.yaml` as nix attribute set. ''; }; @@ -278,8 +279,8 @@ in type = types.lines; default = ""; example = literalExpression ''"CLASSPATH=$CLASSPATH:''${extraJar}"''; - description = '' - Extra shell lines to be appended onto cassandra-env.sh. + description = mdDoc '' + Extra shell lines to be appended onto {file}`cassandra-env.sh`. ''; }; @@ -287,13 +288,13 @@ in type = types.nullOr types.str; default = "3w"; example = null; - description = '' + description = mdDoc '' Set the interval how often full repairs are run, i.e. - <literal>nodetool repair --full</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html + {command}`nodetool repair --full` is executed. See + <https://cassandra.apache.org/doc/latest/operating/repair.html> for more information. - Set to <literal>null</literal> to disable full repairs. + Set to `null` to disable full repairs. ''; }; @@ -301,7 +302,7 @@ in type = types.listOf types.str; default = [ ]; example = [ "--partitioner-range" ]; - description = '' + description = mdDoc '' Options passed through to the full repair command. ''; }; @@ -310,13 +311,13 @@ in type = types.nullOr types.str; default = "3d"; example = null; - description = '' + description = mdDoc '' Set the interval how often incremental repairs are run, i.e. - <literal>nodetool repair</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html + {command}`nodetool repair` is executed. See + <https://cassandra.apache.org/doc/latest/operating/repair.html> for more information. - Set to <literal>null</literal> to disable incremental repairs. + Set to `null` to disable incremental repairs. ''; }; @@ -324,7 +325,7 @@ in type = types.listOf types.str; default = [ ]; example = [ "--partitioner-range" ]; - description = '' + description = mdDoc '' Options passed through to the incremental repair command. ''; }; @@ -333,15 +334,15 @@ in type = types.nullOr types.str; default = null; example = "4G"; - description = '' - Must be left blank or set together with heapNewSize. + description = mdDoc '' + Must be left blank or set together with {option}`heapNewSize`. If left blank a sensible value for the available amount of RAM and CPU cores is calculated. Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your - environment. MAX_HEAP_SIZE is the total amount of memory dedicated - to the Java heap. HEAP_NEWSIZE refers to the size of the young + environment. `MAX_HEAP_SIZE` is the total amount of memory dedicated + to the Java heap. `HEAP_NEWSIZE` refers to the size of the young generation. The main trade-off for the young generation is that the larger it @@ -354,21 +355,21 @@ in type = types.nullOr types.str; default = null; example = "800M"; - description = '' - Must be left blank or set together with heapNewSize. + description = mdDoc '' + Must be left blank or set together with {option}`heapNewSize`. If left blank a sensible value for the available amount of RAM and CPU cores is calculated. Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your - environment. HEAP_NEWSIZE refers to the size of the young + environment. `HEAP_NEWSIZE` refers to the size of the young generation. The main trade-off for the young generation is that the larger it is, the longer GC pause times will be. The shorter it is, the more expensive GC will be (usually). - The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause + The example `HEAP_NEWSIZE` assumes a modern 8-core+ machine for decent pause times. If in doubt, and if you do not particularly want to tweak, go with 100 MB per physical CPU core. ''; @@ -378,7 +379,7 @@ in type = types.nullOr types.int; default = null; example = 4; - description = '' + description = mdDoc '' Set this to control the amount of arenas per-thread in glibc. ''; }; @@ -386,19 +387,19 @@ in remoteJmx = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Cassandra ships with JMX accessible *only* from localhost. To enable remote JMX connections set to true. Be sure to also enable authentication and/or TLS. - See: https://wiki.apache.org/cassandra/JmxSecurity + See: <https://wiki.apache.org/cassandra/JmxSecurity> ''; }; jmxPort = mkOption { type = types.int; default = 7199; - description = '' + description = mdDoc '' Specifies the default port over which Cassandra will be available for JMX connections. For security reasons, you should not expose this port to the internet. @@ -408,11 +409,11 @@ in jmxRoles = mkOption { default = [ ]; - description = '' - Roles that are allowed to access the JMX (e.g. nodetool) - BEWARE: The passwords will be stored world readable in the nix-store. + description = mdDoc '' + Roles that are allowed to access the JMX (e.g. {command}`nodetool`) + BEWARE: The passwords will be stored world readable in the nix store. It's recommended to use your own protected file using - <literal>jmxRolesFile</literal> + {option}`jmxRolesFile` Doesn't work in versions older than 3.11 because they don't like that it's world readable. @@ -437,7 +438,7 @@ in if versionAtLeast cfg.package.version "3.11" then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile else null; - defaultText = literalDocBook ''generated configuration file if version is at least 3.11, otherwise <literal>null</literal>''; + defaultText = literalMD ''generated configuration file if version is at least 3.11, otherwise `null`''; example = "/var/lib/cassandra/jmx.password"; description = '' Specify your own jmx roles file. diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index 742e605d224..39d1ead28fc 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -193,6 +193,11 @@ in { preStart = '' touch ${cfg.configFile} + if ! test -e ${cfg.databaseDir}/.erlang.cookie; then + touch ${cfg.databaseDir}/.erlang.cookie + chmod 600 ${cfg.databaseDir}/.erlang.cookie + dd if=/dev/random bs=16 count=1 | base64 > ${cfg.databaseDir}/.erlang.cookie + fi ''; environment = { @@ -204,6 +209,7 @@ in { ERL_FLAGS= ''-couch_ini ${cfg.package}/etc/default.ini ${configFile} ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} ${cfg.configFile}''; # 5. the vm.args file COUCHDB_ARGS_FILE=''${cfg.argsFile}''; + HOME =''${cfg.databaseDir}''; }; serviceConfig = { diff --git a/nixos/modules/services/databases/dgraph.nix b/nixos/modules/services/databases/dgraph.nix new file mode 100644 index 00000000000..5c1ae536051 --- /dev/null +++ b/nixos/modules/services/databases/dgraph.nix @@ -0,0 +1,148 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.dgraph; + settingsFormat = pkgs.formats.json {}; + configFile = settingsFormat.generate "config.json" cfg.settings; + dgraphWithNode = pkgs.runCommand "dgraph" { + nativeBuildInputs = [ pkgs.makeWrapper ]; + } + '' + mkdir -p $out/bin + makeWrapper ${cfg.package}/bin/dgraph $out/bin/dgraph \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs ]}:$PATH' \ + ''; + securityOptions = { + NoNewPrivileges = true; + + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RemoveIPC = true; + + RestrictNamespaces = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + ]; + }; +in +{ + options = { + services.dgraph = { + enable = mkEnableOption "Dgraph native GraphQL database with a graph backend"; + + package = lib.mkPackageOption pkgs "dgraph" { }; + + settings = mkOption { + type = settingsFormat.type; + default = {}; + description = '' + Contents of the dgraph config. For more details see https://dgraph.io/docs/deploy/config + ''; + }; + + alpha = { + host = mkOption { + type = types.str; + default = "localhost"; + description = '' + The host which dgraph alpha will be run on. + ''; + }; + port = mkOption { + type = types.port; + default = 7080; + description = '' + The port which to run dgraph alpha on. + ''; + }; + + }; + + zero = { + host = mkOption { + type = types.str; + default = "localhost"; + description = '' + The host which dgraph zero will be run on. + ''; + }; + port = mkOption { + type = types.port; + default = 5080; + description = '' + The port which to run dgraph zero on. + ''; + }; + }; + + }; + }; + + config = mkIf cfg.enable { + services.dgraph.settings = { + badger.compression = mkDefault "zstd:3"; + }; + + systemd.services.dgraph-zero = { + description = "Dgraph native GraphQL database with a graph backend. Zero controls node clustering"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + StateDirectory = "dgraph-zero"; + WorkingDirectory = "/var/lib/dgraph-zero"; + DynamicUser = true; + ExecStart = "${cfg.package}/bin/dgraph zero --my ${cfg.zero.host}:${toString cfg.zero.port}"; + Restart = "on-failure"; + } // securityOptions; + }; + + systemd.services.dgraph-alpha = { + description = "Dgraph native GraphQL database with a graph backend. Alpha serves data"; + after = [ "network.target" "dgraph-zero.service" ]; + requires = [ "dgraph-zero.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + StateDirectory = "dgraph-alpha"; + WorkingDirectory = "/var/lib/dgraph-alpha"; + DynamicUser = true; + ExecStart = "${dgraphWithNode}/bin/dgraph alpha --config ${configFile} --my ${cfg.alpha.host}:${toString cfg.alpha.port} --zero ${cfg.zero.host}:${toString cfg.zero.port}"; + ExecStop = '' + ${pkgs.curl}/bin/curl --data "mutation { shutdown { response { message code } } }" \ + --header 'Content-Type: application/graphql' \ + -X POST \ + http://localhost:8080/admin + ''; + Restart = "on-failure"; + } // securityOptions; + }; + }; + + meta.maintainers = with lib.maintainers; [ happysalada ]; +} diff --git a/nixos/modules/services/databases/dragonflydb.nix b/nixos/modules/services/databases/dragonflydb.nix new file mode 100644 index 00000000000..e72afa9d908 --- /dev/null +++ b/nixos/modules/services/databases/dragonflydb.nix @@ -0,0 +1,152 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dragonflydb; + dragonflydb = pkgs.dragonflydb; + + settings = + { + port = cfg.port; + dir = "/var/lib/dragonflydb"; + keys_output_limit = cfg.keysOutputLimit; + } // + (lib.optionalAttrs (cfg.bind != null) { bind = cfg.bind; }) // + (lib.optionalAttrs (cfg.requirePass != null) { requirepass = cfg.requirePass; }) // + (lib.optionalAttrs (cfg.maxMemory != null) { maxmemory = cfg.maxMemory; }) // + (lib.optionalAttrs (cfg.memcachePort != null) { memcache_port = cfg.memcachePort; }) // + (lib.optionalAttrs (cfg.dbNum != null) { dbnum = cfg.dbNum; }) // + (lib.optionalAttrs (cfg.cacheMode != null) { cache_mode = cfg.cacheMode; }); +in +{ + + ###### interface + + options = { + services.dragonflydb = { + enable = mkEnableOption "DragonflyDB"; + + user = mkOption { + type = types.str; + default = "dragonfly"; + description = "The user to run DragonflyDB as"; + }; + + port = mkOption { + type = types.port; + default = 6379; + description = "The TCP port to accept connections."; + }; + + bind = mkOption { + type = with types; nullOr str; + default = "127.0.0.1"; + description = '' + The IP interface to bind to. + <literal>null</literal> means "all interfaces". + ''; + }; + + requirePass = mkOption { + type = with types; nullOr str; + default = null; + description = "Password for database"; + example = "letmein!"; + }; + + maxMemory = mkOption { + type = with types; nullOr ints.unsigned; + default = null; + description = '' + The maximum amount of memory to use for storage (in bytes). + <literal>null</literal> means this will be automatically set. + ''; + }; + + memcachePort = mkOption { + type = with types; nullOr port; + default = null; + description = '' + To enable memcached compatible API on this port. + <literal>null</literal> means disabled. + ''; + }; + + keysOutputLimit = mkOption { + type = types.ints.unsigned; + default = 8192; + description = '' + Maximum number of returned keys in keys command. + <literal>keys</literal> is a dangerous command. + We truncate its result to avoid blowup in memory when fetching too many keys. + ''; + }; + + dbNum = mkOption { + type = with types; nullOr ints.unsigned; + default = null; + description = "Maximum number of supported databases for <literal>select</literal>"; + }; + + cacheMode = mkOption { + type = with types; nullOr bool; + default = null; + description = '' + Once this mode is on, Dragonfly will evict items least likely to be stumbled + upon in the future but only when it is near maxmemory limit. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf config.services.dragonflydb.enable { + + users.users = optionalAttrs (cfg.user == "dragonfly") { + dragonfly.description = "DragonflyDB server user"; + dragonfly.isSystemUser = true; + dragonfly.group = "dragonfly"; + }; + users.groups = optionalAttrs (cfg.user == "dragonfly") { dragonfly = { }; }; + + environment.systemPackages = [ dragonflydb ]; + + systemd.services.dragonflydb = { + description = "DragonflyDB server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${dragonflydb}/bin/dragonfly --alsologtostderr ${builtins.concatStringsSep " " (attrsets.mapAttrsToList (n: v: "--${n} ${strings.escapeShellArg v}") settings)}"; + + User = cfg.user; + + # Filesystem access + ReadWritePaths = [ settings.dir ]; + StateDirectory = "dragonflydb"; + StateDirectoryMode = "0700"; + # Process Properties + LimitMEMLOCK = "infinity"; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + LockPersonality = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + PrivateMounts = true; + MemoryDenyWriteExecute = true; + }; + }; + }; +} diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 2c1e25d4308..d80d1b07b97 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -268,9 +268,14 @@ in { }; systemd.services.openldap = { - description = "LDAP server"; + description = "OpenLDAP Server Daemon"; + documentation = [ + "man:slapd" + "man:slapd-config" + "man:slapd-mdb" + ]; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + after = [ "network-online.target" ]; preStart = let settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings)); @@ -306,7 +311,8 @@ in { "${openldap}/libexec/slapd" "-u" cfg.user "-g" cfg.group "-F" configDir "-h" (lib.concatStringsSep " " cfg.urlList) ]); - Type = "forking"; + Type = "notify"; + NotifyAccess = "all"; PIDFile = cfg.settings.attrs.olcPidFile; }; }; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 2919022496a..550bd36efff 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -295,7 +295,8 @@ in # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing # systems! - mkDefault (if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13 + mkDefault (if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14 + else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13 else if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6" else mkThrow "9_5"); diff --git a/nixos/modules/services/databases/riak.nix b/nixos/modules/services/databases/riak.nix deleted file mode 100644 index cc4237d038c..00000000000 --- a/nixos/modules/services/databases/riak.nix +++ /dev/null @@ -1,162 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.riak; - -in - -{ - - ###### interface - - options = { - - services.riak = { - - enable = mkEnableOption "riak"; - - package = mkOption { - type = types.package; - default = pkgs.riak; - defaultText = literalExpression "pkgs.riak"; - description = '' - Riak package to use. - ''; - }; - - nodeName = mkOption { - type = types.str; - default = "riak@127.0.0.1"; - description = '' - Name of the Erlang node. - ''; - }; - - distributedCookie = mkOption { - type = types.str; - default = "riak"; - description = '' - Cookie for distributed node communication. All nodes in the - same cluster should use the same cookie or they will not be able to - communicate. - ''; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/db/riak"; - description = '' - Data directory for Riak. - ''; - }; - - logDir = mkOption { - type = types.path; - default = "/var/log/riak"; - description = '' - Log directory for Riak. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be appended to <filename>riak.conf</filename>. - ''; - }; - - extraAdvancedConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be appended to <filename>advanced.config</filename>. - ''; - }; - - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - - environment.systemPackages = [ cfg.package ]; - environment.etc."riak/riak.conf".text = '' - nodename = ${cfg.nodeName} - distributed_cookie = ${cfg.distributedCookie} - - platform_log_dir = ${cfg.logDir} - platform_etc_dir = /etc/riak - platform_data_dir = ${cfg.dataDir} - - ${cfg.extraConfig} - ''; - - environment.etc."riak/advanced.config".text = '' - ${cfg.extraAdvancedConfig} - ''; - - users.users.riak = { - name = "riak"; - uid = config.ids.uids.riak; - group = "riak"; - description = "Riak server user"; - }; - - users.groups.riak.gid = config.ids.gids.riak; - - systemd.services.riak = { - description = "Riak Server"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - path = [ - pkgs.util-linux # for `logger` - pkgs.bash - ]; - - environment.HOME = "${cfg.dataDir}"; - environment.RIAK_DATA_DIR = "${cfg.dataDir}"; - environment.RIAK_LOG_DIR = "${cfg.logDir}"; - environment.RIAK_ETC_DIR = "/etc/riak"; - - preStart = '' - if ! test -e ${cfg.logDir}; then - mkdir -m 0755 -p ${cfg.logDir} - chown -R riak ${cfg.logDir} - fi - - if ! test -e ${cfg.dataDir}; then - mkdir -m 0700 -p ${cfg.dataDir} - chown -R riak ${cfg.dataDir} - fi - ''; - - serviceConfig = { - ExecStart = "${cfg.package}/bin/riak console"; - ExecStop = "${cfg.package}/bin/riak stop"; - StandardInput = "tty"; - User = "riak"; - Group = "riak"; - PermissionsStartOnly = true; - # Give Riak a decent amount of time to clean up. - TimeoutStopSec = 120; - LimitNOFILE = 65536; - }; - - unitConfig.RequiresMountsFor = [ - "${cfg.dataDir}" - "${cfg.logDir}" - "/etc/riak" - ]; - }; - - }; - -} diff --git a/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json b/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json index b19fb33ec17..114afbfb0ea 100644 --- a/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json +++ b/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json @@ -62,6 +62,9 @@ "application.process.binary": "teams" }, { + "application.process.binary": "teams-insiders" + }, + { "application.process.binary": "skypeforlinux" } ], diff --git a/nixos/modules/services/desktops/pipewire/pipewire.nix b/nixos/modules/services/desktops/pipewire/pipewire.nix index 1323336d866..dd1f5e3a018 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire.nix +++ b/nixos/modules/services/desktops/pipewire/pipewire.nix @@ -234,12 +234,12 @@ in { environment.etc."pipewire/pipewire.conf" = { source = json.generate "pipewire.conf" configs.pipewire; }; - environment.etc."pipewire/pipewire-pulse.conf" = { + environment.etc."pipewire/pipewire-pulse.conf" = mkIf cfg.pulse.enable { source = json.generate "pipewire-pulse.conf" configs.pipewire-pulse; }; environment.sessionVariables.LD_LIBRARY_PATH = - lib.optional cfg.jack.enable "${cfg.package.jack}/lib"; + lib.mkIf cfg.jack.enable [ "${cfg.package.jack}/lib" ]; users = lib.mkIf cfg.systemWide { users.pipewire = { @@ -251,6 +251,8 @@ in { ] ++ lib.optional config.security.rtkit.enable "rtkit"; description = "Pipewire system service user"; isSystemUser = true; + home = "/var/lib/pipewire"; + createHome = true; }; groups.pipewire.gid = config.ids.gids.pipewire; }; @@ -258,5 +260,8 @@ in { # https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/464#note_723554 systemd.services.pipewire.environment."PIPEWIRE_LINK_PASSIVE" = "1"; systemd.user.services.pipewire.environment."PIPEWIRE_LINK_PASSIVE" = "1"; + + # pipewire-pulse default config expects pactl to be in PATH + systemd.user.services.pipewire-pulse.path = lib.mkIf cfg.pulse.enable [ pkgs.pulseaudio ]; }; } diff --git a/nixos/modules/services/desktops/pipewire/wireplumber.nix b/nixos/modules/services/desktops/pipewire/wireplumber.nix index 1dbdd842c4a..439a3ae68da 100644 --- a/nixos/modules/services/desktops/pipewire/wireplumber.nix +++ b/nixos/modules/services/desktops/pipewire/wireplumber.nix @@ -37,11 +37,19 @@ in environment.systemPackages = [ cfg.package ]; environment.etc."wireplumber/main.lua.d/80-nixos.lua" = lib.mkIf (!pwUsedForAudio) { - text = '' + text = '' -- Pipewire is not used for audio, so prevent it from grabbing audio devices alsa_monitor.enable = function() end ''; }; + environment.etc."wireplumber/main.lua.d/80-systemwide.lua" = lib.mkIf config.services.pipewire.systemWide { + text = '' + -- When running system-wide, these settings need to be disabled (they + -- use functions that aren't available on the system dbus). + alsa_monitor.properties["alsa.reserve"] = false + default_access.properties["enable-flatpak-portal"] = false + ''; + }; systemd.packages = [ cfg.package ]; @@ -50,5 +58,10 @@ in systemd.services.wireplumber.wantedBy = [ "pipewire.service" ]; systemd.user.services.wireplumber.wantedBy = [ "pipewire.service" ]; + + systemd.services.wireplumber.environment = lib.mkIf config.services.pipewire.systemWide { + # Force wireplumber to use system dbus. + DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/dbus/system_bus_socket"; + }; }; } diff --git a/nixos/modules/services/games/asf.nix b/nixos/modules/services/games/asf.nix index ea2bfd40fff..ed1a5544d7a 100644 --- a/nixos/modules/services/games/asf.nix +++ b/nixos/modules/services/games/asf.nix @@ -13,6 +13,8 @@ let # is in theory not needed as this is already the default for default builds UpdateChannel = 0; Headless = true; + } // lib.optionalAttrs (cfg.ipcPasswordFile != null) { + IPCPassword = "#ipcPassword#"; }); ipc-config = format.generate "IPC.config" cfg.ipcSettings; @@ -81,8 +83,7 @@ in type = format.type; description = '' The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>. - Do note that `AutoRestart` and `UpdateChannel` is always to `false` -respectively `0` because NixOS takes care of updating everything. + Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything. `Headless` is also always set to `true` because there is no way to provide inputs via a systemd service. You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>. ''; @@ -92,6 +93,12 @@ respectively `0` because NixOS takes care of updating everything. default = { }; }; + ipcPasswordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; + }; + ipcSettings = mkOption { type = format.type; description = '' @@ -115,14 +122,12 @@ respectively `0` because NixOS takes care of updating everything. options = { username = mkOption { type = types.str; - description = - "Name of the user to log in. Default is attribute name."; + description = "Name of the user to log in. Default is attribute name."; default = ""; }; passwordFile = mkOption { type = types.path; - description = - "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; + description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; }; enabled = mkOption { type = types.bool; @@ -131,8 +136,7 @@ respectively `0` because NixOS takes care of updating everything. }; settings = mkOption { type = types.attrs; - description = - "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; + description = "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; default = { }; }; }; @@ -170,14 +174,17 @@ respectively `0` because NixOS takes care of updating everything. wantedBy = [ "multi-user.target" ]; serviceConfig = mkMerge [ - (mkIf (cfg.dataDir == "/var/lib/asf") { StateDirectory = "asf"; }) + (mkIf (cfg.dataDir == "/var/lib/asf") { + StateDirectory = "asf"; + StateDirectoryMode = "700"; + }) { User = "asf"; Group = "asf"; WorkingDirectory = cfg.dataDir; Type = "simple"; - ExecStart = - "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate"; + ExecStart = "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate"; + Restart = "always"; # mostly copied from the default systemd service PrivateTmp = true; @@ -202,35 +209,47 @@ respectively `0` because NixOS takes care of updating everything. } ]; - preStart = '' - mkdir -p config - rm -f www - rm -f config/{*.json,*.config} - - ln -s ${asf-config} config/ASF.json - - ${strings.optionalString (cfg.ipcSettings != {}) '' - ln -s ${ipc-config} config/IPC.config - ''} - - ln -s ${pkgs.runCommandLocal "ASF-bots" {} '' - mkdir -p $out/lib/asf/bots - for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=","; - set -- $i - ln -s $2 $out/lib/asf/bots/$1 - done - ''}/lib/asf/bots/* config/ - - ${strings.optionalString cfg.web-ui.enable '' - ln -s ${cfg.web-ui.package}/lib/dist www - ''} - ''; + preStart = + let + createBotsScript = pkgs.runCommandLocal "ASF-bots" { } '' + mkdir -p $out + # clean potential removed bots + rm -rf $out/*.json + for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=","; + set -- $i + ln -fs $2 $out/$1 + done + ''; + replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; + in + '' + mkdir -p config + + cp --no-preserve=mode ${asf-config} config/ASF.json + + ${optionalString (cfg.ipcPasswordFile != null) '' + ${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json + ''} + + ${optionalString (cfg.ipcSettings != {}) '' + ln -fs ${ipc-config} config/IPC.config + ''} + + ${optionalString (cfg.ipcSettings != {}) '' + ln -fs ${createBotsScript}/* config/ + ''} + + rm -f www + ${optionalString cfg.web-ui.enable '' + ln -s ${cfg.web-ui.package}/lib/dist www + ''} + ''; }; }; }; meta = { buildDocsInSandbox = false; - maintainers = with maintainers; [ lom ]; + maintainers = with maintainers; [ lom SuperSandro2000 ]; }; } diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index ff73d7a46ed..bb6898a08c5 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -87,6 +87,18 @@ in a new map with default settings will be generated before starting the service. ''; }; + loadLatestSave = mkOption { + type = types.bool; + default = false; + description = '' + Load the latest savegame on startup. This overrides saveName, in that the latest + save will always be used even if a saved game of the given name exists. It still + controls the 'canonical' name of the savegame. + + Set this to true to have the server automatically reload a recent autosave after + a crash or desync. + ''; + }; # TODO Add more individual settings as nixos-options? # TODO XXX The server tries to copy a newly created config file over the old one # on shutdown, but fails, because it's in the nix store. When is this needed? @@ -250,8 +262,9 @@ in "--config=${cfg.configFile}" "--port=${toString cfg.port}" "--bind=${cfg.bind}" - "--start-server=${mkSavePath cfg.saveName}" + (optionalString (!cfg.loadLatestSave) "--start-server=${mkSavePath cfg.saveName}") "--server-settings=${serverSettingsFile}" + (optionalString cfg.loadLatestSave "--start-server-load-latest") (optionalString (cfg.mods != []) "--mod-directory=${modDir}") (optionalString (cfg.admins != []) "--server-adminlist=${serverAdminsFile}") ]; diff --git a/nixos/modules/services/hardware/argonone.nix b/nixos/modules/services/hardware/argonone.nix new file mode 100644 index 00000000000..638181b1b12 --- /dev/null +++ b/nixos/modules/services/hardware/argonone.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.hardware.argonone; +in +{ + options.services.hardware.argonone = { + enable = lib.mkEnableOption "the driver for Argon One Raspberry Pi case fan and power button"; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.argononed; + defaultText = "pkgs.argononed"; + description = '' + The package implementing the Argon One driver + ''; + }; + }; + + config = lib.mkIf cfg.enable { + hardware.i2c.enable = true; + hardware.deviceTree.overlays = [ + { + name = "argononed"; + dtboFile = "${cfg.package}/boot/overlays/argonone.dtbo"; + } + { + name = "i2c1-okay-overlay"; + dtsText = '' + /dts-v1/; + /plugin/; + / { + compatible = "brcm,bcm2711"; + fragment@0 { + target = <&i2c1>; + __overlay__ { + status = "okay"; + }; + }; + }; + ''; + } + ]; + environment.systemPackages = [ cfg.package ]; + systemd.services.argononed = { + description = "Argon One Raspberry Pi case Daemon Service"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = "${cfg.package}/bin/argononed"; + PIDFile = "/run/argononed.pid"; + Restart = "on-failure"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ misterio77 ]; + +} diff --git a/nixos/modules/services/hardware/illum.nix b/nixos/modules/services/hardware/illum.nix index ff73c99a653..7f7a8500023 100644 --- a/nixos/modules/services/hardware/illum.nix +++ b/nixos/modules/services/hardware/illum.nix @@ -28,6 +28,7 @@ in { description = "Backlight Adjustment Service"; wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d"; + serviceConfig.Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 8257eeb673b..2e9deebbb74 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -8,6 +8,24 @@ let cfg = config.services.udev; + initrdUdevRules = pkgs.runCommand "initrd-udev-rules" {} '' + mkdir -p $out/etc/udev/rules.d + for f in 60-cdrom_id 60-persistent-storage 75-net-description 80-drivers 80-net-setup-link; do + ln -s ${config.boot.initrd.systemd.package}/lib/udev/rules.d/$f.rules $out/etc/udev/rules.d + done + ''; + + + # networkd link files are used early by udev to set up interfaces early. + # This must be done in stage 1 to avoid race conditions between udev and + # network daemons. + # TODO move this into the initrd-network module when it exists + initrdLinkUnits = pkgs.runCommand "initrd-link-units" {} '' + mkdir -p $out + ln -s ${udev}/lib/systemd/network/*.link $out/ + ${lib.concatMapStringsSep "\n" (file: "ln -s ${file} $out/") (lib.mapAttrsToList (n: v: "${v.unit}/${n}") (lib.filterAttrs (n: _: hasSuffix ".link" n) config.systemd.network.units))} + ''; + extraUdevRules = pkgs.writeTextFile { name = "extra-udev-rules"; text = cfg.extraRules; @@ -153,6 +171,11 @@ let mv etc/udev/hwdb.bin $out ''; + compressFirmware = if config.boot.kernelPackages.kernelAtLeast "5.3" then + pkgs.compressFirmwareXz + else + id; + # Udev has a 512-character limit for ENV{PATH}, so create a symlink # tree to work around this. udevPath = pkgs.buildEnv { @@ -249,7 +272,7 @@ in ''; apply = list: pkgs.buildEnv { name = "firmware"; - paths = list; + paths = map compressFirmware list; pathsToLink = [ "/lib/firmware" ]; ignoreCollisions = true; }; @@ -350,7 +373,10 @@ in ]; boot.initrd.systemd.storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd" - "${config.boot.initrd.systemd.package}/lib/udev" + "${config.boot.initrd.systemd.package}/lib/udev/ata_id" + "${config.boot.initrd.systemd.package}/lib/udev/cdrom_id" + "${config.boot.initrd.systemd.package}/lib/udev/scsi_id" + "${config.boot.initrd.systemd.package}/lib/udev/rules.d" ] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages; # Generate the udev rules for the initrd @@ -364,13 +390,17 @@ in systemd = config.boot.initrd.systemd.package; binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; }; + "/etc/systemd/network".source = initrdLinkUnits; }; - # Insert custom rules - boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { - name = "initrd-udev-rules"; - destination = "/etc/udev/rules.d/99-local.rules"; - text = config.boot.initrd.services.udev.rules; - }); + # Insert initrd rules + boot.initrd.services.udev.packages = [ + initrdUdevRules + (mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { + name = "initrd-udev-rules"; + destination = "/etc/udev/rules.d/99-local.rules"; + text = config.boot.initrd.services.udev.rules; + })) + ]; environment.etc = { diff --git a/nixos/modules/services/hardware/usbrelayd.nix b/nixos/modules/services/hardware/usbrelayd.nix new file mode 100644 index 00000000000..2cee4e1ff7e --- /dev/null +++ b/nixos/modules/services/hardware/usbrelayd.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.usbrelayd; +in +{ + options.services.usbrelayd = with types; { + enable = mkEnableOption "USB Relay MQTT daemon"; + + broker = mkOption { + type = str; + description = "Hostname or IP address of your MQTT Broker."; + default = "127.0.0.1"; + example = [ + "mqtt" + "192.168.1.1" + ]; + }; + + clientName = mkOption { + type = str; + description = "Name, your client connects as."; + default = "MyUSBRelay"; + }; + }; + + config = mkIf cfg.enable { + + environment.etc."usbrelayd.conf".text = '' + [MQTT] + BROKER = ${cfg.broker} + CLIENTNAME = ${cfg.clientName} + ''; + + services.udev.packages = [ pkgs.usbrelayd ]; + systemd.packages = [ pkgs.usbrelayd ]; + users.users.usbrelay = { + isSystemUser = true; + group = "usbrelay"; + }; + users.groups.usbrelay = { }; + }; + + meta = { + maintainers = with lib.maintainers; [ wentasah ]; + }; +} diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 6022227f6ea..2aacc5e55c6 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -360,7 +360,25 @@ in { }; config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + assertions = [ + { + assertion = cfg.openFirewall -> !isNull cfg.config; + message = "openFirewall can only be used with a declarative config"; + } + ]; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ]; + + # symlink the configuration to /etc/home-assistant + environment.etc = lib.mkMerge [ + (lib.mkIf (cfg.config != null && !cfg.configWritable) { + "home-assistant/configuration.yaml".source = configFile; + }) + + (lib.mkIf (cfg.lovelaceConfig != null && !cfg.lovelaceConfigWritable) { + "home-assistant/ui-lovelace.yaml".source = lovelaceConfigFile; + }) + ]; systemd.services.home-assistant = { description = "Home Assistant"; @@ -371,18 +389,22 @@ in { "mysql.service" "postgresql.service" ]; + reloadTriggers = [ + configFile + lovelaceConfigFile + ]; preStart = let copyConfig = if cfg.configWritable then '' cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml" '' else '' rm -f "${cfg.configDir}/configuration.yaml" - ln -s ${configFile} "${cfg.configDir}/configuration.yaml" + ln -s /etc/home-assistant/configuration.yaml "${cfg.configDir}/configuration.yaml" ''; copyLovelaceConfig = if cfg.lovelaceConfigWritable then '' cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" '' else '' rm -f "${cfg.configDir}/ui-lovelace.yaml" - ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" + ln -s /etc/home-assistant/ui-lovelace.yaml "${cfg.configDir}/ui-lovelace.yaml" ''; in (optionalString (cfg.config != null) copyConfig) + diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index e6eb0552c9e..dfc58d7d539 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -193,7 +193,7 @@ let }; mailOption = - if foldr (n: a: a || n ? mail) false (attrValues cfg.settings) + if foldr (n: a: a || (n.mail or false) != false) false (attrValues cfg.settings) then "--mail=${pkgs.mailutils}/bin/mail" else ""; in diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index a08203dffe7..5d00feabe1c 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -109,7 +109,7 @@ in ''' # Read from journal pipe { - command => "''${pkgs.systemd}/bin/journalctl -f -o json" + command => "''${config.systemd.package}/bin/journalctl -f -o json" type => "syslog" codec => json {} } ''' diff --git a/nixos/modules/services/logging/syslog-ng.nix b/nixos/modules/services/logging/syslog-ng.nix index 0a57bf20bd0..1c11de51f2c 100644 --- a/nixos/modules/services/logging/syslog-ng.nix +++ b/nixos/modules/services/logging/syslog-ng.nix @@ -51,9 +51,6 @@ in { extraModulePaths = mkOption { type = types.listOf types.str; default = []; - example = literalExpression '' - [ "''${pkgs.syslogng_incubator}/lib/syslog-ng" ] - ''; description = '' A list of paths that should be included in syslog-ng's <literal>--module-path</literal> option. They should usually diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index f1e074587b3..5b714c384de 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -6,10 +6,10 @@ let cfg = config.services.mailman; - pythonEnv = pkgs.python3.withPackages (ps: - [ps.mailman ps.mailman-web] - ++ lib.optional cfg.hyperkitty.enable ps.mailman-hyperkitty - ++ cfg.extraPythonPackages); + inherit (pkgs.mailmanPackages.buildEnvs { withHyperkitty = cfg.hyperkitty.enable; }) + mailmanEnv webEnv; + + withPostgresql = config.services.postgresql.enable; # This deliberately doesn't use recursiveUpdate so users can # override the defaults. @@ -72,6 +72,9 @@ in { stored in the world-readable Nix store. To continue using Hyperkitty, you must set services.mailman.hyperkitty.enable = true. '') + (mkRemovedOptionModule [ "services" "mailman" "package" ] '' + Didn't have an effect for several years. + '') ]; options = { @@ -84,14 +87,6 @@ in { description = "Enable Mailman on this host. Requires an active MTA on the host (e.g. Postfix)."; }; - package = mkOption { - type = types.package; - default = pkgs.mailman; - defaultText = literalExpression "pkgs.mailman"; - example = literalExpression "pkgs.mailman.override { archivers = []; }"; - description = "Mailman package to use"; - }; - enablePostfix = mkOption { type = types.bool; default = true; @@ -185,7 +180,7 @@ in { mailman.layout = "fhs"; "paths.fhs" = { - bin_dir = "${pkgs.python3Packages.mailman}/bin"; + bin_dir = "${pkgs.mailmanPackages.mailman}/bin"; var_dir = "/var/lib/mailman"; queue_dir = "$var_dir/queue"; template_dir = "$var_dir/templates"; @@ -295,9 +290,12 @@ in { name = "mailman-tools"; # We don't want to pollute the system PATH with a python # interpreter etc. so let's pick only the stuff we actually - # want from pythonEnv + # want from {web,mailman}Env pathsToLink = ["/bin"]; - paths = [pythonEnv]; + paths = [ mailmanEnv webEnv ]; + # Only mailman-related stuff is installed, the rest is removed + # in `postBuild`. + ignoreCollisions = true; postBuild = '' find $out/bin/ -mindepth 1 -not -name "mailman*" -delete ''; @@ -320,12 +318,14 @@ in { description = "GNU Mailman Master Process"; before = lib.optional cfg.enablePostfix "postfix.service"; after = [ "network.target" ] - ++ lib.optional cfg.enablePostfix "postfix-setup.service"; + ++ lib.optional cfg.enablePostfix "postfix-setup.service" + ++ lib.optional withPostgresql "postgresql.service"; restartTriggers = [ config.environment.etc."mailman.cfg".source ]; + requires = optional withPostgresql "postgresql.service"; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pythonEnv}/bin/mailman start"; - ExecStop = "${pythonEnv}/bin/mailman stop"; + ExecStart = "${mailmanEnv}/bin/mailman start"; + ExecStop = "${mailmanEnv}/bin/mailman stop"; User = "mailman"; Group = "mailman"; Type = "forking"; @@ -340,6 +340,8 @@ in { before = [ "mailman.service" "mailman-web-setup.service" "mailman-uwsgi.service" "hyperkitty.service" ]; requiredBy = [ "mailman.service" "mailman-web-setup.service" "mailman-uwsgi.service" "hyperkitty.service" ]; path = with pkgs; [ jq ]; + after = optional withPostgresql "postgresql.service"; + requires = optional withPostgresql "postgresql.service"; serviceConfig.Type = "oneshot"; script = '' mailmanDir=/var/lib/mailman @@ -381,9 +383,9 @@ in { restartTriggers = [ config.environment.etc."mailman3/settings.py".source ]; script = '' [[ -e "${webSettings.STATIC_ROOT}" ]] && find "${webSettings.STATIC_ROOT}/" -mindepth 1 -delete - ${pythonEnv}/bin/mailman-web migrate - ${pythonEnv}/bin/mailman-web collectstatic - ${pythonEnv}/bin/mailman-web compress + ${webEnv}/bin/mailman-web migrate + ${webEnv}/bin/mailman-web collectstatic + ${webEnv}/bin/mailman-web compress ''; serviceConfig = { User = cfg.webUser; @@ -397,14 +399,16 @@ in { uwsgiConfig.uwsgi = { type = "normal"; plugins = ["python3"]; - home = pythonEnv; + home = webEnv; module = "mailman_web.wsgi"; http = "127.0.0.1:18507"; }; uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig); in { wantedBy = ["multi-user.target"]; - requires = ["mailman-uwsgi.socket" "mailman-web-setup.service"]; + after = optional withPostgresql "postgresql.service"; + requires = ["mailman-uwsgi.socket" "mailman-web-setup.service"] + ++ optional withPostgresql "postgresql.service"; restartTriggers = [ config.environment.etc."mailman3/settings.py".source ]; serviceConfig = { # Since the mailman-web settings.py obstinately creates a logs @@ -422,7 +426,7 @@ in { startAt = "daily"; restartTriggers = [ config.environment.etc."mailman.cfg".source ]; serviceConfig = { - ExecStart = "${pythonEnv}/bin/mailman digests --send"; + ExecStart = "${mailmanEnv}/bin/mailman digests --send"; User = "mailman"; Group = "mailman"; }; @@ -434,7 +438,7 @@ in { restartTriggers = [ config.environment.etc."mailman3/settings.py".source ]; wantedBy = [ "mailman.service" "multi-user.target" ]; serviceConfig = { - ExecStart = "${pythonEnv}/bin/mailman-web qcluster"; + ExecStart = "${webEnv}/bin/mailman-web qcluster"; User = cfg.webUser; Group = "mailman"; WorkingDirectory = "/var/lib/mailman-web"; @@ -453,7 +457,7 @@ in { inherit startAt; restartTriggers = [ config.environment.etc."mailman3/settings.py".source ]; serviceConfig = { - ExecStart = "${pythonEnv}/bin/mailman-web runjobs ${name}"; + ExecStart = "${webEnv}/bin/mailman-web runjobs ${name}"; User = cfg.webUser; Group = "mailman"; WorkingDirectory = "/var/lib/mailman-web"; @@ -462,7 +466,7 @@ in { }; meta = { - maintainers = with lib.maintainers; [ lheckemann qyliss ]; + maintainers = with lib.maintainers; [ lheckemann qyliss ma27 ]; doc = ./mailman.xml; }; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index da14b6eef7e..de00c87b95a 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -725,6 +725,7 @@ in systemd.services.postfix-setup = { description = "Setup for Postfix mail server"; + serviceConfig.RemainAfterExit = true; serviceConfig.Type = "oneshot"; script = '' # Backwards compatibility diff --git a/nixos/modules/services/mail/postfixadmin.nix b/nixos/modules/services/mail/postfixadmin.nix index a0846ad5290..8adae3c1a01 100644 --- a/nixos/modules/services/mail/postfixadmin.nix +++ b/nixos/modules/services/mail/postfixadmin.nix @@ -177,7 +177,7 @@ in services.phpfpm.pools.postfixadmin = { user = user; - phpPackage = pkgs.php74; + phpPackage = pkgs.php81; phpOptions = '' error_log = 'stderr' log_errors = on diff --git a/nixos/modules/services/mail/public-inbox.nix b/nixos/modules/services/mail/public-inbox.nix new file mode 100644 index 00000000000..0f9bc4ef226 --- /dev/null +++ b/nixos/modules/services/mail/public-inbox.nix @@ -0,0 +1,579 @@ +{ lib, pkgs, config, ... }: + +with lib; + +let + cfg = config.services.public-inbox; + stateDir = "/var/lib/public-inbox"; + + manref = name: vol: "<citerefentry><refentrytitle>${name}</refentrytitle><manvolnum>${toString vol}</manvolnum></citerefentry>"; + + gitIni = pkgs.formats.gitIni { listsAsDuplicateKeys = true; }; + iniAtom = elemAt gitIni.type/*attrsOf*/.functor.wrapped/*attrsOf*/.functor.wrapped/*either*/.functor.wrapped 0; + + useSpamAssassin = cfg.settings.publicinboxmda.spamcheck == "spamc" || + cfg.settings.publicinboxwatch.spamcheck == "spamc"; + + publicInboxDaemonOptions = proto: defaultPort: { + args = mkOption { + type = with types; listOf str; + default = []; + description = "Command-line arguments to pass to ${manref "public-inbox-${proto}d" 1}."; + }; + port = mkOption { + type = with types; nullOr (either str port); + default = defaultPort; + description = '' + Listening port. + Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not. + Set to null and use <code>systemd.sockets.public-inbox-${proto}d.listenStreams</code> + if you need a more advanced listening. + ''; + }; + cert = mkOption { + type = with types; nullOr str; + default = null; + example = "/path/to/fullchain.pem"; + description = "Path to TLS certificate to use for connections to ${manref "public-inbox-${proto}d" 1}."; + }; + key = mkOption { + type = with types; nullOr str; + default = null; + example = "/path/to/key.pem"; + description = "Path to TLS key to use for connections to ${manref "public-inbox-${proto}d" 1}."; + }; + }; + + serviceConfig = srv: + let proto = removeSuffix "d" srv; + needNetwork = builtins.hasAttr proto cfg && cfg.${proto}.port == null; + in { + serviceConfig = { + # Enable JIT-compiled C (via Inline::C) + Environment = [ "PERL_INLINE_DIRECTORY=/run/public-inbox-${srv}/perl-inline" ]; + # NonBlocking is REQUIRED to avoid a race condition + # if running simultaneous services. + NonBlocking = true; + #LimitNOFILE = 30000; + User = config.users.users."public-inbox".name; + Group = config.users.groups."public-inbox".name; + RuntimeDirectory = [ + "public-inbox-${srv}/perl-inline" + ]; + RuntimeDirectoryMode = "700"; + # This is for BindPaths= and BindReadOnlyPaths= + # to allow traversal of directories they create inside RootDirectory= + UMask = "0066"; + StateDirectory = ["public-inbox"]; + StateDirectoryMode = "0750"; + WorkingDirectory = stateDir; + BindReadOnlyPaths = [ + "/etc" + "/run/systemd" + "${config.i18n.glibcLocales}" + ] ++ + mapAttrsToList (name: inbox: inbox.description) cfg.inboxes ++ + # Without confinement the whole Nix store + # is made available to the service + optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [ + "${pkgs.dash}/bin/dash:/bin/sh" + builtins.storeDir + ]; + # The following options are only for optimizing: + # systemd-analyze security public-inbox-'*' + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateNetwork = mkDefault (!needNetwork); + ProcSubset = "pid"; + ProtectClock = true; + ProtectHome = mkDefault true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + #ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_UNIX" ] ++ + optionals needNetwork [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallFilter = [ + "@system-service" + "~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources" + # Not removing @setuid and @privileged because Inline::C needs them. + # Not removing @timer because git upload-pack needs it. + ]; + SystemCallArchitectures = "native"; + + # The following options are redundant when confinement is enabled + RootDirectory = "/var/empty"; + TemporaryFileSystem = "/"; + PrivateMounts = true; + MountAPIVFS = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + }; + confinement = { + # Until we agree upon doing it directly here in NixOS + # https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447 + # let the user choose to enable the confinement with: + # systemd.services.public-inbox-httpd.confinement.enable = true; + # systemd.services.public-inbox-imapd.confinement.enable = true; + # systemd.services.public-inbox-init.confinement.enable = true; + # systemd.services.public-inbox-nntpd.confinement.enable = true; + #enable = true; + mode = "full-apivfs"; + # Inline::C needs a /bin/sh, and dash is enough + binSh = "${pkgs.dash}/bin/dash"; + packages = [ + pkgs.iana-etc + (getLib pkgs.nss) + pkgs.tzdata + ]; + }; + }; +in + +{ + options.services.public-inbox = { + enable = mkEnableOption "the public-inbox mail archiver"; + package = mkOption { + type = types.package; + default = pkgs.public-inbox; + defaultText = literalExpression "pkgs.public-inbox"; + description = "public-inbox package to use."; + }; + path = mkOption { + type = with types; listOf package; + default = []; + example = literalExpression "with pkgs; [ spamassassin ]"; + description = '' + Additional packages to place in the path of public-inbox-mda, + public-inbox-watch, etc. + ''; + }; + inboxes = mkOption { + description = '' + Inboxes to configure, where attribute names are inbox names. + ''; + default = {}; + type = types.attrsOf (types.submodule ({name, ...}: { + freeformType = types.attrsOf iniAtom; + options.inboxdir = mkOption { + type = types.str; + default = "${stateDir}/inboxes/${name}"; + description = "The absolute path to the directory which hosts the public-inbox."; + }; + options.address = mkOption { + type = with types; listOf str; + example = "example-discuss@example.org"; + description = "The email addresses of the public-inbox."; + }; + options.url = mkOption { + type = with types; nullOr str; + default = null; + example = "https://example.org/lists/example-discuss"; + description = "URL where this inbox can be accessed over HTTP."; + }; + options.description = mkOption { + type = types.str; + example = "user/dev discussion of public-inbox itself"; + description = "User-visible description for the repository."; + apply = pkgs.writeText "public-inbox-description-${name}"; + }; + options.newsgroup = mkOption { + type = with types; nullOr str; + default = null; + description = "NNTP group name for the inbox."; + }; + options.watch = mkOption { + type = with types; listOf str; + default = []; + description = "Paths for ${manref "public-inbox-watch" 1} to monitor for new mail."; + example = [ "maildir:/path/to/test.example.com.git" ]; + }; + options.watchheader = mkOption { + type = with types; nullOr str; + default = null; + example = "List-Id:<test@example.com>"; + description = '' + If specified, ${manref "public-inbox-watch" 1} will only process + mail containing a matching header. + ''; + }; + options.coderepo = mkOption { + type = (types.listOf (types.enum (attrNames cfg.settings.coderepo))) // { + description = "list of coderepo names"; + }; + default = []; + description = "Nicknames of a 'coderepo' section associated with the inbox."; + }; + })); + }; + imap = { + enable = mkEnableOption "the public-inbox IMAP server"; + } // publicInboxDaemonOptions "imap" 993; + http = { + enable = mkEnableOption "the public-inbox HTTP server"; + mounts = mkOption { + type = with types; listOf str; + default = [ "/" ]; + example = [ "/lists/archives" ]; + description = '' + Root paths or URLs that public-inbox will be served on. + If domain parts are present, only requests to those + domains will be accepted. + ''; + }; + args = (publicInboxDaemonOptions "http" 80).args; + port = mkOption { + type = with types; nullOr (either str port); + default = 80; + example = "/run/public-inbox-httpd.sock"; + description = '' + Listening port or systemd's ListenStream= entry + to be used as a reverse proxy, eg. in nginx: + <code>locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";</code> + Set to null and use <code>systemd.sockets.public-inbox-httpd.listenStreams</code> + if you need a more advanced listening. + ''; + }; + }; + mda = { + enable = mkEnableOption "the public-inbox Mail Delivery Agent"; + args = mkOption { + type = with types; listOf str; + default = []; + description = "Command-line arguments to pass to ${manref "public-inbox-mda" 1}."; + }; + }; + postfix.enable = mkEnableOption "the integration into Postfix"; + nntp = { + enable = mkEnableOption "the public-inbox NNTP server"; + } // publicInboxDaemonOptions "nntp" 563; + spamAssassinRules = mkOption { + type = with types; nullOr path; + default = "${cfg.package.sa_config}/user/.spamassassin/user_prefs"; + defaultText = literalExpression "\${cfg.package.sa_config}/user/.spamassassin/user_prefs"; + description = "SpamAssassin configuration specific to public-inbox."; + }; + settings = mkOption { + description = '' + Settings for the <link xlink:href="https://public-inbox.org/public-inbox-config.html">public-inbox config file</link>. + ''; + default = {}; + type = types.submodule { + freeformType = gitIni.type; + options.publicinbox = mkOption { + default = {}; + description = "public inboxes"; + type = types.submodule { + freeformType = with types; /*inbox name*/attrsOf (/*inbox option name*/attrsOf /*inbox option value*/iniAtom); + options.css = mkOption { + type = with types; listOf str; + default = []; + description = "The local path name of a CSS file for the PSGI web interface."; + }; + options.nntpserver = mkOption { + type = with types; listOf str; + default = []; + example = [ "nntp://news.public-inbox.org" "nntps://news.public-inbox.org" ]; + description = "NNTP URLs to this public-inbox instance"; + }; + options.wwwlisting = mkOption { + type = with types; enum [ "all" "404" "match=domain" ]; + default = "404"; + description = '' + Controls which lists (if any) are listed for when the root + public-inbox URL is accessed over HTTP. + ''; + }; + }; + }; + options.publicinboxmda.spamcheck = mkOption { + type = with types; enum [ "spamc" "none" ]; + default = "none"; + description = '' + If set to spamc, ${manref "public-inbox-watch" 1} will filter spam + using SpamAssassin. + ''; + }; + options.publicinboxwatch.spamcheck = mkOption { + type = with types; enum [ "spamc" "none" ]; + default = "none"; + description = '' + If set to spamc, ${manref "public-inbox-watch" 1} will filter spam + using SpamAssassin. + ''; + }; + options.publicinboxwatch.watchspam = mkOption { + type = with types; nullOr str; + default = null; + example = "maildir:/path/to/spam"; + description = '' + If set, mail in this maildir will be trained as spam and + deleted from all watched inboxes + ''; + }; + options.coderepo = mkOption { + default = {}; + description = "code repositories"; + type = types.attrsOf (types.submodule { + freeformType = types.attrsOf iniAtom; + options.cgitUrl = mkOption { + type = types.str; + description = "URL of a cgit instance"; + }; + options.dir = mkOption { + type = types.str; + description = "Path to a git repository"; + }; + }); + }; + }; + }; + openFirewall = mkEnableOption "opening the firewall when using a port option"; + }; + config = mkIf cfg.enable { + assertions = [ + { assertion = config.services.spamassassin.enable || !useSpamAssassin; + message = '' + public-inbox is configured to use SpamAssassin, but + services.spamassassin.enable is false. If you don't need + spam checking, set `services.public-inbox.settings.publicinboxmda.spamcheck' and + `services.public-inbox.settings.publicinboxwatch.spamcheck' to null. + ''; + } + { assertion = cfg.path != [] || !useSpamAssassin; + message = '' + public-inbox is configured to use SpamAssassin, but there is + no spamc executable in services.public-inbox.path. If you + don't need spam checking, set + `services.public-inbox.settings.publicinboxmda.spamcheck' and + `services.public-inbox.settings.publicinboxwatch.spamcheck' to null. + ''; + } + ]; + services.public-inbox.settings = + filterAttrsRecursive (n: v: v != null) { + publicinbox = mapAttrs (n: filterAttrs (n: v: n != "description")) cfg.inboxes; + }; + users = { + users.public-inbox = { + home = stateDir; + group = "public-inbox"; + isSystemUser = true; + }; + groups.public-inbox = {}; + }; + networking.firewall = mkIf cfg.openFirewall + { allowedTCPPorts = mkMerge + (map (proto: (mkIf (cfg.${proto}.enable && types.port.check cfg.${proto}.port) [ cfg.${proto}.port ])) + ["imap" "http" "nntp"]); + }; + services.postfix = mkIf (cfg.postfix.enable && cfg.mda.enable) { + # Not sure limiting to 1 is necessary, but better safe than sorry. + config.public-inbox_destination_recipient_limit = "1"; + + # Register the addresses as existing + virtual = + concatStringsSep "\n" (mapAttrsToList (_: inbox: + concatMapStringsSep "\n" (address: + "${address} ${address}" + ) inbox.address + ) cfg.inboxes); + + # Deliver the addresses with the public-inbox transport + transport = + concatStringsSep "\n" (mapAttrsToList (_: inbox: + concatMapStringsSep "\n" (address: + "${address} public-inbox:${address}" + ) inbox.address + ) cfg.inboxes); + + # The public-inbox transport + masterConfig.public-inbox = { + type = "unix"; + privileged = true; # Required for user= + command = "pipe"; + args = [ + "flags=X" # Report as a final delivery + "user=${with config.users; users."public-inbox".name + ":" + groups."public-inbox".name}" + # Specifying a nexthop when using the transport + # (eg. test public-inbox:test) allows to + # receive mails with an extension (eg. test+foo). + "argv=${pkgs.writeShellScript "public-inbox-transport" '' + export HOME="${stateDir}" + export ORIGINAL_RECIPIENT="''${2:-1}" + export PATH="${makeBinPath cfg.path}:$PATH" + exec ${cfg.package}/bin/public-inbox-mda ${escapeShellArgs cfg.mda.args} + ''} \${original_recipient} \${nexthop}" + ]; + }; + }; + systemd.sockets = mkMerge (map (proto: + mkIf (cfg.${proto}.enable && cfg.${proto}.port != null) + { "public-inbox-${proto}d" = { + listenStreams = [ (toString cfg.${proto}.port) ]; + wantedBy = [ "sockets.target" ]; + }; + } + ) [ "imap" "http" "nntp" ]); + systemd.services = mkMerge [ + (mkIf cfg.imap.enable + { public-inbox-imapd = mkMerge [(serviceConfig "imapd") { + after = [ "public-inbox-init.service" "public-inbox-watch.service" ]; + requires = [ "public-inbox-init.service" ]; + serviceConfig = { + ExecStart = escapeShellArgs ( + [ "${cfg.package}/bin/public-inbox-imapd" ] ++ + cfg.imap.args ++ + optionals (cfg.imap.cert != null) [ "--cert" cfg.imap.cert ] ++ + optionals (cfg.imap.key != null) [ "--key" cfg.imap.key ] + ); + }; + }]; + }) + (mkIf cfg.http.enable + { public-inbox-httpd = mkMerge [(serviceConfig "httpd") { + after = [ "public-inbox-init.service" "public-inbox-watch.service" ]; + requires = [ "public-inbox-init.service" ]; + serviceConfig = { + ExecStart = escapeShellArgs ( + [ "${cfg.package}/bin/public-inbox-httpd" ] ++ + cfg.http.args ++ + # See https://public-inbox.org/public-inbox.git/tree/examples/public-inbox.psgi + # for upstream's example. + [ (pkgs.writeText "public-inbox.psgi" '' + #!${cfg.package.fullperl} -w + use strict; + use warnings; + use Plack::Builder; + use PublicInbox::WWW; + + my $www = PublicInbox::WWW->new; + $www->preload; + + builder { + # If reached through a reverse proxy, + # make it transparent by resetting some HTTP headers + # used by public-inbox to generate URIs. + enable 'ReverseProxy'; + + # No need to send a response body if it's an HTTP HEAD requests. + enable 'Head'; + + # Route according to configured domains and root paths. + ${concatMapStrings (path: '' + mount q(${path}) => sub { $www->call(@_); }; + '') cfg.http.mounts} + } + '') ] + ); + }; + }]; + }) + (mkIf cfg.nntp.enable + { public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") { + after = [ "public-inbox-init.service" "public-inbox-watch.service" ]; + requires = [ "public-inbox-init.service" ]; + serviceConfig = { + ExecStart = escapeShellArgs ( + [ "${cfg.package}/bin/public-inbox-nntpd" ] ++ + cfg.nntp.args ++ + optionals (cfg.nntp.cert != null) [ "--cert" cfg.nntp.cert ] ++ + optionals (cfg.nntp.key != null) [ "--key" cfg.nntp.key ] + ); + }; + }]; + }) + (mkIf (any (inbox: inbox.watch != []) (attrValues cfg.inboxes) + || cfg.settings.publicinboxwatch.watchspam != null) + { public-inbox-watch = mkMerge [(serviceConfig "watch") { + inherit (cfg) path; + wants = [ "public-inbox-init.service" ]; + requires = [ "public-inbox-init.service" ] ++ + optional (cfg.settings.publicinboxwatch.spamcheck == "spamc") "spamassassin.service"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/public-inbox-watch"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }]; + }) + ({ public-inbox-init = let + PI_CONFIG = gitIni.generate "public-inbox.ini" + (filterAttrsRecursive (n: v: v != null) cfg.settings); + in mkMerge [(serviceConfig "init") { + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + restartTriggers = [ PI_CONFIG ]; + script = '' + set -ux + install -D -p ${PI_CONFIG} ${stateDir}/.public-inbox/config + '' + optionalString useSpamAssassin '' + install -m 0700 -o spamd -d ${stateDir}/.spamassassin + ${optionalString (cfg.spamAssassinRules != null) '' + ln -sf ${cfg.spamAssassinRules} ${stateDir}/.spamassassin/user_prefs + ''} + '' + concatStrings (mapAttrsToList (name: inbox: '' + if [ ! -e ${stateDir}/inboxes/${escapeShellArg name} ]; then + # public-inbox-init creates an inbox and adds it to a config file. + # It tries to atomically write the config file by creating + # another file in the same directory, and renaming it. + # This has the sad consequence that we can't use + # /dev/null, or it would try to create a file in /dev. + conf_dir="$(mktemp -d)" + + PI_CONFIG=$conf_dir/conf \ + ${cfg.package}/bin/public-inbox-init -V2 \ + ${escapeShellArgs ([ name "${stateDir}/inboxes/${name}" inbox.url ] ++ inbox.address)} + + rm -rf $conf_dir + fi + + ln -sf ${inbox.description} \ + ${stateDir}/inboxes/${escapeShellArg name}/description + + export GIT_DIR=${stateDir}/inboxes/${escapeShellArg name}/all.git + if test -d "$GIT_DIR"; then + # Config is inherited by each epoch repository, + # so just needs to be set for all.git. + ${pkgs.git}/bin/git config core.sharedRepository 0640 + fi + '') cfg.inboxes + ) + '' + shopt -s nullglob + for inbox in ${stateDir}/inboxes/*/; do + # This should be idempotent, but only do it for new + # inboxes anyway because it's only needed once, and could + # be slow for large pre-existing inboxes. + ls -1 "$inbox" | grep -q '^xap' || + ${cfg.package}/bin/public-inbox-index "$inbox" + done + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StateDirectory = [ + "public-inbox/.public-inbox" + "public-inbox/.public-inbox/emergency" + "public-inbox/inboxes" + ]; + }; + }]; + }) + ]; + environment.systemPackages = with pkgs; [ cfg.package ]; + }; + meta.maintainers = with lib.maintainers; [ julm qyliss ]; +} diff --git a/nixos/modules/services/mail/schleuder.nix b/nixos/modules/services/mail/schleuder.nix new file mode 100644 index 00000000000..7ba15f1070b --- /dev/null +++ b/nixos/modules/services/mail/schleuder.nix @@ -0,0 +1,162 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.schleuder; + settingsFormat = pkgs.formats.yaml { }; + postfixMap = entries: lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${value}") entries); + writePostfixMap = name: entries: pkgs.writeText name (postfixMap entries); + configScript = pkgs.writeScript "schleuder-cfg" '' + #!${pkgs.runtimeShell} + set -exuo pipefail + umask 0077 + ${pkgs.yq}/bin/yq \ + --slurpfile overrides <(${pkgs.yq}/bin/yq . <${lib.escapeShellArg cfg.extraSettingsFile}) \ + < ${settingsFormat.generate "schleuder.yml" cfg.settings} \ + '. * $overrides[0]' \ + > /etc/schleuder/schleuder.yml + chown schleuder: /etc/schleuder/schleuder.yml + ''; +in +{ + options.services.schleuder = { + enable = lib.mkEnableOption "Schleuder secure remailer"; + enablePostfix = lib.mkEnableOption "automatic postfix integration" // { default = true; }; + lists = lib.mkOption { + description = '' + List of list addresses that should be handled by Schleuder. + + Note that this is only handled by the postfix integration, and + the setup of the lists, their members and their keys has to be + performed separately via schleuder's API, using a tool such as + schleuder-cli. + ''; + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "widget-team@example.com" "security@example.com" ]; + }; + /* maybe one day.... + domains = lib.mkOption { + description = "Domains for which all mail should be handled by Schleuder."; + type = lib.types.listOf lib.types.str; + default = []; + example = ["securelists.example.com"]; + }; + */ + settings = lib.mkOption { + description = '' + Settings for schleuder.yml. + + Check the <link xlink:href="https://0xacab.org/schleuder/schleuder/blob/master/etc/schleuder.yml">example configuration</link> for possible values. + ''; + type = lib.types.submodule { + freeformType = settingsFormat.type; + options.keyserver = lib.mkOption { + type = lib.types.str; + description = '' + Key server from which to fetch and update keys. + + Note that NixOS uses a different default from upstream, since the upstream default sks-keyservers.net is deprecated. + ''; + default = "keys.openpgp.org"; + }; + }; + default = { }; + }; + extraSettingsFile = lib.mkOption { + description = "YAML file to merge into the schleuder config at runtime. This can be used for secrets such as API keys."; + type = lib.types.nullOr lib.types.path; + default = null; + }; + listDefaults = lib.mkOption { + description = '' + Default settings for lists (list-defaults.yml). + + Check the <link xlink:href="https://0xacab.org/schleuder/schleuder/-/blob/master/etc/list-defaults.yml">example configuration</link> for possible values. + ''; + type = settingsFormat.type; + default = { }; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings.api ? valid_api_keys); + message = '' + services.schleuder.settings.api.valid_api_keys is set. Defining API keys via NixOS config results in them being copied to the world-readable Nix store. Please use the extraSettingsFile option to store API keys in a non-public location. + ''; + } + { + assertion = !