authorDmitry Kalinkin <dmitry.kalinkin@gmail.com>2019-09-25 18:52:30 -0400
committerDmitry Kalinkin <dmitry.kalinkin@gmail.com>2019-09-25 19:21:46 -0400
commitc455adcc42f9b2b62376b9fee99a0c5004a52425 (patch)
tree8b489f54e79aa7710554a1a4f3c1e58cfe32890f /nixos
parenteab41878ac16a80b1189d5e4aeec5e037f6571db (diff)
parent96ac71d680fe8d07e51fa979b0818b9aae06e1ec (diff)
Merge branch 'master' into staging-next
Fixes eval on darwin after #69072

Resolved conflict in pkgs/tools/security/thc-hydra/default.nix
Basically had to revert a1c0e10564f9a6281e14d7a7279b8589521e2c48, which
adapts #69210 to a master that doesn't yet have
329a88efa78126ae7413807ce58000eab49e82d9

Tested using maintainers/scripts/eval-release.sh before and after to see
that the fix works
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/installation/installing-nspawn-container.xml37
-rw-r--r--nixos/doc/manual/installation/installing.xml3
-rw-r--r--nixos/doc/manual/release-notes/rl-1909.xml29
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh3
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/rename.nix2
-rw-r--r--nixos/modules/services/amqp/rabbitmq.nix10
-rw-r--r--nixos/modules/services/hardware/fancontrol.nix46
-rw-r--r--nixos/modules/services/misc/gitlab.nix10
-rw-r--r--nixos/modules/services/misc/home-assistant.nix1
-rw-r--r--nixos/modules/services/misc/pykms.nix39
-rw-r--r--nixos/modules/services/monitoring/zabbix-server.nix1
-rw-r--r--nixos/modules/system/activation/activation-script.nix7
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix2
-rw-r--r--nixos/modules/virtualisation/container-config.nix2
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/systemd-machinectl.nix52
17 files changed, 221 insertions, 25 deletions
diff --git a/nixos/doc/manual/installation/installing-nspawn-container.xml b/nixos/doc/manual/installation/installing-nspawn-container.xml
new file mode 100644
index 00000000000..ae893c53c90
--- /dev/null
+++ b/nixos/doc/manual/installation/installing-nspawn-container.xml
@@ -0,0 +1,37 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         version="5.0"
+         xml:id="sec-installing-nspawn-container">
+ <title>Installing into a nspawn container</title>
+
+ <para>
+  For installing a NixOS into a systemd nspawn container the NixOS installation tools are needed.
+  If you run another distribution than NixOS on your host,
+  please follow <xref linkend="sec-installing-from-other-distro"/> steps 1, 2, and 3.
+ </para>
+
+ <para>
+  Create a NixOS configuration file <filename>/var/lib/machines/my-container/etc/nixos/configuration.nix</filename>.
+  It is important that the container root file system is under <filename>/var/lib/machines</filename>.
+  This is the standard location where <command>machinectl</command> will look for containers.
+  If you choose place the root into another location you need to start the container directly with <command>systemd-nspawn</command>.
+  The file needs to have at least following options enabled:
+<programlisting>
+<xref linkend="opt-boot.isContainer"/> = true;
+<xref linkend="opt-boot.loader.initScript.enable"/> = true;
+</programlisting>
+  If your host uses <command>systemd-networkd</command> to configure the network,
+  you can also enable <xref linkend="opt-networking.useNetworkd"/> to use networkd default network configuration for your host and container.
+ </para>
+
+ <para>
+  Install the container by running following command:
+   <screen>nixos-install --root /var/lib/machines/my-container \
+     --no-channel-copy --no-root-passwd --no-bootloader</screen>
+ </para>
+
+ <para>
+  Start the container by running following command:
+  <screen>machinectl start my-container</screen>
+ </para>
+
+</section>
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml
index f1e1568c034..270372022fa 100644
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -563,5 +563,8 @@ Retype new UNIX password: ***</screen>
   <xi:include href="installing-from-other-distro.xml" />
 
   <xi:include href="installing-behind-a-proxy.xml" />
+
+  <xi:include href="installing-nspawn-container.xml" />
+
  </section>
 </chapter>
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 58ab7207f53..e4dcc90cdd3 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -484,6 +484,35 @@
        (<literal>citrix_workspace</literal>).
      </para>
    </listitem>
+   <listitem>
+     <para>
+       The <literal>services.gitlab</literal> module has had its literal secret options (<option>services.gitlab.smtp.password</option>,
+       <option>services.gitlab.databasePassword</option>,
+       <option>services.gitlab.initialRootPassword</option>,
+       <option>services.gitlab.secrets.secret</option>,
+       <option>services.gitlab.secrets.db</option>,
+       <option>services.gitlab.secrets.otp</option> and
+       <option>services.gitlab.secrets.jws</option>) replaced by file-based versions (<option>services.gitlab.smtp.passwordFile</option>,
+       <option>services.gitlab.databasePasswordFile</option>,
+       <option>services.gitlab.initialRootPasswordFile</option>,
+       <option>services.gitlab.secrets.secretFile</option>,
+       <option>services.gitlab.secrets.dbFile</option>,
+       <option>services.gitlab.secrets.otpFile</option> and
+       <option>services.gitlab.secrets.jwsFile</option>). This was done so that secrets aren't stored
+       in the world-readable nix store, but means that for each option you'll have to create a file with
+       the same exact string, add "File" to the end of the option name, and change the definition to a
+       string pointing to the corresponding file; e.g. <literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
+       becomes <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> where the
+       file <literal>secret_file</literal> contains the string <literal>supersecurepassword</literal>.
+     </para>
+     <para>
+       The state path (<option>services.gitlab.statePath</option>) now has the following restriction:
+       no parent directory can be owned by any other user than <literal>root</literal> or the user
+       specified in <option>services.gitlab.user</option>; i.e. if <option>services.gitlab.statePath</option>
+       is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
+       must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 8685cb345e1..be3b5c0687a 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -132,8 +132,9 @@ if [[ -z $noBootLoader ]]; then
     echo "installing the boot loader..."
     # Grub needs an mtab.
     ln -sfn /proc/mounts $mountPoint/etc/mtab
-    NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
+    export NIXOS_INSTALL_BOOTLOADER=1
 fi
+nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
 
 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).
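Review bot: `export NIXOS_INSTALL_BOOTLOADER=1` now stays in the environment for every command that follows in the script, whereas before the change it was scoped to the single `nixos-enter` call; anything later that inspects that variable (the rest of the script is outside this hunk, so I cannot tell whether something does) will see it set only on the bootloader path. If the variable is only meant for `switch-to-configuration boot`, drop it again right after the call with `unset NIXOS_INSTALL_BOOTLOADER` on the line after `nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot`. The `ln -sfn /proc/mounts $mountPoint/etc/mtab` context line leaves `$mountPoint` unquoted while the new line quotes it; worth aligning in a follow-up.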
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 775cc05aa0a..a648eef46e5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -328,6 +328,7 @@
   ./services/hardware/bluetooth.nix
   ./services/hardware/bolt.nix
   ./services/hardware/brltty.nix
+  ./services/hardware/fancontrol.nix
   ./services/hardware/freefall.nix
   ./services/hardware/fwupd.nix
   ./services/hardware/illum.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 0c7c45a4708..802ffcdc94e 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -66,6 +66,8 @@ with lib;
 
     (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
 
+    (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead")
+
     (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
     (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
 
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix
index 302b94de196..38d10923494 100644
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@@ -80,12 +80,10 @@ in {
       configItems = mkOption {
         default = {};
         type = types.attrsOf types.str;
-        example = ''
-          {
-            "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
-            "auth_backends.1.authz" = "rabbit_auth_backend_internal";
-          }
-        '';
+        example = {
+          "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
+          "auth_backends.1.authz" = "rabbit_auth_backend_internal";
+        };
         description = ''
           Configuration options in RabbitMQ's new config file format,
           which is a simple key-value format that can not express nested
diff --git a/nixos/modules/services/hardware/fancontrol.nix b/nixos/modules/services/hardware/fancontrol.nix
new file mode 100644
index 00000000000..616e4add31e
--- /dev/null
+++ b/nixos/modules/services/hardware/fancontrol.nix
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.hardware.fancontrol;
+  configFile = pkgs.writeText "fan.conf" cfg.config;
+
+in {
+
+  options.hardware.fancontrol = {
+    enable = mkEnableOption "fancontrol (requires fancontrol.config)";
+
+    config = mkOption {
+      type = types.lines;
+      default = null;
+      example = ''
+        # Configuration file generated by pwmconfig
+        INTERVAL=1
+        DEVPATH=hwmon0=devices/platform/nct6775.656 hwmon1=devices/pci0000:00/0000:00:18.3
+        DEVNAME=hwmon0=nct6779 hwmon1=k10temp
+        FCTEMPS=hwmon0/pwm2=hwmon1/temp1_input
+        FCFANS=hwmon0/pwm2=hwmon0/fan2_input
+        MINTEMP=hwmon0/pwm2=25
+        MAXTEMP=hwmon0/pwm2=60
+        MINSTART=hwmon0/pwm2=25
+        MINSTOP=hwmon0/pwm2=10
+        MINPWM=hwmon0/pwm2=0
+        MAXPWM=hwmon0/pwm2=255
+      '';
+      description = "Contents for configuration file. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry>.";
+    };
+  };
+
+
+  config = mkIf cfg.enable {
+    systemd.services.fancontrol = {
+      description = "Fan speed control from lm_sensors";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.lm_sensors}/bin/fancontrol ${configFile}";
+      };
+    };
+  };
+}
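Review bot: `config` is declared with `type = types.lines` but `default = null`, and as far as I can tell null is not a valid value for `types.lines`, so a user who sets `hardware.fancontrol.enable = true` without a config gets a generic type-check failure on `cfg.config` instead of a message naming the missing option. Either use `type = types.nullOr types.lines;` together with `assertions = [ { assertion = cfg.config != null; message = "hardware.fancontrol.config must be set when hardware.fancontrol.enable is true"; } ];` in the `config` block, or drop the `default` so the option is simply required. The unit also runs as root with no hardening; fancontrol needs root to write the pwm files under /sys, but it does not need the network or home directories, so `PrivateNetwork = true;` and `ProtectHome = true;` in `serviceConfig` would be cheap to add. Consider also stating in the option description that the file is copied into the world-readable nix store, which is fine here since it contains no secrets.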
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 1e1eb0fd9a1..4c1ffead00c 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -223,7 +223,15 @@ in {
       statePath = mkOption {
         type = types.str;
         default = "/var/gitlab/state";
-        description = "Gitlab state directory, logs are stored here.";
+        description = ''
+          Gitlab state directory. Configuration, repositories and
+          logs, among other things, are stored here.
+
+          The directory will be created automatically if it doesn't
+          exist already. Its parent directories must be owned by
+          either <literal>root</literal> or the user set in
+          <option>services.gitlab.user</option>.
+        '';
       };
 
       backupPath = mkOption {
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index f1b35124674..74702c97f55 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -224,6 +224,7 @@ in {
         KillSignal = "SIGINT";
         PrivateTmp = true;
         RemoveIPC = true;
+        AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
       };
       path = [
         "/run/wrappers" # needed for ping
diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix
index ab00086e591..e2d1254602b 100644
--- a/nixos/modules/services/misc/pykms.nix
+++ b/nixos/modules/services/misc/pykms.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.services.pykms;
+  libDir = "/var/lib/pykms";
 
 in {
   meta.maintainers = with lib.maintainers; [ peterhoeg ];
@@ -28,12 +29,6 @@ in {
         description = "The port on which to listen.";
       };
 
-      verbose = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Show verbose output.";
-      };
-
       openFirewallPort = mkOption {
         type = types.bool;
         default = false;
@@ -45,30 +40,44 @@ in {
         default = "64M";
         description = "How much memory to use at most.";
       };
+
+      logLevel = mkOption {
+        type = types.enum [ "CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG" "MINI" ];
+        default = "INFO";
+        description = "How much to log";
+      };
+
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Additional arguments";
+      };
     };
   };
 
   config = mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
 
-    systemd.services.pykms = let
-      home = "/var/lib/pykms";
-    in {
+    systemd.services.pykms = {
       description = "Python KMS";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       # python programs with DynamicUser = true require HOME to be set
-      environment.HOME = home;
+      environment.HOME = libDir;
       serviceConfig = with pkgs; {
         DynamicUser = true;
-        StateDirectory = baseNameOf home;
-        ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+        StateDirectory = baseNameOf libDir;
+        ExecStartPre = "${getBin pykms}/libexec/create_pykms_db.sh ${libDir}/clients.db";
         ExecStart = lib.concatStringsSep " " ([
-          "${getBin pykms}/bin/server.py"
+          "${getBin pykms}/bin/server"
+          "--logfile STDOUT"
+          "--loglevel ${cfg.logLevel}"
+        ] ++ cfg.extraArgs ++ [
           cfg.listenAddress
           (toString cfg.port)
-        ] ++ lib.optional cfg.verbose "--verbose");
-        WorkingDirectory = home;
+        ]);
+        ProtectHome = "tmpfs";
+        WorkingDirectory = libDir;
         Restart = "on-failure";
         MemoryLimit = cfg.memoryLimit;
       };
diff --git a/nixos/modules/services/monitoring/zabbix-server.nix b/nixos/modules/services/monitoring/zabbix-server.nix
index 4b4049ed360..e9f1590760a 100644
--- a/nixos/modules/services/monitoring/zabbix-server.nix
+++ b/nixos/modules/services/monitoring/zabbix-server.nix
@@ -30,6 +30,7 @@ let
     DBUser = ${cfg.database.user}
     ${optionalString (cfg.database.passwordFile != null) "Include ${passwordFile}"}
     ${optionalString (mysqlLocal && cfg.database.socket != null) "DBSocket = ${cfg.database.socket}"}
+    PidFile = ${runtimeDir}/zabbix_server.pid
     SocketDir = ${runtimeDir}
     FpingLocation = /run/wrappers/bin/fping
     ${optionalString (cfg.modules != {}) "LoadModulePath = ${moduleEnv}/lib"}
diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index ddfd1af4a31..2f716f92c62 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -184,7 +184,14 @@ in
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
         chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
       '';
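Review bot: Reason 1 in the new comment does not explain the change on its own, because `chattr -f … || true` on the line below already tolerated the flag being unsettable inside a container; the motivating case is reason 2, where a `--private-users-chown` nspawn start cannot chown an immutable directory and /var/empty ends up owned by nobody, which sshd's privilege-separation directory check then rejects. It is worth making that explicit, and stating what protection remains: `# In containers /var/empty is only protected by the chmod 0555 / chown root:root above; the immutable flag would stop systemd-nspawn --private-users-chown from re-owning it, leaving it owned by nobody and making sshd refuse to start.` Note that `boot.isContainer` is also set for declarative nixos-containers, so they lose the flag too; that looks intentional but deserves a mention in the comment. The activation-script string this hunk edits starts outside the hunk.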
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 34e27066715..7c6604922cf 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -12,7 +12,7 @@ let
     i.ipv4.addresses
     ++ optionals cfg.enableIPv6 i.ipv6.addresses;
 
-  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no";
+  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "yes" else "no";
 
   slaves =
     concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds))
diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix
index 604fb8a7593..ca7f126c59f 100644
--- a/nixos/modules/virtualisation/container-config.nix
+++ b/nixos/modules/virtualisation/container-config.nix
@@ -10,7 +10,7 @@ with lib;
     services.udisks2.enable = mkDefault false;
     powerManagement.enable = mkDefault false;
 
-    networking.useHostResolvConf = mkDefault true;
+    networking.useHostResolvConf = mkDefault (!config.services.resolved.enable);
 
     # Containers should be light-weight, so start sshd on demand.
     services.openssh.startWhenNeeded = mkDefault true;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 5643da99e55..2c6c3a42970 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -262,6 +262,7 @@ in
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-machinectl = handleTest ./systemd-machinectl.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
   systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
new file mode 100644
index 00000000000..091f855d043
--- /dev/null
+++ b/nixos/tests/systemd-machinectl.nix
@@ -0,0 +1,52 @@
+import ./make-test.nix (let
+
+  container = { ... }: {
+    boot.isContainer = true;
+
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # systemd-nspawn expects /sbin/init
+    boot.loader.initScript.enable = true;
+
+    imports = [ ../modules/profiles/minimal.nix ];
+  };
+
+  containerSystem = (import ../lib/eval-config.nix {
+    modules = [ container ];
+  }).config.system.build.toplevel;
+
+  containerName = "container";
+  containerRoot = "/var/lib/machines/${containerName}";
+
+in {
+  name = "systemd-machinectl";
+
+  machine = { lib, ... }: {
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # open DHCP server on interface to container
+    networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+    # do not try to access cache.nixos.org
+    nix.binaryCaches = lib.mkForce [];
+
+    virtualisation.pathsInNixDB = [ containerSystem ];
+  };
+
+  testScript = ''
+    startAll;
+
+    $machine->waitForUnit("default.target");
+    $machine->succeed("mkdir -p ${containerRoot}");
+    $machine->succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd --no-bootloader");
+
+    $machine->succeed("machinectl start ${containerName}");
+    $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
+    $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
+    $machine->succeed("machinectl stop ${containerName}");
+  '';
+})
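Review bot: The ownership check `stat ${containerRoot}/var/empty -c %u%g` compares the concatenation of uid and gid as a string, which works for the 0/0 case the test cares about but is ambiguous in general (uid 10/gid 0 and uid 1/gid 00 both print as `100`-style strings) and reads as a mistake; `$machine->succeed("test \$(stat -c %u:%g ${containerRoot}/var/empty) != 0:0");` says what is meant. `networking.firewall.trustedInterfaces = [ "ve-+" ]` opens every port on the container-facing veth, while the comment on the line above says only the DHCP server needs to be reachable; for a VM test this is acceptable, but the comment should say so, e.g. `# trust the container veth so networkd's DHCP server is reachable (opens all ports; fine for a throwaway test VM)`. A short header comment on the test stating that it exercises the documented nspawn install path (nixos-install --root into /var/lib/machines, then machinectl start) would help whoever maintains it alongside installing-nspawn-container.xml.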