diff options
Diffstat (limited to 'nixos')
72 files changed, 1895 insertions, 507 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index af7a2e08220..151743d9fb5 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -12,7 +12,7 @@ let # E.g. if some `options` came from modules in ${pkgs.customModules}/nix, # you'd need to include `extraSources = [ pkgs.customModules ]` prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources); - stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip; + stripAnyPrefixes = lib.flip (lib.foldr lib.removePrefix) prefixesToStrip; optionsDoc = buildPackages.nixosOptionsDoc { inherit options revision; diff --git a/nixos/doc/manual/development/linking-nixos-tests-to-packages.section.md b/nixos/doc/manual/development/linking-nixos-tests-to-packages.section.md new file mode 100644 index 00000000000..38a64027f7c --- /dev/null +++ b/nixos/doc/manual/development/linking-nixos-tests-to-packages.section.md @@ -0,0 +1,6 @@ +# Linking NixOS tests to packages {#sec-linking-nixos-tests-to-packages} + +You can link NixOS module tests to the packages that they exercised, +so that the tests can be run automatically during code review when the package gets changed. +This is +[described in the nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#ssec-nixos-tests-linking). diff --git a/nixos/doc/manual/development/nixos-tests.xml b/nixos/doc/manual/development/nixos-tests.xml index 702fc03f668..67dc09fc715 100644 --- a/nixos/doc/manual/development/nixos-tests.xml +++ b/nixos/doc/manual/development/nixos-tests.xml @@ -16,4 +16,5 @@ xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/tests">nixos/test <xi:include href="../from_md/development/writing-nixos-tests.section.xml" /> <xi:include href="../from_md/development/running-nixos-tests.section.xml" /> <xi:include href="../from_md/development/running-nixos-tests-interactively.section.xml" /> + <xi:include href="../from_md/development/linking-nixos-tests-to-packages.section.xml" /> </chapter> diff --git a/nixos/doc/manual/from_md/development/linking-nixos-tests-to-packages.section.xml b/nixos/doc/manual/from_md/development/linking-nixos-tests-to-packages.section.xml new file mode 100644 index 00000000000..666bbec6162 --- /dev/null +++ b/nixos/doc/manual/from_md/development/linking-nixos-tests-to-packages.section.xml @@ -0,0 +1,10 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-linking-nixos-tests-to-packages"> + <title>Linking NixOS tests to packages</title> + <para> + You can link NixOS module tests to the packages that they exercised, + so that the tests can be run automatically during code review when + the package gets changed. This is + <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#ssec-nixos-tests-linking">described + in the nixpkgs manual</link>. + </para> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index fcaac9e8bec..570262d380a 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -7,14 +7,14 @@ <itemizedlist spacing="compact"> <listitem> <para> - Support is planned until the end of April 2022, handing over to + Support is planned until the end of June 2022, handing over to 22.05. </para> </listitem> </itemizedlist> <section xml:id="sec-release-21.11-highlights"> <title>Highlights</title> - <itemizedlist spacing="compact"> + <itemizedlist> <listitem> <para> PHP now defaults to PHP 8.0, updated from 7.4. @@ -26,6 +26,17 @@ default runtime. </para> </listitem> + <listitem> + <para> + <literal>python3</literal> now defaults to Python 3.9, updated + from Python 3.8. + </para> + </listitem> + <listitem> + <para> + PostgreSQL now defaults to major version 13. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-new-services"> @@ -42,6 +53,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>, + an X11 clipboard manager written in Rust. Available at + [services.clipcat](options.html#o pt-services.clipcat.enable). + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/maxmind/geoipupdate">geoipupdate</link>, a GeoIP database updater from MaxMind. Available as <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. @@ -49,6 +67,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://www.isc.org/kea/">Kea</link>, ISCs + 2nd generation DHCP and DDNS server suite. Available at + <link xlink:href="options.html#opt-services.kea">services.kea</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://sr.ht">sourcehut</link>, a collection of tools useful for software development. Available as @@ -85,6 +110,21 @@ <link linkend="opt-snapraid.enable">snapraid</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hockeypuck/hockeypuck">Hockeypuck</link>, + a OpenPGP Key Server. Available as + <link linkend="opt-services.hockeypuck.enable">services.hockeypuck</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/buildkite/buildkite-agent-metrics">buildkite-agent-metrics</link>, + a command-line tool for collecting Buildkite agent metrics, + now has a Prometheus exporter available as + <link linkend="opt-services.prometheus.exporters.buildkite-agent.enable">services.prometheus.exporters.buildkite-agent</link>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-incompatibilities"> @@ -503,6 +543,44 @@ changelog</link>. </para> </listitem> + <listitem> + <para> + The <literal>isabelle</literal> package has been upgraded from + 2020 to 2021 + </para> + </listitem> + <listitem> + <para> + the <literal>mingw-64</literal> package has been upgraded from + 6.0.0 to 9.0.0 + </para> + </listitem> + <listitem> + <para> + The following Visual Studio Code extensions were renamed to + keep the naming convention uniform. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>bbenoist.Nix</literal> -> + <literal>bbenoist.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>CoenraadS.bracket-pair-colorizer</literal> -> + <literal>coenraads.bracket-pair-colorizer</literal> + </para> + </listitem> + <listitem> + <para> + <literal>golang.Go</literal> -> + <literal>golang.go</literal> + </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-notable-changes"> @@ -540,6 +618,14 @@ </listitem> <listitem> <para> + <literal>python3</literal> now defaults to Python 3.9. Python + 3.9 introduces many deprecation warnings, please look at the + <link xlink:href="https://docs.python.org/3/whatsnew/3.9.html">What’s + New In Python 3.9 post</link> for more information. + </para> + </listitem> + <listitem> + <para> The <literal>claws-mail</literal> package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the @@ -562,6 +648,99 @@ be removed in 22.05. </para> </listitem> + <listitem> + <para> + The order of NSS (host) modules has been brought in line with + upstream recommendations: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>myhostname</literal> module is placed before + the <literal>resolve</literal> (optional) and + <literal>dns</literal> entries, but after + <literal>file</literal> (to allow overriding via + <literal>/etc/hosts</literal> / + <literal>networking.extraHosts</literal>, and prevent ISPs + with catchall-DNS resolvers from hijacking + <literal>.localhost</literal> domains) + </para> + </listitem> + <listitem> + <para> + The <literal>mymachines</literal> module, which provides + hostname resolution for local containers (registered with + <literal>systemd-machined</literal>) is placed to the + front, to make sure its mappings are preferred over other + resolvers. + </para> + </listitem> + <listitem> + <para> + If systemd-networkd is enabled, the + <literal>resolve</literal> module is placed before + <literal>files</literal> and + <literal>myhostname</literal>, as it provides the same + logic internally, with caching. + </para> + </listitem> + <listitem> + <para> + The <literal>mdns(_minimal)</literal> module has been + updated to the new priorities. + </para> + </listitem> + </itemizedlist> + <para> + If you use your own NSS host modules, make sure to update your + priorities according to these rules: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + NSS modules which should be queried before + <literal>resolved</literal> DNS resolution should use + mkBefore. + </para> + </listitem> + <listitem> + <para> + NSS modules which should be queried after + <literal>resolved</literal>, <literal>files</literal> and + <literal>myhostname</literal>, but before + <literal>dns</literal> should use the default priority + </para> + </listitem> + <listitem> + <para> + NSS modules which should come after <literal>dns</literal> + should use mkAfter. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-networking.wireless.iwd.enable">networking.wireless.iwd</link> + module has a new + <link xlink:href="options.html#opt-networking.wireless.iwd.settings">networking.wireless.iwd.settings</link> + option. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.syncoid.enable">services.syncoid.enable</link> + module now properly drops ZFS permissions after usage. Before + it delegated permissions to whole pools instead of datasets + and didn’t clean up after execution. You can manually look + this up for your pools by running + <literal>zfs allow your-pool-name</literal> and use + <literal>zfs unallow syncoid your-pool-name</literal> to clean + this up. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 030f1d21818..b8936e31844 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -2,19 +2,28 @@ In addition to numerous new and upgraded packages, this release has the following highlights: -- Support is planned until the end of April 2022, handing over to 22.05. +- Support is planned until the end of June 2022, handing over to 22.05. ## Highlights {#sec-release-21.11-highlights} - PHP now defaults to PHP 8.0, updated from 7.4. - kOps now defaults to 1.21.0, which uses containerd as the default runtime. +- `python3` now defaults to Python 3.9, updated from Python 3.8. + +- PostgreSQL now defaults to major version 13. + ## New Services {#sec-release-21.11-new-services} - [btrbk](https://digint.ch/btrbk/index.html), a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as [services.btrbk](options.html#opt-services.brtbk.instances). +- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#o +pt-services.clipcat.enable). + - [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP database updater from MaxMind. Available as [services.geoipupdate](options.html#opt-services.geoipupdate.enable). +- [Kea](https://www.isc.org/kea/), ISCs 2nd generation DHCP and DDNS server suite. Available at [services.kea](options.html#opt-services.kea). + - [sourcehut](https://sr.ht), a collection of tools useful for software development. Available as [services.sourcehut](options.html#opt-services.sourcehut.enable). - [ucarp](https://download.pureftpd.org/pub/ucarp/README), an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as [networking.ucarp](options.html#opt-networking.ucarp.enable). @@ -26,6 +35,9 @@ In addition to numerous new and upgraded packages, this release has the followin - [snapraid](https://www.snapraid.it/), a backup program for disk arrays. Available as [snapraid](#opt-snapraid.enable). +- [Hockeypuck](https://github.com/hockeypuck/hockeypuck), a OpenPGP Key Server. Available as [services.hockeypuck](#opt-services.hockeypuck.enable). + +- [buildkite-agent-metrics](https://github.com/buildkite/buildkite-agent-metrics), a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as [services.prometheus.exporters.buildkite-agent](#opt-services.prometheus.exporters.buildkite-agent.enable). ## Backward Incompatibilities {#sec-release-21.11-incompatibilities} @@ -126,6 +138,15 @@ In addition to numerous new and upgraded packages, this release has the followin - `icingaweb2` was upgraded to a new release which requires a manual database upgrade, see [upstream changelog](https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0). +- The `isabelle` package has been upgraded from 2020 to 2021 + +- the `mingw-64` package has been upgraded from 6.0.0 to 9.0.0 + +- The following Visual Studio Code extensions were renamed to keep the naming convention uniform. + - `bbenoist.Nix` -> `bbenoist.nix` + - `CoenraadS.bracket-pair-colorizer` -> `coenraads.bracket-pair-colorizer` + - `golang.Go` -> `golang.go` + ## Other Notable Changes {#sec-release-21.11-notable-changes} - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets. @@ -134,8 +155,38 @@ In addition to numerous new and upgraded packages, this release has the followin - Sway: The terminal emulator `rxvt-unicode` is no longer installed by default via `programs.sway.extraPackages`. The current default configuration uses `alacritty` (and soon `foot`) so this is only an issue when using a customized configuration and not installing `rxvt-unicode` explicitly. +- `python3` now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the [What's New In Python 3.9 post](https://docs.python.org/3/whatsnew/3.9.html) for more information. + - The `claws-mail` package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the `claws-mail-gtk2` package. - The wordpress module provides a new interface which allows to use different webservers with the new option [`services.wordpress.webserver`](options.html#opt-services.wordpress.webserver). Currently `httpd` and `nginx` are supported. The definitions of wordpress sites should now be set in [`services.wordpress.sites`](options.html#opt-services.wordpress.sites). Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05. + +- The order of NSS (host) modules has been brought in line with upstream + recommendations: + + - The `myhostname` module is placed before the `resolve` (optional) and `dns` + entries, but after `file` (to allow overriding via `/etc/hosts` / + `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from + hijacking `.localhost` domains) + - The `mymachines` module, which provides hostname resolution for local + containers (registered with `systemd-machined`) is placed to the front, to + make sure its mappings are preferred over other resolvers. + - If systemd-networkd is enabled, the `resolve` module is placed before + `files` and `myhostname`, as it provides the same logic internally, with + caching. + - The `mdns(_minimal)` module has been updated to the new priorities. + + If you use your own NSS host modules, make sure to update your priorities + according to these rules: + + - NSS modules which should be queried before `resolved` DNS resolution should + use mkBefore. + - NSS modules which should be queried after `resolved`, `files` and + `myhostname`, but before `dns` should use the default priority + - NSS modules which should come after `dns` should use mkAfter. + +- The [networking.wireless.iwd](options.html#opt-networking.wireless.iwd.enable) module has a new [networking.wireless.iwd.settings](options.html#opt-networking.wireless.iwd.settings) option. + +- The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up. diff --git a/nixos/lib/test-driver/test-driver.py b/nixos/lib/test-driver/test-driver.py index 15eaba88476..2a3e4d94b94 100644 --- a/nixos/lib/test-driver/test-driver.py +++ b/nixos/lib/test-driver/test-driver.py @@ -499,7 +499,7 @@ class Machine: output += out return output - def wait_until_succeeds(self, command: str) -> str: + def wait_until_succeeds(self, command: str, timeout: int = 900) -> str: """Wait until a command returns success and return its output. Throws an exception on timeout. """ @@ -511,7 +511,7 @@ class Machine: return status == 0 with self.nested("waiting for success: {}".format(command)): - retry(check_success) + retry(check_success, timeout) return output def wait_until_fails(self, command: str) -> str: diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index d19d35a4890..91a36cef10e 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -124,8 +124,8 @@ with lib; group = mkBefore [ "files" ]; shadow = mkBefore [ "files" ]; hosts = mkMerge [ - (mkBefore [ "files" ]) - (mkAfter [ "dns" ]) + (mkOrder 998 [ "files" ]) + (mkOrder 1499 [ "dns" ]) ]; services = mkBefore [ "files" ]; }; diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index a37b46b8c46..ff2ae1da31b 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -127,6 +127,15 @@ let ''; }; + options = mkOption { + default = [ "defaults" ]; + example = [ "nofail" ]; + type = types.listOf types.nonEmptyStr; + description = '' + Options used to mount the swap. + ''; + }; + deviceName = mkOption { type = types.str; internal = true; @@ -215,7 +224,7 @@ in fi ''} ${optionalString sw.randomEncryption.enable '' - cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName} + cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${optionalString (sw.discardPolicy != null) "--allow-discards"} ${sw.device} ${sw.deviceName} mkswap ${sw.realDevice} ''} ''; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 567a8b6f3b9..d5e7745c53f 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -396,7 +396,7 @@ let }; }; - idsAreUnique = set: idAttr: !(fold (name: args@{ dup, acc }: + idsAreUnique = set: idAttr: !(foldr (name: args@{ dup, acc }: let id = builtins.toString (builtins.getAttr idAttr (builtins.getAttr name set)); exists = builtins.hasAttr id acc; diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 3e88a4c20ad..524dae57010 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -35,6 +35,14 @@ in { ''; }; + hardware.wirelessRegulatoryDatabase = mkOption { + default = false; + type = types.bool; + description = '' + Load the wireless regulatory database at boot. + ''; + }; + }; @@ -58,6 +66,7 @@ in { ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ rtl8723bs-firmware ]; + hardware.wirelessRegulatoryDatabase = true; }) (mkIf cfg.enableAllFirmware { assertions = [{ @@ -75,5 +84,8 @@ in { b43FirmwareCutter ] ++ optional (pkgs.stdenv.hostPlatform.isi686 || pkgs.stdenv.hostPlatform.isx86_64) facetimehd-firmware; }) + (mkIf cfg.wirelessRegulatoryDatabase { + hardware.firmware = [ pkgs.wireless-regdb ]; + }) ]; } diff --git a/nixos/modules/hardware/sensor/iio.nix b/nixos/modules/hardware/sensor/iio.nix index 4c359c3b172..8b3ba87a7d9 100644 --- a/nixos/modules/hardware/sensor/iio.nix +++ b/nixos/modules/hardware/sensor/iio.nix @@ -9,7 +9,7 @@ with lib; hardware.sensor.iio = { enable = mkOption { description = '' - Enable this option to support IIO sensors. + Enable this option to support IIO sensors with iio-sensor-proxy. IIO sensors are used for orientation and ambient light sensors on some mobile devices. diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 801e28cec44..e3576074a5b 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,7 @@ { - x86_64-linux = "/nix/store/d1ppfhjhdwcsb4npfzyifv5z8i00fzsk-nix-2.3.11"; - i686-linux = "/nix/store/c6ikndcrzwpfn2sb5b9xb1f17p9b8iga-nix-2.3.11"; - aarch64-linux = "/nix/store/fb0lfrn0m8s197d264jzd64vhz9c8zbx-nix-2.3.11"; - x86_64-darwin = "/nix/store/qvb86ffv08q3r66qbd6nqifz425lyyhf-nix-2.3.11"; + x86_64-linux = "/nix/store/qsgz2hhn6mzlzp53a7pwf9z2pq3l5z6h-nix-2.3.14"; + i686-linux = "/nix/store/1yw40bj04lykisw2jilq06lir3k9ga4a-nix-2.3.14"; + aarch64-linux = "/nix/store/32yzwmynmjxfrkb6y6l55liaqdrgkj4a-nix-2.3.14"; + x86_64-darwin = "/nix/store/06j0vi2d13w4l0p3jsigq7lk4x6gkycj-nix-2.3.14"; + aarch64-darwin = "/nix/store/77wi7vpbrghw5rgws25w30bwb8yggnk9-nix-2.3.14"; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 2cbbbc522e1..858c7ee53db 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -229,7 +229,7 @@ in grafana = 196; skydns = 197; # ripple-rest = 198; # unused, removed 2017-08-12 - nix-serve = 199; + # nix-serve = 199; # unused, removed 2020-12-12 tvheadend = 200; uwsgi = 201; gitit = 202; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 8160bfef4a3..a2ac5c58528 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -39,7 +39,7 @@ let if c x then true else lib.traceSeqN 1 x false; in traceXIfNot isConfig; - merge = args: fold (def: mergeConfig def.value) {}; + merge = args: foldr (def: mergeConfig def.value) {}; }; overlayType = mkOptionType { diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3474c6e99d2..4d1700ed99a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -475,6 +475,7 @@ ./services/misc/calibre-server.nix ./services/misc/cfdyndns.nix ./services/misc/clipmenu.nix + ./services/misc/clipcat.nix ./services/misc/cpuminer-cryptonight.nix ./services/misc/cgminer.nix ./services/misc/confd.nix @@ -727,6 +728,7 @@ ./services/networking/iwd.nix ./services/networking/jicofo.nix ./services/networking/jitsi-videobridge.nix + ./services/networking/kea.nix ./services/networking/keepalived/default.nix ./services/networking/keybase.nix ./services/networking/kippo.nix @@ -885,6 +887,7 @@ ./services/security/fprot.nix ./services/security/haka.nix ./services/security/haveged.nix + ./services/security/hockeypuck.nix ./services/security/hologram-server.nix ./services/security/hologram-agent.nix ./services/security/munge.nix diff --git a/nixos/modules/programs/udevil.nix b/nixos/modules/programs/udevil.nix index ba5670f9dfe..25975d88ec8 100644 --- a/nixos/modules/programs/udevil.nix +++ b/nixos/modules/programs/udevil.nix @@ -10,5 +10,8 @@ in { config = mkIf cfg.enable { security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil"; + + systemd.packages = [ pkgs.udevil ]; + systemd.services."devmon@".wantedBy = [ "multi-user.target" ]; }; } diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 48638fda28d..6c824a692b7 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -53,7 +53,7 @@ in }; shellAliases = mkOption { - default = {}; + default = { }; description = '' Set of aliases for zsh shell, which overrides <option>environment.shellAliases</option>. See <option>environment.shellAliases</option> for an option format description. @@ -118,7 +118,9 @@ in setOptions = mkOption { type = types.listOf types.str; default = [ - "HIST_IGNORE_DUPS" "SHARE_HISTORY" "HIST_FCNTL_LOCK" + "HIST_IGNORE_DUPS" + "SHARE_HISTORY" + "HIST_FCNTL_LOCK" ]; example = [ "EXTENDED_HISTORY" "RM_STAR_WAIT" ]; description = '' @@ -278,15 +280,29 @@ in environment.etc.zinputrc.source = ./zinputrc; - environment.systemPackages = [ pkgs.zsh ] - ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; + environment.systemPackages = + let + completions = + if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre" + then + pkgs.nix-zsh-completions.overrideAttrs + (_: { + postInstall = '' + rm $out/share/zsh/site-functions/_nix + ''; + }) + else pkgs.nix-zsh-completions; + in + [ pkgs.zsh ] + ++ optional cfg.enableCompletion completions; environment.pathsToLink = optional cfg.enableCompletion "/share/zsh"; #users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh"; environment.shells = - [ "/run/current-system/sw/bin/zsh" + [ + "/run/current-system/sw/bin/zsh" "${pkgs.zsh}/bin/zsh" ]; diff --git a/nixos/modules/services/backup/sanoid.nix b/nixos/modules/services/backup/sanoid.nix index be44a43b6d3..41d0e2e1df6 100644 --- a/nixos/modules/services/backup/sanoid.nix +++ b/nixos/modules/services/backup/sanoid.nix @@ -52,7 +52,7 @@ let use_template = mkOption { description = "Names of the templates to use for this dataset."; type = types.listOf (types.enum (attrNames cfg.templates)); - default = []; + default = [ ]; }; useTemplate = use_template; @@ -70,116 +70,127 @@ let processChildrenOnly = process_children_only; }; - # Extract pool names from configured datasets - pools = unique (map (d: head (builtins.match "([^/]+).*" d)) (attrNames cfg.datasets)); - - configFile = let - mkValueString = v: - if builtins.isList v then concatStringsSep "," v - else generators.mkValueStringDefault {} v; - - mkKeyValue = k: v: if v == null then "" - else if k == "processChildrenOnly" then "" - else if k == "useTemplate" then "" - else generators.mkKeyValueDefault { inherit mkValueString; } "=" k v; - in generators.toINI { inherit mkKeyValue; } cfg.settings; - -in { - - # Interface - - options.services.sanoid = { - enable = mkEnableOption "Sanoid ZFS snapshotting service"; - - interval = mkOption { - type = types.str; - default = "hourly"; - example = "daily"; - description = '' - Run sanoid at this interval. The default is to run hourly. - - The format is described in - <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>. - ''; - }; + # Extract unique dataset names + datasets = unique (attrNames cfg.datasets); + + # Function to build "zfs allow" and "zfs unallow" commands for the + # filesystems we've delegated permissions to. + buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [ + # Here we explicitly use the booted system to guarantee the stable API needed by ZFS + "-+/run/booted-system/sw/bin/zfs" + zfsAction + "sanoid" + (concatStringsSep "," permissions) + dataset + ]; + + configFile = + let + mkValueString = v: + if builtins.isList v then concatStringsSep "," v + else generators.mkValueStringDefault { } v; + + mkKeyValue = k: v: + if v == null then "" + else if k == "processChildrenOnly" then "" + else if k == "useTemplate" then "" + else generators.mkKeyValueDefault { inherit mkValueString; } "=" k v; + in + generators.toINI { inherit mkKeyValue; } cfg.settings; + +in +{ + + # Interface + + options.services.sanoid = { + enable = mkEnableOption "Sanoid ZFS snapshotting service"; + + interval = mkOption { + type = types.str; + default = "hourly"; + example = "daily"; + description = '' + Run sanoid at this interval. The default is to run hourly. + + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; - datasets = mkOption { - type = types.attrsOf (types.submodule ({config, options, ...