(lib.any (db: db ? password) (lib.attrValues cfg.settings.database or {})); + message = '' + A password is defined for at least one database in services.schleuder.settings.database. Defining passwords via NixOS config results in them being copied to the world-readable Nix store. Please use the extraSettingsFile option to store database passwords in a non-public location. + ''; + } + ]; + users.users.schleuder.isSystemUser = true; + users.users.schleuder.group = "schleuder"; + users.groups.schleuder = {}; + environment.systemPackages = [ + pkgs.schleuder-cli + ]; + services.postfix = lib.mkIf cfg.enablePostfix { + extraMasterConf = '' + schleuder unix - n n - - pipe + flags=DRhu user=schleuder argv=/${pkgs.schleuder}/bin/schleuder work ''${recipient} + ''; + transport = lib.mkIf (cfg.lists != [ ]) (postfixMap (lib.genAttrs cfg.lists (_: "schleuder:"))); + extraConfig = '' + schleuder_destination_recipient_limit = 1 + ''; + # review: does this make sense? + localRecipients = lib.mkIf (cfg.lists != [ ]) cfg.lists; + }; + systemd.services = let commonServiceConfig = { + # We would have liked to use DynamicUser, but since the default + # database is SQLite and lives in StateDirectory, and that same + # database needs to be readable from the postfix service, this + # isn't trivial to do. + User = "schleuder"; + StateDirectory = "schleuder"; + StateDirectoryMode = "0700"; + }; in + { + schleuder-init = { + serviceConfig = commonServiceConfig // { + ExecStartPre = lib.mkIf (cfg.extraSettingsFile != null) [ + "+${configScript}" + ]; + ExecStart = [ "${pkgs.schleuder}/bin/schleuder install" ]; + Type = "oneshot"; + }; + }; + schleuder-api-daemon = { + after = [ "local-fs.target" "network.target" "schleuder-init.service" ]; + wantedBy = [ "multi-user.target" ]; + requires = [ "schleuder-init.service" ]; + serviceConfig = commonServiceConfig // { + ExecStart = [ "${pkgs.schleuder}/bin/schleuder-api-daemon" ]; + }; + }; + schleuder-weekly-key-maintenance = { + after = [ "local-fs.target" "network.target" ]; + startAt = "weekly"; + serviceConfig = commonServiceConfig // { + ExecStart = [ + "${pkgs.schleuder}/bin/schleuder refresh_keys" + "${pkgs.schleuder}/bin/schleuder check_keys" + ]; + }; + }; + }; + + environment.etc."schleuder/schleuder.yml" = lib.mkIf (cfg.extraSettingsFile == null) { + source = settingsFormat.generate "schleuder.yml" cfg.settings; + }; + environment.etc."schleuder/list-defaults.yml".source = settingsFormat.generate "list-defaults.yml" cfg.listDefaults; + + services.schleuder = { + #lists_dir = "/var/lib/schleuder.lists"; + settings.filters_dir = lib.mkDefault "/var/lib/schleuder/filters"; + settings.keyword_handlers_dir = lib.mkDefault "/var/lib/schleuder/keyword_handlers"; + }; + }; +} diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index ac878222b26..3b10d8d2909 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -135,7 +135,7 @@ in User = "spamd"; Group = "spamd"; StateDirectory = "spamassassin"; - ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service"; + ExecStartPost = "+${config.systemd.package}/bin/systemctl -q --no-block try-reload-or-restart spamd.service"; }; script = '' diff --git a/nixos/modules/services/misc/matrix-appservice-discord.nix b/nixos/modules/services/matrix/appservice-discord.nix index 8a8c7f41e3c..8a8c7f41e3c 100644 --- a/nixos/modules/services/misc/matrix-appservice-discord.nix +++ b/nixos/modules/services/matrix/appservice-discord.nix diff --git a/nixos/modules/services/misc/matrix-appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix index b041c9c82c5..ff938527ed5 100644 --- a/nixos/modules/services/misc/matrix-appservice-irc.nix +++ b/nixos/modules/services/matrix/appservice-irc.nix @@ -153,6 +153,9 @@ in { systemd.services.matrix-appservice-irc = { description = "Matrix-IRC bridge"; before = [ "matrix-synapse.service" ]; # So the registration can be used by Synapse + after = lib.optionals (cfg.settings.database.engine == "postgres") [ + "postgresql.service" + ]; wantedBy = [ "multi-user.target" ]; preStart = '' diff --git a/nixos/modules/services/misc/matrix-conduit.nix b/nixos/modules/services/matrix/conduit.nix index 108f64de7aa..108f64de7aa 100644 --- a/nixos/modules/services/misc/matrix-conduit.nix +++ b/nixos/modules/services/matrix/conduit.nix diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/matrix/dendrite.nix index 35bec40926e..54052084b33 100644 --- a/nixos/modules/services/misc/dendrite.nix +++ b/nixos/modules/services/matrix/dendrite.nix @@ -74,6 +74,18 @@ in <literal>dendrite</literal> is running. ''; }; + loadCredential = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "private_key:/path/to/my_private_key" ]; + description = '' + This can be used to pass secrets to the systemd service without adding them to + the nix store. + To use the example setting, see the example of + <option>services.dendrite.settings.global.private_key</option>. + See the LoadCredential section of systemd.exec manual for more information. + ''; + }; settings = lib.mkOption { type = lib.types.submodule { freeformType = settingsFormat.type; @@ -88,8 +100,10 @@ in ''; }; private_key = lib.mkOption { - type = lib.types.path; - example = "${workingDir}/matrix_key.pem"; + type = lib.types.either + lib.types.path + (lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+"); + example = "$CREDENTIALS_DIRECTORY/private_key"; description = '' The path to the signing private key file, used to sign requests and events. @@ -222,6 +236,13 @@ in for available options with which to populate settings. ''; }; + openRegistration = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Allow open registration without secondary verification (reCAPTCHA). + ''; + }; }; config = lib.mkIf cfg.enable { @@ -249,6 +270,7 @@ in RuntimeDirectoryMode = "0700"; LimitNOFILE = 65535; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + LoadCredential = cfg.loadCredential; ExecStartPre = '' ${pkgs.envsubst}/bin/envsubst \ -i ${configurationYaml} \ @@ -263,6 +285,8 @@ in "--https-bind-address :${builtins.toString cfg.httpsPort}" "--tls-cert ${cfg.tlsCert}" "--tls-key ${cfg.tlsKey}" + ] ++ lib.optionals cfg.openRegistration [ + "--really-enable-open-registration" ]); ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "on-failure"; diff --git a/nixos/modules/services/misc/mautrix-facebook.nix b/nixos/modules/services/matrix/mautrix-facebook.nix index e046c791ac0..e046c791ac0 100644 --- a/nixos/modules/services/misc/mautrix-facebook.nix +++ b/nixos/modules/services/matrix/mautrix-facebook.nix diff --git a/nixos/modules/services/misc/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index 794c4dd9ddc..794c4dd9ddc 100644 --- a/nixos/modules/services/misc/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix diff --git a/nixos/modules/services/matrix/matrix-synapse-log_config.yaml b/nixos/modules/services/matrix/synapse-log_config.yaml index d85bdd1208f..d85bdd1208f 100644 --- a/nixos/modules/services/matrix/matrix-synapse-log_config.yaml +++ b/nixos/modules/services/matrix/synapse-log_config.yaml diff --git a/nixos/modules/services/matrix/matrix-synapse.nix b/nixos/modules/services/matrix/synapse.nix index a498aff7a55..3d5d10cdf07 100644 --- a/nixos/modules/services/matrix/matrix-synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -191,12 +191,12 @@ in { settings = mkOption { default = {}; - description = '' + description = mdDoc '' The primary synapse configuration. See the - <link xlink:href="https://github.com/matrix-org/synapse/blob/v${cfg.package.version}/docs/sample_config.yaml">sample configuration</link> + [sample configuration](https://github.com/matrix-org/synapse/blob/v${cfg.package.version}/docs/sample_config.yaml) for possible values. - Secrets should be passed in by using the <literal>extraConfigFiles</literal> option. + Secrets should be passed in by using the `extraConfigFiles` option. ''; type = with types; submodule { freeformType = format.type; @@ -230,23 +230,23 @@ in { registration_shared_secret = mkOption { type = types.nullOr types.str; default = null; - description = '' + description = mdDoc '' If set, allows registration by anyone who also has the shared secret, even if registration is otherwise disabled. - Secrets should be passed in via <literal>extraConfigFiles</literal>! + Secrets should be passed in via `extraConfigFiles`! ''; }; macaroon_secret_key = mkOption { type = types.nullOr types.str; default = null; - description = '' + description = mdDoc '' Secret key for authentication tokens. If none is specified, the registration_shared_secret is used, if one is given; otherwise, a secret key is derived from the signing key. - Secrets should be passed in via <literal>extraConfigFiles</literal>! + Secrets should be passed in via `extraConfigFiles`! ''; }; @@ -285,7 +285,7 @@ in { log_config = mkOption { type = types.path; - default = ./matrix-synapse-log_config.yaml; + default = ./synapse-log_config.yaml; description = '' The file that holds the logging configuration. ''; @@ -296,6 +296,7 @@ in { default = if lib.versionAtLeast config.system.stateVersion "22.05" then "${cfg.dataDir}/media_store" else "${cfg.dataDir}/media"; + defaultText = "${cfg.dataDir}/media_store for when system.stateVersion is at least 22.05, ${cfg.dataDir}/media when lower than 22.05"; description = '' Directory where uploaded images and attachments are stored. ''; @@ -619,10 +620,10 @@ in { example = literalExpression '' config.services.coturn.static-auth-secret ''; - description = '' + description = mdDoc '' The shared secret used to compute passwords for the TURN server. - Secrets should be passed in via <literal>extraConfigFiles</literal>! + Secrets should be passed in via `extraConfigFiles`! ''; }; @@ -766,7 +767,7 @@ in { meta = { buildDocsInSandbox = false; - doc = ./matrix-synapse.xml; + doc = ./synapse.xml; maintainers = teams.matrix.members; }; diff --git a/nixos/modules/services/matrix/matrix-synapse.xml b/nixos/modules/services/matrix/synapse.xml index cf33957d58e..cf33957d58e 100644 --- a/nixos/modules/services/matrix/matrix-synapse.xml +++ b/nixos/modules/services/matrix/synapse.xml diff --git a/nixos/modules/services/misc/geoipupdate.nix b/nixos/modules/services/misc/geoipupdate.nix index 3211d4d88e4..db643c3d847 100644 --- a/nixos/modules/services/misc/geoipupdate.nix +++ b/nixos/modules/services/misc/geoipupdate.nix @@ -2,6 +2,7 @@ let cfg = config.services.geoipupdate; + inherit (builtins) isAttrs isString isInt isList typeOf hashString; in { imports = [ @@ -27,11 +28,30 @@ in }; settings = lib.mkOption { + example = lib.literalExpression '' + { + AccountID = 200001; + DatabaseDirectory = "/var/lib/GeoIP"; + LicenseKey = { _secret = "/run/keys/maxmind_license_key"; }; + Proxy = "10.0.0.10:8888"; + ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; }; + } + ''; description = '' <productname>geoipupdate</productname> configuration options. See <link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md" /> for a full list of available options. + + Settings containing secret data should be set to an + attribute set containing the attribute + <literal>_secret</literal> - a string pointing to a file + containing the value the option should be set to. See the + example to get a better picture of this: in the resulting + <filename>GeoIP.conf</filename> file, the + <literal>ProxyUserPassword</literal> key will be set to the + contents of the + <filename>/run/keys/proxy_pass</filename> file. ''; type = lib.types.submodule { freeformType = @@ -65,11 +85,18 @@ in }; LicenseKey = lib.mkOption { - type = lib.types.path; + type = with lib.types; either path (attrsOf path); description = '' - A file containing the <productname>MaxMind</productname> - license key. + A file containing the + <productname>MaxMind</productname> license key. + + Always handled as a secret whether the value is + wrapped in a <literal>{ _secret = ...; }</literal> + attrset or not (refer to <xref + linkend="opt-services.geoipupdate.settings" /> for + details). ''; + apply = x: if isAttrs x then x else { _secret = x; }; }; DatabaseDirectory = lib.mkOption { @@ -102,6 +129,9 @@ in systemd.services.geoipupdate-create-db-dir = { serviceConfig.Type = "oneshot"; script = '' + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + mkdir -p ${cfg.settings.DatabaseDirectory} chmod 0755 ${cfg.settings.DatabaseDirectory} ''; @@ -115,32 +145,41 @@ in "network-online.target" "nss-lookup.target" ]; + path = [ pkgs.replace-secret ]; wants = [ "network-online.target" ]; startAt = cfg.interval; serviceConfig = { ExecStartPre = let + isSecret = v: isAttrs v && v ? _secret && isString v._secret; geoipupdateKeyValue = lib.generators.toKeyValue { mkKeyValue = lib.flip lib.generators.mkKeyValueDefault " " rec { - mkValueString = v: with builtins; + mkValueString = v: if isInt v then toString v else if isString v then v else if true == v then "1" else if false == v then "0" else if isList v then lib.concatMapStringsSep " " mkValueString v + else if isSecret v then hashString "sha256" v._secret else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; }; }; + secretPaths = lib.catAttrs "_secret" (lib.collect isSecret cfg.settings); + mkSecretReplacement = file: '' + replace-secret ${lib.escapeShellArgs [ (hashString "sha256" file) file "/run/geoipupdate/GeoIP.conf" ]} + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; geoipupdateConf = pkgs.writeText "geoipupdate.conf" (geoipupdateKeyValue cfg.settings); script = '' + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + chown geoip "${cfg.settings.DatabaseDirectory}" cp ${geoipupdateConf} /run/geoipupdate/GeoIP.conf - ${pkgs.replace-secret}/bin/replace-secret '${cfg.settings.LicenseKey}' \ - '${cfg.settings.LicenseKey}' \ - /run/geoipupdate/GeoIP.conf + ${secretReplacements} ''; in "+${pkgs.writeShellScript "start-pre-full-privileges" script}"; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 0811b34156e..0b8bd08a22b 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -13,12 +13,28 @@ let else pkgs.postgresql_12; + # Git 2.36.1 seemingly contains a commit-graph related bug which is + # easily triggered through GitLab, so we downgrade it to 2.35.x + # until this issue is solved. See + # https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101. + gitPackage = + let + version = "2.35.3"; + in + pkgs.git.overrideAttrs (oldAttrs: rec { + inherit version; + src = pkgs.fetchurl { + url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz"; + sha256 = "sha256-FenbT5vy7Z//MMtioAxcfAkBAV9asEjNtOiwTd7gD6I="; + }; + }); + gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; - databaseConfig = { - production = { + databaseConfig = let + val = { adapter = "postgresql"; database = cfg.databaseName; host = cfg.databaseHost; @@ -26,6 +42,10 @@ let encoding = "utf8"; pool = cfg.databasePool; } // cfg.extraDatabaseConfig; + in if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then { + production.main = val; + } else { + production = val; }; # We only want to create a database if we're actually going to connect to it. @@ -37,7 +57,7 @@ let prometheus_listen_addr = "localhost:9236" [git] - bin_path = "${pkgs.git}/bin/git" + bin_path = "${gitPackage}/bin/git" [gitaly-ruby] dir = "${cfg.packages.gitaly.ruby}" @@ -133,7 +153,7 @@ let }; workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret"; gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret"; - git.bin_path = "git"; + git.bin_path = "${gitPackage}/bin/git"; monitoring = { ip_whitelist = [ "127.0.0.0/8" "::1/128" ]; sidekiq_exporter = { @@ -1184,7 +1204,7 @@ in { fi jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ - '.production.password = $ENV.db_password' \ + '.${if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then "production.main" else "production"}.password = $ENV.db_password' \ >'${cfg.statePath}/config/database.yml' '' else '' @@ -1271,7 +1291,7 @@ in { }); path = with pkgs; [ postgresqlPackage - git + gitPackage ruby openssh nodejs @@ -1302,7 +1322,7 @@ in { path = with pkgs; [ openssh procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562 - git + gitPackage cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby gzip @@ -1347,7 +1367,7 @@ in { partOf = [ "gitlab.target" ]; path = with pkgs; [ exiftool - git + gitPackage gnutar gzip openssh @@ -1408,7 +1428,7 @@ in { environment = gitlabEnv; path = with pkgs; [ postgresqlPackage - git + gitPackage openssh nodejs procps diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index cad73a871ba..5a5f488dc56 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -44,6 +44,12 @@ in description = "Enable uploads of external files"; }; + user-icons = mkOption { + type = types.nullOr (types.enum [ "gravatar" "identicon" ]); + default = null; + description = "Enable specific user icons for history view"; + }; + emoji = mkOption { type = types.bool; default = false; @@ -56,6 +62,18 @@ in description = "Use the first h1 as page title"; }; + no-edit = mkOption { + type = types.bool; + default = false; + description = "Disable editing pages"; + }; + + local-time = mkOption { + type = types.bool; + default = false; + description = "Use the browser's local timezone instead of the server's for displaying dates."; + }; + branch = mkOption { type = types.str; default = "master"; @@ -110,12 +128,15 @@ in ${optionalString cfg.mathjax "--mathjax"} \ ${optionalString cfg.emoji "--emoji"} \ ${optionalString cfg.h1-title "--h1-title"} \ + ${optionalString cfg.no-edit "--no-edit"} \ + ${optionalString cfg.local-time "--local-time"} \ ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \ + ${optionalString (cfg.user-icons != null) "--user-icons ${cfg.user-icons}"} \ ${cfg.stateDir} ''; }; }; }; - meta.maintainers = with lib.maintainers; [ erictapen ]; + meta.maintainers = with lib.maintainers; [ erictapen bbenno ]; } diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix index 7ce8a23d9af..deefb061d8b 100644 --- a/nixos/modules/services/misc/heisenbridge.nix +++ b/nixos/modules/services/misc/heisenbridge.nix @@ -204,7 +204,7 @@ in NoNewPrivileges = true; LockPersonality = true; RestrictRealtime = true; - SystemCallFilter = ["@system-service" "~@priviledged" "@chown"]; + SystemCallFilter = ["@system-service" "~@privileged" "@chown"]; SystemCallArchitectures = "native"; RestrictAddressFamilies = "AF_INET AF_INET6"; }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 04cf82f8a46..789b78702e9 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -53,7 +53,10 @@ in User = cfg.user; Group = cfg.group; StateDirectory = "jellyfin"; + StateDirectoryMode = "0700"; CacheDirectory = "jellyfin"; + CacheDirectoryMode = "0700"; + UMask = "0077"; ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; diff --git a/nixos/modules/services/misc/libreddit.nix b/nixos/modules/services/misc/libreddit.nix index 77b34a85620..e21a8844784 100644 --- a/nixos/modules/services/misc/libreddit.nix +++ b/nixos/modules/services/misc/libreddit.nix @@ -2,14 +2,13 @@ with lib; - let - cfg = config.services.libreddit; - - args = concatStringsSep " " ([ - "--port ${toString cfg.port}" - "--address ${cfg.address}" - ] ++ optional cfg.redirect "--redirect-https"); +let + cfg = config.services.libreddit; + args = concatStringsSep " " ([ + "--port ${toString cfg.port}" + "--address ${cfg.address}" + ]); in { options = { @@ -30,12 +29,6 @@ in description = "The port to listen on"; }; - redirect = mkOption { - type = types.bool; - default = false; - description = "Enable the redirecting to HTTPS"; - }; - openFirewall = mkOption { type = types.bool; default = false; @@ -56,6 +49,31 @@ in AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "2s"; + # Hardening + CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + # A private user cannot have process capabilities on the host's user + # namespace and thus CAP_NET_BIND_SERVICE has no effect. + PrivateUsers = (cfg.port >= 1024); + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; }; }; diff --git a/nixos/modules/services/misc/mbpfan.nix b/nixos/modules/services/misc/mbpfan.nix index e0a4d8a13e7..7a149ff47e6 100644 --- a/nixos/modules/services/misc/mbpfan.nix +++ b/nixos/modules/services/misc/mbpfan.nix @@ -31,7 +31,7 @@ in { settings = mkOption { default = {}; - description = "The INI configuration for Mbpfan."; + description = "INI configuration for Mbpfan."; type = types.submodule { freeformType = settingsFormat.type; @@ -39,32 +39,26 @@ in { type = types.nullOr types.int; default = 2000; description = '' - The minimum fan speed. Setting to null enables automatic detection. - Check minimum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_min". - ''; - }; - options.general.max_fan1_speed = mkOption { - type = types.nullOr types.int; - default = 6199; - description = '' - The maximum fan speed. Setting to null enables automatic detection. - Check maximum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_max". + You can check minimum and maximum fan limits with + "cat /sys/devices/platform/applesmc.768/fan*_min" and + "cat /sys/devices/platform/applesmc.768/fan*_max" respectively. + Setting to null implies using default value from applesmc. ''; }; options.general.low_temp = mkOption { type = types.int; default = 55; - description = "Temperature below which fan speed will be at minimum. Try ranges 55-63."; + description = "If temperature is below this, fans will run at minimum speed."; }; options.general.high_temp = mkOption { type = types.int; default = 58; - description = "Fan will increase speed when higher than this temperature. Try ranges 58-66."; + description = "If temperature is above this, fan speed will gradually increase."; }; options.general.max_temp = mkOption { type = types.int; default = 86; - description = "Fan will run at full speed above this temperature. Do not set it > 90."; + description = "If temperature is above this, fans will run at maximum speed."; }; options.general.polling_interval = mkOption { type = types.int; diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix index 97005c9d914..5bf0e6bc008 100644 --- a/nixos/modules/services/misc/nitter.nix +++ b/nixos/modules/services/misc/nitter.nix @@ -277,7 +277,7 @@ in Add settings here to override NixOS module generated settings. Check the official repository for the available settings: - https://github.com/zedeus/nitter/blob/master/nitter.conf + https://github.com/zedeus/nitter/blob/master/nitter.example.conf ''; }; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index a4d2d10af70..f6f74d12e10 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -734,7 +734,7 @@ in CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; IOSchedulingClass = cfg.daemonIOSchedClass; IOSchedulingPriority = cfg.daemonIOSchedPriority; - LimitNOFILE = 4096; + LimitNOFILE = 1048576; }; restartTriggers = [ nixConf ]; diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index bfaf842fb46..17cd555d7e1 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -83,7 +83,7 @@ let }; in { - meta.maintainers = with maintainers; [ earvstedt Flakebi ]; + meta.maintainers = with maintainers; [ erikarvstedt Flakebi ]; imports = [ (mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ]) diff --git a/nixos/modules/services/misc/persistent-evdev.nix b/nixos/modules/services/misc/persistent-evdev.nix new file mode 100644 index 00000000000..401d20010b1 --- /dev/null +++ b/nixos/modules/services/misc/persistent-evdev.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.persistent-evdev; + settingsFormat = pkgs.formats.json {}; + + configFile = settingsFormat.generate "persistent-evdev-config" { + cache = "/var/cache/persistent-evdev"; + devices = lib.mapAttrs (virt: phys: "/dev/input/by-id/${phys}") cfg.devices; + }; +in +{ + options.services.persistent-evdev = { + enable = lib.mkEnableOption "virtual input devices that persist even if the backing device is hotplugged"; + + devices = lib.mkOption { + default = {}; + type = with lib.types; attrsOf str; + description = '' + A set of virtual proxy device labels with backing physical device ids. + + Physical devices should already exist in <filename class="devicefile">/dev/input/by-id/</filename>. + Proxy devices will be automatically given a <literal>uinput-</literal> prefix. + + See the <link xlink:href="https://github.com/aiberia/persistent-evdev#example-usage-with-libvirt"> + project page</link> for example configuration of virtual devices with libvirt + and remember to add <literal>uinput-*</literal> devices to the qemu + <literal>cgroup_device_acl</literal> list (see <xref linkend="opt-virtualisation.libvirtd.qemu.verbatimConfig"/>). + ''; + example = lib.literalExpression '' + { + persist-mouse0 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-event-if01"; + persist-mouse1 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-event-mouse"; + persist-mouse2 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-if01-event-kbd"; + persist-keyboard0 = "usb-Microsoft_Natural®_Ergonomic_Keyboard_4000-event-kbd"; + persist-keyboard1 = "usb-Microsoft_Natural®_Ergonomic_Keyboard_4000-if01-event-kbd"; + } + ''; + }; + }; + + config = lib.mkIf cfg.enable { + + systemd.services.persistent-evdev = { + documentation = [ "https://github.com/aiberia/persistent-evdev/blob/master/README.md" ]; + description = "Persistent evdev proxy"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "on-failure"; + ExecStart = "${pkgs.persistent-evdev}/bin/persistent-evdev.py ${configFile}"; + CacheDirectory = "persistent-evdev"; + }; + }; + + services.udev.packages = [ pkgs.persistent-evdev ]; + }; + + meta.maintainers = with lib.maintainers; [ lodi ]; +} diff --git a/nixos/modules/services/misc/radarr.nix b/nixos/modules/services/misc/radarr.nix index 74444e24043..826d59da0af 100644 --- a/nixos/modules/services/misc/radarr.nix +++ b/nixos/modules/services/misc/radarr.nix @@ -11,6 +11,14 @@ in services.radarr = { enable = mkEnableOption "Radarr"; + package = mkOption { + description = "Radarr package to use"; + default = pkgs.radarr; + defaultText = literalExpression "pkgs.radarr"; + example = literalExpression "pkgs.radarr"; + type = types.package; + }; + dataDir = mkOption { type = types.str; default = "/var/lib/radarr/.config/Radarr"; @@ -51,7 +59,7 @@ in Type = "simple"; User = cfg.user; Group = cfg.group; - ExecStart = "${pkgs.radarr}/bin/Radarr -nobrowser -data='${cfg.dataDir}'"; + ExecStart = "${cfg.package}/bin/Radarr -nobrowser -data='${cfg.dataDir}'"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/misc/sourcehut/builds.nix b/nixos/modules/services/misc/sourcehut/builds.nix deleted file mode 100644 index 685a132d350..00000000000 --- a/nixos/modules/services/misc/sourcehut/builds.nix +++ /dev/null @@ -1,236 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - scfg = cfg.builds; - rcfg = config.services.redis; - iniKey = "builds.sr.ht"; - - drv = pkgs.sourcehut.buildsrht; -in -{ - options.services.sourcehut.builds = { - user = mkOption { - type = types.str; - default = "buildsrht"; - description = '' - User for builds.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5002; - description = '' - Port on which the "builds" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "builds.sr.ht"; - description = '' - PostgreSQL database name for builds.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/buildsrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/buildsrht"''; - description = '' - State path for builds.sr.ht. - ''; - }; - - enableWorker = mkOption { - type = types.bool; - default = false; - description = '' - Run workers for builds.sr.ht. - ''; - }; - - images = mkOption { - type = types.attrsOf (types.attrsOf (types.attrsOf types.package)); - default = { }; - example = lib.literalExpression ''(let - # Pinning unstable to allow usage with flakes and limit rebuilds. - pkgs_unstable = builtins.fetchGit { - url = "https://github.com/NixOS/nixpkgs"; - rev = "ff96a0fa5635770390b184ae74debea75c3fd534"; - ref = "nixos-unstable"; - }; - image_from_nixpkgs = pkgs_unstable: (import ("''${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") { - pkgs = (import pkgs_unstable {}); - }); - in - { - nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable; - } - )''; - description = '' - Images for builds.sr.ht. Each package should be distro.release.arch and point to a /nix/store/package/root.img.qcow2. - ''; - }; - - }; - - config = with scfg; let - image_dirs = lib.lists.flatten ( - lib.attrsets.mapAttrsToList - (distro: revs: - lib.attrsets.mapAttrsToList - (rev: archs: - lib.attrsets.mapAttrsToList - (arch: image: - pkgs.runCommand "buildsrht-images" { } '' - mkdir -p $out/${distro}/${rev}/${arch} - ln -s ${image}/*.qcow2 $out/${distro}/${rev}/${arch}/root.img.qcow2 - '') - archs) - revs) - scfg.images); - image_dir_pre = pkgs.symlinkJoin { - name = "builds.sr.ht-worker-images-pre"; - paths = image_dirs ++ [ - "${pkgs.sourcehut.buildsrht}/lib/images" - ]; - }; - image_dir = pkgs.runCommand "builds.sr.ht-worker-images" { } '' - mkdir -p $out/images - cp -Lr ${image_dir_pre}/* $out/images - ''; - in - lib.mkIf (cfg.enable && elem "builds" cfg.services) { - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - extraGroups = lib.optionals cfg.builds.enableWorker [ "docker" ]; - description = "builds.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0755 ${user} ${user} -" - ] ++ (lib.optionals cfg.builds.enableWorker - [ "d ${statePath}/logs 0775 ${user} ${user} - -" ] - ); - - services = { - buildsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey - { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "builds.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - - # Hack to bypass this hack: https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht-update-profiles#L6 - } // { preStart = " "; }; - - buildsrht-worker = { - enable = scfg.enableWorker; - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - partOf = [ "buildsrht.service" ]; - description = "builds.sr.ht worker service"; - path = [ pkgs.openssh pkgs.docker ]; - preStart = let qemuPackage = pkgs.qemu_kvm; - in '' - if [[ "$(docker images -q qemu:latest 2> /dev/null)" == "" || "$(cat ${statePath}/docker-image-qemu 2> /dev/null || true)" != "${qemuPackage.version}" ]]; then - # Create and import qemu:latest image for docker - ${ - pkgs.dockerTools.streamLayeredImage { - name = "qemu"; - tag = "latest"; - contents = [ qemuPackage ]; - } - } | docker load - # Mark down current package version - printf "%s" "${qemuPackage.version}" > ${statePath}/docker-image-qemu - fi - ''; - serviceConfig = { - Type = "simple"; - User = user; - Group = "nginx"; - Restart = "always"; - }; - serviceConfig.ExecStart = "${pkgs.sourcehut.buildsrht}/bin/builds.sr.ht-worker"; - }; - }; - }; - - services.sourcehut.settings = { - # URL builds.sr.ht is being served at (protocol://domain) - "builds.sr.ht".origin = mkDefault "http://builds.${cfg.originBase}"; - # Address and port to bind the debug server to - "builds.sr.ht".debug-host = mkDefault "0.0.0.0"; - "builds.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "builds.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "builds.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # builds.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "builds.sr.ht".oauth-client-id = mkDefault null; - "builds.sr.ht".oauth-client-secret = mkDefault null; - # The redis connection used for the celery worker - "builds.sr.ht".redis = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/3"; - # The shell used for ssh - "builds.sr.ht".shell = mkDefault "runner-shell"; - # Register the builds.sr.ht dispatcher - "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.buildsrht}/bin/buildsrht-keys"} = mkDefault "${user}:${user}"; - - # Location for build logs, images, and control command - } // lib.attrsets.optionalAttrs scfg.enableWorker { - # Default worker stores logs that are accessible via this address:port - "builds.sr.ht::worker".name = mkDefault "127.0.0.1:5020"; - "builds.sr.ht::worker".buildlogs = mkDefault "${scfg.statePath}/logs"; - "builds.sr.ht::worker".images = mkDefault "${image_dir}/images"; - "builds.sr.ht::worker".controlcmd = mkDefault "${image_dir}/images/control"; - "builds.sr.ht::worker".timeout = mkDefault "3m"; - }; - - services.nginx.virtualHosts."logs.${cfg.originBase}" = - if scfg.enableWorker then { - listen = with builtins; let address = split ":" cfg.settings."builds.sr.ht::worker".name; - in [{ addr = elemAt address 0; port = lib.toInt (elemAt address 2); }]; - locations."/logs".root = "${scfg.statePath}"; - } else { }; - - services.nginx.virtualHosts."builds.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.buildsrht}/${pkgs.sourcehut.python.sitePackages}/buildsrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 21551d7d5f0..3ff2837900e 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -83,7 +83,7 @@ let python = pkgs.sourcehut.python.withPackages (ps: with ps; [ gunicorn eventlet - # For monitoring Celery: sudo -u listssrht celery --app listssrht.process -b redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=5 flower + # For monitoring Celery: sudo -u listssrht celery --app listssrht.process -b redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=1 flower flower # Sourcehut services srht @@ -238,20 +238,32 @@ in }; smtp-user = mkOptionNullOrStr "Outgoing SMTP user."; smtp-password = mkOptionNullOrStr "Outgoing SMTP password."; - smtp-from = mkOptionNullOrStr "Outgoing SMTP FROM."; + smtp-from = mkOption { + type = types.str; + description = "Outgoing SMTP FROM."; + }; error-to = mkOptionNullOrStr "Address receiving application exceptions"; error-from = mkOptionNullOrStr "Address sending application exceptions"; - pgp-privkey = mkOptionNullOrStr '' - An absolute file path (which should be outside the Nix-store) - to an OpenPGP private key. + pgp-privkey = mkOption { + type = types.str; + description = '' + An absolute file path (which should be outside the Nix-store) + to an OpenPGP private key. - Your PGP key information (DO NOT mix up pub and priv here) - You must remove the password from your secret key, if present. - You can do this with <code>gpg --edit-key [key-id]</code>, - then use the <code>passwd</code> command and do not enter a new password. - ''; - pgp-pubkey = mkOptionNullOrStr "OpenPGP public key."; - pgp-key-id = mkOptionNullOrStr "OpenPGP key identifier."; + Your PGP key information (DO NOT mix up pub and priv here) + You must remove the password from your secret key, if present. + You can do this with <code>gpg --edit-key [key-id]</code>, + then use the <code>passwd</code> command and do not enter a new password. + ''; + }; + pgp-pubkey = mkOption { + type = with types; either path str; + description = "OpenPGP public key."; + }; + pgp-key-id = mkOption { + type = types.str; + description = "OpenPGP key identifier."; + }; }; options.objects = { s3-upstream = mkOption { @@ -905,6 +917,11 @@ in inherit configIniOfService; srvsrht = "buildsrht"; port = 5002; + extraServices.buildsrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + serviceConfig.ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-api -b ${cfg.listenAddress}:${toString (cfg.builds.port + 100)}"; + }; # TODO: a celery worker on the master and worker are apparently needed extraServices.buildsrht-worker = let qemuPackage = pkgs.qemu_kvm; @@ -928,13 +945,13 @@ in fi ''; serviceConfig = { - ExecStart = "${pkgs.sourcehut.buildsrht}/bin/builds.sr.ht-worker"; + ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-worker"; BindPaths = [ cfg.settings."builds.sr.ht::worker".buildlogs ]; LogsDirectory = [ "sourcehut/${serviceName}" ]; RuntimeDirectory = [ "sourcehut/${serviceName}/subdir" ]; StateDirectory = [ "sourcehut/${serviceName}" ]; TimeoutStartSec = "1800s"; - # builds.sr.ht-worker looks up ../config.ini + # buildsrht-worker looks up ../config.ini WorkingDirectory = "-"+"/run/sourcehut/${serviceName}/subdir"; }; }; @@ -952,12 +969,12 @@ in ) cfg.builds.images ); image_dir_pre = pkgs.symlinkJoin { - name = "builds.sr.ht-worker-images-pre"; + name = "buildsrht-worker-images-pre"; paths = image_dirs; # FIXME: not working, apparently because ubuntu/latest is a broken link # ++ [ "${pkgs.sourcehut.buildsrht}/lib/images" ]; }; - image_dir = pkgs.runCommand "builds.sr.ht-worker-images" { } '' + image_dir = pkgs.runCommand "buildsrht-worker-images" { } '' mkdir -p $out/images cp -Lr ${image_dir_pre}/* $out/images ''; @@ -1018,7 +1035,7 @@ in inherit configIniOfService; mainService = mkMerge [ baseService { serviceConfig.StateDirectory = [ "sourcehut/gitsrht" "sourcehut/gitsrht/repos" ]; - preStart = mkIf (!versionAtLeast config.system.stateVersion "22.05") (mkBefore '' + preStart = mkIf (versionOlder config.system.stateVersion "22.05") (mkBefore '' # Fix Git hooks of repositories pre-dating https://github.com/NixOS/nixpkgs/pull/133984 ( set +f @@ -1081,6 +1098,11 @@ in }; }) ]; + extraServices.gitsrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}"; + }; extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable { serviceConfig = { # Socket is passed by gitsrht-fcgiwrap.socket @@ -1124,6 +1146,11 @@ in timerConfig.OnCalendar = ["daily"]; timerConfig.AccuracySec = "1h"; }; + extraServices.hgsrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + serviceConfig.ExecStart = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-api -b ${cfg.listenAddress}:${toString (cfg.hg.port + 100)}"; + }; extraConfig = mkMerge [ { users.users.${cfg.hg.user}.shell = pkgs.bash; @@ -1184,6 +1211,11 @@ in inherit configIniOfService; port = 5006; webhooks = true; + extraServices.listssrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-api -b ${cfg.listenAddress}:${toString (cfg.lists.port + 100)}"; + }; # Receive the mail from Postfix and enqueue them into Redis and PostgreSQL extraServices.listssrht-lmtp = { wants = [ "postfix.service" ]; @@ -1232,9 +1264,13 @@ in inherit configIniOfService; port = 5000; webhooks = true; + extraTimers.metasrht-daily.timerConfig = { + OnCalendar = ["daily"]; + AccuracySec = "1h"; + }; extraServices.metasrht-api = { serviceConfig.Restart = "always"; - serviceConfig.RestartSec = "2s"; + serviceConfig.RestartSec = "5s"; preStart = "set -x\n" + concatStringsSep "\n\n" (attrValues (mapAttrs (k: s: let srvMatch = builtins.match "^([a-z]*)\\.sr\\.ht$" k; srv = head srvMatch; @@ -1248,10 +1284,6 @@ in ) cfg.settings)); serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; }; - extraTimers.metasrht-daily.timerConfig = { - OnCalendar = ["daily"]; - AccuracySec = "1h"; - }; extraConfig = mkMerge [ { assertions = [ @@ -1348,6 +1380,11 @@ in inherit configIniOfService; port = 5003; webhooks = true; + extraServices.todosrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-api -b ${cfg.listenAddress}:${toString (cfg.todo.port + 100)}"; + }; extraServices.todosrht-lmtp = { wants = [ "postfix.service" ]; unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service"; diff --git a/nixos/modules/services/misc/sourcehut/dispatch.nix b/nixos/modules/services/misc/sourcehut/dispatch.nix deleted file mode 100644 index 292a51d3e1c..00000000000 --- a/nixos/modules/services/misc/sourcehut/dispatch.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.dispatch; - iniKey = "dispatch.sr.ht"; - - drv = pkgs.sourcehut.dispatchsrht; -in -{ - options.services.sourcehut.dispatch = { - user = mkOption { - type = types.str; - default = "dispatchsrht"; - description = '' - User for dispatch.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5005; - description = '' - Port on which the "dispatch" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "dispatch.sr.ht"; - description = '' - PostgreSQL database name for dispatch.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/dispatchsrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/dispatchsrht"''; - description = '' - State path for dispatch.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "dispatch" cfg.services) { - - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - description = "dispatch.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services.dispatchsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "dispatch.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - }; - - services.sourcehut.settings = { - # URL dispatch.sr.ht is being served at (protocol://domain) - "dispatch.sr.ht".origin = mkDefault "http://dispatch.${cfg.originBase}"; - # Address and port to bind the debug server to - "dispatch.sr.ht".debug-host = mkDefault "0.0.0.0"; - "dispatch.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "dispatch.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "dispatch.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # dispatch.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "dispatch.sr.ht".oauth-client-id = mkDefault null; - "dispatch.sr.ht".oauth-client-secret = mkDefault null; - - # Github Integration - "dispatch.sr.ht::github".oauth-client-id = mkDefault null; - "dispatch.sr.ht::github".oauth-client-secret = mkDefault null; - - # Gitlab Integration - "dispatch.sr.ht::gitlab".enabled = mkDefault null; - "dispatch.sr.ht::gitlab".canonical-upstream = mkDefault "gitlab.com"; - "dispatch.sr.ht::gitlab".repo-cache = mkDefault "./repo-cache"; - # "dispatch.sr.ht::gitlab"."gitlab.com" = mkDefault "GitLab:application id:secret"; - }; - - services.nginx.virtualHosts."dispatch.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.dispatchsrht}/${pkgs.sourcehut.python.sitePackages}/dispatchsrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/git.nix b/nixos/modules/services/misc/sourcehut/git.nix deleted file mode 100644 index ff110905d18..00000000000 --- a/nixos/modules/services/misc/sourcehut/git.nix +++ /dev/null @@ -1,217 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - scfg = cfg.git; - iniKey = "git.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.gitsrht; -in -{ - options.services.sourcehut.git = { - user = mkOption { - type = types.str; - visible = false; - internal = true; - readOnly = true; - default = "git"; - description = '' - User for git.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5001; - description = '' - Port on which the "git" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "git.sr.ht"; - description = '' - PostgreSQL database name for git.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/gitsrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/gitsrht"''; - description = '' - State path for git.sr.ht. - ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.git; - defaultText = literalExpression "pkgs.git"; - example = literalExpression "pkgs.gitFull"; - description = '' - Git package for git.sr.ht. This can help silence collisions. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "git" cfg.services) { - # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store` - environment.etc."ssh/gitsrht-dispatch" = { - mode = "0755"; - text = '' - #! ${pkgs.stdenv.shell} - ${cfg.python}/bin/gitsrht-dispatch "$@" - ''; - }; - - # Needs this in the $PATH when sshing into the server - environment.systemPackages = [ cfg.git.package ]; - - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this - # Probably could use gitsrht-shell if output is restricted to just parameters... - shell = pkgs.bash; - description = "git.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services = { - cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/gitsrht-periodic" ]; - fcgiwrap.enable = true; - - openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"''; - openssh.authorizedKeysCommandUser = "root"; - openssh.extraConfig = '' - PermitUserEnvironment SRHT_* - ''; - - postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - }; - - systemd = { - tmpfiles.rules = [ - # /var/log is owned by root - "f /var/log/git-srht-shell 0644 ${user} ${user} -" - - "d ${statePath} 0750 ${user} ${user} -" - "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -" - ]; - - services = { - gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "redis.service" "postgresql.service" "network.target" ]; - requires = [ "redis.service" "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - # Needs internally to create repos at the very least - path = [ pkgs.git ]; - description = "git.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - - gitsrht-webhooks = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "git.sr.ht webhooks service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - }; - - serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; - }; - }; - }; - - services.sourcehut.settings = { - # URL git.sr.ht is being served at (protocol://domain) - "git.sr.ht".origin = mkDefault "http://git.${cfg.originBase}"; - # Address and port to bind the debug server to - "git.sr.ht".debug-host = mkDefault "0.0.0.0"; - "git.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "git.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "git.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # The redis connection used for the webhooks worker - "git.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; - - # A post-update script which is installed in every git repo. - "git.sr.ht".post-update-script = mkDefault "${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook"; - - # git.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "git.sr.ht".oauth-client-id = mkDefault null; - "git.sr.ht".oauth-client-secret = mkDefault null; - # Path to git repositories on disk - "git.sr.ht".repos = mkDefault "/var/lib/git"; - - "git.sr.ht".outgoing-domain = mkDefault "http://git.${cfg.originBase}"; - - # The authorized keys hook uses this to dispatch to various handlers - # The format is a program to exec into as the key, and the user to match as the - # value. When someone tries to log in as this user, this program is executed - # and is expected to omit an AuthorizedKeys file. - # - # Discard of the string context is in order to allow derivation-derived strings. - # This is safe if the relevant package is installed which will be the case if the setting is utilized. - "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}"; - }; - - services.nginx.virtualHosts."git.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht"; - extraConfig = '' - location = /authorize { - proxy_pass http://${cfg.address}:${toString port}; - proxy_pass_request_body off; - proxy_set_header Content-Length ""; - proxy_set_header X-Original-URI $request_uri; - } - location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ { - auth_request /authorize; - root /var/lib/git; - fastcgi_pass unix:/run/fcgiwrap.sock; - fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT $document_root; - fastcgi_read_timeout 500s; - include ${config.services.nginx.package}/conf/fastcgi_params; - gzip off; - } - ''; - - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/hg.nix b/nixos/modules/services/misc/sourcehut/hg.nix deleted file mode 100644 index 6ba1df8b6dd..00000000000 --- a/nixos/modules/services/misc/sourcehut/hg.nix +++ /dev/null @@ -1,175 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - scfg = cfg.hg; - iniKey = "hg.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.hgsrht; -in -{ - options.services.sourcehut.hg = { - user = mkOption { - type = types.str; - internal = true; - readOnly = true; - default = "hg"; - description = '' - User for hg.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5010; - description = '' - Port on which the "hg" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "hg.sr.ht"; - description = '' - PostgreSQL database name for hg.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/hgsrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/hgsrht"''; - description = '' - State path for hg.sr.ht. - ''; - }; - - cloneBundles = mkOption { - type = types.bool; - default = false; - description = '' - Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories). - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "hg" cfg.services) { - # In case it ever comes into being - environment.etc."ssh/hgsrht-dispatch" = { - mode = "0755"; - text = '' - #! ${pkgs.stdenv.shell} - ${cfg.python}/bin/gitsrht-dispatch $@ - ''; - }; - - environment.systemPackages = [ pkgs.mercurial ]; - - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - # Assuming hg.sr.ht needs this too - shell = pkgs.bash; - description = "hg.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services = { - cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ] - ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles"; - - openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"''; - openssh.authorizedKeysCommandUser = "root"; - openssh.extraConfig = '' - PermitUserEnvironment SRHT_* - ''; - - postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - }; - - systemd = { - tmpfiles.rules = [ - # /var/log is owned by root - "f /var/log/hg-srht-shell 0644 ${user} ${user} -" - - "d ${statePath} 0750 ${user} ${user} -" - "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -" - ]; - - services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "redis.service" "postgresql.service" "network.target" ]; - requires = [ "redis.service" "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - path = [ pkgs.mercurial ]; - description = "hg.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - }; - - services.sourcehut.settings = { - # URL hg.sr.ht is being served at (protocol://domain) - "hg.sr.ht".origin = mkDefault "http://hg.${cfg.originBase}"; - # Address and port to bind the debug server to - "hg.sr.ht".debug-host = mkDefault "0.0.0.0"; - "hg.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "hg.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # The redis connection used for the webhooks worker - "hg.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; - # A post-update script which is installed in every mercurial repo. - "hg.sr.ht".changegroup-script = mkDefault "${cfg.python}/bin/hgsrht-hook-changegroup"; - # hg.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "hg.sr.ht".oauth-client-id = mkDefault null; - "hg.sr.ht".oauth-client-secret = mkDefault null; - # Path to mercurial repositories on disk - "hg.sr.ht".repos = mkDefault "/var/lib/hg"; - # Path to the srht mercurial extension - # (defaults to where the hgsrht code is) - # "hg.sr.ht".srhtext = mkDefault null; - # .hg/store size (in MB) past which the nightly job generates clone bundles. - # "hg.sr.ht".clone_bundle_threshold = mkDefault 50; - # Path to hg-ssh (if not in $PATH) - # "hg.sr.ht".hg_ssh = mkDefault /path/to/hg-ssh; - - # The authorized keys hook uses this to dispatch to various handlers - # The format is a program to exec into as the key, and the user to match as the - # value. When someone tries to log in as this user, this program is executed - # and is expected to omit an AuthorizedKeys file. - # - # Uncomment the relevant lines to enable the various sr.ht dispatchers. - "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}"; - }; - - # TODO: requires testing and addition of hg-specific requirements - services.nginx.virtualHosts."hg.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/hub.nix b/nixos/modules/services/misc/sourcehut/hub.nix deleted file mode 100644 index 7d137a76505..00000000000 --- a/nixos/modules/services/misc/sourcehut/hub.nix +++ /dev/null @@ -1,120 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.hub; - iniKey = "hub.sr.ht"; - - drv = pkgs.sourcehut.hubsrht; -in -{ - options.services.sourcehut.hub = { - user = mkOption { - type = types.str; - default = "hubsrht"; - description = '' - User for hub.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5014; - description = '' - Port on which the "hub" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "hub.sr.ht"; - description = '' - PostgreSQL database name for hub.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/hubsrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/hubsrht"''; - description = '' - State path for hub.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "hub" cfg.services) { - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - description = "hub.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services.hubsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "hub.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - }; - - services.sourcehut.settings = { - # URL hub.sr.ht is being served at (protocol://domain) - "hub.sr.ht".origin = mkDefault "http://hub.${cfg.originBase}"; - # Address and port to bind the debug server to - "hub.sr.ht".debug-host = mkDefault "0.0.0.0"; - "hub.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "hub.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "hub.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # hub.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "hub.sr.ht".oauth-client-id = mkDefault null; - "hub.sr.ht".oauth-client-secret = mkDefault null; - }; - - services.nginx.virtualHosts."${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.hubsrht}/${pkgs.sourcehut.python.sitePackages}/hubsrht"; - }; - services.nginx.virtualHosts."hub.${cfg.originBase}" = { - globalRedirect = "${cfg.originBase}"; - forceSSL = true; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/lists.nix b/nixos/modules/services/misc/sourcehut/lists.nix deleted file mode 100644 index 76f155caa05..00000000000 --- a/nixos/modules/services/misc/sourcehut/lists.nix +++ /dev/null @@ -1,187 +0,0 @@ -# Email setup is fairly involved, useful references: -# https://drewdevault.com/2018/08/05/Local-mail-server.html - -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.lists; - iniKey = "lists.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.listssrht; -in -{ - options.services.sourcehut.lists = { - user = mkOption { - type = types.str; - default = "listssrht"; - description = '' - User for lists.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5006; - description = '' - Port on which the "lists" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "lists.sr.ht"; - description = '' - PostgreSQL database name for lists.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/listssrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/listssrht"''; - description = '' - State path for lists.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "lists" cfg.services) { - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - extraGroups = [ "postfix" ]; - description = "lists.sr.ht user"; - }; - }; - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services = { - listssrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "lists.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - - listssrht-process = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "lists.sr.ht process service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.process worker --loglevel=info"; - }; - }; - - listssrht-lmtp = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "lists.sr.ht process service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/listssrht-lmtp"; - }; - }; - - - listssrht-webhooks = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "lists.sr.ht webhooks service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; - }; - }; - }; - }; - - services.sourcehut.settings = { - # URL lists.sr.ht is being served at (protocol://domain) - "lists.sr.ht".origin = mkDefault "http://lists.${cfg.originBase}"; - # Address and port to bind the debug server to - "lists.sr.ht".debug-host = mkDefault "0.0.0.0"; - "lists.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "lists.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "lists.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # lists.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "lists.sr.ht".oauth-client-id = mkDefault null; - "lists.sr.ht".oauth-client-secret = mkDefault null; - # Outgoing email for notifications generated by users - "lists.sr.ht".notify-from = mkDefault "CHANGEME@example.org"; - # The redis connection used for the webhooks worker - "lists.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/2"; - # The redis connection used for the celery worker - "lists.sr.ht".redis = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/4"; - # Network-key - "lists.sr.ht".network-key = mkDefault null; - # Allow creation - "lists.sr.ht".allow-new-lists = mkDefault "no"; - # Posting Domain - "lists.sr.ht".posting-domain = mkDefault "lists.${cfg.originBase}"; - - # Path for the lmtp daemon's unix socket. Direct incoming mail to this socket. - # Alternatively, specify IP:PORT and an SMTP server will be run instead. - "lists.sr.ht::worker".sock = mkDefault "/tmp/lists.sr.ht-lmtp.sock"; - # The lmtp daemon will make the unix socket group-read/write for users in this - # group. - "lists.sr.ht::worker".sock-group = mkDefault "postfix"; - "lists.sr.ht::worker".reject-url = mkDefault "https://man.sr.ht/lists.sr.ht/etiquette.md"; - "lists.sr.ht::worker".reject-mimetypes = mkDefault "text/html"; - - }; - - services.nginx.virtualHosts."lists.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.listssrht}/${pkgs.sourcehut.python.sitePackages}/listssrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/man.nix b/nixos/modules/services/misc/sourcehut/man.nix deleted file mode 100644 index 8ca271c32ee..00000000000 --- a/nixos/modules/services/misc/sourcehut/man.nix +++ /dev/null @@ -1,124 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.man; - iniKey = "man.sr.ht"; - - drv = pkgs.sourcehut.mansrht; -in -{ - options.services.sourcehut.man = { - user = mkOption { - type = types.str; - default = "mansrht"; - description = '' - User for man.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5004; - description = '' - Port on which the "man" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "man.sr.ht"; - description = '' - PostgreSQL database name for man.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/mansrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/mansrht"''; - description = '' - State path for man.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "man" cfg.services) { - assertions = - [ - { - assertion = hasAttrByPath [ "git.sr.ht" "oauth-client-id" ] cfgIni; - message = "man.sr.ht needs access to git.sr.ht."; - } - ]; - - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - description = "man.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services.mansrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "man.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - }; - - services.sourcehut.settings = { - # URL man.sr.ht is being served at (protocol://domain) - "man.sr.ht".origin = mkDefault "http://man.${cfg.originBase}"; - # Address and port to bind the debug server to - "man.sr.ht".debug-host = mkDefault "0.0.0.0"; - "man.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "man.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "man.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # man.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "man.sr.ht".oauth-client-id = mkDefault null; - "man.sr.ht".oauth-client-secret = mkDefault null; - }; - - services.nginx.virtualHosts."man.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.mansrht}/${pkgs.sourcehut.python.sitePackages}/mansrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/meta.nix b/nixos/modules/services/misc/sourcehut/meta.nix deleted file mode 100644 index 33e4f2332b5..00000000000 --- a/nixos/modules/services/misc/sourcehut/meta.nix +++ /dev/null @@ -1,213 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.meta; - iniKey = "meta.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.metasrht; -in -{ - options.services.sourcehut.meta = { - user = mkOption { - type = types.str; - default = "metasrht"; - description = '' - User for meta.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5000; - description = '' - Port on which the "meta" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "meta.sr.ht"; - description = '' - PostgreSQL database name for meta.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/metasrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/metasrht"''; - description = '' - State path for meta.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "meta" cfg.services) { - assertions = - [ - { - assertion = with cfgIni."meta.sr.ht::billing"; enabled == "yes" -> (stripe-public-key != null && stripe-secret-key != null); - message = "If meta.sr.ht::billing is enabled, the keys should be defined."; - } - ]; - - users = { - users = { - ${user} = { - isSystemUser = true; - group = user; - description = "meta.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.cron.systemCronJobs = [ "0 0 * * * ${cfg.python}/bin/metasrht-daily" ]; - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services = { - metasrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "meta.sr.ht website service"; - - preStart = '' - # Configure client(s) as "preauthorized" - ${concatMapStringsSep "\n\n" - (attr: '' - if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then - # Configure ${attr}'s OAuth client as "preauthorized" - psql ${database} \ - -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'" - - printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth" - fi - '') - (builtins.attrNames (filterAttrs - (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null) - cfg.settings))} - ''; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - - metasrht-api = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "meta.sr.ht api service"; - - preStart = '' - # Configure client(s) as "preauthorized" - ${concatMapStringsSep "\n\n" - (attr: '' - if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then - # Configure ${attr}'s OAuth client as "preauthorized" - psql ${database} \ - -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'" - - printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth" - fi - '') - (builtins.attrNames (filterAttrs - (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null) - cfg.settings))} - ''; - - serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b :${toString (port + 100)}"; - }; - - metasrht-webhooks = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "meta.sr.ht webhooks service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; - }; - - }; - }; - }; - - services.sourcehut.settings = { - # URL meta.sr.ht is being served at (protocol://domain) - "meta.sr.ht".origin = mkDefault "https://meta.${cfg.originBase}"; - # Address and port to bind the debug server to - "meta.sr.ht".debug-host = mkDefault "0.0.0.0"; - "meta.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "meta.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "meta.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # If "yes", the user will be sent the stock sourcehut welcome emails after - # signup (requires cron to be configured properly). These are specific to the - # sr.ht instance so you probably want to patch these before enabling this. - "meta.sr.ht".welcome-emails = mkDefault "no"; - - # The redis connection used for the webhooks worker - "meta.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/6"; - - # If "no", public registration will not be permitted. - "meta.sr.ht::settings".registration = mkDefault "no"; - # Where to redirect new users upon registration - "meta.sr.ht::settings".onboarding-redirect = mkDefault "https://meta.${cfg.originBase}"; - # How many invites each user is issued upon registration (only applicable if - # open registration is disabled) - "meta.sr.ht::settings".user-invites = mkDefault 5; - - # Origin URL for API, 100 more than web - "meta.sr.ht".api-origin = mkDefault "http://localhost:5100"; - - # You can add aliases for the client IDs of commonly used OAuth clients here. - # - # Example: - "meta.sr.ht::aliases" = mkDefault { }; - # "meta.sr.ht::aliases"."git.sr.ht" = 12345; - - # "yes" to enable the billing system - "meta.sr.ht::billing".enabled = mkDefault "no"; - # Get your keys at https://dashboard.stripe.com/account/apikeys - "meta.sr.ht::billing".stripe-public-key = mkDefault null; - "meta.sr.ht::billing".stripe-secret-key = mkDefault null; - }; - - services.nginx.virtualHosts."meta.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.metasrht}/${pkgs.sourcehut.python.sitePackages}/metasrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/paste.nix b/nixos/modules/services/misc/sourcehut/paste.nix deleted file mode 100644 index b481ebaf891..00000000000 --- a/nixos/modules/services/misc/sourcehut/paste.nix +++ /dev/null @@ -1,135 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.paste; - iniKey = "paste.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.pastesrht; -in -{ - options.services.sourcehut.paste = { - user = mkOption { - type = types.str; - default = "pastesrht"; - description = '' - User for paste.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5011; - description = '' - Port on which the "paste" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "paste.sr.ht"; - description = '' - PostgreSQL database name for paste.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/pastesrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/pastesrht"''; - description = '' - State path for pastesrht.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "paste" cfg.services) { - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - description = "paste.sr.ht user"; - }; - }; - - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services = { - pastesrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "paste.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - - pastesrht-webhooks = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "paste.sr.ht webhooks service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; - }; - - }; - }; - }; - - services.sourcehut.settings = { - # URL paste.sr.ht is being served at (protocol://domain) - "paste.sr.ht".origin = mkDefault "http://paste.${cfg.originBase}"; - # Address and port to bind the debug server to - "paste.sr.ht".debug-host = mkDefault "0.0.0.0"; - "paste.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "paste.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "paste.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # paste.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "paste.sr.ht".oauth-client-id = mkDefault null; - "paste.sr.ht".oauth-client-secret = mkDefault null; - "paste.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/5"; - }; - - services.nginx.virtualHosts."paste.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.pastesrht}/${pkgs.sourcehut.python.sitePackages}/pastesrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/sourcehut/service.nix b/nixos/modules/services/misc/sourcehut/service.nix index f1706ad0a6a..4ecc7a72669 100644 --- a/nixos/modules/services/misc/sourcehut/service.nix +++ b/nixos/modules/services/misc/sourcehut/service.nix @@ -148,7 +148,7 @@ in redis = { host = mkOption { type = types.str; - default = "unix:/run/redis-sourcehut-${srvsrht}/redis.sock?db=0"; + default = "unix:///run/redis-sourcehut-${srvsrht}/redis.sock?db=0"; example = "redis://shared.wireguard:6379/0"; description = '' The redis host URL. This is used for caching and temporary storage, and must diff --git a/nixos/modules/services/misc/sourcehut/todo.nix b/nixos/modules/services/misc/sourcehut/todo.nix deleted file mode 100644 index 262fa48f59d..00000000000 --- a/nixos/modules/services/misc/sourcehut/todo.nix +++ /dev/null @@ -1,163 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; -let - cfg = config.services.sourcehut; - opt = options.services.sourcehut; - cfgIni = cfg.settings; - scfg = cfg.todo; - iniKey = "todo.sr.ht"; - - rcfg = config.services.redis; - drv = pkgs.sourcehut.todosrht; -in -{ - options.services.sourcehut.todo = { - user = mkOption { - type = types.str; - default = "todosrht"; - description = '' - User for todo.sr.ht. - ''; - }; - - port = mkOption { - type = types.port; - default = 5003; - description = '' - Port on which the "todo" module should listen. - ''; - }; - - database = mkOption { - type = types.str; - default = "todo.sr.ht"; - description = '' - PostgreSQL database name for todo.sr.ht. - ''; - }; - - statePath = mkOption { - type = types.path; - default = "${cfg.statePath}/todosrht"; - defaultText = literalExpression ''"''${config.