Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 9 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2211.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/programs/streamdeck-ui.nix | 28 | ||||
-rw-r--r-- | nixos/modules/services/continuous-integration/jenkins/job-builder.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/security/pass-secret-service.nix | 27 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/libuiohook.nix | 21 | ||||
-rw-r--r-- | nixos/tests/pass-secret-service.nix | 69 |
9 files changed, 161 insertions, 1 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 550dddfaf35..864b6e47db2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -343,6 +343,15 @@ </listitem> <listitem> <para> + The <literal>pass-secret-service</literal> package now + includes systemd units from upstream, so adding it to the + NixOS <literal>services.dbus.packages</literal> option will + make it start automatically as a systemd user service when an + application tries to talk to the libsecret D-Bus API. + </para> + </listitem> + <listitem> + <para> There is a new module for the <literal>thunar</literal> program (the Xfce file manager), which depends on the <literal>xfconf</literal> dbus service, and also has a dbus diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index b652419bcf1..d4059e73932 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -128,6 +128,8 @@ Use `configure.packages` instead. - Add udev rules for the Teensy family of microcontrollers. +- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. + - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 268ebbf18dd..82c0b5d74de 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -215,6 +215,7 @@ ./programs/systemtap.nix ./programs/starship.nix ./programs/steam.nix + ./programs/streamdeck-ui.nix ./programs/sway.nix ./programs/system-config-printer.nix ./programs/thefuck.nix @@ -1002,6 +1003,7 @@ ./services/security/oauth2_proxy.nix ./services/security/oauth2_proxy_nginx.nix ./services/security/opensnitch.nix + ./services/security/pass-secret-service.nix ./services/security/privacyidea.nix ./services/security/physlock.nix ./services/security/shibboleth-sp.nix diff --git a/nixos/modules/programs/streamdeck-ui.nix b/nixos/modules/programs/streamdeck-ui.nix new file mode 100644 index 00000000000..1434f82660d --- /dev/null +++ b/nixos/modules/programs/streamdeck-ui.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.streamdeck-ui; +in { + options.programs.streamdeck-ui = { + enable = mkEnableOption "streamdeck-ui"; + + autoStart = mkOption { + default = true; + type = types.bool; + description = "Whether streamdeck-ui should be started automatically."; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + streamdeck-ui + (mkIf cfg.autoStart (makeAutostartItem { name = "streamdeck-ui"; package = streamdeck-ui; })) + ]; + + services.udev.packages = with pkgs; [ streamdeck-ui ]; + }; + + meta.maintainers = with maintainers; [ majiir ]; +} diff --git a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix index deabeec0b29..edbf31f5ca1 100644 --- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix +++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix 
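Review bot: In `streamdeck-ui.nix` the `environment.systemPackages` list places a `mkIf` inside a list literal, which only works because the `listOf` merge discharges properties on each element; the conventional form is `environment.systemPackages = [ pkgs.streamdeck-ui ] ++ lib.optional cfg.autoStart (pkgs.makeAutostartItem { name = "streamdeck-ui"; package = pkgs.streamdeck-ui; });`, which reads as a plain list and does not depend on that merge behaviour. The `autoStart` option description also says nothing about the mechanism; since `makeAutostartItem` appears to be what implements it, suggest `description = "Whether streamdeck-ui should be started automatically via an XDG autostart entry.";` (confirm against makeAutostartItem). It is worth a one-line comment on `services.udev.packages` noting that this is what grants the desktop user access to the Stream Deck USB device, since that is the only privilege-relevant line in the module.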
@@ -165,7 +165,7 @@ in { jenkins_url="http://${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}" auth_file="$RUNTIME_DIRECTORY/jenkins_auth_file.txt" trap 'rm -f "$auth_file"' EXIT - printf "${cfg.accessUser}:@password_placeholder@" >"$auth_file" + (umask 0077; printf "${cfg.accessUser}:@password_placeholder@" >"$auth_file") "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "$access_token_file" "$auth_file" if ! "${pkgs.jenkins}/bin/jenkins-cli" -s "$jenkins_url" -auth "@$auth_file" reload-configuration; then diff --git a/nixos/modules/services/security/pass-secret-service.nix b/nixos/modules/services/security/pass-secret-service.nix new file mode 100644 index 00000000000..6ae190eb95e --- /dev/null +++ b/nixos/modules/services/security/pass-secret-service.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.passSecretService; +in +{ + options.services.passSecretService = { + enable = mkEnableOption "pass secret service"; + + package = mkOption { + type = types.package; + default = pkgs.pass-secret-service; + defaultText = literalExpression "pkgs.pass-secret-service"; + description = "Which pass-secret-service package to use."; + example = literalExpression "pkgs.pass-secret-service.override { python3 = pkgs.python310 }"; + }; + }; + + config = mkIf cfg.enable { + systemd.packages = [ cfg.package ]; + services.dbus.packages = [ cfg.package ]; + }; + + meta.maintainers = with maintainers; [ aidalgol ]; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 3253a3c750b..03a7f17c07c 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
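Review bot: The `umask 0077` subshell only covers the initial `printf`; the real password is written by `replace-secret` on the following line, so the final file is 0600 only if replace-secret rewrites the existing inode in place rather than recreating it — worth confirming, or extend the subshell to cover both commands: `(umask 0077; printf "${cfg.accessUser}:@password_placeholder@" >"$auth_file"; "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "$access_token_file" "$auth_file")`. Even then the token sits in clear text under `$RUNTIME_DIRECTORY` until EXIT, and the `trap` does not fire on SIGKILL, so cleanup ultimately relies on systemd removing the runtime directory when the unit stops; a short comment stating that assumption would help the next reader. The enclosing script starts and ends outside this hunk.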
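Review bot: The `example` for `services.passSecretService.package` is not valid Nix — the attribute set passed to `override` lacks the terminating semicolon — so anyone who copies it gets a parse error; change it to `example = literalExpression "pkgs.pass-secret-service.override { python3 = pkgs.python310; }";`. The module also quietly registers a second provider of the `org.freedesktop.secrets` bus name when the user already has gnome-keyring or another secret service in `services.dbus.packages`, and as far as I can tell which one D-Bus activates is then not under this module's control; an `assertions` entry, or at least a sentence in the `enable` description such as `"pass-secret-service, an org.freedesktop.secrets (libsecret) provider backed by pass(1); do not enable alongside another secret service such as gnome-keyring"`, would save users a confusing debugging session.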
@@ -279,6 +279,7 @@ in { libresprite = handleTest ./libresprite.nix {}; libreswan = handleTest ./libreswan.nix {}; librewolf = handleTest ./firefox.nix { firefoxPackage = pkgs.librewolf; }; + libuiohook = handleTest ./libuiohook.nix {}; lidarr = handleTest ./lidarr.nix {}; lightdm = handleTest ./lightdm.nix {}; limesurvey = handleTest ./limesurvey.nix {}; @@ -413,6 +414,7 @@ in { pam-oath-login = handleTest ./pam/pam-oath-login.nix {}; pam-u2f = handleTest ./pam/pam-u2f.nix {}; pam-ussh = handleTest ./pam/pam-ussh.nix {}; + pass-secret-service = handleTest ./pass-secret-service.nix {}; pantalaimon = handleTest ./matrix/pantalaimon.nix {}; pantheon = handleTest ./pantheon.nix {}; paperless = handleTest ./paperless.nix {}; diff --git a/nixos/tests/libuiohook.nix b/nixos/tests/libuiohook.nix new file mode 100644 index 00000000000..66c5033d968 --- /dev/null +++ b/nixos/tests/libuiohook.nix @@ -0,0 +1,21 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "libuiohook"; + meta = with lib.maintainers; { maintainers = [ anoa ]; }; + + nodes.client = { nodes, ... }: + let user = nodes.client.config.users.users.alice; + in { + imports = [ ./common/user-account.nix ./common/x11.nix ]; + + environment.systemPackages = [ pkgs.libuiohook.test ]; + + test-support.displayManager.auto.user = user.name; + }; + + testScript = { nodes, ... }: + let user = nodes.client.config.users.users.alice; + in '' + client.wait_for_x() + client.succeed("su - alice -c ${pkgs.libuiohook.test}/share/uiohook_tests >&2 &") + ''; +}) diff --git a/nixos/tests/pass-secret-service.nix b/nixos/tests/pass-secret-service.nix new file mode 100644 index 00000000000..a85a508bfe1 --- /dev/null +++ b/nixos/tests/pass-secret-service.nix 
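Review bot: In `libuiohook.nix` the final `client.succeed(...)` backgrounds the test binary with `&`, so `succeed` only observes the shell forking it and returns immediately; a failing or crashing `uiohook_tests` never fails the NixOS test. Drop the `&` (and the unused `user` binding in `testScript`) so the exit status is actually checked: `client.succeed("su - alice -c '${pkgs.libuiohook.test}/share/uiohook_tests' >&2")`. If the binary needs the X display, note that `su -` starts a fresh login environment, so `DISPLAY` is probably not set unless alice's profile exports it — worth confirming in the test log.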
@@ -0,0 +1,69 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "pass-secret-service"; + meta.maintainers = with lib; [ aidalgol ]; + + nodes.machine = { nodes, pkgs, ... }: + { + imports = [ ./common/user-account.nix ]; + + services.passSecretService.enable = true; + + environment.systemPackages = [ + # Create a script that tries to make a request to the D-Bus secrets API. + (pkgs.writers.writePython3Bin "secrets-dbus-init" + { + libraries = [ pkgs.python3Packages.secretstorage ]; + } '' + import secretstorage + print("Initializing dbus connection...") + connection = secretstorage.dbus_init() + print("Requesting default collection...") + collection = secretstorage.get_default_collection(connection) + print("Done! dbus-org.freedesktop.secrets should now be active.") + '') + pkgs.pass + ]; + + programs.gnupg = { + agent.enable = true; + agent.pinentryFlavor = "tty"; + dirmngr.enable = true; + }; + }; + + # Some of the commands are run via a virtual console because they need to be + # run under a real login session, with D-Bus running in the environment. + testScript = { nodes, ... }: + let + user = nodes.machine.config.users.users.alice; + gpg-uid = "alice@example.net"; + gpg-pw = "foobar9000"; + ready-file = "/tmp/secrets-dbus-init.done"; + in + '' + # Initialise the pass(1) storage. 
+ machine.succeed(""" + sudo -u alice gpg --pinentry-mode loopback --batch --passphrase ${gpg-pw} \ + --quick-gen-key ${gpg-uid} \ + """) + machine.succeed("sudo -u alice pass init ${gpg-uid}") + + with subtest("Service is not running on login"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches("1", "login: alice") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${user.password}\n") + machine.wait_until_succeeds("pgrep -u alice bash") + + _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice") + assert "Active: inactive (dead)" in output + + with subtest("Service starts after a client tries to talk to the D-Bus API"): + machine.send_chars("secrets-dbus-init; touch ${ready-file}\n") + machine.wait_for_file("${ready-file}") + _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice") + assert "Active: active (running)" in output + ''; +}) |
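Review bot: In the second subtest, `secrets-dbus-init; touch ${ready-file}` creates the ready file even when the Python client fails, so a broken D-Bus round trip is only caught indirectly through the later `systemctl status` check, and not at all if the service was activated but the request then errored. Chain the commands so the file only appears on success: `machine.send_chars("secrets-dbus-init && touch ${ready-file}\n")`, and consider a final step that stores and reads back an item rather than only fetching the default collection. The test-only passphrase in `gpg-pw` is fine inside the VM, but `--passphrase ${gpg-pw}` is passed on the command line where it is visible in process listings; acceptable for a test, worth a one-line comment saying so.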