}: { - freeformType = datasetSettingsType; - options = commonOptions // datasetOptions; - config.use_template = mkAliasDefinitions (options.useTemplate or {}); - config.process_children_only = mkAliasDefinitions (options.processChildrenOnly or {}); - })); - default = {}; - description = "Datasets to snapshot."; - }; + datasets = mkOption { + type = types.attrsOf (types.submodule ({ config, options, ... }: { + freeformType = datasetSettingsType; + options = commonOptions // datasetOptions; + config.use_template = mkAliasDefinitions (mkDefault options.useTemplate or { }); + config.process_children_only = mkAliasDefinitions (mkDefault options.processChildrenOnly or { }); + })); + default = { }; + description = "Datasets to snapshot."; + }; - templates = mkOption { - type = types.attrsOf (types.submodule { - freeformType = datasetSettingsType; - options = commonOptions; - }); - default = {}; - description = "Templates for datasets."; - }; + templates = mkOption { + type = types.attrsOf (types.submodule { + freeformType = datasetSettingsType; + options = commonOptions; + }); + default = { }; + description = "Templates for datasets."; + }; - settings = mkOption { - type = types.attrsOf datasetSettingsType; - description = '' - Free-form settings written directly to the config file. See - <link xlink:href="https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf"/> - for allowed values. - ''; - }; + settings = mkOption { + type = types.attrsOf datasetSettingsType; + description = '' + Free-form settings written directly to the config file. See + <link xlink:href="https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf"/> + for allowed values. + ''; + }; - extraArgs = mkOption { - type = types.listOf types.str; - default = []; - example = [ "--verbose" "--readonly" "--debug" ]; - description = '' - Extra arguments to pass to sanoid. See - <link xlink:href="https://github.com/jimsalterjrs/sanoid/#sanoid-command-line-options"/> - for allowed options. - ''; - }; + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--verbose" "--readonly" "--debug" ]; + description = '' + Extra arguments to pass to sanoid. See + <link xlink:href="https://github.com/jimsalterjrs/sanoid/#sanoid-command-line-options"/> + for allowed options. + ''; }; + }; - # Implementation - - config = mkIf cfg.enable { - services.sanoid.settings = mkMerge [ - (mapAttrs' (d: v: nameValuePair ("template_" + d) v) cfg.templates) - (mapAttrs (d: v: v) cfg.datasets) - ]; - - systemd.services.sanoid = { - description = "Sanoid snapshot service"; - serviceConfig = { - ExecStartPre = map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - "sanoid" "snapshot,mount,destroy" pool - ]) pools; - ExecStart = lib.escapeShellArgs ([ - "${pkgs.sanoid}/bin/sanoid" - "--cron" - "--configdir" (pkgs.writeTextDir "sanoid.conf" configFile) - ] ++ cfg.extraArgs); - ExecStopPost = map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "unallow" "sanoid" pool - ]) pools; - User = "sanoid"; - Group = "sanoid"; - DynamicUser = true; - RuntimeDirectory = "sanoid"; - CacheDirectory = "sanoid"; - }; - # Prevents missing snapshots during DST changes - environment.TZ = "UTC"; - after = [ "zfs.target" ]; - startAt = cfg.interval; + # Implementation + + config = mkIf cfg.enable { + services.sanoid.settings = mkMerge [ + (mapAttrs' (d: v: nameValuePair ("template_" + d) v) cfg.templates) + (mapAttrs (d: v: v) cfg.datasets) + ]; + + systemd.services.sanoid = { + description = "Sanoid snapshot service"; + serviceConfig = { + ExecStartPre = (map (buildAllowCommand "allow" [ "snapshot" "mount" "destroy" ]) datasets); + ExecStopPost = (map (buildAllowCommand "unallow" [ "snapshot" "mount" "destroy" ]) datasets); + ExecStart = lib.escapeShellArgs ([ + "${pkgs.sanoid}/bin/sanoid" + "--cron" + "--configdir" + (pkgs.writeTextDir "sanoid.conf" configFile) + ] ++ cfg.extraArgs); + User = "sanoid"; + Group = "sanoid"; + DynamicUser = true; + RuntimeDirectory = "sanoid"; + CacheDirectory = "sanoid"; }; + # Prevents missing snapshots during DST changes + environment.TZ = "UTC"; + after = [ "zfs.target" ]; + startAt = cfg.interval; }; + }; - meta.maintainers = with maintainers; [ lopsided98 ]; - } + meta.maintainers = with maintainers; [ lopsided98 ]; +} diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index b764db1f14e..73b01d4b53f 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -5,212 +5,315 @@ with lib; let cfg = config.services.syncoid; - # Extract pool names of local datasets (ones that don't contain "@") that - # have the specified type (either "source" or "target") - getPools = type: unique (map (d: head (builtins.match "([^/]+).*" d)) ( - # Filter local datasets - filter (d: !hasInfix "@" d) - # Get datasets of the specified type - (catAttrs type (attrValues cfg.commands)) - )); -in { - - # Interface - - options.services.syncoid = { - enable = mkEnableOption "Syncoid ZFS synchronization service"; - - interval = mkOption { - type = types.str; - default = "hourly"; - example = "*-*-* *:15:00"; - description = '' - Run syncoid at this interval. The default is to run hourly. - - The format is described in - <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>. - ''; - }; + # Extract local dasaset names (so no datasets containing "@") + localDatasetName = d: optionals (d != null) ( + let m = builtins.match "([^/@]+[^@]*)" d; in + optionals (m != null) m + ); - user = mkOption { - type = types.str; - default = "syncoid"; - example = "backup"; - description = '' - The user for the service. ZFS privilege delegation will be - automatically configured for any local pools used by syncoid if this - option is set to a user other than root. The user will be given the - "hold" and "send" privileges on any pool that has datasets being sent - and the "create", "mount", "receive", and "rollback" privileges on - any pool that has datasets being received. - ''; - }; + # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html + escapeUnitName = name: + lib.concatMapStrings (s: if lib.isList s then "-" else s) + (builtins.split "[^a-zA-Z0-9_.\\-]+" name); - group = mkOption { - type = types.str; - default = "syncoid"; - example = "backup"; - description = "The group for the service."; - }; + # Function to build "zfs allow" and "zfs unallow" commands for the + # filesystems we've delegated permissions to. + buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [ + # Here we explicitly use the booted system to guarantee the stable API needed by ZFS + "-+/run/booted-system/sw/bin/zfs" + zfsAction + cfg.user + (concatStringsSep "," permissions) + dataset + ]; +in +{ - sshKey = mkOption { - type = types.nullOr types.path; - # Prevent key from being copied to store - apply = mapNullable toString; - default = null; - description = '' - SSH private key file to use to login to the remote system. Can be - overridden in individual commands. - ''; - }; + # Interface - commonArgs = mkOption { - type = types.listOf types.str; - default = []; - example = [ "--no-sync-snap" ]; - description = '' - Arguments to add to every syncoid command, unless disabled for that - command. See - <link xlink:href="https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options"/> - for available options. - ''; - }; + options.services.syncoid = { + enable = mkEnableOption "Syncoid ZFS synchronization service"; - commands = mkOption { - type = types.attrsOf (types.submodule ({ name, ... }: { - options = { - source = mkOption { - type = types.str; - example = "pool/dataset"; - description = '' - Source ZFS dataset. Can be either local or remote. Defaults to - the attribute name. - ''; - }; + interval = mkOption { + type = types.str; + default = "hourly"; + example = "*-*-* *:15:00"; + description = '' + Run syncoid at this interval. The default is to run hourly. - target = mkOption { - type = types.str; - example = "user@server:pool/dataset"; - description = '' - Target ZFS dataset. Can be either local - (<replaceable>pool/dataset</replaceable>) or remote - (<replaceable>user@server:pool/dataset</replaceable>). - ''; - }; + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; - recursive = mkOption { - type = types.bool; - default = false; - description = '' - Whether to also transfer child datasets. - ''; - }; + user = mkOption { + type = types.str; + default = "syncoid"; + example = "backup"; + description = '' + The user for the service. ZFS privilege delegation will be + automatically configured for any local pools used by syncoid if this + option is set to a user other than root. The user will be given the + "hold" and "send" privileges on any pool that has datasets being sent + and the "create", "mount", "receive", and "rollback" privileges on + any pool that has datasets being received. + ''; + }; - sshKey = mkOption { - type = types.nullOr types.path; - # Prevent key from being copied to store - apply = mapNullable toString; - description = '' - SSH private key file to use to login to the remote system. - Defaults to <option>services.syncoid.sshKey</option> option. - ''; - }; + group = mkOption { + type = types.str; + default = "syncoid"; + example = "backup"; + description = "The group for the service."; + }; - sendOptions = mkOption { - type = types.separatedString " "; - default = ""; - example = "Lc e"; - description = '' - Advanced options to pass to zfs send. Options are specified - without their leading dashes and separated by spaces. - ''; - }; + sshKey = mkOption { + type = types.nullOr types.path; + # Prevent key from being copied to store + apply = mapNullable toString; + default = null; + description = '' + SSH private key file to use to login to the remote system. Can be + overridden in individual commands. + ''; + }; - recvOptions = mkOption { - type = types.separatedString " "; - default = ""; - example = "ux recordsize o compression=lz4"; - description = '' - Advanced options to pass to zfs recv. Options are specified - without their leading dashes and separated by spaces. - ''; - }; + commonArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--no-sync-snap" ]; + description = '' + Arguments to add to every syncoid command, unless disabled for that + command. See + <link xlink:href="https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options"/> + for available options. + ''; + }; - useCommonArgs = mkOption { - type = types.bool; - default = true; - description = '' - Whether to add the configured common arguments to this command. - ''; - }; + service = mkOption { + type = types.attrs; + default = { }; + description = '' + Systemd configuration common to all syncoid services. + ''; + }; - extraArgs = mkOption { - type = types.listOf types.str; - default = []; - example = [ "--sshport 2222" ]; - description = "Extra syncoid arguments for this command."; - }; + commands = mkOption { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + source = mkOption { + type = types.str; + example = "pool/dataset"; + description = '' + Source ZFS dataset. Can be either local or remote. Defaults to + the attribute name. + ''; }; - config = { - source = mkDefault name; - sshKey = mkDefault cfg.sshKey; + + target = mkOption { + type = types.str; + example = "user@server:pool/dataset"; + description = '' + Target ZFS dataset. Can be either local + (<replaceable>pool/dataset</replaceable>) or remote + (<replaceable>user@server:pool/dataset</replaceable>). + ''; }; - })); - default = {}; - example = literalExample '' - { - "pool/test".target = "root@target:pool/test"; - } - ''; - description = "Syncoid commands to run."; - }; - }; - # Implementation + recursive = mkEnableOption ''the transfer of child datasets''; + + sshKey = mkOption { + type = types.nullOr types.path; + # Prevent key from being copied to store + apply = mapNullable toString; + description = '' + SSH private key file to use to login to the remote system. + Defaults to <option>services.syncoid.sshKey</option> option. + ''; + }; + + sendOptions = mkOption { + type = types.separatedString " "; + default = ""; + example = "Lc e"; + description = '' + Advanced options to pass to zfs send. Options are specified + without their leading dashes and separated by spaces. + ''; + }; - config = mkIf cfg.enable { - users = { - users = mkIf (cfg.user == "syncoid") { - syncoid = { - group = cfg.group; - isSystemUser = true; + recvOptions = mkOption { + type = types.separatedString " "; + default = ""; + example = "ux recordsize o compression=lz4"; + description = '' + Advanced options to pass to zfs recv. Options are specified + without their leading dashes and separated by spaces. + ''; + }; + + useCommonArgs = mkOption { + type = types.bool; + default = true; + description = '' + Whether to add the configured common arguments to this command. + ''; + }; + + service = mkOption { + type = types.attrs; + default = { }; + description = '' + Systemd configuration specific to this syncoid service. + ''; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--sshport 2222" ]; + description = "Extra syncoid arguments for this command."; }; }; - groups = mkIf (cfg.group == "syncoid") { - syncoid = {}; + config = { + source = mkDefault name; + sshKey = mkDefault cfg.sshKey; }; - }; + })); + default = { }; + example = literalExample '' + { + "pool/test".target = "root@target:pool/test"; + } + ''; + description = "Syncoid commands to run."; + }; + }; - systemd.services.syncoid = { - description = "Syncoid ZFS synchronization service"; - script = concatMapStringsSep "\n" (c: lib.escapeShellArgs - ([ "${pkgs.sanoid}/bin/syncoid" ] - ++ (optionals c.useCommonArgs cfg.commonArgs) - ++ (optional c.recursive "-r") - ++ (optionals (c.sshKey != null) [ "--sshkey" c.sshKey ]) - ++ c.extraArgs - ++ [ "--sendoptions" c.sendOptions - "--recvoptions" c.recvOptions - "--no-privilege-elevation" - c.source c.target - ])) (attrValues cfg.commands); - after = [ "zfs.target" ]; - serviceConfig = { - ExecStartPre = let - allowCmd = permissions: pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user (concatStringsSep "," permissions) pool - ]; - in - (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++ - (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target")); - User = cfg.user; - Group = cfg.group; + # Implementation + + config = mkIf cfg.enable { + users = { + users = mkIf (cfg.user == "syncoid") { + syncoid = { + group = cfg.group; + isSystemUser = true; + # For syncoid to be able to create /var/lib/syncoid/.ssh/ + # and to use custom ssh_config or known_hosts. + home = "/var/lib/syncoid"; + createHome = false; }; - startAt = cfg.interval; + }; + groups = mkIf (cfg.group == "syncoid") { + syncoid = { }; }; }; - meta.maintainers = with maintainers; [ lopsided98 ]; - } + systemd.services = mapAttrs' + (name: c: + nameValuePair "syncoid-${escapeUnitName name}" (mkMerge [ + { + description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}"; + after = [ "zfs.target" ]; + startAt = cfg.interval; + # syncoid may need zpool to get feature@extensible_dataset + path = [ "/run/booted-system/sw/bin/" ]; + serviceConfig = { + ExecStartPre = + # Permissions snapshot and destroy are in case --no-sync-snap is not used + (map (buildAllowCommand "allow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++ + (map (buildAllowCommand "allow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target)); + ExecStopPost = + # Permissions snapshot and destroy are in case --no-sync-snap is not used + (map (buildAllowCommand "unallow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++ + (map (buildAllowCommand "unallow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target)); + ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ] + ++ optionals c.useCommonArgs cfg.commonArgs + ++ optional c.recursive "-r" + ++ optionals (c.sshKey != null) [ "--sshkey" c.sshKey ] + ++ c.extraArgs + ++ [ + "--sendoptions" + c.sendOptions + "--recvoptions" + c.recvOptions + "--no-privilege-elevation" + c.source + c.target + ]); + User = cfg.user; + Group = cfg.group; + StateDirectory = [ "syncoid" ]; + StateDirectoryMode = "700"; + # Prevent SSH control sockets of different syncoid services from interfering + PrivateTmp = true; + # Permissive access to /proc because syncoid + # calls ps(1) to detect ongoing `zfs receive`. + ProcSubset = "all"; + ProtectProc = "default"; + + # The following options are only for optimizing: + # systemd-analyze security | grep syncoid-'*' + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DeviceAllow = [ "/dev/zfs" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = mkDefault false; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RootDirectory = "/run/syncoid/${escapeUnitName name}"; + RootDirectoryStartOnly = true; + BindPaths = [ "/dev/zfs" ]; + BindReadOnlyPaths = [ builtins.storeDir "/etc" "/run" "/bin/sh" ]; + # Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace. + InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ]; + MountAPIVFS = true; + # Create RootDirectory= in the host's mount namespace. + RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ]; + RuntimeDirectoryMode = "700"; + SystemCallFilter = [ + "@system-service" + # Groups in @system-service which do not contain a syscall listed by: + # perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid … + # awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log + # systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' ' + "~@aio" + "~@chown" + "~@keyring" + "~@memlock" + "~@privileged" + "~@resources" + "~@setuid" + "~@timer" + ]; + SystemCallArchitectures = "native"; + # This is for BindPaths= and BindReadOnlyPaths= + # to allow traversal of directories they create in RootDirectory=. + UMask = "0066"; + }; + } + cfg.service + c.service + ])) + cfg.commands; + }; + + meta.maintainers = with maintainers; [ julm lopsided98 ]; +} diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index 0ca71b413ce..debb2a39705 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -279,7 +279,7 @@ let src_plan = plan; tsformat = timestampFormat; zend_delay = toString sendDelay; - } // fold (a: b: a // b) {} ( + } // foldr (a: b: a // b) {} ( map mkDestAttrs (builtins.attrValues destinations) ); diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix index d0fb8cc5098..e5c51441690 100644 --- a/nixos/modules/services/cluster/k3s/default.nix +++ b/nixos/modules/services/cluster/k3s/default.nix @@ -67,6 +67,12 @@ in default = false; description = "Only run the server. This option only makes sense for a server."; }; + + configPath = mkOption { + type = types.nullOr types.path; + default = null; + description = "File path containing the k3s YAML config. This is useful when the config is generated (for example on boot)."; + }; }; # implementation @@ -74,12 +80,12 @@ in config = mkIf cfg.enable { assertions = [ { - assertion = cfg.role == "agent" -> cfg.serverAddr != ""; - message = "serverAddr should be set if role is 'agent'"; + assertion = cfg.role == "agent" -> (cfg.configPath != null || cfg.serverAddr != ""); + message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'"; } { - assertion = cfg.role == "agent" -> cfg.token != "" || cfg.tokenFile != null; - message = "token or tokenFile should be set if role is 'agent'"; + assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != ""; + message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'"; } ]; @@ -115,12 +121,10 @@ in "${cfg.package}/bin/k3s ${cfg.role}" ] ++ (optional cfg.docker "--docker") ++ (optional cfg.disableAgent "--disable-agent") - ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} ${ - if cfg.tokenFile != null then - "--token-file ${cfg.tokenFile}" - else - "--token ${cfg.token}" - }") + ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}") + ++ (optional (cfg.token != "") "--token ${cfg.token}") + ++ (optional (cfg.tokenFile != null) "--token-file ${cfg.tokenFile}") + ++ (optional (cfg.configPath != null) "--config ${cfg.configPath}") ++ [ cfg.extraFlags ] ); }; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index d9311d3e3a0..faf951d8157 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -189,7 +189,7 @@ in # manually paste it in place. Just symlink. # otherwise, create the target file, ready for users to insert the token - mkdir -p $(dirname ${certmgrAPITokenPath}) + mkdir -p "$(dirname "${certmgrAPITokenPath}")" if [ -f "${cfsslAPITokenPath}" ]; then ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}" else diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index 2f0b573e872..70d85a97f3b 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -105,7 +105,7 @@ let pkgs.stdenv.mkDerivation { name = "hercules-ci-check-system-nix-src"; inherit (config.nix.package) src patches; - configurePhase = ":"; + dontConfigure = true; buildPhase = '' echo "Checking in-memory pathInfoCache expiry" if ! grep 'PathInfoCacheValue' src/libstore/store-api.hh >/dev/null; then diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index effc9182472..fd4a195787f 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -293,7 +293,8 @@ in # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing # systems! - mkDefault (if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 + mkDefault (if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13 + else if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 else if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 else throw "postgresql_9_5 was removed, please upgrade your postgresql version."); diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix index 556f6bbb419..9d083a615a2 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix @@ -54,8 +54,7 @@ stdenv.mkDerivation { ${addAllNetDev netDevices} ''; - installPhase = ":"; - + dontInstall = true; dontStrip = true; dontPatchELF = true; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 35639e1bbc8..9b0a5bba2fe 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -194,7 +194,7 @@ let # We need to handle the last column specially here, because it's # open-ended (command + args). lines = [ labels labelDefaults ] ++ (map (l: init l ++ [""]) masterCf); - in fold foldLine (genList (const 0) (length labels)) lines; + in foldr foldLine (genList (const 0) (length labels)) lines; # Pad a string with spaces from the right (opposite of fixedWidthString). pad = width: str: let @@ -203,7 +203,7 @@ let in str + optionalString (padWidth > 0) padding; # It's + 2 here, because that's the amount of spacing between columns. - fullWidth = fold (width: acc: acc + width + 2) 0 maxWidths; + fullWidth = foldr (width: acc: acc + width + 2) 0 maxWidths; formatLine = line: concatStringsSep " " (zipListsWith pad maxWidths line); diff --git a/nixos/modules/services/misc/clipcat.nix b/nixos/modules/services/misc/clipcat.nix new file mode 100644 index 00000000000..128bb9a89d6 --- /dev/null +++ b/nixos/modules/services/misc/clipcat.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.clipcat; +in { + + options.services.clipcat= { + enable = mkEnableOption "Clipcat clipboard daemon"; + + package = mkOption { + type = types.package; + default = pkgs.clipcat; + defaultText = "pkgs.clipcat"; + description = "clipcat derivation to use."; + }; + }; + + config = mkIf cfg.enable { + systemd.user.services.clipcat = { + enable = true; + description = "clipcat daemon"; + wantedBy = [ "graphical-session.target" ]; + after = [ "graphical-session.target" ]; + serviceConfig.ExecStart = "${cfg.package}/bin/clipcatd --no-daemon"; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index d68d7b05c17..dcd825bba43 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -313,6 +313,7 @@ in { "w800rf32" "xbee" "zha" + "zwave" ]; in { ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; diff --git a/nixos/modules/services/misc/klipper.nix b/nixos/modules/services/misc/klipper.nix index 2f04c011a65..909408225e0 100644 --- a/nixos/modules/services/misc/klipper.nix +++ b/nixos/modules/services/misc/klipper.nix @@ -2,8 +2,13 @@ with lib; let cfg = config.services.klipper; - package = pkgs.klipper; - format = pkgs.formats.ini { mkKeyValue = generators.mkKeyValueDefault {} ":"; }; + format = pkgs.formats.ini { + # https://github.com/NixOS/nixpkgs/pull/121613#issuecomment-885241996 + listToValue = l: + if builtins.length l == 1 then generators.mkValueStringDefault {} (head l) + else lib.concatMapStrings (s: "\n ${generators.mkValueStringDefault {} s}") l; + mkKeyValue = generators.mkKeyValueDefault {} ":"; + }; in { ##### interface @@ -11,12 +16,51 @@ in services.klipper = { enable = mkEnableOption "Klipper, the 3D printer firmware"; + package = mkOption { + type = types.package; + default = pkgs.klipper; + description = "The Klipper package."; + }; + + inputTTY = mkOption { + type = types.path; + default = "/run/klipper/tty"; + description = "Path of the virtual printer symlink to create."; + }; + + apiSocket = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/klipper/api"; + description = "Path of the API socket to create."; + }; + octoprintIntegration = mkOption { type = types.bool; default = false; description = "Allows Octoprint to control Klipper."; }; + user = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + User account under which Klipper runs. + + If null is specified (default), a temporary user will be created by systemd. + ''; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Group account under which Klipper runs. + + If null is specified (default), a temporary user will be created by systemd. + ''; + }; + settings = mkOption { type = format.type; default = { }; @@ -30,26 +74,40 @@ in ##### implementation config = mkIf cfg.enable { - assertions = [{ - assertion = cfg.octoprintIntegration -> config.services.octoprint.enable; - message = "Option klipper.octoprintIntegration requires Octoprint to be enabled on this system. Please enable services.octoprint to use it."; - }]; + assertions = [ + { + assertion = cfg.octoprintIntegration -> config.services.octoprint.enable; + message = "Option klipper.octoprintIntegration requires Octoprint to be enabled on this system. Please enable services.octoprint to use it."; + } + { + assertion = cfg.user != null -> cfg.group != null; + message = "Option klipper.group is