${opt.statePath}}/todosrht"''; - description = '' - State path for todo.sr.ht. - ''; - }; - }; - - config = with scfg; lib.mkIf (cfg.enable && elem "todo" cfg.services) { - users = { - users = { - "${user}" = { - isSystemUser = true; - group = user; - extraGroups = [ "postfix" ]; - description = "todo.sr.ht user"; - }; - }; - groups = { - "${user}" = { }; - }; - }; - - services.postgresql = { - authentication = '' - local ${database} ${user} trust - ''; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = user; - ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; - } - ]; - }; - - systemd = { - tmpfiles.rules = [ - "d ${statePath} 0750 ${user} ${user} -" - ]; - - services = { - todosrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "todo.sr.ht website service"; - - serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; - }; - - todosrht-lmtp = { - after = [ "postgresql.service" "network.target" ]; - bindsTo = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "todo.sr.ht process service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/todosrht-lmtp"; - }; - }; - - todosrht-webhooks = { - after = [ "postgresql.service" "network.target" ]; - requires = [ "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; - - description = "todo.sr.ht webhooks service"; - serviceConfig = { - Type = "simple"; - User = user; - Restart = "always"; - ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; - }; - - }; - }; - }; - - services.sourcehut.settings = { - # URL todo.sr.ht is being served at (protocol://domain) - "todo.sr.ht".origin = mkDefault "http://todo.${cfg.originBase}"; - # Address and port to bind the debug server to - "todo.sr.ht".debug-host = mkDefault "0.0.0.0"; - "todo.sr.ht".debug-port = mkDefault port; - # Configures the SQLAlchemy connection string for the database. - "todo.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; - # Set to "yes" to automatically run migrations on package upgrade. - "todo.sr.ht".migrate-on-upgrade = mkDefault "yes"; - # todo.sr.ht's OAuth client ID and secret for meta.sr.ht - # Register your client at meta.example.org/oauth - "todo.sr.ht".oauth-client-id = mkDefault null; - "todo.sr.ht".oauth-client-secret = mkDefault null; - # Outgoing email for notifications generated by users - "todo.sr.ht".notify-from = mkDefault "CHANGEME@example.org"; - # The redis connection used for the webhooks worker - "todo.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; - # Network-key - "todo.sr.ht".network-key = mkDefault null; - - # Path for the lmtp daemon's unix socket. Direct incoming mail to this socket. - # Alternatively, specify IP:PORT and an SMTP server will be run instead. - "todo.sr.ht::mail".sock = mkDefault "/tmp/todo.sr.ht-lmtp.sock"; - # The lmtp daemon will make the unix socket group-read/write for users in this - # group. - "todo.sr.ht::mail".sock-group = mkDefault "postfix"; - - "todo.sr.ht::mail".posting-domain = mkDefault "todo.${cfg.originBase}"; - }; - - services.nginx.virtualHosts."todo.${cfg.originBase}" = { - forceSSL = true; - locations."/".proxyPass = "http://${cfg.address}:${toString port}"; - locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; - locations."/static".root = "${pkgs.sourcehut.todosrht}/${pkgs.sourcehut.python.sitePackages}/todosrht"; - }; - }; -} diff --git a/nixos/modules/services/misc/uhub.nix b/nixos/modules/services/misc/uhub.nix index 0d0a8c2a4cb..99774fbb920 100644 --- a/nixos/modules/services/misc/uhub.nix +++ b/nixos/modules/services/misc/uhub.nix @@ -80,11 +80,12 @@ in { tls_enable = cfg.enableTLS; file_plugins = pkgs.writeText "uhub-plugins.conf" (lib.strings.concatStringsSep "\n" (map ({ plugin, settings }: - "plugin ${plugin} ${ - toString - (lib.attrsets.mapAttrsToList (key: value: ''"${key}=${value}"'') - settings) - }") cfg.plugins)); + '' + plugin ${plugin} "${ + toString + (lib.attrsets.mapAttrsToList (key: value: "${key}=${value}") + settings) + }"'') cfg.plugins)); }; in { name = "uhub/${name}.conf"; @@ -104,6 +105,9 @@ in { ExecStart = "${pkg}/bin/uhub -c /etc/uhub/${name}.conf -L"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; DynamicUser = true; + + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; }; }; }) hubs; diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index 3809a93a61e..fefbf9a86de 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -114,6 +114,13 @@ in { type = types.package; }; + jre = mkOption { + description = "The JRE with which to run Zookeeper"; + default = cfg.package.jre; + defaultText = literalExpression "pkgs.zookeeper.jre"; + example = literalExpression "pkgs.jre"; + type = types.package; + }; }; @@ -131,7 +138,7 @@ in { after = [ "network.target" ]; serviceConfig = { ExecStart = '' - ${pkgs.jre}/bin/java \ + ${cfg.jre}/bin/java \ -cp "${cfg.package}/lib/*:${configDir}" \ ${escapeShellArgs cfg.extraCmdLineOptions} \ -Dzookeeper.datadir.autocreate=false \ diff --git a/nixos/modules/services/monitoring/grafana-agent.nix b/nixos/modules/services/monitoring/grafana-agent.nix new file mode 100644 index 00000000000..bbeda184647 --- /dev/null +++ b/nixos/modules/services/monitoring/grafana-agent.nix @@ -0,0 +1,143 @@ +{ lib, pkgs, config, generators, ... }: +with lib; +let + cfg = config.services.grafana-agent; + settingsFormat = pkgs.formats.yaml { }; + configFile = settingsFormat.generate "grafana-agent.yaml" cfg.settings; +in +{ + meta = { + maintainers = with maintainers; [ flokli zimbatm ]; + }; + + options.services.grafana-agent = { + enable = mkEnableOption "grafana-agent"; + + package = mkOption { + type = types.package; + default = pkgs.grafana-agent; + defaultText = "pkgs.grafana-agent"; + description = "The grafana-agent package to use."; + }; + + credentials = mkOption { + description = '' + Credentials to load at service startup. Keys that are UPPER_SNAKE will be loaded as env vars. Values are absolute paths to the credentials. + ''; + type = types.attrsOf types.str; + default = { }; + + example = { + logs_remote_write_password = "/run/keys/grafana_agent_logs_remote_write_password"; + LOGS_REMOTE_WRITE_URL = "/run/keys/grafana_agent_logs_remote_write_url"; + LOGS_REMOTE_WRITE_USERNAME = "/run/keys/grafana_agent_logs_remote_write_username"; + metrics_remote_write_password = "/run/keys/grafana_agent_metrics_remote_write_password"; + METRICS_REMOTE_WRITE_URL = "/run/keys/grafana_agent_metrics_remote_write_url"; + METRICS_REMOTE_WRITE_USERNAME = "/run/keys/grafana_agent_metrics_remote_write_username"; + }; + }; + + settings = mkOption { + description = '' + Configuration for <package>grafana-agent</package>. + + See https://grafana.com/docs/agent/latest/configuration/ + ''; + + type = types.submodule { + freeformType = settingsFormat.type; + }; + + default = { + metrics = { + wal_directory = "\${STATE_DIRECTORY}"; + global.scrape_interval = "5s"; + }; + integrations = { + agent.enabled = true; + agent.scrape_integration = true; + node_exporter.enabled = true; + replace_instance_label = true; + }; + }; + + example = { + metrics.global.remote_write = [{ + url = "\${METRICS_REMOTE_WRITE_URL}"; + basic_auth.username = "\${METRICS_REMOTE_WRITE_USERNAME}"; + basic_auth.password_file = "\${CREDENTIALS_DIRECTORY}/metrics_remote_write_password"; + }]; + logs.configs = [{ + name = "default"; + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels.job = "systemd-journal"; + }; + relabel_configs = [ + { + source_labels = [ "__journal__systemd_unit" ]; + target_label = "systemd_unit"; + } + { + source_labels = [ "__journal__hostname" ]; + target_label = "nodename"; + } + { + source_labels = [ "__journal_syslog_identifier" ]; + target_label = "syslog_identifier"; + } + ]; + } + ]; + positions.filename = "\${STATE_DIRECTORY}/loki_positions.yaml"; + clients = [{ + url = "\${LOGS_REMOTE_WRITE_URL}"; + basic_auth.username = "\${LOGS_REMOTE_WRITE_USERNAME}"; + basic_auth.password_file = "\${CREDENTIALS_DIRECTORY}/logs_remote_write_password"; + }]; + }]; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.grafana-agent = { + wantedBy = [ "multi-user.target" ]; + script = '' + set -euo pipefail + shopt -u nullglob + + # Load all credentials into env if they are in UPPER_SNAKE form. + if [[ -n "''${CREDENTIALS_DIRECTORY:-}" ]]; then + for file in "$CREDENTIALS_DIRECTORY"/*; do + key=$(basename "$file") + if [[ $key =~ ^[A-Z0-9_]+$ ]]; then + echo "Environ $key" + export "$key=$(< "$file")" + fi + done + fi + + # We can't use Environment=HOSTNAME=%H, as it doesn't include the domain part. + export HOSTNAME=$(< /proc/sys/kernel/hostname) + + exec ${cfg.package}/bin/agent -config.expand-env -config.file ${configFile} + ''; + serviceConfig = { + Restart = "always"; + DynamicUser = true; + RestartSec = 2; + SupplementaryGroups = [ + # allow to read the systemd journal for loki log forwarding + "systemd-journal" + ]; + StateDirectory = "grafana-agent"; + LoadCredential = lib.mapAttrsToList (key: value: "${key}:${value}") cfg.credentials; + Type = "simple"; + }; + }; + }; +} diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index b959379d331..68b4796f4f4 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -14,6 +14,7 @@ let PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins; PATHS_LOGS = "${cfg.dataDir}/log"; + SERVER_SERVE_FROM_SUBPATH = boolToString cfg.server.serveFromSubPath; SERVER_PROTOCOL = cfg.protocol; SERVER_HTTP_ADDR = cfg.addr; SERVER_HTTP_PORT = cfg.port; @@ -41,9 +42,23 @@ let USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg; USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole; + AUTH_DISABLE_LOGIN_FORM = boolToString cfg.auth.disableLoginForm; + AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; + + AUTH_AZUREAD_NAME = "Azure AD"; + AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable; + AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp; + AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId; + AUTH_AZUREAD_SCOPES = "openid email profile"; + AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize"; + AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token"; + AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains; + AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups; + AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false; + AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; @@ -109,6 +124,11 @@ let default = 1; description = "Org id. will default to orgId 1 if not specified."; }; + uid = mkOption { + type = types.nullOr types.str; + default = null; + description = "Custom UID which can be used to reference this datasource in other parts of the configuration, if not specified will be generated automatically."; + }; url = mkOption { type = types.str; description = "Url of the datasource."; @@ -484,6 +504,14 @@ in { }; }; + server = { + serveFromSubPath = mkOption { + description = "Serve Grafana from subpath specified in rootUrl setting"; + default = false; + type = types.bool; + }; + }; + smtp = { enable = mkEnableOption "smtp"; host = mkOption { @@ -546,6 +574,12 @@ in { }; auth = { + disableLoginForm = mkOption { + description = "Set to true to disable (hide) the login form, useful if you use OAuth"; + default = false; + type = types.bool; + }; + anonymous = { enable = mkOption { description = "Whether to allow anonymous access."; @@ -563,6 +597,53 @@ in { type = types.str; }; }; + azuread = { + enable = mkOption { + description = "Whether to allow Azure AD OAuth."; + default = false; + type = types.bool; + }; + allowSignUp = mkOption { + description = "Whether to allow sign up with Azure AD OAuth."; + default = false; + type = types.bool; + }; + clientId = mkOption { + description = "Azure AD OAuth client ID."; + default = ""; + type = types.str; + }; + clientSecretFile = mkOption { + description = "Azure AD OAuth client secret."; + default = null; + type = types.nullOr types.path; + }; + tenantId = mkOption { + description = '' + Tenant id used to create auth and token url. Default to "common" + , let user sign in with any tenant. + ''; + default = "common"; + type = types.str; + }; + allowedDomains = mkOption { + description = '' + To limit access to authenticated users who are members of one or more groups, + set allowedGroups to a comma- or space-separated list of group object IDs. + You can find object IDs for a specific group on the Azure portal. + ''; + default = ""; + type = types.str; + }; + allowedGroups = mkOption { + description = '' + Limits access to users who belong to specific domains. + Separate domains with space or comma. + ''; + default = ""; + type = types.str; + }; + }; google = { enable = mkOption { description = "Whether to allow Google OAuth2."; @@ -652,6 +733,10 @@ in { set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit + ${optionalString (cfg.auth.azuread.clientSecretFile != null) '' + GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})" + export GF_AUTH_AZUREAD_CLIENT_SECRET + ''} ${optionalString (cfg.auth.google.clientSecretFile != null) '' GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})" export GF_AUTH_GOOGLE_CLIENT_SECRET diff --git a/nixos/modules/services/monitoring/mimir.nix b/nixos/modules/services/monitoring/mimir.nix new file mode 100644 index 00000000000..83c0b23c59d --- /dev/null +++ b/nixos/modules/services/monitoring/mimir.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) escapeShellArgs mkEnableOption mkIf mkOption types; + + cfg = config.services.mimir; + + settingsFormat = pkgs.formats.yaml {}; +in { + options.services.mimir = { + enable = mkEnableOption "mimir"; + + configuration = mkOption { + type = (pkgs.formats.json {}).type; + default = {}; + description = '' + Specify the configuration for Mimir in Nix. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Specify a configuration file that Mimir should use. + ''; + }; + }; + + config = mkIf cfg.enable { + # for mimirtool + environment.systemPackages = [ pkgs.mimir ]; + + assertions = [{ + assertion = ( + (cfg.configuration == {} -> cfg.configFile != null) && + (cfg.configFile != null -> cfg.configuration == {}) + ); + message = '' + Please specify either + 'services.mimir.configuration' or + 'services.mimir.configFile'. + ''; + }]; + + systemd.services.mimir = { + description = "mimir Service Daemon"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = let + conf = if cfg.configFile == null + then settingsFormat.generate "config.yaml" cfg.configuration + else cfg.configFile; + in + { + ExecStart = "${pkgs.mimir}/bin/mimir --config.file=${conf}"; + DynamicUser = true; + Restart = "always"; + ProtectSystem = "full"; + DevicePolicy = "closed"; + NoNewPrivileges = true; + WorkingDirectory = "/var/lib/mimir"; + StateDirectory = "mimir"; + }; + }; + }; +} diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index f528d183042..489dd337bb7 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -201,6 +201,8 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/netdata -P /run/netdata/netdata.pid -D -c /etc/netdata/netdata.conf"; ExecReload = "${pkgs.util-linux}/bin/kill -s HUP -s USR1 -s USR2 $MAINPID"; + ExecPostStart = ''while [ "$(netdatacli ping)" != pong ]; do sleep 0.5; done''; + TimeoutStopSec = 60; Restart = "on-failure"; # User and group diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index ec71365ba3c..efc7f69be7d 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -3,7 +3,19 @@ let cfg = config.services.parsedmarc; opt = options.services.parsedmarc; - ini = pkgs.formats.ini {}; + isSecret = v: isAttrs v && v ? _secret && isString v._secret; + ini = pkgs.formats.ini { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" rec { + mkValueString = v: + if isInt v then toString v + else if isString v then v + else if true == v then "True" + else if false == v then "False" + else if isSecret v then hashString "sha256" v._secret + else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; + }; + }; + inherit (builtins) elem isAttrs isString isInt isList typeOf hashString; in { options.services.parsedmarc = { @@ -107,11 +119,35 @@ in }; settings = lib.mkOption { + example = lib.literalExpression '' + { + imap = { + host = "imap.example.com"; + user = "alice@example.com"; + password = { _secret = "/run/keys/imap_password" }; + watch = true; + }; + splunk_hec = { + url = "https://splunkhec.example.com"; + token = { _secret = "/run/keys/splunk_token" }; + index = "email"; + }; + } + ''; description = '' Configuration parameters to set in <filename>parsedmarc.ini</filename>. For a full list of available parameters, see <link xlink:href="https://domainaware.github.io/parsedmarc/#configuration-file" />. + + Settings containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting <filename>parsedmarc.ini</filename> + file, the <literal>splunk_hec.token</literal> key will be set + to the contents of the + <filename>/run/keys/splunk_token</filename> file. ''; type = lib.types.submodule { @@ -170,11 +206,18 @@ in }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; description = '' - The path to a file containing the IMAP server password. + The IMAP server password. + + Always handled as a secret whether the value is + wrapped in a <literal>{ _secret = ...; }</literal> + attrset or not (refer to <xref + linkend="opt-services.parsedmarc.settings" /> for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; watch = lib.mkOption { @@ -228,11 +271,18 @@ in }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; description = '' - The path to a file containing the SMTP server password. + The SMTP server password. + + Always handled as a secret whether the value is + wrapped in a <literal>{ _secret = ...; }</literal> + attrset or not (refer to <xref + linkend="opt-services.parsedmarc.settings" /> for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; from = lib.mkOption { @@ -274,12 +324,19 @@ in }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; description = '' - The path to a file containing the password to use when - connecting to Elasticsearch, if required. + The password to use when connecting to Elasticsearch, + if required. + + Always handled as a secret whether the value is + wrapped in a <literal>{ _secret = ...; }</literal> + attrset or not (refer to <xref + linkend="opt-services.parsedmarc.settings" /> for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; ssl = lib.mkOption { @@ -299,63 +356,6 @@ in ''; }; }; - - kafka = { - hosts = lib.mkOption { - default = []; - type = with lib.types; listOf str; - apply = x: if x == [] then null else lib.concatStringsSep "," x; - description = '' - A list of Apache Kafka hosts to publish parsed reports - to. - ''; - }; - - user = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - description = '' - Username to use when connecting to Kafka, if - required. - ''; - }; - - password = lib.mkOption { - type = with lib.types; nullOr path; - default = null; - description = '' - The path to a file containing the password to use when - connecting to Kafka, if required. - ''; - }; - - ssl = lib.mkOption { - type = with lib.types; nullOr bool; - default = null; - description = '' - Whether to use an encrypted SSL/TLS connection. - ''; - }; - - aggregate_topic = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "aggregate"; - description = '' - The Kafka topic to publish aggregate reports on. - ''; - }; - - forensic_topic = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "forensic"; - description = '' - The Kafka topic to publish forensic reports on. - ''; - }; - }; - }; }; @@ -404,21 +404,14 @@ in enable = cfg.provision.grafana.datasource || cfg.provision.grafana.dashboard; datasources = let - pkgVer = lib.getVersion config.services.elasticsearch.package; - esVersion = - if lib.versionOlder pkgVer "7" then - "60" - else if lib.versionOlder pkgVer "8" then - "70" - else - throw "When provisioning parsedmarc grafana datasources: unknown Elasticsearch version."; + esVersion = lib.getVersion config.services.elasticsearch.package; in lib.mkIf cfg.provision.grafana.datasource [ { name = "dmarc-ag"; type = "elasticsearch"; access = "proxy"; - url = "localhost:9200"; + url = "http://localhost:9200"; jsonData = { timeField = "date_range"; inherit esVersion; @@ -428,7 +421,7 @@ in name = "dmarc-fo"; type = "elasticsearch"; access = "proxy"; - url = "localhost:9200"; + url = "http://localhost:9200"; jsonData = { timeField = "date_range"; inherit esVersion; @@ -467,12 +460,17 @@ in # lists, empty attrsets and null. This makes it possible to # list interesting options in `settings` without them always # ending up in the resulting config. - filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! builtins.elem v [ null [] {} ])) cfg.settings; + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null [] {} ])) cfg.settings; + + # Extract secrets (attributes set to an attrset with a + # "_secret" key) from the settings and generate the commands + # to run to perform the secret replacements. + secretPaths = lib.catAttrs "_secret" (lib.collect isSecret filteredConfig); parsedmarcConfig = ini.generate "parsedmarc.ini" filteredConfig; - mkSecretReplacement = file: - lib.optionalString (file != null) '' - replace-secret '${file}' '${file}' /run/parsedmarc/parsedmarc.ini - ''; + mkSecretReplacement = file: '' + replace-secret ${lib.escapeShellArgs [ (hashString "sha256" file) file "/run/parsedmarc/parsedmarc.ini" ]} + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; in { wantedBy = [ "multi-user.target" ]; @@ -487,10 +485,7 @@ in umask u=rwx,g=,o= cp ${parsedmarcConfig} /run/parsedmarc/parsedmarc.ini chown parsedmarc:parsedmarc /run/parsedmarc/parsedmarc.ini - ${mkSecretReplacement cfg.settings.smtp.password} - ${mkSecretReplacement cfg.settings.imap.password} - ${mkSecretReplacement cfg.settings.elasticsearch.password} - ${mkSecretReplacement cfg.settings.kafka.password} + ${secretReplacements} '' + lib.optionalString cfg.provision.localMail.enable '' openssl rand -hex 64 >/run/parsedmarc/dmarc_user_passwd replace-secret '@imap-password@' '/run/parsedmarc/dmarc_user_passwd' /run/parsedmarc/parsedmarc.ini diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 52525e8935b..41848c1c6d3 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -3,7 +3,11 @@ with lib; let + json = pkgs.formats.json { }; cfg = config.services.prometheus; + checkConfigEnabled = + (lib.isBool cfg.checkConfig && cfg.checkConfig) + || cfg.checkConfig == "syntax-only"; workingDir = "/var/lib/" + cfg.stateDir; @@ -26,7 +30,7 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: - if cfg.checkConfig then + if checkConfigEnabled then pkgs.runCommandLocal "${name}-${replaceStrings [" "] [""] what}-checked" { buildInputs = [ cfg.package ]; } '' @@ -34,13 +38,7 @@ let promtool ${what} $out '' else file; - # Pretty-print JSON to a file - writePrettyJSON = name: x: - pkgs.runCommandLocal name { } '' - echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out - ''; - - generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; + generatedPrometheusYml = json.generate "prometheus.yml" promConfig; # This becomes the main config file for Prometheus promConfig = { @@ -63,7 +61,7 @@ let pkgs.writeText "prometheus.yml" cfg.configText else generatedPrometheusYml; in - promtoolCheck "check config" "prometheus.yml" yml; + promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ "--storage.tsdb.path=${workingDir}/data/" @@ -1731,16 +1729,20 @@ in }; checkConfig = mkOption { - type = types.bool; + type = with types; either bool (enum [ "syntax-only" ]); default = true; + example = "syntax-only"; description = '' Check configuration with <literal>promtool check</literal>. The call to <literal>promtool</literal> is - subject to sandboxing by Nix. When credentials are stored in - external files (<literal>password_file</literal>, - <literal>bearer_token_file</literal>, etc), they will not be - visible to <literal>promtool</literal> and it will report - errors, despite a correct configuration. + subject to sandboxing by Nix. + + If you use credentials stored in external files + (<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc), + they will not be visible to <literal>promtool</literal> + and it will report errors, despite a correct configuration. + To resolve this, you may set this option to <literal>"syntax-only"</literal> + in order to only syntax check the Prometheus configuration. ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix b/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix index 330610a15d9..25950e1ece9 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix @@ -108,7 +108,7 @@ in { -i ${pkgs.writeText "dmarc-exporter.json.template" json} \ -o ''${STATE_DIRECTORY}/dmarc-exporter.json - exec ${pkgs.prometheus-dmarc-exporter}/bin/prometheus-dmarc-exporter \ + exec ${pkgs.dmarc-metrics-exporter}/bin/dmarc-metrics-exporter \ --configuration /var/lib/prometheus-dmarc-exporter/dmarc-exporter.json \ ${optionalString cfg.debug "--debug"} ''}"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix index 4d3c1fa267e..53509b7a385 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix @@ -74,11 +74,13 @@ in }; }; serviceOpts = { + after = mkIf cfg.systemd.enable [ cfg.systemd.unit ]; serviceConfig = { DynamicUser = false; # By default, each prometheus exporter only gets AF_INET & AF_INET6, # but AF_UNIX is needed to read from the `showq`-socket. RestrictAddressFamilies = [ "AF_UNIX" ]; + SupplementaryGroups = mkIf cfg.systemd.enable [ "systemd-journal" ]; ExecStart = '' ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index d4aa69629ec..2d329a1af1c 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix @@ -57,9 +57,9 @@ in { ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \ -p ${toString cfg.port} \ -l ${cfg.listenAddress} \ - ${optionalString cfg.verbose "-v"} \ - ${optionalString cfg.singleSubnetPerField "-s"} \ - ${optionalString cfg.withRemoteIp "-r"} \ + ${optionalString cfg.verbose "-v true"} \ + ${optionalString cfg.singleSubnetPerField "-s true"} \ + ${optionalString cfg.withRemoteIp "-r true"} \ ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"} ''; RestrictAddressFamilies = [ diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 395b9788855..b7e6a787cfb 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -257,7 +257,7 @@ in '' + optionalString cfg.autoMigrate '' ${pkgs.ipfs-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y '' + '' - ipfs --offline config profile apply ${profile} + ipfs --offline config profile apply ${profile} >/dev/null fi '' + optionalString cfg.autoMount '' ipfs --offline config Mounts.FuseAllowOther --json true @@ -283,7 +283,7 @@ in User = cfg.user; Group = cfg.group; StateDirectory = ""; - ReadWritePaths = [ "" cfg.dataDir ]; + ReadWritePaths = optionals (!cfg.autoMount) [ "" cfg.dataDir ]; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (!cfg.startWhenNeeded) { wantedBy = [ "default.target" ]; diff --git a/nixos/modules/services/networking/asterisk.nix b/nixos/modules/services/networking/asterisk.nix index af091d55c01..297d0b3b2d0 100644 --- a/nixos/modules/services/networking/asterisk.nix +++ b/nixos/modules/services/networking/asterisk.nix @@ -14,28 +14,9 @@ let # Add filecontents from files of useTheseDefaultConfFiles to confFiles, do not override defaultConfFiles = subtractLists (attrNames cfg.confFiles) cfg.useTheseDefaultConfFiles; - allConfFiles = - cfg.confFiles // - builtins.listToAttrs (map (x: { name = x; - value = builtins.readFile (cfg.package + "/etc/asterisk/" + x); }) - defaultConfFiles); - - asteriskEtc = pkgs.stdenv.mkDerivation - ((mapAttrs' (name: value: nameValuePair - # Fudge the names to make bash happy - ((replaceChars ["."] ["_"] name) + "_") - (value) - ) allConfFiles) // - { - confFilesString = concatStringsSep " " ( - attrNames allConfFiles - ); - - name = "asterisk-etc"; - + allConfFiles = { # Default asterisk.conf file - # (Notice that astetcdir will be set to the path of this derivation) - asteriskConf = '' + "asterisk.conf".text = '' [directories] astetcdir => /etc/asterisk astmoddir => ${cfg.package}/lib/asterisk/modules @@ -48,43 +29,28 @@ let astrundir => /run/asterisk astlogdir => /var/log/asterisk astsbindir => ${cfg.package}/sbin + ${cfg.extraConfig} ''; - extraConf = cfg.extraConfig; # Loading all modules by default is considered sensible by the authors of # "Asterisk: The Definitive Guide". Secure sites will likely want to # specify their own "modules.conf" in the confFiles option. - modulesConf = '' + "modules.conf".text = '' [modules] autoload=yes ''; # Use syslog for logging so logs can be viewed with journalctl - loggerConf = '' + "logger.conf".text = '' [general] [logfiles] syslog.local0 => notice,warning,error ''; + } // + mapAttrs (name: text: { inherit text; }) cfg.confFiles // + listToAttrs (map (x: nameValuePair x { source = cfg.package + "/etc/asterisk/" + x; }) defaultConfFiles); - buildCommand = '' - mkdir -p "$out" - - # Create asterisk.conf, pointing astetcdir to the path of this derivation - echo "$asteriskConf" | sed "s|@out@|$out|g" > "$out"/asterisk.conf - echo "$extraConf" >> "$out"/asterisk.conf - - echo "$modulesConf" > "$out"/modules.conf - - echo "$loggerConf" > "$out"/logger.conf - - # Config files specified in confFiles option override all other files - for i in $confFilesString; do - conf=$(echo "$i"_ | sed 's/\./_/g') - echo "''${!conf}" > "$out"/"$i" - done - ''; - }); in { @@ -209,7 +175,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - environment.etc.asterisk.source = asteriskEtc; + environment.etc = mapAttrs' (name: value: + nameValuePair "asterisk/${name}" value + ) allConfFiles; users.users.asterisk = { name = asteriskUser; diff --git a/nixos/modules/services/networking/bird-lg.nix b/nixos/modules/services/networking/bird-lg.nix new file mode 100644 index 00000000000..515ef38608b --- /dev/null +++ b/nixos/modules/services/networking/bird-lg.nix @@ -0,0 +1,269 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.bird-lg; +in +{ + options = { + services.bird-lg = { + package = mkOption { + type = types.package; + default = pkgs.bird-lg; + defaultText = literalExpression "pkgs.bird-lg"; + description = "The Bird Looking Glass package to use."; + }; + + user = mkOption { + type = types.str; + default = "bird-lg"; + description = "User to run the service."; + }; + + group = mkOption { + type = types.str; + default = "bird-lg"; + description = "Group to run the service."; + }; + + frontend = { + enable = mkEnableOption "Bird Looking Glass Frontend Webserver"; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1:5000"; + description = "Address to listen on."; + }; + + proxyPort = mkOption { + type = types.port; + default = 8000; + description = "Port bird-lg-proxy is running on."; + }; + + domain = mkOption { + type = types.str; + default = ""; + example = "dn42.lantian.pub"; + description = "Server name domain suffixes."; + }; + + servers = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "gigsgigscloud" "hostdare" ]; + description = "Server name prefixes."; + }; + + whois = mkOption { + type = types.str; + default = "whois.verisign-grs.com"; + description = "Whois server for queries."; + }; + + dnsInterface = mkOption { + type = types.str; + default = "asn.cymru.com"; + description = "DNS zone to query ASN information."; + }; + + bgpMapInfo = mkOption { + type = types.listOf types.str; + default = [ "asn" "as-name" "ASName" "descr" ]; + description = "Information displayed in bgpmap."; + }; + + titleBrand = mkOption { + type = types.str; + default = "Bird-lg Go"; + description = "Prefix of page titles in browser tabs."; + }; + + netSpecificMode = mkOption { + type = types.str; + default = ""; + example = "dn42"; + description = "Apply network-specific changes for some networks."; + }; + + protocolFilter = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "ospf" ]; + description = "Information displayed in bgpmap."; + }; + + nameFilter = mkOption { + type = types.str; + default = ""; + example = "^ospf"; + description = "Protocol names to hide in summary tables (RE2 syntax),"; + }; + + timeout = mkOption { + type = types.int; + default = 120; + description = "Time before request timed out, in seconds."; + }; + + navbar = { + brand = mkOption { + type = types.str; + default = "Bird-lg Go"; + description = "Brand to show in the navigation bar ."; + }; + + brandURL = mkOption { + type = types.str; + default = "/"; + description = "URL of the brand to show in the navigation bar."; + }; + + allServers = mkOption { + type = types.str; + default = "ALL Servers"; + description = "Text of 'All server' button in the navigation bar."; + }; + + allServersURL = mkOption { + type = types.str; + default = "all"; + description = "URL of 'All servers' button."; + }; + }; + + extraArgs = mkOption { + type = types.lines; + default = ""; + description = " + Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#frontend\">here</link>. + "; + }; + }; + + proxy = { + enable = mkEnableOption "Bird Looking Glass Proxy"; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1:8000"; + description = "Address to listen on."; + }; + + allowedIPs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "192.168.25.52" "192.168.25.53" ]; + description = "List of IPs to allow (default all allowed)."; + }; + + birdSocket = mkOption { + type = types.str; + default = "/run/bird.ctl"; + example = "/var/run/bird/bird.ctl"; + description = "Bird control socket path."; + }; + + traceroute = { + binary = mkOption { + type = types.str; + default = "${pkgs.traceroute}/bin/traceroute"; + defaultText = literalExpression ''"''${pkgs.traceroute}/bin/traceroute"''; + description = "Traceroute's binary path."; + }; + + rawOutput = mkOption { + type = types.bool; + default = false; + description = "Display traceroute output in raw format."; + }; + }; + + extraArgs = mkOption { + type = types.lines; + default = ""; + description = " + Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#proxy\">here</link>. + "; + }; + }; + }; + }; + + ###### implementation + + config = { + systemd.services = { + bird-lg-frontend = mkIf cfg.frontend.enable { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "Bird Looking Glass Frontend Webserver"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ProtectSystem = "full"; + ProtectHome = "yes"; + MemoryDenyWriteExecute = "yes"; + User = cfg.user; + Group = cfg.group; + }; + script = '' + ${cfg.package}/bin/frontend \ + --servers ${concatStringsSep "," cfg.frontend.servers } \ + --domain ${cfg.frontend.domain} \ + --listen ${cfg.frontend.listenAddress} \ + --proxy-port ${toString cfg.frontend.proxyPort} \ + --whois ${cfg.frontend.whois} \ + --dns-interface ${cfg.frontend.dnsInterface} \ + --bgpmap-info ${concatStringsSep "," cfg.frontend.bgpMapInfo } \ + --title-brand ${cfg.frontend.titleBrand} \ + --navbar-brand ${cfg.frontend.navbar.brand} \ + --navbar-brand-url ${cfg.frontend.navbar.brandURL} \ + --navbar-all-servers ${cfg.frontend.navbar.allServers} \ + --navbar-all-url ${cfg.frontend.navbar.allServersURL} \ + --net-specific-mode ${cfg.frontend.netSpecificMode} \ + --protocol-filter ${concatStringsSep "," cfg.frontend.protocolFilter } \ + --name-filter ${cfg.frontend.nameFilter} \ + --time-out ${toString cfg.frontend.timeout} \ + ${cfg.frontend.extraArgs} + ''; + }; + + bird-lg-proxy = mkIf cfg.proxy.enable { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "Bird Looking Glass Proxy"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ProtectSystem = "full"; + ProtectHome = "yes"; + MemoryDenyWriteExecute = "yes"; + User = cfg.user; + Group = cfg.group; + }; + script = '' + ${cfg.package}/bin/proxy \ + --allowed ${concatStringsSep "," cfg.proxy.allowedIPs } \ + --bird ${cfg.proxy.birdSocket} \ + --listen ${cfg.proxy.listenAddress} \ + --traceroute_bin ${cfg.proxy.traceroute.binary} + --traceroute_raw ${boolToString cfg.proxy.traceroute.rawOutput} + ${cfg.proxy.extraArgs} + ''; + }; + }; + users = mkIf (cfg.frontend.enable || cfg.proxy.enable) { + groups."bird-lg" = mkIf (cfg.group == "bird-lg") { }; + users."bird-lg" = mkIf (cfg.user == "bird-lg") { + description = "Bird Looking Glass user"; + extraGroups = lib.optionals (config.services.bird2.enable) [ "bird2" ]; + group = cfg.group; + isSystemUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 8bf04e3a1a2..f76cffc79bf 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -174,6 +174,7 @@ in serviceConfig = { DynamicUser = true; StateDirectory = "bitlbee"; + ReadWritePaths = [ cfg.configDir ]; ExecStart = "${bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}"; }; }; diff --git a/nixos/modules/services/networking/cloudflare-dyndns.nix b/nixos/modules/services/networking/cloudflare-dyndns.nix new file mode 100644 index 00000000000..ab5b1a08539 --- /dev/null +++ b/nixos/modules/services/networking/cloudflare-dyndns.nix @@ -0,0 +1,93 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.cloudflare-dyndns; +in +{ + options = { + services.cloudflare-dyndns = { + enable = mkEnableOption "Cloudflare Dynamic DNS Client"; + + apiTokenFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The path to a file containing the CloudFlare API token. + + The file must have the form `CLOUDFLARE_API_TOKEN=...` + ''; + }; + + domains = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of domain names to update records for. + ''; + }; + + proxied = mkOption { + type = types.bool; + default = false; + description = '' + Whether this is a DNS-only record, or also being proxied through CloudFlare. + ''; + }; + + ipv4 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable setting IPv4 A records. + ''; + }; + + ipv6 = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable setting IPv6 AAAA records. + ''; + }; + + deleteMissing = mkOption { + type = types.bool; + default = false; + description = '' + Whether to delete the record when no IP address is found. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.cloudflare-dyndns = { + description = "CloudFlare Dynamic DNS Client"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + startAt = "*:0/5"; + + environment = { + CLOUDFLARE_DOMAINS = toString cfg.domains; + }; + + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "cloudflare-dyndns"; + EnvironmentFile = cfg.apiTokenFile; + ExecStart = + let + args = [ "--cache-file /var/lib/cloudflare-dyndns/ip.cache" ] + ++ (if cfg.ipv4 then [ "-4" ] else [ "-no-4" ]) + ++ (if cfg.ipv6 then [ "-6" ] else [ "-no-6" ]) + ++ optional cfg.deleteMissing "--delete-missing" + ++ optional cfg.proxied "--proxied"; + in + "${pkgs.cloudflare-dyndns}/bin/cloudflare-dyndns ${toString args}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index d025c8f8177..faee99b175e 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -181,7 +181,7 @@ with lib; }; verbose = mkOption { - default = true; + default = false; type = bool; description = '' Print verbose information. diff --git a/nixos/modules/services/networking/expressvpn.nix b/nixos/modules/services/networking/expressvpn.nix new file mode 100644 index 00000000000..d8ae6528a4d --- /dev/null +++ b/nixos/modules/services/networking/expressvpn.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + options.services.expressvpn.enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the ExpressVPN daemon. + ''; + }; + + config = mkIf config.services.expressvpn.enable { + boot.kernelModules = [ "tun" ]; + + systemd.services.expressvpn = { + description = "ExpressVPN Daemon"; + serviceConfig = { + ExecStart = "${pkgs.expressvpn}/bin/expressvpnd"; + Restart = "on-failure"; + RestartSec = 5; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "network-online.target" ]; + }; + }; + + meta.maintainers = with maintainers; [ yureien ]; +} diff --git a/nixos/modules/services/networking/frr.nix b/nixos/modules/services/networking/frr.nix index 45a82b9450a..98452123f03 100644 --- a/nixos/modules/services/networking/frr.nix +++ b/nixos/modules/services/networking/frr.nix @@ -106,6 +106,14 @@ let TCP Port to bind to for the VTY interface. ''; }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra options for the daemon. + ''; + }; }; in @@ -196,7 +204,8 @@ in PIDFile = "frr/${daemon}.pid"; ExecStart = "${pkgs.frr}/libexec/frr/${daemon} -f /etc/frr/${service}.conf" + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}" - + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"; + + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}" + + " " + (concatStringsSep " " scfg.extraOptions); ExecReload = "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemonName service} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${service}.conf"; Restart = "on-abnormal"; }; diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix index 3e3a3c1aa94..e68f8a47d5c 100644 --- a/nixos/modules/services/networking/gateone.nix +++ b/nixos/modules/services/networking/gateone.nix @@ -36,11 +36,11 @@ config = mkIf cfg.enable { preStart = '' if [ ! -d ${cfg.settingsDir} ] ; then mkdir -m 0750 -p ${cfg.settingsDir} - chown -R gateone.gateone ${cfg.settingsDir} + chown -R gateone:gateone ${cfg.settingsDir} fi if [ ! -d ${cfg.pidDir} ] ; then mkdir -m 0750 -p ${cfg.pidDir} - chown -R gateone.gateone ${cfg.pidDir} + chown -R gateone:gateone ${cfg.pidDir} fi ''; #unitConfig.RequiresMountsFor = "${cfg.settingsDir}"; diff --git a/nixos/modules/services/networking/ircd-hybrid/ircd.conf b/nixos/modules/services/networking/ircd-hybrid/ircd.conf index 17ef203840a..b82094cf5f0 100644 --- a/nixos/modules/services/networking/ircd-hybrid/ircd.conf +++ b/nixos/modules/services/networking/ircd-hybrid/ircd.conf @@ -98,7 +98,7 @@ serverinfo { * * openssl genrsa -out rsa.key 2048 * openssl rsa -in rsa.key -pubout -out rsa.pub - * chown <ircd-user>.<ircd.group> rsa.key rsa.pub + * chown <ircd-user>:<ircd.group> rsa.key rsa.pub * chmod 0600 rsa.key * chmod 0644 rsa.pub */ diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index b41a2fd27be..70c6725d103 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -54,10 +54,10 @@ let hashedPassword = mkOption { type = uniq (nullOr str); default = null; - description = '' + description = mdDoc '' Specifies the hashed password for the MQTT User. - To generate hashed password install <literal>mosquitto</literal> - package and use <literal>mosquitto_passwd</literal>. + To generate hashed password install `mosquitto` + package and use `mosquitto_passwd`. ''; }; @@ -65,11 +65,11 @@ let type = uniq (nullOr types.path); example = "/path/to/file"; default = null; - description = '' + description = mdDoc '' Specifies the path to a file containing the hashed password for the MQTT user. - To generate hashed password install <literal>mosquitto</literal> - package and use <literal>mosquitto_passwd</literal>. + To generate hashed password install `mosquitto` + package and use `mosquitto_passwd`. ''; }; @@ -155,24 +155,24 @@ let options = { plugin = mkOption { type = path; - description = '' - Plugin path to load, should be a <literal>.so</literal> file. + description = mdDoc '' + Plugin path to load, should be a `.so` file. ''; }; denySpecialChars = mkOption { type = bool; - description = '' - Automatically disallow all clients using <literal>#</literal> - or <literal>+</literal> in their name/id. + description = mdDoc '' + Automatically disallow all clients using `#` + or `+` in their name/id. ''; default = true; }; options = mkOption { type = attrsOf optionType; - description = '' - Options for the auth plugin. Each key turns into a <literal>auth_opt_*</literal> + description = mdDoc '' + Options for the auth plugin. Each key turns into a `auth_opt_*` line in the config. ''; default = {}; @@ -199,6 +199,7 @@ let allow_anonymous = 1; allow_zero_length_clientid = 1; auto_id_prefix = 1; + bind_interface = 1; cafile = 1; capath = 1; certfile = 1; @@ -238,8 +239,8 @@ let address = mkOption { type = nullOr str; - description = '' - Address to listen on. Listen on <literal>0.0.0.0</literal>/<literal>::</literal> + description = mdDoc '' + Address to listen on. Listen on `0.0.0.0`/`::` when unset. ''; default = null; @@ -247,10 +248,10 @@ let authPlugins = mkOption { type = listOf authPluginOptions; - description = '' + description = mdDoc '' Authentication plugin to attach to this listener. - Refer to the <link xlink:href="https://mosquitto.org/man/mosquitto-conf-5.html"> - mosquitto.conf documentation</link> for details on authentication plugins. + Refer to the [mosquitto.conf documentation](https://mosquitto.org/man/mosquitto-conf-5.html) + for details on authentication plugins. ''; default = []; }; @@ -295,7 +296,7 @@ let }; listenerAsserts = prefix: listener: - assertKeysValid prefix freeformListenerKeys listener.settings + assertKeysValid "${prefix}.settings" freeformListenerKeys listener.settings ++ userAsserts prefix listener.users ++ imap0 (i: v: authAsserts "${prefix}.authPlugins.${toString i}" v) @@ -397,7 +398,7 @@ let }; bridgeAsserts = prefix: bridge: - assertKeysValid prefix freeformBridgeKeys bridge.settings + assertKeysValid "${prefix}.settings" freeformBridgeKeys bridge.settings ++ [ { assertion = length bridge.addresses > 0; message = "Bridge ${prefix} needs remote broker addresses"; @@ -471,10 +472,10 @@ let includeDirs = mkOption { type = listOf path; - description = '' + description = mdDoc '' Directories to be scanned for further config files to include. Directories will processed in the order given, - <literal>*.conf</literal> files in the directory will be + `*.conf` files in the directory will be read in case-sensistive alphabetical order. ''; default = []; @@ -526,7 +527,7 @@ let globalAsserts = prefix: cfg: flatten [ - (assertKeysValid prefix freeformGlobalKeys cfg.settings) + (assertKeysValid "${prefix}.settings" freeformGlobalKeys cfg.settings) (imap0 (n: l: listenerAsserts "${prefix}.listener.${toString n}" l) cfg.listeners) (mapAttrsToList (n: b: bridgeAsserts "${prefix}.bridge.${n}" b) cfg.bridges) ]; @@ -629,9 +630,10 @@ in ])); RemoveIPC = true; RestrictAddressFamilies = [ - "AF_UNIX" # for sd_notify() call + "AF_UNIX" "AF_INET" "AF_INET6" + "AF_NETLINK" ]; RestrictNamespaces = true; RestrictRealtime = true; diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix index de4439415cf..c83cd9d521c 100644 --- a/nixos/modules/services/networking/nebula.nix +++ b/nixos/modules/services/networking/nebula.nix @@ -192,6 +192,7 @@ in Group = networkId; }) ]; + unitConfig.StartLimitIntervalSec = 0; # ensure Restart=always is always honoured (networks can go down for arbitrarily long) }; }) enabledNetworks); diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix index de4b505130e..bc873b2198b 100644 --- a/nixos/modules/services/networking/openconnect.nix +++ b/nixos/modules/services/networking/openconnect.nix @@ -9,6 +9,12 @@ let }; interfaceOptions = { options = { + autoStart = mkOption { + default = true; + description = "Whether this VPN connection should be started automatically."; + type = types.bool; + }; + gateway = mkOption { description = "Gateway server to connect to."; example = "gateway.example.com"; @@ -95,7 +101,7 @@ let description = "OpenConnect Interface - ${name}"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional icfg.autoStart "multi-user.target"; serviceConfig = { Type = "simple"; diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix index c6d4c14dcb7..9b8382392c0 100644 --- a/nixos/modules/services/networking/pleroma.nix +++ b/nixos/modules/services/networking/pleroma.nix @@ -1,7 +1,6 @@ { config, options, lib, pkgs, stdenv, ... }: let cfg = config.services.pleroma; - cookieFile = "/var/lib/pleroma/.cookie"; in { options = { services.pleroma = with lib; { @@ -9,7 +8,7 @@ in { package = mkOption { type = types.package; - default = pkgs.pleroma.override { inherit cookieFile; }; + default = pkgs.pleroma; defaultText = literalExpression "pkgs.pleroma"; description = "Pleroma package to use."; }; @@ -101,6 +100,7 @@ in { after = [ "network-online.target" "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ]; + environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie"; serviceConfig = { User = cfg.user; Group = cfg.group; @@ -118,10 +118,10 @@ in { # Better be safe than sorry migration-wise. ExecStartPre = let preScript = pkgs.writers.writeBashBin "pleromaStartPre" '' - if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ] + if [ ! -f /var/lib/pleroma/.cookie ] then echo "Creating cookie file" - dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}" + dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie fi ${cfg.package}/bin/pleroma_ctl migrate ''; diff --git a/nixos/modules/services/networking/pptpd.nix b/nixos/modules/services/networking/pptpd.nix index 3e7753b9dd3..423e14e998f 100644 --- a/nixos/modules/services/networking/pptpd.nix +++ b/nixos/modules/services/networking/pptpd.nix @@ -108,7 +108,7 @@ with lib; #username pptpd password * EOF - chown root.root "$secrets" + chown root:root "$secrets" chmod 600 "$secrets" ''; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index ae9258b2712..513509eaca3 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -82,7 +82,7 @@ in serviceConfig.Type = "forking"; preStart = '' mkdir -m 0755 -p ${stateDir} - chown ${prayerUser}.${prayerGroup} ${stateDir} + chown ${prayerUser}:${prayerGroup} ${stateDir} ''; script = "${prayer}/sbin/prayer --config-file=${prayerCfg}"; }; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 42596ccfefd..9e8db04e622 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -511,8 +511,13 @@ in dataDir = mkOption { type = types.path; - description = "Directory where Prosody stores its data"; default = "/var/lib/prosody"; + description = '' + The prosody home directory used to store all data. If left as the default value + this directory will automatically be created before the prosody server starts, otherwise + you are responsible for ensuring the directory exists with appropriate ownership + and permissions. + ''; }; disco_items = mkOption { @@ -524,13 +529,29 @@ in user = mkOption { type = types.str; default = "prosody"; - description = "User account under which prosody runs."; + description = '' + User account under which prosody runs. + + <note><para> + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the prosody service starts. + </para></note> + ''; }; group = mkOption { type = types.str; default = "prosody"; - description = "Group account under which prosody runs."; + description = '' + Group account under which prosody runs. + + <note><para> + If left as the default value this group will automatically be created + on system activation, otherwise you are responsible for + ensuring the group exists before the prosody service starts. + </para></note> + ''; }; allowRegistration = mkOption { @@ -820,6 +841,7 @@ in '') cfg.muc} ${ lib.optionalString (cfg.uploadHttp != null) '' + -- TODO: think about migrating this to mod-http_file_share instead. Component ${toLua cfg.uploadHttp.domain} "http_upload" http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit} http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter} @@ -838,9 +860,8 @@ in users.users.prosody = mkIf (cfg.user == "prosody") { uid = config.ids.uids.prosody; description = "Prosody user"; - createHome = true; inherit (cfg) group; - home = "${cfg.dataDir}"; + home = cfg.dataDir; }; users.groups.prosody = mkIf (cfg.group == "prosody") { @@ -853,28 +874,33 @@ in wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ]; - serviceConfig = { - User = cfg.user; - Group = cfg.group; - Type = "forking"; - RuntimeDirectory = [ "prosody" ]; - PIDFile = "/run/prosody/prosody.pid"; - ExecStart = "${cfg.package}/bin/prosodyctl start"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - - MemoryDenyWriteExecute = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - }; + serviceConfig = mkMerge [ + { + User = cfg.user; + Group = cfg.group; + Type = "forking"; + RuntimeDirectory = [ "prosody" ]; + PIDFile = "/run/prosody/prosody.pid"; + ExecStart = "${cfg.package}/bin/prosodyctl start"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + } + (mkIf (cfg.dataDir == "/var/lib/prosody") { + StateDirectory = "prosody"; + }) + ]; }; }; diff --git a/nixos/modules/services/networking/r53-ddns.nix b/nixos/modules/services/networking/r53-ddns.nix new file mode 100644 index 00000000000..a8839762d53 --- /dev/null +++ b/nixos/modules/services/networking/r53-ddns.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.r53-ddns; + pkg = pkgs.r53-ddns; +in +{ + options = { + services.r53-ddns = { + + enable = mkEnableOption "r53-ddyns"; + + interval = mkOption { + type = types.str; + default = "15min"; + description = "How often to update the entry"; + }; + + zoneID = mkOption { + type = types.str; + description = "The ID of your zone in Route53"; + }; + + domain = mkOption { + type = types.str; + description = "The name of your domain in Route53"; + }; + + hostname = mkOption { + type = types.str; + description = '' + Manually specify the hostname. Otherwise the tool will try to use the name + returned by the OS (Call to gethostname) + ''; + }; + + environmentFile = mkOption { + type = types.str; + description = '' + File containing the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY + in the format of an EnvironmentFile as described by systemd.exec(5) + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + + systemd.timers.r53-ddns = { + description = "r53-ddns timer"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = cfg.interval; + OnUnitActiveSec = cfg.interval; + }; + }; + + systemd.services.r53-ddns = { + description = "r53-ddns service"; + serviceConfig = { + ExecStart = "${pkg}/bin/r53-ddns -zone-id ${cfg.zoneID} -domain ${cfg.domain}" + + lib.optionalString (cfg.hostname != null) " -hostname ${cfg.hostname}"; + EnvironmentFile = "${cfg.environmentFile}"; + DynamicUser = true; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index c6c40777ed7..227bafc1d0e 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -164,7 +164,7 @@ in { StateDirectoryMode = "0750"; # Hardening CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ "/dev/stdin" ]; + DeviceAllow = [ "/dev/stdin" "/dev/urandom" ]; DevicePolicy = "strict"; IPAddressAllow = mkIf bindLocalhost "localhost"; IPAddressDeny = mkIf bindLocalhost "any"; diff --git a/nixos/modules/services/networking/routedns.nix b/nixos/modules/services/networking/routedns.nix new file mode 100644 index 00000000000..e0f5eedd2c8 --- /dev/null +++ b/nixos/modules/services/networking/routedns.nix @@ -0,0 +1,84 @@ +{ config +, lib +, pkgs +, ... +}: + +with lib; + +let + cfg = config.services.routedns; + settingsFormat = pkgs.formats.toml { }; +in +{ + options.services.routedns = { + enable = mkEnableOption "RouteDNS - DNS stub resolver, proxy and router"; + + settings = mkOption { + type = settingsFormat.type; + example = literalExpression '' + { + resolvers.cloudflare-dot = { + address = "1.1.1.1:853"; + protocol = "dot"; + }; + groups.cloudflare-cached = { + type = "cache"; + resolvers = ["cloudflare-dot"]; + }; + listeners.local-udp = { + address = "127.0.0.1:53"; + protocol = "udp"; + resolver = "cloudflare-cached"; + }; + listeners.local-tcp = { + address = "127.0.0.1:53"; + protocol = "tcp"; + resolver = "cloudflare-cached"; + }; + } + ''; + description = '' + Configuration for RouteDNS, see <link xlink:href="https://github.com/folbricht/routedns/blob/master/doc/configuration.md"/> + for more information. + ''; + }; + + configFile = mkOption { + default = settingsFormat.generate "routedns.toml" cfg.settings; + defaultText = "A RouteDNS configuration file automatically generated by values from services.routedns.*"; + type = types.path; + example = literalExpression ''"''${pkgs.routedns}/cmd/routedns/example-config/use-case-1.toml"''; + description = "Path to RouteDNS TOML configuration file."; + }; + + package = mkOption { + default = pkgs.routedns; + defaultText = literalExpression "pkgs.routedns"; + type = types.package; + description = "RouteDNS package to use."; + }; + }; + + config = mkIf cfg.enable { + systemd.services.routedns = { + description = "RouteDNS - DNS stub resolver, proxy and router"; + after = [ "network.target" ]; # in case a bootstrap resolver is used, this might fail a few times until the respective server is actually reachable + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + startLimitIntervalSec = 30; + startLimitBurst = 5; + serviceConfig = { + Restart = "on-failure"; + RestartSec = "5s"; + LimitNPROC = 512; + LimitNOFILE = 1048576; + DynamicUser = true; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + NoNewPrivileges = true; + ExecStart = "${getBin cfg.package}/bin/routedns -l 4 ${cfg.configFile}"; + }; + }; + }; + meta.maintainers = with maintainers; [ jsimonetti ]; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 230ab673a97..6b69d559748 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -293,6 +293,7 @@ in kexAlgorithms = mkOption { type = types.listOf types.str; default = [ + "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" @@ -301,7 +302,7 @@ in Allowed key exchange algorithms </para> <para> - Defaults to recommended settings from both + Uses the lower bound recommended in both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> @@ -441,6 +442,7 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' if ! [ -s "${k.path}" ]; then + rm -f "${k.path}" ssh-keygen \ -t "${k.type}" \ ${if k ? bits then "-b ${toString k.bits}" else ""} \ diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index eb24130e519..e111b311d68 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -43,7 +43,7 @@ let path = [ pkgs.coreutils ]; preStart = '' - ${optionalString (suppl.configFile.path!=null) '' + ${optionalString (suppl.configFile.path!=null && suppl.configFile.writable) '' (umask 077 && touch -a "${suppl.configFile.path}") ''} ${optionalString suppl.userControlled.enable '' @@ -226,10 +226,10 @@ in ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceChars [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} ${optionalString (hasAttr "WLAN" cfg) '' - ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service" + ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service" ''} ${optionalString (hasAttr "LAN" cfg) '' - ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="lan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-lan@$result.service" + ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="lan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-lan@$result.service" ''} ''; })]; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 3a3d4c80ecf..0f697c0cc25 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -72,39 +72,39 @@ in { cert = mkOption { type = types.nullOr types.str; default = null; - description = '' - Path to the <literal>cert.pem</literal> file, which will be copied into Syncthing's - <link linkend="opt-services.syncthing.configDir">configDir</link>. + description = mdDoc '' + Path to the `cert.pem` file, which will be copied into Syncthing's + [configDir](#opt-services.syncthing.configDir). ''; }; key = mkOption { type = types.nullOr types.str; default = null; - description = '' - Path to the <literal>key.pem</literal> file, which will be copied into Syncthing's - <link linkend="opt-services.syncthing.configDir">configDir</link>. + description = mdDoc '' + Path to the `key.pem` file, which will be copied into Syncthing's + [configDir](#opt-services.syncthing.configDir). ''; }; overrideDevices = mkOption { type = types.bool; default = true; - description = '' + description = mdDoc '' Whether to delete the devices which are not configured via the - <link linkend="opt-services.syncthing.devices">devices</link> option. - If set to <literal>false</literal>, devices added via the web + [devices](#opt-services.syncthing.devices) option. + If set to `false`, devices added via the web interface will persist and will have to be deleted manually. ''; }; devices = mkOption { default = {}; - description = '' + description = mdDoc '' Peers/devices which Syncthing should communicate with. Note that you can still add devices manually, but those changes - will be reverted on restart if <link linkend="opt-services.syncthing.overrideDevices">overrideDevices</link> + will be reverted on restart if [overrideDevices](#opt-services.syncthing.overrideDevices) is enabled. ''; example = { @@ -135,27 +135,27 @@ in { id = mkOption { type = types.str; - description = '' - The device ID. See <link xlink:href="https://docs.syncthing.net/dev/device-ids.html"/>. + description = mdDoc '' + The device ID. See <https://docs.syncthing.net/dev/device-ids.html>. ''; }; introducer = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Whether the device should act as an introducer and be allowed to add folders on this computer. - See <link xlink:href="https://docs.syncthing.net/users/introducer.html"/>. + See <https://docs.syncthing.net/users/introducer.html>. ''; }; autoAcceptFolders = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Automatically create or share folders that this device advertises at the default path. - See <link xlink:href="https://docs.syncthing.net/users/config.html?highlight=autoaccept#config-file-format"/>. + See <https://docs.syncthing.net/users/config.html?highlight=autoaccept#config-file-format>. ''; }; @@ -166,21 +166,21 @@ in { overrideFolders = mkOption { type = types.bool; default = true; - description = '' + description = mdDoc '' Whether to delete the folders which are not configured via the - <link linkend="opt-services.syncthing.folders">folders</link> option. - If set to <literal>false</literal>, folders added via the web + [folders](#opt-services.syncthing.folders) option. + If set to `false`, folders added via the web interface will persist and will have to be deleted manually. ''; }; folders = mkOption { default = {}; - description = '' + description = mdDoc '' Folders which should be shared by Syncthing. - Note that you can still add devices manually, but those changes - will be reverted on restart if <link linkend="opt-services.syncthing.overrideDevices">overrideDevices</link> + Note that you can still add folders manually, but those changes + will be reverted on restart if [overrideFolders](#opt-services.syncthing.overrideFolders) is enabled. ''; example = literalExpression '' @@ -231,18 +231,18 @@ in { devices = mkOption { type = types.listOf types.str; default = []; - description = '' + description = mdDoc '' The devices this folder should be shared with. Each device must - be defined in the <link linkend="opt-services.syncthing.devices">devices</link> option. + be defined in the [devices](#opt-services.syncthing.devices) option. ''; }; versioning = mkOption { default = null; - description = '' + description = mdDoc '' How to keep changed/deleted files with Syncthing. There are 4 different types of versioning with different parameters. - See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + See <https://docs.syncthing.net/users/versioning.html>. ''; example = literalExpression '' [ @@ -284,17 +284,17 @@ in { options = { type = mkOption { type = enum [ "external" "simple" "staggered" "trashcan" ]; - description = '' + description = mdDoc '' The type of versioning. - See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + See <https://docs.syncthing.net/users/versioning.html>. ''; }; params = mkOption { type = attrsOf (either str path); - description = '' + description = mdDoc '' The parameters for versioning. Structure depends on - <link linkend="opt-services.syncthing.folders._name_.versioning.type">versioning.type</link>. - See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + [versioning.type](#opt-services.syncthing.folders._name_.versioning.type). + See <https://docs.syncthing.net/users/versioning.html>. ''; }; }; @@ -345,9 +345,9 @@ in { ignoreDelete = mkOption { type = types.bool; default = false; - description = '' + description = mdDoc '' Whether to skip deleting files that are deleted by peers. - See <link xlink:href="https://docs.syncthing.net/advanced/folder-ignoredelete.html"/>. + See <https://docs.syncthing.net/advanced/folder-ignoredelete.html>. ''; }; }; @@ -357,9 +357,9 @@ in { extraOptions = mkOption { type = types.addCheck (pkgs.formats.json {}).type isAttrs; default = {}; - description = '' + description = mdDoc '' Extra configuration options for Syncthing. - See <link xlink:href="https://docs.syncthing.net/users/config.html"/>. + See <https://docs.syncthing.net/users/config.html>. ''; example = { options.localAnnounceEnabled = false; @@ -387,9 +387,9 @@ in { type = types.str; default = defaultUser; example = "yourUser"; - description = '' + description = mdDoc '' The user to run Syncthing as. - By default, a user named <literal>${defaultUser}</literal> will be created. + By default, a user named `${defaultUser}` will be created. ''; }; @@ -397,9 +397,9 @@ in { type = types.str; default = defaultGroup; example = "yourGroup"; - description = '' + description = mdDoc '' The group to run Syncthing under. - By default, a group named <literal>${defaultGroup}</literal> will be created. + By default, a group named `${defaultGroup}` will be created. ''; }; @@ -407,11 +407,11 @@ in { type = with types; nullOr str; default = null; example = "socks5://address.com:1234"; - description = '' + description = mdDoc '' Overwrites the all_proxy environment variable for the Syncthing process to the given value. This is normally used to let Syncthing connect through a SOCKS5 proxy server. - See <link xlink:href="https://docs.syncthing.net/users/proxying.html"/>. + See <https://docs.syncthing.net/users/proxying.html>. ''; }; @@ -432,25 +432,13 @@ in { The path where the settings and keys will exist. ''; default = cfg.dataDir + optionalString cond "/.config/syncthing"; - defaultText = literalDocBook '' - <variablelist> - <varlistentry> - <term><literal>stateVersion >= 19.03</literal></term> - <listitem> - <programlisting> - config.${opt.dataDir} + "/.config/syncthing" - </programlisting> - </listitem> - </varlistentry> - <varlistentry> - <term>otherwise</term> - <listitem> - <programlisting> - config.${opt.dataDir} - </programlisting> - </listitem> - </varlistentry> - </variablelist> + defaultText = literalMD '' + * if `stateVersion >= 19.03`: + + config.${opt.dataDir} + "/.config/syncthing" + * otherwise: + + config.