Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/development/running-nixos-tests-interactively.xml | 4 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 7 | ||||
-rw-r--r-- | nixos/lib/build-vms.nix | 4 | ||||
-rw-r--r-- | nixos/lib/testing-python.nix | 20 | ||||
-rw-r--r-- | nixos/modules/config/no-x-libs.nix | 3 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nix-fallback-paths.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/continuous-integration/hydra/default.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/misc/jellyfin.nix | 40 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/networking/sslh.nix | 2 | ||||
-rw-r--r-- | nixos/modules/testing/test-instrumentation.nix | 9 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-guest-agent.nix | 7 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 11 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/hydra/db-migration.nix | 92 | ||||
-rw-r--r-- | nixos/tests/hydra/default.nix | 2 |
17 files changed, 105 insertions, 149 deletions
diff --git a/nixos/doc/manual/development/running-nixos-tests-interactively.xml b/nixos/doc/manual/development/running-nixos-tests-interactively.xml
index a11a9382764..a6044d5f89e 100644
--- a/nixos/doc/manual/development/running-nixos-tests-interactively.xml
+++ b/nixos/doc/manual/development/running-nixos-tests-interactively.xml
@@ -9,7 +9,7 @@
 The test itself can be run interactively. This is particularly useful when
 developing or debugging a test:
 <screen>
-<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
+<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driverInteractive
 <prompt>$ </prompt>./result/bin/nixos-test-driver
 starting VDE switch for network 1
 <prompt>></prompt>
@@ -30,7 +30,7 @@ starting VDE switch for network 1
 <para>
 To just start and experiment with the VMs, run:
 <screen>
-<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
+<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driverInteractive
 <prompt>$ </prompt>./result/bin/nixos-run-vms
 </screen>
 The script <command>nixos-run-vms</command> starts the virtual machines
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 04086275d7c..782227de06f 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -643,6 +643,13 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
 In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <literal>sslh</literal> has been updated to version
+ <literal>1.21</literal>. The <literal>ssl</literal> probe must be
+ renamed to <literal>tls</literal> in <xref linkend="opt-services.sslh.appendConfig"/>.
+ </para>
+ </listitem>
 <listitem>
 <para>
 Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must
diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix
index b1575fc13bb..ebbb0296bef 100644
--- a/nixos/lib/build-vms.nix
+++ b/nixos/lib/build-vms.nix
@@ -18,9 +18,6 @@ rec {
 inherit pkgs;
- qemu = pkgs.qemu_test;
-
-
 # Build a virtual network from an attribute set `{ machine1 =
 # config1; ... machineN = configN; }', where `machineX' is the
 # hostname and `configX' is a NixOS system configuration. Each
@@ -39,7 +36,6 @@ rec {
 [ ../modules/virtualisation/qemu-vm.nix
 ../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs
 { key = "no-manual"; documentation.nixos.enable = false; }
- { key = "qemu"; system.build.qemu = qemu; }
 { key = "nodes"; _module.args.nodes = nodes; }
 ] ++ optional minimal ../modules/testing/minimal-kernel.nix;
 };
diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix
index 498f97336c0..302c7f78bf8 100644
--- a/nixos/lib/testing-python.nix
+++ b/nixos/lib/testing-python.nix
@@ -17,9 +17,9 @@ rec {
 inherit pkgs;
- testDriver = let
+ mkTestDriver = let
 testDriverScript = ./test-driver/test-driver.py;
- in stdenv.mkDerivation {
+ in qemu_pkg: stdenv.mkDerivation {
 name = "nixos-test-driver";
 nativeBuildInputs = [ makeWrapper ];
@@ -47,10 +47,12 @@ rec {
 # TODO: copy user script part into this file (append)
 wrapProgram $out/bin/nixos-test-driver \
- --prefix PATH : "${lib.makeBinPath [ qemu_test vde2 netpbm coreutils ]}" \
+ --prefix PATH : "${lib.makeBinPath [ qemu_pkg vde2 netpbm coreutils ]}" \
 '';
 };
+ testDriver = mkTestDriver qemu_test;
+ testDriverInteractive = mkTestDriver qemu_kvm;
 # Run an automated test suite in the given virtual network.
 # `driver' is the script that runs the network.
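Review bot: The two new drivers differ only in which QEMU ends up on the wrapper's PATH, and nothing on the `testDriver = mkTestDriver qemu_test;` / `testDriverInteractive = mkTestDriver qemu_kvm;` lines says why the interactive one gets `qemu_kvm` while automated runs keep `qemu_test`. A comment such as `# qemu_test is the stripped-down build used for reproducible automated runs; interactive sessions get the full qemu_kvm (presumably for display support — confirm) at the cost of a larger closure` above `testDriver =` would record the trade-off for the next person who touches the closure size. The `mkTestDriver` derivation this hunk is part of starts in the previous hunk and its body runs past this one.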
@@ -113,7 +115,11 @@ rec {
 # Generate convenience wrappers for running the test driver
 # interactively with the specified network, and for starting the
 # VMs from the command line.
- driver = let warn = if skipLint then lib.warn "Linting is disabled!" else lib.id; in warn (runCommand testDriverName
+ driver = testDriver:
+ let
+ warn = if skipLint then lib.warn "Linting is disabled!" else lib.id;
+ in
+ warn (runCommand testDriverName
 { buildInputs = [ makeWrapper];
 testScript = testScript';
 preferLocalBuild = true;
@@ -148,7 +154,7 @@ rec {
 meta = (drv.meta or {}) // t.meta;
 };
- test = passMeta (runTests driver);
+ test = passMeta (runTests (driver testDriver));
 nodeNames = builtins.attrNames nodes;
 invalidNodeNames = lib.filter
@@ -165,7 +171,9 @@ rec {
 ''
 else test // {
- inherit nodes driver test;
+ inherit nodes test;
+ driver = driver testDriver;
+ driverInteractive = driver testDriverInteractive;
 };
 runInMachine =
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index 941ab78f863..c3120c2bf30 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
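Review bot: The comment block above `driver` ("Generate convenience wrappers for running the test driver interactively …") still describes `driver` as the wrapper itself, but after this hunk it is a function `testDriver: …` that the third hunk applies twice (`driver testDriver` and `driver testDriverInteractive`), so the comment no longer tells a reader what the parameter is. Suggest appending a line such as `# \`driver' takes the test-driver package to wrap; the result exposes both \`driver' (qemu_test) and \`driverInteractive' (qemu_kvm).` The body of `driver` continues past the end of the first hunk.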
@@ -30,11 +30,12 @@ with lib;
 cairo = super.cairo.override { x11Support = false; };
 dbus = super.dbus.override { x11Support = false; };
 networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
+ networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
 networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; };
 networkmanager-openconnect = super.networkmanager-openconnect.override { withGnome = false; };
 networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
+ networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; };
 networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
- networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
 gobject-introspection = super.gobject-introspection.override { x11Support = false; };
 qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; };
 }));
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix
index a15a2dbadb8..bd70bd20013 100644
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,6 +1,6 @@
 {
- x86_64-linux = "/nix/store/4vz8sh9ngx34ivi0bw5hlycxdhvy5hvz-nix-2.3.7";
- i686-linux = "/nix/store/dzxkg9lpp60bjmzvagns42vqlz3yq5kx-nix-2.3.7";
- aarch64-linux = "/nix/store/cfvf8nl8mwyw817by5y8zd3s8pnf5m9f-nix-2.3.7";
- x86_64-darwin = "/nix/store/5ira7xgs92inqz1x8l0n1wci4r79hnd0-nix-2.3.7";
+ x86_64-linux = "/nix/store/qxayqjmlpqnmwg5yfsjjayw220ls8i2r-nix-2.3.8";
+ i686-linux = "/nix/store/5834psaay75048jp6d07liqh4j0v1swd-nix-2.3.8";
+ aarch64-linux = "/nix/store/pic90a5fxvifz05jzkd0zak21f9mjin6-nix-2.3.8";
+ x86_64-darwin = "/nix/store/cjx3f8z12wlayp5983kli2a52ipi8jz2-nix-2.3.8";
 }
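Review bot: The new `networkmanager-sstp` entry in no-x-libs.nix overrides the wrong package: it reads `networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; };`, so under `noXlibs` the `networkmanager-sstp` attribute becomes a vpnc build, and the `${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name` path that the networkmanager.nix hunk of this same commit references will not exist in that derivation. The line should be `networkmanager-sstp = super.networkmanager-sstp.override { withGnome = false; };`. The `networkmanager-iodine` move in the same hunk is only a reorder into alphabetical position.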
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index 502a5898a5d..252ca17006d 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -37,8 +37,6 @@ let
 haveLocalDB = cfg.dbi == localDB;
- inherit (config.system) stateVersion;
-
 hydra-package = let
 makeWrapperArgs = concatStringsSep " " (mapAttrsToList (key: value: "--set \"${key}\" \"${value}\"") hydraEnv);
@@ -96,7 +94,8 @@ in
 package = mkOption {
 type = types.package;
- defaultText = "pkgs.hydra";
+ default = pkgs.hydra-unstable;
+ defaultText = "pkgs.hydra-unstable";
 description = "The Hydra package.";
 };
@@ -225,34 +224,6 @@ in
 config = mkIf cfg.enable {
- warnings = optional (cfg.package.migration or false) ''
- You're currently deploying an older version of Hydra which is needed to
- make some required database changes[1]. As soon as this is done, it's recommended
- to run `hydra-backfill-ids` and set `services.hydra.package` to `pkgs.hydra-unstable`
- after that.
-
- [1] https://github.com/NixOS/hydra/pull/711
- '';
-
- services.hydra.package = with pkgs;
- mkDefault (
- if pkgs ? hydra
- then throw ''
- The Hydra package doesn't exist anymore in `nixpkgs`! It probably exists
- due to an overlay. To upgrade Hydra, you need to take two steps as some
- bigger changes in the database schema were implemented recently[1]. You first
- need to deploy `pkgs.hydra-migration`, run `hydra-backfill-ids` on the server
- and then deploy `pkgs.hydra-unstable`.
-
- If you want to use `pkgs.hydra` from your overlay, please set `services.hydra.package`
- explicitly to `pkgs.hydra` and make sure you know what you're doing.
-
- [1] https://github.com/NixOS/hydra/pull/711
- ''
- else if versionOlder stateVersion "20.03" then hydra-migration
- else hydra-unstable
- );
-
 users.groups.hydra = {
 gid = config.ids.gids.hydra;
 };
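Review bot: The third hunk drops the `stateVersion`-based selection of `hydra-migration`, the `pkgs ? hydra` overlay guard and the migration warning, and the second hunk makes `pkgs.hydra-unstable` the unconditional default, yet the release-notes hunk of this commit (rl-2009.xml) only documents the sslh probe rename. An operator whose database never went through the `hydra-backfill-ids` step described in the removed warning will now silently get `hydra-unstable`; whether that is safe depends on the schema state, which this module can no longer detect. Suggest a release-note entry stating that `services.hydra.package` now defaults to `pkgs.hydra-unstable` unconditionally and that any pending migration must be completed beforehand (the hydra test hunk also drops `hydra-migration`, so presumably that package is gone — confirm and say so in the note).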
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index 0493dadea94..6a47dc3628f 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -45,6 +45,46 @@ in
 CacheDirectory = "jellyfin";
 ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
 Restart = "on-failure";
+
+ # Security options:
+
+ NoNewPrivileges = true;
+
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+
+ # ProtectClock= adds DeviceAllow=char-rtc r
+ DeviceAllow = "";
+
+ LockPersonality = true;
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ RemoveIPC = true;
+
+ RestrictNamespaces = true;
+ # AF_NETLINK needed because Jellyfin monitors the network connection
+ RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+
+ "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
+ "~@obsolete" "~@privileged" "~@setuid"
+ ];
 };
 };
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 17c549d42c3..201a51ff70b 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -15,6 +15,7 @@ let
 networkmanager-openconnect
 networkmanager-openvpn
 networkmanager-vpnc
+ networkmanager-sstp
 ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
 delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
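Review bot: The jellyfin hardening block explains `DeviceAllow` and `AF_NETLINK` but says nothing about its notable omissions, which is the first thing the next maintainer tuning it will ask: `ProtectSystem=`/`ProtectHome=` are absent (presumably because media libraries can live anywhere on the filesystem, so a `ReadWritePaths`/`ReadOnlyPaths` allow-list would need user input — confirm) and `MemoryDenyWriteExecute=` is absent (presumably because the runtime needs writable-executable mappings — confirm). Two lines under `# Security options:` such as `# ProtectSystem/ProtectHome intentionally unset: media libraries may live anywhere` and `# MemoryDenyWriteExecute intentionally unset: the runtime needs W+X mappings` would record that. `SystemCallErrorNumber = "EPERM"` also deserves a note, since it makes a filtered syscall fail soft instead of killing the process, so an over-tight `SystemCallFilter` surfaces as odd application errors rather than a crash in the journal. The enclosing `serviceConfig` attribute set starts before the hunk.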
@@ -386,6 +387,9 @@ in {
 "NetworkManager/VPN/nm-iodine-service.name".source = "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name";
+
+ "NetworkManager/VPN/nm-sstp-service.name".source =
+ "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name";
 } // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) {
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 5365b8b9b10..1b745931c4f 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -269,6 +269,7 @@ in
 kexAlgorithms = mkOption {
 type = types.listOf types.str;
 default = [
+ "curve25519-sha256"
 "curve25519-sha256@libssh.org"
 "diffie-hellman-group-exchange-sha256"
 ];
@@ -279,7 +280,7 @@ in
 Defaults to recommended settings from both
 <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
 and
- <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+ <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
 '';
 };
@@ -300,7 +301,7 @@ in
 Defaults to recommended settings from both
 <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
 and
- <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+ <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
 '';
 };
@@ -321,7 +322,7 @@ in
 Defaults to recommended settings from both
 <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
 and
- <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+ <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
 '';
 };
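Review bot: The new `"curve25519-sha256"` entry in the `kexAlgorithms` default is the same key exchange as the existing `"curve25519-sha256@libssh.org"` under its standardized name, and nothing on the line says so, so a reader can mistake it for a second algorithm. Suggest `# RFC 8731 name of the same exchange as curve25519-sha256@libssh.org; both are kept so a peer that knows only one of them still negotiates it` above the added line. As far as I know sshd refuses to start when `KexAlgorithms` contains a name it does not recognize, so this default implicitly pins the oldest OpenSSH the module supports; worth stating in that comment too. The three link updates below are documentation only.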
diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix
index 0921febba66..4c2740d2019 100644
--- a/nixos/modules/services/networking/sslh.nix
+++ b/nixos/modules/services/networking/sslh.nix
@@ -31,7 +31,7 @@ let
 { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
 { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; },
 { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
- { name: "ssl"; host: "localhost"; port: "443"; probe: "builtin"; },
+ { name: "tls"; host: "localhost"; port: "443"; probe: "builtin"; },
 { name: "anyprot"; host: "localhost"; port: "443"; probe: "builtin"; }
 );
 '';
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index c0ec76e8a3a..e9f5eac7f5f 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -51,7 +51,10 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
 # we avoid defining consoles if not possible.
 # TODO: refactor such that test-instrumentation can import qemu-vm
 # or declare virtualisation.qemu.console option in a module that's always imported
- virtualisation = lib.optionalAttrs (options ? virtualisation.qemu.consoles) { qemu.consoles = [ qemuSerialDevice ]; };
+ virtualisation.qemu = {
+ consoles = lib.optional (options ? virtualisation.qemu.consoles) qemuSerialDevice;
+ package = pkgs.qemu_test;
+ };
 boot.initrd.preDeviceCommands = ''
@@ -116,6 +119,10 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
 users.users.root.initialHashedPassword = mkOverride 150 "";
 services.xserver.displayManager.job.logToJournal = true;
+
+ # Make sure we use the Guest Agent from the QEMU package for testing
+ # to reduce the closure size required for the tests.
+ services.qemuGuest.package = pkgs.qemu_test.ga;
 };
 }
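Review bot: In the test-instrumentation hunk the `options ? virtualisation.qemu.consoles` guard no longer does what the comment above it ("we avoid defining consoles if not possible") says: `lib.optional` only empties the list, so `virtualisation.qemu.consoles = []` is still defined, and the new `package = pkgs.qemu_test;` is not guarded at all, so a configuration that does not import qemu-vm.nix now fails with two undeclared-option definitions instead of being skipped (assuming the module system rejects such definitions, as it does for leaf values). Either keep the old `lib.optionalAttrs` shape around the whole set, as below, or drop the guard and the three comment lines if every consumer of test-instrumentation.nix is known to import qemu-vm.nix.
```nix
# we avoid defining consoles if not possible.
# … unchanged: the two TODO comment lines …
virtualisation = lib.optionalAttrs (options ? virtualisation.qemu.consoles) {
  qemu.consoles = [ qemuSerialDevice ];
  qemu.package = pkgs.qemu_test;
};
```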
diff --git a/nixos/modules/virtualisation/qemu-guest-agent.nix b/nixos/modules/virtualisation/qemu-guest-agent.nix
index 665224e35d8..6a735f451a7 100644
--- a/nixos/modules/virtualisation/qemu-guest-agent.nix
+++ b/nixos/modules/virtualisation/qemu-guest-agent.nix
@@ -12,6 +12,11 @@ in {
 default = false;
 description = "Whether to enable the qemu guest agent.";
 };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.qemu.ga;
+ description = "The QEMU guest agent package.";
+ };
 };
 config = mkIf cfg.enable (
@@ -25,7 +30,7 @@ in {
 systemd.services.qemu-guest-agent = {
 description = "Run the QEMU Guest Agent";
 serviceConfig = {
- ExecStart = "${pkgs.qemu.ga}/bin/qemu-ga";
+ ExecStart = "${cfg.package}/bin/qemu-ga";
 Restart = "always";
 RestartSec = 0;
 };
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 42e43f5ee02..191d7c758c0 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -14,10 +14,11 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
 let
- qemu = config.system.build.qemu or pkgs.qemu_test;
 cfg = config.virtualisation;
+ qemu = cfg.qemu.package;
+ consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
 driveOpts = { ... }: {
@@ -401,6 +402,14 @@ in
 };
 virtualisation.qemu = {
+ package =
+ mkOption {
+ type = types.package;
+ default = pkgs.qemu;
+ example = "pkgs.qemu_test";
+ description = "QEMU package to use.";
+ };
+
 options = mkOption {
 type = types.listOf types.unspecified;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 6564a958d5b..9ffeba27a7f 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
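Review bot: Both new `package` options on this line — `services.qemuGuest.package` (`default = pkgs.qemu.ga;`) and `virtualisation.qemu.package` (`default = pkgs.qemu;`) — give a derivation as `default` without a `defaultText`, unlike the hydra hunk of this same commit, which pairs `default = pkgs.hydra-unstable;` with `defaultText = "pkgs.hydra-unstable";`; without it the generated manual renders whatever the derivation evaluates to rather than the expression the user should write. Add `defaultText = "pkgs.qemu.ga";` and `defaultText = "pkgs.qemu";` next to the respective defaults. In `virtualisation.qemu.package`, `example = "pkgs.qemu_test";` is a plain string and will be shown as the string literal `"pkgs.qemu_test"`; `example = literalExample "pkgs.qemu_test";` shows it as Nix code (assuming `lib` is in scope the way the unqualified `mkOption` suggests).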
@@ -150,7 +150,6 @@ in
 hostname = handleTest ./hostname.nix {};
 hound = handleTest ./hound.nix {};
 hydra = handleTest ./hydra {};
- hydra-db-migration = handleTest ./hydra/db-migration.nix {};
 i3wm = handleTest ./i3wm.nix {};
 icingaweb2 = handleTest ./icingaweb2.nix {};
 iftop = handleTest ./iftop.nix {};
diff --git a/nixos/tests/hydra/db-migration.nix b/nixos/tests/hydra/db-migration.nix
deleted file mode 100644
index ca65e2e66aa..00000000000
--- a/nixos/tests/hydra/db-migration.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ system ? builtins.currentSystem
-, pkgs ? import ../../.. { inherit system; }
-, ...
-}:
-
-let inherit (import ./common.nix { inherit system; }) baseConfig; in
-
-with import ../../lib/testing-python.nix { inherit system pkgs; };
-with pkgs.lib;
-
-{ mig = makeTest {
- name = "hydra-db-migration";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ ma27 ];
- };
-
- nodes = {
- original = { pkgs, lib, ... }: {
- imports = [ baseConfig ];
-
- # An older version of Hydra before the db change
- # for testing purposes.
- services.hydra.package = pkgs.hydra-migration.overrideAttrs (old: {
- inherit (old) pname;
- version = "2020-02-06";
- src = pkgs.fetchFromGitHub {
- owner = "NixOS";
- repo = "hydra";
- rev = "2b4f14963b16b21ebfcd6b6bfa7832842e9b2afc";
- sha256 = "16q0cffcsfx5pqd91n9k19850c1nbh4vvbd9h8yi64ihn7v8bick";
- };
- });
- };
-
- migration_phase1 = { pkgs, lib, ... }: {
- imports = [ baseConfig ];
- services.hydra.package = pkgs.hydra-migration;
- };
-
- finished = { pkgs, lib, ... }: {
- imports = [ baseConfig ];
- services.hydra.package = pkgs.hydra-unstable;
- };
- };
-
- testScript = { nodes, ... }: let
- next = nodes.migration_phase1.config.system.build.toplevel;
- finished = nodes.finished.config.system.build.toplevel;
- in ''
- original.start()
- original.wait_for_unit("multi-user.target")
- original.wait_for_unit("postgresql.service")
- original.wait_for_unit("hydra-init.service")
- original.require_unit_state("hydra-queue-runner.service")
- original.require_unit_state("hydra-evaluator.service")
- original.require_unit_state("hydra-notify.service")
- original.succeed("hydra-create-user admin --role admin --password admin")
- original.wait_for_open_port(3000)
- original.succeed("create-trivial-project.sh")
- original.wait_until_succeeds(
- 'curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq'
- )
-
- out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
- assert "jobset_id" not in out
-
- original.succeed(
- "${next}/bin/switch-to-configuration test >&2"
- )
- original.wait_for_unit("hydra-init.service")
-
- out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
- assert "jobset_id|integer|||" in out
-
- original.succeed("hydra-backfill-ids")
-
- original.succeed(
- "${finished}/bin/switch-to-configuration test >&2"
- )
- original.wait_for_unit("hydra-init.service")
-
- out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
- assert "jobset_id|integer||not null|" in out
-
- original.wait_until_succeeds(
- 'curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq'
- )
-
- original.shutdown()
- '';
- };
-}
diff --git a/nixos/tests/hydra/default.nix b/nixos/tests/hydra/default.nix
index 2336e4033d6..e91a1cd3359 100644
--- a/nixos/tests/hydra/default.nix
+++ b/nixos/tests/hydra/default.nix
@@ -11,7 +11,7 @@ let
 inherit (import ./common.nix { inherit system; }) baseConfig;
 hydraPkgs = {
- inherit (pkgs) hydra-migration hydra-unstable;
+ inherit (pkgs) hydra-unstable;
 };
 makeHydraTest = with pkgs.lib; name: package: makeTest { |