not set when a user is specified."; + } + ]; environment.etc."klipper.cfg".source = format.generate "klipper.cfg" cfg.settings; - systemd.services.klipper = { + services.klipper = mkIf cfg.octoprintIntegration { + user = config.services.octoprint.user; + group = config.services.octoprint.group; + }; + + systemd.services.klipper = let + klippyArgs = "--input-tty=${cfg.inputTTY}" + + optionalString (cfg.apiSocket != null) " --api-server=${cfg.apiSocket}"; + in { description = "Klipper 3D Printer Firmware"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = "${package}/lib/klipper/klippy.py --input-tty=/run/klipper/tty /etc/klipper.cfg"; + ExecStart = "${cfg.package}/lib/klipper/klippy.py ${klippyArgs} /etc/klipper.cfg"; RuntimeDirectory = "klipper"; SupplementaryGroups = [ "dialout" ]; - WorkingDirectory = "${package}/lib"; - } // (if cfg.octoprintIntegration then { - Group = config.services.octoprint.group; - User = config.services.octoprint.user; + WorkingDirectory = "${cfg.package}/lib"; + } // (if cfg.user != null then { + Group = cfg.group; + User = cfg.user; } else { DynamicUser = true; User = "klipper"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 46015c9ec1e..d648de6a414 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -27,6 +27,7 @@ let "bird" "bitcoin" "blackbox" + "buildkite-agent" "collectd" "dnsmasq" "domain" @@ -180,7 +181,7 @@ let serviceConfig.PrivateTmp = mkDefault true; serviceConfig.WorkingDirectory = mkDefault /tmp; serviceConfig.DynamicUser = mkDefault enableDynamicUser; - serviceConfig.User = conf.user; + serviceConfig.User = mkDefault conf.user; serviceConfig.Group = conf.group; } serviceOpts ]); }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/buildkite-agent.nix b/nixos/modules/services/monitoring/prometheus/exporters/buildkite-agent.nix new file mode 100644 index 00000000000..7557480ac06 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/buildkite-agent.nix @@ -0,0 +1,64 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.buildkite-agent; +in +{ + port = 9876; + extraOpts = { + tokenPath = mkOption { + type = types.nullOr types.path; + apply = final: if final == null then null else toString final; + description = '' + The token from your Buildkite "Agents" page. + + A run-time path to the token file, which is supposed to be provisioned + outside of Nix store. + ''; + }; + interval = mkOption { + type = types.str; + default = "30s"; + example = "1min"; + description = '' + How often to update metrics. + ''; + }; + endpoint = mkOption { + type = types.str; + default = "https://agent.buildkite.com/v3"; + description = '' + The Buildkite Agent API endpoint. + ''; + }; + queues = mkOption { + type = with types; nullOr (listOf str); + default = null; + example = literalExample ''[ "my-queue1" "my-queue2" ]''; + description = '' + Which specific queues to process. + ''; + }; + }; + serviceOpts = { + script = + let + queues = concatStringsSep " " (map (q: "-queue ${q}") cfg.queues); + in + '' + export BUILDKITE_AGENT_TOKEN="$(cat ${toString cfg.tokenPath})" + exec ${pkgs.buildkite-agent-metrics}/bin/buildkite-agent-metrics \ + -backend prometheus \ + -interval ${cfg.interval} \ + -endpoint ${cfg.endpoint} \ + ${optionalString (cfg.queues != null) queues} \ + -prometheus-addr "${cfg.listenAddress}:${toString cfg.port}" ${concatStringsSep " " cfg.extraFlags} + ''; + serviceConfig = { + DynamicUser = false; + RuntimeDirectory = "buildkite-agent-metrics"; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index b6cd89c3866..9677281f877 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -26,6 +26,7 @@ in { }; serviceOpts = { serviceConfig = { + User = "kea"; ExecStart = '' ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ --address ${cfg.listenAddress} \ diff --git a/nixos/modules/services/monitoring/telegraf.nix b/nixos/modules/services/monitoring/telegraf.nix index bc30ca3b77c..4046260c164 100644 --- a/nixos/modules/services/monitoring/telegraf.nix +++ b/nixos/modules/services/monitoring/telegraf.nix @@ -25,10 +25,9 @@ in { default = []; example = "/run/keys/telegraf.env"; description = '' - File to load as environment file. Environment variables - from this file will be interpolated into the config file - using envsubst with this syntax: - <literal>$ENVIRONMENT ''${VARIABLE}</literal> + File to load as environment file. Environment variables from this file + will be interpolated into the config file using envsubst with this + syntax: <literal>$ENVIRONMENT</literal> or <literal>''${VARIABLE}</literal>. This is useful to avoid putting secrets into the nix store. ''; }; @@ -73,6 +72,7 @@ in { ExecReload="${pkgs.coreutils}/bin/kill -HUP $MAINPID"; RuntimeDirectory = "telegraf"; User = "telegraf"; + Group = "telegraf"; Restart = "on-failure"; # for ping probes AmbientCapabilities = [ "CAP_NET_RAW" ]; @@ -81,7 +81,10 @@ in { users.users.telegraf = { uid = config.ids.uids.telegraf; + group = "telegraf"; description = "telegraf daemon user"; }; + + users.groups.telegraf = {}; }; } diff --git a/nixos/modules/services/networking/autossh.nix b/nixos/modules/services/networking/autossh.nix index a8d9a027e9f..245f2bfc2cf 100644 --- a/nixos/modules/services/networking/autossh.nix +++ b/nixos/modules/services/networking/autossh.nix @@ -79,7 +79,7 @@ in systemd.services = - lib.fold ( s : acc : acc // + lib.foldr ( s : acc : acc // { "autossh-${s.name}" = let diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 0b7d5575c11..020a817f259 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -240,8 +240,8 @@ in system.nssModules = optional cfg.nssmdns pkgs.nssmdns; system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ - (mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve - (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns + (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve + (mkAfter [ "mdns" ]) # after dns ]); environment.systemPackages = [ pkgs.avahi ]; diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix index 4acdd1d69cc..e76ba9a2d00 100644 --- a/nixos/modules/services/networking/corerad.nix +++ b/nixos/modules/services/networking/corerad.nix @@ -37,7 +37,7 @@ in { } ''; description = '' - Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/master/internal/config/default.toml"/> + Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/main/internal/config/reference.toml"/> for supported values. Ignored if configFile is set. ''; }; diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 99e5e78badd..8835f7f9372 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -4,8 +4,31 @@ with lib; let cfg = config.networking.wireless.iwd; + ini = pkgs.formats.ini { }; + configFile = ini.generate "main.conf" cfg.settings; in { - options.networking.wireless.iwd.enable = mkEnableOption "iwd"; + options.networking.wireless.iwd = { + enable = mkEnableOption "iwd"; + + settings = mkOption { + type = ini.type; + default = { }; + + example = { + Settings.AutoConnect = true; + + Network = { + EnableIPv6 = true; + RoutePriorityOffset = 300; + }; + }; + + description = '' + Options passed to iwd. + See <link xlink:href="https://iwd.wiki.kernel.org/networkconfigurationsettings">here</link> for supported options. + ''; + }; + }; config = mkIf cfg.enable { assertions = [{ @@ -15,6 +38,8 @@ in { ''; }]; + environment.etc."iwd/main.conf".source = configFile; + # for iwctl environment.systemPackages = [ pkgs.iwd ]; @@ -27,7 +52,10 @@ in { linkConfig.NamePolicy = "keep kernel"; }; - systemd.services.iwd.wantedBy = [ "multi-user.target" ]; + systemd.services.iwd = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + }; }; meta.maintainers = with lib.maintainers; [ mic92 dtzWill ]; diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix new file mode 100644 index 00000000000..72773b83a49 --- /dev/null +++ b/nixos/modules/services/networking/kea.nix @@ -0,0 +1,361 @@ +{ config +, lib +, pkgs +, ... +}: + +with lib; + +let + cfg = config.services.kea; + + format = pkgs.formats.json {}; + + ctrlAgentConfig = format.generate "kea-ctrl-agent.conf" { + Control-agent = cfg.ctrl-agent.settings; + }; + dhcp4Config = format.generate "kea-dhcp4.conf" { + Dhcp4 = cfg.dhcp4.settings; + }; + dhcp6Config = format.generate "kea-dhcp6.conf" { + Dhcp6 = cfg.dhcp6.settings; + }; + dhcpDdnsConfig = format.generate "kea-dhcp-ddns.conf" { + DhcpDdns = cfg.dhcp-ddns.settings; + }; + + package = pkgs.kea; +in +{ + options.services.kea = with types; { + ctrl-agent = mkOption { + description = '' + Kea Control Agent configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea Control Agent"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + description = '' + Kea Control Agent configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>. + ''; + }; + }; + }; + }; + + dhcp4 = mkOption { + description = '' + DHCP4 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP4 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp4.leases"; + }; + subnet4 = [ { + subnet = "192.0.2.0/24"; + pools = [ { + pool = "192.0.2.100 - 192.0.2.240"; + } ]; + } ]; + }; + description = '' + Kea DHCP4 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp6 = mkOption { + description = '' + DHCP6 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP6 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + preferred-lifetime = 3000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp6.leases"; + }; + subnet6 = [ { + subnet = "2001:db8:1::/64"; + pools = [ { + pool = "2001:db8:1::1-2001:db8:1::ffff"; + } ]; + } ]; + }; + description = '' + Kea DHCP6 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp-ddns = mkOption { + description = '' + Kea DHCP-DDNS configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DDNS server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + ip-address = "127.0.0.1"; + port = 53001; + dns-server-timeout = 100; + ncr-protocol = "UDP"; + ncr-format = "JSON"; + tsig-keys = [ ]; + forward-ddns = { + ddns-domains = [ ]; + }; + reverse-ddns = { + ddns-domains = [ ]; + }; + }; + description = '' + Kea DHCP-DDNS configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>. + ''; + }; + }; + }; + }; + }; + + config = let + commonServiceConfig = { + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + User = "kea"; + ConfigurationDirectory = "kea"; + RuntimeDirectory = "kea"; + StateDirectory = "kea"; + UMask = "0077"; + }; + in mkIf (cfg.ctrl-agent.enable || cfg.dhcp4.enable || cfg.dhcp6.enable || cfg.dhcp-ddns.enable) (mkMerge [ + { + environment.systemPackages = [ package ]; + } + + (mkIf cfg.ctrl-agent.enable { + + environment.etc."kea/ctrl-agent.conf".source = ctrlAgentConfig; + + systemd.services.kea-ctrl-agent = { + description = "Kea Control Agent"; + documentation = [ + "man:kea-ctrl-agent(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "kea-dhcp4-server.service" + "kea-dhcp6-server.service" + "kea-dhcp-ddns-server.service" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + KillMode = "process"; + Restart = "on-failure"; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp4.enable { + + environment.etc."kea/dhcp4-server.conf".source = dhcp4Config; + + systemd.services.kea-dhcp4-server = { + description = "Kea DHCP4 Server"; + documentation = [ + "man:kea-dhcp4(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp4 -c /etc/kea/dhcp4-server.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp6.enable { + + environment.etc."kea/dhcp6-server.conf".source = dhcp6Config; + + systemd.services.kea-dhcp6-server = { + description = "Kea DHCP6 Server"; + documentation = [ + "man:kea-dhcp6(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp6 -c /etc/kea/dhcp6-server.conf ${lib.escapeShellArgs cfg.dhcp6.