${opt.dataDir} ''; }; diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 1f64113950a..f84252289ab 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -2,9 +2,14 @@ with lib; -let cfg = config.services.tailscale; +let + cfg = config.services.tailscale; + firewallOn = config.networking.firewall.enable; + rpfMode = config.networking.firewall.checkReversePath; + isNetworkd = config.networking.useNetworkd; + rpfIsStrict = rpfMode == true || rpfMode == "strict"; in { - meta.maintainers = with maintainers; [ danderson mbaillie ]; + meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ]; options.services.tailscale = { enable = mkEnableOption "Tailscale client daemon"; @@ -36,17 +41,46 @@ in { }; config = mkIf cfg.enable { + warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'"; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { wantedBy = [ "multi-user.target" ]; - path = [ pkgs.openresolv pkgs.procps ]; + path = [ + pkgs.openresolv # for configuring DNS in some configs + pkgs.procps # for collecting running services (opt-in feature) + pkgs.glibc # for `getent` to look up user shells + ]; serviceConfig.Environment = [ "PORT=${toString cfg.port}" ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"'' ] ++ (lib.optionals (cfg.permitCertUid != null) [ "TS_PERMIT_CERT_UID=${cfg.permitCertUid}" ]); + # Restart tailscaled with a single `systemctl restart` at the + # end of activation, rather than a `stop` followed by a later + # `start`. Activation over Tailscale can hang for tens of + # seconds in the stop+start setup, if the activation script has + # a significant delay between the stop and start phases + # (e.g. script blocked on another unit with a slow shutdown). + # + # Tailscale is aware of the correctness tradeoff involved, and + # already makes its upstream systemd unit robust against unit + # version mismatches on restart for compatibility with other + # linux distros. + stopIfChanged = false; + }; + + networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ]; + + systemd.network.networks."50-tailscale" = mkIf isNetworkd { + matchConfig = { + Name = cfg.interfaceName; + }; + linkConfig = { + Unmanaged = true; + ActivationPolicy = "manual"; + }; }; }; } diff --git a/nixos/modules/services/networking/trickster.nix b/nixos/modules/services/networking/trickster.nix index e48bba8fa58..ac260a14d9a 100644 --- a/nixos/modules/services/networking/trickster.nix +++ b/nixos/modules/services/networking/trickster.nix @@ -6,6 +6,9 @@ let cfg = config.services.trickster; in { + imports = [ + (mkRenamedOptionModule [ "services" "trickster" "origin" ] [ "services" "trickster" "origin-url" ]) + ]; options = { services.trickster = { @@ -58,11 +61,19 @@ in ''; }; - origin = mkOption { + origin-type = mkOption { + type = types.enum [ "prometheus" "influxdb" ]; + default = "prometheus"; + description = '' + Type of origin (prometheus, influxdb) + ''; + }; + + origin-url = mkOption { type = types.str; default = "http://prometheus:9090"; description = '' - URL to the Prometheus Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090). + URL to the Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090). ''; }; @@ -87,7 +98,7 @@ in config = mkIf cfg.enable { systemd.services.trickster = { - description = "Dashboard Accelerator for Prometheus"; + description = "Reverse proxy cache and time series dashboard accelerator"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -96,7 +107,8 @@ in ${cfg.package}/bin/trickster \ -log-level ${cfg.log-level} \ -metrics-port ${toString cfg.metrics-port} \ - -origin ${cfg.origin} \ + -origin-type ${cfg.origin-type} \ + -origin-url ${cfg.origin-url} \ -proxy-port ${toString cfg.proxy-port} \ ${optionalString (cfg.configFile != null) "-config ${cfg.configFile}"} \ ${optionalString (cfg.profiler-port != null) "-profiler-port ${cfg.profiler-port}"} \ diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index a683c537f05..e88daae1fbb 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -51,7 +51,7 @@ in services.unifi.openFirewall = mkOption { type = types.bool; - default = true; + default = false; description = '' Whether or not to open the minimum required ports on the firewall. @@ -85,10 +85,6 @@ in config = mkIf cfg.enable { - warnings = optional - (options.services.unifi.openFirewall.highestPrio >= (mkOptionDefault null).priority) - "The current services.unifi.openFirewall = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning."; - users.users.unifi = { isSystemUser = true; group = "unifi"; diff --git a/nixos/modules/services/networking/uptermd.nix b/nixos/modules/services/networking/uptermd.nix new file mode 100644 index 00000000000..b845a00649e --- /dev/null +++ b/nixos/modules/services/networking/uptermd.nix @@ -0,0 +1,109 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.uptermd; +in +{ + options = { + services.uptermd = { + enable = mkEnableOption "uptermd"; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the port in <option>services.uptermd.port</option>. + ''; + }; + + port = mkOption { + type = types.port; + default = 2222; + description = '' + Port the server will listen on. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "[::]"; + example = "127.0.0.1"; + description = '' + Address the server will listen on. + ''; + }; + + hostKey = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/upterm_host_ed25519_key"; + description = '' + Path to SSH host key. If not defined, an ed25519 keypair is generated automatically. + ''; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--debug" ]; + description = '' + Extra flags passed to the uptermd command. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + + systemd.services.uptermd = { + description = "Upterm Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + path = [ pkgs.openssh ]; + + preStart = mkIf (cfg.hostKey == null) '' + if ! [ -f ssh_host_ed25519_key ]; then + ssh-keygen \ + -t ed25519 \ + -f ssh_host_ed25519_key \ + -N "" + fi + ''; + + serviceConfig = { + StateDirectory = "uptermd"; + WorkingDirectory = "/var/lib/uptermd"; + ExecStart = "${pkgs.upterm}/bin/uptermd --ssh-addr ${cfg.listenAddress}:${toString cfg.port} --private-key ${if cfg.hostKey == null then "ssh_host_ed25519_key" else cfg.hostKey} ${concatStringsSep " " cfg.extraFlags}"; + + # Hardening + AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + PrivateUsers = cfg.port >= 1024; + DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + # AF_UNIX is for ssh-keygen, which relies on nscd to resolve the uid to a user + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index 61e9fe5096b..236d3f452e7 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -10,6 +10,18 @@ let interfaceOpts = { ... }: { options = { + + configFile = mkOption { + example = "/secret/wg0.conf"; + default = null; + type = with types; nullOr str; + description = '' + wg-quick .conf file, describing the interface. + This overrides any other configuration interface configuration options. + See wg-quick manpage for more details. + ''; + }; + address = mkOption { example = [ "192.168.2.1/24" ]; default = []; @@ -205,13 +217,13 @@ let writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}"); generateUnit = name: values: - assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set"; + assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set"; let preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null; postUp = optional (values.privateKeyFile != null) "wg set ${name} private-key <(cat ${values.privateKeyFile})" ++ (concatMap (peer: optional (peer.presharedKeyFile != null) "wg set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++ - optional (values.postUp != null) values.postUp; + optional (values.postUp != "") values.postUp; postUpFile = if postUp != [] then writeScriptFile "postUp.sh" (concatMapStringsSep "\n" (line: line) postUp) else null; preDownFile = if values.preDown != "" then writeScriptFile "preDown.sh" values.preDown else null; postDownFile = if values.postDown != "" then writeScriptFile "postDown.sh" values.postDown else null; @@ -247,7 +259,12 @@ let optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n" ) values.peers; }; - configPath = "${configDir}/${name}.conf"; + configPath = + if values.configFile != null then + # This uses bind-mounted private tmp folder (/tmp/systemd-private-***) + "/tmp/${name}.conf" + else + "${configDir}/${name}.conf"; in nameValuePair "wg-quick-${name}" { @@ -265,9 +282,17 @@ let script = '' ${optionalString (!config.boot.isContainer) "modprobe wireguard"} + ${optionalString (values.configFile != null) '' + cp ${values.configFile} ${configPath} + ''} wg-quick up ${configPath} ''; + serviceConfig = { + # Used to privately store renamed copies of external config files during activation + PrivateTmp = true; + }; + preStop = '' wg-quick down ${configPath} ''; diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 7cd44b2f8a0..a3c3c245f1d 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -301,8 +301,9 @@ let { description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}"; requires = [ "wireguard-${interfaceName}.service" ]; - after = [ "wireguard-${interfaceName}.service" ]; - wantedBy = [ "multi-user.target" "wireguard-${interfaceName}.service" ]; + wants = [ "network-online.target" ]; + after = [ "wireguard-${interfaceName}.service" "network-online.target" ]; + wantedBy = [ "wireguard-${interfaceName}.service" ]; environment.DEVICE = interfaceName; environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"; path = with pkgs; [ iproute2 wireguard-tools ]; @@ -379,8 +380,9 @@ let nameValuePair "wireguard-${name}" { description = "WireGuard Tunnel - ${name}"; - requires = [ "network-online.target" ]; - after = [ "network.target" "network-online.target" ]; + after = [ "network-pre.target" ]; + wants = [ "network.target" ]; + before = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment.DEVICE = name; path = with pkgs; [ kmod iproute2 wireguard-tools ]; diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index c2e1d37e28b..5a7975ae178 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -114,7 +114,7 @@ let script = '' - ${optionalString configIsGenerated '' + ${optionalString (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) '' if [ -f /etc/wpa_supplicant.conf ]; then echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." fi diff --git a/nixos/modules/services/networking/xl2tpd.nix b/nixos/modules/services/networking/xl2tpd.nix index 7dbe51422d9..9418488c1e9 100644 --- a/nixos/modules/services/networking/xl2tpd.nix +++ b/nixos/modules/services/networking/xl2tpd.nix @@ -116,18 +116,18 @@ with lib; #username xl2tpd password * EOF - chown root.root ppp/chap-secrets + chown root:root ppp/chap-secrets chmod 600 ppp/chap-secrets # The documentation says this file should be present but doesn't explain why and things work even if not there: [ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets - chown root.root l2tp-secrets + chown root:root l2tp-secrets chmod 600 l2tp-secrets popd > /dev/null mkdir -p /run/xl2tpd - chown root.root /run/xl2tpd + chown root:root /run/xl2tpd chmod 700 /run/xl2tpd ''; diff --git a/nixos/modules/services/networking/zeronet.nix b/nixos/modules/services/networking/zeronet.nix index dd83b7facc1..8be6692561d 100644 --- a/nixos/modules/services/networking/zeronet.nix +++ b/nixos/modules/services/networking/zeronet.nix @@ -19,6 +19,13 @@ in with lib; { options.services.zeronet = { enable = mkEnableOption "zeronet"; + package = mkOption { + type = types.package; + default = pkgs.zeronet; + defaultText = literalExpression "pkgs.zeronet"; + description = "ZeroNet package to use"; + }; + settings = mkOption { type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); default = {}; @@ -72,7 +79,7 @@ in with lib; { systemd.services.zeronet = { description = "zeronet"; - after = [ "network.target" (optionalString cfg.tor "tor.service") ]; + after = [ "network.target" ] ++ optional cfg.tor "tor.service"; wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -80,7 +87,7 @@ in with lib; { DynamicUser = true; StateDirectory = "zeronet"; SupplementaryGroups = mkIf cfg.tor [ "tor" ]; - ExecStart = "${pkgs.zeronet}/bin/zeronet --config_file ${configFile}"; + ExecStart = "${cfg.package}/bin/zeronet --config_file ${configFile}"; }; }; }; diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix new file mode 100644 index 00000000000..4fb8adaf33f --- /dev/null +++ b/nixos/modules/services/security/infnoise.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.infnoise; +in { + options = { + services.infnoise = { + enable = mkEnableOption "the Infinite Noise TRNG driver"; + + fillDevRandom = mkOption { + description = '' + Whether to run the infnoise driver as a daemon to refill /dev/random. + + If disabled, you can use the `infnoise` command-line tool to + manually obtain randomness. + ''; + type = types.bool; + default = true; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.infnoise ]; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service" + ''; + + systemd.services.infnoise = mkIf cfg.fillDevRandom { + description = "Infinite Noise TRNG driver"; + + bindsTo = [ "dev-infnoise.device" ]; + after = [ "dev-infnoise.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug"; + Restart = "always"; + User = "infnoise"; + DynamicUser = true; + SupplementaryGroups = [ "dialout" ]; + DeviceAllow = [ "/dev/infnoise" ]; + DevicePolicy = "closed"; + PrivateNetwork = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; # only reads entropy pool size and watermark + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + }; + }; + }; +} diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix new file mode 100644 index 00000000000..a7c51b9a877 --- /dev/null +++ b/nixos/modules/services/security/kanidm.nix @@ -0,0 +1,345 @@ +{ config, lib, options, pkgs, ... }: +let + cfg = config.services.kanidm; + settingsFormat = pkgs.formats.toml { }; + # Remove null values, so we can document optional values that don't end up in the generated TOML file. + filterConfig = lib.converge (lib.filterAttrsRecursive (_: v: v != null)); + serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings); + clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings); + unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings); + + defaultServiceConfig = { + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + ]; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + # Implies ProtectSystem=strict, which re-mounts all paths + # DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + # Would re-mount paths ignored by temporary root + #ProtectSystem = "strict"; + ProtectControlGroups = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; + # Does not work well with the temporary root + #UMask = "0066"; + }; + +in +{ + options.services.kanidm = { + enableClient = lib.mkEnableOption "the Kanidm client"; + enableServer = lib.mkEnableOption "the Kanidm server"; + enablePam = lib.mkEnableOption "the Kanidm PAM and NSS integration."; + + serverSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options = { + bindaddress = lib.mkOption { + description = "Address/port combination the webserver binds to."; + example = "[::1]:8443"; + type = lib.types.str; + }; + # Should be optional but toml does not accept null + ldapbindaddress = lib.mkOption { + description = '' + Address and port the LDAP server is bound to. Setting this to <literal>null</literal> disables the LDAP interface. + ''; + example = "[::1]:636"; + default = null; + type = lib.types.nullOr lib.types.str; + }; + origin = lib.mkOption { + description = "The origin of your Kanidm instance. Must have https as protocol."; + example = "https://idm.example.org"; + type = lib.types.strMatching "^https://.*"; + }; + domain = lib.mkOption { + description = '' + The <literal>domain</literal> that Kanidm manages. Must be below or equal to the domain + specified in <literal>serverSettings.origin</literal>. + This can be left at <literal>null</literal>, only if your instance has the role <literal>ReadOnlyReplica</literal>. + While it is possible to change the domain later on, it requires extra steps! + Please consider the warnings and execute the steps described + <link xlink:href="https://kanidm.github.io/kanidm/stable/administrivia.html#rename-the-domain">in the documentation</link>. + ''; + example = "example.org"; + default = null; + type = lib.types.nullOr lib.types.str; + }; + db_path = lib.mkOption { + description = "Path to Kanidm database."; + default = "/var/lib/kanidm/kanidm.db"; + readOnly = true; + type = lib.types.path; + }; + log_level = lib.mkOption { + description = "Log level of the server."; + default = "default"; + type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ]; + }; + role = lib.mkOption { + description = "The role of this server. This affects the replication relationship and thereby available features."; + default = "WriteReplica"; + type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ]; + }; + }; + }; + default = { }; + description = '' + Settings for Kanidm, see + <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/server_configuration.md">the documentation</link> + and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/server.toml">example configuration</link> + for possible values. + ''; + }; + + clientSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.uri = lib.mkOption { + description = "Address of the Kanidm server."; + example = "http://127.0.0.1:8080"; + type = lib.types.str; + }; + }; + description = '' + Configure Kanidm clients, needed for the PAM daemon. See + <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/client_tools.md#kanidm-configuration">the documentation</link> + and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/config">example configuration</link> + for possible values. + ''; + }; + + unixSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.pam_allowed_login_groups = lib.mkOption { + description = "Kanidm groups that are allowed to login using PAM."; + example = "my_pam_group"; + type = lib.types.listOf lib.types.str; + }; + }; + description = '' + Configure Kanidm unix daemon. + See <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md#the-unix-daemon">the documentation</link> + and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/unixd">example configuration</link> + for possible values. + ''; + }; + }; + + config = lib.mkIf (cfg.enableClient || cfg.enableServer || cfg.enablePam) { + assertions = + [ + { + assertion = !cfg.enableServer || ((cfg.serverSettings.tls_chain or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_chain); + message = '' + <option>services.kanidm.serverSettings.tls_chain</option> points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + { + assertion = !cfg.enableServer || ((cfg.serverSettings.tls_key or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_key); + message = '' + <option>services.kanidm.serverSettings.tls_key</option> points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + { + assertion = !cfg.enableClient || options.services.kanidm.clientSettings.isDefined; + message = '' + <option>services.kanidm.clientSettings</option> needs to be configured + if the client is enabled. + ''; + } + { + assertion = !cfg.enablePam || options.services.kanidm.clientSettings.isDefined; + message = '' + <option>services.kanidm.clientSettings</option> needs to be configured + for the PAM daemon to connect to the Kanidm server. + ''; + } + { + assertion = !cfg.enableServer || (cfg.serverSettings.domain == null + -> cfg.serverSettings.role == "WriteReplica" || cfg.serverSettings.role == "WriteReplicaNoUI"); + message = '' + <option>services.kanidm.serverSettings.domain</option> can only be set if this instance + is not a ReadOnlyReplica. Otherwise the db would inherit it from + the instance it follows. + ''; + } + ]; + + environment.systemPackages = lib.mkIf cfg.enableClient [ pkgs.kanidm ]; + + systemd.services.kanidm = lib.mkIf cfg.enableServer { + description = "kanidm identity management daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = defaultServiceConfig // { + StateDirectory = "kanidm"; + StateDirectoryMode = "0700"; + ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}"; + User = "kanidm"; + Group = "kanidm"; + + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + # This would otherwise override the CAP_NET_BIND_SERVICE capability. + PrivateUsers = false; + # Port needs to be exposed to the host network + PrivateNetwork = false; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + systemd.services.kanidm-unixd = lib.mkIf cfg.enablePam { + description = "Kanidm PAM daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartTriggers = [ unixConfigFile clientConfigFile ]; + serviceConfig = defaultServiceConfig // { + CacheDirectory = "kanidm-unixd"; + CacheDirectoryMode = "0700"; + RuntimeDirectory = "kanidm-unixd"; + ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd"; + User = "kanidm-unixd"; + Group = "kanidm-unixd"; + + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + "-/etc/kanidm" + "-/etc/static/kanidm" + ]; + BindPaths = [ + # To create the socket + "/run/kanidm-unixd:/var/run/kanidm-unixd" + ]; + # Needs to connect to kanidmd + PrivateNetwork = false; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + systemd.services.kanidm-unixd-tasks = lib.mkIf cfg.enablePam { + description = "Kanidm PAM home management daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "kanidm-unixd.service" ]; + partOf = [ "kanidm-unixd.service" ]; + restartTriggers = [ unixConfigFile clientConfigFile ]; + serviceConfig = { + ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd_tasks"; + + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + "-/etc/kanidm" + "-/etc/static/kanidm" + ]; + BindPaths = [ + # To manage home directories + "/home" + # To connect to kanidm-unixd + "/run/kanidm-unixd:/var/run/kanidm-unixd" + ]; + # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket + CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH" ]; + IPAddressDeny = "any"; + # Need access to users + PrivateUsers = false; + # Need access to home directories + ProtectHome = false; + RestrictAddressFamilies = [ "AF_UNIX" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + # These paths are hardcoded + environment.etc = lib.mkMerge [ + (lib.mkIf options.services.kanidm.clientSettings.isDefined { + "kanidm/config".source = clientConfigFile; + }) + (lib.mkIf cfg.enablePam { + "kanidm/unixd".source = unixConfigFile; + }) + ]; + + system.nssModules = lib.mkIf cfg.enablePam [ pkgs.kanidm ]; + + system.nssDatabases.group = lib.optional cfg.enablePam "kanidm"; + system.nssDatabases.passwd = lib.optional cfg.enablePam "kanidm"; + + users.groups = lib.mkMerge [ + (lib.mkIf cfg.enableServer { + kanidm = { }; + }) + (lib.mkIf cfg.enablePam { + kanidm-unixd = { }; + }) + ]; + users.users = lib.mkMerge [ + (lib.mkIf cfg.enableServer { + kanidm = { + description = "Kanidm server"; + isSystemUser = true; + group = "kanidm"; + packages = with pkgs; [ kanidm ]; + }; + }) + (lib.mkIf cfg.enablePam { + kanidm-unixd = { + description = "Kanidm PAM daemon"; + isSystemUser = true; + group = "kanidm-unixd"; + }; + }) + ]; + }; + + meta.maintainers = with lib.maintainers; [ erictapen Flakebi ]; + meta.buildDocsInSandbox = false; +} diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 53bd9efa5ac..3be0a8c700b 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -17,7 +17,7 @@ let else "sshg-fw-ipset"; in pkgs.writeText "sshguard.conf" '' BACKEND="${pkgs.sshguard}/libexec/${backend}" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + LOGREADER="LANG=C ${config.systemd.package}/bin/journalctl ${args}" ''; in { diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index 8277f493639..756e0ee93b2 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -62,20 +62,52 @@ in { default = {}; example = literalExpression '' { - domain = "https://bw.domain.tld:8443"; - signupsAllowed = true; - rocketPort = 8222; - rocketLog = "critical"; + DOMAIN = "https://bitwarden.example.com"; + SIGNUPS_ALLOWED = false; + + # Vaultwarden currently recommends running behind a reverse proxy + # (nginx or similar) for TLS termination, see + # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying + # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support, + # > especially if your instance is publicly accessible. + # + # A suitable NixOS nginx reverse proxy example config might be: + # + # services.nginx.virtualHosts."bitwarden.example.com" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}"; + # }; + # }; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + + ROCKET_LOG = "critical"; + + # This example assumes a mailserver running on localhost, + # thus without transport encryption. + # If you use an external mail server, follow: + # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration + SMTP_HOST = "127.0.0.1"; + SMTP_PORT = 25; + SMTP_SSL = false; + + SMTP_FROM = "admin@bitwarden.example.com"; + SMTP_FROM_NAME = "example.com Bitwarden server"; } ''; description = '' The configuration of vaultwarden is done through environment variables, - therefore the names are converted from camel case (e.g. disable2FARemember) - to upper case snake case (e.g. DISABLE_2FA_REMEMBER). + therefore it is recommended to use upper snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>). + + However, camel case (e.g. <literal>disable2FARemember</literal>) is also supported: + The NixOS module will convert it automatically to + upper case snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>). In this conversion digits (0-9) are handled just like upper case characters, - so foo2 would be converted to FOO_2. - Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, - even though foo2 would have been converted to FOO_2. + so <literal>foo2</literal> would be converted to <envar>FOO_2</envar>. + Names already in this format remain unchanged, so <literal>FOO2</literal> remains <literal>FOO2</literal> if passed as such, + even though <literal>foo2</literal> would have been converted to <envar>FOO_2</envar>. This allows working around any potential future conflicting naming conventions. Based on the attributes passed to this config option an environment file will be generated @@ -83,13 +115,16 @@ in { The available configuration options can be found in <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. + + See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how + to set up access to the Admin UI to invite initial users. ''; }; environmentFile = mkOption { type = with types; nullOr path; default = null; - example = "/root/vaultwarden.env"; + example = "/var/lib/vaultwarden.env"; description = '' Additional environment file as defined in <citerefentry> <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> @@ -100,6 +135,23 @@ in { Note that this file needs to be available on the host on which <literal>vaultwarden</literal> is running. + + As a concrete example, to make the Admin UI available + (from which new users can be invited initially), + the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described + <link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>. + Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal> + and ensuring permissions with e.g. + <literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal> + (the <literal>vaultwarden</literal> user will only exist after activating with + <literal>enable = true;</literal> before this), we can set the contents of the file to have + contents such as: + +<programlisting> +# Admin secret token, see +# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page +ADMIN_TOKEN=...copy-paste a unique generated secret token here... +</programlisting> ''; }; diff --git a/nixos/modules/services/system/cachix-agent/default.nix b/nixos/modules/services/system/cachix-agent/default.nix index 496e0b90355..3d2e9bc374b 100644 --- a/nixos/modules/services/system/cachix-agent/default.nix +++ b/nixos/modules/services/system/cachix-agent/default.nix @@ -17,6 +17,12 @@ in { defaultText = "config.networking.hostName"; }; + verbose = mkOption { + type = types.bool; + description = "Enable verbose output"; + default = false; + }; + profile = mkOption { type = types.nullOr types.str; default = null; @@ -45,12 +51,16 @@ in { after = ["network-online.target"]; path = [ config.nix.package ]; wantedBy = [ "multi-user.target" ]; + # don't restart while changing - reloadIfChanged = true; + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + environment.USER = "root"; serviceConfig = { Restart = "on-failure"; EnvironmentFile = cfg.credentialsFile; - ExecStart = "${cfg.package}/bin/cachix deploy agent ${cfg.name} ${if cfg.profile != null then profile else ""}"; + ExecStart = "${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} deploy agent ${cfg.name} ${if cfg.profile != null then profile else ""}"; }; }; }; diff --git a/nixos/modules/services/system/localtime.nix b/nixos/modules/services/system/localtime.nix index 8f23454af9d..689453375f5 100644 --- a/nixos/modules/services/system/localtime.nix +++ b/nixos/modules/services/system/localtime.nix @@ -3,30 +3,28 @@ with lib; let - cfg = config.services.localtime; + cfg = config.services.localtimed; in { + imports = [ (lib.mkRenamedOptionModule [ "services" "localtime" ] [ "services" "localtimed" ]) ]; + options = { - services.localtime = { + services.localtimed = { enable = mkOption { type = types.bool; default = false; description = '' - Enable <literal>localtime</literal>, simple daemon for keeping the system - timezone up-to-date based on the current location. It uses geoclue2 to - determine the current location and systemd-timedated to actually set - the timezone. + Enable <literal>localtimed</literal>, a simple daemon for keeping the + system timezone up-to-date based on the current location. It uses + geoclue2 to determine the current location. ''; }; }; }; config = mkIf cfg.enable { - services.geoclue2 = { - enable = true; - appConfig.localtime = { - isAllowed = true; - isSystem = true; - }; + services.geoclue2.appConfig.localtimed = { + isAllowed = true; + isSystem = true; }; # Install the polkit rules. @@ -34,16 +32,6 @@ in { # Install the systemd unit. systemd.packages = [ pkgs.localtime ]; - users.users.localtimed = { - description = "localtime daemon"; - isSystemUser = true; - group = "localtimed"; - }; - users.groups.localtimed = {}; - - systemd.services.localtime = { - wantedBy = [ "multi-user.target" ]; - serviceConfig.Restart = "on-failure"; - }; + systemd.services.localtime.wantedBy = [ "multi-user.target" ]; }; } diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 0caebc8ce90..002c4092780 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -38,7 +38,7 @@ in default = if pkgs.stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin; - defaultText = literalExample '' + defaultText = lib.literalExpression '' if pkgs.stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin; diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix index a32b81a916f..b818f5c463a 100644 --- a/nixos/modules/services/wayland/cage.nix +++ b/nixos/modules/services/wayland/cage.nix @@ -88,7 +88,7 @@ in { account required pam_unix.so session required pam_unix.so session required pam_env.so conffile=/etc/pam/environment readenv=0 - session required ${pkgs.systemd}/lib/security/pam_systemd.so + session required ${config.systemd.package}/lib/security/pam_systemd.so ''; hardware.opengl.enable = mkDefault true; diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index 2d809c17ff0..28491fb3a4e 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -189,6 +189,8 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; + Restart = "on-failure"; + RestartSec = "10"; ExecStart = "${pkg}/bin/start-confluence.sh -fg"; ExecStop = "${pkg}/bin/stop-confluence.sh"; }; diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index a8b2482d5a9..79306541b85 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -157,6 +157,8 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; + Restart = "on-failure"; + RestartSec = "10"; ExecStart = "${pkg}/start_crowd.sh -fg"; }; }; diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index a120f6cdb3d..bc0bf43522e 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -197,6 +197,8 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; + Restart = "on-failure"; + RestartSec = "10"; ExecStart = "${pkg}/bin/start-jira.sh -fg"; ExecStop = "${pkg}/bin/stop-jira.sh"; }; diff --git a/nixos/modules/services/web-apps/dokuwiki.nix b/nixos/modules/services/web-apps/dokuwiki.nix index 1f8ca742db9..d8fc978774e 100644 --- a/nixos/modules/services/web-apps/dokuwiki.nix +++ b/nixos/modules/services/web-apps/dokuwiki.nix @@ -293,9 +293,7 @@ in inherit user; group = webserver.group; - # Not yet compatible with php 8 https://www.dokuwiki.org/requirements - # https://github.com/splitbrain/dokuwiki/issues/3545 - phpPackage = pkgs.php74; + phpPackage = pkgs.php81; phpEnv = { DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig hostName cfg}"; DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig hostName cfg}"; diff --git a/nixos/modules/services/web-apps/galene.nix b/nixos/modules/services/web-apps/galene.nix index 1d0a620585b..38c3392014f 100644 --- a/nixos/modules/services/web-apps/galene.nix +++ b/nixos/modules/services/web-apps/galene.nix @@ -164,6 +164,35 @@ in optional (cfg.dataDir == defaultdataDir) "galene/data" ++ optional (cfg.groupsDir == defaultgroupsDir) "galene/groups" ++ optional (cfg.recordingsDir == defaultrecordingsDir) "galene/recordings"; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = cfg.recordingsDir; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; } ]; }; diff --git a/nixos/modules/services/web-apps/grocy.nix b/nixos/modules/services/web-apps/grocy.nix index be2de638dd9..a77fddf1f2f 100644 --- a/nixos/modules/services/web-apps/grocy.nix +++ b/nixos/modules/services/web-apps/grocy.nix @@ -115,9 +115,9 @@ in { user = "grocy"; group = "nginx"; - # PHP 7.4 is the only version which is supported/tested by upstream: - # https://github.com/grocy/grocy/blob/v3.0.0/README.md#how-to-install - phpPackage = pkgs.php74; + # PHP 8.0 is the only version which is supported/tested by upstream: + # https://github.com/grocy/grocy/blob/v3.3.0/README.md#how-to-install + phpPackage = pkgs.php80; inherit (cfg.phpfpm) settings; diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix new file mode 100644 index 00000000000..be025e7dd55 --- /dev/null +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -0,0 +1,249 @@ +{ config, lib, pkgs, buildEnv, ... }: + +with lib; + +let + defaultUser = "healthchecks"; + cfg = config.services.healthchecks; + pkg = cfg.package; + boolToPython = b: if b then "True" else "False"; + environment = { + PYTHONPATH = pkg.pythonPath; + STATIC_ROOT = cfg.dataDir + "/static"; + DB_NAME = "${cfg.dataDir}/healthchecks.sqlite"; + } // cfg.settings; + + environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment); + + healthchecksManageScript = with pkgs; (writeShellScriptBin "healthchecks-manage" '' + if [[ "$USER" != "${cfg.user}" ]]; then + echo "please run as user 'healtchecks'." >/dev/stderr + exit 1 + fi + export $(cat ${environmentFile} | xargs); + exec ${pkg}/opt/healthchecks/manage.py "$@" + ''); +in +{ + options.services.healthchecks = { + enable = mkEnableOption "healthchecks" // { + description = '' + Enable healthchecks. + It is expected to be run behind a HTTP reverse proxy. + ''; + }; + + package = mkOption { + default = pkgs.healthchecks; + defaultText = literalExpression "pkgs.healthchecks"; + type = types.package; + description = "healthchecks package to use."; + }; + + user = mkOption { + default = defaultUser; + type = types.str; + description = '' + User account under which healthchecks runs. + + <note><para> + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the healthchecks service starts. + </para></note> + ''; + }; + + group = mkOption { + default = defaultUser; + type = types.str; + description = '' + Group account under which healthchecks runs. + + <note><para> + If left as the default value this group will automatically be created + on system activation, otherwise you are responsible for + ensuring the group exists before the healthchecks service starts. + </para></note> + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "localhost"; + description = "Address the server will listen on."; + }; + + port = mkOption { + type = types.port; + default = 8000; + description = "Port the server will listen on."; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/healthchecks"; + description = '' + The directory used to store all data for healthchecks. + + <note><para> + If left as the default value this directory will automatically be created before + the healthchecks server starts, otherwise you are responsible for ensuring the + directory exists with appropriate ownership and permissions. + </para></note> + ''; + }; + + settings = lib.mkOption { + description = '' + Environment variables which are read by healthchecks <literal>(local)_settings.py</literal>. + + Settings which are explictly covered in options bewlow, are type-checked and/or transformed + before added to the environment, everything else is passed as a string. + + See <link xlink:href="">https://healthchecks.io/docs/self_hosted_configuration/</link> + for a full documentation of settings. + + We add two variables to this list inside the packages <literal>local_settings.py.</literal> + - STATIC_ROOT to set a state directory for dynamically generated static files. + - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store. + ''; + type = types.submodule { + freeformType = types.attrsOf types.str; + options = { + ALLOWED_HOSTS = lib.mkOption { + type = types.listOf types.str; + default = [ "*" ]; + description = "The host/domain names that this site can serve."; + apply = lib.concatStringsSep ","; + }; + + SECRET_KEY_FILE = mkOption { + type = types.path; + description = "Path to a file containing the secret key."; + }; + + DEBUG = mkOption { + type = types.bool; + default = false; + description = "Enable debug mode."; + apply = boolToPython; + }; + + REGISTRATION_OPEN = mkOption { + type = types.bool; + default = false; + description = '' + A boolean that controls whether site visitors can create new accounts. + Set it to false if you are setting up a private Healthchecks instance, + but it needs to be publicly accessible (so, for example, your cloud + services can send pings to it). + If you close new user registration, you can still selectively invite + users to your team account. + ''; + apply = boolToPython; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ healthchecksManageScript ]; + + systemd.targets.healthchecks = { + description = "Target for all Healthchecks services"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "network-online.target" ]; + }; + + systemd.services = + let + commonConfig = { + WorkingDirectory = cfg.dataDir; + User = cfg.user; + Group = cfg.group; + EnvironmentFile = environmentFile; + StateDirectory = mkIf (cfg.dataDir == "/var/lib/healthchecks") "healthchecks"; + StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750"; + }; + in + { + healthchecks-migration = { + description = "Healthchecks migrations"; + wantedBy = [ "healthchecks.target" ]; + + serviceConfig = commonConfig // { + Restart = "on-failure"; + Type = "oneshot"; + ExecStart = '' + ${pkg}/opt/healthchecks/manage.py migrate + ''; + }; + }; + + healthchecks = { + description = "Healthchecks WSGI Service"; + wantedBy = [ "healthchecks.target" ]; + after = [ "healthchecks-migration.service" ]; + + preStart = '' + ${pkg}/opt/healthchecks/manage.py collectstatic --no-input + ${pkg}/opt/healthchecks/manage.py remove_stale_contenttypes --no-input + ${pkg}/opt/healthchecks/manage.py compress + ''; + + serviceConfig = commonConfig // { + Restart = "always"; + ExecStart = '' + ${pkgs.python3Packages.gunicorn}/bin/gunicorn hc.wsgi \ + --bind ${cfg.listenAddress}:${toString cfg.port} \ + --pythonpath ${pkg}/opt/healthchecks + ''; + }; + }; + + healthchecks-sendalerts = { + description = "Healthchecks Alert Service"; + wantedBy = [ "healthchecks.target" ]; + after = [ "healthchecks.service" ]; + + serviceConfig = commonConfig // { + Restart = "always"; + ExecStart = '' + ${pkg}/opt/healthchecks/manage.py sendalerts + ''; + }; + }; + + healthchecks-sendreports = { + description = "Healthchecks Reporting Service"; + wantedBy = [ "healthchecks.target" ]; + after = [ "healthchecks.service" ]; + + serviceConfig = commonConfig // { + Restart = "always"; + ExecStart = '' + ${pkg}/opt/healthchecks/manage.py sendreports --loop + ''; + }; + }; + }; + + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { + description = "healthchecks service owner"; + isSystemUser = true; + group = defaultUser; + }; + }; + + users.groups = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { + members = [ defaultUser ]; + }; + }; + }; +} diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix index 9eeabb9d566..22270609dbc 100644 --- a/nixos/modules/services/web-apps/hedgedoc.nix +++ b/nixos/modules/services/web-apps/hedgedoc.nix @@ -197,6 +197,13 @@ in Whether to allow note creation by accessing a nonexistent note URL. ''; }; + requireFreeURLAuthentication = mkOption { + type = types.bool; + default = false; + description = '' + Whether to require authentication for FreeURL mode style note creation. + ''; + }; defaultPermission = mkOption { type = types.enum [ "freely" "editable" "limited" "locked" "private" ]; default = "editable"; @@ -431,7 +438,7 @@ in Minio secret key. ''; }; - endpoint = mkOption { + endPoint = mkOption { type = types.str; description = '' Minio endpoint. @@ -1020,9 +1027,11 @@ in ${pkgs.envsubst}/bin/envsubst \ -o ${cfg.workDir}/config.json \ -i ${prettyJSON cfg.configuration} + mkdir -p ${cfg.configuration.uploadsPath} ''; serviceConfig = { WorkingDirectory = cfg.workDir; + StateDirectory = [ cfg.workDir cfg.configuration.uploadsPath ]; ExecStart = "${cfg.package}/bin/hedgedoc"; EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; Environment = [ diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix index 095eec36dec..527e248f65b 100644 --- a/nixos/modules/services/web-apps/invoiceplane.nix +++ b/nixos/modules/services/web-apps/invoiceplane.nix @@ -236,7 +236,7 @@ in }; services.phpfpm = { - phpPackage = pkgs.php74; + phpPackage = pkgs.php81; pools = mapAttrs' (hostName: cfg: ( nameValuePair "invoiceplane-${hostName}" { inherit user; @@ -302,4 +302,3 @@ in ]); } - diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix index be0b5b94fb2..8ad92706b06 100644 --- a/nixos/modules/services/web-apps/jitsi-meet.nix +++ b/nixos/modules/services/web-apps/jitsi-meet.nix @@ -253,9 +253,20 @@ in ''; }; }; - systemd.services.prosody.serviceConfig = mkIf cfg.prosody.enable { - EnvironmentFile = [ "/var/lib/jitsi-meet/secrets-env" ]; - SupplementaryGroups = [ "jitsi-meet" ]; + systemd.services.prosody = mkIf cfg.prosody.enable { + preStart = let + videobridgeSecret = if cfg.videobridge.passwordFile != null then cfg.videobridge.passwordFile else "/var/lib/jitsi-meet/videobridge-secret"; + in '' + ${config.services.prosody.package}/bin/prosodyctl register focus auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jicofo-user-secret)" + ${config.services.prosody.package}/bin/prosodyctl register jvb auth.${cfg.hostName} "$(cat ${videobridgeSecret})" + ${config.services.prosody.package}/bin/prosodyctl mod_roster_command subscribe focus.${cfg.hostName} focus@auth.${cfg.hostName} + ${config.services.prosody.package}/bin/prosodyctl register jibri auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-auth-secret)" + ${config.services.prosody.package}/bin/prosodyctl register recorder recorder.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-recorder-secret)" + ''; + serviceConfig = { + EnvironmentFile = [ "/var/lib/jitsi-meet/secrets-env" ]; + SupplementaryGroups = [ "jitsi-meet" ]; + }; }; users.groups.jitsi-meet = {}; @@ -266,14 +277,12 @@ in systemd.services.jitsi-meet-init-secrets = { wantedBy = [ "multi-user.target" ]; before = [ "jicofo.service" "jitsi-videobridge2.service" ] ++ (optional cfg.prosody.enable "prosody.service"); - path = [ config.services.prosody.package ]; serviceConfig = { Type = "oneshot"; }; script = let secrets = [ "jicofo-component-secret" "jicofo-user-secret" "jibri-auth-secret" "jibri-recorder-secret" ] ++ (optional (cfg.videobridge.passwordFile == null) "videobridge-secret"); - videobridgeSecret = if cfg.videobridge.passwordFile != null then cfg.videobridge.passwordFile else "/var/lib/jitsi-meet/videobridge-secret"; in '' cd /var/lib/jitsi-meet @@ -291,12 +300,6 @@ in chmod 640 secrets-env '' + optionalString cfg.prosody.enable '' - prosodyctl register focus auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jicofo-user-secret)" - prosodyctl register jvb auth.${cfg.hostName} "$(cat ${videobridgeSecret})" - prosodyctl mod_roster_command subscribe focus.${cfg.hostName} focus@auth.${cfg.hostName} - prosodyctl register jibri auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-auth-secret)" - prosodyctl register recorder recorder.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-recorder-secret)" - # generate self-signed certificates if [ ! -f /var/lib/jitsi-meet.crt ]; then ${getBin pkgs.openssl}/bin/openssl req \ diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 2d817ca1923..a1855e1c1a7 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -540,7 +540,8 @@ in db = if cfg.database.type == "postgresql" then "postgres" else cfg.database.type; db-username = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; db-password._secret = cfg.database.passwordFile; - db-url-host = "${cfg.database.host}:${toString cfg.database.port}"; + db-url-host = cfg.database.host; + db-url-port = toString cfg.database.port; db-url-database = if databaseActuallyCreateLocally then "keycloak" else cfg.database.name; db-url-properties = prefixUnlessEmpty "?" dbProps; db-url = null; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index fbfcc33b2dc..03adaadff93 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -294,7 +294,7 @@ in { port = lib.mkOption { description = "Redis port."; type = lib.types.port; - default = 6379; + default = 31637; }; }; @@ -605,8 +605,10 @@ in { enable = true; hostname = lib.mkDefault "${cfg.localDomain}"; }; - services.redis = lib.mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") { + services.redis.servers.mastodon = lib.mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") { enable = true; + port = cfg.redis.port; + bind = "127.0.0.1"; }; services.postgresql = lib.mkIf databaseActuallyCreateLocally { enable = true; diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index 19f3e754691..55e5ac9281e 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -56,7 +56,7 @@ let mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql"; pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql"; - phpExt = pkgs.php74.withExtensions + phpExt = pkgs.php81.withExtensions ({ enabled, all }: with all; [ iconv mbstring curl openssl tokenizer xmlrpc soap ctype zip gd simplexml dom intl json sqlite3 pgsql pdo_sqlite pdo_pgsql pdo_odbc pdo_mysql pdo mysqli session zlib xmlreader fileinfo filter opcache ]); in { diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index d78c90974a6..0e2a016a0cb 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -91,7 +91,8 @@ in { }; datadir = mkOption { type = types.str; - defaultText = "config.services.nextcloud.home"; + default = config.services.nextcloud.home; + defaultText = literalExpression "config.services.nextcloud.home"; description = '' Data storage path of nextcloud. Will be <xref linkend="opt-services.nextcloud.home" /> by default. This folder will be populated with a config.php and data folder which contains the state of the instance (excl the database)."; @@ -155,11 +156,11 @@ in { package = mkOption { type = types.package; description = "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud22" "nextcloud23" ]; + relatedPackages = [ "nextcloud23" "nextcloud24" ]; }; phpPackage = mkOption { type = types.package; - relatedPackages = [ "php74" "php80" ]; + relatedPackages = [ "php80" "php81" ]; defaultText = "pkgs.php"; description = '' PHP package to use for Nextcloud. @@ -524,6 +525,29 @@ in { The nextcloud-occ program preconfigured to target this Nextcloud instance. ''; }; + globalProfiles = mkEnableOption "global profiles" // { + description = '' + Makes user-profiles globally available under <literal>nextcloud.tld/u/user.name</literal>. + Even though it's enabled by default in Nextcloud, it must be explicitly enabled + here because it has the side-effect that personal information is even accessible to + unauthenticated users by default. + + By default, the following properties are set to <quote>Show to everyone</quote> + if this flag is enabled: + <itemizedlist> + <listitem><para>About</para></listitem> + <listitem><para>Full name</para></listitem> + <listitem><para>Headline</para></listitem> + <listitem><para>Organisation</para></listitem> + <listitem><para>Profile picture</para></listitem> + <listitem><para>Role</para></listitem> + <listitem><para>Twitter</para></listitem> + <listitem><para>Website</para></listitem> + </itemizedlist> + + Only has an effect in Nextcloud 23 and later. + ''; + }; extraOptions = mkOption { type = jsonFormat.type; @@ -552,16 +576,29 @@ in { ''; }; - nginx.recommendedHttpHeaders = mkOption { - type = types.bool; - default = true; - description = "Enable additional recommended HTTP response headers"; + nginx = { + recommendedHttpHeaders = mkOption { + type = types.bool; + default = true; + description = "Enable additional recommended HTTP response headers"; + }; + hstsMaxAge = mkOption { + type = types.ints.positive; + default = 15552000; + description = '' + Value for the <code>max-age</code> directive of the HTTP + <code>Strict-Transport-Security</code> header. + + See section 6.1.1 of IETF RFC 6797 for detailed information on this + directive and header. + ''; + }; }; }; config = mkIf cfg.enable (mkMerge [ { warnings = let - latest = 23; + latest = 24; upgradeWarning = major: nixos: '' A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. @@ -597,6 +634,7 @@ in { ++ (optional (versionOlder cfg.package.version "21") (upgradeWarning 20 "21.05")) ++ (optional (versionOlder cfg.package.version "22") (upgradeWarning 21 "21.11")) ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) + ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) ++ (optional isUnsupportedMariadb '' You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! Please note that this isn't supported officially by Nextcloud. You can either @@ -617,15 +655,18 @@ in { nextcloud defined in an overlay, please set `services.nextcloud.package` to `pkgs.nextcloud`. '' - else if versionOlder stateVersion "21.11" then nextcloud21 else if versionOlder stateVersion "22.05" then nextcloud22 - else nextcloud23 + else nextcloud24 ); - services.nextcloud.datadir = mkOptionDefault config.services.nextcloud.home; - services.nextcloud.phpPackage = - if versionOlder cfg.package.version "21" then pkgs.php74 + if versionOlder cfg.package.version "24" then pkgs.php80 + # FIXME: Use PHP 8.1 with Nextcloud 24 and higher, once issues like this one are fixed: + # + # https://github.com/nextcloud/twofactor_totp/issues/1192 + # + # else if versionOlder cfg.package.version "24" then pkgs.php80 + # else pkgs.php81; else pkgs.php80; } @@ -637,6 +678,7 @@ in { { systemd.timers.nextcloud-cron = { wantedBy = [ "timers.target" ]; + after = [ "nextcloud-setup.service" ]; timerConfig.OnBootSec = "5m"; timerConfig.OnUnitActiveSec = "5m"; timerConfig.Unit = "nextcloud-cron.service"; @@ -679,6 +721,8 @@ in { if x == null then "false" else boolToString x; + nextcloudGreaterOrEqualThan = req: versionAtLeast cfg.package.version req; + overrideConfig = pkgs.writeText "nextcloud-config.php" '' <?php ${optionalString requiresReadSecretFunction '' @@ -716,7 +760,7 @@ in { 'skeletondirectory' => '${cfg.skeletonDirectory}', ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} 'log_type' => 'syslog', - 'log_level' => '${builtins.toString cfg.logLevel}', + 'loglevel' => '${builtins.toString cfg.logLevel}', ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"} @@ -736,6 +780,7 @@ in { 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)}, 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)}, ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} + ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles},"} ${objectstoreConfig} ]; @@ -844,7 +889,7 @@ in { ${occ}/bin/nextcloud-occ config:system:delete trusted_domains ${optionalString (cfg.extraAppsEnable && cfg.extraApps != { }) '' - # Try to enable apps (don't fail when one of them cannot be enabled , eg. due to incompatible version) + # Try to enable apps ${occ}/bin/nextcloud-occ app:enable ${concatStringsSep " " (attrNames cfg.extraApps)} ''} @@ -854,12 +899,14 @@ in { serviceConfig.User = "nextcloud"; }; nextcloud-cron = { + after = [ "nextcloud-setup.service" ]; environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nextcloud"; serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; }; nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { + after = [ "nextcloud-setup.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; serviceConfig.User = "nextcloud"; @@ -904,7 +951,7 @@ in { # FIXME(@Ma27) Nextcloud isn't compatible with mariadb 10.6, # this is a workaround. # See https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/22 - settings = { + settings = mkIf (versionOlder cfg.package.version "24") { mysqld = { innodb_read_only_compressed = 0; }; @@ -928,7 +975,6 @@ in { priority = 100; extraConfig = '' allow all; - log_not_found off; access_log off; ''; }; @@ -1016,7 +1062,9 @@ in { add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''} + ${optionalString (cfg.https) '' + add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always; ''} client_max_body_size ${cfg.maxUploadSize}; fastcgi_buffers 64 4K; diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index 8f55086a2bd..b46f34420a7 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -11,7 +11,7 @@ desktop client is packaged at <literal>pkgs.nextcloud-client</literal>. </para> <para> - The current default by NixOS is <package>nextcloud23</package> which is also the latest + The current default by NixOS is <package>nextcloud24</package> which is also the latest major version available. </para> <section xml:id="module-services-nextcloud-basic-usage"> diff --git a/nixos/modules/services/web-apps/openwebrx.nix b/nixos/modules/services/web-apps/openwebrx.nix index 9e90c01e0bb..c530a07610f 100644 --- a/nixos/modules/services/web-apps/openwebrx.nix +++ b/nixos/modules/services/web-apps/openwebrx.nix @@ -19,6 +19,7 @@ in wantedBy = [ "multi-user.target" ]; path = with pkgs; [ csdr + digiham alsaUtils netcat ]; diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index e195e6e6e82..e6b6aa273e7 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -209,7 +209,7 @@ in { port = lib.mkOption { type = lib.types.nullOr lib.types.port; - default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 6379; + default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 31638; defaultText = lib.literalExpression '' if config.${opt.redis.createLocally} && config.${opt.redis.enableUnixSocket} then null @@ -344,7 +344,7 @@ in { }; }; } - (lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis/redis.sock"; }; }) + (lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis-peertube/redis.sock"; }; }) ]; systemd.tmpfiles.rules = [ @@ -441,13 +441,17 @@ in { enable = true; }; - services.redis = lib.mkMerge [ + services.redis.servers.peertube = lib.mkMerge [ (lib.mkIf cfg.redis.createLocally { enable = true; }) + (lib.mkIf (cfg.redis.createLocally && !cfg.redis.enableUnixSocket) { + bind = "127.0.0.1"; + port = cfg.redis.port; + }) (lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { - unixSocket = "/run/redis/redis.sock"; - unixSocketPerm = 770; + unixSocket = "/run/redis-peertube/redis.sock"; + unixSocketPerm = 660; }) ]; @@ -465,7 +469,7 @@ in { }; }) (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package peertubeEnv peertubeCli pkgs.ffmpeg pkgs.nodejs-16_x pkgs.yarn ]) - (lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis" ];}) + (lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis-peertube" ];}) ]; users.groups = lib.optionalAttrs (cfg.group == "peertube") { diff --git a/nixos/modules/services/web-apps/phylactery.nix b/nixos/modules/services/web-apps/phylactery.nix new file mode 100644 index 00000000000..f0e97da1f20 --- /dev/null +++ b/nixos/modules/services/web-apps/phylactery.nix @@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +with lib; +let cfg = config.services.phylactery; +in { + options.services.phylactery = { + enable = mkEnableOption "Whether to enable Phylactery server"; + + host = mkOption { + type = types.str; + default = "localhost"; + description = "Listen host for Phylactery"; + }; + + port = mkOption { + type = types.port; + description = "Listen port for Phylactery"; + }; + + library = mkOption { + type = types.path; + description = "Path to CBZ library"; + }; + + package = mkOption { + type = types.package; + default = pkgs.phylactery; + defaultText = literalExpression "pkgs.phylactery"; + description = "The Phylactery package to use"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.phylactery = { + environment = { + PHYLACTERY_ADDRESS = "${cfg.host}:${toString cfg.port}"; + PHYLACTERY_LIBRARY = "${cfg.library}"; + }; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ConditionPathExists = cfg.library; + DynamicUser = true; + ExecStart = "${cfg.package}/bin/phylactery"; + }; + }; + }; + + meta.maintainers = with maintainers; [ McSinyx ]; +} diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 4b36cc8754c..1a8199ab3b3 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -263,8 +263,8 @@ in serviceConfig.RemainAfterExit = true; wantedBy = [ "multi-user.target" ]; - requires = [ "postgresql.service" ]; - after = [ "network.target" "postgresql.service" ]; + requires = if cfg.database.host == null then [] else [ "postgresql.service" ]; + after = [ "network.target" ] ++ (if cfg.database.host == null then [] else [ "postgresql.service" ]); script = '' rm -rf "${runDir}" @@ -282,7 +282,7 @@ in sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', 'restya');/g" "${runDir}/server/php/config.inc.php" '' else '' sed -i "s/^.*'R_DB_HOST'.*$/define('R_DB_HOST', '${cfg.database.host}');/g" "${runDir}/server/php/config.inc.php" - sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', ${if cfg.database.passwordFile == null then "''" else "'file_get_contents(${cfg.database.passwordFile})'"});/g" "${runDir}/server/php/config.inc.php + sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', ${if cfg.database.passwordFile == null then "''" else "'$(cat ${cfg.database.passwordFile})');/g"}" "${runDir}/server/php/config.inc.php" ''} sed -i "s/^.*'R_DB_PORT'.*$/define('R_DB_PORT', '${toString cfg.database.port}');/g" "${runDir}/server/php/config.inc.php" sed -i "s/^.*'R_DB_NAME'.*$/define('R_DB_NAME', '${cfg.database.name}');/g" "${runDir}/server/php/config.inc.php" @@ -294,7 +294,7 @@ in ln -sf "${cfg.dataDir}/client/img" "${runDir}/client/img" chmod g+w "${runDir}/tmp/cache" - chown -R "${cfg.user}"."${cfg.group}" "${runDir}" + chown -R "${cfg.user}":"${cfg.group}" "${runDir}" mkdir -m 0750 -p "${cfg.dataDir}" @@ -302,9 +302,9 @@ in mkdir -m 0750 -p "${cfg.dataDir}/client/img" cp -r "${pkgs.restya-board}/media/"* "${cfg.dataDir}/media" cp -r "${pkgs.restya-board}/client/img/"* "${cfg.dataDir}/client/img" - chown "${cfg.user}"."${cfg.group}" "${cfg.dataDir}" - chown -R "${cfg.user}"."${cfg.group}" "${cfg.dataDir}/media" - chown -R "${cfg.user}"."${cfg.group}" "${cfg.dataDir}/client/img" + chown "${cfg.user}":"${cfg.group}" "${cfg.dataDir}" + chown -R "${cfg.user}":"${cfg.group}" "${cfg.dataDir}/media" + chown -R "${cfg.user}":"${cfg.group}" "${cfg.dataDir}/client/img" ${optionalString (cfg.database.host == null) '' if ! [ -e "${cfg.dataDir}/.db-initialized" ]; then diff --git a/nixos/modules/services/web-apps/snipe-it.nix b/nixos/modules/services/web-apps/snipe-it.nix new file mode 100644 index 00000000000..842e0715c02 --- /dev/null +++ b/nixos/modules/services/web-apps/snipe-it.nix @@ -0,0 +1,493 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.snipe-it; + snipe-it = pkgs.snipe-it.override { + dataDir = cfg.dataDir; + }; + db = cfg.database; + mail = cfg.mail; + + user = cfg.user; + group = cfg.group; + + tlsEnabled = cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME; + + # shell script for local administration + artisan = pkgs.writeScriptBin "snipe-it" '' + #! ${pkgs.runtimeShell} + cd ${snipe-it} + sudo=exec + if [[ "$USER" != ${user} ]]; then + sudo='exec /run/wrappers/bin/sudo -u ${user}' + fi + $sudo ${pkgs.php}/bin/php artisan $* + ''; +in { + options.services.snipe-it = { + + enable = mkEnableOption "A free open source IT asset/license management system"; + + user = mkOption { + default = "snipeit"; + description = "User snipe-it runs as."; + type = types.str; + }; + + group = mkOption { + default = "snipeit"; + description = "Group snipe-it runs as."; + type = types.str; + }; + + appKeyFile = mkOption { + description = '' + A file containing the Laravel APP_KEY - a 32 character long, + base64 encoded key used for encryption where needed. Can be + generated with <code>head -c 32 /dev/urandom | base64</code>. + ''; + example = "/run/keys/snipe-it/appkey"; + type = types.path; + }; + + hostName = lib.mkOption { + type = lib.types.str; + default = if config.networking.domain != null then + config.networking.fqdn + else + config.networking.hostName; + defaultText = lib.literalExpression "config.networking.fqdn"; + example = "snipe-it.example.com"; + description = '' + The hostname to serve Snipe-IT on. + ''; + }; + + appURL = mkOption { + description = '' + The root URL that you want to host Snipe-IT on. All URLs in Snipe-IT will be generated using this value. + If you change this in the future you may need to run a command to update stored URLs in the database. + Command example: <code>snipe-it snipe-it:update-url https://old.example.com https://new.example.com</code> + ''; + default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}"; + defaultText = '' + http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostName} + ''; + example = "https://example.com"; + type = types.str; + }; + + dataDir = mkOption { + description = "snipe-it data directory"; + default = "/var/lib/snipe-it"; + type = types.path; + }; + + database = { + host = mkOption { + type = types.str; + default = "localhost"; + description = "Database host address."; + }; + port = mkOption { + type = types.port; + default = 3306; + description = "Database host port."; + }; + name = mkOption { + type = types.str; + default = "snipeit"; + description = "Database name."; + }; + user = mkOption { + type = types.str; + default = user; + defaultText = literalExpression "user"; + description = "Database username."; + }; + passwordFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/run/keys/snipe-it/dbpassword"; + description = '' + A file containing the password corresponding to + <option>database.user</option>. + ''; + }; + createLocally = mkOption { + type = types.bool; + default = false; + description = "Create the database and database user locally."; + }; + }; + + mail = { + driver = mkOption { + type = types.enum [ "smtp" "sendmail" ]; + default = "smtp"; + description = "Mail driver to use."; + }; + host = mkOption { + type = types.str; + default = "localhost"; + description = "Mail host address."; + }; + port = mkOption { + type = types.port; + default = 1025; + description = "Mail host port."; + }; + encryption = mkOption { + type = with types; nullOr (enum [ "tls" "ssl" ]); + default = null; + description = "SMTP encryption mechanism to use."; + }; + user = mkOption { + type = with types; nullOr str; + default = null; + example = "snipeit"; + description = "Mail username."; + }; + passwordFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/run/keys/snipe-it/mailpassword"; + description = '' + A file containing the password corresponding to + <option>mail.user</option>. + ''; + }; + backupNotificationAddress = mkOption { + type = types.str; + default = "backup@example.com"; + description = "Email Address to send Backup Notifications to."; + }; + from = { + name = mkOption { + type = types.str; + default = "Snipe-IT Asset Management"; + description = "Mail \"from\" name."; + }; + address = mkOption { + type = types.str; + default = "mail@example.com"; + description = "Mail \"from\" address."; + }; + }; + replyTo = { + name = mkOption { + type = types.str; + default = "Snipe-IT Asset Management"; + description = "Mail \"reply-to\" name."; + }; + address = mkOption { + type = types.str; + default = "mail@example.com"; + description = "Mail \"reply-to\" address."; + }; + }; + }; + + maxUploadSize = mkOption { + type = types.str; + default = "18M"; + example = "1G"; + description = "The maximum size for uploads (e.g. images)."; + }; + + poolConfig = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + description = '' + Options for the snipe-it PHP pool. See the documentation on <literal>php-fpm.conf</literal> + for details on configuration directives. + ''; + }; + + nginx = mkOption { + type = types.submodule ( + recursiveUpdate + (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {} + ); + default = {}; + example = literalExpression '' + { + serverAliases = [ + "snipe-it.''${config.networking.domain}" + ]; + # To enable encryption and let let's encrypt take care of certificate + forceSSL = true; + enableACME = true; + } + ''; + description = '' + With this option, you can customize the nginx virtualHost settings. + ''; + }; + + config = mkOption { + type = with types; + attrsOf + (nullOr + (either + (oneOf [ + bool + int + port + path + str + ]) + (submodule { + options = { + _secret = mkOption { + type = nullOr (oneOf [ str path ]); + description = '' + The path to a file containing the value the + option should be set to in the final + configuration file. + ''; + }; + }; + }))); + default = {}; + example = literalExpression '' + { + ALLOWED_IFRAME_HOSTS = "https://example.com"; + WKHTMLTOPDF = "''${pkgs.wkhtmltopdf}/bin/wkhtmltopdf"; + AUTH_METHOD = "oidc"; + OIDC_NAME = "MyLogin"; + OIDC_DISPLAY_NAME_CLAIMS = "name"; + OIDC_CLIENT_ID = "snipe-it"; + OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"}; + OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm"; + OIDC_ISSUER_DISCOVER = true; + } + ''; + description = '' + Snipe-IT configuration options to set in the + <filename>.env</filename> file. + Refer to <link xlink:href="https://snipe-it.readme.io/docs/configuration"/> + for details on supported values. + + Settings containing secret data should be set to an attribute + set containing the attribute <literal>_secret</literal> - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting <filename>.env</filename> file, the + <literal>OIDC_CLIENT_SECRET</literal> key will be set to the + contents of the <filename>/run/keys/oidc_secret</filename> + file. + ''; + }; + }; + + config = mkIf cfg.enable { + + assertions = [ + { assertion = db.createLocally -> db.user == user; + message = "services.snipe-it.database.user must be set to ${user} if services.snipe-it.database.createLocally is set true."; + } + { assertion = db.createLocally -> db.passwordFile == null; + message = "services.snipe-it.database.passwordFile cannot be specified if services.snipe-it.database.createLocally is set to true."; + } + ]; + + environment.systemPackages = [ artisan ]; + + services.snipe-it.config = { + APP_ENV = "production"; + APP_KEY._secret = cfg.appKeyFile; + APP_URL = cfg.appURL; + DB_HOST = db.host; + DB_PORT = db.port; + DB_DATABASE = db.name; + DB_USERNAME = db.user; + DB_PASSWORD._secret = db.passwordFile; + MAIL_DRIVER = mail.driver; + MAIL_FROM_NAME = mail.from.name; + MAIL_FROM_ADDR = mail.from.address; + MAIL_REPLYTO_NAME = mail.from.name; + MAIL_REPLYTO_ADDR = mail.from.address; + MAIL_BACKUP_NOTIFICATION_ADDRESS = mail.backupNotificationAddress; + MAIL_HOST = mail.host; + MAIL_PORT = mail.port; + MAIL_USERNAME = mail.user; + MAIL_ENCRYPTION = mail.encryption; + MAIL_PASSWORD._secret = mail.passwordFile; + APP_SERVICES_CACHE = "/run/snipe-it/cache/services.php"; + APP_PACKAGES_CACHE = "/run/snipe-it/cache/packages.php"; + APP_CONFIG_CACHE = "/run/snipe-it/cache/config.php"; + APP_ROUTES_CACHE = "/run/snipe-it/cache/routes-v7.php"; + APP_EVENTS_CACHE = "/run/snipe-it/cache/events.php"; + SESSION_SECURE_COOKIE = tlsEnabled; + }; + + services.mysql = mkIf db.createLocally { + enable = true; + package = mkDefault pkgs.mariadb; + ensureDatabases = [ db.name ]; + ensureUsers = [ + { name = db.user; + ensurePermissions = { "${db.name}.*" = "ALL PRIVILEGES"; }; + } + ]; + }; + + services.phpfpm.pools.snipe-it = { + inherit user group; + phpPackage = pkgs.php81; + phpOptions = '' + post_max_size = ${cfg.maxUploadSize} + upload_max_filesize = ${cfg.maxUploadSize} + ''; + settings = { + "listen.mode" = "0660"; + "listen.owner" = user; + "listen.group" = group; + } // cfg.poolConfig; + }; + + services.nginx = { + enable = mkDefault true; + virtualHosts."${cfg.hostName}" = mkMerge [ cfg.nginx { + root = mkForce "${snipe-it}/public"; + extraConfig = optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "fastcgi_param HTTPS on;"; + locations = { + "/" = { + index = "index.php"; + extraConfig = ''try_files $uri $uri/ /index.php?$query_string;''; + }; + "~ \.php$" = { + extraConfig = '' + try_files $uri $uri/ /index.php?$query_string; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."snipe-it".socket}; + ${optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "fastcgi_param HTTPS on;"} + ''; + }; + "~ \.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + }; + }]; + }; + + systemd.services.snipe-it-setup = { + description = "Preperation tasks for snipe-it"; + before = [ "phpfpm-snipe-it.service" ]; + after = optional db.createLocally "mysql.service"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = user; + WorkingDirectory = snipe-it; + RuntimeDirectory = "snipe-it/cache"; + RuntimeDirectoryMode = 0700; + }; + path = [ pkgs.replace-secret ]; + script = + let + isSecret = v: isAttrs v && v ? _secret && (isString v._secret || builtins.isPath v._secret); + snipeITEnvVars = lib.generators.toKeyValue { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" { + mkValueString = v: with builtins; + if isInt v then toString v + else if isString v then "\"${v}\"" + else if true == v then "true" + else if false == v then "false" + else if isSecret v then + if (isString v._secret) then + hashString "sha256" v._secret + else + hashString "sha256" (builtins.readFile v._secret) + else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; + }; + }; + secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config); + mkSecretReplacement = file: '' + replace-secret ${escapeShellArgs [ + ( + if (isString file) then + builtins.hashString "sha256" file + else + builtins.hashString "sha256" (builtins.readFile file) + ) + file + "${cfg.dataDir}/.env" + ]} + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config; + snipeITEnv = pkgs.writeText "snipeIT.env" (snipeITEnvVars filteredConfig); + in '' + # error handling + set -euo pipefail + + # set permissions + umask 077 + + # create .env file + install -T -m 0600 -o ${user} ${snipeITEnv} "${cfg.dataDir}/.env" + + # replace secrets + ${secretReplacements} + + # prepend `base64:` if it does not exist in APP_KEY + if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then + sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env" + fi + + # purge cache + rm "${cfg.dataDir}"/bootstrap/cache/*.php || true + + # migrate db + ${pkgs.php}/bin/php artisan migrate --force + ''; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0710 ${user} ${group} - -" + "d ${cfg.dataDir}/bootstrap 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/bootstrap/cache 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/storage 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -" + ]; + + users = { + users = mkIf (user == "snipeit") { + snipeit = { + inherit group; + isSystemUser = true; + }; + "${config.services.nginx.user}".extraGroups = [ group ]; + }; + groups = mkIf (group == "snipeit") { + snipeit = {}; + }; + }; + + }; + + meta.maintainers = with maintainers; [ yayayayaka ]; +} diff --git a/nixos/modules/services/web-apps/timetagger.nix b/nixos/modules/services/web-apps/timetagger.nix deleted file mode 100644 index 373f4fcd52f..00000000000 --- a/nixos/modules/services/web-apps/timetagger.nix +++ /dev/null @@ -1,80 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkEnableOption mkIf mkOption types literalExpression; - - cfg = config.services.timetagger; -in { - - options = { - services.timetagger = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Tag your time, get the insight - - <note><para> - This app does not do authentication. - You must setup authentication yourself or run it in an environment where - only allowed users have access. - </para></note> - ''; - }; - - bindAddr = mkOption { - description = "Address to bind to."; - type = types.str; - default = "127.0.0.1"; - }; - - port = mkOption { - description = "Port to bind to."; - type = types.port; - default = 8080; - }; - - package = mkOption { - description = '' - Use own package for starting timetagger web application. - - The ${literalExpression ''pkgs.timetagger''} package only provides a - "run.py" script for the actual package - ${literalExpression ''pkgs.python3Packages.timetagger''}. - - If you want to provide a "run.py" script for starting timetagger - yourself, you can do so with this option. - If you do so, the 'bindAddr' and 'port' options are ignored. - ''; - - default = pkgs.timetagger.override { addr = cfg.bindAddr; port = cfg.port; }; - defaultText = literalExpression '' - pkgs.timetagger.override { - addr = ${cfg.bindAddr}; - port = ${cfg.port}; - }; - ''; - type = types.package; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.timetagger = { - description = "Timetagger service"; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - User = "timetagger"; - Group = "timetagger"; - StateDirectory = "timetagger"; - - ExecStart = "${cfg.package}/bin/timetagger"; - - Restart = "on-failure"; - RestartSec = 1; - }; - }; - }; -} - diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 9aa38ab25c9..c441a2a7764 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -534,6 +534,7 @@ let services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { ${poolName} = { inherit (cfg) user; + phpPackage = pkgs.php80; settings = mapAttrs (name: mkDefault) { "listen.owner" = "nginx"; "listen.group" = "nginx"; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 0c2333399e8..5ccbaf77481 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -360,7 +360,7 @@ let ${optionalString (config.alias != null) "alias ${config.alias};"} ${optionalString (config.return != null) "return ${config.return};"} ${config.extraConfig} - ${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"} + ${optionalString (config.proxyPass != null && config.recommendedProxySettings) "include ${recommendedProxyConfig};"} ${mkBasicAuth "sublocation" config} } '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations))); @@ -423,7 +423,7 @@ in default = false; type = types.bool; description = " - Enable recommended proxy settings. + Whether to enable recommended proxy settings if a vhost does not specify the option manually. "; }; @@ -932,7 +932,7 @@ in # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] - ++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; + ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; }; }; diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix index 6fd00b38697..49dd8893015 100644 --- a/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixos/modules/services/web-servers/nginx/location-options.nix @@ -3,7 +3,7 @@ # has additional options that affect the web server as a whole, like # the user/group to run under.) -{ lib }: +{ lib, config }: with lib; @@ -128,5 +128,14 @@ with lib; a greater priority. ''; }; + + recommendedProxySettings = mkOption { + type = types.bool; + default = config.services.nginx.recommendedProxySettings; + defaultText = literalExpression "config.services.nginx.recommendedProxySettings"; + description = '' + Enable recommended proxy settings. + ''; + }; }; } diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 2c77d6ee816..a9929297a24 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -281,7 +281,7 @@ with lib; locations = mkOption { type = types.attrsOf (types.submodule (import ./location-options.nix { - inherit lib; + inherit lib config; })); default = {}; example = literalExpression '' diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index 8247a7e381c..2c2f2cae4b7 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -18,7 +18,7 @@ in # determines the default: later modules (if enabled) are preferred. # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ - ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix + ./none.nix ./xterm.nix ./phosh.nix ./xfce.nix ./plasma5.nix ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ./cinnamon.nix @@ -72,7 +72,7 @@ in apply = map (d: d // { manage = "desktop"; start = d.start - + optionalString (needBGCond d) '' + + optionalString (needBGCond d) ''\n\n if [ -e $HOME/.background-image ]; then ${pkgs.feh}/bin/feh --bg-${cfg.wallpaper.mode} ${optionalString cfg.wallpaper.combineScreens "--no-xinerama"} $HOME/.background-image fi diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index d1513a596b9..991616bd192 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -16,6 +16,10 @@ let in { + meta = { + maintainers = teams.enlightenment.members; + }; + imports = [ (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) ]; @@ -92,6 +96,7 @@ in services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; services.dbus.packages = [ e.efl ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index e7e626c66f0..ff9d08ea997 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -189,7 +189,6 @@ in Note that this should be a last resort; patching the package is preferred (see GPaste). ''; - apply = list: list ++ [ pkgs.gnome.gnome-shell pkgs.gnome.gnome-shell-extensions ]; }; favoriteAppsOverride = mkOption { @@ -367,6 +366,10 @@ in services.upower.enable = config.powerManagement.enable; services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center + # Explicitly enabled since GNOME will be severely broken without these. + xdg.mime.enable = true; + xdg.icons.enable = true; + xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gnome @@ -400,6 +403,18 @@ in }) (mkIf serviceCfg.core-shell.enable { + services.xserver.desktopManager.gnome.sessionPath = + let + mandatoryPackages = [ + pkgs.gnome.gnome-shell + ]; + optionalPackages = [ + pkgs.gnome.gnome-shell-extensions + ]; + in + mandatoryPackages + ++ utils.removePackagesByName optionalPackages config.environment.gnome.excludePackages; + services.colord.enable = mkDefault true; services.gnome.chrome-gnome-shell.enable = mkDefault true; services.gnome.glib-networking.enable = true; @@ -452,26 +467,31 @@ in ]; # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-shell.bst - environment.systemPackages = with pkgs.gnome; [ - adwaita-icon-theme - nixos-background-info - gnome-backgrounds - gnome-bluetooth - gnome-color-manager - gnome-control-center - gnome-shell - gnome-shell-extensions - gnome-themes-extra - pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. - pkgs.gnome-user-docs - pkgs.orca - pkgs.glib # for gsettings - pkgs.gnome-menus - pkgs.gtk3.out # for gtk-launch - pkgs.hicolor-icon-theme - pkgs.shared-mime-info # for update-mime-database - pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ - ]; + environment.systemPackages = + let + mandatoryPackages = with pkgs.gnome; [ + gnome-shell + ]; + optionalPackages = with pkgs.gnome; [ + adwaita-icon-theme + nixos-background-info + gnome-backgrounds + gnome-bluetooth + gnome-color-manager + gnome-control-center + gnome-shell-extensions + gnome-themes-extra + pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. + pkgs.gnome-user-docs + pkgs.orca + pkgs.glib # for gsettings program + pkgs.gnome-menus + pkgs.gtk3.out # for gtk-launch program + pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ + ]; + in + mandatoryPackages + ++ utils.removePackagesByName optionalPackages config.environment.gnome.excludePackages; }) # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-utilities.bst diff --git a/nixos/modules/services/x11/desktop-managers/lumina.nix b/nixos/modules/services/x11/desktop-managers/lumina.nix index 419f5055d8b..faa83b8bc54 100644 --- a/nixos/modules/services/x11/desktop-managers/lumina.nix +++ b/nixos/modules/services/x11/desktop-managers/lumina.nix @@ -10,6 +10,10 @@ let in { + meta = { + maintainers = teams.lumina.members; + }; + options = { services.xserver.desktopManager.lumina.enable = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index 1bc6c906c47..46f35f11b4a 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -9,6 +9,10 @@ let in { + meta = { + maintainers = teams.lxqt.members; + }; + options = { services.xserver.desktopManager.lxqt.enable = mkOption { @@ -62,6 +66,11 @@ in services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; + + services.xserver.libinput.enable = mkDefault true; + + xdg.portal.enable = true; + xdg.portal.extraPortals = [ pkgs.lxqt.xdg-desktop-portal-lxqt ]; }; } diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index 9ab4c6e7e98..b63510475ec 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -73,6 +73,7 @@ in services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; security.pam.services.mate-screensaver.unixAuth = true; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 004d14b634d..d04e565f7d3 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -50,10 +50,6 @@ in Note that this should be a last resort; patching the package is preferred (see GPaste). ''; - apply = list: list ++ - [ - pkgs.pantheon.pantheon-agent-geoclue2 - ]; }; extraWingpanelIndicators = mkOption { @@ -96,6 +92,9 @@ in config = mkMerge [ (mkIf cfg.enable { + services.xserver.desktopManager.pantheon.sessionPath = utils.removePackagesByName [ + pkgs.pantheon.pantheon-agent-geoclue2 + ] config.environment.pantheon.excludePackages; services.xserver.displayManager.sessionPackages = [ pkgs.pantheon.elementary-session-settings ]; @@ -136,6 +135,7 @@ in services.colord.enable = mkDefault true; services.fwupd.enable = mkDefault true; services.packagekit.enable = mkDefault true; + services.power-profiles-daemon.enable = mkDefault true; services.touchegg.enable = mkDefault true; services.touchegg.package = pkgs.pantheon.touchegg; services.tumbler.enable = mkDefault true; @@ -167,28 +167,37 @@ in isSystem = true; }; services.udev.packages = [ - pkgs.gnome.gnome-settings-daemon338 + pkgs.pantheon.gnome-settings-daemon ]; systemd.packages = [ - pkgs.gnome.gnome-settings-daemon338 + pkgs.pantheon.gnome-settings-daemon ]; programs.dconf.enable = true; networking.networkmanager.enable = mkDefault true; # Global environment - environment.systemPackages = with pkgs; [ + environment.systemPackages = (with pkgs.pantheon; [ + elementary-session-settings + elementary-settings-daemon + gala + gnome-settings-daemon + (switchboard-with-plugs.override { + plugs = cfg.extraSwitchboardPlugs; + }) + (wingpanel-with-indicators.override { + indicators = cfg.extraWingpanelIndicators; + }) + ]) ++ utils.removePackagesByName ((with pkgs; [ desktop-file-utils - glib + glib # for gsettings program gnome-menus gnome.adwaita-icon-theme - gtk3.out - hicolor-icon-theme + gtk3.out # for gtk-launch program onboard qgnomeplatform - shared-mime-info sound-theme-freedesktop - xdg-user-dirs - ] ++ (with pkgs.pantheon; [ + xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ + ]) ++ (with pkgs.pantheon; [ # Artwork elementary-gtk-theme elementary-icon-theme @@ -198,33 +207,21 @@ in # Desktop elementary-default-settings elementary-dock - elementary-session-settings elementary-shortcut-overlay - gala - (switchboard-with-plugs.override { - plugs = cfg.extraSwitchboardPlugs; - }) - (wingpanel-with-indicators.override { - indicators = cfg.extraWingpanelIndicators; - }) # Services elementary-capnet-assist elementary-notifications - elementary-settings-daemon pantheon-agent-geoclue2 pantheon-agent-polkit - ]) ++ (utils.removePackagesByName [ - gnome.gnome-font-viewer - gnome.gnome-settings-daemon338 - ] config.environment.pantheon.excludePackages); - - programs.evince.enable = mkDefault true; - programs.file-roller.enable = mkDefault true; + ])) config.environment.pantheon.excludePackages; # Settings from elementary-default-settings environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; + xdg.mime.enable = true; + xdg.icons.enable = true; + xdg.portal.enable = true; xdg.portal.extraPortals = with pkgs.pantheon; [ elementary-files @@ -272,7 +269,12 @@ in }) (mkIf serviceCfg.apps.enable { - environment.systemPackages = with pkgs.pantheon; utils.removePackagesByName ([ + programs.evince.enable = mkDefault true; + programs.file-roller.enable = mkDefault true; + + environment.systemPackages = utils.removePackagesByName ([ + pkgs.gnome.gnome-font-viewer + ] ++ (with pkgs.pantheon; [ elementary-calculator elementary-calendar elementary-camera @@ -290,7 +292,8 @@ in # Only install appcenter if flatpak is enabled before # https://github.com/NixOS/nixpkgs/issues/15932 is resolved. appcenter - ]) config.environment.pantheon.excludePackages; + sideload + ])) config.environment.pantheon.excludePackages; # needed by screenshot fonts.fonts = [ diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixos/modules/services/x11/desktop-managers/pantheon.xml index 202909d398f..6226f8f6a27 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.xml +++ b/nixos/modules/services/x11/desktop-managers/pantheon.xml @@ -3,7 +3,7 @@ xml:id="chap-pantheon"> <title>Pantheon Desktop</title> <para> - Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK 3 and Granite. + Pantheon is the desktop environment created for the elementary OS distribution. It is written from scratch in Vala, utilizing GNOME technologies with GTK and Granite. </para> <section xml:id="sec-pantheon-enable"> <title>Enabling Pantheon</title> @@ -89,9 +89,9 @@ switchboard-with-plugs.override { </para> </listitem> </varlistentry> - <varlistentry xml:id="sec-pantheon-faq-gnome3-and-pantheon"> + <varlistentry xml:id="sec-pantheon-faq-gnome-and-pantheon"> <term> - I cannot enable both GNOME 3 and Pantheon. + I cannot enable both GNOME and Pantheon. </term> <listitem> <para> diff --git a/nixos/modules/programs/phosh.nix b/nixos/modules/services/x11/desktop-managers/phosh.nix index ad875616ac9..5efe645d8aa 100644 --- a/nixos/modules/programs/phosh.nix +++ b/nixos/modules/services/x11/desktop-managers/phosh.nix @@ -3,7 +3,7 @@ with lib; let - cfg = config.programs.phosh; + cfg = config.services.xserver.desktopManager.phosh; # Based on https://source.puri.sm/Librem5/librem5-base/-/blob/4596c1056dd75ac7f043aede07887990fd46f572/default/sm.puri.OSK0.desktop oskItem = pkgs.makeDesktopItem { @@ -78,7 +78,13 @@ let description = '' Display scaling factor. ''; - type = types.nullOr types.ints.unsigned; + type = types.nullOr ( + types.addCheck + (types.either types.int types.float) + (x : x > 0) + ) // { + description = "null or positive integer or float"; + }; default = null; example = 2; }; @@ -118,12 +124,39 @@ let [cursor] theme = ${phoc.cursorTheme} ''; -in { +in + +{ options = { - programs.phosh = { - enable = mkEnableOption '' - Whether to enable, Phosh, related packages and default configurations. - ''; + services.xserver.desktopManager.phosh = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the Phone Shell."; + }; + + package = mkOption { + type = types.package; + default = pkgs.phosh; + defaultText = literalExpression "pkgs.phosh"; + example = literalExpression "pkgs.phosh"; + description = '' + Package that should be used for Phosh. + ''; + }; + + user = mkOption { + description = "The user to run the Phosh service."; + type = types.str; + example = "alice"; + }; + + group = mkOption { + description = "The group to run the Phosh service."; + type = types.str; + example = "users"; + }; + phocConfig = mkOption { description = '' Configurations for the Phoc compositor. @@ -135,14 +168,42 @@ in { }; config = mkIf cfg.enable { + systemd.defaultUnit = "graphical.target"; + # Inspired by https://gitlab.gnome.org/World/Phosh/phosh/-/blob/main/data/phosh.service + systemd.services.phosh = { + wantedBy = [ "graphical.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/phosh"; + User = cfg.user; + Group = cfg.group; + PAMName = "login"; + WorkingDirectory = "~"; + Restart = "always"; + + TTYPath = "/dev/tty7"; + TTYReset = "yes"; + TTYVHangup = "yes"; + TTYVTDisallocate = "yes"; + + # Fail to start if not controlling the tty. + StandardInput = "tty-fail"; + StandardOutput = "journal"; + StandardError = "journal"; + + # Log this user with utmp, letting it show up with commands 'w' and 'who'. + UtmpIdentifier = "tty7"; + UtmpMode = "user"; + }; + }; + environment.systemPackages = [ pkgs.phoc - pkgs.phosh + cfg.package pkgs.squeekboard oskItem ]; - systemd.packages = [ pkgs.phosh ]; + systemd.packages = [ cfg.package ]; programs.feedbackd.enable = true; @@ -152,7 +213,7 @@ in { services.gnome.core-shell.enable = true; services.gnome.core-os-services.enable = true; - services.xserver.displayManager.sessionPackages = [ pkgs.phosh ]; + services.xserver.displayManager.sessionPackages = [ cfg.package ]; environment.etc."phosh/phoc.ini".source = if builtins.isPath cfg.phocConfig then cfg.phocConfig diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 3ca044ad5bc..144cb00e480 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -234,11 +234,11 @@ in (mkIf (cfg.enable || cfg.mobile.enable) { security.wrappers = { - kcheckpass = { + kscreenlocker_greet = { setuid = true; owner = "root"; group = "root"; - source = "${getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; + source = "${getBin libsForQt5.kscreenlocker}/libexec/kscreenlocker_greet"; }; start_kdeinit = { setuid = true; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 88b21e59aaa..3a468b55062 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -4,10 +4,9 @@ with lib; let cfg = config.services.xserver.desktopManager.xfce; -in +in { - meta = { maintainers = teams.xfce.members; }; @@ -36,6 +35,12 @@ in [ "services" "xserver" "desktopManager" "xfce" "extraSessionCommands" ] [ "services" "xserver" "displayManager" "sessionCommands" ]) (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") + + # added 2022-06-26 + # thunar has its own module + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce" "thunarPlugins" ] + [ "programs" "thunar" "plugins" ]) ]; options = { @@ -46,15 +51,6 @@ in description = "Enable the Xfce desktop environment."; }; - thunarPlugins = mkOption { - default = []; - type = types.listOf types.package; - example = literalExpression "[ pkgs.xfce.thunar-archive-plugin ]"; - description = '' - A list of plugin that should be installed with Thunar. - ''; - }; - noDesktop = mkOption { type = types.bool; default = false; @@ -98,7 +94,6 @@ in exo garcon libxfce4ui - xfconf mousepad parole @@ -110,8 +105,6 @@ in xfce4-settings xfce4-taskmanager xfce4-terminal - - (thunar.override { thunarPlugins = cfg.thunarPlugins; }) ] # TODO: NetworkManager doesn't belong here ++ optional config.networking.networkmanager.enable networkmanagerapplet ++ optional config.powerManagement.enable xfce4-power-manager @@ -130,6 +123,9 @@ in xfdesktop ] ++ optional cfg.enableScreensaver xfce4-screensaver; + programs.xfconf.enable = true; + programs.thunar.enable = true; + environment.pathsToLink = [ "/share/xfce4" "/lib/xfce4" @@ -170,7 +166,6 @@ in # Systemd services systemd.packages = with pkgs.xfce; [ - (thunar.override { thunarPlugins = cfg.thunarPlugins; }) xfce4-notifyd ]; diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index 70ae6b8978d..45e3d84afa4 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -140,8 +140,13 @@ in environment = { GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); - # GDM is needed for gnome-login.session - XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share:${pkgs.gnome.gnome-control-center}/share"; + XDG_DATA_DIRS = lib.makeSearchPath "share" [ + gdm # for gnome-login.session + cfg.sessionData.desktops + pkgs.gnome.gnome-control-center # for accessibility icon + pkgs.gnome.adwaita-icon-theme + pkgs.hicolor-icon-theme # empty icon theme as a base + ]; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports @@ -298,7 +303,7 @@ in session required pam_succeed_if.so audit quiet_success user = gdm session required pam_env.so conffile=/etc/pam/environment readenv=0 - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${config.systemd.package}/lib/security/pam_systemd.so session optional pam_keyinit.so force revoke session optional pam_permit.so ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index 27dfed3cc14..302c8fe0d91 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -287,7 +287,7 @@ in session required pam_succeed_if.so audit quiet_success user = lightdm session required pam_env.so conffile=/etc/pam/environment readenv=0 - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${config.systemd.package}/lib/security/pam_systemd.so session optional pam_keyinit.so force revoke session optional pam_permit.so ''; diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index 529a086381f..c44f24002e0 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -231,7 +231,7 @@ in session required pam_succeed_if.so audit quiet_success user = sddm session required pam_env.so conffile=/etc/pam/environment readenv=0 - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional ${config.systemd.package}/lib/security/pam_systemd.so session optional pam_keyinit.so force revoke session optional pam_permit.so ''; diff --git a/nixos/modules/services/x11/display-managers/xpra.nix b/nixos/modules/services/x11/display-managers/xpra.nix index c23e479140f..1566e38da08 100644 --- a/nixos/modules/services/x11/display-managers/xpra.nix +++ b/nixos/modules/services/x11/display-managers/xpra.nix @@ -26,6 +26,13 @@ in description = "Bind xpra to TCP"; }; + desktop = mkOption { + type = types.nullOr types.str; + default = null; + example = "gnome-shell"; + description = "Start a desktop environment instead of seamless mode"; + }; + auth = mkOption { type = types.str; default = "pam"; @@ -222,7 +229,7 @@ in services.xserver.displayManager.job.execCmd = '' ${optionalString (cfg.pulseaudio) "export PULSE_COOKIE=/run/pulse/.config/pulse/cookie"} - exec ${pkgs.xpra}/bin/xpra start \ + exec ${pkgs.xpra}/bin/xpra ${if cfg.desktop == null then "start" else "start-desktop --start=${cfg.desktop}"} \ --daemon=off \ --log-dir=/var/log \ --log-file=xpra.log \ diff --git a/nixos/modules/services/x11/picom.nix b/nixos/modules/services/x11/picom.nix index b40e20bcd35..2eef71f71fc 100644 --- a/nixos/modules/services/x11/picom.nix +++ b/nixos/modules/services/x11/picom.nix @@ -51,6 +51,11 @@ in { imports = [ (mkAliasOptionModule [ "services" "compton" ] [ "services" "picom" ]) + (mkRemovedOptionModule [ "services" "picom" "refreshRate" ] '' + This option corresponds to `refresh-rate`, which has been unused + since picom v6 and was subsequently removed by upstream. + See https://github.com/yshui/picom/commit/bcbc410 + '') ]; options.services.picom = { @@ -235,15 +240,6 @@ in { ''; }; - refreshRate = mkOption { - type = types.ints.unsigned; - default = 0; - example = 60; - description = '' - Screen refresh rate (0 = automatically detect). - ''; - }; - settings = with types; let scalar = oneOf [ bool int float str ] @@ -306,7 +302,6 @@ in { # other options backend = cfg.backend; vsync = cfg.vSync; - refresh-rate = cfg.refreshRate; }; systemd.user.services.picom = { diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix index 68f97c2f504..66d11131391 100644 --- a/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixos/modules/services/x11/window-managers/xmonad.nix @@ -128,33 +128,34 @@ in { [ ( (mod4Mask,xK_r), compileRestart True) , ( (mod4Mask,xK_q), restart "xmonad" True ) ] + compileRestart resume = do + dirs <- asks directories + whenX (recompile dirs True) $ do + when resume writeStateToFile + catchIO + ( do + args <- getArgs + executeFile (cacheDir dirs </> compiledConfig) False args Nothing + ) + + main = getDirectories >>= launch myConfig + -------------------------------------------- - {- version 0.17.0 -} + {- For versions before 0.17.0 use this instead -} -------------------------------------------- -- compileRestart resume = - -- dirs <- io getDirectories - -- whenX (recompile dirs True) $ + -- whenX (recompile True) $ -- when resume writeStateToFile -- *> catchIO -- ( do + -- dir <- getXMonadDataDir -- args <- getArgs - -- executeFile (cacheDir dirs </> compiledConfig) False args Nothing + -- executeFile (dir </> compiledConfig) False args Nothing -- ) -- - -- main = getDirectories >>= launch myConfig + -- main = launch myConfig -------------------------------------------- - compileRestart resume = - whenX (recompile True) $ - when resume writeStateToFile - *> catchIO - ( do - dir <- getXMonadDataDir - args <- getArgs - executeFile (dir </> compiledConfig) False args Nothing - ) - - main = launch myConfig ''; }; diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index fad00e39497..b2c92a85f7a 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -273,9 +273,6 @@ in boot.kernelModules = [ "loop" "atkbd" ]; - # The Linux kernel >= 2.6.27 provides firmware. - hardware.firmware = [ kernel ]; - # Create /etc/modules-load.d/nixos.conf, which is read by # systemd-modules-load.service to load required kernel modules. environment.etc = diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index fa879437fd8..aca6a1ca2cc 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -204,7 +204,6 @@ def get_profiles() -> List[str]: else: return [] - def main() -> None: parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files') parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot') @@ -244,27 +243,29 @@ def main() -> None: subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@"] + flags + ["install"]) else: # Update bootloader to latest if needed - systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2] - sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) + available_out = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2] + installed_out = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) # See status_binaries() in systemd bootctl.c for code which generates this - m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$", - sdboot_status, re.IGNORECASE | re.MULTILINE) + installed_match = re.search(r"^\W+File:.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$", + installed_out, re.IGNORECASE | re.MULTILINE) - needs_install = False + available_match = re.search(r"^\((.*)\)$", available_out) - if m is None: - print("could not find any previously installed systemd-boot, installing.") - # Let systemd-boot attempt an installation if a previous one wasn't found - needs_install = True - else: - sdboot_version = f'({m.group(2)})' - if systemd_version != sdboot_version: - print("updating systemd-boot from %s to %s" % (sdboot_version, systemd_version)) - needs_install = True + if installed_match is None: + raise Exception("could not find any previously installed systemd-boot") + + if available_match is None: + raise Exception("could not determine systemd-boot version") - if needs_install: + installed_version = installed_match.group(1) + available_version = available_match.group(1) + + if installed_version < available_version: + print("updating systemd-boot from %s to %s" % (installed_version, available_version)) subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "update"]) + else: + print("leaving systemd-boot %s in place (%s is not newer)" % (installed_version, available_version)) mkdir_p("@efiSysMountPoint@/efi/nixos") mkdir_p("@efiSysMountPoint@/loader/entries") diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index c07567ec82e..1a1dcaea9c8 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -33,7 +33,7 @@ let netbootxyz = if cfg.netbootxyz.enable then pkgs.netbootxyz-efi else ""; copyExtraFiles = pkgs.writeShellScript "copy-extra-files" '' - empty_file=$(mktemp) + empty_file=$(${pkgs.coreutils}/bin/mktemp) ${concatStrings (mapAttrsToList (n: v: '' ${pkgs.coreutils}/bin/install -Dp "${v}" "${efi.efiSysMountPoint}/"${escapeShellArg n} diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 57fc02a2e32..4103a7af57c 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -992,6 +992,7 @@ in ]; storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup" + "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator" ]; }; diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index e683d181729..21be18ef866 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -52,7 +52,7 @@ with lib; ''; environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases; - environment.etc."modprobe.d/systemd.conf".source = "${pkgs.systemd}/lib/modprobe.d/systemd.conf"; + environment.etc."modprobe.d/systemd.conf".source = "${config.systemd.package}/lib/modprobe.d/systemd.conf"; environment.systemPackages = [ pkgs.kmod ]; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index d1a6f46bfc4..0336930b3ab 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -779,6 +779,7 @@ let "RouteDenyList" "RouteAllowList" "DHCPv6Client" + "RouteMetric" ]) (assertValueOneOf "UseDNS" boolValues) (assertValueOneOf "UseDomains" (boolValues ++ ["route"])) diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix index 78ae8e9d20b..59037d4e6b4 100644 --- a/nixos/modules/system/boot/plymouth.nix +++ b/nixos/modules/system/boot/plymouth.nix @@ -4,7 +4,10 @@ with lib; let - inherit (pkgs) plymouth nixos-icons; + inherit (pkgs) nixos-icons; + plymouth = pkgs.plymouth.override { + systemd = config.boot.initrd.systemd.package; + }; cfg = config.boot.plymouth; opt = options.boot.plymouth; @@ -143,7 +146,88 @@ in systemd.services.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ]; systemd.paths.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ]; - boot.initrd.extraUtilsCommands = '' + boot.initrd.systemd = { + extraBin.plymouth = "${plymouth}/bin/plymouth"; # for the recovery shell + storePaths = [ + "${lib.getBin config.boot.initrd.systemd.package}/bin/systemd-tty-ask-password-agent" + "${plymouth}/bin/plymouthd" + "${plymouth}/sbin/plymouthd" + ]; + packages = [ plymouth ]; # systemd units + contents = { + # Files + "/etc/plymouth/plymouthd.conf".source = configFile; + "/etc/plymouth/plymouthd.defaults".source = "${plymouth}/share/plymouth/plymouthd.defaults"; + "/etc/plymouth/logo.png".source = cfg.logo; + # Directories + "/etc/plymouth/plugins".source = pkgs.runCommand "plymouth-initrd-plugins" {} '' + # Check if the actual requested theme is here + if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then + echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages" + exit 1 + fi + + moduleName="$(sed -n 's,ModuleName *= *,,p' ${themesEnv}/share/plymouth/themes/${cfg.theme}/${cfg.theme}.plymouth)" + + mkdir -p $out/renderers + # module might come from a theme + cp ${themesEnv}/lib/plymouth/{text,details,label,$moduleName}.so $out + cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/renderers + ''; + "/etc/plymouth/themes".source = pkgs.runCommand "plymouth-initrd-themes" {} '' + # Check if the actual requested theme is here + if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then + echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages" + exit 1 + fi + + mkdir $out + cp -r ${themesEnv}/share/plymouth/themes/${cfg.theme} $out + # Copy more themes if the theme depends on others + for theme in $(grep -hRo '/etc/plymouth/themes/.*$' ${themesEnv} | xargs -n1 basename); do + if [[ -d "${themesEnv}/theme" ]]; then + cp -r "${themesEnv}/theme" $out + fi + done + ''; + + # Fonts + "/etc/plymouth/fonts".source = pkgs.runCommand "plymouth-initrd-fonts" {} '' + mkdir -p $out + cp ${cfg.font} $out + ''; + "/etc/fonts/fonts.conf".text = '' + <?xml version="1.0"?> + <!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd"> + <fontconfig> + <dir>/etc/plymouth/fonts</dir> + </fontconfig> + ''; + }; + # Properly enable units. These are the units that arch copies + services = { + plymouth-halt.wantedBy = [ "halt.target" ]; + plymouth-kexec.wantedBy = [ "kexec.target" ]; + plymouth-poweroff.wantedBy = [ "poweroff.target" ]; + plymouth-quit-wait.wantedBy = [ "multi-user.target" ]; + plymouth-quit.wantedBy = [ "multi-user.target" ]; + plymouth-read-write.wantedBy = [ "sysinit.target" ]; + plymouth-reboot.wantedBy = [ "reboot.target" ]; + plymouth-start.wantedBy = [ "initrd-switch-root.target" "sysinit.target" ]; + plymouth-switch-root-initramfs.wantedBy = [ "halt.target" "kexec.target" "plymouth-switch-root-initramfs.service" "poweroff.target" "reboot.target" ]; + plymouth-switch-root.wantedBy = [ "initrd-switch-root.target" ]; + }; + }; + + # Insert required udev rules. We take stage 2 systemd because the udev + # rules are only generated when building with logind. + boot.initrd.services.udev.packages = [ (pkgs.runCommand "initrd-plymouth-udev-rules" {} '' + mkdir -p $out/etc/udev/rules.d + cp ${config.systemd.package.out}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out/etc/udev/rules.d + sed -i '/loginctl/d' $out/etc/udev/rules.d/71-seat.rules + '') ]; + + boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${plymouth}/bin/plymouth copy_bin_and_libs ${plymouth}/bin/plymouthd @@ -198,18 +282,18 @@ in EOF ''; - boot.initrd.extraUtilsCommandsTest = '' + boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' $out/bin/plymouthd --help >/dev/null $out/bin/plymouth --help >/dev/null ''; - boot.initrd.extraUdevRulesCommands = '' + boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.systemd.enable) '' cp ${config.systemd.package}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out sed -i '/loginctl/d' $out/71-seat.rules ''; # We use `mkAfter` to ensure that LUKS password prompt would be shown earlier than the splash screen. - boot.initrd.preLVMCommands = mkAfter '' + boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (mkAfter '' mkdir -p /etc/plymouth mkdir -p /run/plymouth ln -s ${configFile} /etc/plymouth/plymouthd.conf @@ -221,16 +305,16 @@ in plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session plymouth show-splash - ''; + ''); - boot.initrd.postMountCommands = '' + boot.initrd.postMountCommands = mkIf (!config.boot.initrd.systemd.enable) '' plymouth update-root-fs --new-root-dir="$targetRoot" ''; # `mkBefore` to ensure that any custom prompts would be visible. - boot.initrd.preFailCommands = mkBefore '' + boot.initrd.preFailCommands = mkIf (!config.boot.initrd.systemd.enable) (mkBefore '' plymouth quit --wait - ''; + ''); }; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 31758366980..337064034ef 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -14,6 +14,8 @@ extraUtils="@extraUtils@" export LD_LIBRARY_PATH=@extraUtils@/lib export PATH=@extraUtils@/bin ln -s @extraUtils@/bin /bin +# hardcoded in util-linux's mount helper search path `/run/wrappers/bin:/run/current-system/sw/bin:/sbin` +ln -s @extraUtils@/bin /sbin # Copy the secrets to their needed location if [ -d "@extraUtils@/secrets" ]; then @@ -318,11 +320,7 @@ checkFS() { echo "checking $device..." - fsckFlags= - if test "$fsType" != "btrfs"; then - fsckFlags="-V -a" - fi - fsck $fsckFlags "$device" + fsck -V -a "$device" fsckResult=$? if test $(($fsckResult | 2)) = $fsckResult; then diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index d10ebac5682..e35ccff2907 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -31,6 +31,9 @@ let # mounting `/`, like `/` on a loopback). fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems; + # Determine whether zfs-mount(8) is needed. + zfsRequiresMountHelper = any (fs: lib.elem "zfsutil" fs.options) fileSystems; + # A utility for enumerating the shared-library dependencies of a program findLibs = pkgs.buildPackages.writeShellScriptBin "find-libs" '' set -euo pipefail @@ -107,6 +110,22 @@ let copy_bin_and_libs $BIN done + ${optionalString zfsRequiresMountHelper '' + # Filesystems using the "zfsutil" option are mounted regardless of the + # mount.zfs(8) helper, but it is required to ensure that ZFS properties + # are used as mount options. + # + # BusyBox does not use the ZFS helper in the first place. + # util-linux searches /sbin/ as last path for helpers (stage-1-init.sh + # must symlink it to the store PATH). + # Without helper program, both `mount`s silently fails back to internal + # code, using default options and effectively ignore security relevant + # ZFS properties such as `setuid=off` and `exec=off` (unless manually + # duplicated in `fileSystems.*.options`, defeating "zfsutil"'s purpose). + copy_bin_and_libs ${pkgs.util-linux}/bin/mount + copy_bin_and_libs ${pkgs.zfs}/bin/mount.zfs + ''} + # Copy some util-linux stuff. copy_bin_and_libs ${pkgs.util-linux}/sbin/blkid @@ -204,24 +223,29 @@ let # Run patchelf to make the programs refer to the copied libraries. find $out/bin $out/lib -type f | while read i; do - if ! test -L $i; then - nuke-refs -e $out $i - fi + nuke-refs -e $out $i done find $out/bin -type f | while read i; do - if ! test -L $i; then - echo "patching $i..." - patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true - fi + echo "patching $i..." + patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true + done + + find $out/lib -type f \! -name 'ld*.so.?' | while read i; do + echo "patching $i..." + patchelf --set-rpath $out/lib $i done if [ -z "${toString (pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform)}" ]; then # Make sure that the patchelf'ed binaries still work. echo "testing patched programs..." $out/bin/ash -c 'echo hello world' | grep "hello world" - export LD_LIBRARY_PATH=$out/lib - $out/bin/mount --help 2>&1 | grep -q "BusyBox" + ${if zfsRequiresMountHelper then '' + $out/bin/mount -V 1>&1 | grep -q "mount from util-linux" + $out/bin/mount.zfs -h 2>&1 | grep -q "Usage: mount.zfs" + '' else '' + $out/bin/mount --help 2>&1 | grep -q "BusyBox" + ''} $out/bin/blkid -V 2>&1 | grep -q 'libblkid' $out/bin/udevadm --version $out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:" @@ -260,8 +284,6 @@ let } '' mkdir -p $out - echo 'ENV{LD_LIBRARY_PATH}="${extraUtils}/lib"' > $out/00-env.rules - cp -v ${udev}/lib/udev/rules.d/60-cdrom_id.rules $out/ cp -v ${udev}/lib/udev/rules.d/60-persistent-storage.rules $out/ cp -v ${udev}/lib/udev/rules.d/75-net-description.rules $out/ diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 2c9ee9fc319..645fbc2b713 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -8,8 +8,6 @@ let cfg = config.systemd; - systemd = cfg.package; - inherit (systemdUtils.lib) generateUnits targetToUnit @@ -35,11 +33,11 @@ let "nss-lookup.target" "nss-user-lookup.target" "time-sync.target" - ] ++ (optionals cfg.package.withCryptsetup [ + ] ++ optionals cfg.package.withCryptsetup [ "cryptsetup.target" "cryptsetup-pre.target" "remote-cryptsetup.target" - ]) ++ [ + ] ++ [ "sigpwr.target" "timers.target" "paths.target" @@ -133,20 +131,27 @@ let # Slices / containers. "slices.target" + ] ++ optionals cfg.package.withImportd [ + "systemd-importd.service" + ] ++ optionals cfg.package.withMachined [ "machine.slice" "machines.target" - "systemd-importd.service" "systemd-machined.service" + ] ++ [ "systemd-nspawn@.service" # Misc. "systemd-sysctl.service" + ] ++ optionals cfg.package.withTimedated [ "dbus-org.freedesktop.timedate1.service" - "dbus-org.freedesktop.locale1.service" - "dbus-org.freedesktop.hostname1.service" "systemd-timedated.service" + ] ++ optionals cfg.package.withLocaled [ + "dbus-org.freedesktop.locale1.service" "systemd-localed.service" + ] ++ optionals cfg.package.withHostnamed [ + "dbus-org.freedesktop.hostname1.service" "systemd-hostnamed.service" + ] ++ [ "systemd-exit.service" "systemd-update-done.service" ] ++ cfg.additionalUpstreamSystemUnits; @@ -432,7 +437,7 @@ in system.build.units = cfg.units; - system.nssModules = [ systemd.out ]; + system.nssModules = [ cfg.package.out ]; system.nssDatabases = { hosts = (mkMerge [ (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd) @@ -446,7 +451,7 @@ in ]); }; - environment.systemPackages = [ systemd ]; + environment.systemPackages = [ cfg.package ]; environment.etc = let # generate contents for /etc/systemd/system-${type} from attrset of links and packages diff --git a/nixos/modules/system/boot/systemd/initrd-secrets.nix b/nixos/modules/system/boot/systemd/initrd-secrets.nix new file mode 100644 index 00000000000..bc65880719d --- /dev/null +++ b/nixos/modules/system/boot/systemd/initrd-secrets.nix @@ -0,0 +1,36 @@ +{ config, pkgs, lib, ... }: + +{ + config = lib.mkIf (config.boot.initrd.enable && config.boot.initrd.systemd.enable) { + # Copy secrets into the initrd if they cannot be appended + boot.initrd.systemd.contents = lib.mkIf (!config.boot.loader.supportsInitrdSecrets) + (lib.mapAttrs' (dest: source: lib.nameValuePair "/.initrd-secrets/${dest}" { source = if source == null then dest else source; }) config.boot.initrd.secrets); + + # Copy secrets to their respective locations + boot.initrd.systemd.services.initrd-nixos-copy-secrets = lib.mkIf (config.boot.initrd.secrets != {}) { + description = "Copy secrets into place"; + # Run as early as possible + wantedBy = [ "sysinit.target" ]; + before = [ "cryptsetup-pre.target" ]; + unitConfig.DefaultDependencies = false; + + # We write the secrets to /.initrd-secrets and move them because this allows + # secrets to be written to /run. If we put the secret directly to /run and + # drop this service, we'd mount the /run tmpfs over the secret, making it + # invisible in stage 2. + script = '' + for secret in $(cd /.initrd-secrets; find . -type f); do + mkdir -p "$(dirname "/$secret")" + cp "/.initrd-secrets/$secret" "/$secret" + done + ''; + + unitConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + # The script needs this + boot.initrd.systemd.extraBin.find = "${pkgs.findutils}/bin/find"; + }; +} diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 6c1b42da1c4..cdec7f53291 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -65,7 +65,6 @@ let "systemd-kexec.service" "systemd-modules-load.service" "systemd-poweroff.service" - "systemd-random-seed.service" "systemd-reboot.service" "systemd-sysctl.service" "systemd-tmpfiles-setup-dev.service" @@ -106,6 +105,9 @@ let opts = options ++ optional autoFormat "x-systemd.makefs" ++ optional autoResize "x-systemd.growfs"; in "${device} /sysroot${mountPoint} ${fsType} ${lib.concatStringsSep "," opts}") fileSystems); + needMakefs = lib.any (fs: fs.autoFormat) fileSystems; + needGrowfs = lib.any (fs: fs.autoResize) fileSystems; + kernel-name = config.boot.kernelPackages.kernel.name or "kernel"; modulesTree = config.system.modulesTree.override { name = kernel-name + "-modules"; }; firmware = config.hardware.firmware; @@ -156,44 +158,14 @@ in { ''; visible = false; default = {}; - type = types.attrsOf (types.submodule ({ config, options, name, ... }: { - options = { - enable = mkEnableOption "copying of this file to initrd and symlinking it" // { default = true; }; - - target = mkOption { - type = types.path; - description = '' - Path of the symlink. - ''; - default = name; - }; - - text = mkOption { - default = null; - type = types.nullOr types.lines; - description = "Text of the file."; - }; - - source = mkOption { - type = types.path; - description = "Path of the source file."; - }; - }; - - config = { - source = mkIf (config.text != null) ( - let name' = "initrd-" + baseNameOf name; - in mkDerivedConfig options.text (pkgs.writeText name') - ); - }; - })); + type = utils.systemdUtils.types.initrdContents; }; storePaths = mkOption { description = '' Store paths to copy into the initrd as well. ''; - type = types.listOf types.singleLineStr; + type = with types; listOf (oneOf [ singleLineStr package ]); default = []; }; @@ -370,6 +342,7 @@ in { "/etc/fstab".source = fstab; "/lib/modules".source = "${modulesClosure}/lib/modules"; + "/lib/firmware".source = "${modulesClosure}/lib/firmware"; "/etc/modules-load.d/nixos.conf".text = concatStringsSep "\n" config.boot.initrd.kernelModules; @@ -391,19 +364,22 @@ in { storePaths = [ # systemd tooling "${cfg.package}/lib/systemd/systemd-fsck" - "${cfg.package}/lib/systemd/systemd-growfs" + (lib.mkIf needGrowfs "${cfg.package}/lib/systemd/systemd-growfs") "${cfg.package}/lib/systemd/systemd-hibernate-resume" "${cfg.package}/lib/systemd/systemd-journald" - "${cfg.package}/lib/systemd/systemd-makefs" + (lib.mkIf needMakefs "${cfg.package}/lib/systemd/systemd-makefs") "${cfg.package}/lib/systemd/systemd-modules-load" - "${cfg.package}/lib/systemd/systemd-random-seed" "${cfg.package}/lib/systemd/systemd-remount-fs" "${cfg.package}/lib/systemd/systemd-shutdown" "${cfg.package}/lib/systemd/systemd-sulogin-shell" "${cfg.package}/lib/systemd/systemd-sysctl" - # additional systemd directories - "${cfg.package}/lib/systemd/system-generators" + # generators + "${cfg.package}/lib/systemd/system-generators/systemd-debug-generator" + "${cfg.package}/lib/systemd/system-generators/systemd-fstab-generator" + "${cfg.package}/lib/systemd/system-generators/systemd-gpt-auto-generator" + "${cfg.package}/lib/systemd/system-generators/systemd-hibernate-resume-generator" + "${cfg.package}/lib/systemd/system-generators/systemd-run-generator" # utilities needed by systemd "${cfg.package.util-linux}/bin/mount" @@ -441,8 +417,8 @@ in { mkdir -p $out/etc/systemd/system touch $out/etc/systemd/system/systemd-{makefs,growfs}@.service '')]; - services."systemd-makefs@".unitConfig.IgnoreOnIsolate = true; - services."systemd-growfs@".unitConfig.IgnoreOnIsolate = true; + services."systemd-makefs@" = lib.mkIf needMakefs { unitConfig.IgnoreOnIsolate = true; }; + services."systemd-growfs@" = lib.mkIf needGrowfs { unitConfig.IgnoreOnIsolate = true; }; services.initrd-nixos-activation = { after = [ "initrd-fs.target" ]; @@ -504,9 +480,23 @@ in { ''systemctl --no-block switch-root /sysroot "''${NEW_INIT}"'' ]; }; + + services.panic-on-fail = { + wantedBy = ["emergency.target"]; + unitConfig = { + DefaultDependencies = false; + ConditionKernelCommandLine = [ + "|boot.panic_on_fail" + "|stage1panic" + ]; + }; + script = '' + echo c > /proc/sysrq-trigger + ''; + serviceConfig.Type = "oneshot"; + }; }; boot.kernelParams = lib.mkIf (config.boot.resumeDevice != "") [ "resume=${config.boot.resumeDevice}" ]; - }; } diff --git a/nixos/modules/system/boot/systemd/logind.nix b/nixos/modules/system/boot/systemd/logind.nix index c1e6cfe61d0..97ac588bce1 100644 --- a/nixos/modules/system/boot/systemd/logind.nix +++ b/nixos/modules/system/boot/systemd/logind.nix @@ -81,8 +81,11 @@ in "systemd-logind.service" "autovt@.service" "systemd-user-sessions.service" + ] ++ optionals config.systemd.package.withImportd [ "dbus-org.freedesktop.import1.service" + ] ++ optionals config.systemd.package.withMachined [ "dbus-org.freedesktop.machine1.service" + ] ++ [ "dbus-org.freedesktop.login1.service" "user@.service" "user-runtime-dir@.service" diff --git a/nixos/modules/system/boot/systemd/nspawn.nix b/nixos/modules/system/boot/systemd/nspawn.nix index bf9995d03cc..da03c60db52 100644 --- a/nixos/modules/system/boot/systemd/nspawn.nix +++ b/nixos/modules/system/boot/systemd/nspawn.nix @@ -16,7 +16,7 @@ let "LimitNOFILE" "LimitAS" "LimitNPROC" "LimitMEMLOCK" "LimitLOCKS" "LimitSIGPENDING" "LimitMSGQUEUE" "LimitNICE" "LimitRTPRIO" "LimitRTTIME" "OOMScoreAdjust" "CPUAffinity" "Hostname" "ResolvConf" "Timezone" - "LinkJournal" + "LinkJournal" "Ephemeral" "AmbientCapability" ]) (assertValueOneOf "Boot" boolValues) (assertValueOneOf "ProcessTwo" boolValues) @@ -26,11 +26,13 @@ let checkFiles = checkUnitConfig "Files" [ (assertOnlyFields [ "ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystem" - "Overlay" "OverlayReadOnly" "PrivateUsersChown" + "Overlay" "OverlayReadOnly" "PrivateUsersChown" "BindUser" + "Inaccessible" "PrivateUserOwnership" ]) (assertValueOneOf "ReadOnly" boolValues) (assertValueOneOf "Volatile" (boolValues ++ [ "state" ])) (assertValueOneOf "PrivateUsersChown" boolValues) + (assertValueOneOf "PrivateUserOwnership" [ "off" "chown" "map" "auto" ]) ]; checkNetwork = checkUnitConfig "Network" [ diff --git a/nixos/modules/system/boot/systemd/shutdown.nix b/nixos/modules/system/boot/systemd/shutdown.nix index 93426931667..ca4cdf827d9 100644 --- a/nixos/modules/system/boot/systemd/shutdown.nix +++ b/nixos/modules/system/boot/systemd/shutdown.nix @@ -1,31 +1,57 @@ -{ config, lib, ... }: let +{ config, lib, utils, pkgs, ... }: let - cfg = config.boot.systemd.shutdown; + cfg = config.systemd.shutdownRamfs; + + ramfsContents = let + storePaths = map (p: "${p}\n") cfg.storePaths; + contents = lib.mapAttrsToList (_: v: "${v.source}\n${v.target}") (lib.filterAttrs (_: v: v.enable) cfg.contents); + in pkgs.writeText "shutdown-ramfs-contents" (lib.concatStringsSep "\n" (storePaths ++ contents)); in { - options.boot.systemd.shutdown = { + options.systemd.shutdownRamfs = { enable = lib.mkEnableOption "pivoting back to an initramfs for shutdown" // { default = true; }; + contents = lib.mkOption { + description = "Set of files that have to be linked into the shutdown ramfs"; + example = lib.literalExpression '' + { + "/lib/systemd/system-shutdown/zpool-sync-shutdown".source = writeShellScript "zpool" "exec ''${zfs}/bin/zpool sync" + } + ''; + type = utils.systemdUtils.types.initrdContents; + }; + + storePaths = lib.mkOption { + description = '' + Store paths to copy into the shutdown ramfs as well. + ''; + type = lib.types.listOf lib.types.singleLineStr; + default = []; + }; }; config = lib.mkIf cfg.enable { + systemd.shutdownRamfs.contents."/shutdown".source = "${config.systemd.package}/lib/systemd/systemd-shutdown"; + systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"]; + systemd.services.generate-shutdown-ramfs = { description = "Generate shutdown ramfs"; + wantedBy = [ "shutdown.target" ]; before = [ "shutdown.target" ]; unitConfig = { DefaultDependencies = false; ConditionFileIsExecutable = [ "!/run/initramfs/shutdown" - "/run/current-system/systemd/lib/systemd/systemd-shutdown" ]; }; + path = [pkgs.util-linux pkgs.makeInitrdNGTool]; serviceConfig.Type = "oneshot"; script = '' mkdir -p /run/initramfs if ! mountpoint -q /run/initramfs; then mount -t tmpfs tmpfs /run/initramfs fi - cp /run/current-system/systemd/lib/systemd/systemd-shutdown /run/initramfs/shutdown + make-initrd-ng ${ramfsContents} /run/initramfs ''; }; }; diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix index d00dc761d6e..21a25cbfa96 100644 --- a/nixos/modules/tasks/auto-upgrade.nix +++ b/nixos/modules/tasks/auto-upgrade.nix @@ -190,7 +190,7 @@ in { nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild"; date = "${pkgs.coreutils}/bin/date"; readlink = "${pkgs.coreutils}/bin/readlink"; - shutdown = "${pkgs.systemd}/bin/shutdown"; + shutdown = "${config.systemd.package}/bin/shutdown"; upgradeFlag = optional (cfg.channel == null) "--upgrade"; in if cfg.allowReboot then '' ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)} diff --git a/nixos/modules/tasks/bcache.nix b/nixos/modules/tasks/bcache.nix index 41fb7664f3d..0a13522de11 100644 --- a/nixos/modules/tasks/bcache.nix +++ b/nixos/modules/tasks/bcache.nix @@ -1,13 +1,23 @@ -{ pkgs, ... }: +{ config, lib, pkgs, ... }: { + options.boot.initrd.services.bcache.enable = (lib.mkEnableOption "bcache support in the initrd") // { + visible = false; # only works with systemd stage 1 + }; - environment.systemPackages = [ pkgs.bcache-tools ]; + config = { - services.udev.packages = [ pkgs.bcache-tools ]; + environment.systemPackages = [ pkgs.bcache-tools ]; - boot.initrd.extraUdevRulesCommands = '' - cp -v ${pkgs.bcache-tools}/lib/udev/rules.d/*.rules $out/ - ''; + services.udev.packages = [ pkgs.bcache-tools ]; + boot.initrd.extraUdevRulesCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' + cp -v ${pkgs.bcache-tools}/lib/udev/rules.d/*.rules $out/ + ''; + + boot.initrd.services.udev = lib.mkIf config.boot.initrd.services.bcache.enable { + packages = [ pkgs.bcache-tools ]; + binPackages = [ pkgs.bcache-tools ]; + }; + }; } diff --git a/nixos/modules/tasks/filesystems/btrfs.nix b/nixos/modules/tasks/filesystems/btrfs.nix index ae1dab5b8d8..b7ebc37dd5c 100644 --- a/nixos/modules/tasks/filesystems/btrfs.nix +++ b/nixos/modules/tasks/filesystems/btrfs.nix @@ -66,19 +66,19 @@ in ] ); - boot.initrd.extraUtilsCommands = mkIf inInitrd + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfs ln -sv btrfs $out/bin/btrfsck ln -sv btrfsck $out/bin/fsck.btrfs ''; - boot.initrd.extraUtilsCommandsTest = mkIf inInitrd + boot.initrd.extraUtilsCommandsTest = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' $out/bin/btrfs --version ''; - boot.initrd.postDeviceCommands = mkIf inInitrd + boot.initrd.postDeviceCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' btrfs device scan ''; diff --git a/nixos/modules/tasks/filesystems/cifs.nix b/nixos/modules/tasks/filesystems/cifs.nix index 47ba0c03c56..0de292a6920 100644 --- a/nixos/modules/tasks/filesystems/cifs.nix +++ b/nixos/modules/tasks/filesystems/cifs.nix @@ -16,7 +16,7 @@ in boot.initrd.availableKernelModules = mkIf inInitrd [ "cifs" "nls_utf8" "hmac" "md4" "ecb" "des_generic" "sha256" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.cifs-utils}/sbin/mount.cifs ''; diff --git a/nixos/modules/tasks/filesystems/ext.nix b/nixos/modules/tasks/filesystems/ext.nix index a14a3ac3854..9b61f21643a 100644 --- a/nixos/modules/tasks/filesystems/ext.nix +++ b/nixos/modules/tasks/filesystems/ext.nix @@ -1,14 +1,20 @@ -{ pkgs, ... }: +{ config, lib, pkgs, ... }: + +let + + inInitrd = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.initrd.supportedFilesystems; + +in { config = { - system.fsPackages = [ pkgs.e2fsprogs ]; + system.fsPackages = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ pkgs.e2fsprogs ]; # As of kernel 4.3, there is no separate ext3 driver (they're also handled by ext4.ko) - boot.initrd.availableKernelModules = [ "ext2" "ext4" ]; + boot.initrd.availableKernelModules = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ "ext2" "ext4" ]; - boot.initrd.extraUtilsCommands = + boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # Copy e2fsck and friends. copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/e2fsck diff --git a/nixos/modules/tasks/filesystems/f2fs.nix b/nixos/modules/tasks/filesystems/f2fs.nix index a305235979a..1d52861aa39 100644 --- a/nixos/modules/tasks/filesystems/f2fs.nix +++ b/nixos/modules/tasks/filesystems/f2fs.nix @@ -13,7 +13,7 @@ in boot.initrd.availableKernelModules = mkIf inInitrd [ "f2fs" "crc32" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd '' + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.f2fs-tools}/sbin/fsck.f2fs ${optionalString (any (fs: fs.autoResize) fileSystems) '' # We need f2fs-tools' tools to resize filesystems diff --git a/nixos/modules/tasks/filesystems/jfs.nix b/nixos/modules/tasks/filesystems/jfs.nix index fc3905c7dc2..700f05af2be 100644 --- a/nixos/modules/tasks/filesystems/jfs.nix +++ b/nixos/modules/tasks/filesystems/jfs.nix @@ -12,7 +12,7 @@ in boot.initrd.kernelModules = mkIf inInitrd [ "jfs" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd '' + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.jfsutils}/sbin/fsck.jfs ''; }; diff --git a/nixos/modules/tasks/filesystems/reiserfs.nix b/nixos/modules/tasks/filesystems/reiserfs.nix index ab4c43e2ab8..7b017a83db8 100644 --- a/nixos/modules/tasks/filesystems/reiserfs.nix +++ b/nixos/modules/tasks/filesystems/reiserfs.nix @@ -15,7 +15,7 @@ in boot.initrd.kernelModules = mkIf inInitrd [ "reiserfs" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.reiserfsprogs}/sbin/reiserfsck ln -s reiserfsck $out/bin/fsck.reiserfs diff --git a/nixos/modules/tasks/filesystems/unionfs-fuse.nix b/nixos/modules/tasks/filesystems/unionfs-fuse.nix index f54f3559c34..f9954b5182f 100644 --- a/nixos/modules/tasks/filesystems/unionfs-fuse.nix +++ b/nixos/modules/tasks/filesystems/unionfs-fuse.nix @@ -6,7 +6,7 @@ (lib.mkIf (lib.any (fs: fs == "unionfs-fuse") config.boot.initrd.supportedFilesystems) { boot.initrd.kernelModules = [ "fuse" ]; - boot.initrd.extraUtilsCommands = '' + boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.fuse}/sbin/mount.fuse copy_bin_and_libs ${pkgs.unionfs-fuse}/bin/unionfs substitute ${pkgs.unionfs-fuse}/sbin/mount.unionfs-fuse $out/bin/mount.unionfs-fuse \ @@ -16,12 +16,23 @@ chmod +x $out/bin/mount.unionfs-fuse ''; - boot.initrd.postDeviceCommands = '' + boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # Hacky!!! fuse hard-codes the path to mount mkdir -p /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-${pkgs.util-linux.name}-bin/bin ln -s $(which mount) /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-${pkgs.util-linux.name}-bin/bin ln -s $(which umount) /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-${pkgs.util-linux.name}-bin/bin ''; + + boot.initrd.systemd.extraBin = { + "mount.fuse" = "${pkgs.fuse}/bin/mount.fuse"; + "unionfs" = "${pkgs.unionfs-fuse}/bin/unionfs"; + "mount.unionfs-fuse" = pkgs.runCommand "mount.unionfs-fuse" {} '' + substitute ${pkgs.unionfs-fuse}/sbin/mount.unionfs-fuse $out \ + --replace '${pkgs.bash}/bin/bash' /bin/sh \ + --replace '${pkgs.fuse}/sbin' /bin \ + --replace '${pkgs.unionfs-fuse}/bin' /bin + ''; + }; }) (lib.mkIf (lib.any (fs: fs == "unionfs-fuse") config.boot.supportedFilesystems) { diff --git a/nixos/modules/tasks/filesystems/vfat.nix b/nixos/modules/tasks/filesystems/vfat.nix index 958e27ae8a3..5baab1c802c 100644 --- a/nixos/modules/tasks/filesystems/vfat.nix +++ b/nixos/modules/tasks/filesystems/vfat.nix @@ -15,7 +15,7 @@ in boot.initrd.kernelModules = mkIf inInitrd [ "vfat" "nls_cp437" "nls_iso8859-1" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.dosfstools}/sbin/dosfsck ln -sv dosfsck $out/bin/fsck.vfat diff --git a/nixos/modules/tasks/filesystems/xfs.nix b/nixos/modules/tasks/filesystems/xfs.nix index 98038701ca5..f81f5864655 100644 --- a/nixos/modules/tasks/filesystems/xfs.nix +++ b/nixos/modules/tasks/filesystems/xfs.nix @@ -15,14 +15,14 @@ in boot.initrd.availableKernelModules = mkIf inInitrd [ "xfs" "crc32c" ]; - boot.initrd.extraUtilsCommands = mkIf inInitrd + boot.initrd.extraUtilsCommands = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.xfsprogs.bin}/bin/fsck.xfs copy_bin_and_libs ${pkgs.xfsprogs.bin}/bin/xfs_repair ''; # Trick just to set 'sh' after the extraUtils nuke-refs. - boot.initrd.extraUtilsCommandsTest = mkIf inInitrd + boot.initrd.extraUtilsCommandsTest = mkIf (inInitrd && !config.boot.initrd.systemd.enable) '' sed -i -e 's,^#!.*,#!'