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp-ddns.enable { + + environment.etc."kea/dhcp-ddns.conf".source = dhcpDdnsConfig; + + systemd.services.kea-dhcp-ddns-server = { + description = "Kea DHCP-DDNS Server"; + documentation = [ + "man:kea-dhcp-ddns(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp-ddns -c /etc/kea/dhcp-ddns.conf ${lib.escapeShellArgs cfg.dhcp-ddns.extraArgs}"; + AmbientCapabilites = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + ]); + + meta.maintainers = with maintainers; [ hexa ]; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 064018057cd..790de4ace01 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -6,7 +6,6 @@ let cfg = config.networking.networkmanager; basePackages = with pkgs; [ - crda modemmanager networkmanager networkmanager-fortisslvpn @@ -404,6 +403,8 @@ in { } ]; + hardware.wirelessRegulatoryDatabase = true; + environment.etc = with pkgs; { "NetworkManager/NetworkManager.conf".source = configFile; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index b17f35c769b..7fc145f2303 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -69,13 +69,9 @@ in ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; User = "nix-serve"; - Group = "nogroup"; + Group = "nix-serve"; + DynamicUser = true; }; }; - - users.users.nix-serve = { - description = "Nix-serve user"; - uid = config.ids.uids.nix-serve; - }; }; } diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index bfc358cb12f..a20fa615af8 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -160,7 +160,7 @@ in users.groups.nylon.gid = config.ids.gids.nylon; - systemd.services = fold (a: b: a // b) {} nylonUnits; + systemd.services = foldr (a: b: a // b) {} nylonUnits; }; } diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix index c1cbdb46176..37f44f07ac4 100644 --- a/nixos/modules/services/networking/pppd.nix +++ b/nixos/modules/services/networking/pppd.nix @@ -82,13 +82,21 @@ in LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; NIX_REDIRECTS = "/var/run=/run/pppd"; }; - serviceConfig = { + serviceConfig = let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; Restart = "always"; RestartSec = 5; - AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; - CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; KeyringMode = "private"; LockPersonality = true; MemoryDenyWriteExecute = true; @@ -103,7 +111,17 @@ in ProtectKernelTunables = false; ProtectSystem = "strict"; RemoveIPC = true; - RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX"; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix index fb783c83646..438e67d5ebb 100644 --- a/nixos/modules/services/networking/quicktun.nix +++ b/nixos/modules/services/networking/quicktun.nix @@ -87,7 +87,7 @@ with lib; }; config = mkIf (cfg != []) { - systemd.services = fold (a: b: a // b) {} ( + systemd.services = foldr (a: b: a // b) {} ( mapAttrsToList (name: qtcfg: { "quicktun-${name}" = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 28348c7893a..3c58cd9ddad 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -25,41 +25,43 @@ let folder.enable ) cfg.declarative.folders); - # get the api key by parsing the config.xml - getApiKey = pkgs.writers.writeDash "getAPIKey" '' - ${pkgs.libxml2}/bin/xmllint \ - --xpath 'string(configuration/gui/apikey)'\ - ${cfg.configDir}/config.xml - ''; - updateConfig = pkgs.writers.writeDash "merge-syncthing-config" '' set -efu - # wait for syncthing port to open - until ${pkgs.curl}/bin/curl -Ss ${cfg.guiAddress} -o /dev/null; do - sleep 1 - done - - API_KEY=$(${getApiKey}) - OLD_CFG=$(${pkgs.curl}/bin/curl -Ss \ - -H "X-API-Key: $API_KEY" \ - ${cfg.guiAddress}/rest/system/config) - - # generate the new config by merging with the nixos config options - NEW_CFG=$(echo "$OLD_CFG" | ${pkgs.jq}/bin/jq -s '.[] as $in | $in * { - "devices": (${builtins.toJSON devices}${optionalString (! cfg.declarative.overrideDevices) " + $in.devices"}), - "folders": (${builtins.toJSON folders}${optionalString (! cfg.declarative.overrideFolders) " + $in.folders"}) - }') - - # POST the new config to syncthing - echo "$NEW_CFG" | ${pkgs.curl}/bin/curl -Ss \ - -H "X-API-Key: $API_KEY" \ - ${cfg.guiAddress}/rest/system/config -d @- - - # restart syncthing after sending the new config - ${pkgs.curl}/bin/curl -Ss \ - -H "X-API-Key: $API_KEY" \ - -X POST \ - ${cfg.guiAddress}/rest/system/restart + + # get the api key by parsing the config.xml + while + ! api_key=$(${pkgs.libxml2}/bin/xmllint \ + --xpath 'string(configuration/gui/apikey)' \ + ${cfg.configDir}/config.xml) + do sleep 1; done + + curl() { + while + ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $api_key" \ + --retry 100 --retry-delay 1 --retry-connrefused "$@" + status=$? + [ "$status" -eq 52 ] # retry on empty reply from server + do sleep 1; done + return "$status" + } + + # query the old config + old_cfg=$(curl ${cfg.guiAddress}/rest/config) + + # generate the new config by merging with the NixOS config options + new_cfg=$(echo "$old_cfg" | ${pkgs.jq}/bin/jq -c '. * { + "devices": (${builtins.toJSON devices}${optionalString (! cfg.declarative.overrideDevices) " + .devices"}), + "folders": (${builtins.toJSON folders}${optionalString (! cfg.declarative.overrideFolders) " + .folders"}) + } * ${builtins.toJSON cfg.declarative.extraOptions}') + + # send the new config + curl -X PUT -d "$new_cfg" ${cfg.guiAddress}/rest/config + + # restart Syncthing if required + if curl ${cfg.guiAddress}/rest/config/restart-required | + ${pkgs.jq}/bin/jq -e .requiresRestart > /dev/null; then + curl -X POST ${cfg.guiAddress}/rest/system/restart + fi ''; in { ###### interface @@ -77,7 +79,7 @@ in { type = types.nullOr types.str; default = null; description = '' - Path to users cert.pem file, will be copied into the syncthing's + Path to users cert.pem file, will be copied into Syncthing's <literal>configDir</literal> ''; }; @@ -86,7 +88,7 @@ in { type = types.nullOr types.str; default = null; description = '' - Path to users key.pem file, will be copied into the syncthing's + Path to users key.pem file, will be copied into Syncthing's <literal>configDir</literal> ''; }; @@ -105,7 +107,7 @@ in { devices = mkOption { default = {}; description = '' - Peers/devices which syncthing should communicate with. + Peers/devices which Syncthing should communicate with. ''; example = { bigbox = { @@ -168,7 +170,7 @@ in { folders = mkOption { default = {}; description = '' - folders which should be shared by syncthing. + Folders which should be shared by Syncthing. ''; example = literalExample '' { @@ -227,7 +229,7 @@ in { versioning = mkOption { default = null; description = '' - How to keep changed/deleted files with syncthing. + How to keep changed/deleted files with Syncthing. There are 4 different types of versioning with different parameters. See https://docs.syncthing.net/users/versioning.html ''; @@ -335,10 +337,21 @@ in { upstream's docs</link>. ''; }; - }; })); }; + + extraOptions = mkOption { + type = types.addCheck (pkgs.formats.json {}).type isAttrs; + default = {}; + description = '' + Extra configuration options for Syncthing. + ''; + example = { + options.localAnnounceEnabled = false; + gui.theme = "black"; + }; + }; }; guiAddress = mkOption { @@ -378,7 +391,7 @@ in { default = null; example = "socks5://address.com:1234"; description = '' - Overwrites all_proxy environment variable for the syncthing process to + Overwrites all_proxy environment variable for the Syncthing process to the given value. This is normaly used to let relay client connect through SOCKS5 proxy server. ''; @@ -412,7 +425,7 @@ in { Open the default ports in the firewall: - TCP 22000 for transfers - UDP 21027 for discovery - If multiple users are running syncthing on this machine, you will need to manually open a set of ports for each instance and leave this disabled. + If multiple users are running Syncthing on this machine, you will need to manually open a set of ports for each instance and leave this disabled. Alternatively, if are running only a single instance on this machine using the default ports, enable this. ''; }; @@ -431,7 +444,7 @@ in { imports = [ (mkRemovedOptionModule ["services" "syncthing" "useInotify"] '' - This option was removed because syncthing now has the inotify functionality included under the name "fswatcher". + This option was removed because Syncthing now has the inotify functionality included under the name "fswatcher". It can be enabled on a per-folder basis through the webinterface. '') ]; @@ -516,8 +529,9 @@ in { }; }; syncthing-init = mkIf ( - cfg.declarative.devices != {} || cfg.declarative.folders != {} + cfg.declarative.devices != {} || cfg.declarative.folders != {} || cfg.declarative.extraOptions != {} ) { + description = "Syncthing configuration updater"; after = [ "syncthing.service" ]; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index b6afd83a9ab..9e433ad1a98 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -351,7 +351,7 @@ in config = mkIf (cfg.networks != { }) { - environment.etc = fold (a: b: a // b) { } + environment.etc = foldr (a: b: a // b) { } (flip mapAttrsToList cfg.networks (network: data: flip mapAttrs' data.hosts (host: text: nameValuePair ("tinc/${network}/hosts/${host}") diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 09aef9a1dcf..6d7178047ea 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -21,7 +21,15 @@ let )) else throw (traceSeq v "services.unbound.settings: unexpected type"); - confFile = pkgs.writeText "unbound.conf" (concatStringsSep "\n" ((mapAttrsToList (toConf "") cfg.settings) ++ [""])); + confNoServer = concatStringsSep "\n" ((mapAttrsToList (toConf "") (builtins.removeAttrs cfg.settings [ "server" ])) ++ [""]); + confServer = concatStringsSep "\n" (mapAttrsToList (toConf " ") (builtins.removeAttrs cfg.settings.server [ "define-tag" ])); + + confFile = pkgs.writeText "unbound.conf" '' + server: + ${optionalString (cfg.settings.server.define-tag != "") (toOption " " "define-tag" cfg.settings.server.define-tag)} + ${confServer} + ${confNoServer} + ''; rootTrustAnchorFile = "${cfg.stateDir}/root.key"; @@ -170,6 +178,7 @@ in { # prevent race conditions on system startup when interfaces are not yet # configured ip-freebind = mkDefault true; + define-tag = mkDefault ""; }; remote-control = { control-enable = mkDefault false; diff --git a/nixos/modules/services/networking/wakeonlan.nix b/nixos/modules/services/networking/wakeonlan.nix index 35ff67937fc..f41b6ec2740 100644 --- a/nixos/modules/services/networking/wakeonlan.nix +++ b/nixos/modules/services/networking/wakeonlan.nix @@ -19,7 +19,7 @@ let ${ethtool} -s ${interface} ${methodParameter {inherit method password;}} ''; - concatStrings = fold (x: y: x + y) ""; + concatStrings = foldr (x: y: x + y) ""; lines = concatStrings (map (l: line l) interfaces); in diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index c0a4ce40760..494d21cc867 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -241,7 +241,8 @@ in { environment.systemPackages = [ package ]; services.dbus.packages = [ package ]; - services.udev.packages = [ pkgs.crda ]; + + hardware.wirelessRegulatoryDatabase = true; # FIXME: start a separate wpa_supplicant instance per interface. systemd.services.wpa_supplicant = let diff --git a/nixos/modules/services/security/hockeypuck.nix b/nixos/modules/services/security/hockeypuck.nix new file mode 100644 index 00000000000..686634c8add --- /dev/null +++ b/nixos/modules/services/security/hockeypuck.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.hockeypuck; + settingsFormat = pkgs.formats.toml { }; +in { + meta.maintainers = with lib.maintainers; [ etu ]; + + options.services.hockeypuck = { + enable = lib.mkEnableOption "Hockeypuck OpenPGP Key Server"; + + port = lib.mkOption { + default = 11371; + type = lib.types.port; + description = "HKP port to listen on."; + }; + + settings = lib.mkOption { + type = settingsFormat.type; + default = { }; + example = lib.literalExample '' + { + hockeypuck = { + loglevel = "INFO"; + logfile = "/var/log/hockeypuck/hockeypuck.log"; + indexTemplate = "''${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + vindexTemplate = "''${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + statsTemplate = "''${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl"; + webroot = "''${pkgs.hockeypuck-web}/share/webroot"; + + hkp.bind = ":''${toString cfg.port}"; + + openpgp.db = { + driver = "postgres-jsonb"; + dsn = "database=hockeypuck host=/var/run/postgresql sslmode=disable"; + }; + }; + } + ''; + description = '' + Configuration file for hockeypuck, here you can override + certain settings (<literal>loglevel</literal> and + <literal>openpgp.db.dsn</literal>) by just setting those values. + + For other settings you need to use lib.mkForce to override them. + + This service doesn't provision or enable postgres on your + system, it rather assumes that you enable postgres and create + the database yourself. + + Example: + <literal> + services.postgresql = { + enable = true; + ensureDatabases = [ "hockeypuck" ]; + ensureUsers = [{ + name = "hockeypuck"; + ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; + }]; + }; + </literal> + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.hockeypuck.settings.hockeypuck = { + loglevel = lib.mkDefault "INFO"; + logfile = "/var/log/hockeypuck/hockeypuck.log"; + indexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + vindexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + statsTemplate = "${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl"; + webroot = "${pkgs.hockeypuck-web}/share/webroot"; + + hkp.bind = ":${toString cfg.port}"; + + openpgp.db = { + driver = "postgres-jsonb"; + dsn = lib.mkDefault "database=hockeypuck host=/var/run/postgresql sslmode=disable"; + }; + }; + + users.users.hockeypuck = { + isSystemUser = true; + description = "Hockeypuck user"; + }; + + systemd.services.hockeypuck = { + description = "Hockeypuck OpenPGP Key Server"; + after = [ "network.target" "postgresql.