$out/bin/sh, $out/bin/fsck.xfs ''; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index fbfc61177d3..c8bbfe9769b 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -58,6 +58,13 @@ let # latter case it makes one last attempt at importing, allowing the system to # (eventually) boot even with a degraded pool. importLib = {zpoolCmd, awkCmd, cfgZfs}: '' + for o in $(cat /proc/cmdline); do + case $o in + zfs_force|zfs_force=1|zfs_force=y) + ZFS_FORCE="-f" + ;; + esac + done poolReady() { pool="$1" state="$("${zpoolCmd}" import 2>/dev/null | "${awkCmd}" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")" @@ -78,6 +85,95 @@ let } ''; + getPoolFilesystems = pool: + filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems; + + getPoolMounts = prefix: pool: + let + # Remove the "/" suffix because even though most mountpoints + # won't have it, the "/" mountpoint will, and we can't have the + # trailing slash in "/sysroot/" in stage 1. + mountPoint = fs: escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint)); + in + map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); + + getKeyLocations = pool: + if isBool cfgZfs.requestEncryptionCredentials + then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}" + else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}"; + + createImportService = { pool, systemd, force, prefix ? "" }: + nameValuePair "zfs-import-${pool}" { + description = "Import ZFS pool \"${pool}\""; + # we need systemd-udev-settle to ensure devices are available + # In the future, hopefully someone will complete this: + # https://github.com/zfsonlinux/zfs/pull/4943 + requires = [ "systemd-udev-settle.service" ]; + after = [ + "systemd-udev-settle.service" + "systemd-modules-load.service" + "systemd-ask-password-console.service" + ]; + wantedBy = (getPoolMounts prefix pool) ++ [ "local-fs.target" ]; + before = (getPoolMounts prefix pool) ++ [ "local-fs.target" ]; + unitConfig = { + DefaultDependencies = "no"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + environment.ZFS_FORCE = optionalString force "-f"; + script = (importLib { + # See comments at importLib definition. + zpoolCmd = "${cfgZfs.package}/sbin/zpool"; + awkCmd = "${pkgs.gawk}/bin/awk"; + inherit cfgZfs; + }) + '' + poolImported "${pool}" && exit + echo -n "importing ZFS pool \"${pool}\"..." + # Loop across the import until it succeeds, because the devices needed may not be discovered yet. + for trial in `seq 1 60`; do + poolReady "${pool}" && poolImport "${pool}" && break + sleep 1 + done + poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. + if poolImported "${pool}"; then + ${optionalString (if isBool cfgZfs.requestEncryptionCredentials + then cfgZfs.requestEncryptionCredentials + else cfgZfs.requestEncryptionCredentials != []) '' + ${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do + { + if [[ "$ks" != unavailable ]]; then + continue + fi + case "$kl" in + none ) + ;; + prompt ) + tries=3 + success=false + while [[ $success != true ]] && [[ $tries -gt 0 ]]; do + ${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \ + && success=true \ + || tries=$((tries - 1)) + done + [[ $success = true ]] + ;; + * ) + ${cfgZfs.package}/sbin/zfs load-key "$ds" + ;; + esac + } < /dev/null # To protect while read ds kl in case anything reads stdin + done + ''} + echo "Successfully imported ${pool}" + else + exit 1 + fi + ''; + }; + zedConf = generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault { mkValueString = v: @@ -428,14 +524,6 @@ in ''; postDeviceCommands = concatStringsSep "\n" (['' ZFS_FORCE="${optionalString cfgZfs.forceImportRoot "-f"}" - - for o in $(cat /proc/cmdline); do - case $o in - zfs_force|zfs_force=1) - ZFS_FORCE="-f" - ;; - esac - done ''] ++ [(importLib { # See comments at importLib definition. zpoolCmd = "zpool"; @@ -464,8 +552,28 @@ in zfs load-key ${fs} '') cfgZfs.requestEncryptionCredentials} '') rootPools)); + + # Systemd in stage 1 + systemd = { + packages = [cfgZfs.package]; + services = listToAttrs (map (pool: createImportService { + inherit pool; + systemd = config.boot.initrd.systemd.package; + force = cfgZfs.forceImportRoot; + prefix = "/sysroot"; + }) rootPools); + extraBin = { + # zpool and zfs are already in thanks to fsPackages + awk = "${pkgs.gawk}/bin/awk"; + }; + }; }; + systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/zpool".source = pkgs.writeShellScript "zpool-sync-shutdown" '' + exec ${cfgZfs.package}/bin/zpool sync + ''; + systemd.shutdownRamfs.storePaths = ["${cfgZfs.package}/bin/zpool"]; + # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem. boot.loader.grub = mkIf (inInitrd || inSystem) { zfsSupport = true; @@ -516,79 +624,11 @@ in systemd.packages = [ cfgZfs.package ]; systemd.services = let - getPoolFilesystems = pool: - filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems; - - getPoolMounts = pool: - let - mountPoint = fs: escapeSystemdPath fs.mountPoint; - in - map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); - - createImportService = pool: - nameValuePair "zfs-import-${pool}" { - description = "Import ZFS pool \"${pool}\""; - # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged - requires = [ "systemd-udev-settle.service" ]; - after = [ - "systemd-udev-settle.service" - "systemd-modules-load.service" - "systemd-ask-password-console.service" - ]; - wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ]; - before = (getPoolMounts pool) ++ [ "local-fs.target" ]; - unitConfig = { - DefaultDependencies = "no"; - }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - environment.ZFS_FORCE = optionalString cfgZfs.forceImportAll "-f"; - script = (importLib { - # See comments at importLib definition. - zpoolCmd = "${cfgZfs.package}/sbin/zpool"; - awkCmd = "${pkgs.gawk}/bin/awk"; - inherit cfgZfs; - }) + '' - poolImported "${pool}" && exit - echo -n "importing ZFS pool \"${pool}\"..." - # Loop across the import until it succeeds, because the devices needed may not be discovered yet. - for trial in `seq 1 60`; do - poolReady "${pool}" && poolImport "${pool}" && break - sleep 1 - done - poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. - if poolImported "${pool}"; then - ${optionalString (if isBool cfgZfs.requestEncryptionCredentials - then cfgZfs.requestEncryptionCredentials - else cfgZfs.requestEncryptionCredentials != []) '' - ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do - { - ${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' - if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then - continue - fi - ''} - case "$kl" in - none ) - ;; - prompt ) - ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" - ;; - * ) - ${cfgZfs.package}/sbin/zfs load-key "$ds" - ;; - esac - } < /dev/null # To protect while read ds kl in case anything reads stdin - done - ''} - echo "Successfully imported ${pool}" - else - exit 1 - fi - ''; - }; + createImportService' = pool: createImportService { + inherit pool; + systemd = config.systemd.package; + force = cfgZfs.forceImportAll; + }; # This forces a sync of any ZFS pools prior to poweroff, even if they're set # to sync=disabled. @@ -614,7 +654,7 @@ in wantedBy = [ "zfs.target" ]; }; - in listToAttrs (map createImportService dataPools ++ + in listToAttrs (map createImportService' dataPools ++ map createSyncService allPools ++ map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index b0f160c1dbf..dce72b36fc5 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -90,7 +90,7 @@ let bindsTo = [ "network-setup.service" ]; }; - networkSetup = + networkSetup = lib.mkIf (config.networking.resolvconf.enable || cfg.defaultGateway != null || cfg.defaultGateway6 != null) { description = "Networking Setup"; after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ]; @@ -219,14 +219,15 @@ let cidr = "${route.address}/${toString route.prefixLength}"; via = optionalString (route.via != null) ''via "${route.via}"''; options = concatStrings (mapAttrsToList (name: val: "${name} ${val} ") route.options); + type = toString route.type; in '' echo "${cidr}" >> $state echo -n "adding route ${cidr}... " - if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" proto static 2>&1); then + if out=$(ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}" proto static 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out" + echo "'ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out" exit 1 fi '' diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 8654539b662..1657fabcd9b 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -43,12 +43,6 @@ in } { assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null; message = "networking.defaultGateway6.interface is not supported by networkd."; - } { - assertion = cfg.useDHCP == false; - message = '' - networking.useDHCP is not supported by networkd. - Please use per interface configuration and set the global option to false. - ''; } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: { assertion = !rstp; message = "networking.bridges.${n}.rstp is not supported by networkd."; @@ -65,21 +59,58 @@ in genericNetwork = override: let gateway = optional (cfg.defaultGateway != null && (cfg.defaultGateway.address or "") != "") cfg.defaultGateway.address ++ optional (cfg.defaultGateway6 != null && (cfg.defaultGateway6.address or "") != "") cfg.defaultGateway6.address; - in optionalAttrs (gateway != [ ]) { - routes = override [ - { + makeGateway = gateway: { routeConfig = { Gateway = gateway; GatewayOnLink = false; }; - } - ]; + }; + in optionalAttrs (gateway != [ ]) { + routes = override (map makeGateway gateway); } // optionalAttrs (domains != [ ]) { domains = override domains; }; in mkMerge [ { enable = true; } + (mkIf cfg.useDHCP { + networks."99-ethernet-default-dhcp" = lib.mkIf cfg.useDHCP { + # We want to match physical ethernet interfaces as commonly + # found on laptops, desktops and servers, to provide an + # "out-of-the-box" setup that works for common cases. This + # heuristic isn't perfect (it could match interfaces with + # custom names that _happen_ to start with en or eth), but + # should be good enough to make the common case easy and can + # be overridden on a case-by-case basis using + # higher-priority networks or by disabling useDHCP. + + # Type=ether matches veth interfaces as well, and this is + # more likely to result in interfaces being configured to + # use DHCP when they shouldn't. + + # When wait-online.anyInterface is enabled, RequiredForOnline really + # means "sufficient for online", so we can enable it. + # Otherwise, don't block the network coming online because of default networks. + matchConfig.Name = ["en*" "eth*"]; + DHCP = "yes"; + linkConfig.RequiredForOnline = + lib.mkDefault config.systemd.network.wait-online.anyInterface; + networkConfig.IPv6PrivacyExtensions = "kernel"; + }; + networks."99-wireless-client-dhcp" = lib.mkIf cfg.useDHCP { + # Like above, but this is much more likely to be correct. + matchConfig.WLANInterfaceType = "station"; + DHCP = "yes"; + linkConfig.RequiredForOnline = + lib.mkDefault config.systemd.network.wait-online.anyInterface; + networkConfig.IPv6PrivacyExtensions = "kernel"; + # We also set the route metric to one more than the default + # of 1024, so that Ethernet is preferred if both are + # available. + dhcpV4Config.RouteMetric = 1025; + ipv6AcceptRAConfig.RouteMetric = 1025; + }; + }) (mkMerge (forEach interfaces (i: { netdevs = mkIf i.virtual ({ "40-${i.name}" = { @@ -112,6 +143,9 @@ in optionalAttrs (route.via != null) { Gateway = route.via; } // + optionalAttrs (route.type != null) { + Type = route.type; + } // optionalAttrs (route.options ? onlink) { GatewayOnLink = true; } // diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index d09e9b99248..07bccf98f40 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -90,6 +90,22 @@ let ''; }; + type = mkOption { + type = types.nullOr (types.enum [ + "unicast" "local" "broadcast" "multicast" + ]); + default = null; + description = '' + Type of the route. See the <literal>Route types</literal> section + in the <literal>ip-route(8)</literal> manual page for the details. + + Note that <literal>prohibit</literal>, <literal>blackhole</literal>, + <literal>unreachable</literal>, and <literal>throw</literal> cannot + be configured per device, so they are not available here. Similarly, + <literal>nat</literal> hasn't been supported since kernel 2.6. + ''; + }; + via = mkOption { type = types.nullOr types.str; default = null; @@ -1254,11 +1270,6 @@ in Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that are not manually configured. - - Using this option is highly discouraged and also incompatible with - <option>networking.useNetworkd</option>. Please use - <option>networking.interfaces.<name>.useDHCP</option> instead - and set this to false. ''; }; diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 01447e6ada8..4ab2578eb81 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -65,33 +65,26 @@ in }; }; - boot.initrd.preDeviceCommands = - '' - echo 600 > /proc/sys/kernel/hung_task_timeout_secs - ''; - - boot.initrd.postDeviceCommands = - '' - # Using acpi_pm as a clock source causes the guest clock to - # slow down under high host load. This is usually a bad - # thing, but for VM tests it should provide a bit more - # determinism (e.g. if the VM runs at lower speed, then - # timeouts in the VM should also be delayed). - echo acpi_pm > /sys/devices/system/clocksource/clocksource0/current_clocksource - ''; - - boot.postBootCommands = - '' - # Panic on out-of-memory conditions rather than letting the - # OOM killer randomly get rid of processes, since this leads - # to failures that are hard to diagnose. - echo 2 > /proc/sys/vm/panic_on_oom - ''; + boot.kernel.sysctl = { + "kernel.hung_task_timeout_secs" = 600; + # Panic on out-of-memory conditions rather than letting the + # OOM killer randomly get rid of processes, since this leads + # to failures that are hard to diagnose. + "vm.panic_on_oom" = lib.mkDefault 2; + }; - # Panic if an error occurs in stage 1 (rather than waiting for - # user intervention). - boot.kernelParams = - [ "console=${qemu-common.qemuSerialDevice}" "panic=1" "boot.panic_on_fail" ]; + boot.kernelParams = [ + "console=${qemu-common.qemuSerialDevice}" + # Panic if an error occurs in stage 1 (rather than waiting for + # user intervention). + "panic=1" "boot.panic_on_fail" + # Using acpi_pm as a clock source causes the guest clock to + # slow down under high host load. This is usually a bad + # thing, but for VM tests it should provide a bit more + # determinism (e.g. if the VM runs at lower speed, then + # timeouts in the VM should also be delayed). + "clock=acpi_pm" + ]; # `xwininfo' is used by the test driver to query open windows. environment.systemPackages = [ pkgs.xorg.xwininfo ]; @@ -136,6 +129,9 @@ in # Make sure we use the Guest Agent from the QEMU package for testing # to reduce the closure size required for the tests. services.qemuGuest.package = pkgs.qemu_test.ga; + + # Squelch warning about unset system.stateVersion + system.stateVersion = lib.mkDefault lib.trivial.release; }; } diff --git a/nixos/modules/virtualisation/amazon-ec2-amis.nix b/nixos/modules/virtualisation/amazon-ec2-amis.nix index 91b5237e337..0324c5332cf 100644 --- a/nixos/modules/virtualisation/amazon-ec2-amis.nix +++ b/nixos/modules/virtualisation/amazon-ec2-amis.nix @@ -440,5 +440,53 @@ let self = { "21.11".ap-east-1.aarch64-linux.hvm-ebs = "ami-0aa3b50a4f2822a00"; "21.11".sa-east-1.aarch64-linux.hvm-ebs = "ami-00f68eff453d3fe69"; - latest = self."21.11"; + # 22.05.342.a634c8f6c1f + + "22.05".eu-west-1.x86_64-linux.hvm-ebs = "ami-00badba5cfa0a0c0d"; + "22.05".af-south-1.x86_64-linux.hvm-ebs = "ami-0d3a6166c1ea4d7b4"; + "22.05".ap-east-1.x86_64-linux.hvm-ebs = "ami-06445325c360470d8"; + "22.05".ap-northeast-1.x86_64-linux.hvm-ebs = "ami-009c422293bcf3721"; + "22.05".ap-northeast-2.x86_64-linux.hvm-ebs = "ami-0bfc0397525a67ed8"; + "22.05".ap-northeast-3.x86_64-linux.hvm-ebs = "ami-0a1fb4d4e08a6065e"; + "22.05".ap-south-1.x86_64-linux.hvm-ebs = "ami-07ad258dcc69239d2"; + "22.05".ap-southeast-1.x86_64-linux.hvm-ebs = "ami-0f59f7f33cba8b1a4"; + "22.05".ap-southeast-2.x86_64-linux.hvm-ebs = "ami-0d1e49fe30aec165d"; + "22.05".ap-southeast-3.x86_64-linux.hvm-ebs = "ami-0f5cb24a1e3fc62dd"; + "22.05".ca-central-1.x86_64-linux.hvm-ebs = "ami-0551a595ba7916462"; + "22.05".eu-central-1.x86_64-linux.hvm-ebs = "ami-0702eee2e75d541d1"; + "22.05".eu-north-1.x86_64-linux.hvm-ebs = "ami-0fc6838942cb7d9cb"; + "22.05".eu-south-1.x86_64-linux.hvm-ebs = "ami-0df9463b8965cdb80"; + "22.05".eu-west-2.x86_64-linux.hvm-ebs = "ami-08f3c1eb533a42ac1"; + "22.05".eu-west-3.x86_64-linux.hvm-ebs = "ami-04b50c79dc4009c97"; + "22.05".me-south-1.x86_64-linux.hvm-ebs = "ami-05c52087afab7024d"; + "22.05".sa-east-1.x86_64-linux.hvm-ebs = "ami-0732aa0f0c28f281b"; + "22.05".us-east-1.x86_64-linux.hvm-ebs = "ami-0223db08811f6fb2d"; + "22.05".us-east-2.x86_64-linux.hvm-ebs = "ami-0a743534fa3e51b41"; + "22.05".us-west-1.x86_64-linux.hvm-ebs = "ami-0d72ab697beab5ea5"; + "22.05".us-west-2.x86_64-linux.hvm-ebs = "ami-034946f0c47088751"; + + "22.05".eu-west-1.aarch64-linux.hvm-ebs = "ami-08114069426233360"; + "22.05".af-south-1.aarch64-linux.hvm-ebs = "ami-0a9b83913abd61694"; + "22.05".ap-east-1.aarch64-linux.hvm-ebs = "ami-03966ad4547f532b7"; + "22.05".ap-northeast-1.aarch64-linux.hvm-ebs = "ami-0eb7e152c8d5aae7d"; + "22.05".ap-northeast-2.aarch64-linux.hvm-ebs = "ami-08369e00c5528762b"; + "22.05".ap-northeast-3.aarch64-linux.hvm-ebs = "ami-0fa14b8d48cdd57c3"; + "22.05".ap-south-1.aarch64-linux.hvm-ebs = "ami-0f2ca3b542ff0913b"; + "22.05".ap-southeast-1.aarch64-linux.hvm-ebs = "ami-087def0511ef2687d"; + "22.05".ap-southeast-2.aarch64-linux.hvm-ebs = "ami-0aa90985199011f04"; + "22.05".ap-southeast-3.aarch64-linux.hvm-ebs = "ami-0c86c52790deefa23"; + "22.05".ca-central-1.aarch64-linux.hvm-ebs = "ami-06e932cc9c20403e4"; + "22.05".eu-central-1.aarch64-linux.hvm-ebs = "ami-07680df1026a9b54c"; + "22.05".eu-north-1.aarch64-linux.hvm-ebs = "ami-0cbe9f2725e4de706"; + "22.05".eu-south-1.aarch64-linux.hvm-ebs = "ami-01a83c3892925765f"; + "22.05".eu-west-2.aarch64-linux.hvm-ebs = "ami-049024d086d039b54"; + "22.05".eu-west-3.aarch64-linux.hvm-ebs = "ami-0c0ebe20ebfc635a1"; + "22.05".me-south-1.aarch64-linux.hvm-ebs = "ami-0d662fcaac553e945"; + "22.05".sa-east-1.aarch64-linux.hvm-ebs = "ami-0888c8f703e00fdb8"; + "22.05".us-east-1.aarch64-linux.hvm-ebs = "ami-03536a13324333073"; + "22.05".us-east-2.aarch64-linux.hvm-ebs = "ami-067611519fa817aaa"; + "22.05".us-west-1.aarch64-linux.hvm-ebs = "ami-0f96be48071c13ab2"; + "22.05".us-west-2.aarch64-linux.hvm-ebs = "ami-084bc5d777585adfb"; + + latest = self."22.05"; }; in self diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 9a56b695015..12fe6fa4447 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -37,13 +37,11 @@ in { assertion = cfg.efi -> cfg.hvm; message = "EC2 instances using EFI must be HVM instances."; } - { assertion = versionOlder config.boot.kernelPackages.kernel.version "5.15"; - message = "ENA driver fails to build with kernel >= 5.15"; + { assertion = versionOlder config.boot.kernelPackages.kernel.version "5.17"; + message = "ENA driver fails to build with kernel >= 5.17"; } ]; - boot.kernelPackages = pkgs.linuxKernel.packages.linux_5_10; - boot.growPartition = cfg.hvm; fileSystems."/" = mkIf (!cfg.zfs.enable) { diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index 4f2f8df90eb..9c2adb90bfd 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -11,7 +11,7 @@ let echo "attempting to fetch configuration from EC2 user data..." export HOME=/root - export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH + export PATH=${pkgs.lib.makeBinPath [ config.nix.package config.systemd.package pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels userData=/etc/ec2-metadata/user-data diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index a4da62eb5f7..c70da573533 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix @@ -73,9 +73,6 @@ in environment.systemPackages = with pkgs; [ anbox ]; - boot.kernelModules = [ "ashmem_linux" "binder_linux" ]; - boot.extraModulePackages = [ kernelPackages.anbox ]; - services.udev.extraRules = '' KERNEL=="ashmem", NAME="%k", MODE="0666" KERNEL=="binder*", NAME="%k", MODE="0666" diff --git a/nixos/modules/virtualisation/appvm.nix b/nixos/modules/virtualisation/appvm.nix new file mode 100644 index 00000000000..24315a85d0e --- /dev/null +++ b/nixos/modules/virtualisation/appvm.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.virtualisation.appvm; + +in { + + options = { + virtualisation.appvm = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + This enables AppVMs and related virtualisation settings. + ''; + }; + user = mkOption { + type = types.str; + description = '' + AppVM user login. Currenly only AppVMs are supported for a single user only. + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + virtualisation.libvirtd = { + enable = true; + qemu.verbatimConfig = '' + namespaces = [] + user = "${cfg.user}" + group = "users" + remember_owner = 0 + ''; + }; + + users.users."${cfg.user}" = { + packages = [ pkgs.appvm ]; + extraGroups = [ "libvirtd" ]; + }; + + }; + +} + diff --git a/nixos/modules/virtualisation/digital-ocean-init.nix b/nixos/modules/virtualisation/digital-ocean-init.nix index 4339d91de16..df30104b7d7 100644 --- a/nixos/modules/virtualisation/digital-ocean-init.nix +++ b/nixos/modules/virtualisation/digital-ocean-init.nix @@ -46,7 +46,7 @@ in { RemainAfterExit = true; }; restartIfChanged = false; - path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ]; + path = [ pkgs.jq pkgs.gnused pkgs.gnugrep config.systemd.package config.nix.package config.system.build.nixos-rebuild ]; environment = { HOME = "/root"; NIX_PATH = concatStringsSep ":" [ diff --git a/nixos/modules/virtualisation/docker-rootless.nix b/nixos/modules/virtualisation/docker-rootless.nix index d371f67ecdc..b814fa1c435 100644 --- a/nixos/modules/virtualisation/docker-rootless.nix +++ b/nixos/modules/virtualisation/docker-rootless.nix @@ -51,7 +51,6 @@ in default = pkgs.docker; defaultText = literalExpression "pkgs.docker"; type = types.package; - example = literalExpression "pkgs.docker-edge"; description = '' Docker package to be used in the module. ''; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index a69cbe55c78..c6eca4d6ed5 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -155,7 +155,6 @@ in default = pkgs.docker; defaultText = literalExpression "pkgs.docker"; type = types.package; - example = literalExpression "pkgs.docker-edge"; description = '' Docker package to be used in the module. ''; diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index e0bccb83a97..31d18ae7344 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -11,10 +11,9 @@ let auth_unix_rw = "polkit" ${cfg.extraConfig} ''; - ovmfFilePrefix = if pkgs.stdenv.isAarch64 then "AAVMF" else "OVMF"; qemuConfigFile = pkgs.writeText "qemu.conf" '' ${optionalString cfg.qemu.ovmf.enable '' - nvram = [ "/run/libvirt/nix-ovmf/${ovmfFilePrefix}_CODE.fd:/run/libvirt/nix-ovmf/${ovmfFilePrefix}_VARS.fd" ] + nvram = [ "/run/libvirt/nix-ovmf/AAVMF_CODE.fd:/run/libvirt/nix-ovmf/AAVMF_VARS.fd", "/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd" ] ''} ${optionalString (!cfg.qemu.runAsRoot) '' user = "qemu-libvirtd" @@ -36,13 +35,20 @@ let ''; }; + # mkRemovedOptionModule does not work in submodules, do it manually package = mkOption { - type = types.package; - default = pkgs.OVMF; - defaultText = literalExpression "pkgs.OVMF"; - example = literalExpression "pkgs.OVMFFull"; + type = types.nullOr types.package; + default = null; + internal = true; + }; + + packages = mkOption { + type = types.listOf types.package; + default = [ pkgs.OVMF.fd ]; + defaultText = literalExpression "[ pkgs.OVMF.fd ]"; + example = literalExpression "[ pkgs.OVMFFull.fd pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd ]"; description = '' - OVMF package to use. + List of OVMF packages to use. Each listed package must contain files names FV/OVMF_CODE.fd and FV/OVMF_VARS.fd or FV/AAVMF_CODE.fd and FV/AAVMF_VARS.fd ''; }; }; @@ -141,9 +147,9 @@ in (mkRenamedOptionModule [ "virtualisation" "libvirtd" "qemuOvmf" ] [ "virtualisation" "libvirtd" "qemu" "ovmf" "enable" ]) - (mkRenamedOptionModule + (mkRemovedOptionModule [ "virtualisation" "libvirtd" "qemuOvmfPackage" ] - [ "virtualisation" "libvirtd" "qemu" "ovmf" "package" ]) + "If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead.") (mkRenamedOptionModule [ "virtualisation" "libvirtd" "qemuSwtpm" ] [ "virtualisation" "libvirtd" "qemu" "swtpm" "enable" ]) @@ -238,12 +244,15 @@ in assertions = [ { - assertion = config.security.polkit.enable; - message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true')."; + assertion = config.virtualisation.libvirtd.qemu.ovmf.package == null; + message = '' + The option virtualisation.libvirtd.qemu.ovmf.package is superseded by virtualisation.libvirtd.qemu.ovmf.packages. + If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead. + ''; } { - assertion = builtins.elem "fd" cfg.qemu.ovmf.package.outputs; - message = "The option 'virtualisation.libvirtd.qemuOvmfPackage' needs a package that has an 'fd' output."; + assertion = config.security.polkit.enable; + message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true')."; } ]; @@ -303,10 +312,18 @@ in ln -s --force ${cfg.qemu.package}/$helper /run/${dirName}/nix-helpers/ done - ${optionalString cfg.qemu.ovmf.enable '' - ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_CODE.fd /run/${dirName}/nix-ovmf/ - ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_VARS.fd /run/${dirName}/nix-ovmf/ - ''} + ${optionalString cfg.qemu.ovmf.enable (let + ovmfpackage = pkgs.buildEnv { + name = "qemu-ovmf"; + paths = cfg.qemu.ovmf.packages; + }; + in + '' + ln -s --force ${ovmfpackage}/FV/AAVMF_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/AAVMF_VARS.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/ + '')} ''; serviceConfig = { diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix index 9816cc2332f..d3a2e0ed151 100644 --- a/nixos/modules/virtualisation/lxc-container.nix +++ b/nixos/modules/virtualisation/lxc-container.nix @@ -63,18 +63,18 @@ in default = {}; example = literalExpression '' { - # create /etc/hostname on container creation + # create /etc/hostname on container creation. also requires networking.hostName = "" to be set "hostname" = { enable = true; target = "/etc/hostname"; - template = builtins.writeFile "hostname.tpl" "{{ container.name }}"; + template = builtins.toFile "hostname.tpl" "{{ container.name }}"; when = [ "create" ]; }; # create /etc/nixos/hostname.nix with a configuration for keeping the hostname applied "hostname-nix" = { enable = true; target = "/etc/nixos/hostname.nix"; - template = builtins.writeFile "hostname-nix.tpl" "{ ... }: { networking.hostName = "{{ container.name }}"; }"; + template = builtins.toFile "hostname-nix.tpl" "{ ... }: { networking.hostName = \"{{ container.name }}\"; }"; # copy keeps the file updated when the container is changed when = [ "create" "copy" ]; }; @@ -82,7 +82,7 @@ in "configuration-nix" = { enable = true; target = "/etc/nixos/configuration.nix"; - template = builtins.writeFile "configuration-nix" "{{ config_get(\"user.user-data\", properties.default) }}"; + template = builtins.toFile "configuration-nix" "{{ config_get(\"user.user-data\", properties.default) }}"; when = [ "create" ]; }; }; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 0838a57f0f3..b9301515712 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -4,6 +4,11 @@ with lib; let + configurationPrefix = optionalString (versionAtLeast config.system.stateVersion "22.05") "nixos-"; + configurationDirectoryName = "${configurationPrefix}containers"; + configurationDirectory = "/etc/${configurationDirectoryName}"; + stateDirectory = "/var/lib/${configurationPrefix}containers"; + # The container's init script, a small wrapper around the regular # NixOS stage-2 init script. containerInit = (cfg: @@ -77,7 +82,7 @@ let startScript = cfg: '' mkdir -p -m 0755 "$root/etc" "$root/var/lib" - mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers + mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/nixos-containers if ! [ -e "$root/etc/os-release" ]; then touch "$root/etc/os-release" fi @@ -249,11 +254,11 @@ let SyslogIdentifier = "container %i"; - EnvironmentFile = "-/etc/containers/%i.conf"; + EnvironmentFile = "-${configurationDirectory}/%i.conf"; Type = "notify"; - RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i"; + RuntimeDirectory = lib.optional cfg.ephemeral "${configurationDirectoryName}/%i"; # Note that on reboot, systemd-nspawn returns 133, so this # unit will be restarted. On poweroff, it returns 0, so the @@ -279,7 +284,7 @@ let DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; }; - system = config.nixpkgs.localSystem.system; + inherit (config.nixpkgs) localSystem; kernelVersion = config.boot.kernelPackages.kernel.version; bindMountOpts = { name, ... }: { @@ -473,12 +478,12 @@ in type = lib.mkOptionType { name = "Toplevel NixOS config"; merge = loc: defs: (import "${toString config.nixpkgs}/nixos/lib/eval-config.nix" { - inherit system; modules = let extraConfig = { _file = "module at ${__curPos.file}:${toString __curPos.line}"; config = { + nixpkgs = { inherit localSystem; }; boot.isContainer = true; networking.hostName = mkDefault name; networking.useDHCP = false; @@ -737,15 +742,21 @@ in config = mkIf (config.boot.enableContainers) (let + warnings = flatten [ + (optional (config.virtualisation.containers.enable && versionOlder config.system.stateVersion "22.05") '' + Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported. + '') + ]; + unit = { description = "Container '%i'"; - unitConfig.RequiresMountsFor = "/var/lib/containers/%i"; + unitConfig.RequiresMountsFor = "${stateDirectory}/%i"; path = [ pkgs.iproute2 ]; environment = { - root = "/var/lib/containers/%i"; + root = "${stateDirectory}/%i"; INSTANCE = "%i"; }; @@ -782,8 +793,8 @@ in script = startScript containerConfig; postStart = postStartScript containerConfig; serviceConfig = serviceDirectives containerConfig; - unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i"; - environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i"; + unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i"; + environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i"; } // ( if containerConfig.autoStart then { @@ -792,7 +803,7 @@ in after = [ "network.target" ]; restartTriggers = [ containerConfig.path - config.environment.etc."containers/${name}.conf".source + config.environment.etc."${configurationDirectoryName}/${name}.conf".source ]; restartIfChanged = true; } @@ -800,12 +811,12 @@ in )) config.containers) )); - # Generate a configuration file in /etc/containers for each + # Generate a configuration file in /etc/nixos-containers for each # container so that container@.target can get the container # configuration. environment.etc = let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort); - in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf" + in mapAttrs' (name: cfg: nameValuePair "${configurationDirectoryName}/${name}.conf" { text = '' SYSTEM_PATH=${cfg.path} @@ -854,7 +865,11 @@ in ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1" ''; - environment.systemPackages = [ pkgs.nixos-container ]; + environment.systemPackages = [ + (pkgs.nixos-container.override { + inherit stateDirectory configurationDirectory; + }) + ]; boot.kernelModules = [ "bridge" diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index f4048172783..fa5fe997304 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -338,11 +338,7 @@ in { backend = mkOption { type = types.enum [ "podman" "docker" ]; - default = - # TODO: Once https://github.com/NixOS/nixpkgs/issues/77925 is resolved default to podman - # if versionAtLeast config.system.stateVersion "20.09" then "podman" - # else "docker"; - "docker"; + default = if versionAtLeast config.system.stateVersion "22.05" then "podman" else "docker"; description = "The underlying Docker implementation to use."; }; diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix index b7e7f78ded7..361caeff70b 100644 --- a/nixos/modules/virtualisation/podman/default.nix +++ b/nixos/modules/virtualisation/podman/default.nix @@ -153,6 +153,12 @@ in systemd.sockets.podman.wantedBy = [ "sockets.target" ]; systemd.sockets.podman.socketConfig.SocketGroup = "podman"; + systemd.user.services.podman.serviceConfig = { + ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ]; + }; + + systemd.user.sockets.podman.wantedBy = [ "sockets.target" ]; + systemd.tmpfiles.packages = [ # The /run/podman rule interferes with our podman group, so we remove # it and let the systemd socket logic take care of it. diff --git a/nixos/modules/virtualisation/proxmox-lxc.nix b/nixos/modules/virtualisation/proxmox-lxc.nix index 3913b474afb..9b9f99e5b81 100644 --- a/nixos/modules/virtualisation/proxmox-lxc.nix +++ b/nixos/modules/virtualisation/proxmox-lxc.nix @@ -20,6 +20,15 @@ with lib; configuration from proxmox. ''; }; + manageHostName = mkOption { + type = types.bool; + default = false; + description = '' + Whether to manage hostname through nix options + When false, the hostname is picked up from /etc/hostname + populated by proxmox. + ''; + }; }; config = @@ -50,6 +59,8 @@ with lib; useDHCP = false; useHostResolvConf = false; useNetworkd = true; + # pick up hostname from /etc/hostname generated by proxmox + hostName = mkIf (!cfg.manageHostName) (mkForce ""); }; services.openssh = { diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index b1c5a7a6c95..f622897aa62 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -754,13 +754,13 @@ in ); boot.loader.grub.gfxmodeBios = with cfg.resolution; "${toString x}x${toString y}"; - boot.initrd.extraUtilsCommands = + boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # We need mke2fs in the initrd. copy_bin_and_libs ${pkgs.e2fsprogs}/bin/mke2fs ''; - boot.initrd.postDeviceCommands = + boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # If the disk image appears to be empty, run mke2fs to # initialise. @@ -770,7 +770,7 @@ in fi ''; - boot.initrd.postMountCommands = + boot.initrd.postMountCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' # Mark this as a NixOS machine. mkdir -p $targetRoot/etc @@ -789,6 +789,11 @@ in ''} ''; + systemd.tmpfiles.rules = lib.mkIf config.boot.initrd.systemd.enable [ + "f /etc/NIXOS 0644 root root -" + "d /boot 0644 root root -" + ]; + # After booting, register the closure of the paths in # `virtualisation.additionalPaths' in the Nix database in the VM. This # allows Nix operations to work in the VM. The path to the diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index 3caed746ca9..d468a200872 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -64,7 +64,6 @@ in environment.etc.vmware-tools.source = "${open-vm-tools}/etc/vmware-tools/*"; services.xserver = mkIf (!cfg.headless) { - videoDrivers = mkOverride 50 [ "vmware" ]; modules = [ xf86inputvmmouse ]; config = '' diff --git a/nixos/modules/virtualisation/vmware-host.nix b/nixos/modules/virtualisation/vmware-host.nix new file mode 100644 index 00000000000..faa0d455c9d --- /dev/null +++ b/nixos/modules/virtualisation/vmware-host.nix @@ -0,0 +1,166 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.virtualisation.vmware.host; + wrapperDir = "/run/vmware/bin"; # Perfectly fits as /usr/local/bin + parentWrapperDir = dirOf wrapperDir; + vmwareWrappers = # Needed as hardcoded paths workaround + let mkVmwareSymlink = + program: + '' + ln -s "${config.security.wrapperDir}/${program}" $wrapperDir/${program} + ''; + in + [ + (mkVmwareSymlink "pkexec") + (mkVmwareSymlink "mount") + (mkVmwareSymlink "umount") + ]; +in +{ + options = with lib; { + virtualisation.vmware.host = { + enable = mkEnableOption "VMware" // { + description = '' + This enables VMware host virtualisation for running VMs. + + <important><para> + <literal>vmware-vmx</literal> will cause kcompactd0 due to + <literal>Transparent Hugepages</literal> feature in kernel. + Apply <literal>[ "transparent_hugepage=never" ]</literal> in + option <option>boot.kernelParams</option> to disable them. + </para></important> + + <note><para> + If that didn't work disable <literal>TRANSPARENT_HUGEPAGE</literal>, + <literal>COMPACTION</literal> configs and recompile kernel. + </para></note> + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.vmware-workstation; + defaultText = literalExpression "pkgs.vmware-workstation"; + description = "VMware host virtualisation package to use"; + }; + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs; [ ]; + description = "Extra packages to be used with VMware host."; + example = "with pkgs; [ ntfs3g ]"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Add extra config to /etc/vmware/config"; + example = '' + # Allow unsupported device's OpenGL and Vulkan acceleration for guest vGPU + mks.gl.allowUnsupportedDrivers = "TRUE" + mks.vk.allowUnsupportedDevices = "TRUE" + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + boot.extraModulePackages = [ config.boot.kernelPackages.vmware ]; + boot.extraModprobeConfig = "alias char-major-10-229 fuse"; + boot.kernelModules = [ "vmw_pvscsi" "vmw_vmci" "vmmon" "vmnet" "fuse" ]; + + environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; + services.printing.drivers = [ cfg.package ]; + + environment.etc."vmware/config".text = '' + ${builtins.readFile "${cfg.package}/etc/vmware/config"} + ${cfg.extraConfig} + ''; + + environment.etc."vmware/bootstrap".source = "${cfg.package}/etc/vmware/bootstrap"; + environment.etc."vmware/icu".source = "${cfg.package}/etc/vmware/icu"; + environment.etc."vmware-installer".source = "${cfg.package}/etc/vmware-installer"; + + # SUID wrappers + + security.wrappers = { + vmware-vmx = { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/lib/vmware/bin/.vmware-vmx-wrapped"; + }; + }; + + ###### wrappers activation script + + system.activationScripts.vmwareWrappers = + lib.stringAfter [ "specialfs" "users" ] + '' + mkdir -p "${parentWrapperDir}" + chmod 755 "${parentWrapperDir}" + # We want to place the tmpdirs for the wrappers to the parent dir. + wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx "$wrapperDir" + ${lib.concatStringsSep "\n" (vmwareWrappers)} + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + if [ -e "${wrapperDir}-tmp" ]; then + rm --force --recursive "${wrapperDir}-tmp" + fi + ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" + mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" + rm --force --recursive "$old" + else + # For initial setup + ln --symbolic "$wrapperDir" "${wrapperDir}" + fi + ''; + + # Services + + systemd.services."vmware-authdlauncher" = { + description = "VMware Authentification Daemon"; + serviceConfig = { + Type = "forking"; + ExecStart = [ "${cfg.package}/bin/vmware-authdlauncher" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-networks-configuration" = { + description = "VMware Networks Configuration Generation"; + unitConfig.ConditionPathExists = "!/etc/vmware/networking"; + serviceConfig = { + UMask = "0077"; + ExecStart = [ + "${cfg.package}/bin/vmware-networks --postinstall vmware-player,0,1" + ]; + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-networks" = { + description = "VMware Networks"; + after = [ "vmware-networks-configuration.service" ]; + requires = [ "vmware-networks-configuration.service" ]; + serviceConfig = { + Type = "forking"; + ExecCondition = [ "${pkgs.kmod}/bin/modprobe vmnet" ]; + ExecStart = [ "${cfg.package}/bin/vmware-networks --start" ]; + ExecStop = [ "${cfg.package}/bin/vmware-networks --stop" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-usbarbitrator" = { + description = "VMware USB Arbitrator"; + serviceConfig = { + ExecStart = [ "${cfg.package}/bin/vmware-usbarbitrator -f" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 975eed10cd2..a999efcb44e 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -23,12 +23,12 @@ in default = false; type = types.bool; description = - '' + mdDoc '' Setting this option enables the Xen hypervisor, a virtualisation technology that allows multiple virtual - machines, known as <emphasis>domains</emphasis>, to run + machines, known as *domains*, to run concurrently on the physical machine. NixOS runs as the - privileged <emphasis>Domain 0</emphasis>. This option + privileged *Domain 0*. This option requires a reboot to take effect. ''; }; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index fd8a39cfb92..7f81ca1c69b 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -132,12 +132,14 @@ in rec { # fails with kernel >= 5.15 https://github.com/NixOS/nixpkgs/pull/152505#issuecomment-1005049314 #(onFullSupported "nixos.tests.nfs3.simple") (onFullSupported "nixos.tests.nfs4.simple") + (onSystems ["x86_64-linux"] "nixos.tests.oci-containers.podman") (onFullSupported "nixos.tests.openssh") (onFullSupported "nixos.tests.pantheon") (onFullSupported "nixos.tests.php.fpm") (onFullSupported "nixos.tests.php.httpd") (onFullSupported "nixos.tests.php.pcre") (onFullSupported "nixos.tests.plasma5") + (onSystems ["x86_64-linux"] "nixos.tests.podman") (onFullSupported "nixos.tests.predictable-interface-names.predictableNetworkd") (onFullSupported "nixos.tests.predictable-interface-names.predictable") (onFullSupported "nixos.tests.predictable-interface-names.unpredictableNetworkd") diff --git a/nixos/release.nix b/nixos/release.nix index 6b7564a9b97..beafdf9ff5b 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -17,6 +17,7 @@ let # Run the tests for each platform. You can run a test by doing # e.g. ‘nix-build -A tests.login.x86_64-linux’, or equivalently, # ‘nix-build tests/login.nix -A result’. + # See also nixosTests in pkgs/top-level/all-packages.nix allTestsForSystem = system: import ./tests/all-tests.nix { inherit system; @@ -24,7 +25,19 @@ let callTest = t: { ${system} = hydraJob t.test; }; + } // { + # for typechecking of the scripts and evaluation of + # the nodes, without running VMs. + allDrivers = + import ./tests/all-tests.nix { + inherit system; + pkgs = import ./.. { inherit system; }; + callTest = t: { + ${system} = hydraJob t.test.driver; + }; + }; }; + allTests = foldAttrs recursiveUpdate {} (map allTestsForSystem supportedSystems); @@ -138,6 +151,13 @@ in rec { # Build the initial ramdisk so Hydra can keep track of its size over time. initialRamdisk = buildFromConfig ({ ... }: { }) (config: config.system.build.initialRamdisk); + kexec = forMatchingSystems supportedSystems (system: (import lib/eval-config.nix { + inherit system; + modules = [ + ./modules/installer/netboot/netboot-minimal.nix + ]; + }).config.system.build.kexecTree); + netboot = forMatchingSystems supportedSystems (system: makeNetboot { module = ./modules/installer/netboot/netboot-minimal.nix; inherit system; @@ -150,13 +170,13 @@ in rec { }); iso_plasma5 = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { - module = ./modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix; + module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix; type = "plasma5"; inherit system; }); iso_gnome = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { - module = ./modules/installer/cd-dvd/installation-cd-graphical-gnome.nix; + module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix; type = "gnome"; inherit system; }); diff --git a/nixos/tests/3proxy.nix b/nixos/tests/3proxy.nix index dfc4b35a772..8127438fabd 100644 --- a/nixos/tests/3proxy.nix +++ b/nixos/tests/3proxy.nix @@ -139,7 +139,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { peer0.wait_for_unit("network-online.target") peer1.wait_for_unit("3proxy.service") - peer1.wait_for_open_port("9999") + peer1.wait_for_open_port(9999) # test none auth peer0.succeed( @@ -153,7 +153,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { ) peer2.wait_for_unit("3proxy.service") - peer2.wait_for_open_port("9999") + peer2.wait_for_open_port(9999) # test iponly auth peer0.succeed( @@ -167,7 +167,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { ) peer3.wait_for_unit("3proxy.service") - peer3.wait_for_open_port("9999") + peer3.wait_for_open_port(9999) # test strong auth peer0.succeed( diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 2dd06a50f40..c07f99c5db3 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -578,7 +578,7 @@ in { webserver.wait_for_unit(f"acme-finished-{test_domain}.target") wait_for_server() check_connection(client, test_domain) - rc, _ = client.execute( + rc, _s = client.execute( f"openssl s_client -CAfile /tmp/ca.crt -connect {test_alias}:443" " </dev/null 2>/dev/null | openssl x509 -noout -text" f" | grep DNS: | grep {test_alias}" diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 5158bc681e0..162e117796a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -26,8 +26,8 @@ let featureFlags.minimalModules = {}; }; evalMinimalConfig = module: nixosLib.evalModules { modules = [ module ]; }; -in -{ + +in { _3proxy = handleTest ./3proxy.nix {}; acme = handleTest ./acme.nix {}; adguardhome = handleTest ./adguardhome.nix {}; @@ -62,6 +62,7 @@ in breitbandmessung = handleTest ./breitbandmessung.nix {}; brscan5 = handleTest ./brscan5.nix {}; btrbk = handleTest ./btrbk.nix {}; + btrbk-no-timer = handleTest ./btrbk-no-timer.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; @@ -111,7 +112,7 @@ in croc = handleTest ./croc.nix {}; cryptpad = handleTest ./cryptpad.nix {}; deluge = handleTest ./deluge.nix {}; - dendrite = handleTest ./dendrite.nix {}; + dendrite = handleTest ./matrix/dendrite.nix {}; dex-oidc = handleTest ./dex-oidc.nix {}; dhparams = handleTest ./dhparams.nix {}; disable-installer-tools = handleTest ./disable-installer-tools.nix {}; @@ -122,7 +123,6 @@ in doas = handleTest ./doas.nix {}; docker = handleTestOn ["x86_64-linux"] ./docker.nix {}; docker-rootless = handleTestOn ["x86_64-linux"] ./docker-rootless.nix {}; - docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {}; docker-registry = handleTest ./docker-registry.nix {}; docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {}; docker-tools-cross = handleTestOn ["x86_64-linux" "aarch64-linux"] ./docker-tools-cross.nix {}; @@ -151,6 +151,7 @@ in etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; etebase-server = handleTest ./etebase-server.nix {}; etesync-dav = handleTest ./etesync-dav.nix {}; + extra-python-packages = handleTest ./extra-python-packages.nix {}; fancontrol = handleTest ./fancontrol.nix {}; fcitx = handleTest ./fcitx {}; fenics = handleTest ./fenics.nix {}; @@ -158,6 +159,7 @@ in firefox = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox; }; firefox-esr = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job firefox-esr-91 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-91; }; + firefox-esr-102 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-102; }; firejail = handleTest ./firejail.nix {}; firewall = handleTest ./firewall.nix {}; fish = handleTest ./fish.nix {}; @@ -169,6 +171,7 @@ in frr = handleTest ./frr.nix {}; fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; + mimir = handleTest ./mimir.nix {}; gerrit = handleTest ./gerrit.nix {}; geth = handleTest ./geth.nix {}; ghostunnel = handleTest ./ghostunnel.nix {}; @@ -187,6 +190,7 @@ in google-oslogin = handleTest ./google-oslogin {}; gotify-server = handleTest ./gotify-server.nix {}; grafana = handleTest ./grafana.nix {}; + grafana-agent = handleTest ./grafana-agent.nix {}; graphite = handleTest ./graphite.nix {}; graylog = handleTest ./graylog.nix {}; grocy = handleTest ./grocy.nix {}; @@ -199,6 +203,7 @@ in haste-server = handleTest ./haste-server.nix {}; haproxy = handleTest ./haproxy.nix {}; hardened = handleTest ./hardened.nix {}; + healthchecks = handleTest ./web-apps/healthchecks.nix {}; hbase1 = handleTest ./hbase.nix { package=pkgs.hbase1; }; hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; }; hbase3 = handleTest ./hbase.nix { package=pkgs.hbase3; }; @@ -235,6 +240,7 @@ in input-remapper = handleTest ./input-remapper.nix {}; inspircd = handleTest ./inspircd.nix {}; installer = handleTest ./installer.nix {}; + installer-systemd-stage-1 = handleTest ./installer-systemd-stage-1.nix {}; invoiceplane = handleTest ./invoiceplane.nix {}; iodine = handleTest ./iodine.nix {}; ipfs = handleTest ./ipfs.nix {}; @@ -250,8 +256,8 @@ in jirafeau = handleTest ./jirafeau.nix {}; jitsi-meet = handleTest ./jitsi-meet.nix {}; k3s-single-node = handleTest ./k3s-single-node.nix {}; - k3s-single-node-docker = handleTest ./k3s-single-node-docker.nix {}; kafka = handleTest ./kafka.nix {}; + kanidm = handleTest ./kanidm.nix {}; kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {}; kbd-update-search-paths-patch = handleTest ./kbd-update-search-paths-patch.nix {}; kea = handleTest ./kea.nix {}; @@ -283,7 +289,6 @@ in loki = handleTest ./loki.nix {}; lvm2 = handleTest ./lvm2 {}; lxd = handleTest ./lxd.nix {}; - lxd-image = handleTest ./lxd-image.nix {}; lxd-nftables = handleTest ./lxd-nftables.nix {}; lxd-image-server = handleTest ./lxd-image-server.nix {}; #logstash = handleTest ./logstash.nix {}; @@ -298,9 +303,9 @@ in mariadb-galera = handleTest ./mysql/mariadb-galera.nix {}; mastodon = handleTestOn ["x86_64-linux" "i686-linux" "aarch64-linux"] ./web-apps/mastodon.nix {}; matomo = handleTest ./matomo.nix {}; - matrix-appservice-irc = handleTest ./matrix-appservice-irc.nix {}; - matrix-conduit = handleTest ./matrix-conduit.nix {}; - matrix-synapse = handleTest ./matrix-synapse.nix {}; + matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {}; + matrix-conduit = handleTest ./matrix/conduit.nix {}; + matrix-synapse = handleTest ./matrix/synapse.nix {}; mattermost = handleTest ./mattermost.nix {}; mediatomb = handleTest ./mediatomb.nix {}; mediawiki = handleTest ./mediawiki.nix {}; @@ -363,6 +368,7 @@ in nginx = handleTest ./nginx.nix {}; nginx-auth = handleTest ./nginx-auth.nix {}; nginx-etag = handleTest ./nginx-etag.nix {}; + nginx-http3 = handleTest ./nginx-http3.nix {}; nginx-modsecurity = handleTest ./nginx-modsecurity.nix {}; nginx-pubhtml = handleTest ./nginx-pubhtml.nix {}; nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; @@ -418,9 +424,9 @@ in pgjwt = handleTest ./pgjwt.nix {}; pgmanage = handleTest ./pgmanage.nix {}; php = handleTest ./php {}; - php74 = handleTest ./php { php = pkgs.php74; }; php80 = handleTest ./php { php = pkgs.php80; }; php81 = handleTest ./php { php = pkgs.php81; }; + phylactery = handleTest ./web-apps/phylactery.nix {}; pict-rs = handleTest ./pict-rs.nix {}; pinnwand = handleTest ./pinnwand.nix {}; plasma5 = handleTest ./plasma5.nix {}; @@ -455,6 +461,8 @@ in proxy = handleTest ./proxy.nix {}; prowlarr = handleTest ./prowlarr.nix {}; pt2-clone = handleTest ./pt2-clone.nix {}; + pykms = handleTest ./pykms.nix {}; + public-inbox = handleTest ./public-inbox.nix {}; pulseaudio = discoverTests (import ./pulseaudio.nix); qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {}; quorum = handleTest ./quorum.nix {}; @@ -468,7 +476,6 @@ in restartByActivationScript = handleTest ./restart-by-activation-script.nix {}; restic = handleTest ./restic.nix {}; retroarch = handleTest ./retroarch.nix {}; - riak = handleTest ./riak.nix {}; robustirc-bridge = handleTest ./robustirc-bridge.nix {}; roundcube = handleTest ./roundcube.nix {}; rspamd = handleTest ./rspamd.nix {}; @@ -481,6 +488,7 @@ in samba = handleTest ./samba.nix {}; samba-wsdd = handleTest ./samba-wsdd.nix {}; sanoid = handleTest ./sanoid.nix {}; + schleuder = handleTest ./schleuder.nix {}; sddm = handleTest ./sddm.nix {}; seafile = handleTest ./seafile.nix {}; searx = handleTest ./searx.nix {}; @@ -524,6 +532,7 @@ in systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-escaping = handleTest ./systemd-escaping.nix {}; + systemd-initrd-btrfs-raid = handleTest ./systemd-initrd-btrfs-raid.nix {}; systemd-initrd-luks-keyfile = handleTest ./systemd-initrd-luks-keyfile.nix {}; systemd-initrd-luks-password = handleTest ./systemd-initrd-luks-password.nix {}; systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; }; @@ -572,8 +581,10 @@ in unifi = handleTest ./unifi.nix {}; unit-php = handleTest ./web-servers/unit-php.nix {}; upnp = handleTest ./upnp.nix {}; + uptermd = handleTest ./uptermd.nix {}; usbguard = handleTest ./usbguard.nix {}; user-activation-scripts = handleTest ./user-activation-scripts.nix {}; + user-home-mode = handleTest ./user-home-mode.nix {}; uwsgi = handleTest ./uwsgi.nix {}; v2ray = handleTest ./v2ray.nix {}; vault = handleTest ./vault.nix {}; @@ -606,6 +617,7 @@ in yabar = handleTest ./yabar.nix {}; yggdrasil = handleTest ./yggdrasil.nix {}; zammad = handleTest ./zammad.nix {}; + zeronet-conservancy = handleTest ./zeronet-conservancy.nix {}; zfs = handleTest ./zfs.nix {}; zigbee2mqtt = handleTest ./zigbee2mqtt.nix {}; zoneminder = handleTest ./zoneminder.nix {}; diff --git a/nixos/tests/bazarr.nix b/nixos/tests/bazarr.nix index c3337611aa2..efcd9de0108 100644 --- a/nixos/tests/bazarr.nix +++ b/nixos/tests/bazarr.nix @@ -20,7 +20,7 @@ in testScript = '' machine.wait_for_unit("bazarr.service") - machine.wait_for_open_port("${toString port}") + machine.wait_for_open_port(port) machine.succeed("curl --fail http://localhost:${toString port}/") ''; }) diff --git a/nixos/tests/btrbk-no-timer.nix b/nixos/tests/btrbk-no-timer.nix new file mode 100644 index 00000000000..4fcab8839c8 --- /dev/null +++ b/nixos/tests/btrbk-no-timer.nix @@ -0,0 +1,37 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: + { + name = "btrbk-no-timer"; + meta.maintainers = with lib.maintainers; [ oxalica ]; + + nodes.machine = { ... }: { + environment.systemPackages = with pkgs; [ btrfs-progs ]; + services.btrbk.instances.local = { + onCalendar = null; + settings.volume."/mnt" = { + snapshot_dir = "btrbk/local"; + subvolume = "to_backup"; + }; + }; + }; + + testScript = '' + start_all() + + # Create btrfs partition at /mnt + machine.succeed("truncate --size=128M /data_fs") + machine.succeed("mkfs.btrfs /data_fs") + machine.succeed("mkdir /mnt") + machine.succeed("mount /data_fs /mnt") + machine.succeed("btrfs subvolume create /mnt/to_backup") + machine.succeed("mkdir -p /mnt/btrbk/local") + + # The service should not have any triggering timer. + unit = machine.get_unit_info('btrbk-local.service') + assert "TriggeredBy" not in unit + + # Manually starting the service should still work. + machine.succeed("echo foo > /mnt/to_backup/bar") + machine.start_job("btrbk-local.service") + machine.wait_until_succeeds("cat /mnt/btrbk/local/*/bar | grep foo") + ''; + }) diff --git a/nixos/tests/caddy.nix b/nixos/tests/caddy.nix index 16436ab5280..c4abd33d039 100644 --- a/nixos/tests/caddy.nix +++ b/nixos/tests/caddy.nix @@ -61,7 +61,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { '' url = "http://localhost/example.html" webserver.wait_for_unit("caddy") - webserver.wait_for_open_port("80") + webserver.wait_for_open_port(80) def check_etag(url): @@ -95,13 +95,13 @@ import ./make-test-python.nix ({ pkgs, ... }: { webserver.succeed( "${justReloadSystem}/bin/switch-to-configuration test >&2" ) - webserver.wait_for_open_port("8080") + webserver.wait_for_open_port(8080) with subtest("multiple configs are correctly merged"): webserver.succeed( "${multipleConfigs}/bin/switch-to-configuration test >&2" ) - webserver.wait_for_open_port("8080") - webserver.wait_for_open_port("8081") + webserver.wait_for_open_port(8080) + webserver.wait_for_open_port(8081) ''; }) diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 3815dca7622..6b296fe8a61 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -45,12 +45,14 @@ mapAttrs (channel: chromiumPkg: makeTest { enableOCR = true; - machine.imports = [ ./common/user-account.nix ./common/x11.nix ]; - machine.virtualisation.memorySize = 2047; - machine.test-support.displayManager.auto.user = user; - machine.environment = { - systemPackages = [ chromiumPkg ]; - variables."XAUTHORITY" = "/home/alice/.Xauthority"; + nodes.machine = { ... }: { + imports = [ ./common/user-account.nix ./common/x11.nix ]; + virtualisation.memorySize = 2047; + test-support.displayManager.auto.user = user; + environment = { + systemPackages = [ chromiumPkg ]; + variables."XAUTHORITY" = "/home/alice/.Xauthority"; + }; }; testScript = let diff --git a/nixos/tests/common/lxd/config.yaml b/nixos/tests/common/lxd/config.yaml new file mode 100644 index 00000000000..3bb667ed43f --- /dev/null +++ b/nixos/tests/common/lxd/config.yaml @@ -0,0 +1,24 @@ +storage_pools: + - name: default + driver: dir + config: + source: /var/lxd-pool + +networks: + - name: lxdbr0 + type: bridge + config: + ipv4.address: auto + ipv6.address: none + +profiles: + - name: default + devices: + eth0: + name: eth0 + network: lxdbr0 + type: nic + root: + path: / + pool: default + type: disk diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index 9894e664376..e8740ac6313 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let in { name = "containers-custom-pkgs"; meta = { - maintainers = with lib.maintainers; [ adisbladis earvstedt ]; + maintainers = with lib.maintainers; [ adisbladis erikarvstedt ]; }; nodes.machine = { config, ... }: { diff --git a/nixos/tests/containers-ephemeral.nix b/nixos/tests/containers-ephemeral.nix index c9fe2778cac..cb4b7d4eba0 100644 --- a/nixos/tests/containers-ephemeral.nix +++ b/nixos/tests/containers-ephemeral.nix @@ -33,10 +33,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed("nixos-container start webserver") with subtest("Container got its own root folder"): - machine.succeed("ls /run/containers/webserver") + machine.succeed("ls /run/nixos-containers/webserver") with subtest("Container persistent directory is not created"): - machine.fail("ls /var/lib/containers/webserver") + machine.fail("ls /var/lib/nixos-containers/webserver") # Since "start" returns after the container has reached # multi-user.target, we should now be able to access it. @@ -49,6 +49,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.fail(f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null") with subtest("Container's root folder was removed"): - machine.fail("ls /run/containers/webserver") + machine.fail("ls /run/nixos-containers/webserver") ''; }) diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 44d2e50288b..3007efaf887 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -18,8 +18,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { # container available within the VM, because we don't have network access. virtualisation.additionalPaths = let emptyContainer = import ../lib/eval-config.nix { - inherit (config.nixpkgs.localSystem) system; modules = lib.singleton { + nixpkgs = { inherit (config.nixpkgs) localSystem; }; + containers.foo.config = { system.stateVersion = "18.03"; }; @@ -69,8 +70,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { with subtest(f"Put the root of {id2} into a bind mount"): machine.succeed( - f"mv /var/lib/containers/{id2} /id2-bindmount", - f"mount --bind /id2-bindmount /var/lib/containers/{id1}", + f"mv /var/lib/nixos-containers/{id2} /id2-bindmount", + f"mount --bind /id2-bindmount /var/lib/nixos-containers/{id1}", ) ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip() @@ -88,7 +89,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { "Create a directory with a dummy file and bind-mount it into both containers." ): for id in id1, id2: - important_path = f"/var/lib/containers/{id}/very/important/data" + important_path = f"/var/lib/nixos-containers/{id}/very/important/data" machine.succeed( f"mkdir -p {important_path}", f"mount --bind /nested-bindmount {important_path}", @@ -154,13 +155,13 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed("grep -qF 'important data' /nested-bindmount/dummy") with subtest("Ensure that the container path is gone"): - print(machine.succeed("ls -lsa /var/lib/containers")) - machine.succeed(f"test ! -e /var/lib/containers/{id1}") + print(machine.succeed("ls -lsa /var/lib/nixos-containers")) + machine.succeed(f"test ! -e /var/lib/nixos-containers/{id1}") with subtest("Ensure that a failed container creation doesn'leave any state"): machine.fail( "nixos-container create b0rk --config-file ${brokenCfg}" ) - machine.succeed("test ! -e /var/lib/containers/b0rk") + machine.succeed("test ! -e /var/lib/nixos-containers/b0rk") ''; }) diff --git a/nixos/tests/containers-tmpfs.nix b/nixos/tests/containers-tmpfs.nix index 7a2c835b120..cf5b81656af 100644 --- a/nixos/tests/containers-tmpfs.nix +++ b/nixos/tests/containers-tmpfs.nix @@ -62,7 +62,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed( tmpfs_cmd("touch /root/test.file"), tmpfs_cmd("ls -l /root | grep -q test.file"), - "test -e /var/lib/containers/tmpfs/root/test.file", + "test -e /var/lib/nixos-containers/tmpfs/root/test.file", ) with subtest( @@ -73,7 +73,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { tmpfs_cmd("touch /some/random/path/test.file"), tmpfs_cmd("test -e /some/random/path/test.file"), ) - machine.fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file") + machine.fail("test -e /var/lib/nixos-containers/tmpfs/some/random/path/test.file") with subtest( "files created in the hosts container dir in a path where a tmpfs " @@ -81,9 +81,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { + "the do not exist in the tmpfs" ): machine.succeed( - "touch /var/lib/containers/tmpfs/var/test.file", - "test -e /var/lib/containers/tmpfs/var/test.file", - "ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null", + "touch /var/lib/nixos-containers/tmpfs/var/test.file", + "test -e /var/lib/nixos-containers/tmpfs/var/test.file", + "ls -l /var/lib/nixos-containers/tmpfs/var/ | grep -q test.file 2>/dev/null", ) machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file")) ''; diff --git a/nixos/tests/convos.nix b/nixos/tests/convos.nix index a13870d1708..cc0c2e75893 100644 --- a/nixos/tests/convos.nix +++ b/nixos/tests/convos.nix @@ -23,7 +23,7 @@ in testScript = '' machine.wait_for_unit("convos") - machine.wait_for_open_port("${toString port}") + machine.wait_for_open_port(${toString port}) machine.succeed("journalctl -u convos | grep -q 'Listening at.*${toString port}'") machine.succeed("curl -f http://localhost:${toString port}/") ''; diff --git a/nixos/tests/cryptpad.nix b/nixos/tests/cryptpad.nix index 895f291abac..db271f937ef 100644 --- a/nixos/tests/cryptpad.nix +++ b/nixos/tests/cryptpad.nix @@ -12,7 +12,7 @@ with lib; testScript = '' machine.wait_for_unit("cryptpad.service") - machine.wait_for_open_port("3000") + machine.wait_for_open_port(3000) machine.succeed("curl -L --fail http://localhost:3000/sheet") ''; }) diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix index 60c6c82223a..73e47c3c9d0 100644 --- a/nixos/tests/custom-ca.nix +++ b/nixos/tests/custom-ca.nix @@ -1,11 +1,18 @@ # Checks that `security.pki` options are working in curl and the main browser -# engines: Gecko (via Firefox), Chromium, QtWebEngine (Falkon) and WebKitGTK -# (via Midori). The test checks that certificates issued by a custom trusted -# CA are accepted but those from an unknown CA are rejected. +# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and +# WebKitGTK (via Midori). The test checks that certificates issued by a custom +# trusted CA are accepted but those from an unknown CA are rejected. -import ./make-test-python.nix ({ pkgs, lib, ... }: +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; let + inherit (pkgs) lib; + makeCert = { caName, domain }: pkgs.runCommand "example-cert" { buildInputs = [ pkgs.gnutls ]; } '' @@ -68,24 +75,8 @@ let domain = "bad.example.com"; }; -in - -{ - name = "custom-ca"; - meta.maintainers = with lib.maintainers; [ rnhmjoj ]; - - enableOCR = true; - - nodes.machine = { pkgs, ... }: - { imports = [ ./common/user-account.nix ./common/x11.nix ]; - - # chromium-based browsers refuse to run as root - test-support.displayManager.auto.user = "alice"; - - # browsers may hang with the default memory - virtualisation.memorySize = 600; - - networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ]; + webserverConfig = + { networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ]; security.pki.certificateFiles = [ "${example-good-cert}/ca.crt" ]; services.nginx.enable = true; @@ -107,73 +98,98 @@ in return 200 'It does not work!'; ''; }; - - environment.systemPackages = with pkgs; [ - xdotool - firefox - chromium - qutebrowser - midori - ]; }; - testScript = '' - from typing import Tuple - def execute_as(user: str, cmd: str) -> Tuple[int, str]: - """ - Run a shell command as a specific user. - """ - return machine.execute(f"sudo -u {user} {cmd}") - - - def wait_for_window_as(user: str, cls: str) -> None: - """ - Wait until a X11 window of a given user appears. - """ - - def window_is_visible(last_try: bool) -> bool: - ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}") - if last_try: - machine.log(f"Last chance to match {cls} on the window list") - return ret == 0 - - with machine.nested("Waiting for a window to appear"): - retry(window_is_visible) - - - machine.start() - - with subtest("Good certificate is trusted in curl"): - machine.wait_for_unit("nginx") - machine.wait_for_open_port(443) - machine.succeed("curl -fv https://good.example.com") - - with subtest("Unknown CA is untrusted in curl"): - machine.fail("curl -fv https://bad.example.com") - - browsers = { - "firefox": "Security Risk", - "chromium": "not private", - "qutebrowser -T": "Certificate error", - "midori": "Security" - } - - machine.wait_for_x() - for command, error in browsers.items(): - browser = command.split()[0] - with subtest("Good certificate is trusted in " + browser): - execute_as( - "alice", f"{command} https://good.example.com >&2 &" - ) - wait_for_window_as("alice", browser) - machine.wait_for_text("It works!") - machine.screenshot("good" + browser) - execute_as("alice", "xdotool key ctrl+w") # close tab - - with subtest("Unknown CA is untrusted in " + browser): - execute_as("alice", f"{command} https://bad.example.com >&2 &") - machine.wait_for_text(error) - machine.screenshot("bad" + browser) - machine.succeed("pkill -f " + browser) - ''; -}) + curlTest = makeTest { + name = "custom-ca-curl"; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + nodes.machine = { ... }: webserverConfig; + testScript = '' + with subtest("Good certificate is trusted in curl"): + machine.wait_for_unit("nginx") + machine.wait_for_open_port(443) + machine.succeed("curl -fv https://good.example.com") + + with subtest("Unknown CA is untrusted in curl"): + machine.fail("curl -fv https://bad.example.com") + ''; + }; + + mkBrowserTest = browser: testParams: makeTest { + name = "custom-ca-${browser}"; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + + enableOCR = true; + + nodes.machine = { pkgs, ... }: + { imports = + [ ./common/user-account.nix + ./common/x11.nix + webserverConfig + ]; + + # chromium-based browsers refuse to run as root + test-support.displayManager.auto.user = "alice"; + + # browsers may hang with the default memory + virtualisation.memorySize = 600; + + environment.systemPackages = [ pkgs.xdotool pkgs.${browser} ]; + }; + + testScript = '' + from typing import Tuple + def execute_as(user: str, cmd: str) -> Tuple[int, str]: + """ + Run a shell command as a specific user. + """ + return machine.execute(f"sudo -u {user} {cmd}") + + + def wait_for_window_as(user: str, cls: str) -> None: + """ + Wait until a X11 window of a given user appears. + """ + + def window_is_visible(last_try: bool) -> bool: + ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}") + if last_try: + machine.log(f"Last chance to match {cls} on the window list") + return ret == 0 + + with machine.nested("Waiting for a window to appear"): + retry(window_is_visible) + + + machine.start() + machine.wait_for_x() + + command = "${browser} ${testParams.args or ""}" + with subtest("Good certificate is trusted in ${browser}"): + execute_as( + "alice", f"{command} https://good.example.com >&2 &" + ) + wait_for_window_as("alice", "${browser}") + machine.sleep(4) + execute_as("alice", "xdotool key ctrl+r") # reload to be safe + machine.wait_for_text("It works!") + machine.screenshot("good${browser}") + execute_as("alice", "xdotool key ctrl+w") # close tab + + with subtest("Unknown CA is untrusted in ${browser}"): + execute_as("alice", f"{command} https://bad.example.com >&2 &") + machine.wait_for_text("${testParams.error}") + machine.screenshot("bad${browser}") + ''; + }; + +in + +{ + curl = curlTest; +} // pkgs.lib.mapAttrs mkBrowserTest { + firefox = { error = "Security Risk"; }; + chromium = { error = "not private"; }; + qutebrowser = { args = "-T"; error = "Certificate error"; }; + midori = { error = "Security"; }; +} diff --git a/nixos/tests/deluge.nix b/nixos/tests/deluge.nix index 33c57ce7c36..0cd1d21870a 100644 --- a/nixos/tests/deluge.nix +++ b/nixos/tests/deluge.nix @@ -47,7 +47,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { simple.wait_for_unit("deluged") simple.wait_for_unit("delugeweb") - simple.wait_for_open_port("8112") + simple.wait_for_open_port(8112) declarative.wait_for_unit("network.target") declarative.wait_until_succeeds("curl --fail http://simple:8112") diff --git a/nixos/tests/docker-edge.nix b/nixos/tests/docker-edge.nix deleted file mode 100644 index c6a1a083018..00000000000 --- a/nixos/tests/docker-edge.nix +++ /dev/null @@ -1,49 +0,0 @@ -# This test runs docker and checks if simple container starts - -import ./make-test-python.nix ({ pkgs, ...} : { - name = "docker"; - meta = with pkgs.lib.maintainers; { - maintainers = [ nequissimus offline ]; - }; - - nodes = { - docker = - { pkgs, ... }: - { - virtualisation.docker.enable = true; - virtualisation.docker.package = pkgs.docker-edge; - - users.users = { - noprivs = { - isNormalUser = true; - description = "Can't access the docker daemon"; - password = "foobar"; - }; - - hasprivs = { - isNormalUser = true; - description = "Can access the docker daemon"; - password = "foobar"; - extraGroups = [ "docker" ]; - }; - }; - }; - }; - - testScript = '' - start_all() - - docker.wait_for_unit("sockets.target") - docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg") - docker.succeed( - "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" - ) - docker.succeed("docker ps | grep sleeping") - docker.succeed("sudo -u hasprivs docker ps") - docker.fail("sudo -u noprivs docker ps") - docker.succeed("docker stop sleeping") - - # Must match version 4 times to ensure client and server git commits and versions are correct - docker.succeed('[ $(docker version | grep ${pkgs.docker-edge.version} | wc -l) = "4" ]') - ''; -}) diff --git a/nixos/tests/docker-registry.nix b/nixos/tests/docker-registry.nix index 1d449db4519..316b7c9b972 100644 --- a/nixos/tests/docker-registry.nix +++ b/nixos/tests/docker-registry.nix @@ -35,7 +35,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { registry.start() registry.wait_for_unit("docker-registry.service") - registry.wait_for_open_port("8080") + registry.wait_for_open_port(8080) client1.succeed("docker push registry:8080/scratch") client2.start() diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 80859ac7a96..99a968f17af 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -419,5 +419,10 @@ import ./make-test-python.nix ({ pkgs, ... }: { "docker rmi layered-image-with-path", ) + with subtest("etc"): + docker.succeed("${examples.etc} | docker load") + docker.succeed("docker run --rm etc | grep localhost") + docker.succeed("docker image rm etc:latest") + ''; }) diff --git a/nixos/tests/ecryptfs.nix b/nixos/tests/ecryptfs.nix index e3cfb2ed998..1c67d307a00 100644 --- a/nixos/tests/ecryptfs.nix +++ b/nixos/tests/ecryptfs.nix @@ -11,16 +11,16 @@ import ./make-test-python.nix ({ ... }: testScript = '' def login_as_alice(): - machine.wait_until_tty_matches(1, "login: ") + machine.wait_until_tty_matches("1", "login: ") machine.send_chars("alice\n") - machine.wait_until_tty_matches(1, "Password: ") + machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("foobar\n") - machine.wait_until_tty_matches(1, "alice\@machine") + machine.wait_until_tty_matches("1", "alice\@machine") def logout(): machine.send_chars("logout\n") - machine.wait_until_tty_matches(1, "login: ") + machine.wait_until_tty_matches("1", "login: ") machine.wait_for_unit("default.target") @@ -36,7 +36,7 @@ import ./make-test-python.nix ({ ... }: with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"): login_as_alice() machine.send_chars("logout\n") - machine.wait_until_tty_matches(1, "login: ") + machine.wait_until_tty_matches("1", "login: ") # Why do I need to do this?? machine.succeed("su alice -c ecryptfs-umount-private || true") diff --git a/nixos/tests/extra-python-packages.nix b/nixos/tests/extra-python-packages.nix new file mode 100644 index 00000000000..7a48077cf98 --- /dev/null +++ b/nixos/tests/extra-python-packages.nix @@ -0,0 +1,13 @@ +import ./make-test-python.nix ({ ... }: + { + name = "extra-python-packages"; + + extraPythonPackages = p: [ p.numpy ]; + + nodes = { }; + + testScript = '' + import numpy as np + assert str(np.zeros(4) == "array([0., 0., 0., 0.])") + ''; + }) diff --git a/nixos/tests/fcitx/default.nix b/nixos/tests/fcitx/default.nix index 78b322d351d..c132249fcb2 100644 --- a/nixos/tests/fcitx/default.nix +++ b/nixos/tests/fcitx/default.nix @@ -5,6 +5,7 @@ import ../make-test-python.nix ( # copy_from_host works only for store paths rec { name = "fcitx"; + meta.broken = true; # takes hours to time out since October 2021 nodes.machine = { pkgs, diff --git a/nixos/tests/firefox.nix b/nixos/tests/firefox.nix index c773368a3e6..63ccc6efb5b 100644 --- a/nixos/tests/firefox.nix +++ b/nixos/tests/firefox.nix @@ -54,7 +54,7 @@ import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: { @contextmanager - def audio_recording(machine: Machine) -> None: + def record_audio(machine: Machine): """ Perform actions while recording the machine audio output. @@ -64,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: { machine.systemctl("stop audio-recorder") - def wait_for_sound(machine: Machine) -> None: + def wait_for_sound(machine: Machine): """ Wait until any sound has been emitted. """ @@ -94,7 +94,7 @@ import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: { machine.sleep(40) with subtest("Check whether Firefox can play sound"): - with audio_recording(machine): + with record_audio(machine): machine.succeed( "firefox file://${pkgs.sound-theme-freedesktop}/share/sounds/freedesktop/stereo/phone-incoming-call.oga >&2 &" ) diff --git a/nixos/tests/freeswitch.nix b/nixos/tests/freeswitch.nix index bcc6a9cb358..bfb7339ec3c 100644 --- a/nixos/tests/freeswitch.nix +++ b/nixos/tests/freeswitch.nix @@ -24,6 +24,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { testScript = '' node0.wait_for_unit("freeswitch.service") # Wait for SIP port to be open - node0.wait_for_open_port("5060") + node0.wait_for_open_port(5060) ''; }) diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix index e1916ed36f3..4f7d3f07f06 100644 --- a/nixos/tests/gitlab.nix +++ b/nixos/tests/gitlab.nix @@ -1,9 +1,31 @@ -# This test runs gitlab and checks if it works +# This test runs gitlab and performs the following tests: +# - Creating users +# - Pushing commits +# - over the API +# - over SSH +# - Creating Merge Requests and merging them +# - Opening and closing issues. +# - Downloading repository archives as tar.gz and tar.bz2 +import ./make-test-python.nix ({ pkgs, lib, ... }: + +with lib; let + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; initialRootPassword = "notproduction"; -in -import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { + rootProjectId = "2"; + + aliceUsername = "alice"; + aliceUserId = "2"; + alicePassword = "alicepassword"; + aliceProjectId = "2"; + aliceProjectName = "test-alice"; + + bobUsername = "bob"; + bobUserId = "3"; + bobPassword = "bobpassword"; + bobProjectId = "3"; +in { name = "gitlab"; meta = with pkgs.lib.maintainers; { maintainers = [ globin yayayayaka ]; @@ -31,6 +53,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { }; }; + services.openssh.enable = true; + services.dovecot2 = { enable = true; enableImap = true; @@ -77,8 +101,43 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { password = initialRootPassword; }); - createProject = pkgs.writeText "create-project.json" (builtins.toJSON { - name = "test"; + createUserAlice = pkgs.writeText "create-user-alice.json" (builtins.toJSON rec { + username = aliceUsername; + name = username; + email = "alice@localhost"; + password = alicePassword; + skip_confirmation = true; + }); + + createUserBob = pkgs.writeText "create-user-bob.json" (builtins.toJSON rec { + username = bobUsername; + name = username; + email = "bob@localhost"; + password = bobPassword; + skip_confirmation = true; + }); + + aliceAuth = pkgs.writeText "alice-auth.json" (builtins.toJSON { + grant_type = "password"; + username = aliceUsername; + password = alicePassword; + }); + + bobAuth = pkgs.writeText "bob-auth.json" (builtins.toJSON { + grant_type = "password"; + username = bobUsername; + password = bobPassword; + }); + + aliceAddSSHKey = pkgs.writeText "alice-add-ssh-key.json" (builtins.toJSON { + id = aliceUserId; + title = "snakeoil@nixos"; + key = snakeOilPublicKey; + }); + + createProjectAlice = pkgs.writeText "create-project-alice.json" (builtins.toJSON { + name = aliceProjectName; + visibility = "public"; }); putFile = pkgs.writeText "put-file.json" (builtins.toJSON { @@ -89,6 +148,23 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { commit_message = "create a new file"; }); + mergeRequest = pkgs.writeText "merge-request.json" (builtins.toJSON { + id = bobProjectId; + target_project_id = aliceProjectId; + source_branch = "master"; + target_branch = "master"; + title = "Add some other file"; + }); + + newIssue = pkgs.writeText "new-issue.json" (builtins.toJSON { + title = "useful issue title"; + }); + + closeIssue = pkgs.writeText "close-issue.json" (builtins.toJSON { + issue_iid = 1; + state_event = "close"; + }); + # Wait for all GitLab services to be fully started. waitForServices = '' gitlab.wait_for_unit("gitaly.service") @@ -105,6 +181,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { # The actual test of GitLab. Only push data to GitLab if # `doSetup` is is true. test = doSetup: '' + GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null" + gitlab.succeed( "curl -isSf http://gitlab | grep -i location | grep http://gitlab/users/sign_in" ) @@ -115,27 +193,222 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { "echo \"Authorization: Bearer $(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers" ) '' + optionalString doSetup '' - gitlab.succeed( - """[ "$(curl -o /dev/null -w '%{http_code}' -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects)" = "201" ]""" - ) - gitlab.succeed( - """[ "$(curl -o /dev/null -w '%{http_code}' -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/2/repository/files/some-file.txt)" = "201" ]""" - ) + with subtest("Create user Alice"): + gitlab.succeed( + """[ "$(curl -o /dev/null -w '%{http_code}' -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createUserAlice} http://gitlab/api/v4/users)" = "201" ]""" + ) + gitlab.succeed( + "echo \"Authorization: Bearer $(curl -X POST -H 'Content-Type: application/json' -d @${aliceAuth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers-alice" + ) + + with subtest("Create user Bob"): + gitlab.succeed( + """ [ "$(curl -o /dev/null -w '%{http_code}' -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createUserBob} http://gitlab/api/v4/users)" = "201" ]""" + ) + gitlab.succeed( + "echo \"Authorization: Bearer $(curl -X POST -H 'Content-Type: application/json' -d @${bobAuth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers-bob" + ) + + with subtest("Setup Git and SSH for Alice"): + gitlab.succeed("git config --global user.name Alice") + gitlab.succeed("git config --global user.email alice@nixos.invalid") + gitlab.succeed("mkdir -m 700 /root/.ssh") + gitlab.succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa") + gitlab.succeed("chmod 600 /root/.ssh/id_ecdsa") + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-alice -d @${aliceAddSSHKey} \ + http://gitlab/api/v4/user/keys)" = "201" ] + """ + ) + + with subtest("Create a new repository"): + # Alice creates a new repository + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-alice \ + -d @${createProjectAlice} \ + http://gitlab/api/v4/projects)" = "201" ] + """ + ) + + # Alice commits an initial commit + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-alice \ + -d @${putFile} \ + http://gitlab/api/v4/projects/${aliceProjectId}/repository/files/some-file.txt)" = "201" ]""" + ) + + with subtest("git clone over HTTP"): + gitlab.succeed( + """git clone http://gitlab/alice/${aliceProjectName}.git clone-via-http""", + timeout=15 + ) + + with subtest("Push a commit via SSH"): + gitlab.succeed( + f"""GIT_SSH_COMMAND="{GIT_SSH_COMMAND}" git clone gitlab@gitlab:alice/${aliceProjectName}.git""", + timeout=15 + ) + gitlab.succeed( + """echo "a commit sent over ssh" > ${aliceProjectName}/ssh.txt""" + ) + gitlab.succeed( + """ + cd ${aliceProjectName} || exit 1 + git add . + """ + ) + gitlab.succeed( + """ + cd ${aliceProjectName} || exit 1 + git commit -m "Add a commit to be sent over ssh" + """ + ) + gitlab.succeed( + f""" + cd ${aliceProjectName} || exit 1 + GIT_SSH_COMMAND="{GIT_SSH_COMMAND}" git push --set-upstream origin master + """, + timeout=15 + ) + + with subtest("Fork a project"): + # Bob forks Alice's project + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-bob \ + http://gitlab/api/v4/projects/${aliceProjectId}/fork)" = "201" ] + """ + ) + + # Bob creates a commit + gitlab.wait_until_succeeds( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-bob \ + -d @${putFile} \ + http://gitlab/api/v4/projects/${bobProjectId}/repository/files/some-other-file.txt)" = "201" ] + """ + ) + + with subtest("Create a Merge Request"): + # Bob opens a merge request against Alice's repository + gitlab.wait_until_succeeds( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-bob \ + -d @${mergeRequest} \ + http://gitlab/api/v4/projects/${bobProjectId}/merge_requests)" = "201" ] + """ + ) + + # Alice merges the MR + gitlab.wait_until_succeeds( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X PUT \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-alice \ + -d @${mergeRequest} \ + http://gitlab/api/v4/projects/${aliceProjectId}/merge_requests/1/merge)" = "200" ] + """ + ) + + with subtest("Create an Issue"): + # Bob opens an issue on Alice's repository + gitlab.succeed( + """[ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X POST \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-bob \ + -d @${newIssue} \ + http://gitlab/api/v4/projects/${aliceProjectId}/issues)" = "201" ] + """ + ) + + # Alice closes the issue + gitlab.wait_until_succeeds( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -X PUT \ + -H 'Content-Type: application/json' \ + -H @/tmp/headers-alice -d @${closeIssue} http://gitlab/api/v4/projects/${aliceProjectId}/issues/1)" = "200" ] + """ + ) '' + '' - gitlab.succeed( - """[ "$(curl -o /dev/null -w '%{http_code}' -H @/tmp/headers http://gitlab/api/v4/projects/2/repository/archive.tar.gz)" = "200" ]""" - ) - gitlab.succeed( - """curl -H @/tmp/headers http://gitlab/api/v4/projects/2/repository/archive.tar.gz > /tmp/archive.tar.gz""" - ) - gitlab.succeed( - """[ "$(curl -o /dev/null -w '%{http_code}' -H @/tmp/headers http://gitlab/api/v4/projects/2/repository/archive.tar.bz2)" = "200" ]""" - ) - gitlab.succeed( - """curl -o /dev/null -w '%{http_code}' -H @/tmp/headers http://gitlab/api/v4/projects/2/repository/archive.tar.bz2 > /tmp/archive.tar.bz2""" - ) - gitlab.succeed("test -s /tmp/archive.tar.gz") - gitlab.succeed("test -s /tmp/archive.tar.bz2") + with subtest("Download archive.tar.gz"): + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -H @/tmp/headers-alice \ + http://gitlab/api/v4/projects/${aliceProjectId}/repository/archive.tar.gz)" = "200" ] + """ + ) + gitlab.succeed( + """ + curl \ + -H @/tmp/headers-alice \ + http://gitlab/api/v4/projects/${aliceProjectId}/repository/archive.tar.gz > /tmp/archive.tar.gz + """ + ) + gitlab.succeed("test -s /tmp/archive.tar.gz") + + with subtest("Download archive.tar.bz2"): + gitlab.succeed( + """ + [ "$(curl \ + -o /dev/null \ + -w '%{http_code}' \ + -H @/tmp/headers-alice \ + http://gitlab/api/v4/projects/${aliceProjectId}/repository/archive.tar.bz2)" = "200" ] + """ + ) + gitlab.succeed( + """ + curl \ + -H @/tmp/headers-alice \ + http://gitlab/api/v4/projects/${aliceProjectId}/repository/archive.tar.bz2 > /tmp/archive.tar.bz2 + """ + ) + gitlab.succeed("test -s /tmp/archive.tar.bz2") ''; in '' diff --git a/nixos/tests/gitolite.nix b/nixos/tests/gitolite.nix index 128677cebde..9b3af59e4fb 100644 --- a/nixos/tests/gitolite.nix +++ b/nixos/tests/gitolite.nix @@ -107,7 +107,7 @@ in with subtest("gitolite server starts"): server.wait_for_unit("gitolite-init.service") server.wait_for_unit("sshd.service") - client.succeed("ssh gitolite@server info") + client.succeed("ssh -n gitolite@server info") with subtest("admin can clone and configure gitolite-admin.git"): client.succeed( diff --git a/nixos/tests/gocd-agent.nix b/nixos/tests/gocd-agent.nix index 686d0b971d3..9301a88ec05 100644 --- a/nixos/tests/gocd-agent.nix +++ b/nixos/tests/gocd-agent.nix @@ -36,7 +36,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { testScript = '' start_all() agent.wait_for_unit("gocd-server") - agent.wait_for_open_port("8153") + agent.wait_for_open_port(8153) agent.wait_for_unit("gocd-agent") agent.wait_until_succeeds( "curl ${serverUrl} -H '${header}' | ${pkgs.jq}/bin/jq -e ._embedded.agents[0].uuid" diff --git a/nixos/tests/grafana-agent.nix b/nixos/tests/grafana-agent.nix new file mode 100644 index 00000000000..a9f34d8cea3 --- /dev/null +++ b/nixos/tests/grafana-agent.nix @@ -0,0 +1,32 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: + + let + nodes = { + machine = { + services.grafana-agent = { + enable = true; + }; + }; + }; + in + { + name = "grafana-agent"; + + meta = with lib.maintainers; { + maintainers = [ zimbatm ]; + }; + + inherit nodes; + + testScript = '' + start_all() + + with subtest("Grafana-agent is running"): + machine.wait_for_unit("grafana-agent.service") + machine.wait_for_open_port(12345) + machine.succeed( + "curl -sSfN http://127.0.0.1:12345/-/healthy" + ) + machine.shutdown() + ''; + }) diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 10f9cb05c9c..59b82593abc 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -98,9 +98,26 @@ in { }; lovelaceConfigWritable = true; }; + + # Cause a configuration change inside `configuration.yml` and verify that the process is being reloaded. + specialisation.differentName = { + inheritParentConfig = true; + configuration.services.home-assistant.config.homeassistant.name = lib.mkForce "Test Home"; + }; + + # Cause a configuration change that requires a service restart as we added a new runtime dependency + specialisation.newFeature = { + inheritParentConfig = true; + configuration.services.home-assistant.config.device_tracker = [ + { platform = "bluetooth_tracker"; } + ]; + }; }; - testScript = '' + testScript = { nodes, ... }: let + system = nodes.hass.config.system.build.toplevel; + in + '' import re start_all() @@ -111,6 +128,7 @@ in { pattern = re.compile(r"path=(?P<path>[\/a-z0-9-.]+)\/bin\/hass") response = hass.execute("systemctl show -p ExecStart home-assistant.service")[1] match = pattern.search(response) + assert match package = match.group('path') hass.wait_for_unit("home-assistant.service") @@ -141,12 +159,21 @@ in { with subtest("Check extra components are considered in systemd unit hardening"): hass.succeed("systemctl show -p DeviceAllow home-assistant.service | grep -q char-ttyUSB") - with subtest("Print log to ease debugging"): - output_log = hass.succeed("cat ${configDir}/home-assistant.log") - print("\n### home-assistant.log ###\n") - print(output_log + "\n") + with subtest("Check service reloads when configuration changes"): + # store the old pid of the process + pid = hass.succeed("systemctl show --property=MainPID home-assistant.service") + hass.succeed("${system}/specialisation/differentName/bin/switch-to-configuration test") + new_pid = hass.succeed("systemctl show --property=MainPID home-assistant.service") + assert pid == new_pid, "The PID of the process should not change between process reloads" + + with subtest("check service restarts when package changes"): + pid = new_pid + hass.succeed("${system}/specialisation/newFeature/bin/switch-to-configuration test") + new_pid = hass.succeed("systemctl show --property=MainPID home-assistant.service") + assert pid != new_pid, "The PID of the process shoudl change when the HA binary changes" with subtest("Check that no errors were logged"): + output_log = hass.succeed("cat ${configDir}/home-assistant.log") assert "ERROR" not in output_log with subtest("Check systemd unit hardening"): diff --git a/nixos/tests/hydra/default.nix b/nixos/tests/hydra/default.nix index 9fc787842d8..baf18afbc56 100644 --- a/nixos/tests/hydra/default.nix +++ b/nixos/tests/hydra/default.nix @@ -11,7 +11,7 @@ let inherit (import ./common.nix { inherit system; }) baseConfig; hydraPkgs = { - inherit (pkgs) hydra-unstable; + inherit (pkgs) hydra_unstable; }; makeHydraTest = with pkgs.lib; name: package: makeTest { diff --git a/nixos/tests/ihatemoney/default.nix b/nixos/tests/ihatemoney/default.nix index cd5f073343d..894a97d43d3 100644 --- a/nixos/tests/ihatemoney/default.nix +++ b/nixos/tests/ihatemoney/default.nix @@ -32,14 +32,7 @@ let }; }; # ihatemoney needs a local smtp server otherwise project creation just crashes - services.opensmtpd = { - enable = true; - serverConfiguration = '' - listen on lo - action foo relay - match from any for any action foo - ''; - }; + services.postfix.enable = true; }; testScript = '' machine.wait_for_open_port(8000) diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index fd16b481168..c6fb37cfe58 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -106,6 +106,5 @@ in malcontent = callInstalledTest ./malcontent.nix {}; ostree = callInstalledTest ./ostree.nix {}; pipewire = callInstalledTest ./pipewire.nix {}; - power-profiles-daemon = callInstalledTest ./power-profiles-daemon.nix {}; xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {}; } diff --git a/nixos/tests/installed-tests/power-profiles-daemon.nix b/nixos/tests/installed-tests/power-profiles-daemon.nix deleted file mode 100644 index 43629a0155d..00000000000 --- a/nixos/tests/installed-tests/power-profiles-daemon.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, lib, makeInstalledTest, ... }: - -makeInstalledTest { - tested = pkgs.power-profiles-daemon; - - testConfig = { - services.power-profiles-daemon.enable = true; - }; -} diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix new file mode 100644 index 00000000000..d02387ee80e --- /dev/null +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -0,0 +1,33 @@ +{ system ? builtins.currentSystem +, config ? {} +, pkgs ? import ../.. { inherit system config; } +}: + +{ + # Some of these tests don't work with systemd stage 1 yet. Uncomment + # them when fixed. + inherit (import ./installer.nix { inherit system config pkgs; systemdStage1 = true; }) + # bcache + # btrfsSimple + # btrfsSubvolDefault + # btrfsSubvols + # encryptedFSWithKeyfile + # grub1 + # luksroot + # luksroot-format1 + # luksroot-format2 + # lvm + separateBoot + separateBootFat + simple + simpleLabels + simpleProvided + simpleSpecialised + simpleUefiGrub + simpleUefiGrubSpecialisation + simpleUefiSystemdBoot + # swraid + zfsroot + ; + +} diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index ea2b2d04ed1..8bef4fad3dd 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -1,6 +1,7 @@ { system ? builtins.currentSystem, config ? {}, - pkgs ? import ../.. { inherit system config; } + pkgs ? import ../.. { inherit system config; }, + systemdStage1 ? false }: with import ../lib/testing-python.nix { inherit system pkgs; }; @@ -23,6 +24,8 @@ let # To ensure that we can rebuild the grub configuration on the nixos-rebuild system.extraDependencies = with pkgs; [ stdenvNoCC ]; + ${optionalString systemdStage1 "boot.initrd.systemd.enable = true;"} + ${optionalString (bootLoader == "grub") '' boot.loader.grub.version = ${toString grubVersion}; ${optionalString (grubVersion == 1) '' @@ -290,6 +293,8 @@ let virtualisation.cores = 8; virtualisation.memorySize = 1536; + boot.initrd.systemd.enable = systemdStage1; + # Use a small /dev/vdb as the root disk for the # installer. This ensures the target disk (/dev/vda) is # the same during and after installation. @@ -696,6 +701,85 @@ in { ''; }; + bcachefsSimple = makeInstallerTest "bcachefs-simple" { + extraInstallerConfig = { + boot.supportedFilesystems = [ "bcachefs" ]; + }; + + createPartitions = '' + machine.succeed( + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" + + " mkpart primary ext2 1M 100MB" # /boot + + " mkpart primary linux-swap 100M 1024M" # swap + + " mkpart primary 1024M -1s", # / + "udevadm settle", + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + "mkfs.bcachefs -L root /dev/vda3", + "mount -t bcachefs /dev/vda3 /mnt", + "mkfs.ext3 -L boot /dev/vda1", + "mkdir -p /mnt/boot", + "mount /dev/vda1 /mnt/boot", + ) + ''; + }; + + bcachefsEncrypted = makeInstallerTest "bcachefs-encrypted" { + extraInstallerConfig = { + boot.supportedFilesystems = [ "bcachefs" ]; + environment.systemPackages = with pkgs; [ keyutils ]; + }; + + # We don't want to use the normal way of unlocking bcachefs defined in tasks/filesystems/bcachefs.nix. + # So, override initrd.postDeviceCommands completely and simply unlock with the predefined password. + extraConfig = '' + boot.initrd.postDeviceCommands = lib.mkForce "echo password | bcachefs unlock /dev/vda3"; + ''; + + createPartitions = '' + machine.succeed( + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" + + " mkpart primary ext2 1M 100MB" # /boot + + " mkpart primary linux-swap 100M 1024M" # swap + + " mkpart primary 1024M -1s", # / + "udevadm settle", + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + "keyctl link @u @s", + "echo password | mkfs.bcachefs -L root --encrypted /dev/vda3", + "echo password | bcachefs unlock /dev/vda3", + "mount -t bcachefs /dev/vda3 /mnt", + "mkfs.ext3 -L boot /dev/vda1", + "mkdir -p /mnt/boot", + "mount /dev/vda1 /mnt/boot", + ) + ''; + }; + + bcachefsMulti = makeInstallerTest "bcachefs-multi" { + extraInstallerConfig = { + boot.supportedFilesystems = [ "bcachefs" ]; + }; + + createPartitions = '' + machine.succeed( + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" + + " mkpart primary ext2 1M 100MB" # /boot + + " mkpart primary linux-swap 100M 1024M" # swap + + " mkpart primary 1024M 4096M" # / + + " mkpart primary 4096M -1s", # / + "udevadm settle", + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + "mkfs.bcachefs -L root --metadata_replicas 2 --foreground_target ssd --promote_target ssd --background_target hdd --label ssd /dev/vda3 --label hdd /dev/vda4", + "mount -t bcachefs /dev/vda3:/dev/vda4 /mnt", + "mkfs.ext3 -L boot /dev/vda1", + "mkdir -p /mnt/boot", + "mount /dev/vda1 /mnt/boot", + ) + ''; + }; + # Test a basic install using GRUB 1. grub1 = makeInstallerTest "grub1" rec { createPartitions = '' diff --git a/nixos/tests/ipfs.nix b/nixos/tests/ipfs.nix index 5e7c967028e..295a7b9c727 100644 --- a/nixos/tests/ipfs.nix +++ b/nixos/tests/ipfs.nix @@ -14,6 +14,14 @@ import ./make-test-python.nix ({ pkgs, ...} : { }; }; + nodes.fuse = { ... }: { + services.ipfs = { + enable = true; + apiAddress = "/ip4/127.0.0.1/tcp/2324"; + autoMount = true; + }; + }; + testScript = '' start_all() @@ -40,5 +48,12 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Test if setting dataDir works properly with the hardened systemd unit machine.succeed("test -e /mnt/ipfs/config") machine.succeed("test ! -e /var/lib/ipfs/") + + # Test FUSE mountpoint + ipfs_hash = fuse.succeed( + "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter" + ) + + fuse.succeed(f"cat /ipfs/{ipfs_hash.strip()} | grep fnord3") ''; }) diff --git a/nixos/tests/isso.nix b/nixos/tests/isso.nix index 65bae5f5dce..f4560ba3e63 100644 --- a/nixos/tests/isso.nix +++ b/nixos/tests/isso.nix @@ -22,7 +22,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { '' machine.wait_for_unit("isso.service") - machine.wait_for_open_port("${toString port}") + machine.wait_for_open_port(port) machine.succeed("curl --fail http://localhost:${toString port}/?uri") machine.succeed("curl --fail http://localhost:${toString port}/js/embed.min.js") diff --git a/nixos/tests/jellyfin.nix b/nixos/tests/jellyfin.nix index 4ac37869963..7d3097b5862 100644 --- a/nixos/tests/jellyfin.nix +++ b/nixos/tests/jellyfin.nix @@ -52,18 +52,18 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: machine.succeed(api_post("/Startup/Complete")) with machine.nested("Can login"): - auth_result = machine.succeed( + auth_result_str = machine.succeed( api_post( "/Users/AuthenticateByName", "${payloads.auth}", ) ) - auth_result = json.loads(auth_result) + auth_result = json.loads(auth_result_str) auth_token = auth_result["AccessToken"] auth_header += f", Token={auth_token}" - sessions_result = machine.succeed(api_get("/Sessions")) - sessions_result = json.loads(sessions_result) + sessions_result_str = machine.succeed(api_get("/Sessions")) + sessions_result = json.loads(sessions_result_str) this_session = [ session for session in sessions_result if session["DeviceId"] == "1337" @@ -71,8 +71,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: if len(this_session) != 1: raise Exception("Session not created") - me = machine.succeed(api_get("/Users/Me")) - me = json.loads(me)["Id"] + me_str = machine.succeed(api_get("/Users/Me")) + me = json.loads(me_str)["Id"] with machine.nested("Can add library"): tempdir = machine.succeed("mktemp -d -p /var/lib/jellyfin").strip() @@ -100,8 +100,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: def is_refreshed(_): - folders = machine.succeed(api_get("/Library/VirtualFolders")) - folders = json.loads(folders) + folders_str = machine.succeed(api_get("/Library/VirtualFolders")) + folders = json.loads(folders_str) print(folders) return all(folder["RefreshStatus"] == "Idle" for folder in folders) @@ -116,10 +116,10 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: def has_movie(_): global items - items = machine.succeed( + items_str = machine.succeed( api_get(f"/Users/{me}/Items?IncludeItemTypes=Movie&Recursive=true") ) - items = json.loads(items)["Items"] + items = json.loads(items_str)["Items"] return len(items) == 1 @@ -127,8 +127,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: video = items[0]["Id"] - item_info = machine.succeed(api_get(f"/Users/{me}/Items/{video}")) - item_info = json.loads(item_info) + item_info_str = machine.succeed(api_get(f"/Users/{me}/Items/{video}")) + item_info = json.loads(item_info_str) if item_info["Name"] != "Big Buck Bunny": raise Exception("Jellyfin failed to properly identify file") diff --git a/nixos/tests/jitsi-meet.nix b/nixos/tests/jitsi-meet.nix index 41d53bc7380..c39cd19e1f0 100644 --- a/nixos/tests/jitsi-meet.nix +++ b/nixos/tests/jitsi-meet.nix @@ -34,9 +34,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { server.wait_for_unit("prosody.service") server.wait_until_succeeds( - "journalctl -b -u jitsi-videobridge2 -o cat | grep -q 'Performed a successful health check'" - ) - server.wait_until_succeeds( "journalctl -b -u prosody -o cat | grep -q 'Authenticated as focus@auth.server'" ) server.wait_until_succeeds( diff --git a/nixos/tests/k3s-single-node-docker.nix b/nixos/tests/k3s-single-node-docker.nix deleted file mode 100644 index 735aa5ac297..00000000000 --- a/nixos/tests/k3s-single-node-docker.nix +++ /dev/null @@ -1,84 +0,0 @@ -import ./make-test-python.nix ({ pkgs, ... }: - - let - imageEnv = pkgs.buildEnv { - name = "k3s-pause-image-env"; - paths = with pkgs; [ tini (hiPrio coreutils) busybox ]; - }; - pauseImage = pkgs.dockerTools.streamLayeredImage { - name = "test.local/pause"; - tag = "local"; - contents = imageEnv; - config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ]; - }; - # Don't use the default service account because there's a race where it may - # not be created yet; make our own instead. - testPodYaml = pkgs.writeText "test.yml" '' - apiVersion: v1 - kind: ServiceAccount - metadata: - name: test - --- - apiVersion: v1 - kind: Pod - metadata: - name: test - spec: - serviceAccountName: test - containers: - - name: test - image: test.local/pause:local - imagePullPolicy: Never - command: ["sh", "-c", "sleep inf"] - ''; - in - { - name = "k3s"; - meta = with pkgs.lib.maintainers; { - maintainers = [ euank ]; - }; - - nodes.machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ k3s gzip ]; - - # k3s uses enough resources the default vm fails. - virtualisation.memorySize = 1536; - virtualisation.diskSize = 4096; - - services.k3s = { - enable = true; - role = "server"; - docker = true; - # Slightly reduce resource usage - extraFlags = "--no-deploy coredns,servicelb,traefik,local-storage,metrics-server --pause-image test.local/pause:local"; - }; - - users.users = { - noprivs = { - isNormalUser = true; - description = "Can't access k3s by default"; - password = "*"; - }; - }; - }; - - testScript = '' - start_all() - - machine.wait_for_unit("k3s") - machine.succeed("k3s kubectl cluster-info") - machine.fail("sudo -u noprivs k3s kubectl cluster-info") - # FIXME: this fails with the current nixos kernel config; once it passes, we should uncomment it - # machine.succeed("k3s check-config") - - machine.succeed( - "${pauseImage} | docker load" - ) - - machine.succeed("k3s kubectl apply -f ${testPodYaml}") - machine.succeed("k3s kubectl wait --for 'condition=Ready' pod/test") - machine.succeed("k3s kubectl delete -f ${testPodYaml}") - - machine.shutdown() - ''; - }) diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix new file mode 100644 index 00000000000..d34f680f522 --- /dev/null +++ b/nixos/tests/kanidm.nix @@ -0,0 +1,75 @@ +import ./make-test-python.nix ({ pkgs, ... }: + let + certs = import ./common/acme/server/snakeoil-certs.nix; + serverDomain = certs.domain; + in + { + name = "kanidm"; + meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ]; + + nodes.server = { config, pkgs, lib, ... }: { + services.kanidm = { + enableServer = true; + serverSettings = { + origin = "https://${serverDomain}"; + domain = serverDomain; + bindaddress = "[::1]:8443"; + ldapbindaddress = "[::1]:636"; + }; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts."${serverDomain}" = { + forceSSL = true; + sslCertificate = certs."${serverDomain}".cert; + sslCertificateKey = certs."${serverDomain}".key; + locations."/".proxyPass = "http://[::1]:8443"; + }; + }; + + security.pki.certificateFiles = [ certs.ca.cert ]; + + networking.hosts."::1" = [ serverDomain ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + users.users.kanidm.shell = pkgs.bashInteractive; + + environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ]; + }; + + nodes.client = { pkgs, nodes, ... }: { + services.kanidm = { + enableClient = true; + clientSettings = { + uri = "https://${serverDomain}"; + }; + }; + + networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ]; + + security.pki.certificateFiles = [ certs.ca.cert ]; + }; + + testScript = { nodes, ... }: + let + ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain)); + + # We need access to the config file in the test script. + filteredConfig = pkgs.lib.converge + (pkgs.lib.filterAttrsRecursive (_: v: v != null)) + nodes.server.config.services.kanidm.serverSettings; + serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig; + + in + '' + start_all() + server.wait_for_unit("kanidm.service") + server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm") + server.wait_until_succeeds("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'") + client.wait_until_succeeds("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}") + (rv, result) = server.execute("kanidmd recover_account -d quiet -c ${serverConfigFile} -n admin 2>&1 | rg -o '[A-Za-z0-9]{48}'") + assert rv == 0 + ''; + }) diff --git a/nixos/tests/keepassxc.nix b/nixos/tests/keepassxc.nix index d0f353c71e0..303be133040 100644 --- a/nixos/tests/keepassxc.nix +++ b/nixos/tests/keepassxc.nix @@ -62,7 +62,7 @@ import ./make-test-python.nix ({ pkgs, ...} : machine.send_key("tab") machine.send_chars("/home/alice/foo.keyfile") machine.send_key("ret") - # Passwords folder is displayed - machine.wait_for_text("Passwords") + # Database is unlocked (doesn't have "[Locked]" in the title anymore) + machine.wait_for_text("foo.kdbx - KeePassXC") ''; }) diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index f34d5d60794..04d52cf82e4 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -30,6 +30,7 @@ let linux_5_4_hardened linux_5_10_hardened linux_5_15_hardened + linux_5_18_hardened linux_testing; }; diff --git a/nixos/tests/kexec.nix b/nixos/tests/kexec.nix index 7e5cc010ef9..3f5a6f521af 100644 --- a/nixos/tests/kexec.nix +++ b/nixos/tests/kexec.nix @@ -1,5 +1,3 @@ -# Test whether fast reboots via kexec work. - import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "kexec"; meta = with lib.maintainers; { @@ -18,13 +16,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { node2 = { modulesPath, ... }: { virtualisation.vlans = [ ]; + environment.systemPackages = [ pkgs.hello ]; imports = [ - "${modulesPath}/installer/kexec/kexec-boot.nix" + "${modulesPath}/installer/netboot/netboot-minimal.nix" ]; }; }; testScript = { nodes, ... }: '' + # Test whether reboot via kexec works. node1.wait_for_unit("multi-user.target") node1.succeed('kexec --load /run/current-system/kernel --initrd /run/current-system/initrd --command-line "$(</proc/cmdline)"') node1.execute("systemctl kexec >&2 &", check_return=False) @@ -32,14 +32,17 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { node1.connect() node1.wait_for_unit("multi-user.target") - # Check the machine with kexec-boot.nix profile boots up + # Check if the machine with netboot-minimal.nix profile boots up node2.wait_for_unit("multi-user.target") node2.shutdown() # Kexec node1 to the toplevel of node2 via the kexec-boot script node1.succeed('touch /run/foo') - node1.execute('${nodes.node2.config.system.build.kexecBoot}/kexec-boot', check_return=False) + node1.fail('hello') + node1.execute('${nodes.node2.config.system.build.kexecTree}/kexec-boot', check_return=False) node1.succeed('! test -e /run/foo') + node1.succeed('hello') + node1.succeed('[ "$(hostname)" = "node2" ]') node1.shutdown() ''; diff --git a/nixos/tests/libreddit.nix b/nixos/tests/libreddit.nix index f7ef701d086..82a44cb4e9c 100644 --- a/nixos/tests/libreddit.nix +++ b/nixos/tests/libreddit.nix @@ -6,14 +6,16 @@ with lib; name = "libreddit"; meta.maintainers = with maintainers; [ fab ]; - nodes.machine = - { pkgs, ... }: - { services.libreddit.enable = true; }; + nodes.machine = { + services.libreddit.enable = true; + # Test CAP_NET_BIND_SERVICE + services.libreddit.port = 80; + }; testScript = '' machine.wait_for_unit("libreddit.service") - machine.wait_for_open_port("8080") - # The service wants to get data from https://www.reddit.com - machine.succeed("curl http://localhost:8080/") + machine.wait_for_open_port(80) + # Query a page that does not require Internet access + machine.succeed("curl --fail http://localhost:80/settings") ''; }) diff --git a/nixos/tests/lidarr.nix b/nixos/tests/lidarr.nix index d3f83e5d914..7fbaea62f80 100644 --- a/nixos/tests/lidarr.nix +++ b/nixos/tests/lidarr.nix @@ -14,7 +14,7 @@ with lib; start_all() machine.wait_for_unit("lidarr.service") - machine.wait_for_open_port("8686") + machine.wait_for_open_port(8686) machine.succeed("curl --fail http://localhost:8686/") ''; }) diff --git a/nixos/tests/login.nix b/nixos/tests/login.nix index 0d6f81b1721..2cff38d2005 100644 --- a/nixos/tests/login.nix +++ b/nixos/tests/login.nix @@ -29,11 +29,11 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }: machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'") with subtest("Log in as alice on a virtual console"): - machine.wait_until_tty_matches(2, "login: ") + machine.wait_until_tty_matches("2", "login: ") machine.send_chars("alice\n") - machine.wait_until_tty_matches(2, "login: alice") + machine.wait_until_tty_matches("2", "login: alice") machine.wait_until_succeeds("pgrep login") - machine.wait_until_tty_matches(2, "Password: ") + machine.wait_until_tty_matches("2", "Password: ") machine.send_chars("foobar\n") machine.wait_until_succeeds("pgrep -u alice bash") machine.send_chars("touch done\n") diff --git a/nixos/tests/lxd-image-server.nix b/nixos/tests/lxd-image-server.nix index fa40e33e74d..072f4570c2c 100644 --- a/nixos/tests/lxd-image-server.nix +++ b/nixos/tests/lxd-image-server.nix @@ -1,54 +1,21 @@ -import ./make-test-python.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, lib, ... } : let - # Since we don't have access to the internet during the tests, we have to - # pre-fetch lxd containers beforehand. - # - # I've chosen to import Alpine Linux, because its image is turbo-tiny and, - # generally, sufficient for our tests. - alpine-meta = pkgs.fetchurl { - url = "https://tarballs.nixos.org/alpine/3.12/lxd.tar.xz"; - hash = "sha256-1tcKaO9lOkvqfmG/7FMbfAEToAuFy2YMewS8ysBKuLA="; - }; - - alpine-rootfs = pkgs.fetchurl { - url = "https://tarballs.nixos.org/alpine/3.12/rootfs.tar.xz"; - hash = "sha256-Tba9sSoaiMtQLY45u7p5DMqXTSDgs/763L/SQp0bkCA="; + lxd-image = import ../release.nix { + configuration = { + # Building documentation makes the test unnecessarily take a longer time: + documentation.enable = lib.mkForce false; + }; }; - lxd-config = pkgs.writeText "config.yaml" '' - storage_pools: - - name: default - driver: dir - config: - source: /var/lxd-pool - - networks: - - name: lxdbr0 - type: bridge - config: - ipv4.address: auto - ipv6.address: none - - profiles: - - name: default - devices: - eth0: - name: eth0 - network: lxdbr0 - type: nic - root: - path: / - pool: default - type: disk - ''; - + lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system}; + lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system}; in { name = "lxd-image-server"; meta = with pkgs.lib.maintainers; { - maintainers = [ mkg20001 ]; + maintainers = [ mkg20001 patryk27 ]; }; nodes.machine = { lib, ... }: { @@ -100,20 +67,20 @@ in { # lxd expects the pool's directory to already exist machine.succeed("mkdir /var/lxd-pool") - machine.succeed( - "cat ${lxd-config} | lxd init --preseed" + "cat ${./common/lxd/config.yaml} | lxd init --preseed" ) machine.succeed( - "lxc image import ${alpine-meta} ${alpine-rootfs} --alias alpine" + "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs}/*/*.tar.xz --alias nixos" ) - loc = "/var/www/simplestreams/images/iats/alpine/amd64/default/v1" + loc = "/var/www/simplestreams/images/iats/nixos/amd64/default/v1" with subtest("push image to server"): - machine.succeed("lxc launch alpine test") - machine.succeed("lxc stop test") + machine.succeed("lxc launch nixos test") + machine.sleep(5) + machine.succeed("lxc stop -f test") machine.succeed("lxc publish --public test --alias=testimg") machine.succeed("lxc image export testimg") machine.succeed("ls >&2") diff --git a/nixos/tests/lxd-image.nix b/nixos/tests/lxd-image.nix deleted file mode 100644 index 4930b55f190..00000000000 --- a/nixos/tests/lxd-image.nix +++ /dev/null @@ -1,89 +0,0 @@ -# This test ensures that the nixOS lxd images builds and functions properly -# It has been extracted from `lxd.nix` to seperate failures of just the image and the lxd software - -import ./make-test-python.nix ({ pkgs, ...} : let - release = import ../release.nix { - /* configuration = { - environment.systemPackages = with pkgs; [ stdenv ]; # inject stdenv so rebuild test works - }; */ - }; - - metadata = release.lxdMeta.${pkgs.system}; - image = release.lxdImage.${pkgs.system}; - - lxd-config = pkgs.writeText "config.yaml" '' - storage_pools: - - name: default - driver: dir - config: - source: /var/lxd-pool - - networks: - - name: lxdbr0 - type: bridge - config: - ipv4.address: auto - ipv6.address: none - - profiles: - - name: default - devices: - eth0: - name: eth0 - network: lxdbr0 - type: nic - root: - path: / - pool: default - type: disk - ''; -in { - name = "lxd-image"; - - meta = with pkgs.lib.maintainers; { - maintainers = [ mkg20001 ]; - }; - - nodes.machine = { lib, ... }: { - virtualisation = { - # disk full otherwise - diskSize = 2048; - - lxc.lxcfs.enable = true; - lxd.enable = true; - }; - }; - - testScript = '' - machine.wait_for_unit("sockets.target") - machine.wait_for_unit("lxd.service") - machine.wait_for_file("/var/lib/lxd/unix.socket") - - # It takes additional second for lxd to settle - machine.sleep(1) - - # lxd expects the pool's directory to already exist - machine.succeed("mkdir /var/lxd-pool") - - machine.succeed( - "cat ${lxd-config} | lxd init --preseed" - ) - - # TODO: test custom built container aswell - - with subtest("importing container works"): - machine.succeed("lxc image import ${metadata}/*/*.tar.xz ${image}/*/*.tar.xz --alias nixos") - - with subtest("launching container works"): - machine.succeed("lxc launch nixos machine -c security.nesting=true") - # make sure machine boots up properly - machine.sleep(5) - - with subtest("container shell works"): - machine.succeed("echo true | lxc exec machine /run/current-system/sw/bin/bash -") - machine.succeed("lxc exec machine /run/current-system/sw/bin/true") - - # with subtest("rebuilding works"): - # machine.succeed("lxc exec machine /run/current-system/sw/bin/nixos-rebuild switch") - ''; -}) diff --git a/nixos/tests/lxd.nix b/nixos/tests/lxd.nix index 81b36124cc6..15d16564d64 100644 --- a/nixos/tests/lxd.nix +++ b/nixos/tests/lxd.nix @@ -1,48 +1,18 @@ -import ./make-test-python.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, lib, ... } : let - # Since we don't have access to the internet during the tests, we have to - # pre-fetch lxd containers beforehand. - # - # I've chosen to import Alpine Linux, because its image is turbo-tiny and, - # generally, sufficient for our tests. - alpine-meta = pkgs.fetchurl { - url = "https://tarballs.nixos.org/alpine/3.12/lxd.tar.xz"; - hash = "sha256-1tcKaO9lOkvqfmG/7FMbfAEToAuFy2YMewS8ysBKuLA="; - }; + lxd-image = import ../release.nix { + configuration = { + # Building documentation makes the test unnecessarily take a longer time: + documentation.enable = lib.mkForce false; - alpine-rootfs = pkgs.fetchurl { - url = "https://tarballs.nixos.org/alpine/3.12/rootfs.tar.xz"; - hash = "sha256-Tba9sSoaiMtQLY45u7p5DMqXTSDgs/763L/SQp0bkCA="; + # Our tests require `grep` & friends: + environment.systemPackages = with pkgs; [ busybox ]; + }; }; - lxd-config = pkgs.writeText "config.yaml" '' - storage_pools: - - name: default - driver: dir - config: - source: /var/lxd-pool - - networks: - - name: lxdbr0 - type: bridge - config: - ipv4.address: auto - ipv6.address: none - - profiles: - - name: default - devices: - eth0: - name: eth0 - network: lxdbr0 - type: nic - root: - path: / - pool: default - type: disk - ''; - + lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system}; + lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system}; in { name = "lxd"; @@ -53,6 +23,8 @@ in { nodes.machine = { lib, ... }: { virtualisation = { + diskSize = 2048; + # Since we're testing `limits.cpu`, we've gotta have a known number of # cores to lean on cores = 2; @@ -77,61 +49,66 @@ in { machine.succeed("mkdir /var/lxd-pool") machine.succeed( - "cat ${lxd-config} | lxd init --preseed" + "cat ${./common/lxd/config.yaml} | lxd init --preseed" ) machine.succeed( - "lxc image import ${alpine-meta} ${alpine-rootfs} --alias alpine" + "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs}/*/*.tar.xz --alias nixos" ) - with subtest("Containers can be launched and destroyed"): - machine.succeed("lxc launch alpine test") - machine.succeed("lxc exec test true") - machine.succeed("lxc delete -f test") + with subtest("Container can be managed"): + machine.succeed("lxc launch nixos container") + machine.sleep(5) + machine.succeed("echo true | lxc exec container /run/current-system/sw/bin/bash -") + machine.succeed("lxc exec container true") + machine.succeed("lxc delete -f container") - with subtest("Containers are being mounted with lxcfs inside"): - machine.succeed("lxc launch alpine test") + with subtest("Container is mounted with lxcfs inside"): + machine.succeed("lxc launch nixos container") + machine.sleep(5) ## ---------- ## ## limits.cpu ## - machine.succeed("lxc config set test limits.cpu 1") - machine.succeed("lxc restart test") + machine.succeed("lxc config set container limits.cpu 1") + machine.succeed("lxc restart container") + machine.sleep(5) - # Since Alpine doesn't have `nproc` pre-installed, we've gotta resort - # to the primal methods assert ( "1" - == machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip() + == machine.succeed("lxc exec container grep -- -c ^processor /proc/cpuinfo").strip() ) - machine.succeed("lxc config set test limits.cpu 2") - machine.succeed("lxc restart test") + machine.succeed("lxc config set container limits.cpu 2") + machine.succeed("lxc restart container") + machine.sleep(5) assert ( "2" - == machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip() + == machine.succeed("lxc exec container grep -- -c ^processor /proc/cpuinfo").strip() ) ## ------------- ## ## limits.memory ## - machine.succeed("lxc config set test limits.memory 64MB") - machine.succeed("lxc restart test") + machine.succeed("lxc config set container limits.memory 64MB") + machine.succeed("lxc restart container") + machine.sleep(5) assert ( "MemTotal: 62500 kB" - == machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip() + == machine.succeed("lxc exec container grep -- MemTotal /proc/meminfo").strip() ) - machine.succeed("lxc config set test limits.memory 128MB") - machine.succeed("lxc restart test") + machine.succeed("lxc config set container limits.memory 128MB") + machine.succeed("lxc restart container") + machine.sleep(5) assert ( "MemTotal: 125000 kB" - == machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip() + == machine.succeed("lxc exec container grep -- MemTotal /proc/meminfo").strip() ) - machine.succeed("lxc delete -f test") + machine.succeed("lxc delete -f container") ''; }) diff --git a/nixos/tests/mailcatcher.nix b/nixos/tests/mailcatcher.nix index f23b749a021..627ef56617e 100644 --- a/nixos/tests/mailcatcher.nix +++ b/nixos/tests/mailcatcher.nix @@ -24,7 +24,7 @@ import ./make-test-python.nix ({ lib, ... }: start_all() machine.wait_for_unit("mailcatcher.service") - machine.wait_for_open_port("1025") + machine.wait_for_open_port(1025) machine.succeed( 'echo "this is the body of the email" | mail -s "subject" root@example.org' ) diff --git a/nixos/tests/mailhog.nix b/nixos/tests/mailhog.nix index 3508c2c0a5e..e3c2da37a3c 100644 --- a/nixos/tests/mailhog.nix +++ b/nixos/tests/mailhog.nix @@ -12,8 +12,8 @@ import ./make-test-python.nix ({ lib, ... }: { start_all() machine.wait_for_unit("mailhog.service") - machine.wait_for_open_port("1025") - machine.wait_for_open_port("8025") + machine.wait_for_open_port(1025) + machine.wait_for_open_port(8025) machine.succeed( 'echo "this is the body of the email" | swaks --to root@example.org --body - --server localhost:1025' ) diff --git a/nixos/tests/matrix-appservice-irc.nix b/nixos/tests/matrix/appservice-irc.nix index d1c561f95db..78c53024ca6 100644 --- a/nixos/tests/matrix-appservice-irc.nix +++ b/nixos/tests/matrix/appservice-irc.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ../make-test-python.nix ({ pkgs, ... }: let homeserverUrl = "http://homeserver:8008"; in @@ -20,6 +20,9 @@ import ./make-test-python.nix ({ pkgs, ... }: enable_registration = true; + # don't use this in production, always use some form of verification + enable_registration_without_verification = true; + listeners = [ { # The default but tls=false bind_addresses = [ @@ -190,6 +193,7 @@ import ./make-test-python.nix ({ pkgs, ... }: testScript = '' import pathlib + import os start_all() @@ -203,7 +207,7 @@ import ./make-test-python.nix ({ pkgs, ... }: with subtest("copy the registration file"): appservice.copy_from_vm("/var/lib/matrix-appservice-irc/registration.yml") homeserver.copy_from_host( - pathlib.Path(os.environ.get("out", os.getcwd())) / "registration.yml", "/" + str(pathlib.Path(os.environ.get("out", os.getcwd())) / "registration.yml"), "/" ) homeserver.succeed("chmod 444 /registration.yml") diff --git a/nixos/tests/matrix-conduit.nix b/nixos/tests/matrix/conduit.nix index d159fbaa480..780837f962f 100644 --- a/nixos/tests/matrix-conduit.nix +++ b/nixos/tests/matrix/conduit.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ../make-test-python.nix ({ pkgs, ... }: let name = "conduit"; in diff --git a/nixos/tests/dendrite.nix b/nixos/tests/matrix/dendrite.nix index a444c9b2001..82e71d91213 100644 --- a/nixos/tests/dendrite.nix +++ b/nixos/tests/matrix/dendrite.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ( +import ../make-test-python.nix ( { pkgs, ... }: let homeserverUrl = "http://homeserver:8008"; @@ -17,9 +17,11 @@ import ./make-test-python.nix ( homeserver = { pkgs, ... }: { services.dendrite = { enable = true; + loadCredential = [ "test_private_key:${private_key}" ]; + openRegistration = true; settings = { global.server_name = "test-dendrite-server.com"; - global.private_key = private_key; + global.private_key = "$CREDENTIALS_DIRECTORY/test_private_key"; client_api.registration_disabled = false; }; }; diff --git a/nixos/tests/matrix/mjolnir.nix b/nixos/tests/matrix/mjolnir.nix index 54094ab9d61..3864f0ff2bb 100644 --- a/nixos/tests/matrix/mjolnir.nix +++ b/nixos/tests/matrix/mjolnir.nix @@ -43,7 +43,9 @@ import ../make-test-python.nix ( tls_certificate_path = "${cert}"; tls_private_key_path = "${key}"; enable_registration = true; + enable_registration_without_verification = true; registration_shared_secret = "supersecret-registration"; + enable_registration_without_verification = true; listeners = [ { # The default but tls=false diff --git a/nixos/tests/matrix-synapse.nix b/nixos/tests/matrix/synapse.nix index 1ff1e47b284..756a8d5de49 100644 --- a/nixos/tests/matrix-synapse.nix +++ b/nixos/tests/matrix/synapse.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... } : let +import ../make-test-python.nix ({ pkgs, ... } : let runWithOpenSSL = file: cmd: pkgs.runCommand file { @@ -27,7 +27,7 @@ import ./make-test-python.nix ({ pkgs, ... } : let ''; - mailerCerts = import ./common/acme/server/snakeoil-certs.nix; + mailerCerts = import ../common/acme/server/snakeoil-certs.nix; mailerDomain = mailerCerts.domain; registrationSharedSecret = "unsecure123"; testUser = "alice"; diff --git a/nixos/tests/meilisearch.nix b/nixos/tests/meilisearch.nix index 9f54aa97d6a..6d7514a1cc0 100644 --- a/nixos/tests/meilisearch.nix +++ b/nixos/tests/meilisearch.nix @@ -5,9 +5,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: apiUrl = "http://${listenAddress}:${toString listenPort}"; uid = "movies"; indexJSON = pkgs.writeText "index.json" (builtins.toJSON { inherit uid; }); - moviesJSON = pkgs.runCommand "movies.json" {} '' - sed -n '1,5p;$p' ${pkgs.meilisearch.src}/datasets/movies/movies.json > $out - ''; + moviesJSON = pkgs.fetchurl { + url = "https://github.com/meilisearch/meilisearch/raw/v0.23.1/datasets/movies/movies.json"; + sha256 = "1r3srld63dpmg9yrmysm6xl175661j5cspi93mk5q2wf8xwn50c5"; + }; in { name = "meilisearch"; meta.maintainers = with lib.maintainers; [ Br1ght0ne ]; @@ -26,7 +27,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: start_all() machine.wait_for_unit("meilisearch") - machine.wait_for_open_port("7700") + machine.wait_for_open_port(7700) with subtest("check version"): version = json.loads(machine.succeed("curl ${apiUrl}/version")) @@ -34,7 +35,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("create index"): machine.succeed( - "curl -XPOST ${apiUrl}/indexes --data @${indexJSON}" + "curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes --data @${indexJSON}" ) indexes = json.loads(machine.succeed("curl ${apiUrl}/indexes")) assert len(indexes) == 1, "index wasn't created" @@ -42,7 +43,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("add documents"): response = json.loads( machine.succeed( - "curl -XPOST ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}" + "curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}" ) ) update_id = response["updateId"] diff --git a/nixos/tests/mimir.nix b/nixos/tests/mimir.nix new file mode 100644 index 00000000000..f1b30d26147 --- /dev/null +++ b/nixos/tests/mimir.nix @@ -0,0 +1,50 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "mimir"; + nodes = { + server = { ... }: { + environment.systemPackages = [ pkgs.jq ]; + services.mimir.enable = true; + services.mimir.configuration = { + ingester.ring.replication_factor = 1; + }; + + services.telegraf.enable = true; + services.telegraf.extraConfig = { + agent.interval = "1s"; + agent.flush_interval = "1s"; + inputs.exec = { + commands = [ + "${pkgs.coreutils}/bin/echo 'foo i=42i'" + ]; + data_format = "influx"; + }; + outputs = { + http = { + # test remote write + url = "http://localhost:8080/api/v1/push"; + + # Data format to output. + data_format = "prometheusremotewrite"; + + headers = { + Content-Type = "application/x-protobuf"; + Content-Encoding = "snappy"; + X-Scope-OrgID = "nixos"; + X-Prometheus-Remote-Write-Version = "0.1.0"; + }; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + server.wait_for_unit("mimir.service") + server.wait_for_unit("telegraf.service") + server.wait_for_open_port(8080) + server.wait_until_succeeds( + "curl -H 'X-Scope-OrgID: nixos' http://127.0.0.1:8080/prometheus/api/v1/label/host/values | jq -r '.data[0]' | grep server" + ) + ''; +}) diff --git a/nixos/tests/minidlna.nix b/nixos/tests/minidlna.nix index 104b79078fd..76039b0bb42 100644 --- a/nixos/tests/minidlna.nix +++ b/nixos/tests/minidlna.nix @@ -32,7 +32,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { start_all() server.succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff") server.wait_for_unit("minidlna") - server.wait_for_open_port("8200") + server.wait_for_open_port(8200) # requests must be made *by IP* to avoid triggering minidlna's # DNS-rebinding protection server.succeed("curl --fail http://$(getent ahostsv4 localhost | head -n1 | cut -f 1 -d ' '):8200/") diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index 36cc8e3e3d9..d516d3373d9 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -4,6 +4,7 @@ let port = 1888; tlsPort = 1889; anonPort = 1890; + bindTestPort = 1891; password = "VERY_secret"; hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw=="; topic = "test/foo"; @@ -125,6 +126,10 @@ in { }; }; } + { + settings.bind_interface = "eth0"; + port = bindTestPort; + } ]; }; }; @@ -134,6 +139,8 @@ in { }; testScript = '' + import json + def mosquitto_cmd(binary, user, topic, port): return ( "mosquitto_{} " @@ -162,6 +169,27 @@ in { start_all() server.wait_for_unit("mosquitto.service") + with subtest("bind_interface"): + addrs = dict() + for iface in json.loads(server.succeed("ip -json address show")): + for addr in iface['addr_info']: + # don't want to deal with multihoming here + assert addr['local'] not in addrs + addrs[addr['local']] = (iface['ifname'], addr['family']) + + # mosquitto grabs *one* random address per type for bind_interface + (has4, has6) = (False, False) + for line in server.succeed("ss -HlptnO sport = ${toString bindTestPort}").splitlines(): + items = line.split() + if "mosquitto" not in items[5]: continue + listener = items[3].rsplit(':', maxsplit=1)[0].strip('[]') + assert listener in addrs + assert addrs[listener][0] == "eth0" + has4 |= addrs[listener][1] == 'inet' + has6 |= addrs[listener][1] == 'inet6' + assert has4 + assert has6 + with subtest("check passwords"): client1.succeed(publish("-m test", "password_store")) client1.succeed(publish("-m test", "password_file")) diff --git a/nixos/tests/mysql/mysql-backup.nix b/nixos/tests/mysql/mysql-backup.nix index 9335b233327..968f56dd3c9 100644 --- a/nixos/tests/mysql/mysql-backup.nix +++ b/nixos/tests/mysql/mysql-backup.nix @@ -51,7 +51,6 @@ let # Do a backup and wait for it to start master.start_job("mysql-backup.service") - master.wait_for_unit("mysql-backup.service") # wait for backup to fail, because of database 'doesnotexist' master.wait_until_fails("systemctl is-active -q mysql-backup.service") diff --git a/nixos/tests/n8n.nix b/nixos/tests/n8n.nix index ed93639f2a4..c1753a418f6 100644 --- a/nixos/tests/n8n.nix +++ b/nixos/tests/n8n.nix @@ -7,7 +7,7 @@ let in { name = "n8n"; - meta.maintainers = with maintainers; [ freezeboy ]; + meta.maintainers = with maintainers; [ freezeboy k900 ]; nodes.machine = { pkgs, ... }: @@ -19,7 +19,7 @@ in testScript = '' machine.wait_for_unit("n8n.service") - machine.wait_for_open_port("${toString port}") + machine.wait_for_open_port(${toString port}) machine.succeed("curl --fail http://localhost:${toString port}/") ''; }) diff --git a/nixos/tests/navidrome.nix b/nixos/tests/navidrome.nix index 62290d50fc7..7315aef6240 100644 --- a/nixos/tests/navidrome.nix +++ b/nixos/tests/navidrome.nix @@ -7,6 +7,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = '' machine.wait_for_unit("navidrome") - machine.wait_for_open_port("4533") + machine.wait_for_open_port(4533) ''; }) diff --git a/nixos/tests/ncdns.nix b/nixos/tests/ncdns.nix index 5099d697e03..3ce39ed3cb5 100644 --- a/nixos/tests/ncdns.nix +++ b/nixos/tests/ncdns.nix @@ -73,14 +73,14 @@ in with subtest("DNSKEY bit record is present"): server.wait_for_unit("pdns-recursor") - server.wait_for_open_port("53") + server.wait_for_open_port(53) server.succeed("host -t DNSKEY bit") '') + '' with subtest("can resolve a .bit name"): server.wait_for_unit("namecoind") server.wait_for_unit("ncdns") - server.wait_for_open_port("8332") + server.wait_for_open_port(8332) assert "1.2.3.4" in server.succeed("dig @localhost -p 5333 test.bit") with subtest("SOA record has identity information"): diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index a1150097a09..a00ff165d42 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -77,12 +77,14 @@ let testCases = { loopback = { name = "Loopback"; - machine.networking.useDHCP = false; - machine.networking.useNetworkd = networkd; + nodes.client = { pkgs, ... }: with pkgs.lib; { + networking.useDHCP = false; + networking.useNetworkd = networkd; + }; testScript = '' start_all() - machine.wait_for_unit("network.target") - loopback_addresses = machine.succeed("ip addr show lo") + client.wait_for_unit("network.target") + loopback_addresses = client.succeed("ip addr show lo") assert "inet 127.0.0.1/8" in loopback_addresses assert "inet6 ::1/128" in loopback_addresses ''; @@ -96,6 +98,7 @@ let useNetworkd = networkd; useDHCP = false; defaultGateway = "192.168.1.1"; + defaultGateway6 = "fd00:1234:5678:1::1"; interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } { address = "192.168.1.3"; prefixLength = 32; } @@ -137,8 +140,49 @@ let with subtest("Test default gateway"): router.wait_until_succeeds("ping -c 1 192.168.3.1") client.wait_until_succeeds("ping -c 1 192.168.3.1") + router.wait_until_succeeds("ping -c 1 fd00:1234:5678:3::1") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:3::1") ''; }; + routeType = { + name = "RouteType"; + nodes.client = { pkgs, ... }: with pkgs.lib; { + networking = { + useDHCP = false; + useNetworkd = networkd; + interfaces.eth1.ipv4.routes = [{ + address = "192.168.1.127"; + prefixLength = 32; + type = "local"; + }]; + }; + }; + testScript = '' + start_all() + client.wait_for_unit("network.target") + client.succeed("ip -4 route list table local | grep 'local 192.168.1.127'") + ''; + }; + dhcpDefault = { + name = "useDHCP-by-default"; + nodes.router = router; + nodes.client = { lib, ... }: { + # Disable test driver default config + networking.interfaces = lib.mkForce {}; + networking.useNetworkd = networkd; + virtualisation.vlans = [ 1 ]; + }; + testScript = '' + start_all() + client.wait_for_unit("multi-user.target") + client.wait_until_succeeds("ip addr show dev eth1 | grep '192.168.1'") + client.shell_interact() + client.succeed("ping -c 1 192.168.1.1") + router.succeed("ping -c 1 192.168.1.1") + router.succeed("ping -c 1 192.168.1.2") + client.succeed("ping -c 1 192.168.1.2") + ''; + }; dhcpSimple = { name = "SimpleDHCP"; nodes.router = router; diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 5d4663b5d85..3df773fc0f8 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -26,4 +26,4 @@ foldl }; }) { } - [ 22 23 ] + [ 23 24 ] diff --git a/nixos/tests/nghttpx.nix b/nixos/tests/nghttpx.nix index d83c1c4cae6..11cac332827 100644 --- a/nixos/tests/nghttpx.nix +++ b/nixos/tests/nghttpx.nix @@ -54,8 +54,8 @@ in testScript = '' start_all() - webserver.wait_for_open_port("80") - proxy.wait_for_open_port("80") + webserver.wait_for_open_port(80) + proxy.wait_for_open_port(80) client.wait_until_succeeds("curl -s --fail http://proxy/hello-world.txt") ''; }) diff --git a/nixos/tests/nginx-http3.nix b/nixos/tests/nginx-http3.nix new file mode 100644 index 00000000000..edd0759464c --- /dev/null +++ b/nixos/tests/nginx-http3.nix @@ -0,0 +1,90 @@ +import ./make-test-python.nix ({lib, pkgs, ...