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + WorkingDirectory = "/var/lib/hockeypuck"; + User = "hockeypuck"; + ExecStart = "${pkgs.hockeypuck}/bin/hockeypuck -config ${settingsFormat.generate "config.toml" cfg.settings}"; + Restart = "always"; + RestartSec = "5s"; + LogsDirectory = "hockeypuck"; + LogsDirectoryMode = "0755"; + StateDirectory = "hockeypuck"; + }; + }; + }; +} diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix index 8345dfabeb7..7cf2ff87da2 100644 --- a/nixos/modules/services/ttys/getty.nix +++ b/nixos/modules/services/ttys/getty.nix @@ -6,7 +6,7 @@ let cfg = config.services.getty; baseArgs = [ - "--login-program" "${pkgs.shadow}/bin/login" + "--login-program" "${cfg.loginProgram}" ] ++ optionals (cfg.autologinUser != null) [ "--autologin" cfg.autologinUser ] ++ optionals (cfg.loginOptions != null) [ @@ -39,6 +39,14 @@ in ''; }; + loginProgram = mkOption { + type = types.path; + default = "${pkgs.shadow}/bin/login"; + description = '' + Path to the login binary executed by agetty. + ''; + }; + loginOptions = mkOption { type = types.nullOr types.str; default = null; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 111b3173469..5e15aaba096 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -699,7 +699,6 @@ in { }; extraConfig = '' index index.php index.html /index.php$request_uri; - expires 1m; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; diff --git a/nixos/modules/services/web-apps/plausible.nix b/nixos/modules/services/web-apps/plausible.nix index caf5ba466df..b56848b79d2 100644 --- a/nixos/modules/services/web-apps/plausible.nix +++ b/nixos/modules/services/web-apps/plausible.nix @@ -7,10 +7,15 @@ let # FIXME consider using LoadCredential as soon as it actually works. envSecrets = '' - export ADMIN_USER_PWD="$(<${cfg.adminUser.passwordFile})" - export SECRET_KEY_BASE="$(<${cfg.server.secretKeybaseFile})" + ADMIN_USER_PWD="$(<${cfg.adminUser.passwordFile})" + export ADMIN_USER_PWD # separate export to make `set -e` work + + SECRET_KEY_BASE="$(<${cfg.server.secretKeybaseFile})" + export SECRET_KEY_BASE # separate export to make `set -e` work + ${optionalString (cfg.mail.smtp.passwordFile != null) '' - export SMTP_USER_PWD="$(<${cfg.mail.smtp.passwordFile})" + SMTP_USER_PWD="$(<${cfg.mail.smtp.passwordFile})" + export SMTP_USER_PWD # separate export to make `set -e` work ''} ''; in { @@ -102,6 +107,11 @@ in { type = types.str; description = '' Public URL where plausible is available. + + Note that <literal>/path</literal> components are currently ignored: + <link xlink:href="https://github.com/plausible/analytics/issues/1182"> + https://github.com/plausible/analytics/issues/1182 + </link>. ''; }; }; @@ -228,6 +238,7 @@ in { WorkingDirectory = "/var/lib/plausible"; StateDirectory = "plausible"; ExecStartPre = "@${pkgs.writeShellScript "plausible-setup" '' + set -eu -o pipefail ${envSecrets} ${pkgs.plausible}/createdb.sh ${pkgs.plausible}/migrate.sh @@ -238,6 +249,7 @@ in { ''} ''} plausible-setup"; ExecStart = "@${pkgs.writeShellScript "plausible" '' + set -eu -o pipefail ${envSecrets} plausible start ''} plausible"; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 4e2f25cd27f..d3e4923a993 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -125,7 +125,7 @@ let else showWarnings config.warnings baseSystem; # Replace runtime dependencies - system = fold ({ oldDependency, newDependency }: drv: + system = foldr ({ oldDependency, newDependency }: drv: pkgs.replaceDependency { inherit oldDependency newDependency drv; } ) baseSystemAssertWarn config.system.replaceRuntimeDependencies; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index c6ec9acd54c..e183bc3648c 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -75,7 +75,7 @@ let else "${convertedFont}"); }); - bootDeviceCounters = fold (device: attr: attr // { ${device} = (attr.${device} or 0) + 1; }) {} + bootDeviceCounters = foldr (device: attr: attr // { ${device} = (attr.${device} or 0) + 1; }) {} (concatMap (args: args.devices) cfg.mirroredBoots); convertedFont = (pkgs.runCommand "grub-font-converted.pf2" {} diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 84bc9b78076..a6fc07da0ab 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -140,7 +140,8 @@ in # add resolve to nss hosts database if enabled and nscd enabled # system.nssModules is configured in nixos/modules/system/boot/systemd.nix - system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]"; + # added with order 501 to allow modules to go before with mkBefore + system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]); systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index abd8ab29cae..58064e5de86 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -925,9 +925,8 @@ in system.nssModules = [ systemd.out ]; system.nssDatabases = { hosts = (mkMerge [ - [ "mymachines" ] - (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last - ) + (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd) + (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules ]); passwd = (mkMerge [ (mkAfter [ "systemd" ]) diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix index dd337de9869..06117d19af4 100644 --- a/nixos/modules/tasks/encrypted-devices.nix +++ b/nixos/modules/tasks/encrypted-devices.nix @@ -8,7 +8,7 @@ let keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs; keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs; anyEncrypted = - fold (j: v: v || j.encrypted.enable) false encDevs; + foldr (j: v: v || j.encrypted.enable) false encDevs; encryptedFSOptions = { diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index d274a38a270..ea13d396c46 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -255,7 +255,7 @@ in # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string; swapOptions = sw: concatStringsSep "," ( - [ "defaults" ] + sw.options ++ optional (sw.priority != null) "pri=${toString sw.priority}" ++ optional (sw.discardPolicy != null) "discard${optionalString (sw.discardPolicy != "both") "=${toString sw.discardPolicy}"}" ); @@ -324,28 +324,33 @@ in in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)) // { # Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore. # This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then. - # Since the pstore filesystem is usually empty right after mounting because the backend isn't registered yet, and a path unit cannot detect files inside of it, the same service waits for that to happen. systemd's restart mechanism can't be used here because the first failure also fails all dependent units. "mount-pstore" = { serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore"; - ExecStartPost = pkgs.writeShellScript "wait-for-pstore.sh" '' + # skip on kernels without the pstore module + ExecCondition = "${pkgs.kmod}/bin/modprobe -b pstore"; + ExecStart = pkgs.writeShellScript "mount-pstore.sh" '' set -eu - TRIES=0 - while [ $TRIES -lt 20 ] && [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do - sleep 0.1 - TRIES=$((TRIES+1)) + # if the pstore module is builtin it will have mounted the persistent store automatically. it may also be already mounted for other reasons. + ${pkgs.util-linux}/bin/mountpoint -q /sys/fs/pstore || ${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore + # wait up to 1.5 seconds for the backend to be registered and the files to appear. a systemd path unit cannot detect this happening; and succeeding after a restart would not start dependent units. + TRIES=15 + while [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do + if (( $TRIES )); then + sleep 0.1 + TRIES=$((TRIES-1)) + else + echo "Persistent Storage backend was not registered in time." >&2 + break + fi done ''; RemainAfterExit = true; }; unitConfig = { - ConditionPathIsMountPoint = "!/sys/fs/pstore"; ConditionVirtualization = "!container"; DefaultDependencies = false; # needed to prevent a cycle }; - after = [ "modprobe@pstore.service" ]; - requires = [ "modprobe@pstore.service" ]; before = [ "systemd-pstore.service" ]; wantedBy = [ "systemd-pstore.service" ]; }; diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix index 8d352e36ef9..c135081959a 100644 --- a/nixos/modules/virtualisation/cri-o.nix +++ b/nixos/modules/virtualisation/cri-o.nix @@ -6,6 +6,9 @@ let crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; }); + format = pkgs.formats.toml { }; + + cfgFile = format.generate "00-default.conf" cfg.settings; in { imports = [ @@ -13,7 +16,7 @@ in ]; meta = { - maintainers = lib.teams.podman.members; + maintainers = teams.podman.members; }; options.virtualisation.cri-o = { @@ -55,7 +58,7 @@ in extraPackages = mkOption { type = with types; listOf package; default = [ ]; - example = lib.literalExample '' + example = literalExample '' [ pkgs.gvisor ] @@ -65,7 +68,7 @@ in ''; }; - package = lib.mkOption { + package = mkOption { type = types.package; default = crioPackage; internal = true; @@ -80,6 +83,15 @@ in description = "Override the network_dir option."; internal = true; }; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + Configuration for cri-o, see + <link xlink:href="https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md"/>. + ''; + }; }; config = mkIf cfg.enable { @@ -87,36 +99,38 @@ in environment.etc."crictl.yaml".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml"; - environment.etc."crio/crio.conf.d/00-default.conf".text = '' - [crio] - storage_driver = "${cfg.storageDriver}" - - [crio.image] - ${optionalString (cfg.pauseImage != null) ''pause_image = "${cfg.pauseImage}"''} - ${optionalString (cfg.pauseCommand != null) ''pause_command = "${cfg.pauseCommand}"''} - - [crio.network] - plugin_dirs = ["${pkgs.cni-plugins}/bin/"] - ${optionalString (cfg.networkDir != null) ''network_dir = "${cfg.networkDir}"''} - - [crio.runtime] - cgroup_manager = "systemd" - log_level = "${cfg.logLevel}" - pinns_path = "${cfg.package}/bin/pinns" - hooks_dir = [ - ${lib.optionalString config.virtualisation.containers.ociSeccompBpfHook.enable - ''"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",''} - ] - - ${optionalString (cfg.runtime != null) '' - default_runtime = "${cfg.runtime}" - [crio.runtime.runtimes] - [crio.runtime.runtimes.${cfg.runtime}] - ''} - ''; + virtualisation.cri-o.settings.crio = { + storage_driver = cfg.storageDriver; + + image = { + pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage; + pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand; + }; + + network = { + plugin_dirs = [ "${pkgs.cni-plugins}/bin" ]; + network_dir = mkIf (cfg.networkDir != null) cfg.networkDir; + }; + + runtime = { + cgroup_manager = "systemd"; + log_level = cfg.logLevel; + manage_ns_lifecycle = true; + pinns_path = "${cfg.package}/bin/pinns"; + hooks_dir = + optional (config.virtualisation.containers.ociSeccompBpfHook.enable) + config.boot.kernelPackages.oci-seccomp-bpf-hook; + + default_runtime = mkIf (cfg.runtime != null) cfg.runtime; + runtimes = mkIf (cfg.runtime != null) { + "${cfg.runtime}" = { }; + }; + }; + }; environment.etc."cni/net.d/10-crio-bridge.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf"; environment.etc."cni/net.d/99-loopback.