}: +let + hosts = '' + 192.168.2.101 acme.test + ''; + +in +{ + name = "nginx-http3"; + meta.maintainers = with pkgs.lib.maintainers; [ izorkin ]; + + nodes = { + server = { pkgs, ... }: { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.101"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 443 ]; + firewall.allowedUDPPorts = [ 443 ]; + }; + + security.pki.certificates = [ + (builtins.readFile ./common/acme/server/ca.cert.pem) + ]; + + services.nginx = { + enable = true; + package = pkgs.nginxQuic; + + virtualHosts."acme.test" = { + onlySSL = true; + sslCertificate = ./common/acme/server/acme.test.cert.pem; + sslCertificateKey = ./common/acme/server/acme.test.key.pem; + http2 = true; + http3 = true; + reuseport = true; + root = lib.mkForce (pkgs.runCommandLocal "testdir2" {} '' + mkdir "$out" + cat > "$out/index.html" <<EOF + <html><body>Hello World!</body></html> + EOF + cat > "$out/example.txt" <<EOF + Check http3 protocol. + EOF + ''); + }; + }; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.curlHTTP3 ]; + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.201"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + }; + + security.pki.certificates = [ + (builtins.readFile ./common/acme/server/ca.cert.pem) + ]; + }; + }; + + testScript = '' + start_all() + + # Check http connections + client.succeed("curl --verbose --http3 https://acme.test | grep 'Hello World!'") + + # Check downloadings + client.succeed("curl --verbose --http3 https://acme.test/example.txt --output /tmp/example.txt") + client.succeed("cat /tmp/example.txt | grep 'Check http3 protocol.'") + + # Check header reading + client.succeed("curl --verbose --http3 --head https://acme.test | grep 'content-type'") + + # Check change User-Agent + client.succeed("curl --verbose --http3 --user-agent 'Curl test 3.0' https://acme.test") + server.succeed("cat /var/log/nginx/access.log | grep 'Curl test 3.0'") + + server.shutdown() + client.shutdown() + ''; +}) diff --git a/nixos/tests/nitter.nix b/nixos/tests/nitter.nix index 0e1a6d150f3..8bc55ba8c69 100644 --- a/nixos/tests/nitter.nix +++ b/nixos/tests/nitter.nix @@ -12,7 +12,7 @@ import ./make-test-python.nix ({ pkgs, ... }: testScript = '' machine.wait_for_unit("nitter.service") - machine.wait_for_open_port("80") + machine.wait_for_open_port(80) machine.succeed("curl --fail http://localhost:80/") ''; }) diff --git a/nixos/tests/nix-ld.nix b/nixos/tests/nix-ld.nix index 5c886182d96..ae5297ab87e 100644 --- a/nixos/tests/nix-ld.nix +++ b/nixos/tests/nix-ld.nix @@ -6,7 +6,7 @@ import ./make-test-python.nix ({ lib, pkgs, ...} : environment.systemPackages = [ (pkgs.runCommand "patched-hello" {} '' install -D -m755 ${pkgs.hello}/bin/hello $out/bin/hello - patchelf $out/bin/hello --set-interpreter ${pkgs.nix-ld.ldPath} + patchelf $out/bin/hello --set-interpreter $(cat ${pkgs.nix-ld}/nix-support/ldpath) '') ]; }; diff --git a/nixos/tests/node-red.nix b/nixos/tests/node-red.nix index 7660bc32f4c..5f5960d6829 100644 --- a/nixos/tests/node-red.nix +++ b/nixos/tests/node-red.nix @@ -19,7 +19,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = '' start_all() nodered.wait_for_unit("node-red.service") - nodered.wait_for_open_port("1880") + nodered.wait_for_open_port(1880) client.wait_for_unit("multi-user.target") diff --git a/nixos/tests/ombi.nix b/nixos/tests/ombi.nix index bfca86af817..ce3064ce6ac 100644 --- a/nixos/tests/ombi.nix +++ b/nixos/tests/ombi.nix @@ -12,7 +12,7 @@ with lib; testScript = '' machine.wait_for_unit("ombi.service") - machine.wait_for_open_port("5000") + machine.wait_for_open_port(5000) machine.succeed("curl --fail http://localhost:5000/") ''; }) diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 003813379e6..4083f5906d7 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -80,17 +80,21 @@ in { client.wait_for_unit("network.target") client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024", + timeout=30 ) with subtest("configured-authkey"): @@ -99,10 +103,12 @@ in { ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true", + timeout=30 ) with subtest("localhost-only"): diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index ac05bd80c60..1c89cf8c1c6 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -75,21 +75,30 @@ in { # The test cannot access the network, so any packages # nixos-rebuild needs must be included in the VM. system.extraDependencies = with pkgs; - [ sudo - libxml2.bin - libxslt.bin + [ + brotli + brotli.dev + brotli.lib desktop-file-utils docbook5 docbook_xsl_ns - unionfs-fuse - ntp + grub2 + kmod.dev + libarchive + libarchive.dev + libxml2.bin + libxslt.bin nixos-artwork.wallpapers.simple-dark-gray-bottom - perlPackages.XMLLibXML + ntp perlPackages.ListCompare + perlPackages.XMLLibXML + python3Minimal shared-mime-info + stdenv + sudo texinfo + unionfs-fuse xorg.lndir - grub2 # add curl so that rather than seeing the test attempt to download # curl's tarball, we see what it's trying to download diff --git a/nixos/tests/pam/pam-oath-login.nix b/nixos/tests/pam/pam-oath-login.nix index 8fb7553de90..dd6ef4a0abc 100644 --- a/nixos/tests/pam/pam-oath-login.nix +++ b/nixos/tests/pam/pam-oath-login.nix @@ -7,7 +7,7 @@ let # how many passwords have been made. In this env, we'll always be on # the 0th counter, so the password is static. # - # Generated in nix-shell -p oathToolkit + # Generated in nix-shell -p oath-toolkit # via: oathtool -v -d6 -w10 cdd4083ef8ff1fa9178c6d46bfb1a3 # and picking a the first 4: oathSnakeOilPassword1 = "143349"; @@ -77,28 +77,28 @@ in machine.screenshot("postboot") with subtest("Invalid password"): - switch_to_tty(2) - enter_user_alice(2) + switch_to_tty("2") + enter_user_alice("2") machine.send_chars("${oathSnakeOilPassword1}\n") - machine.wait_until_tty_matches(2, "Password: ") + machine.wait_until_tty_matches("2", "Password: ") machine.send_chars("blorg\n") - machine.wait_until_tty_matches(2, "Login incorrect") + machine.wait_until_tty_matches("2", "Login incorrect") with subtest("Invalid oath token"): - switch_to_tty(3) - enter_user_alice(3) + switch_to_tty("3") + enter_user_alice("3") machine.send_chars("000000\n") - machine.wait_until_tty_matches(3, "Login incorrect") - machine.wait_until_tty_matches(3, "login:") + machine.wait_until_tty_matches("3", "Login incorrect") + machine.wait_until_tty_matches("3", "login:") with subtest("Happy path: Both passwords are mandatory to get us in"): - switch_to_tty(4) - enter_user_alice(4) + switch_to_tty("4") + enter_user_alice("4") machine.send_chars("${oathSnakeOilPassword2}\n") - machine.wait_until_tty_matches(4, "Password: ") + machine.wait_until_tty_matches("4", "Password: ") machine.send_chars("${alicePassword}\n") machine.wait_until_succeeds("pgrep -u alice bash") diff --git a/nixos/tests/paperless.nix b/nixos/tests/paperless.nix index 51fe7c20785..12883cd62c6 100644 --- a/nixos/tests/paperless.nix +++ b/nixos/tests/paperless.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ lib, ... }: { name = "paperless"; - meta.maintainers = with lib.maintainers; [ earvstedt Flakebi ]; + meta.maintainers = with lib.maintainers; [ erikarvstedt Flakebi ]; nodes.machine = { pkgs, ... }: { environment.systemPackages = with pkgs; [ imagemagick jq ]; diff --git a/nixos/tests/pdns-recursor.nix b/nixos/tests/pdns-recursor.nix index cf473a06431..14f1b7ea8a3 100644 --- a/nixos/tests/pdns-recursor.nix +++ b/nixos/tests/pdns-recursor.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = '' server.wait_for_unit("pdns-recursor") - server.wait_for_open_port("53") + server.wait_for_open_port(53) assert "192.0.2.1" in server.succeed("host example.com localhost") ''; }) diff --git a/nixos/tests/pgadmin4.nix b/nixos/tests/pgadmin4.nix index 2f6dc3bd569..b30299d307e 100644 --- a/nixos/tests/pgadmin4.nix +++ b/nixos/tests/pgadmin4.nix @@ -1,53 +1,27 @@ -import ./make-test-python.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, buildDeps ? [ ], pythonEnv ? [ ], ... }: + + /* + This test suite replaces the typical pytestCheckHook function in python + packages. Pgadmin4 test suite needs a running and configured postgresql + server. This is why this test exists. + + To not repeat all the python dependencies needed, this test is called directly + from the pgadmin4 derivation, which also passes the currently + used propagatedBuildInputs and any python overrides. + + Unfortunately, there doesn't seem to be an easy way to otherwise include + the needed packages here. + + Due the the needed parameters a direct call to "nixosTests.pgadmin4" fails + and needs to be called as "pgadmin4.tests" + + */ let pgadmin4SrcDir = "/pgadmin"; pgadmin4Dir = "/var/lib/pgadmin"; pgadmin4LogDir = "/var/log/pgadmin"; - python-with-needed-packages = pkgs.python3.withPackages (ps: with ps; [ - selenium - testtools - testscenarios - flask - flask-babelex - flask-babel - flask-gravatar - flask_login - flask_mail - flask_migrate - flask_sqlalchemy - flask_wtf - flask-compress - passlib - pytz - simplejson - six - sqlparse - wtforms - flask-paranoid - psutil - psycopg2 - python-dateutil - sqlalchemy - itsdangerous - flask-security-too - bcrypt - cryptography - sshtunnel - ldap3 - gssapi - flask-socketio - eventlet - httpagentparser - user-agents - wheel - authlib - qrcode - pillow - pyotp - boto3 - ]); in { name = "pgadmin4"; @@ -55,12 +29,27 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: nodes.machine = { pkgs, ... }: { imports = [ ./common/x11.nix ]; + # needed because pgadmin 6.8 will fail, if those dependencies get updated + nixpkgs.overlays = [ + (self: super: { + pythonPackages = pythonEnv; + }) + ]; + environment.systemPackages = with pkgs; [ pgadmin4 postgresql - python-with-needed-packages chromedriver chromium + # include the same packages as in pgadmin minus speaklater3 + (python3.withPackages + (ps: buildDeps ++ + [ + # test suite package requirements + pythonPackages.testscenarios + pythonPackages.selenium + ]) + ) ]; services.postgresql = { enable = true; @@ -121,7 +110,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("run browser test"): machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg browser --exclude \ + && python regression/runtests.py --pkg browser --exclude \ browser.tests.test_ldap_login.LDAPLoginTestCase,browser.tests.test_ldap_login' ) @@ -131,13 +120,13 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ && export FONTCONFIG_FILE=${pkgs.makeFontsConf { fontDirectories = [];}} \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg feature_tests' + && python regression/runtests.py --pkg feature_tests' ) with subtest("run resql test"): machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg resql' + && python regression/runtests.py --pkg resql' ) ''; }) diff --git a/nixos/tests/pict-rs.nix b/nixos/tests/pict-rs.nix index 90f01d6d5d0..4315e9fb6e9 100644 --- a/nixos/tests/pict-rs.nix +++ b/nixos/tests/pict-rs.nix @@ -12,6 +12,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: start_all() machine.wait_for_unit("pict-rs") - machine.wait_for_open_port("8080") + machine.wait_for_open_port(8080) ''; }) diff --git a/nixos/tests/pleroma.nix b/nixos/tests/pleroma.nix index 90a9a251104..8998716243a 100644 --- a/nixos/tests/pleroma.nix +++ b/nixos/tests/pleroma.nix @@ -158,7 +158,9 @@ import ./make-test-python.nix ({ pkgs, ... }: # Waiting for pleroma to be up. timeout 5m bash -c 'while [[ "$(curl -s -o /dev/null -w '%{http_code}' https://pleroma.nixos.test/api/v1/instance)" != "200" ]]; do sleep 2; done' - pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y + # Toremove the RELEASE_COOKIE bit when https://github.com/NixOS/nixpkgs/issues/166229 gets fixed. + RELEASE_COOKIE="/var/lib/pleroma/.cookie" \ + pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y ''; tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' diff --git a/nixos/tests/plikd.nix b/nixos/tests/plikd.nix index 643fd5bfcd3..97c254a5f7b 100644 --- a/nixos/tests/plikd.nix +++ b/nixos/tests/plikd.nix @@ -15,7 +15,7 @@ import ./make-test-python.nix ({ lib, ... }: { machine.wait_for_unit("plikd") # Network test - machine.wait_for_open_port("8080") + machine.wait_for_open_port(8080) machine.succeed("curl --fail -v http://localhost:8080") # Application test diff --git a/nixos/tests/podgrab.nix b/nixos/tests/podgrab.nix index e927e25fea5..e5a340dc2ac 100644 --- a/nixos/tests/podgrab.nix +++ b/nixos/tests/podgrab.nix @@ -22,11 +22,11 @@ import ./make-test-python.nix ({ pkgs, ... }: { start_all() default.wait_for_unit("podgrab") - default.wait_for_open_port("${toString defaultPort}") + default.wait_for_open_port(defaultPort) default.succeed("curl --fail http://localhost:${toString defaultPort}") customized.wait_for_unit("podgrab") - customized.wait_for_open_port("${toString customPort}") + customized.wait_for_open_port(customPort) customized.succeed("curl --fail http://localhost:${toString customPort}") ''; diff --git a/nixos/tests/privoxy.nix b/nixos/tests/privoxy.nix index 47072ce4b0a..2d95c4522a0 100644 --- a/nixos/tests/privoxy.nix +++ b/nixos/tests/privoxy.nix @@ -81,23 +81,23 @@ in '' with subtest("Privoxy is running"): machine.wait_for_unit("privoxy") - machine.wait_for_open_port("8118") + machine.wait_for_open_port(8118) machine.succeed("curl -f http://config.privoxy.org") with subtest("Privoxy can filter http requests"): - machine.wait_for_open_port("80") + machine.wait_for_open_port(80) assert "great day" in machine.succeed( "curl -sfL http://example.com/how-are-you? | tee /dev/stderr" ) with subtest("Privoxy can filter https requests"): - machine.wait_for_open_port("443") + machine.wait_for_open_port(443) assert "great day" in machine.succeed( "curl -sfL https://example.com/how-are-you? | tee /dev/stderr" ) with subtest("Blocks are working"): - machine.wait_for_open_port("443") + machine.wait_for_open_port(443) machine.fail("curl -f https://example.com/ads 1>&2") machine.succeed("curl -f https://example.com/PRIVOXY-FORCE/ads 1>&2") diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index ce3b3fbf3bf..849f5ee159f 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -52,7 +52,7 @@ let * testScript = '' * <exporterName>.start() * <exporterName>.wait_for_unit("prometheus-<exporterName>-exporter.service") - * <exporterName>.wait_for_open_port("1234") + * <exporterName>.wait_for_open_port(1234) * <exporterName>.succeed("curl -sSf 'localhost:1234/metrics'") * <exporterName>.shutdown() * ''; diff --git a/nixos/tests/prowlarr.nix b/nixos/tests/prowlarr.nix index 4cbca107568..144cbd5fc95 100644 --- a/nixos/tests/prowlarr.nix +++ b/nixos/tests/prowlarr.nix @@ -12,7 +12,7 @@ with lib; testScript = '' machine.wait_for_unit("prowlarr.service") - machine.wait_for_open_port("9696") + machine.wait_for_open_port(9696) machine.succeed("curl --fail http://localhost:9696/") ''; }) diff --git a/nixos/tests/public-inbox.nix b/nixos/tests/public-inbox.nix new file mode 100644 index 00000000000..7de40400fcb --- /dev/null +++ b/nixos/tests/public-inbox.nix @@ -0,0 +1,227 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +let + orga = "example"; + domain = "${orga}.localdomain"; + + tls-cert = pkgs.runCommand "selfSignedCert" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \ + -subj '/CN=machine.${domain}' + install -D -t $out key.pem cert.pem + ''; +in +{ + name = "public-inbox"; + + meta.maintainers = with pkgs.lib.maintainers; [ julm ]; + + machine = { config, pkgs, nodes, ... }: let + inherit (config.services) gitolite public-inbox; + # Git repositories paths in Gitolite. + # Only their baseNameOf is used for configuring public-inbox. + repositories = [ + "user/repo1" + "user/repo2" + ]; + in + { + virtualisation.diskSize = 1 * 1024; + virtualisation.memorySize = 1 * 1024; + networking.domain = domain; + + security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; + # If using security.acme: + #security.acme.certs."${domain}".postRun = '' + # systemctl try-restart public-inbox-nntpd public-inbox-imapd + #''; + + services.public-inbox = { + enable = true; + postfix.enable = true; + openFirewall = true; + settings.publicinbox = { + css = [ "href=https://machine.${domain}/style/light.css" ]; + nntpserver = [ "nntps://machine.${domain}" ]; + wwwlisting = "match=domain"; + }; + mda = { + enable = true; + args = [ "--no-precheck" ]; # Allow Bcc: + }; + http = { + enable = true; + port = "/run/public-inbox-http.sock"; + #port = 8080; + args = ["-W0"]; + mounts = [ + "https://machine.${domain}/inbox" + ]; + }; + nntp = { + enable = true; + #port = 563; + args = ["-W0"]; + cert = "${tls-cert}/cert.pem"; + key = "${tls-cert}/key.pem"; + }; + imap = { + enable = true; + #port = 993; + args = ["-W0"]; + cert = "${tls-cert}/cert.pem"; + key = "${tls-cert}/key.pem"; + }; + inboxes = lib.recursiveUpdate (lib.genAttrs (map baseNameOf repositories) (repo: { + address = [ + # Routed to the "public-inbox:" transport in services.postfix.transport + "${repo}@${domain}" + ]; + description = '' + ${repo}@${domain} : + discussions about ${repo}. + ''; + url = "https://machine.${domain}/inbox/${repo}"; + newsgroup = "inbox.comp.${orga}.${repo}"; + coderepo = [ repo ]; + })) + { + repo2 = { + hide = [ + "imap" # FIXME: doesn't work for IMAP as of public-inbox 1.6.1 + "manifest" + "www" + ]; + }; + }; + settings.coderepo = lib.listToAttrs (map (path: lib.nameValuePair (baseNameOf path) { + dir = "/var/lib/gitolite/repositories/${path}.git"; + cgitUrl = "https://git.${domain}/${path}.git"; + }) repositories); + }; + + # Use gitolite to store Git repositories listed in coderepo entries + services.gitolite = { + enable = true; + adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmoTOQnGqX+//us5oye8UuE+tQBx9QEM7PN13jrwgqY root@localhost"; + }; + systemd.services.public-inbox-httpd = { + serviceConfig.SupplementaryGroups = [ gitolite.group ]; + }; + + # Use nginx as a reverse proxy for public-inbox-httpd + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + virtualHosts."machine.${domain}" = { + forceSSL = true; + sslCertificate = "${tls-cert}/cert.pem"; + sslCertificateKey = "${tls-cert}/key.pem"; + locations."/".return = "302 /inbox"; + locations."= /inbox".return = "302 /inbox/"; + locations."/inbox".proxyPass = "http://unix:${public-inbox.http.port}:/inbox"; + # If using TCP instead of a Unix socket: + #locations."/inbox".proxyPass = "http://127.0.0.1:${toString public-inbox.http.port}/inbox"; + # Referred to by settings.publicinbox.css + # See http://public-inbox.org/meta/_/text/color/ + locations."= /style/light.css".alias = pkgs.writeText "light.css" '' + * { background:#fff; color:#000 } + + a { color:#00f; text-decoration:none } + a:visited { color:#808 } + + *.q { color:#008 } + + *.add { color:#060 } + *.del {color:#900 } + *.head { color:#000 } + *.hunk { color:#960 } + + .hl.num { color:#f30 } /* number */ + .hl.esc { color:#f0f } /* escape character */ + .hl.str { color:#f30 } /* string */ + .hl.ppc { color:#c3c } /* preprocessor */ + .hl.pps { color:#f30 } /* preprocessor string */ + .hl.slc { color:#099 } /* single-line comment */ + .hl.com { color:#099 } /* multi-line comment */ + /* .hl.opt { color:#ccc } */ /* operator */ + /* .hl.ipl { color:#ccc } */ /* interpolation */ + + /* keyword groups kw[a-z] */ + .hl.kwa { color:#f90 } + .hl.kwb { color:#060 } + .hl.kwc { color:#f90 } + /* .hl.kwd { color:#ccc } */ + ''; + }; + }; + + services.postfix = { + enable = true; + setSendmail = true; + #sslCert = "${tls-cert}/cert.pem"; + #sslKey = "${tls-cert}/key.pem"; + recipientDelimiter = "+"; + }; + + environment.systemPackages = [ + pkgs.mailutils + pkgs.openssl + ]; + + }; + + testScript = '' + start_all() + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("public-inbox-init.service") + + # Very basic check that Gitolite can work; + # Gitolite is not needed for the rest of this testScript + machine.wait_for_unit("gitolite-init.service") + + # List inboxes through public-inbox-httpd + machine.wait_for_unit("nginx.service") + machine.succeed("curl -L https://machine.${domain} | grep repo1@${domain}") + # The repo2 inbox is hidden + machine.fail("curl -L https://machine.${domain} | grep repo2@${domain}") + machine.wait_for_unit("public-inbox-httpd.service") + + # Send a mail and read it through public-inbox-httpd + # Must work too when using a recipientDelimiter. + machine.wait_for_unit("postfix.service") + machine.succeed("mail -t <${pkgs.writeText "mail" '' + Subject: Testing mail + From: root@localhost + To: repo1+extension@${domain} + Message-ID: <repo1@root-1> + Content-Type: text/plain; charset=utf-8 + Content-Disposition: inline + + This is a testing mail. + ''}") + machine.sleep(5) + machine.succeed("curl -L 'https://machine.${domain}/inbox/repo1/repo1@root-1/T/#u' | grep 'This is a testing mail.'") + + # Read a mail through public-inbox-imapd + machine.wait_for_open_port(993) + machine.wait_for_unit("public-inbox-imapd.service") + machine.succeed("openssl s_client -ign_eof -crlf -connect machine.${domain}:993 <${pkgs.writeText "imap-commands" '' + tag login anonymous@${domain} anonymous + tag SELECT INBOX.comp.${orga}.repo1.0 + tag FETCH 1 (BODY[HEADER]) + tag LOGOUT + ''} | grep '^Message-ID: <repo1@root-1>'") + + # TODO: Read a mail through public-inbox-nntpd + #machine.wait_for_open_port(563) + #machine.wait_for_unit("public-inbox-nntpd.service") + + # Delete a mail. + # Note that the use of an extension not listed in the addresses + # require to use --all + machine.succeed("curl -L https://machine.example.localdomain/inbox/repo1/repo1@root-1/raw | sudo -u public-inbox public-inbox-learn rm --all") + machine.fail("curl -L https://machine.example.localdomain/inbox/repo1/repo1@root-1/T/#u | grep 'This is a testing mail.'") + ''; +}) diff --git a/nixos/tests/pykms.nix b/nixos/tests/pykms.nix new file mode 100644 index 00000000000..14d776a2f11 --- /dev/null +++ b/nixos/tests/pykms.nix @@ -0,0 +1,14 @@ +import ./make-test-python.nix ({ pkgs, ... }: + { + name = "pykms-test"; + meta.maintainers = with pkgs.lib.maintainers; [ zopieux ]; + + nodes.machine = { config, lib, pkgs, ... }: { + services.pykms.enable = true; + }; + + testScript = '' + machine.wait_for_unit("pykms.service") + machine.succeed("${pkgs.pykms}/bin/client") + ''; + }) diff --git a/nixos/tests/rabbitmq.nix b/nixos/tests/rabbitmq.nix index 831335d8c51..f8e8e61c47d 100644 --- a/nixos/tests/rabbitmq.nix +++ b/nixos/tests/rabbitmq.nix @@ -22,6 +22,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_until_succeeds( 'su -s ${pkgs.runtimeShell} rabbitmq -c "rabbitmqctl status"' ) - machine.wait_for_open_port("15672") + machine.wait_for_open_port(15672) ''; }) diff --git a/nixos/tests/radarr.nix b/nixos/tests/radarr.nix index ed90025ac42..85fd6572f06 100644 --- a/nixos/tests/radarr.nix +++ b/nixos/tests/radarr.nix @@ -12,7 +12,7 @@ with lib; testScript = '' machine.wait_for_unit("radarr.service") - machine.wait_for_open_port("7878") + machine.wait_for_open_port(7878) machine.succeed("curl --fail http://localhost:7878/") ''; }) diff --git a/nixos/tests/redis.nix b/nixos/tests/redis.nix index 7b70c239ad6..abea1657f3e 100644 --- a/nixos/tests/redis.nix +++ b/nixos/tests/redis.nix @@ -30,7 +30,7 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.wait_for_unit("redis-test") # The unnamed Redis server still opens a port for backward-compatibility - machine.wait_for_open_port("6379") + machine.wait_for_open_port(6379) machine.wait_for_file("${redis.servers."".unixSocket}") machine.wait_for_file("${redis.servers."test".unixSocket}") diff --git a/nixos/tests/restic.nix b/nixos/tests/restic.nix index 16979eab821..7523d5e5ed5 100644 --- a/nixos/tests/restic.nix +++ b/nixos/tests/restic.nix @@ -1,96 +1,119 @@ import ./make-test-python.nix ( { pkgs, ... }: - let - password = "some_password"; - repository = "/tmp/restic-backup"; - rcloneRepository = "rclone:local:/tmp/restic-rclone-backup"; + let + password = "some_password"; + repository = "/tmp/restic-backup"; + repositoryFile = "${pkgs.writeText "repositoryFile" "/tmp/restic-backup-from-file"}"; + rcloneRepository = "rclone:local:/tmp/restic-rclone-backup"; - passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}"; - initialize = true; - paths = [ "/opt" ]; - pruneOpts = [ - "--keep-daily 2" - "--keep-weekly 1" - "--keep-monthly 1" - "--keep-yearly 99" - ]; - in - { - name = "restic"; + backupPrepareCommand = '' + touch /opt/backupPrepareCommand + test ! -e /opt/backupCleanupCommand + ''; - meta = with pkgs.lib.maintainers; { - maintainers = [ bbigras i077 ]; - }; + backupCleanupCommand = '' + rm /opt/backupPrepareCommand + touch /opt/backupCleanupCommand + ''; - nodes = { - server = - { pkgs, ... }: - { - services.restic.backups = { - remotebackup = { - inherit repository passwordFile initialize paths pruneOpts; - }; - rclonebackup = { - repository = rcloneRepository; - rcloneConfig = { - type = "local"; - one_file_system = true; - }; + passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}"; + initialize = true; + paths = [ "/opt" ]; + pruneOpts = [ + "--keep-daily 2" + "--keep-weekly 1" + "--keep-monthly 1" + "--keep-yearly 99" + ]; + in + { + name = "restic"; - # This gets overridden by rcloneConfig.type - rcloneConfigFile = pkgs.writeText "rclone.conf" '' - [local] - type=ftp - ''; - inherit passwordFile initialize paths pruneOpts; - }; - remoteprune = { - inherit repository passwordFile; - pruneOpts = [ "--keep-last 1" ]; - }; - }; + meta = with pkgs.lib.maintainers; { + maintainers = [ bbigras i077 ]; + }; - environment.sessionVariables.RCLONE_CONFIG_LOCAL_TYPE = "local"; + nodes = { + server = + { pkgs, ... }: + { + services.restic.backups = { + remotebackup = { + inherit repository passwordFile initialize paths pruneOpts backupPrepareCommand backupCleanupCommand; + }; + remotebackup-from-file = { + inherit repositoryFile passwordFile initialize paths pruneOpts; + }; + rclonebackup = { + repository = rcloneRepository; + rcloneConfig = { + type = "local"; + one_file_system = true; }; + + # This gets overridden by rcloneConfig.type + rcloneConfigFile = pkgs.writeText "rclone.conf" '' + [local] + type=ftp + ''; + inherit passwordFile initialize paths pruneOpts; + }; + remoteprune = { + inherit repository passwordFile; + pruneOpts = [ "--keep-last 1" ]; + }; + }; + + environment.sessionVariables.RCLONE_CONFIG_LOCAL_TYPE = "local"; }; + }; - testScript = '' - server.start() - server.wait_for_unit("dbus.socket") - server.fail( - "${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots", - "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots", - ) - server.succeed( - "mkdir -p /opt", - "touch /opt/some_file", - "mkdir -p /tmp/restic-rclone-backup", - "timedatectl set-time '2016-12-13 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', - "timedatectl set-time '2017-12-13 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - "timedatectl set-time '2018-12-13 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - "timedatectl set-time '2018-12-14 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - "timedatectl set-time '2018-12-15 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - "timedatectl set-time '2018-12-16 13:45'", - "systemctl start restic-backups-remotebackup.service", - "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', - "systemctl start restic-backups-remoteprune.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', - ) - ''; - } + testScript = '' + server.start() + server.wait_for_unit("dbus.socket") + server.fail( + "${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots", + '${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots"', + "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots", + ) + server.succeed( + "mkdir -p /opt", + "touch /opt/some_file", + "mkdir -p /tmp/restic-rclone-backup", + "timedatectl set-time '2016-12-13 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-remotebackup-from-file.service", + "systemctl start restic-backups-rclonebackup.service", + '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + '${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + "timedatectl set-time '2017-12-13 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-13 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-14 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-15 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-16 13:45'", + "systemctl start restic-backups-remotebackup.service", + "rm /opt/backupCleanupCommand", + "systemctl start restic-backups-rclonebackup.service", + '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', + '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', + "systemctl start restic-backups-remoteprune.service", + '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + ) + ''; + } ) diff --git a/nixos/tests/riak.nix b/nixos/tests/riak.nix deleted file mode 100644 index e75d40fa256..00000000000 --- a/nixos/tests/riak.nix +++ /dev/null @@ -1,18 +0,0 @@ -import ./make-test-python.nix ({ lib, pkgs, ... }: { - name = "riak"; - meta = with lib.maintainers; { - maintainers = [ Br1ght0ne ]; - }; - - nodes.machine = { - services.riak.enable = true; - services.riak.package = pkgs.riak; - }; - - testScript = '' - machine.start() - - machine.wait_for_unit("riak") - machine.wait_until_succeeds("riak ping 2>&1") - ''; -}) diff --git a/nixos/tests/schleuder.nix b/nixos/tests/schleuder.nix new file mode 100644 index 00000000000..a9e4cc325bc --- /dev/null +++ b/nixos/tests/schleuder.nix @@ -0,0 +1,128 @@ +let + certs = import ./common/acme/server/snakeoil-certs.nix; + domain = certs.domain; +in +import ./make-test-python.nix { + name = "schleuder"; + nodes.machine = { pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + services.postfix = { + enable = true; + enableSubmission = true; + tlsTrustedAuthorities = "${certs.ca.cert}"; + sslCert = "${certs.${domain}.cert}"; + sslKey = "${certs.${domain}.key}"; + inherit domain; + destination = [ domain ]; + localRecipients = [ "root" "alice" "bob" ]; + }; + services.schleuder = { + enable = true; + # Don't do it like this in production! The point of this setting + # is to allow loading secrets from _outside_ the world-readable + # Nix store. + extraSettingsFile = pkgs.writeText "schleuder-api-keys.yml" '' + api: + valid_api_keys: + - fnord + ''; + lists = [ "security@${domain}" ]; + settings.api = { + tls_cert_file = "${certs.${domain}.cert}"; + tls_key_file = "${certs.${domain}.key}"; + }; + }; + + environment.systemPackages = [ + pkgs.gnupg + pkgs.msmtp + (pkgs.writeScriptBin "do-test" '' + #!${pkgs.runtimeShell} + set -exuo pipefail + + # Generate a GPG key with no passphrase and export it + sudo -u alice gpg --passphrase-fd 0 --batch --yes --quick-generate-key 'alice@${domain}' rsa4096 sign,encr < <(echo) + sudo -u alice gpg --armor --export alice@${domain} > alice.asc + # Create a new mailing list with alice as the owner, and alice's key + schleuder-cli list new security@${domain} alice@${domain} alice.asc + + # Send an email from a non-member of the list. Use --auto-from so we don't have to specify who it's from twice. + msmtp --auto-from security@${domain} --host=${domain} --port=25 --tls --tls-starttls <<EOF + Subject: really big security issue!! + From: root@${domain} + + I found a big security problem! + EOF + + # Wait for delivery + (set +o pipefail; journalctl -f -n 1000 -u postfix | grep -m 1 'delivered to maildir') + + # There should be exactly one email + mail=(/var/spool/mail/alice/new/*) + [[ "''${#mail[@]}" = 1 ]] + + # Find the fingerprint of the mailing list key + read list_key_fp address < <(schleuder-cli keys list security@${domain} | grep security@) + schleuder-cli keys export security@${domain} $list_key_fp > list.asc + + # Import the key into alice's keyring, so we can verify it as well as decrypting + sudo -u alice gpg --import <list.asc + # And perform the decryption. + sudo -u alice gpg -d $mail >decrypted + # And check that the text matches. + grep "big security problem" decrypted + '') + + # For debugging: + # pkgs.vim pkgs.openssl pkgs.sqliteinteractive + ]; + + security.pki.certificateFiles = [ certs.ca.cert ]; + + # Since we don't have internet here, use dnsmasq to provide MX records from /etc/hosts + services.dnsmasq = { + enable = true; + extraConfig = '' + selfmx + ''; + }; + + networking.extraHosts = '' + 127.0.0.1 ${domain} + ''; + + # schleuder-cli's config is not quite optimal in several ways: + # - A fingerprint _must_ be pinned, it doesn't even have an option + # to trust the PKI + # - It compares certificate fingerprints rather than key + # fingerprints, so renewals break the pin (though that's not + # relevant for this test) + # - It compares them as strings, which means we need to match the + # expected format exactly. This means removing the :s and + # lowercasing it. + # Refs: + # https://0xacab.org/schleuder/schleuder-cli/-/issues/16 + # https://0xacab.org/schleuder/schleuder-cli/-/blob/f8895b9f47083d8c7b99a2797c93f170f3c6a3c0/lib/schleuder-cli/helper.rb#L230-238 + systemd.tmpfiles.rules = let cliconfig = pkgs.runCommand "schleuder-cli.yml" + { + nativeBuildInputs = [ pkgs.jq pkgs.openssl ]; + } '' + fp=$(openssl x509 -in ${certs.${domain}.cert} -noout -fingerprint -sha256 | cut -d = -f 2 | tr -d : | tr 'A-Z' 'a-z') + cat > $out <<EOF + host: localhost + port: 4443 + tls_fingerprint: "$fp" + api_key: fnord + EOF + ''; in + [ + "L+ /root/.schleuder-cli/schleuder-cli.yml - - - - ${cliconfig}" + ]; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + machine.wait_until_succeeds("nc -z localhost 4443") + machine.succeed("do-test") + ''; +} diff --git a/nixos/tests/shadow.nix b/nixos/tests/shadow.nix index dd2a575b193..50a9f712464 100644 --- a/nixos/tests/shadow.nix +++ b/nixos/tests/shadow.nix @@ -39,9 +39,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.wait_until_succeeds("[ $(fgconsole) = 2 ]") shadow.wait_for_unit("getty@tty2.service") shadow.wait_until_succeeds("pgrep -f 'agetty.*tty2'") - shadow.wait_until_tty_matches(2, "login: ") + shadow.wait_until_tty_matches("2", "login: ") shadow.send_chars("emma\n") - shadow.wait_until_tty_matches(2, "login: emma") + shadow.wait_until_tty_matches("2", "login: emma") shadow.wait_until_succeeds("pgrep login") shadow.sleep(2) shadow.send_chars("${password1}\n") @@ -63,9 +63,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.wait_until_succeeds("[ $(fgconsole) = 3 ]") shadow.wait_for_unit("getty@tty3.service") shadow.wait_until_succeeds("pgrep -f 'agetty.*tty3'") - shadow.wait_until_tty_matches(3, "login: ") + shadow.wait_until_tty_matches("3", "login: ") shadow.send_chars("emma\n") - shadow.wait_until_tty_matches(3, "login: emma") + shadow.wait_until_tty_matches("3", "login: emma") shadow.wait_until_succeeds("pgrep login") shadow.sleep(2) shadow.send_chars("${password1}\n") @@ -81,16 +81,16 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.wait_until_succeeds("[ $(fgconsole) = 4 ]") shadow.wait_for_unit("getty@tty4.service") shadow.wait_until_succeeds("pgrep -f 'agetty.*tty4'") - shadow.wait_until_tty_matches(4, "login: ") + shadow.wait_until_tty_matches("4", "login: ") shadow.send_chars("emma\n") - shadow.wait_until_tty_matches(4, "login: emma") + shadow.wait_until_tty_matches("4", "login: emma") shadow.wait_until_succeeds("pgrep login") shadow.sleep(2) shadow.send_chars("${password1}\n") - shadow.wait_until_tty_matches(4, "Login incorrect") - shadow.wait_until_tty_matches(4, "login:") + shadow.wait_until_tty_matches("4", "Login incorrect") + shadow.wait_until_tty_matches("4", "login:") shadow.send_chars("emma\n") - shadow.wait_until_tty_matches(4, "login: emma") + shadow.wait_until_tty_matches("4", "login: emma") shadow.wait_until_succeeds("pgrep login") shadow.sleep(2) shadow.send_chars("${password3}\n") @@ -109,11 +109,11 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.wait_until_succeeds("[ $(fgconsole) = 5 ]") shadow.wait_for_unit("getty@tty5.service") shadow.wait_until_succeeds("pgrep -f 'agetty.*tty5'") - shadow.wait_until_tty_matches(5, "login: ") + shadow.wait_until_tty_matches("5", "login: ") shadow.send_chars("layla\n") - shadow.wait_until_tty_matches(5, "login: layla") + shadow.wait_until_tty_matches("5", "login: layla") shadow.wait_until_succeeds("pgrep login") shadow.send_chars("${password2}\n") - shadow.wait_until_tty_matches(5, "login:") + shadow.wait_until_tty_matches("5", "login:") ''; }) diff --git a/nixos/tests/sonarr.nix b/nixos/tests/sonarr.nix index 764a4d05b38..bdfc8916cb7 100644 --- a/nixos/tests/sonarr.nix +++ b/nixos/tests/sonarr.nix @@ -12,7 +12,7 @@ with lib; testScript = '' machine.wait_for_unit("sonarr.service") - machine.wait_for_open_port("8989") + machine.wait_for_open_port(8989) machine.succeed("curl --fail http://localhost:8989/") ''; }) diff --git a/nixos/tests/sourcehut.nix b/nixos/tests/sourcehut.nix index 34a60247e00..d52fbddd20f 100644 --- a/nixos/tests/sourcehut.nix +++ b/nixos/tests/sourcehut.nix @@ -169,6 +169,45 @@ in oauth-client-id = "d07cb713d920702e"; }; settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA="; + settings.mail = { + smtp-from = "root+hut@${domain}"; + # WARNING: take care to keep pgp-privkey outside the Nix store in production, + # or use LoadCredentialEncrypted= + pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" '' + -----BEGIN PGP PRIVATE KEY BLOCK----- + + lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd + Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv + cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp + bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA + BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi + 2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h + Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv + D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2 + cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC + GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN + xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG + =Hjoc + -----END PGP PRIVATE KEY BLOCK----- + ''); + pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" '' + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd + Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0 + LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg + 0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ + JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt + H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ + 3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL + 8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6 + 3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE + xy+wKRdhGy/evLT/w9oSBg== + =pJD7 + -----END PGP PUBLIC KEY BLOCK----- + ''; + pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9"; + }; }; networking.firewall.allowedTCPPorts = [ 443 ]; @@ -195,6 +234,7 @@ in # Testing metasrht machine.wait_for_unit("metasrht-api.service") machine.wait_for_unit("metasrht.service") + machine.wait_for_unit("metasrht-webhooks.service") machine.wait_for_open_port(5000) machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}") machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}") @@ -206,7 +246,9 @@ in #machine.wait_for_unit("buildsrht-worker.service") # Testing gitsrht + machine.wait_for_unit("gitsrht-api.service") machine.wait_for_unit("gitsrht.service") + machine.wait_for_unit("gitsrht-webhooks.service") machine.succeed("curl -sL http://git.${domain} | grep git.${domain}") ''; }) diff --git a/nixos/tests/sway.nix b/nixos/tests/sway.nix index 8f95f2a030d..52e2c7c99ec 100644 --- a/nixos/tests/sway.nix +++ b/nixos/tests/sway.nix @@ -4,6 +4,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { maintainers = with lib.maintainers; [ primeos synthetica ]; }; + # testScriptWithTypes:49: error: Cannot call function of unknown type + # (machine.succeed if succeed else machine.execute)( + # ^ + # Found 1 error in 1 file (checked 1 source file) + skipTypeCheck = true; + nodes.machine = { config, ... }: { # Automatically login on tty1 as a normal user: imports = [ ./common/user-account.nix ]; diff --git a/nixos/tests/systemd-initrd-btrfs-raid.nix b/nixos/tests/systemd-initrd-btrfs-raid.nix new file mode 100644 index 00000000000..40fd2d4dc61 --- /dev/null +++ b/nixos/tests/systemd-initrd-btrfs-raid.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "systemd-initrd-btrfs-raid"; + + nodes.machine = { pkgs, ... }: { + # Use systemd-boot + virtualisation = { + emptyDiskImages = [ 512 512 ]; + useBootLoader = true; + useEFIBoot = true; + }; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + environment.systemPackages = with pkgs; [ btrfs-progs ]; + boot.initrd.systemd = { + enable = true; + emergencyAccess = true; + }; + + specialisation.boot-btrfs-raid.configuration = { + fileSystems = lib.mkVMOverride { + "/".fsType = lib.mkForce "btrfs"; + }; + virtualisation.bootDevice = "/dev/vdc"; + }; + }; + + testScript = '' + # Create RAID + machine.succeed("mkfs.btrfs -d raid0 /dev/vdc /dev/vdd") + machine.succeed("mkdir -p /mnt && mount /dev/vdc /mnt && echo hello > /mnt/test && umount /mnt") + + # Boot from the RAID + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-btrfs-raid.conf") + machine.succeed("sync") + machine.crash() + machine.wait_for_unit("multi-user.target") + + # Ensure we have successfully booted from the RAID + assert "(initrd)" in machine.succeed("systemd-analyze") # booted with systemd in stage 1 + assert "/dev/vdc on / type btrfs" in machine.succeed("mount") + assert "hello" in machine.succeed("cat /test") + assert "Total devices 2" in machine.succeed("btrfs filesystem show") + ''; +}) diff --git a/nixos/tests/systemd-initrd-luks-keyfile.nix b/nixos/tests/systemd-initrd-luks-keyfile.nix index 970163c36a4..25c0c5bd866 100644 --- a/nixos/tests/systemd-initrd-luks-keyfile.nix +++ b/nixos/tests/systemd-initrd-luks-keyfile.nix @@ -32,7 +32,7 @@ in { }; }; virtualisation.bootDevice = "/dev/mapper/cryptroot"; - boot.initrd.systemd.contents."/etc/cryptroot.key".source = keyfile; + boot.initrd.secrets."/etc/cryptroot.key" = keyfile; }; }; diff --git a/nixos/tests/systemd-initrd-simple.nix b/nixos/tests/systemd-initrd-simple.nix index 959cc87c0f2..5d98114304b 100644 --- a/nixos/tests/systemd-initrd-simple.nix +++ b/nixos/tests/systemd-initrd-simple.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "systemd-initrd-simple"; - machine = { pkgs, ... }: { + nodes.machine = { pkgs, ... }: { boot.initrd.systemd = { enable = true; emergencyAccess = true; diff --git a/nixos/tests/systemd-networkd-vrf.nix b/nixos/tests/systemd-networkd-vrf.nix index 8a1580fc2ad..3c18f788e92 100644 --- a/nixos/tests/systemd-networkd-vrf.nix +++ b/nixos/tests/systemd-networkd-vrf.nix @@ -138,18 +138,18 @@ in { }; testScript = '' - def compare_tables(expected, actual): - assert ( - expected == actual - ), """ - Routing tables don't match! - Expected: - {} - Actual: - {} - """.format( - expected, actual - ) + import json + + def compare(raw_json, to_compare): + data = json.loads(raw_json) + assert len(raw_json) >= len(to_compare) + for i, row in enumerate(to_compare): + actual = data[i] + assert len(row.keys()) > 0 + for key, value in row.items(): + assert value == actual[key], f""" + In entry {i}, value {key}: got: {actual[key]}, expected {value} + """ start_all() @@ -159,23 +159,18 @@ in { node2.wait_for_unit("network.target") node3.wait_for_unit("network.target") - # NOTE: please keep in mind that the trailing whitespaces in the following strings - # are intentional as the output is compared against the raw `iproute2`-output. - # editorconfig-checker-disable client_ipv4_table = """ - 192.168.1.2 dev vrf1 proto static metric 100 + 192.168.1.2 dev vrf1 proto static metric 100\x20 192.168.2.3 dev vrf2 proto static metric 100 """.strip() vrf1_table = """ - broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.1 - 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1 - local 192.168.1.1 dev eth1 proto kernel scope host src 192.168.1.1 + 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1\x20 + local 192.168.1.1 dev eth1 proto kernel scope host src 192.168.1.1\x20 broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.1 """.strip() vrf2_table = """ - broadcast 192.168.2.0 dev eth2 proto kernel scope link src 192.168.2.1 - 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1 - local 192.168.2.1 dev eth2 proto kernel scope host src 192.168.2.1 + 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1\x20 + local 192.168.2.1 dev eth2 proto kernel scope host src 192.168.2.1\x20 broadcast 192.168.2.255 dev eth2 proto kernel scope link src 192.168.2.1 """.strip() # editorconfig-checker-enable @@ -183,14 +178,28 @@ in { # Check that networkd properly configures the main routing table # and the routing tables for the VRF. with subtest("check vrf routing tables"): - compare_tables( - client_ipv4_table, client.succeed("ip -4 route list | head -n2").strip() + compare( + client.succeed("ip --json -4 route list"), + [ + {"dst": "192.168.1.2", "dev": "vrf1", "metric": 100}, + {"dst": "192.168.2.3", "dev": "vrf2", "metric": 100} + ] ) - compare_tables( - vrf1_table, client.succeed("ip -4 route list table 23 | head -n4").strip() + compare( + client.succeed("ip --json -4 route list table 23"), + [ + {"dst": "192.168.1.0/24", "dev": "eth1", "prefsrc": "192.168.1.1"}, + {"type": "local", "dst": "192.168.1.1", "dev": "eth1", "prefsrc": "192.168.1.1"}, + {"type": "broadcast", "dev": "eth1", "prefsrc": "192.168.1.1", "dst": "192.168.1.255"} + ] ) - compare_tables( - vrf2_table, client.succeed("ip -4 route list table 42 | head -n4").strip() + compare( + client.succeed("ip --json -4 route list table 42"), + [ + {"dst": "192.168.2.0/24", "dev": "eth2", "prefsrc": "192.168.2.1"}, + {"type": "local", "dst": "192.168.2.1", "dev": "eth2", "prefsrc": "192.168.2.1"}, + {"type": "broadcast", "dev": "eth2", "prefsrc": "192.168.2.1", "dst": "192.168.2.255"} + ] ) # Ensure that other nodes are reachable via ICMP through the VRF. diff --git a/nixos/tests/systemd-nspawn.nix b/nixos/tests/systemd-nspawn.nix index 5bf55060d2e..c2cb92d1130 100644 --- a/nixos/tests/systemd-nspawn.nix +++ b/nixos/tests/systemd-nspawn.nix @@ -25,8 +25,15 @@ let nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } '' mkdir -p $out cd $out + + # produce a testimage.raw dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5 - sha256sum testimage.raw > SHA256SUMS + + # produce a testimage2.tar.xz, containing the hello store path + tar cvJpf testimage2.tar.xz ${pkgs.hello} + + # produce signature(s) + sha256sum testimage* > SHA256SUMS export GNUPGHOME="$(mktemp -d)" cp -R ${gpgKeyring}/* $GNUPGHOME gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS @@ -56,5 +63,9 @@ in { client.succeed( "cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw" ) + client.succeed("machinectl pull-tar --verify=signature http://server/testimage2.tar.xz") + client.succeed( + "cmp /var/lib/machines/testimage2/${pkgs.hello}/bin/hello ${pkgs.hello}/bin/hello" + ) ''; }) diff --git a/nixos/tests/systemd-shutdown.nix b/nixos/tests/systemd-shutdown.nix index 9283489c255..688cd6dd2c1 100644 --- a/nixos/tests/systemd-shutdown.nix +++ b/nixos/tests/systemd-shutdown.nix @@ -1,4 +1,6 @@ -import ./make-test-python.nix ({ pkgs, systemdStage1 ? false, ...} : { +import ./make-test-python.nix ({ pkgs, systemdStage1 ? false, ...} : let + msg = "Shutting down NixOS"; +in { name = "systemd-shutdown"; meta = with pkgs.lib.maintainers; { maintainers = [ das_j ]; @@ -6,7 +8,9 @@ import ./make-test-python.nix ({ pkgs, systemdStage1 ? false, ...} : { nodes.machine = { imports = [ ../modules/profiles/minimal.nix ]; - boot.initrd.systemd.enable = systemdStage1; + systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/shutdown-message".source = pkgs.writeShellScript "shutdown-message" '' + echo "${msg}" + ''; }; testScript = '' @@ -14,7 +18,8 @@ import ./make-test-python.nix ({ pkgs, systemdStage1 ? false, ...} : { # .shutdown() would wait for the machine to power off machine.succeed("systemctl poweroff") # Message printed by systemd-shutdown - machine.wait_for_console_text("All filesystems, swaps, loop devices, MD devices and DM devices detached.") + machine.wait_for_console_text("Unmounting '/oldroot'") + machine.wait_for_console_text("${msg}") # Don't try to sync filesystems machine.booted = False ''; diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 15b16e44409..34bf1bc0c70 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix @@ -72,9 +72,9 @@ in nodes = { inherit minimal; }; testScript = '' - minimal.wait_for_open_port("3025") - minimal.wait_for_open_port("3080") - minimal.wait_for_open_port("3022") + minimal.wait_for_open_port(3025) + minimal.wait_for_open_port(3080) + minimal.wait_for_open_port(3022) ''; }; @@ -86,12 +86,12 @@ in testScript = '' with subtest("teleport ready"): - server.wait_for_open_port("3025") - client.wait_for_open_port("3022") + server.wait_for_open_port(3025) + client.wait_for_open_port(3022) with subtest("check applied configuration"): server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'") - server.wait_for_open_port("3000") + server.wait_for_open_port(3000) client.succeed("journalctl -u teleport.service --grep='DEBU'") server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") ''; diff --git a/nixos/tests/terminal-emulators.nix b/nixos/tests/terminal-emulators.nix index 6ea0f1c1872..c724608b915 100644 --- a/nixos/tests/terminal-emulators.nix +++ b/nixos/tests/terminal-emulators.nix @@ -197,6 +197,7 @@ in mapAttrs (name: { pkg, executable ? name, cmd ? "SHELL=$command ${executable} with subtest("have the terminal display a colour"): # We run this command in the background + assert machine.shell is not None machine.shell.send(b"(run-in-this-term display-colour |& systemd-cat -t terminal) &\n") with machine.nested("Waiting for the screen to have pink on it:"): diff --git a/nixos/tests/traefik.nix b/nixos/tests/traefik.nix index 1d6c0a479ef..989ec390c06 100644 --- a/nixos/tests/traefik.nix +++ b/nixos/tests/traefik.nix @@ -11,14 +11,20 @@ import ./make-test-python.nix ({ pkgs, ... }: { environment.systemPackages = [ pkgs.curl ]; }; traefik = { config, pkgs, ... }: { - virtualisation.oci-containers.containers.nginx = { - extraOptions = [ - "-l" "traefik.enable=true" - "-l" "traefik.http.routers.nginx.entrypoints=web" - "-l" "traefik.http.routers.nginx.rule=Host(`nginx.traefik.test`)" - ]; - image = "nginx-container"; - imageFile = pkgs.dockerTools.examples.nginx; + virtualisation.oci-containers = { + backend = "docker"; + containers.nginx = { + extraOptions = [ + "-l" + "traefik.enable=true" + "-l" + "traefik.http.routers.nginx.entrypoints=web" + "-l" + "traefik.http.routers.nginx.rule=Host(`nginx.traefik.test`)" + ]; + image = "nginx-container"; + imageFile = pkgs.dockerTools.examples.nginx; + }; }; networking.firewall.allowedTCPPorts = [ 80 ]; diff --git a/nixos/tests/uptermd.nix b/nixos/tests/uptermd.nix new file mode 100644 index 00000000000..429e3c9dd5f --- /dev/null +++ b/nixos/tests/uptermd.nix @@ -0,0 +1,65 @@ +import ./make-test-python.nix ({ pkgs, ...}: + +let + client = {pkgs, ...}:{ + environment.systemPackages = [ pkgs.upterm ]; + }; +in +{ + name = "uptermd"; + meta = with pkgs.lib.maintainers; { + maintainers = [ fleaz ]; + }; + + nodes = { + server = {config, ...}: { + services.uptermd = { + enable = true; + openFirewall = true; + port = 1337; + }; + }; + client1 = client; + client2 = client; + }; + + + testScript = '' + start_all() + + server.wait_for_unit("uptermd.service") + server.wait_for_unit("network-online.target") + + # wait for upterm port to be reachable + client1.wait_until_succeeds("nc -z -v server 1337") + + # Add SSH hostkeys from the server to both clients + # uptermd needs an '@cert-authority entry so we need to modify the known_hosts file + client1.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls") + client1.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts") + client2.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls") + client2.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts") + + client1.wait_for_unit("multi-user.target") + client1.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + client1.wait_until_tty_matches("1", "login: ") + client1.send_chars("root\n") + client1.wait_until_succeeds("pgrep -u root bash") + + client1.execute("ssh-keygen -t ed25519 -N \"\" -f /root/.ssh/id_ed25519") + client1.send_chars("TERM=xterm upterm host --server ssh://server:1337 --force-command hostname -- bash > /tmp/session-details\n") + client1.wait_for_file("/tmp/session-details") + client1.send_key("q") + + # uptermd can't connect if we don't have a keypair + client2.execute("ssh-keygen -t ed25519 -N \"\" -f /root/.ssh/id_ed25519") + + # Grep the ssh connect command from the output of 'upterm host' + ssh_command = client1.succeed("grep 'SSH Session' /tmp/session-details | cut -d':' -f2-").strip() + + # Connect with client2. Because we used '--force-command hostname' we should get "client1" as the output + output = client2.succeed(ssh_command) + + assert output.strip() == "client1" + ''; +}) diff --git a/nixos/tests/user-activation-scripts.nix b/nixos/tests/user-activation-scripts.nix index 93457357818..5df072ce050 100644 --- a/nixos/tests/user-activation-scripts.nix +++ b/nixos/tests/user-activation-scripts.nix @@ -19,9 +19,9 @@ import ./make-test-python.nix ({ lib, ... }: { machine.wait_for_unit("multi-user.target") machine.wait_for_unit("getty@tty1.service") - machine.wait_until_tty_matches(1, "login: ") + machine.wait_until_tty_matches("1", "login: ") machine.send_chars("alice\n") - machine.wait_until_tty_matches(1, "Password: ") + machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("pass1\n") machine.send_chars("touch login-ok\n") machine.wait_for_file("/home/alice/login-ok") diff --git a/nixos/tests/user-home-mode.nix b/nixos/tests/user-home-mode.nix new file mode 100644 index 00000000000..070cb0b75cc --- /dev/null +++ b/nixos/tests/user-home-mode.nix @@ -0,0 +1,27 @@ +import ./make-test-python.nix ({ lib, ... }: { + name = "user-home-mode"; + meta = with lib.maintainers; { maintainers = [ fbeffa ]; }; + + nodes.machine = { + users.users.alice = { + initialPassword = "pass1"; + isNormalUser = true; + }; + users.users.bob = { + initialPassword = "pass2"; + isNormalUser = true; + homeMode = "750"; + }; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("getty@tty1.service") + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("pass1\n") + machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]') + machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]') + ''; +}) diff --git a/nixos/tests/vengi-tools.nix b/nixos/tests/vengi-tools.nix index 8b80a13384e..5bc8d72c772 100644 --- a/nixos/tests/vengi-tools.nix +++ b/nixos/tests/vengi-tools.nix @@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { # OCR on voxedit's window is very expensive, so we avoid wasting a try # by letting the window load fully first machine.sleep(15) - machine.wait_for_text("Palette") + machine.wait_for_text("Solid") machine.screenshot("screen") ''; }) diff --git a/nixos/tests/vikunja.nix b/nixos/tests/vikunja.nix index bd884b37f4f..2f6c4c1f466 100644 --- a/nixos/tests/vikunja.nix +++ b/nixos/tests/vikunja.nix @@ -1,9 +1,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "vikunja"; - meta = with lib.maintainers; { - maintainers = [ em0lar ]; - }; + meta.maintainers = with lib.maintainers; [ leona ]; nodes = { vikunjaSqlite = { ... }: { diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 27093aab96e..1c1b0dac7f3 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -3,18 +3,9 @@ pkgs ? import ../.. { inherit system config; }, debug ? false, enableUnfree ? false, - # Nested KVM virtualization (https://www.linux-kvm.org/page/Nested_Guests) - # requires a modprobe flag on the build machine: (kvm-amd for AMD CPUs) - # boot.extraModprobeConfig = "options kvm-intel nested=Y"; - # Without this VirtualBox will use SW virtualization and will only be able - # to run 32-bit guests. - useKvmNestedVirt ? false, - # Whether to run 64-bit guests instead of 32-bit. Requires nested KVM. - use64bitGuest ? false + use64bitGuest ? true }: -assert use64bitGuest -> useKvmNestedVirt; - with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; @@ -26,7 +17,8 @@ let #!${pkgs.runtimeShell} -xe export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.util-linux ]}" - mkdir -p /run/dbus + mkdir -p /run/dbus /var + ln -s /run /var cat > /etc/passwd <<EOF root:x:0:0::/root:/bin/false messagebus:x:1:1::/run/dbus:/bin/false @@ -200,6 +192,7 @@ let systemd.services."vboxtestlog-${name}@" = { description = "VirtualBox Test Machine Log For ${name}"; serviceConfig.StandardInput = "socket"; + serviceConfig.StandardOutput = "journal"; serviceConfig.SyslogIdentifier = "GUEST-${name}"; serviceConfig.ExecStart = "${pkgs.coreutils}/bin/cat"; }; @@ -222,10 +215,11 @@ let machine.execute(ru("VBoxManage controlvm ${name} poweroff")) machine.succeed("rm -rf ${sharePath}") machine.succeed("mkdir -p ${sharePath}") - machine.succeed("chown alice.users ${sharePath}") + machine.succeed("chown alice:users ${sharePath}") def create_vm_${name}(): + cleanup_${name}() vbm("createvm --name ${name} ${createFlags}") vbm("modifyvm ${name} ${vmFlags}") vbm("setextradata ${name} VBoxInternal/PDM/HaltOnReset 1") @@ -233,7 +227,6 @@ let vbm("storageattach ${name} ${diskFlags}") vbm("sharedfolder add ${name} ${sharedFlags}") vbm("sharedfolder add ${name} ${nixstoreFlags}") - cleanup_${name}() ${mkLog "$HOME/VirtualBox VMs/${name}/Logs/VBox.log" "HOST-${name}"} @@ -317,10 +310,7 @@ let ]; dhcpScript = pkgs: '' - ${pkgs.dhcp}/bin/dhclient \ - -lf /run/dhcp.leases \ - -pf /run/dhclient.pid \ - -v eth0 eth1 + ${pkgs.dhcpcd}/bin/dhcpcd eth0 eth1 otherIP="$(${pkgs.netcat}/bin/nc -l 1234 || :)" ${pkgs.iputils}/bin/ping -I eth1 -c1 "$otherIP" @@ -359,8 +349,7 @@ let vmConfigs = mapAttrsToList mkVMConf vms; in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs; virtualisation.memorySize = 2048; - virtualisation.qemu.options = - if useKvmNestedVirt then ["-cpu" "kvm64,vmx=on"] else []; + virtualisation.qemu.options = ["-cpu" "kvm64,svm=on,vmx=on"]; virtualisation.virtualbox.host.enable = true; test-support.displayManager.auto.user = "alice"; users.users.alice.extraGroups = let @@ -468,7 +457,7 @@ in mapAttrs (mkVBoxTest false vboxVMs) { headless = '' create_vm_headless() - machine.succeed(ru("VBoxHeadless --startvm headless & disown %1")) + machine.succeed(ru("VBoxHeadless --startvm headless >&2 & disown %1")) wait_for_startup_headless() wait_for_vm_boot_headless() shutdown_vm_headless() @@ -476,6 +465,8 @@ in mapAttrs (mkVBoxTest false vboxVMs) { ''; host-usb-permissions = '' + import sys + user_usb = remove_uuids(vbm("list usbhost")) print(user_usb, file=sys.stderr) root_usb = remove_uuids(machine.succeed("VBoxManage list usbhost")) diff --git a/nixos/tests/vscodium.nix b/nixos/tests/vscodium.nix index 688ddfe07e3..3bdb99947a4 100644 --- a/nixos/tests/vscodium.nix +++ b/nixos/tests/vscodium.nix @@ -32,6 +32,14 @@ let maintainers = [ synthetica turion ]; }; enableOCR = true; + + # testScriptWithTypes:55: error: Item "function" of + # "Union[Callable[[Callable[..., Any]], ContextManager[Any]], ContextManager[Any]]" + # has no attribute "__enter__" + # with codium_running: + # ^ + skipTypeCheck = true; + testScript = '' @polling_condition def codium_running(): diff --git a/nixos/tests/vsftpd.nix b/nixos/tests/vsftpd.nix index 4bea27f0eb1..6eaf32b2258 100644 --- a/nixos/tests/vsftpd.nix +++ b/nixos/tests/vsftpd.nix @@ -29,7 +29,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = '' client.start() server.wait_for_unit("vsftpd") - server.wait_for_open_port("21") + server.wait_for_open_port(21) client.succeed("curl -u ftp-test-user:ftp-test-password ftp://server") client.succeed('echo "this is a test" > /tmp/test.file.up') diff --git a/nixos/tests/web-apps/healthchecks.nix b/nixos/tests/web-apps/healthchecks.nix new file mode 100644 index 00000000000..41374f5e314 --- /dev/null +++ b/nixos/tests/web-apps/healthchecks.nix @@ -0,0 +1,42 @@ +import ../make-test-python.nix ({ lib, pkgs, ... }: { + name = "healthchecks"; + + meta = with lib.maintainers; { + maintainers = [ phaer ]; + }; + + nodes.machine = { ... }: { + services.healthchecks = { + enable = true; + settings = { + SITE_NAME = "MyUniqueInstance"; + COMPRESS_ENABLED = "True"; + SECRET_KEY_FILE = pkgs.writeText "secret" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + }; + }; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("healthchecks.target") + machine.wait_until_succeeds("journalctl --since -1m --unit healthchecks --grep Listening") + + with subtest("Home screen loads"): + machine.succeed( + "curl -sSfL http://localhost:8000 | grep '<title>Sign In'" + ) + + with subtest("Setting SITE_NAME via freeform option works"): + machine.succeed( + "curl -sSfL http://localhost:8000 | grep 'MyUniqueInstance</title>'" + ) + + with subtest("Manage script works"): + # Should fail if not called by healthchecks user + machine.fail("echo 'print(\"foo\")' | healthchecks-manage help") + + # "shell" sucommand should succeed, needs python in PATH. + assert "foo\n" == machine.succeed("echo 'print(\"foo\")' | sudo -u healthchecks healthchecks-manage shell") + ''; +}) diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix index d42b4e3d677..ecc45bff2e2 100644 --- a/nixos/tests/web-apps/peertube.nix +++ b/nixos/tests/web-apps/peertube.nix @@ -11,7 +11,7 @@ import ../make-test-python.nix ({pkgs, ...}: { address = "192.168.2.10"; prefixLength = 24; } ]; }; - firewall.allowedTCPPorts = [ 5432 6379 ]; + firewall.allowedTCPPorts = [ 5432 31638 ]; }; services.postgresql = { @@ -34,7 +34,7 @@ import ../make-test-python.nix ({pkgs, ...}: enable = true; bind = "0.0.0.0"; requirePass = "turrQfaQwnanGbcsdhxy"; - port = 6379; + port = 31638; }; }; @@ -76,6 +76,7 @@ import ../make-test-python.nix ({pkgs, ...}: redis = { host = "192.168.2.10"; + port = 31638; passwordFile = "/etc/peertube/password-redis-db"; }; @@ -113,7 +114,7 @@ import ../make-test-python.nix ({pkgs, ...}: database.wait_for_unit("redis-peertube.service") database.wait_for_open_port(5432) - database.wait_for_open_port(6379) + database.wait_for_open_port(31638) server.wait_for_unit("peertube.service") server.wait_for_open_port(9000) diff --git a/nixos/tests/web-apps/phylactery.nix b/nixos/tests/web-apps/phylactery.nix new file mode 100644 index 00000000000..cf2689d2300 --- /dev/null +++ b/nixos/tests/web-apps/phylactery.nix @@ -0,0 +1,20 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: { + name = "phylactery"; + + nodes.machine = { ... }: { + services.phylactery = rec { + enable = true; + port = 8080; + library = "/tmp"; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit('phylactery') + machine.wait_for_open_port(8080) + machine.wait_until_succeeds('curl localhost:8080') + ''; + + meta.maintainers = with lib.maintainers; [ McSinyx ]; +}) diff --git a/nixos/tests/xmonad.nix b/nixos/tests/xmonad.nix index aa55f0e3ca6..ec48c3e1127 100644 --- a/nixos/tests/xmonad.nix +++ b/nixos/tests/xmonad.nix @@ -13,7 +13,9 @@ let import System.Environment (getArgs) import System.FilePath ((</>)) - main = launch $ def { startupHook = startup } `additionalKeysP` myKeys + main = do + dirs <- getDirectories + launch (def { startupHook = startup } `additionalKeysP` myKeys) dirs startup = isSessionStart >>= \sessInit -> spawn "touch /tmp/${name}" @@ -23,14 +25,15 @@ let compiledConfig = printf "xmonad-%s-%s" arch os - compileRestart resume = - whenX (recompile True) $ + compileRestart resume = do + dirs <- asks directories + + whenX (recompile dirs True) $ when resume writeStateToFile *> catchIO ( do - dir <- getXMonadDataDir args <- getArgs - executeFile (dir </> compiledConfig) False args Nothing + executeFile (cacheDir dirs </> compiledConfig) False args Nothing ) ''; @@ -94,7 +97,7 @@ in { # set up the new config machine.succeed("mkdir -p ${user.home}/.xmonad") - machine.copy_from_host("${newConfig}", "${user.home}/.xmonad/xmonad.hs") + machine.copy_from_host("${newConfig}", "${user.home}/.config/xmonad/xmonad.hs") # recompile xmonad using the new config machine.send_key("alt-ctrl-q") diff --git a/nixos/tests/xmpp/xmpp-sendmessage.nix b/nixos/tests/xmpp/xmpp-sendmessage.nix index 47a77f524c6..80dfcff2d0e 100644 --- a/nixos/tests/xmpp/xmpp-sendmessage.nix +++ b/nixos/tests/xmpp/xmpp-sendmessage.nix @@ -51,11 +51,8 @@ class CthonTest(ClientXMPP): log.info('Message sent') # Test http upload (XEP_0363) - def timeout_callback(arg): - log.error("ERROR: Cannot upload file. XEP_0363 seems broken") - sys.exit(1) try: - url = await self['xep_0363'].upload_file("${dummyFile}",timeout=10, timeout_callback=timeout_callback) + url = await self['xep_0363'].upload_file("${dummyFile}",timeout=10) except: log.error("ERROR: Cannot run upload command. XEP_0363 seems broken") sys.exit(1) diff --git a/nixos/tests/xrdp.nix b/nixos/tests/xrdp.nix index 0e1d521c5ac..f277d4b7952 100644 --- a/nixos/tests/xrdp.nix +++ b/nixos/tests/xrdp.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "xrdp"; meta = with pkgs.lib.maintainers; { - maintainers = [ volth ]; + maintainers = [ ]; }; nodes = { diff --git a/nixos/tests/zeronet-conservancy.nix b/nixos/tests/zeronet-conservancy.nix new file mode 100644 index 00000000000..8cb649cbdaa --- /dev/null +++ b/nixos/tests/zeronet-conservancy.nix @@ -0,0 +1,25 @@ +let + port = 43110; +in +import ./make-test-python.nix ({ pkgs, ... }: { + name = "zeronet-conservancy"; + meta = with pkgs.lib.maintainers; { + maintainers = [ fgaz ]; + }; + + nodes.machine = { config, pkgs, ... }: { + services.zeronet = { + enable = true; + package = pkgs.zeronet-conservancy; + inherit port; + }; + }; + + testScript = '' + machine.wait_for_unit("zeronet.service") + + machine.wait_for_open_port(${toString port}) + + machine.succeed("curl --fail -H 'Accept: text/html, application/xml, */*' localhost:${toString port}/Stats") + ''; +}) diff --git a/nixos/tests/zsh-history.nix b/nixos/tests/zsh-history.nix index 35568779840..64f32a07e21 100644 --- a/nixos/tests/zsh-history.nix +++ b/nixos/tests/zsh-history.nix @@ -21,13 +21,13 @@ import ./make-test-python.nix ({ pkgs, ...} : { default.wait_until_succeeds("pgrep -f 'agetty.*tty1'") # Login - default.wait_until_tty_matches(1, "login: ") + default.wait_until_tty_matches("1", "login: ") default.send_chars("root\n") - default.wait_until_tty_matches(1, r"\nroot@default\b") + default.wait_until_tty_matches("1", r"\nroot@default\b") # Generate some history default.send_chars("echo foobar\n") - default.wait_until_tty_matches(1, "foobar") + default.wait_until_tty_matches("1", "foobar") # Ensure that command was recorded in history default.succeed("/run/current-system/sw/bin/history list | grep -q foobar") |