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf"; + environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile; # Enable common /etc/containers configuration virtualisation.containers.enable = true; @@ -139,6 +153,7 @@ in TimeoutStartSec = "0"; Restart = "on-abnormal"; }; + restartTriggers = [ cfgFile ]; }; }; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 76e5077f42d..d6ef7d42431 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -174,6 +174,7 @@ in hitch = handleTest ./hitch {}; hledger-web = handleTest ./hledger-web.nix {}; hocker-fetchdocker = handleTest ./hocker-fetchdocker {}; + hockeypuck = handleTest ./hockeypuck.nix { }; home-assistant = handleTest ./home-assistant.nix {}; hostname = handleTest ./hostname.nix {}; hound = handleTest ./hound.nix {}; @@ -203,6 +204,7 @@ in k3s = handleTest ./k3s.nix {}; kafka = handleTest ./kafka.nix {}; kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {}; + kea = handleTest ./kea.nix {}; keepalived = handleTest ./keepalived.nix {}; keepassxc = handleTest ./keepassxc.nix {}; kerberos = handleTest ./kerberos/default.nix {}; @@ -295,6 +297,7 @@ in nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nginx-variants = handleTest ./nginx-variants.nix {}; + nix-serve = handleTest ./nix-ssh-serve.nix {}; nix-ssh-serve = handleTest ./nix-ssh-serve.nix {}; nixos-generate-config = handleTest ./nixos-generate-config.nix {}; nomad = handleTest ./nomad.nix {}; @@ -421,6 +424,7 @@ in taskserver = handleTest ./taskserver.nix {}; telegraf = handleTest ./telegraf.nix {}; tiddlywiki = handleTest ./tiddlywiki.nix {}; + tigervnc = handleTest ./tigervnc.nix {}; timezone = handleTest ./timezone.nix {}; tinc = handleTest ./tinc {}; tinydns = handleTest ./tinydns.nix {}; @@ -436,6 +440,7 @@ in txredisapi = handleTest ./txredisapi.nix {}; tuptime = handleTest ./tuptime.nix {}; turbovnc-headless-server = handleTest ./turbovnc-headless-server.nix {}; + tuxguitar = handleTest ./tuxguitar.nix {}; ucarp = handleTest ./ucarp.nix {}; ucg = handleTest ./ucg.nix {}; udisks2 = handleTest ./udisks2.nix {}; diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index d2a8f276f12..ea9e19cefbc 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -80,12 +80,8 @@ mapAttrs (channel: chromiumPkg: makeTest rec { binary = pname # Add optional CLI options: options = [] - major_version = "${versions.major (getVersion chromiumPkg.name)}" - if major_version > "91": - # To avoid a GPU crash: - options += ["--use-gl=angle", "--use-angle=swiftshader"] - options.append("file://${startupHTML}") # Launch the process: + options.append("file://${startupHTML}") machine.succeed(ru(f'ulimit -c unlimited; {binary} {shlex.join(options)} & disown')) if binary.startswith("google-chrome"): # Need to click away the first window: @@ -239,7 +235,18 @@ mapAttrs (channel: chromiumPkg: makeTest rec { with test_new_win("gpu_info", "chrome://gpu", "chrome://gpu"): - pass + # To check the text rendering (catches regressions like #131074): + machine.wait_for_text("Graphics Feature Status") + + + with test_new_win("version_info", "chrome://version", "About Version") as clipboard: + filters = [ + r"${chromiumPkg.version} \(Official Build", + ] + if not all( + re.search(filter, clipboard) for filter in filters + ): + assert False, "Version info not correct." machine.shutdown() diff --git a/nixos/tests/grocy.nix b/nixos/tests/grocy.nix index 220c55b1f63..2be5c24ecb5 100644 --- a/nixos/tests/grocy.nix +++ b/nixos/tests/grocy.nix @@ -40,7 +40,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { assert task_name == "Test Task" - machine.succeed("curl -sSfI http://localhost/api/tasks 2>&1 | grep '401 Unauthorized'") + machine.succeed("curl -sSI http://localhost/api/tasks 2>&1 | grep '401 Unauthorized'") machine.shutdown() ''; diff --git a/nixos/tests/hockeypuck.nix b/nixos/tests/hockeypuck.nix new file mode 100644 index 00000000000..79313f314fd --- /dev/null +++ b/nixos/tests/hockeypuck.nix @@ -0,0 +1,63 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: +let + gpgKeyring = (pkgs.runCommandNoCC "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } '' + mkdir -p $out + export GNUPGHOME=$out + cat > foo <<EOF + %echo Generating a basic OpenPGP key + %no-protection + Key-Type: DSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: Foo Example + Name-Email: foo@example.org + Expire-Date: 0 + # Do a commit here, so that we can later print "done" + %commit + %echo done + EOF + gpg --batch --generate-key foo + rm $out/S.gpg-agent $out/S.gpg-agent.* + ''); +in { + name = "hockeypuck"; + meta.maintainers = with lib.maintainers; [ etu ]; + + machine = { ... }: { + # Used for test + environment.systemPackages = [ pkgs.gnupg ]; + + services.hockeypuck.enable = true; + + services.postgresql = { + enable = true; + ensureDatabases = [ "hockeypuck" ]; + ensureUsers = [{ + name = "hockeypuck"; + ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; + }]; + }; + }; + + testScript = '' + machine.wait_for_unit("hockeypuck.service") + machine.wait_for_open_port(11371) + + response = machine.succeed("curl -vvv -s http://127.0.0.1:11371/") + + assert "<title>OpenPGP Keyserver</title>" in response, "HTML title not found" + + # Copy the keyring + machine.succeed("cp -R ${gpgKeyring} /tmp/GNUPGHOME") + + # Extract our GPG key id + keyId = machine.succeed("GNUPGHOME=/tmp/GNUPGHOME gpg --list-keys | grep dsa1024 --after-context=1 | grep -v dsa1024").strip() + + # Send the key to our local keyserver + machine.succeed("GNUPGHOME=/tmp/GNUPGHOME gpg --keyserver hkp://127.0.0.1:11371 --send-keys " + keyId) + + # Recieve the key from our local keyserver to a separate directory + machine.succeed("GNUPGHOME=$(mktemp -d) gpg --keyserver hkp://127.0.0.1:11371 --recv-keys " + keyId) + ''; +}) diff --git a/nixos/tests/kea.nix b/nixos/tests/kea.nix new file mode 100644 index 00000000000..6b345893108 --- /dev/null +++ b/nixos/tests/kea.nix @@ -0,0 +1,73 @@ +import ./make-test-python.nix ({ pkgs, lib, ...}: { + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + router = { config, pkgs, ... }: { + virtualisation.vlans = [ 1 ]; + + networking = { + useNetworkd = true; + useDHCP = false; + firewall.allowedUDPPorts = [ 67 ]; + }; + + systemd.network = { + networks = { + "01-eth1" = { + name = "eth1"; + networkConfig = { + Address = "10.0.0.1/30"; + }; + }; + }; + }; + + services.kea.dhcp4 = { + enable = true; + settings = { + valid-lifetime = 3600; + renew-timer = 900; + rebind-timer = 1800; + + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp4.leases"; + }; + + interfaces-config = { + dhcp-socket-type = "raw"; + interfaces = [ + "eth1" + ]; + }; + + subnet4 = [ { + subnet = "10.0.0.0/30"; + pools = [ { + pool = "10.0.0.2 - 10.0.0.2"; + } ]; + } ]; + }; + }; + }; + + client = { config, pkgs, ... }: { + virtualisation.vlans = [ 1 ]; + systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug"; + networking = { + useNetworkd = true; + useDHCP = false; + firewall.enable = false; + interfaces.eth1.useDHCP = true; + }; + }; + }; + testScript = { ... }: '' + start_all() + router.wait_for_unit("kea-dhcp4-server.service") + client.wait_for_unit("systemd-networkd-wait-online.service") + client.wait_until_succeeds("ping -c 5 10.0.0.1") + router.wait_until_succeeds("ping -c 5 10.0.0.2") + ''; +}) diff --git a/nixos/tests/nix-serve.nix b/nixos/tests/nix-serve.nix new file mode 100644 index 00000000000..ab82f4be43e --- /dev/null +++ b/nixos/tests/nix-serve.nix @@ -0,0 +1,22 @@ +import ./make-test-python.nix ({ pkgs, ... }: +{ + name = "nix-serve"; + machine = { pkgs, ... }: { + services.nix-serve.enable = true; + environment.systemPackages = [ + pkgs.hello + ]; + }; + testScript = let + pkgHash = builtins.head ( + builtins.match "${builtins.storeDir}/([^-]+).+" (toString pkgs.hello) + ); + in '' + start_all() + machine.wait_for_unit("nix-serve.service") + machine.wait_for_open_port(5000) + machine.succeed( + "curl --fail -g http://0.0.0.0:5000/nar/${pkgHash}.nar -o /tmp/hello.nar" + ) + ''; +}) diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index a33aca29fd2..e8bc6339ecf 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -326,49 +326,36 @@ let ''; }; - kea = { + kea = let + controlSocketPath = "/run/kea/dhcp6.sock"; + in + { exporterConfig = { enable = true; controlSocketPaths = [ - "/run/kea/kea-dhcp6.sock" + controlSocketPath ]; }; metricProvider = { - users.users.kea = { - isSystemUser = true; - }; - users.groups.kea = {}; + systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6-server.service" ]; - systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6.service" ]; - - systemd.services.kea-dhcp6 = let - configFile = pkgs.writeText "kea-dhcp6.conf" (builtins.toJSON { - Dhcp6 = { - "control-socket" = { - "socket-type" = "unix"; - "socket-name" = "/run/kea/kea-dhcp6.sock"; + services.kea = { + enable = true; + dhcp6 = { + enable = true; + settings = { + control-socket = { + socket-type = "unix"; + socket-name = controlSocketPath; }; }; - }); - in - { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - DynamicUser = false; - User = "kea"; - Group = "kea"; - ExecStart = "${pkgs.kea}/bin/kea-dhcp6 -c ${configFile}"; - StateDirectory = "kea"; - RuntimeDirectory = "kea"; - UMask = "0007"; }; }; }; + exporterTest = '' - wait_for_unit("kea-dhcp6.service") - wait_for_file("/run/kea/kea-dhcp6.sock") + wait_for_unit("kea-dhcp6-server.service") + wait_for_file("${controlSocketPath}") wait_for_unit("prometheus-kea-exporter.service") wait_for_open_port(9547) succeed( diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix index 1983945915f..3bdbe0a8d8d 100644 --- a/nixos/tests/sanoid.nix +++ b/nixos/tests/sanoid.nix @@ -44,7 +44,7 @@ in { # Sync snapshot taken by sanoid "pool/sanoid" = { target = "root@target:pool/sanoid"; - extraArgs = [ "--no-sync-snap" ]; + extraArgs = [ "--no-sync-snap" "--create-bookmark" ]; }; # Take snapshot and sync "pool/syncoid".target = "root@target:pool/syncoid"; @@ -85,15 +85,28 @@ in { "chown -R syncoid:syncoid /var/lib/syncoid/", ) + assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set before snapshotting" + assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set before snapshotting" + assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set before snapshotting" + # Take snapshot with sanoid source.succeed("touch /mnt/pool/sanoid/test.txt") source.systemctl("start --wait sanoid.service") + assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set after snapshotting" + assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set after snapshotting" + assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set after snapshotting" + # Sync snapshots target.wait_for_open_port(22) source.succeed("touch /mnt/pool/syncoid/test.txt") - source.systemctl("start --wait syncoid.service") + source.systemctl("start --wait syncoid-pool-sanoid.service") target.succeed("cat /mnt/pool/sanoid/test.txt") + source.systemctl("start --wait syncoid-pool-syncoid.service") target.succeed("cat /mnt/pool/syncoid/test.txt") + + assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set after syncing snapshots" + assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set after syncing snapshots" + assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set after syncing snapshots" ''; }) diff --git a/nixos/tests/syncthing-init.nix b/nixos/tests/syncthing-init.nix index 4581e3fd4fb..f359f0af1c2 100644 --- a/nixos/tests/syncthing-init.nix +++ b/nixos/tests/syncthing-init.nix @@ -17,6 +17,7 @@ in { path = "/tmp/test"; devices = [ "testDevice" ]; }; + extraOptions.gui.user = "guiUser"; }; }; }; @@ -27,5 +28,6 @@ in { assert "testFolder" in config assert "${testId}" in config + assert "guiUser" in config ''; }) diff --git a/nixos/tests/syncthing.nix b/nixos/tests/syncthing.nix index 5536b7055cc..aff1d874413 100644 --- a/nixos/tests/syncthing.nix +++ b/nixos/tests/syncthing.nix @@ -25,7 +25,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { "xmllint --xpath 'string(configuration/gui/apikey)' %s/config.xml" % confdir ).strip() oldConf = host.succeed( - "curl -Ssf -H 'X-API-Key: %s' 127.0.0.1:8384/rest/system/config" % APIKey + "curl -Ssf -H 'X-API-Key: %s' 127.0.0.1:8384/rest/config" % APIKey ) conf = json.loads(oldConf) conf["devices"].append({"deviceID": deviceID, "id": name}) @@ -39,7 +39,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { ) newConf = json.dumps(conf) host.succeed( - "curl -Ssf -H 'X-API-Key: %s' 127.0.0.1:8384/rest/system/config -d %s" + "curl -Ssf -H 'X-API-Key: %s' 127.0.0.1:8384/rest/config -X PUT -d %s" % (APIKey, shlex.quote(newConf)) ) diff --git a/nixos/tests/tigervnc.nix b/nixos/tests/tigervnc.nix new file mode 100644 index 00000000000..c0a52808b27 --- /dev/null +++ b/nixos/tests/tigervnc.nix @@ -0,0 +1,53 @@ +{ system ? builtins.currentSystem +, config ? {} +, pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +makeTest { + name = "tigervnc"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lheckemann ]; + }; + + nodes = { + server = { pkgs, ...}: { + environment.systemPackages = with pkgs; [ + tigervnc # for Xvnc + xorg.xwininfo + imagemagickBig # for display with working label: support + ]; + networking.firewall.allowedTCPPorts = [ 5901 ]; + }; + + client = { pkgs, ... }: { + imports = [ ./common/x11.nix ]; + # for vncviewer + environment.systemPackages = [ pkgs.tigervnc ]; + }; + }; + + enableOCR = true; + + testScript = '' + start_all() + + for host in [server, client]: + host.succeed("echo foobar | vncpasswd -f > vncpasswd") + + server.succeed("Xvnc -geometry 720x576 :1 -PasswordFile vncpasswd &") + server.wait_until_succeeds("nc -z localhost 5901", timeout=10) + server.succeed("DISPLAY=:1 xwininfo -root | grep 720x576") + server.execute("DISPLAY=:1 display -size 360x200 -font sans -gravity south label:'HELLO VNC WORLD' &") + + client.wait_for_x() + client.execute("vncviewer server:1 -PasswordFile vncpasswd &") + client.wait_for_window(r"VNC") + client.screenshot("screenshot") + text = client.get_screen_text() + # Displayed text + assert 'HELLO VNC WORLD' in text + # Client window title + assert 'TigerVNC' in text + ''; +} diff --git a/nixos/tests/tuxguitar.nix b/nixos/tests/tuxguitar.nix new file mode 100644 index 00000000000..6586132d3cd --- /dev/null +++ b/nixos/tests/tuxguitar.nix @@ -0,0 +1,24 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "tuxguitar"; + meta = with pkgs.lib.maintainers; { + maintainers = [ asbachb ]; + }; + + machine = { config, pkgs, ... }: { + imports = [ + ./common/x11.nix + ]; + + services.xserver.enable = true; + + environment.systemPackages = [ pkgs.tuxguitar ]; + }; + + testScript = '' + machine.wait_for_x() + machine.succeed("tuxguitar &") + machine.wait_for_window("TuxGuitar - Untitled.tg") + machine.sleep(1) + machine.screenshot("tuxguitar") + ''; +}) |